Review 25.05 Upgrade #81

Closed
opened 2025-06-25 23:53:31 +02:00 by fabianhauser · 1 comment
Owner

Things to check out before updating to 25.05:

Possibly breaking changes

- [x] ⚠️ services.nextcloud now uses systemd's credential mechanism to read in secret files. The nextcloud-occ wrapper script implements this using systemd-run; as such, it now also requires root privileges or $CREDENTIALS_DIRECTORY set, where running it as user nextcloud was enough previously.
- [x] ❓ In users.users subuid allocation on systems with multiple users, it could happen that some users' allocated subuid ranges collided with others. Now these users get new subuid ranges assigned. When this happens, a warning is issued on the first activation. If the subuids were used (e.g. with rootless container managers like podman), please change the ownership of affected files accordingly.
- [x] ❓ networking.wireguard.enable = true does not always add wireguard-tools to system packages anymore. Only when wireguard interfaces are configured are the backing implementation packages added to the system PATH.
- [x] ❓ The behavior of the networking.nat.externalIP and networking.nat.externalIPv6 options has been changed. networking.nat.forwardPorts now only forwards packets destined for the specified IP addresses.
- [x] ❓ The behavior of services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers was changed to not include CCMP-256 anymore. Since all configured pairwise ciphers have to be supported by the radio, this caused startup failures on many devices, which is hard to debug in hostapd.
- [x] ❓ The values of services.borgbackup.jobs.*.extraArgs and other extra*Args options are now represented as Bash arrays. If these arguments were modified using services.borgbackup.jobs.*.preHook, they will need to be adjusted to append to these arrays, i.e. ...

Improvements

- [x] ⚠️ Nextcloud's default FPM pool settings have been increased according to upstream recommendations. It's advised to review the new defaults and description of services.nextcloud.poolSettings.
- [ ] 🔒 virtualisation.containers with backend "podman" now supports rootless containers and sd_notify(3) integration based on container healthchecks.
  - This might potentially improve CI safety.
- [ ] https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.filesystem.packagesFromDirectoryRecursive

Potential New Features

- [ ] systemd's systemd-ssh-generator(8) now works out of the box on NixOS. [...]
- [ ] There is a new set of NixOS test tools for testing virtual Wi-Fi networks in many different topologies. See the services.vwifi module, services.kismet NixOS test, and manual for documentation and examples.
  - This might be nice to test our wifi modules. Not of a big importance r/n since still things might break due to hardware...

Interesting New Packages / Projects

- [ncps nix cache](https://github.com/kalbasit/ncps) (I have a feeling that our current cache doesn't perform very well.)
- [pgbackrest](https://pgbackrest.org/)
- https://github.com/timewave-computer/sopsidy to keep some vaultwarden / generated secrets in sync.
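An added pre-upgrade check for the subuid item above (example code, not from this issue or from NixOS): a POSIX shell function that reports colliding ranges in /etc/subuid, plus a helper to locate files owned by uids in a range that is about to be reassigned, so their ownership can be fixed. The /etc/subuid entries below are constructed sample data.

```shell
# Constructed sample in /etc/subuid format ("user:start:count");
# bob's and carol's ranges overlap on purpose, alice's does not.
SAMPLE_SUBUID='alice:100000:65536
bob:165536:65536
carol:200000:65536'

# Print one line per pair of entries whose subuid ranges overlap.
# Reads the file(s) given as arguments (e.g. /etc/subuid), or stdin when none are given.
subuid_overlaps() {
    awk -F: '
        NF == 3 { n++; user[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i])
                        printf "%s (%d-%d) overlaps %s (%d-%d)\n", user[i], lo[i], hi[i], user[j], lo[j], hi[j]
        }' "$@"
}

# List files under a directory whose owner uid lies in [lo, hi], e.g. the
# range a user is losing, so ownership can be changed (needs root to see all files).
files_owned_in_range() {
    find "$1" -xdev -uid +"$(($2 - 1))" -uid -"$(($3 + 1))" 2>/dev/null
}

printf '%s\n' "$SAMPLE_SUBUID" | subuid_overlaps
```

Run `subuid_overlaps /etc/subuid` on the host before switching to 25.05; an empty result means the activation warning about reassigned ranges should not fire for that file.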
fabianhauser added reference renovate/nixpkgs-25.x 2025-06-25 23:53:39 +02:00
fabianhauser added a new dependency 2025-06-25 23:54:27 +02:00
Author
Owner

All blockers have been resolved.


Reference: qo.is/infrastructure#81