This commit upgrades nixpkgs to nixos-25.11, and all other management
systems (home-manager, nix-darwin, etc.) to the equivalent tag, and also
upgrades any syntax within the modules to follow new syntax.

1. Upgrades nixpkgs to nixos-25.11
2. Upgrades nixpkgs-darwin to nixpkgs-25.11-darwin
3. Upgrades home-manager to release-25.11
4. Upgrades nix-darwin to 25.11
5. Implements conditional to use nixpkgs on Linux and nixpkgs-darwin on
Darwin
6. Replace micromamba with mamba-cpp and set alias, see
<https://github.com/NixOS/nixpkgs/issues/456288#issuecomment-3584844923>
7. Replace asitop with its new name: macpm
8. Remove ollama package and launchd service. ollama was removed from
Linux in 275270cef7, but remained in Darwin. The build process
technically did not fail, but it did extend build time and is unused,
so it was removed.
9. Switch git program module to use new syntax
10. Switch to NixOS-provided Crowdsec module
11. Switch logind lidSwitch settings to use new syntax
12. Switch samba module to use new syntax

Bad on me, but I have spent way too long making edits that are all
required on mcentire to get Authentik semi-working. There are lots of
notes in here on reasoning of why stuff is the way it is. Backup still
needs to be configured, and potentially Crowdsec.

User systemd units cannot wait for system units. Fix race condition bugs
in user Quadlet services by using a user service that the Quadlet
services can use as an `After=` or `Requires=` directive.

NixOS does some weird stuff with setting security bits in wrappers,
rather than in packages themselves, and this was breaking podman. Add
the wrappers directory to the PATH of the secrets service.

I used to try to control Ansible's bootstrapping of home-manager by
recording the current git hash of the home-manager repo, but I haven't
allowed ansible to touch home-manager after initial setup for a while
now, so remove the hash code.