Release 2026_005 (2026-02-09)
Impact
25.05
more packages are built locally in the VM
Many packages that were previously cached on cache.nixos.org can no longer be pulled from there, due to cascading rebuilds caused by base package updates. All core roles and important packages are still pre-built by FlyingCircus, but VMs using less common packages might now need to build them locally. This can increase load on the machines ahead of the update, while the update is being prepared.
most services will be restarted due to core dependency changes
25.11
Machines will reboot to activate a changed kernel.
NixOS 25.05 platform
haproxy: switch default TLS backend to openssl, as quictls development is abandoned and has known vulnerabilities.
grub: apply patches to make boots from XFS more resilient (PL-135139)
Improve logging and introspection of kernel messages in early boot (PL-135139)
Pull upstream NixOS changes, security fixes, and package updates:
nodejs: 22.20.0 -> 22.21.1
nodejs_20: 20.19.6 -> 20.20.0
nodejs_22: 22.20.0 -> 22.21.1
openssl: 3.4.3 -> 3.4.4
openssl_3: 3.0.18 -> 3.0.19
NixOS 25.11 platform
fc.check-ceph: check_snapshot_restore_fill ignores certain edge cases about empty pools or missing fill stats (PL-134230)
fc.check-ceph: check_snapshot_restore_fill refactoring away from librados python bindings (PL-131408)
k3s: allow service users to access the default Kubernetes config file and interact with the cluster. (PL-134284)
ceph: stagger unset of “noup” flag at maintenance leave to reduce peering storm impact (PL-133952)
k3s: ensure that the frontend role does not set conflicting global mode options in the haproxy configuration. This should avoid issues when enabling the k3s roles in resource groups with existing haproxy configuration. (PL-135086)
nginx/webgateway: all TLS certificates are monitored for expiration now, by connecting to the HTTPS endpoint (check names nginx_https_*) and checking the certificate file directly: ssl_cert_acme_* (as before) or ssl_cert_nginx_* (added for non-ACME certs). Before, we only generated monitoring checks for ACME certs. (PL-134018)
k3s: introduce a new NixOS option flyingcircus.kubernetes.network.enableIPv6 for creating Kubernetes clusters with IPv6 and dual-stack networking enabled. Note that this option should only be set when creating new clusters, and should not be set for existing clusters. For further information, please see the role documentation. (PL-133774)
Adjust the Thunderbird auto-configuration XML after the default ports for IMAP and SMTP were adjusted in accordance with RFC8314 4.1
devhost: allow deployments to skip channel updates.
(companion to https://github.com/flyingcircusio/batou/issues/525)
k3s: document maintenance integration. Agent nodes will be gracefully drained of workloads before entering maintenance. (PL-135128)
Improve logging and introspection of kernel messages in early boot (PL-135139)
Pull upstream NixOS changes, security fixes, and package updates:
asterisk: 22.7.0 -> 22.8.1
chromedriver: 144.0.7559.59 -> 144.0.7559.109
chromium: 144.0.7559.59 -> 144.0.7559.109
element-web: 1.12.7 -> 1.12.9
firefox: 147.0.1 -> 147.0.2
gitaly: 18.6.3 -> 18.6.4
github-runner: 2.330.0 -> 2.331.0
gitlab-container-registry: 4.33.0 -> 4.34.0
gitlab-ee: 18.6.3 -> 18.6.4
gitlab-pages: 18.6.3 -> 18.6.4
gitlab-workhorse: 18.6.3 -> 18.6.4
gitlab: 18.6.3 -> 18.6.4
grafana: 12.3.1 -> 12.3.2
grub2: 2.12 -> 2.12.1
imagemagick6: 6.9.13-10 -> 6.9.13-38
k3s: 1.34.2+k3s1 -> 1.34.3+k3s1
k3s_1_32: 1.32.10+k3s1 -> 1.32.11+k3s1
k3s_1_33: 1.33.6+k3s1 -> 1.33.7+k3s1
keycloak: 26.5.1 -> 26.5.2
linuxKernelStable: 6.12.66 -> 6.12.68
linuxKernelVerify: 6.12.66 -> 6.12.68
mastodon: 4.5.4 -> 4.5.5
matrix-synapse: 1.145.0 -> 1.146.0
openssl_3: 3.0.18 -> 3.0.19
tomcat10: 10.1.50 -> 10.1.52
uv: 0.9.26 -> 0.9.28
Detailed Changes
NixOS 25.05: platform code, nixpkgs/upstream changes, metadata, channel url
NixOS 25.11: platform code, nixpkgs/upstream changes, metadata, channel url