auto-update: flake inputs 2026-05-11T00:41:50-07:00

The tangled core was on rev 956f97c (v1.11.0-alpha) and v1.13.0-alpha
introduces automatic DID minting for repositories which we want.

Master HEAD (6a27cd2) is post-v1.13.0-alpha and includes the DID
auto-mint migration. After deploy, retry verification on the knot
dashboard at https://tangled.org/settings/knots.

Note: the build's reported version string is hardcoded to 1.11.0-alpha
in nix/pkgs/knot-unwrapped.nix upstream -- this is a stale label, but
the actual code includes v1.13.0-alpha features (DID minting schema in
knotserver/db/db.go).

Also add an explicit `nix flake update tangled` to auto-update.nix so
tangled is always tracked, independent of how other inputs are pinned.

flake.lock

@@ -1,5 +1,21 @@
 {
   "nodes": {
+    "actor-typeahead-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1762835797,
+        "narHash": "sha256-heizoWUKDdar6ymfZTnj3ytcEv/L4d4fzSmtr0HlXsQ=",
+        "ref": "refs/heads/main",
+        "rev": "677fe7f743050a4e7f09d4a6f87bbf1325a06f6b",
+        "revCount": 6,
+        "type": "git",
+        "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead"
+      }
+    },
     "agenix": {
       "inputs": {
         "darwin": "darwin",
@@ -10,11 +26,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1760836749,
-        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
+        "lastModified": 1770165109,
+        "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "2f0f812f69f3eb4140157fe15e12739adf82e32a",
+        "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
         "type": "github"
       },
       "original": {
@@ -45,6 +61,28 @@
         "type": "github"
       }
     },
+    "fenix": {
+      "inputs": {
+        "nixpkgs": [
+          "tangled",
+          "nixpkgs"
+        ],
+        "rust-analyzer-src": "rust-analyzer-src"
+      },
+      "locked": {
+        "lastModified": 1772176312,
+        "narHash": "sha256-Yjo/QCJvY9GUhAzwac/m6Rx3oxvRyEaiT5DQ5o+T6g4=",
+        "owner": "nix-community",
+        "repo": "fenix",
+        "rev": "92d91250c1acd59beabc51208192adc92f31aeb5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "fenix",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -64,11 +102,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1694529238,
-        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -86,11 +124,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754078208,
-        "narHash": "sha256-YVoIFDCDpYuU3riaDEJ3xiGdPOtsx4sR5eTzHTytPV8=",
+        "lastModified": 1763982521,
+        "narHash": "sha256-ur4QIAHwgFc0vXiaxn5No/FuZicxBr2p0gmT54xZkUQ=",
         "owner": "nix-community",
         "repo": "gomod2nix",
-        "rev": "7f963246a71626c7fc70b431a315c4388a0c95cf",
+        "rev": "02e63a239d6eabd595db56852535992c898eba72",
         "type": "github"
       },
       "original": {
@@ -150,11 +188,11 @@
         "lastModified": 1731402384,
         "narHash": "sha256-OwUmrPfEehLDz0fl2ChYLK8FQM2p0G1+EMrGsYEq+6g=",
         "type": "tarball",
-        "url": "https://github.com/IBM/plex/releases/download/@ibm/plex-mono@1.1.0/ibm-plex-mono.zip"
+        "url": "https://github.com/IBM/plex/releases/download/@ibm%2Fplex-mono@1.1.0/ibm-plex-mono.zip"
       },
       "original": {
         "type": "tarball",
-        "url": "https://github.com/IBM/plex/releases/download/@ibm/plex-mono@1.1.0/ibm-plex-mono.zip"
+        "url": "https://github.com/IBM/plex/releases/download/@ibm%2Fplex-mono@1.1.0/ibm-plex-mono.zip"
       }
     },
     "indigo": {
@@ -199,13 +237,25 @@
         "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip"
       }
     },
+    "mermaid-src": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-/YOdECG2V5c3kJ1QfGvhziTT6K/Dx/4mOk2mr3Fs/do=",
+        "type": "file",
+        "url": "https://cdn.jsdelivr.net/npm/mermaid@11.12.3/dist/mermaid.min.js"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://cdn.jsdelivr.net/npm/mermaid@11.12.3/dist/mermaid.min.js"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1761373498,
-        "narHash": "sha256-Q/uhWNvd7V7k1H1ZPMy/vkx3F8C13ZcdrKjO7Jv7v0c=",
+        "lastModified": 1777954456,
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6a08e6bb4e46ff7fcbb53d409b253f6bad8a28ce",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
         "type": "github"
       },
       "original": {
@@ -222,6 +272,23 @@
         "tangled": "tangled"
       }
     },
+    "rust-analyzer-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1772094427,
+        "narHash": "sha256-TiVs6OUBJEvajHdJZ5nIq0KognNJooUWuLGPFfQacSw=",
+        "owner": "rust-lang",
+        "repo": "rust-analyzer",
+        "rev": "56b59a832858329c2f947f9b7bdf1a49da39c981",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rust-lang",
+        "ref": "nightly",
+        "repo": "rust-analyzer",
+        "type": "github"
+      }
+    },
     "sqlite-lib-src": {
       "flake": false,
       "locked": {
@@ -267,6 +334,8 @@
     },
     "tangled": {
       "inputs": {
+        "actor-typeahead-src": "actor-typeahead-src",
+        "fenix": "fenix",
         "flake-compat": "flake-compat",
         "gomod2nix": "gomod2nix",
         "htmx-src": "htmx-src",
@@ -275,17 +344,18 @@
         "indigo": "indigo",
         "inter-fonts-src": "inter-fonts-src",
         "lucide-src": "lucide-src",
+        "mermaid-src": "mermaid-src",
         "nixpkgs": [
           "nixpkgs"
         ],
         "sqlite-lib-src": "sqlite-lib-src"
       },
       "locked": {
-        "lastModified": 1761563708,
-        "narHash": "sha256-Q74UiisPJpqr3808Jp2Qbl/uEDxSoj2tIJQ5MLFoWx0=",
+        "lastModified": 1778394106,
+        "narHash": "sha256-z/IaSibX+c+NH7nQxwEAhkZm2N34Lg7GDzaX9Obz1jA=",
         "ref": "refs/heads/master",
-        "rev": "bfdcfc5f77733c782f289091de53bb1b315f84be",
-        "revCount": 1555,
+        "rev": "4eb8cf9a5d230233c033e26dd225444d7ef991df",
+        "revCount": 2376,
         "type": "git",
         "url": "https://tangled.org/@tangled.org/core"
       },

flake.nix

@@ -13,47 +13,55 @@
     };
   };
 
-  outputs = {
-    self,
-    nixpkgs,
-    tangled,
-    agenix,
-    ...
-  } @ inputs: let
-    inherit (self) outputs;
-  in {
-    # Available through 'nixos-rebuild --flake .#your-hostname'
-    nixosConfigurations = {
-      asusmini = nixpkgs.lib.nixosSystem {
-        specialArgs = {inherit inputs outputs;};
-        system = "x86_64-linux";
-        modules = [
-          ./hosts/asusmini 
-          tangled.nixosModules.knot
-          tangled.nixosModules.spindle
-          agenix.nixosModules.default
-        ];
+  outputs =
+    {
+      self,
+      nixpkgs,
+      tangled,
+      agenix,
+      ...
+    }@inputs:
+    let
+      inherit (self) outputs;
+    in
+    {
+      # Available through 'nixos-rebuild --flake .#your-hostname'
+      nixosConfigurations = {
+        asusmini = nixpkgs.lib.nixosSystem {
+          specialArgs = { inherit inputs outputs; };
+          system = "x86_64-linux";
+          modules = [
+            ./hosts/asusmini
+            tangled.nixosModules.knot
+            tangled.nixosModules.spindle
+            agenix.nixosModules.default
+            { nixpkgs.overlays = [ (import ./overlays) ]; }
+          ];
+        };
       };
-    };
 
-    devShells = {
-      aarch64-darwin.default = let
-        pkgs = nixpkgs.legacyPackages.aarch64-darwin;
-      in pkgs.mkShell {
-        packages = [ 
-          agenix.packages.aarch64-darwin.default
-          pkgs.dnscontrol
-        ];
-      };
-      
-      x86_64-linux.default = let
-        pkgs = nixpkgs.legacyPackages.x86_64-linux;
-      in pkgs.mkShell {
-        packages = [ 
-          agenix.packages.x86_64-linux.default
-          pkgs.dnscontrol
-        ];
+      devShells = {
+        aarch64-darwin.default =
+          let
+            pkgs = nixpkgs.legacyPackages.aarch64-darwin;
+          in
+          pkgs.mkShell {
+            packages = [
+              agenix.packages.aarch64-darwin.default
+              pkgs.dnscontrol
+            ];
+          };
+
+        x86_64-linux.default =
+          let
+            pkgs = nixpkgs.legacyPackages.x86_64-linux;
+          in
+          pkgs.mkShell {
+            packages = [
+              agenix.packages.x86_64-linux.default
+              pkgs.dnscontrol
+            ];
+          };
       };
     };
-  };
 }

hosts/asusmini/atproto.nix

@@ -12,15 +12,24 @@
     settings = {
       PDS_PORT = 5556;
       PDS_HOSTNAME = "pds.commonscomputer.com";
+      # 100 MB blob upload limit (matches upstream default as of v0.4.219).
+      # Set explicitly so the limit is visible in our config rather than
+      # depending on whatever default the pinned nixpkgs module ships with.
+      PDS_BLOB_UPLOAD_LIMIT = "104857600";
       # We can set a bunch of other things too
       # PDS_BSKY_APP_VIEW_URL
       # PDS_CRAWLERS
-      # PDS_BLOB_UPLOAD_LIMIT
       # Full list available here: https://github.com/bluesky-social/atproto/blob/main/packages/pds/src/config/env.ts
     };
   };
 
-  services.tangled-spindle = {
+  # Note: the option namespace is `services.tangled.<service>` (with a dot),
+  # not `services.tangled-<service>` (with a dash). The dashed form was used
+  # by an older third-party `tangled-knot-nix` flake; the official monorepo
+  # at tangled.org/@tangled.org/core (which we import) uses the dotted form.
+  # See nix/modules/{knot,spindle}.nix in the tangled core flake for the
+  # full list of options.
+  services.tangled.spindle = {
     enable = true;
     server = {
       hostname = "spindle.commonscomputer.com";
@@ -28,30 +37,12 @@
     };
   };
 
-  # stolen from https://tangled.org/@isuggest.selfce.st/tangled-knot-nix/blob/main/knot.nix
-  services.tangled-knot = {
+  services.tangled.knot = {
     enable = true;
     server = {
-      hostname = "knot.commonscomputer.com"; # put in the hostname where your knot can be accessed at. e.g. knot.a.tgirl.gay
-      owner = "did:plc:om5yygegi4yxcbay5gemn2wm"; # your did, must be did:plc:<whatever> or did:web:<whatever>.
+      hostname = "knot.commonscomputer.com";
+      owner = "did:plc:om5yygegi4yxcbay5gemn2wm";
     };
-    # optional configuration options. the current value is the default provided to the knot server.
-    # appviewEndpoint = "https://tangled.sh"; # appview endpoint.
-    # gitUser = "git"; # user that hosts git repos and performs git operations.
-    # openFirewall = true; # open port 22 in the firewall for ssh.
-    # stateDir = "/home/${cfg.gitUser}"; # tangled knot data directory.
-    # repo = {
-    #   scanPath = cfg.stateDir; # path where repositories are scanned from;
-    #   mainBranch = "main"; # default branch name for repositories;
-    # };
-    # motd = ""; # message of the day. the contents are shown as-is; eg. you will want to add a newline if setting a non-empty message since the knot won't do this for you.
-    # motdFile = null; # "file containing message of the day. the contents are shown as-is; eg. you will want to add a newline if setting a non-empty message since the knot won't do this for you."
-    # server = {
-    #   listenAddr = "0.0.0.0:5555"; # address to listen on.
-    #   internalListenAddr = "127.0.0.1:5444"; # internal address for inter-service communication.
-    #   dbPath = "${cfg.stateDir}/knotserver.db"; # path to the database file.
-    #   dev = false; # enable development mode (disables signature verification)
-    # };
   };
 
   services.caddy = {
@@ -59,7 +50,7 @@
     virtualHosts = {
       "knot.commonscomputer.com".extraConfig = ''
         reverse_proxy http://localhost:5555
-      ''; 
+      '';
       "pds.commonscomputer.com".extraConfig = ''
         reverse_proxy http://localhost:5556
       '';

hosts/asusmini/auto-update.nix

@@ -3,23 +3,33 @@
 {
   systemd.services.auto-update = {
     description = "Auto-update NixOS configuration";
-    path = with pkgs; [ git nix openssh ];
-    
+    path = with pkgs; [
+      git
+      nix
+      openssh
+    ];
+
     serviceConfig = {
       Type = "oneshot";
       User = "root";
       WorkingDirectory = "/etc/commonscomputing-nix";
     };
-    
+
     script = ''
       set -e
-      
+
       echo "Pulling latest changes..."
       git pull
-      
+
       echo "Updating flake inputs..."
       nix flake update
-      
+
+      # Explicitly update tangled so we always pull the latest knot/spindle
+      # builds, even if other inputs are pinned or the general update is
+      # later restricted. tangled.org/@tangled.org/core moves quickly and
+      # we want to track master.
+      nix flake update tangled
+
       # Check if there are changes to commit
       if ! git diff --quiet flake.lock; then
         echo "Committing flake.lock updates..."
@@ -31,13 +41,13 @@
       else
         echo "No flake.lock changes to commit"
       fi
-      
+
       echo "Rebuilding system..."
       if ! ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch --flake .#asusmini; then
         echo "Build/switch failed, staying on current generation"
         exit 1
       fi
-      
+
       echo "Auto-update completed successfully"
     '';
   };
@@ -46,12 +56,12 @@
     description = "Auto-update timer";
     wantedBy = [ "timers.target" ];
     timerConfig = {
-      OnCalendar = "weekly";  # Run weekly, adjust as needed
-      Persistent = true;  # Run on boot if missed
-      RandomizedDelaySec = "1h";  # Add some randomness
+      OnCalendar = "weekly"; # Run weekly, adjust as needed
+      Persistent = true; # Run on boot if missed
+      RandomizedDelaySec = "1h"; # Add some randomness
     };
   };
-  
+
   # TODO: Set up SSH key for git push access
   # Options:
   # 1. Deploy key with write access to the repo

overlays/default.nix

@@ -0,0 +1,46 @@
+# Nixpkgs overlay for commonscomputing
+#
+# Overlays modify the global pkgs set. Anything that references
+# `pkgs.<name>` (including NixOS service modules using `mkPackageOption`)
+# automatically picks up our overrides without further config changes.
+#
+# Each override below should include a brief note about why we're overriding
+# and when the override can be removed (e.g. when nixpkgs catches up).
+
+final: prev: {
+  # Override bluesky-pds to v0.4.219 (latest tag in bluesky-social/pds repo).
+  #
+  # As of 2026-04-26 nixpkgs-unstable ships 0.4.204. The deployed version on
+  # z-space (from our pinned flake.lock) is even older at 0.4.182.
+  #
+  # Notable changes between 0.4.182 and 0.4.219:
+  #   - Default PDS_BLOB_UPLOAD_LIMIT doubled to 100 MB (commit cc0e9ac)
+  #   - Rate limits enabled by default (PR #308)
+  #   - Node bumped to v20.20 (commit 0ef7817)
+  #   - pdsadmin account commands replaced with goat (PR #313)
+  #
+  # Remove this override once nixpkgs ships bluesky-pds >= 0.4.219.
+  bluesky-pds = prev.bluesky-pds.overrideAttrs (old: rec {
+    version = "0.4.219";
+
+    src = prev.fetchFromGitHub {
+      owner = "bluesky-social";
+      repo = "pds";
+      tag = "v${version}";
+      hash = "sha256-zXNg1rtXN9qdTBvRlSiPlRu6k1Pv3T8nhROsEarev5U=";
+    };
+
+    sourceRoot = "${src.name}/service";
+
+    # pnpmDeps must be re-fetched whenever src changes because pnpm-lock.yaml
+    # may have changed. The hash below was computed by running a build with
+    # an empty hash and reading the correct one from the build failure.
+    pnpmDeps = prev.fetchPnpmDeps {
+      pname = "pds";
+      inherit version src sourceRoot;
+      pnpm = prev.pnpm_9;
+      fetcherVersion = 2;
+      hash = "sha256-n7UurqgR15vu1yNRXCWTWpEU42xgqVVaKurIMvt3XYk=";
+    };
+  });
+}