After much troubleshooting, I figured out that FreshRSS does not actually support OIDC with the use of the environment variables for configuration. Instead, the config files actually have to be set with the web wizard and persisted with a volume mount. Do that.
This commit upgrades nixpkgs to nixos-25.11, and all other management
systems (home-manager, nix-darwin, etc.) to the equivalent tag, and also
upgrades any syntax within the modules to follow new syntax.
1. Upgrades nixpkgs to nixos-25.11
2. Upgrades nixpkgs-darwin to nixpkgs-25.11-darwin
3. Upgrades home-manager to release-25.11
4. Upgrades nix-darwin to 25.11
5. Implements conditional to use nixpkgs on Linux and nixpkgs-darwin on
Darwin
6. Replace micromamba with mamba-cpp and set alias, see
<https://github.com/NixOS/nixpkgs/issues/456288#issuecomment-3584844923>
7. Replace asitop with its new name: macpm
8. Remove ollama package and launchd service. ollama was removed from
Linux in 275270cef7, but remained in Darwin. The build process
technically did not fail, but it did extend build time and is unused,
so it was removed.
9. Switch git program module to use new syntax
10. Switch to NixOS-provided Crowdsec module
11. Switch logind lidSwitch settings to use new syntax
12. Switch samba module to use new syntax
Bad on me, but I have spent way too long making edits that are all
required on mcentire to get Authentik semi-working. There are lots of
notes in here on reasoning of why stuff is the way it is. Backup still
needs to be configured, and potentially Crowdsec.
User systemd units cannot wait for system units. Fix race condition bugs
in user Quadlet services by using a user service that the Quadlet
services can use as an `After=` or `Requires=` directive.
NixOS does some weird stuff with setting security bits in wrappers,
rather than in packages themselves, and this was breaking podman. Add
the wrappers directory to the PATH of the secrets service.