Release 2025_036 (2025-10-06)

Impact

25.05

  • grafana.service will be restarted

NixOS 25.05 platform

  • loghost/graylog: Fix LDAP by pinning Java to a known good version. (PL-133980)

  • hardware: Remove settings for aggressive filesystem caching from the default hardware profile. They are no longer appropriate given the widespread adoption of SSD-backed storage.

    Add a NixOS option increaseVfsCacheWeight in the backyserver role to allow enabling the previous behaviour on old HDD-based backup servers which may still benefit from increased caching. (PL-133712)

  • nixos/nginx: Add a deprecation warning for virtualHosts.<name>.emailACME, as this option is deprecated and will be removed with fc-nixos 25.11. (PL-131381)

  • nixos/statshost: Disable default insecure admin user (PL-134036)

    Currently, an insecure default admin user is active, as this is the Grafana default. With this change, this user is disabled on new installations, and our AppOps team will disable the user on existing instances.

  • nixos/nginx: Add a warning for implicitly enabled flyingcircus.services.nginx.virtualHosts.<name>.enableACME, as this behavior is deprecated and will be removed with fc-nixos 25.11. (PL-131381)

  • Pull upstream NixOS changes, security fixes, and package updates:

    • chromedriver: 140.0.7339.185 -> 140.0.7339.207

    • chromium: 140.0.7339.185 -> 140.0.7339.207

    • firefox: 143.0 -> 143.0.1

    • gitaly: 18.3.2 -> 18.4.0

    • gitlab: 18.3.2 -> 18.4.0

    • gitlab-ee: 18.3.2 -> 18.4.0

    • gitlab-pages: 18.3.2 -> 18.4.0

    • gitlab-workhorse: 18.3.2 -> 18.4.0

    • mastodon: 4.3.12 -> 4.3.13

    • phpPackages.composer: 2.8.11 -> 2.8.12

Detailed Changes