Bump nixpkgs to 25.11 for age >=1.3.0

.github/workflows/ci.yaml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3
-    - uses: cachix/install-nix-action@v22
+    - uses: cachix/install-nix-action@v31
       with:
         extra_nix_config: |
           system-features = nixos-test recursive-nix benchmark big-parallel kvm
@@ -20,7 +20,7 @@ jobs:
     runs-on: macos-latest
     steps:
     - uses: actions/checkout@v3
-    - uses: cachix/install-nix-action@v30
+    - uses: cachix/install-nix-action@v31
       with:
         extra_nix_config: |
           system-features = nixos-test recursive-nix benchmark big-parallel kvm
@@ -39,14 +39,27 @@ jobs:
         # https://github.com/ryantm/agenix/pull/230#issuecomment-1867025385
 
         sudo mv /etc/nix/nix.conf{,.bak}
+
+        # nix-darwin 25.11 requires these files to be moved before activation
+        sudo mv /etc/bashrc{,.before-nix-darwin} 2>/dev/null || true
+        sudo mv /etc/zshrc{,.before-nix-darwin} 2>/dev/null || true
+
         nix \
           --extra-experimental-features 'nix-command flakes' \
           build .#checks."${ARCH}"-darwin.integration
 
-        ./result/activate-user
+        # nix-darwin 25.11: activation now runs entirely as root, no more activate-user
         sudo ./result/activate
     - name: "Test nix-darwin module"
       run: |
+        # Wait for agenix launchd daemon to decrypt secrets (runs asynchronously after activation)
+        for i in $(seq 1 30); do
+          if [ -f /run/agenix/system-secret ]; then
+            break
+          fi
+          echo "Waiting for agenix secrets to be decrypted... ($i/30)"
+          sleep 1
+        done
         sudo /run/current-system/sw/bin/agenix-integration
     - name: "Test home-manager module"
       run: |

.github/workflows/doc.yml

@@ -32,7 +32,7 @@ jobs:
         uses: actions/checkout@v3
       - name: Setup Pages
         uses: actions/configure-pages@v3
-      - uses: cachix/install-nix-action@v20
+      - uses: cachix/install-nix-action@v31
       - run: nix build .#doc && mkdir -p _site/ && cp -r ./result/multi/* _site/
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v1

flake.nix

@@ -2,13 +2,14 @@
   description = "Secret management with age";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-25.11-darwin";
     darwin = {
-      url = "github:lnl7/nix-darwin/master";
-      inputs.nixpkgs.follows = "nixpkgs";
+      url = "github:lnl7/nix-darwin/nix-darwin-25.11";
+      inputs.nixpkgs.follows = "nixpkgs-darwin";
     };
     home-manager = {
-      url = "github:nix-community/home-manager";
+      url = "github:nix-community/home-manager/release-25.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     systems.url = "github:nix-systems/default";
@@ -18,6 +19,7 @@
     {
       self,
       nixpkgs,
+      nixpkgs-darwin,
       darwin,
       home-manager,
       systems,

test/install_ssh_host_keys_darwin.nix

@@ -1,17 +1,18 @@
 # Do not copy this! It is insecure. This is only okay because we are testing.
 {
-  system.activationScripts.extraUserActivation.text = ''
+  system.activationScripts.postActivation.text = ''
     echo "Installing system SSH host key"
-    sudo cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub
-    sudo cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
-    sudo chmod 644 /etc/ssh/ssh_host_ed25519_key.pub
-    sudo chmod 600 /etc/ssh/ssh_host_ed25519_key
+    cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub
+    cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
+    chmod 644 /etc/ssh/ssh_host_ed25519_key.pub
+    chmod 600 /etc/ssh/ssh_host_ed25519_key
 
     echo "Installing user SSH host key"
-    mkdir -p "$HOME/.ssh"
-    cp ${../example_keys/user1.pub} "$HOME/.ssh/id_ed25519.pub"
-    cp ${../example_keys/user1} "$HOME/.ssh/id_ed25519"
-    chmod 644 "$HOME/.ssh/id_ed25519.pub"
-    chmod 600 "$HOME/.ssh/id_ed25519"
+    USER_HOME="/Users/runner"
+    sudo -u runner mkdir -p "$USER_HOME/.ssh"
+    sudo -u runner cp ${../example_keys/user1.pub} "$USER_HOME/.ssh/id_ed25519.pub"
+    sudo -u runner cp ${../example_keys/user1} "$USER_HOME/.ssh/id_ed25519"
+    sudo -u runner chmod 644 "$USER_HOME/.ssh/id_ed25519.pub"
+    sudo -u runner chmod 600 "$USER_HOME/.ssh/id_ed25519"
   '';
 }

test/integration.nix

@@ -7,7 +7,7 @@
   system ? builtins.currentSystem,
   home-manager ? <home-manager>,
 }:
-pkgs.nixosTest {
+pkgs.testers.nixosTest {
   name = "agenix-integration";
   nodes.system1 =
     {