Release 2024_006 (2024-02-19)

Impact

• [NixOS 23.11] PostgreSQL and Matomo will be restarted.

NixOS 23.11 platform

• Pull upstream NixOS changes, security fixes and package updates (PL-132189):

  • chromium: 121.0.6167.139 -> 121.0.6167.160

  • github-runner: 2.312.0 -> 2.313.0

  • mastodon: 4.2.5 -> 4.2.6 (CVE-2024-25122, CVE-2024-25062, CVE-2024-25618)

  • postgresql_12: 12.17 -> 12.18 (CVE-2024-0985)

  • postgresql_13: 13.13 -> 13.14 (CVE-2024-0985)

  • postgresql_14: 14.10 -> 14.11 (CVE-2024-0985)

  • postgresql_15: 15.5 -> 15.6 (CVE-2024-0985)

  • webkitgtk: 2.42.4 → 2.42.5 (CVE-2024-23222, CVE-2024-23206, CVE-2024-23213)

• devhost: Varnish listens now on both IPv4 & IPv6 in a dev-host environment (PL-132197).

• mailserver: fix reload of postfix maps declared using the dynamicMaps attribute, like /etc/local/mail/transport. This was stuck until a reboot happened when the postfix-setup unit was triggered explicitly (PL-132085).

• gitlab: introduce flyingcircus.roles.gitlab.hsts which adds HTTP Strict-Transport-Security headers. The option is enabled by default for standard Gitlab installations (where Gitlab is the default vhost) (PL-132164).

• mailserver: imprintUrl now accepts a protocol scheme. Specifying this option without a protocol scheme still works as before, but is deprecated and will raise a warning (PL-132155).

• mongodb is not allowed as an unfree package anymore by default. This change affects the roles: mongodb40 and mongodb42. After checking for SSPL license compliance, add flyingcircus.allowedUnfreePackageNames = [ "mongodb" ]; to local VM config to allow installation (PL-132080).

• webgateway/nginx: revert the Nginx rate limiting settings introduced with the previous release 2024_005. These limits are too strict for some use cases and blocked legitimate traffic. We are working on a better solution which is configurable and has defaults that don’t affect applications (PL-131836).

• Production channel URL for this release: https://hydra.flyingcircus.io/build/378017/download/1/nixexprs.tar.xz

NixOS 23.05 platform

• mongodb is not allowed as an unfree package anymore by default. This change affects the role mongodb42. After checking for SSPL license compliance, add flyingcircus.allowedUnfreePackageNames = ["mongodb"]; to local VM config to allow installation (PL-132080).

• Production channel URL for this release: https://hydra.flyingcircus.io/build/377875/download/1/nixexprs.tar.xz

NixOS 22.11 platform

• mongodb is not allowed as an unfree package anymore by default. This change affects the roles: mongodb40 and mongodb42. After checking for SSPL license compliance, add flyingcircus.allowedUnfreePackageNames = ["mongodb"]; to local VM config to allow installation (PL-132080).

• Production channel URL for this release: https://hydra.flyingcircus.io/build/377890/download/1/nixexprs.tar.xz

NixOS 22.05 platform

• mongodb is not allowed as an unfree package anymore by default. This change affects the roles: loghost, mongodb40 and mongodb42. After checking for SSPL license compliance, add flyingcircus.allowedUnfreePackageNames = ["mongodb"]; to local VM config to allow installation (PL-132080).

• Production channel URL for this release: https://hydra.flyingcircus.io/build/377651/download/1/nixexprs.tar.xz

Documentation

• slurm: document how to find and kill jobs which consume a lot of memory

Detailed Changes

• NixOS 23.11: platform code, upstream changes

• NixOS 23.05: platform code

• NixOS 22.11: platform code

• NixOS 22.05: platform code