feat: upgrade to NixOS 25.11

- Update nixpkgs and home-manager to 25.11 release
- Update flake dependencies
- Migrate git config to settings attribute
- Replace deprecated packages (mpc-cli -> mpc, vaapiIntel -> intel-vaapi-driver)
- Fix system references to use stdenv.hostPlatform.system
- Add crowdsec module overrides
- Remove android-udev-rules from fuchsia
- Configure SSH with enableDefaultConfig = false
- Update zsh dotDir to use config.xdg.configHome

CLAUDE.md

@@ -1,233 +0,0 @@
-# CLAUDE.md
-
-This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
-
-## Build and Deployment Commands
-
-### Building Configurations
-```bash
-# Build a NixOS configuration (creates ./result symlink)
-just build <hostname>
-# or
-nixos-rebuild build --flake .#<hostname>
-
-# Build home-manager configuration
-home-manager build --flake .#sajenim@<hostname>
-```
-
-### Deploying Changes
-```bash
-# Apply NixOS configuration locally (requires sudo)
-just switch <hostname>
-# or
-sudo nixos-rebuild switch --flake .#<hostname>
-
-# Deploy to remote host
-just deploy <hostname>
-# or
-nixos-rebuild switch --flake .#<hostname> --target-host <hostname> --use-remote-sudo
-
-# Apply home-manager configuration
-home-manager switch --flake .#sajenim@<hostname>
-```
-
-### Code Quality
-```bash
-# Format all Nix files using alejandra
-nix fmt
-
-# Check flake and evaluate all configurations
-nix flake check
-```
-
-### Secret Management
-```bash
-# Rekey secrets using YubiKey (after adding/modifying secrets)
-agenix-rekey edit <secret-name>
-agenix-rekey rekey
-```
-
-## Architecture Overview
-
-### Flake Structure
-This is a NixOS flake-based configuration managing two hosts:
-- **fuchsia**: Desktop workstation (gaming, development, XMonad)
-- **viridian**: Server (multimedia, services, containers)
-
-The flake follows the standard structure from Misterio77's starter configs.
-
-### Configuration Layers
-
-**NixOS System Configuration** (`nixos/`):
-```
-nixos/
-├── common/
-│   ├── global/           # Base system config for all hosts
-│   │   ├── age.nix      # Agenix secret management with YubiKey
-│   │   ├── env.nix      # Environment variables
-│   │   ├── nix.nix      # Nix daemon, flakes, garbage collection
-│   │   └── ssh.nix      # SSH server config
-│   ├── optional/         # Opt-in features
-│   │   ├── ephemeral-btrfs.nix  # Impermanence with btrfs root wipe
-│   │   ├── persist.nix           # Persistence paths for ephemeral root
-│   │   └── yubikey.nix           # YubiKey support
-│   └── users/            # User-specific system settings
-├── fuchsia/
-│   ├── configuration.nix
-│   └── services/         # Desktop services (X11, pipewire, flatpak, etc.)
-└── viridian/
-    ├── configuration.nix
-    ├── services/         # Server services (traefik, minecraft, IRC, etc.)
-    └── multimedia/       # *arr stack (sonarr, radarr, jellyfin, etc.)
-```
-
-**Home-Manager User Configuration** (`home-manager/`):
-```
-home-manager/sajenim/
-├── global/               # Base home config
-├── features/             # Modular user features
-│   ├── cli/             # Shell, terminal utilities
-│   ├── desktop/         # GUI applications, window manager
-│   ├── editors/         # Text editors configuration
-│   ├── games/           # Gaming-related configs
-│   ├── printing/        # Printer utilities
-│   └── university/      # Academic tools
-├── fuchsia.nix          # Desktop profile
-└── viridian.nix         # Server profile (minimal)
-```
-
-### Key Architectural Patterns
-
-**Module Organization**: Configuration is split between:
-- `nixos/common/global/`: Imported by ALL hosts (mandatory base config)
-- `nixos/common/optional/`: Opt-in features imported per-host
-- `nixos/<hostname>/`: Host-specific hardware and services
-- `home-manager/sajenim/features/`: Composable user environment features
-
-**Imports Pattern**: Each host's `configuration.nix` composes its full system by:
-1. Importing `../common/global` (base system)
-2. Importing selected `../common/optional/*` modules
-3. Importing `../common/users/<username>` (user accounts)
-4. Importing host-specific services from `./services/`
-5. Setting host-specific options (hostname, firewall, etc.)
-
-**Impermanence**: Uses opt-in persistence with ephemeral btrfs root:
-- Root filesystem (`/`) wiped on every boot
-- Only `/nix`, `/persist`, and `/boot` survive reboots
-- Services must explicitly declare what to persist in `/persist`
-- Secrets use persistent SSH keys at `/persist/etc/ssh/` for decryption
-
-**Secret Management**:
-- Encrypted with agenix using host SSH keys
-- Master key stored on YubiKey for rekeying
-- Rekeyed secrets stored in `nixos/common/global/secrets/rekeyed/<hostname>/`
-- Decryption happens during system activation using persistent SSH keys
-
-**Overlays**: Applied globally via `nixos/common/global/default.nix`:
-- `additions`: Custom packages from `pkgs/`
-- `modifications`: Patches to existing packages (e.g., dmenu theming)
-- `unstable-packages`: Makes `pkgs.unstable.*` available for newer versions
-
-**Unfree Packages**: Allowlist is centralized in `nixos/common/global/default.nix`
-- Default policy: only free software
-- Exceptions listed explicitly (steam, minecraft-server)
-- Do NOT use `allowUnfreePredicate` in other modules (won't merge)
-
-### Flake Inputs
-External dependencies include:
-- `nixpkgs` (25.05 stable), `nixpkgs-unstable`
-- `home-manager` (follows nixpkgs)
-- `agenix`, `agenix-rekey` (secret management)
-- `impermanence` (ephemeral root filesystem)
-- `crowdsec` (security)
-- `nixvim` (personal Neovim config, external flake)
-- `xmonad-config` (personal XMonad config, external flake)
-- `nix-minecraft` (declarative Minecraft server)
-
-Personal flakes (nixvim, xmonad-config) are maintained in separate repositories
-and imported as flake inputs. They are updated independently via `nix flake update`.
-
-## Working with This Configuration
-
-### Adding a New Host
-1. Create `nixos/<hostname>/` directory
-2. Add `configuration.nix` and `hardware-configuration.nix`
-3. Add SSH host keys (ed25519 and RSA) to the host directory
-4. Update `flake.nix` to add the new `nixosConfiguration`
-5. Configure secrets: update age.rekey to include new host key
-
-### Adding a Service
-Services are organized by host in `nixos/<hostname>/services/`:
-- Create a subdirectory for complex services (e.g., `traefik/`)
-- Each service gets its own `default.nix`
-- Import in `nixos/<hostname>/services/default.nix` or `configuration.nix`
-- Declare persistence paths if using ephemeral root
-- Use agenix for any credentials
-
-### Modifying Packages
-- **Custom packages**: Add to `pkgs/` and reference in `pkgs/default.nix`
-- **Patching packages**: Add patches to `overlays/patches/`, modify overlay in
-  `overlays/default.nix`
-- **Unfree packages**: Add to allowlist in `nixos/common/global/default.nix`
-
-### Testing Changes
-1. **IMPORTANT**: Stage new files with git before building or checking
-   - Nix flakes only evaluate files tracked in git
-   - Run `git add <file>` for any new files before `nix flake check` or build
-2. Build configuration: `just build <hostname>`
-3. Check for evaluation errors: `nix flake check`
-4. Review changes before switching
-5. Switch: `just switch <hostname>` (local) or `just deploy <hostname>` (remote)
-
-### Managing Secrets
-- Secrets are encrypted per-host and stored in
-  `nixos/common/global/secrets/rekeyed/<hostname>/`
-- Edit secrets: `agenix-rekey edit <secret-name>`
-- After editing, rekey all hosts: `agenix-rekey rekey`
-- YubiKey required for rekeying operations
-- Host SSH keys at `/persist/etc/ssh/` are used for automatic decryption
-
-## Important Conventions
-
-### Network IP Allocation
-This infrastructure uses the following IP range scheme to avoid conflicts:
-
-**Allocated Ranges:**
-- `192.168.50.0/24` - Home router/main LAN
-- `10.1.0.0/24` - Internet sharing from fuchsia (Ethernet to printer)
-- `10.2.0.0/24` - Reserved for future internet sharing from another host
-- `10.3.0.0/24` - Reserved for future internet sharing from another host
-- `10.39.179.0/24` - WireGuard VPN on Raspberry Pi
-- `172.17.0.0/16` - Docker default bridge network (viridian)
-
-**Conventions:**
-- Internet connection sharing uses `10.N.0.0/24` where N is 1, 2, 3, etc.
-- Gateway host is always `10.N.0.1`
-- DHCP pools typically use `10.N.0.2` through `10.N.0.10`
-- Keep VPN/tunnel ranges in the `10.30.0.0/16` and higher space
-
-### Line Length
-Keep all Nix code to a maximum of 100 characters per line for consistency.
-
-### Module Naming
-- System-level services: `nixos/<hostname>/services/<service-name>/default.nix`
-- User-level features: `home-manager/sajenim/features/<category>/<feature>.nix`
-
-### Persistence Declarations
-When adding services to hosts with ephemeral root, declare persistence:
-```nix
-environment.persistence."/persist" = {
-  directories = [
-    "/var/lib/service-name"
-  ];
-  files = [
-    "/var/lib/service-name/config.conf"
-  ];
-};
-```
-
-### Comments
-This codebase uses structured comments to explain configuration choices:
-- Block comments at file top explain module purpose
-- Inline comments explain non-obvious configuration decisions
-- Group related options with visual separators when helpful

flake.lock

@@ -8,11 +8,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1761656077,
+        "lastModified": 1762618334,
-        "narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=",
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
         "type": "github"
       },
       "original": {
@@ -51,11 +51,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1762466517,
+        "lastModified": 1766008910,
-        "narHash": "sha256-sFlWhpLBmORSIwdhIinu2nos0xhQkUzFkO3AOHRolps=",
+        "narHash": "sha256-mrhbMNkrkvAPQsytce3zMeDF1UVkkcj8N/Bw9n4BFUo=",
         "owner": "sadjow",
         "repo": "claude-code-nix",
-        "rev": "c75a19ff3b5de3edc68512b31c406338c3c3ce65",
+        "rev": "e39652c800e82c4f8cae68ac0bacb7bdecace7f5",
         "type": "github"
       },
       "original": {
@@ -143,6 +143,22 @@
       }
     },
     "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1765121682,
+        "narHash": "sha256-4VBOP18BFeiPkyhy9o4ssBNQEvfvv1kXkasAYd0+rrA=",
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "rev": "65f23138d8d09a92e30f1e5c87611b23ef451bf3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_3": {
       "flake": false,
       "locked": {
         "lastModified": 1747046372,
@@ -464,16 +480,16 @@
         ]
       },
       "locked": {
-        "lastModified": 1758463745,
+        "lastModified": 1765979862,
-        "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
+        "narHash": "sha256-/r9/1KamvbHJx6I40H4HsSXnEcBAkj46ZwibhBx9kg0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
+        "rev": "d3135ab747fd9dac250ffb90b4a7e80634eacbe9",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-25.05",
+        "ref": "release-25.11",
         "repo": "home-manager",
         "type": "github"
       }
@@ -547,16 +563,17 @@
     },
     "nix-jetbrains-plugins": {
       "inputs": {
+        "flake-compat": "flake-compat_2",
         "flake-utils": "flake-utils_3",
         "nixpkgs": "nixpkgs_4",
         "systems": "systems_4"
       },
       "locked": {
-        "lastModified": 1761996900,
+        "lastModified": 1765666486,
-        "narHash": "sha256-1XURw0oFac/jDYP/TjxOOO5DWABOQ6HOuAnXS7GGP5k=",
+        "narHash": "sha256-BZfXO+5aUgGgGKr85UdVMTUsUi2rgufzK6/jgqoEVDI=",
         "owner": "theCapypara",
         "repo": "nix-jetbrains-plugins",
-        "rev": "5a03f5a3d0ab9b465cdab58dc03da2a7b473bc8c",
+        "rev": "82c9b1d2e0f235d61f0941fdafd408a23483dc99",
         "type": "github"
       },
       "original": {
@@ -567,16 +584,16 @@
     },
     "nix-minecraft": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat_3",
         "flake-utils": "flake-utils_4",
         "nixpkgs": "nixpkgs_5"
       },
       "locked": {
-        "lastModified": 1762480864,
+        "lastModified": 1766023574,
-        "narHash": "sha256-OD3/2nATIXFEyTq3cxGUjZyBf8YlCSpIX/iJzSJbWag=",
+        "narHash": "sha256-vx7KhTqR/UBnBUXAei3DKXJ4Nq3p7yLw+kZ03/inm8I=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "4f3414fdfce0ddf85c35e95d07809aeb93d2f0ad",
+        "rev": "5e0cae13ca72d3e4ef0f101b01725e25441c4ebd",
         "type": "github"
       },
       "original": {
@@ -633,11 +650,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1762363567,
+        "lastModified": 1765779637,
-        "narHash": "sha256-YRqMDEtSMbitIMj+JLpheSz0pwEr0Rmy5mC7myl17xs=",
+        "narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ae814fd3904b621d8ab97418f1d0f2eb0d3716f4",
+        "rev": "1306659b587dc277866c7b69eb97e5f07864d8c4",
         "type": "github"
       },
       "original": {
@@ -681,11 +698,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1762361079,
+        "lastModified": 1765934234,
-        "narHash": "sha256-lz718rr1BDpZBYk7+G8cE6wee3PiBUpn8aomG/vLLiY=",
+        "narHash": "sha256-pJjWUzNnjbIAMIc5gRFUuKCDQ9S1cuh3b2hKgA7Mc4A=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ffcdcf99d65c61956d882df249a9be53e5902ea5",
+        "rev": "af84f9d270d404c17699522fab95bbf928a2d92f",
         "type": "github"
       },
       "original": {
@@ -712,11 +729,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1757745802,
+        "lastModified": 1765472234,
-        "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=",
+        "narHash": "sha256-9VvC20PJPsleGMewwcWYKGzDIyjckEz8uWmT0vCDYK0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1",
+        "rev": "2fbfb1d73d239d2402a8fe03963e37aab15abe8b",
         "type": "github"
       },
       "original": {
@@ -744,16 +761,16 @@
     },
     "nixpkgs_6": {
       "locked": {
-        "lastModified": 1762233356,
+        "lastModified": 1765838191,
-        "narHash": "sha256-cGS3lLTYusbEP/IJIWGgnkzIl+FA5xDvtiHyjalGr4k=",
+        "narHash": "sha256-m5KWt1nOm76ILk/JSCxBM4MfK3rYY7Wq9/TZIIeGnT8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ca534a76c4afb2bdc07b681dbc11b453bab21af8",
+        "rev": "c6f52ebd45e5925c188d1a20119978aa4ffd5ef6",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-25.05",
+        "ref": "nixos-25.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -792,11 +809,11 @@
     },
     "nixpkgs_9": {
       "locked": {
-        "lastModified": 1748460289,
+        "lastModified": 1761373498,
-        "narHash": "sha256-7doLyJBzCllvqX4gszYtmZUToxKvMUrg45EUWaUYmBg=",
+        "narHash": "sha256-Q/uhWNvd7V7k1H1ZPMy/vkx3F8C13ZcdrKjO7Jv7v0c=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "96ec055edbe5ee227f28cdbc3f1ddf1df5965102",
+        "rev": "6a08e6bb4e46ff7fcbb53d409b253f6bad8a28ce",
         "type": "github"
       },
       "original": {
@@ -813,11 +830,11 @@
         "nixvim": "nixvim_2"
       },
       "locked": {
-        "lastModified": 1760970422,
+        "lastModified": 1765715781,
-        "narHash": "sha256-w1pRoU2z0xkkGb2SFl16x1GVzLVErzgPiWunS+JHI+c=",
+        "narHash": "sha256-iwCEwl0ak3J/yy063UlqSxh+fyWCeDfW60HCcBWOuGA=",
         "ref": "refs/heads/master",
-        "rev": "5e370bf24716430b66364666a9a512b07e249471",
+        "rev": "ea07178de031c25a16e007564ad61cc1fd8b98e1",
-        "revCount": 109,
+        "revCount": 110,
         "type": "git",
         "url": "https://git.sajenim.dev/jasmine/nixvim-config.git"
       },
@@ -923,11 +940,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1760908465,
+        "lastModified": 1765727347,
-        "narHash": "sha256-ZdyNTh/O7W7ZJJr8bAeG2kQBFREZGTQ2wXCyzr9z+RQ=",
+        "narHash": "sha256-fiHH7CIgUSQgrPkcOzBK6B0ojDNbeFEc7IXdqGqm2IM=",
         "owner": "Scrybbling-together",
         "repo": "remarks",
-        "rev": "b8bfd751cf82a47ce24763c5b220a1f4f5ab90a6",
+        "rev": "9a6673d55df96d4985f13bc523e680df750b6e73",
         "type": "github"
       },
       "original": {

flake.nix

@@ -3,12 +3,12 @@
 
   inputs = {
     # Nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 
     # Home manager
     home-manager = {
-      url = "github:nix-community/home-manager/release-25.05";
+      url = "github:nix-community/home-manager/release-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 

home-manager/sajenim/features/cli/default.nix

@@ -18,6 +18,6 @@
       unstable.rmapi
     ]
     ++ [
-      inputs.remarks.packages.${pkgs.system}.default
+      inputs.remarks.packages.${pkgs.stdenv.hostPlatform.system}.default
     ];
 }

home-manager/sajenim/features/cli/git.nix

@@ -1,12 +1,14 @@
 {...}: {
   programs.git = {
     enable = true;
-    userName = "jasmine";
+    settings = {
-    userEmail = "its.jassy@pm.me";
-    extraConfig = {
       init.defaultBranch = "master";
+      user = {
+        name = "jasmine";
+        email = "its.jassy@pm.me";
+        signingkey = "8563E358D4E8040E";
+      };
       commit.gpgsign = "true";
-      user.signingkey = "8563E358D4E8040E";
     };
   };
 }

home-manager/sajenim/features/cli/mpd.nix

@@ -2,7 +2,7 @@
 
   # Install some applications for managing mpd 
   home.packages = with pkgs; [
-    mpc-cli
+    mpc
     ncmpcpp
   ];
 

home-manager/sajenim/features/cli/ssh.nix

@@ -1,6 +1,8 @@
 {...}: {
   programs.ssh = {
     enable = true;
+    enableDefaultConfig = false;
+
     matchBlocks = {
       "viridian" = {
         hostname = "viridian.home.arpa";

home-manager/sajenim/features/cli/zsh.nix

@@ -1,4 +1,4 @@
-{pkgs, ...}: {
+{pkgs, config, ...}: {
   imports = [
     ./direnv.nix
     ./starship.nix
@@ -21,7 +21,7 @@
     enableCompletion = true;
 
     # Configuration directory
-    dotDir = ".config/zsh";
+    dotDir = "${config.xdg.configHome}/zsh";
 
     shellAliases = {
       # Single letter aliases

home-manager/sajenim/features/editors/default.nix

@@ -27,10 +27,10 @@
     ]
     ++ [
       # Our personal neovim configuration.
-      inputs.nixvim.packages.${pkgs.system}.default
+      inputs.nixvim.packages.${pkgs.stdenv.hostPlatform.system}.default
     ]
     # Install jetbrains IDEs with plugins
-    ++ (with inputs.nix-jetbrains-plugins.lib."${system}"; [
+    ++ (with inputs.nix-jetbrains-plugins.lib."${pkgs.stdenv.hostPlatform.system}"; [
       (buildIdeWithPlugins pkgs.jetbrains "idea-ultimate" [
         "IdeaVIM"
         "gruvbox-material-dark"

nixos/common/users/sajenim/xmonad/default.nix

@@ -15,7 +15,7 @@
       # Picture viewer
       pkgs.xfce.ristretto
       # Install our XMonad and Xmobar configuration
-      inputs.xmonad-config.packages.${pkgs.system}.default
+      inputs.xmonad-config.packages.${pkgs.stdenv.hostPlatform.system}.default
     ];
   };
 

nixos/fuchsia/services/default.nix

@@ -6,7 +6,6 @@
     ./flatpak
     ./internet-sharing
     ./libinput
-    ./printing
     ./snapper
     ./ssh
     ./udev

nixos/fuchsia/services/printing/default.nix

@@ -1,11 +0,0 @@
-{...}: {
-  # Enable CUPS for printing services.
-  services.printing = {
-    enable = true;
-    # Connect to a remote CUPS server. 
-    clientConf = ''
-      ServerName 192.168.50.249
-      ServerPort 631
-    '';
-  };
-}

nixos/fuchsia/services/udev/default.nix

@@ -1,7 +1,6 @@
 {pkgs, ...}: {
   # Enable necessary udev rules.
   services.udev.packages = with pkgs; [
-    android-udev-rules
     openrgb
     unstable.qmk-udev-rules
   ];

nixos/viridian/hardware-configuration.nix

@@ -39,10 +39,10 @@
     enable = true;
     extraPackages = with pkgs; [
       intel-media-driver
-      vaapiIntel
-      vaapiVdpau
       libvdpau-va-gl
+      libva-vdpau-driver
       intel-compute-runtime
+      intel-vaapi-driver
     ];
   };
 

nixos/viridian/services/crowdsec/default.nix

@@ -15,6 +15,11 @@ in {
     inputs.crowdsec.overlays.default
   ];
 
+  disabledModules = [
+    "services/security/crowdsec.nix"
+    "services/security/crowdsec-firewall-bouncer.nix"
+  ];
+
   age.secrets.enrollment-key = {
     rekeyFile = ./enrollment_key.age;
     owner = "crowdsec";

overlays/default.nix

@@ -19,7 +19,7 @@
   # be accessible through 'pkgs.unstable'
   unstable-packages = final: _prev: {
     unstable = import inputs.nixpkgs-unstable {
-      system = final.system;
+      system = final.stdenv.hostPlatform.system;
       config.allowUnfree = false;
     };
   };