From 9bad67a3de54f01e0f3eac96e0311e42270f25f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?= Date: Mon, 9 Mar 2026 19:55:28 -0700 Subject: [PATCH 1/6] feat(spore): use apoxy-dev golink fork with OAuth key support Switch golink input from tailscale/golink to the apoxy-dev fork (dilyevsky/tsnet-1.90-upgrade branch) to enable OAuth key authentication, which is not yet available upstream. See: https://github.com/tailscale/golink/pull/210 Co-Authored-By: Claude Opus 4.6 --- flake.lock | 11 ++++++----- flake.nix | 2 +- 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/flake.lock b/flake.lock
index c65040af..0bdee33d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -171,15 +171,16 @@ ] }, "locked": { - "lastModified": 1772034702, - "narHash": "sha256-8Q5UF0PQzMcY/zaJVssZCaXXizSBEHrecBk3qaw1al0=", - "owner": "tailscale", + "lastModified": 1765523342, + "narHash": "sha256-x1KyVQHnHNSBeuLYtRGUqjVtwv4AZMd2RPhtTPXrR4I=", + "owner": "apoxy-dev", "repo": "golink", - "rev": "4036fc3a9694944dfd48586ea939212360391b22", + "rev": "17e583241673aa51935ca9e0d559f91a63144d48", "type": "github" }, "original": { - "owner": "tailscale", + "owner": "apoxy-dev", + "ref": "dilyevsky/tsnet-1.90-upgrade", "repo": "golink", "type": "github" }
diff --git a/flake.nix b/flake.nix
index f631cee7..d110b891 100644
--- a/flake.nix
+++ b/flake.nix
@@ -39,7 +39,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 golink = {
- url = "github:tailscale/golink";
+ url = "github:apoxy-dev/golink/dilyevsky/tsnet-1.90-upgrade";
 inputs.nixpkgs.follows = "nixpkgs";
 inputs.systems.follows = "systems";
 };
From 33b000b254e695ef5207d59db2abffbb8f698219 Mon Sep 17 00:00:00 2001 
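Review bot: The new `url` in the flake.nix hunk of patch 1 follows a feature branch (`dilyevsky/tsnet-1.90-upgrade`) of a third-party fork, so the next `nix flake update` locks whatever that branch head is at the time, including a rebased or force-pushed history, for a service that is handed a Tailscale credential. Pinning the reviewed commit in the input, `url = "github:apoxy-dev/golink/17e583241673aa51935ca9e0d559f91a63144d48";`, turns every bump into an explicit, reviewable change; that rev is the one this commit records in flake.lock. A comment above the input such as `# fork carries OAuth key support from tailscale/golink#210; return to upstream once merged` would keep the exit path visible. The lock's `lastModified` also moves backwards (1772034702 to 1765523342), which suggests the fork sits on an older tree than the upstream rev it replaces, so it is worth checking that no upstream fix is lost. The enclosing `inputs` set starts and ends outside the hunk.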
From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?= Date: Mon, 9 Mar 2026 20:03:34 -0700 Subject: [PATCH 2/6] feat(spore): update tailscale auth key to OAuth client secret Replace expiring Tailscale auth key with a non-expiring OAuth client secret for golink authentication. Co-Authored-By: Claude Opus 4.6 --- hosts/spore/secrets/tailscale-auth-key.age | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/hosts/spore/secrets/tailscale-auth-key.age b/hosts/spore/secrets/tailscale-auth-key.age index 06874a1b..c8624a75 100644 --- a/hosts/spore/secrets/tailscale-auth-key.age +++ b/hosts/spore/secrets/tailscale-auth-key.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 2AxgaQ Bml5zq38B3BTWMtQ8jDplWdAb/KRYeHInY+ON6Vr80I -P+uTPP3Xul0eMo5tMu4A6nwhFAhBmoVwoN0k/QnoUxw --> ssh-ed25519 3EWhnQ qKFgwRZ0Aj8UBm4Ti2qtQqdZku6y4gd29Lqfg9aoLnM -wQ/rJ5aTJBbM+DMHR8eWiLrLXxYRMxMnQVs+yk4UvTI ---- VMe18Za/KOH7wECyAiwcYfvpsyjAE/oo1nCsW7umrvw -gC,ISøc6 Pϻ( Fu*m+TLW.rYP \ No newline at end of file +-> ssh-ed25519 2AxgaQ nZxoKnnhBN/Vu5ChV+cvH/+/QtoACBB5EdMeRHfTExY +0//vPZFL/tECbRHROmZ4rLK6ZGKwfmFFBPIpIZdLcOk +-> ssh-ed25519 3EWhnQ 6y7+yYJFVby7SLWf/1ngX7LxIyhASKzqLlo75vVkylc +wcX9MumA4EF9W0dHE/KnHIbDU2b5C4HsdWe9q2sO8+Q +--- r/2H19LwRcmRGfyIVrLDDxGKN2rKFLmkD1BTRyNL3uU +BWLE$0ogƿ+j8FȤ"AS2ICIƅ0p\)j9@eks[XH쬋ӽ*Ox \ No newline at end of file From 1ac8310cb33c10e0edbbe526d4aa60ba9e2ed02b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?= Date: Mon, 9 Mar 2026 20:25:02 -0700 Subject: [PATCH 3/6] fix(spore): override golink vendorHash for apoxy-dev fork The apoxy-dev fork has a stale vendorHash in its flake.nix. Add a local overlay to fix it, and reorder NixOS modules so the golink overlay is applied before ours. Co-Authored-By: Claude Opus 4.6 --- lib/hosts.nix | 2 +- overlays/default.nix | 3 +++ overlays/golink.nix | 6 ++++++ 3 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 overlays/golink.nix 
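Review bot: The secret in the hosts/spore/secrets/tailscale-auth-key.age hunk keeps its `tailscale-auth-key` name although, per the commit message, it now holds an OAuth client secret that does not expire, so the name no longer tells a reader how long-lived the credential is. Both recipient stanzas (`2AxgaQ`, `3EWhnQ`) are unchanged, which means the same keys can decrypt both the old and the new value from history. It would help to record, next to the secret's declaration or in the commit message, which scopes and tags the OAuth client is limited to and that the replaced auth key has been revoked; neither is visible in this series.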
diff --git a/lib/hosts.nix b/lib/hosts.nix
index e14c0177..690f3c63 100644
--- a/lib/hosts.nix
+++ b/lib/hosts.nix
@@ -71,10 +71,10 @@ inputs @ {
 inherit username hostname system;
 showBatteryStatus = false;
 })
+ golink.nixosModules.default
 {
 nixpkgs.overlays = overlays;
 }
- golink.nixosModules.default
 zx-dev.nixosModules.default
 ];
 };
diff --git a/overlays/default.nix b/overlays/default.nix
index de9cfa4a..4318462f 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -5,4 +5,7 @@
 # Fix Daisydisk ahead of upstream
 (import ./daisydisk.nix)
+
+ # Fix vendorHash for apoxy-dev golink fork
+ (import ./golink.nix)
 ]
diff --git a/overlays/golink.nix b/overlays/golink.nix
new file mode 100644
index 00000000..0a0a2116
--- /dev/null
+++ b/overlays/golink.nix
@@ -0,0 +1,6 @@
+# Fix vendorHash for apoxy-dev golink fork
+final: prev: {
+ golink = prev.golink.overrideAttrs {
+ vendorHash = "sha256-M3Qm25KF6gWtp3K1SigLucgrIJ+5KokMq+Bp7XXaE+o=";
+ };
+}
From b626130710a4756e15ec6715e68ea4dd17322e1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?= Date: Mon, 9 Mar 2026 21:00:40 -0700 Subject: [PATCH 4/6] fix(spore): override golink goModules hash instead of vendorHash vendorHash is consumed by buildGoModule to create a separate fixed-output derivation, so overrideAttrs doesn't reach it. Override goModules.outputHash directly. Co-Authored-By: Claude Opus 4.6 --- overlays/golink.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/overlays/golink.nix b/overlays/golink.nix
index 0a0a2116..46f6daa9 100644
--- a/overlays/golink.nix
+++ b/overlays/golink.nix
@@ -1,6 +1,8 @@
 # Fix vendorHash for apoxy-dev golink fork
 final: prev: {
- golink = prev.golink.overrideAttrs {
- vendorHash = "sha256-M3Qm25KF6gWtp3K1SigLucgrIJ+5KokMq+Bp7XXaE+o=";
- };
+ golink = prev.golink.overrideAttrs (old: {
+ goModules = old.goModules.overrideAttrs {
+ outputHash = "sha256-M3Qm25KF6gWtp3K1SigLucgrIJ+5KokMq+Bp7XXaE+o=";
+ };
+ });
 }
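Review bot: In the lib/hosts.nix hunk of patch 3 the position of `golink.nixosModules.default` in the `modules` list becomes load-bearing, yet nothing in the file says so, so a later tidy-up of the list could silently undo it. If overlay order really does follow module order here, as the commit message states, a comment above the moved line such as `# keep before the nixpkgs.overlays module: overlays/golink.nix reads prev.golink` would record the constraint. The `modules` list starts and ends outside the hunk.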
From 613791060a4b835490f65a6ae8512663e9dd3024 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?= Date: Mon, 9 Mar 2026 21:02:33 -0700 Subject: [PATCH 5/6] fix(spore): rebuild golink package with correct vendorHash overrideAttrs can't reach vendorHash since it's consumed by buildGoModule before derivation creation. Rebuild the package from scratch using the same source and ldflags. Co-Authored-By: Claude Opus 4.6 --- overlays/golink.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/overlays/golink.nix b/overlays/golink.nix
index 46f6daa9..5355a7a6 100644
--- a/overlays/golink.nix
+++ b/overlays/golink.nix
@@ -1,8 +1,8 @@
-# Fix vendorHash for apoxy-dev golink fork
+# Rebuild golink from apoxy-dev fork source with correct vendorHash
 final: prev: {
- golink = prev.golink.overrideAttrs (old: {
- goModules = old.goModules.overrideAttrs {
- outputHash = "sha256-M3Qm25KF6gWtp3K1SigLucgrIJ+5KokMq+Bp7XXaE+o=";
- };
- });
+ golink = prev.buildGo125Module {
+ pname = "golink";
+ inherit (prev.golink) version src ldflags;
+ vendorHash = "sha256-M3Qm25KF6gWtp3K1SigLucgrIJ+5KokMq+Bp7XXaE+o=";
+ };
 }
From 881b3059da97fa63daec13ab8606dac0ec29bf08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=9C=BF=20corey=20=28they/them=29?= Date: Mon, 9 Mar 2026 21:15:52 -0700 Subject: [PATCH 6/6] fix(spore): set golink package directly to fix vendorHash The golink flake's overlay always overwrites pkgs.golink with its own pre-built package, making overlay-based overrides ineffective. Set services.golink.package directly with the correct vendorHash. Co-Authored-By: Claude Opus 4.6 --- hosts/spore/services/default.nix | 5 +++++ lib/hosts.nix | 2 +- overlays/default.nix | 3 --- overlays/golink.nix | 8 -------- 4 files changed, 6 insertions(+), 12 deletions(-) delete mode 100644 overlays/golink.nix
diff --git a/hosts/spore/services/default.nix b/hosts/spore/services/default.nix
index 68a5ee30..10e7554e 100644 
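Review bot: The rebuilt derivation in the overlays/golink.nix hunk of patch 5 carries over only `version`, `src` and `ldflags`, so any other attribute the fork's own package sets (for example `subPackages`, build tags or `meta.mainProgram`) is dropped without notice; the fork's package definition is not visible here, so this needs checking against it. The `vendorHash` literal is also not tied to the source revision it was computed for: after an input bump a stale value either fails the build on the hash mismatch or, if the old vendor output is still in the store or a cache, may be reused without any error. A comment above the call such as `# vendorHash for apoxy-dev/golink @ 17e583241673aa51935ca9e0d559f91a63144d48; remove with the fork (tailscale/golink#210)` would tell the next person to recompute it on every bump. The same expression is moved unchanged into `services.golink.package` in the hosts/spore/services/default.nix hunk of patch 6, and the point applies there as well.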
--- a/hosts/spore/services/default.nix
+++ b/hosts/spore/services/default.nix
@@ -31,6 +31,11 @@
 services.golink = {
 enable = true;
 tailscaleAuthKeyFile = config.age.secrets.tailscale-auth-key.path;
+ package = pkgs.buildGo125Module {
+ pname = "golink";
+ inherit (pkgs.golink) version src ldflags;
+ vendorHash = "sha256-M3Qm25KF6gWtp3K1SigLucgrIJ+5KokMq+Bp7XXaE+o=";
+ };
 };
 services.openssh.enable = true;
diff --git a/lib/hosts.nix b/lib/hosts.nix
index 690f3c63..e14c0177 100644
--- a/lib/hosts.nix
+++ b/lib/hosts.nix
@@ -71,10 +71,10 @@ inputs @ {
 inherit username hostname system;
 showBatteryStatus = false;
 })
- golink.nixosModules.default
 {
 nixpkgs.overlays = overlays;
 }
+ golink.nixosModules.default
 zx-dev.nixosModules.default
 ];
 };
diff --git a/overlays/default.nix b/overlays/default.nix
index 4318462f..de9cfa4a 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -5,7 +5,4 @@
 # Fix Daisydisk ahead of upstream
 (import ./daisydisk.nix)
-
- # Fix vendorHash for apoxy-dev golink fork
- (import ./golink.nix)
 ]
diff --git a/overlays/golink.nix b/overlays/golink.nix
deleted file mode 100644
index 5355a7a6..00000000
--- a/overlays/golink.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-# Rebuild golink from apoxy-dev fork source with correct vendorHash
-final: prev: {
- golink = prev.buildGo125Module {
- pname = "golink";
- inherit (prev.golink) version src ldflags;
- vendorHash = "sha256-M3Qm25KF6gWtp3K1SigLucgrIJ+5KokMq+Bp7XXaE+o=";
- };
-}