Release 2025_046 (2025-12-08)

Impact

25.05

  • k3s clusters with custom clusterDns, podCidr, or serviceCidr values will fail to evaluate until adapted. See the change description below for details.

  • Machines will reboot to activate the changed kernel.

25.11

NixOS 25.05 platform

  • k3s clusters: options clusterDns, podCidr, serviceCidr are now a list

    affected roles: k3s-agent, k3s-server, k3s-single-node, webgateway when in a resource group with k3s nodes (PL-133889)

    The options clusterDns, podCidr, serviceCidr in the namespace flyingcircus.kubernetes.network have changed from option type string to a list of strings. This better reflects the ability to specify multiple IP address entries and process them in other parts of the configuration.
    Deployments deviating from the default option value require manual adjustment of the option. The new system will fail to evaluate, preventing this release from being installed automatically until the configuration value has been adjusted.

  • ai-model-server: GPU monitoring amd_rocm_smi plugin: ensure all global tags are included, but only include ROCm-specific tags that do not endanger label cardinality. Note: we include all fields; some are converted to tags, but those are fine.

  • nixos/k3s: Fix resolving of cluster-internal hostnames in our frontend module (PL-134217)

  • KVM hosts: fix a regression in maintenance handling (PL-134247). fc.qemu accidentally discarded return codes set via sys.exit and replaced them with 0, rendering maintenance guards ineffective.
    Has been released as a hotfix to affected hosts ahead of schedule.

  • Pull upstream NixOS changes, security fixes, and package updates:

    • firefox: 145.0.1 -> 145.0.2

    • gitaly: 18.5.2 -> 18.6.1

    • gitlab: 18.5.2 -> 18.6.1

    • gitlab-container-registry: 4.31.0 -> 4.32.0

    • gitlab-ee: 18.5.2 -> 18.6.1

    • gitlab-pages: 18.5.2 -> 18.6.1

    • gitlab-workhorse: 18.5.2 -> 18.6.1

    • grafana: 12.0.6 -> 12.0.7

    • linuxKernelStable: 6.12.58 -> 6.12.59

    • linuxKernelVerify: 6.12.58 -> 6.12.59

    • mastodon: 4.3.14 -> 4.3.15

    • percona: 8.0.43-34 -> 8.0.44-35

    • percona-server_8_0: 8.0.43-34 -> 8.0.44-35

    • percona80: 8.0.43-34 -> 8.0.44-35

    • php83: 8.3.27 -> 8.3.28

    • php84: 8.4.14 -> 8.4.15

    • webkitgtk: 2.50.1 -> 2.50.2

NixOS 25.11 platform

  • KVM hosts: fix a regression in maintenance handling (PL-134247). fc.qemu accidentally discarded return codes set via sys.exit and replaced them with 0, rendering maintenance guards ineffective.
    Has been released as a hotfix to affected hosts ahead of schedule.

  • Pull upstream NixOS changes, security fixes, and package updates:

    • matrix-synapse: 1.142.1 -> 1.143.0
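
The failure class behind the KVM maintenance-handling fix (PL-134247), as an added example that is not fc.qemu's code: an entry point that swallows SystemExit turns a guard's non-zero exit status into 0, so the caller sees no objection. The guard, the exit code 75 and the broad except clause are assumptions chosen for illustration; the release note does not say how fc.qemu lost the code.

```python
import subprocess
import sys

# Constructed guard: signals "not safe to proceed" by calling sys.exit(75).
# The exit code value and all names here are hypothetical.
GUARD_BODY = """
import sys

def guard():
    sys.exit(75)   # constructed: guard refuses maintenance
"""

# Broken entry point: a broad cleanup handler swallows SystemExit,
# so the interpreter finishes normally and the process status is 0.
BROKEN_ENTRY = GUARD_BODY + """
try:
    guard()
except BaseException:
    pass            # cleanup path that loses the exit code
"""

# Fixed entry point: cleanup runs in `finally`, SystemExit propagates.
FIXED_ENTRY = GUARD_BODY + """
try:
    guard()
finally:
    pass            # cleanup still runs, exit code is preserved
"""


def run_guard(source: str) -> int:
    """Run a guard script in a child interpreter and return its exit status."""
    return subprocess.run([sys.executable, "-c", source], check=False).returncode


def maintenance_allowed(source: str) -> bool:
    """Caller's view: exit status 0 means the guard raised no objection."""
    return run_guard(source) == 0


def main() -> None:
    for name, src in (("broken", BROKEN_ENTRY), ("fixed", FIXED_ENTRY)):
        print(f"{name}: status={run_guard(src)} allowed={maintenance_allowed(src)}")


if __name__ == "__main__":
    main()
```

A regression test that runs the real entry point as a subprocess and asserts on its exit status catches this kind of change before it reaches hosts.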

Detailed Changes