Release 2026_012 (2026-04-07)¶

Impact¶

Machines will reboot to activate the changed kernel.
varnish-7.x is still default for the webproxy role but has known vulnerabilities. Consider updating to varnish-8.0 by setting services.varnish.package = pkgs.varnish80;. Note the breaking changes of that updated.
- Vulnerability VSV00018 is already mitigated by additional config in our webproxy role.
- Nonetheless, other upcoming security vulnerabilities will not be fixed for varnish-7.x.

gitlab: run container registry migrations for instances that use a database as backend (PL-135270)
flyingcircus-physical: show grub-bios bootloader menu over serial console as well (PL-130728)
Hotfix upgrade for skvaider (AI API). (PL-135254)
provide varnish80 package (PL-135243)
Add extra configuration to Varnish’s default VCL that mitigates VSV00018 (FC-52533)
fc-ceph: Add locking to internal object storage accounting to prevent race conditions (PL-128135)
backy: make whole object diff configurable and disable by default. (PL-134246)
Pull upstream NixOS changes, security fixes, and package updates:
- chromedriver: 146.0.7680.153 -> 146.0.7680.164
- chromium: 146.0.7680.153 -> 146.0.7680.164
- discourse: 2025.12.2 -> 2026.1.2
- firefox: 148.0.2 -> 149.0
- gitaly: 18.9.2 -> 18.9.3
- gitlab: 18.9.2 -> 18.9.3
- gitlab-container-registry: 4.37.0 -> 4.39.0
- gitlab-ee: 18.9.2 -> 18.9.3
- gitlab-pages: 18.9.2 -> 18.9.3
- gitlab-workhorse: 18.9.2 -> 18.9.3
- grafana: 12.3.5 -> 12.3.6
- keycloak: 26.5.5 -> 26.5.6
- linuxKernelStable: 6.12.76 -> 6.12.78
- linuxKernelVerify: 6.12.76 -> 6.12.78
- mastodon: 4.5.7 -> 4.5.8
- matrix-synapse: 1.149.1 -> 1.150.0
- nginx: 1.28.2 -> 1.28.3
- nginxMainline: 1.29.5 -> 1.29.7
- nginxStable: 1.28.2 -> 1.28.3
- nodejs_20: 20.20.1 -> 20.20.2
- nss_latest: 3.121 -> 3.122
- strongswan: 6.0.4 -> 6.0.5
- uv: 0.9.29 -> 0.9.30