Release 2021_032 (2021-10-04)

NixOS 21.05 platform

• Nginx: fix a conditional reload bug. The internal status page and vhosts using the default wildcard address were not properly configured for dual stack operations and may block graceful reloads.

• Nginx: add option services.nginx.masterUser to be able to change the user for the Nginx master process. Nothing changes if you are using the platform webgateway / nginx roles or the flyingcircus.services.nginx service. They still use root and run the worker processes as nginx. Plain services.nginx now uses nginx for both by default like the upstream NixOS module. Note that changing this setting is experimental when using our platform roles/service and problems may occur, especially if Nginx has already been running on the system (#PL-130015).

• Nginx: don’t generate dhparam file by default anymore. Existing dhparam files will be removed. This file is only needed for DHE ciphers which are not used except by legacy clients like IE11 on older Windows versions. See the webgateway docs or /etc/local/nginx/README.txt on how to keep or re-enable the old behavior if needed. (#PL-130114).

• Production channel for this release: https://hydra.flyingcircus.io/build/104035/download/1/nixexprs.tar.xz

NixOS 15.09 platform

• Already released as hotfix: due to the Compatibility issues with new Let’s Encrypt X1 Root certificate, we had to roll out a new release with an updated SSL certificate bundle manually to fix our automated system management. This removes support for Graylog and the docsplit package because they need old Java versions that don’t build anymore.

Gentoo platform

• SSH: use secure key exchange algorithms, ciphers and MACs like on our NixOS platforms (#141842).

Detailed Changes

• NixOS 21.05: platform code