flake: split mediaserver onto nixos-25.11, keep desktops on unstable

The mediaserver kept hard-freezing on local builds (gnupg, openldap,
deno/rusty-v8) whenever a fresh unstable revision outran Hydra's
binary cache. It doesn't need bleeding-edge packages — every service
it runs is mature enough that 6-month-old versions are fine — so move
it onto the stable channel where the cache is essentially always
warm. Gaming and Macbook stay on unstable for fresh GPU/kernel work.

Implementation: add nixpkgs-stable + home-manager-stable inputs,
parameterise mkHost to accept a (nixpkgs, home-manager) pair.

Drive-by:
- Switch homepage.nix from environmentFiles (plural, unstable-only)
  to environmentFile (singular, present on both channels).
- Gate the openldap-skip-tests overlay to non-mediaserver hosts so
  it doesn't force a local rebuild on stable, where openldap is
  always cached.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

common.nix

@@ -85,11 +85,11 @@
   # Allow unfree packages
   nixpkgs.config.allowUnfree = true;
 
-  # openldap 2.6.13's test017-syncreplication-refresh is timing-flaky and
-  # fails reliably on local builds when the binary cache hasn't yet served
-  # the upstream-built artifact. Skip its test phase. Remove this overlay
-  # once Hydra's substituter has populated openldap for the pinned nixpkgs.
-  nixpkgs.overlays = [
+  # openldap 2.6.13's test017-syncreplication-refresh is timing-flaky on
+  # unstable's freshly-bumped revisions before Hydra has cached them. The
+  # mediaserver runs on the stable channel where openldap is always cached,
+  # so don't change its hash there — that would force a local rebuild.
+  nixpkgs.overlays = lib.optionals (config.networking.hostName != "FredOS-Mediaserver") [
     (final: prev: {
       openldap = prev.openldap.overrideAttrs (_: { doCheck = false; });
     })

flake.lock

@@ -86,6 +86,27 @@
         "type": "github"
       }
     },
+    "home-manager-stable": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-stable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1775425411,
+        "narHash": "sha256-KY6HsebJHEe5nHOWP7ur09mb0drGxYSzE3rQxy62rJo=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "0d02ec1d0a05f88ef9e74b516842900c41f0f2fe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-25.11",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
     "nix-cachyos-kernel": {
       "inputs": {
         "cachyos-kernel": "cachyos-kernel",
@@ -140,6 +161,22 @@
         "type": "github"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1777077449,
+        "narHash": "sha256-AIiMJiqvGrN4HyLEbKAoCSRRYn0rnlW5VbKNIMIYqm4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1777268161,
@@ -159,8 +196,10 @@
     "root": {
       "inputs": {
         "home-manager": "home-manager",
+        "home-manager-stable": "home-manager-stable",
         "nix-cachyos-kernel": "nix-cachyos-kernel",
         "nixpkgs": "nixpkgs_2",
+        "nixpkgs-stable": "nixpkgs-stable",
         "zen-browser": "zen-browser"
       }
     },

flake.nix

@@ -1,11 +1,21 @@
 {
   description = "FredOS NixOS configuration";
   inputs = {
+    # Unstable: gaming desktop & laptop want bleeding-edge GPU/kernel updates.
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    # Stable: mediaserver values cache hit-rate over fresh packages so it
+    # doesn't have to compile gnupg/openldap/v8 locally on every flake bump.
+    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11";
+
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    home-manager-stable = {
+      url = "github:nix-community/home-manager/release-25.11";
+      inputs.nixpkgs.follows = "nixpkgs-stable";
+    };
+
     zen-browser = {
       url = "github:0xc000022070/zen-browser-flake";
       inputs = {
@@ -16,24 +26,34 @@
 
     nix-cachyos-kernel.url = "github:xddxdd/nix-cachyos-kernel/release";
   };
-  outputs = { self, nixpkgs, home-manager, zen-browser, nix-cachyos-kernel, ... } @ inputs:
+  outputs =
+    { self
+    , nixpkgs
+    , nixpkgs-stable
+    , home-manager
+    , home-manager-stable
+    , zen-browser
+    , nix-cachyos-kernel
+    , ...
+    } @ inputs:
     let
       system = "x86_64-linux";
-    mkHost = hostname: nixpkgs.lib.nixosSystem {
+      mkHost = hostname: pkgsInput: hmInput: pkgsInput.lib.nixosSystem {
         inherit system;
         specialArgs = { inherit inputs; };
         modules = [
           ./hosts/${hostname}.nix
           ./hosts/hardware/${hostname}.nix
           ./common.nix
-        home-manager.nixosModules.home-manager
+          hmInput.nixosModules.home-manager
         ];
       };
-  in {
+    in
+    {
       nixosConfigurations = {
-      FredOS-Gaming      = mkHost "FredOS-Gaming";
-      FredOS-Mediaserver = mkHost "FredOS-Mediaserver";
-      FredOS-Macbook     = mkHost "FredOS-Macbook";
+        FredOS-Gaming      = mkHost "FredOS-Gaming"      nixpkgs        home-manager;
+        FredOS-Mediaserver = mkHost "FredOS-Mediaserver" nixpkgs-stable home-manager-stable;
+        FredOS-Macbook     = mkHost "FredOS-Macbook"     nixpkgs        home-manager;
       };
     };
 }

services/homepage.nix

@@ -118,7 +118,7 @@ in
       allowedHosts = "localhost:8082,127.0.0.1:8082,homepage.nordhammer.it";
 
       # API keys auto-extracted by homepage-extract-secrets.service
-      environmentFiles = [ "/etc/homepage-secrets" ];
+      environmentFile = "/etc/homepage-secrets";
 
       settings = {
         title = "FredOS Mediaserver";