Merge branch 'fc-24.05-dev' into PL-132331-userscan-dont-scan-maildir

.hydra/config.json

@@ -4,7 +4,7 @@
     "inputs": {
         "nixpkgs": {
             "type": "git",
-            "value": "https://github.com/flyingcircusio/nixpkgs.git nixos-23.11",
+            "value": "https://github.com/flyingcircusio/nixpkgs.git nixos-24.05",
             "emailresponsible": false
         },
         "platformDoc": {
@@ -19,7 +19,7 @@
         },
         "branch": {
             "type": "string",
-            "value": "fc-23.11-dev",
+            "value": "fc-24.05-dev",
             "emailresponsible": false
         }
     }

.hydra/project.json

@@ -12,7 +12,7 @@
     "inputs": {
         "generator_config": {
             "type": "git",
-            "value": "https://github.com/flyingcircusio/fc-nixos.git fc-23.11-dev",
+            "value": "https://github.com/flyingcircusio/fc-nixos.git fc-24.05-dev",
             "emailresponsible": false
         },
         "inputPath": {

README.md

@@ -140,7 +140,7 @@ We use our [nixpkgs fork](https://github.com/flyingcircusio/nixpkgs) and the nix
 
 The typical workflow for a nixpkgs update looks like this (run in the dev shell):
 
-1. Rebase local nixpkgs onto current upstream version: `update_nixpkgs --nixpkgs-path ~/worksets/nixpkgs/fc/nixos-23.11 nixpkgs`
+1. Rebase local nixpkgs onto current upstream version: `update_nixpkgs --nixpkgs-path ~/worksets/nixpkgs/fc/nixos-24.05 nixpkgs`
 2. Update `versions.json` and `package-versions.json` (must be able to talk to hydra01): `update_nixpkgs fc-nixos`
 3. Create a draft PR with the changes and wait until Hydra finishes building.
 4. When Hydra is green, try it out on a test VM. Don't forget to run `build_channels_dir` if you haven't set up direnv!

doc/default.nix

@@ -9,8 +9,8 @@
 # --arg docObjectsInventory https://hydra.flyingcircus.io/job/flyingcircus/doc-test/platformDoc/latest/download-by-type/file/inventory
 
 {
-  pkgs ? import (fetchTarball https://hydra.flyingcircus.io/build/207931/download/1/nixexprs.tar.xz) {}
-, branch ? "23.11"
+  pkgs ? import (fetchTarball https://hydra.flyingcircus.io/build/402189/download/1/nixexprs.tar.xz) {}
+, branch ? "24.05"
 , updated ? "1970-01-01 01:00"
 , docObjectsInventory ? null # path to objects.inv generated by flyingcircusio/doc
 , failOnWarnings ? false
@@ -21,7 +21,9 @@ let
     linkify-it-py
     myst-docutils
     sphinx
+    sphinx-copybutton
     sphinx_rtd_theme
+    furo
   ]);
   rg = "${pkgs.ripgrep}/bin/rg";
 

doc/src/_static/flyingcircus.css

@@ -1,10 +1,31 @@
+@import "https://flyingcircus.io/fileadmin/global-data/fira/fira-small.css";
 
-img.logo {
-    float: right;
-    margin-left: 2em;
-    margin-bottom: 2em;
+.highlight {
+    background: var(--color-highlight-on-target);
 }
 
-img.logo.frame {
-    border:2px solid black;
+h1, h2, h3, h4, h5, h6 {
+    color: var(--color-headings);
+}
+
+/* Layout */
+.sidebar-logo {
+    width: 80%;
+    max-width: 300px;
+    margin: 0;
+}
+
+.sidebar-container {
+    box-sizing: border-box;
+    width: 85%;
+}
+
+.toctree-l1,
+ul,
+ul ul {
+    list-style-type: square;
+}
+
+li::marker {
+    color: var(--color-brand-content);
 }

doc/src/base.md

@@ -55,7 +55,7 @@ You can look up packages and their descriptions via the [NixOS Package Search](h
 - netcat
 - ngrep
 - nix-top
-- nixfmt
+- nixfmt-rfc-style
 - nmap
 - nvd
 - openssl

doc/src/conf.py

@@ -34,10 +34,28 @@
 
 # The theme to use for HTML and HTML Help pages.  Major themes that come with
 # Sphinx are currently 'default' and 'sphinxdoc'.
-import sphinx_rtd_theme
-
-html_theme = "sphinx_rtd_theme"
-html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
+import furo
+
+html_theme = "furo"
+
+html_theme_options = {
+    "sidebar_hide_name": True,
+    "dark_logo": "RZ_FC-Logo_RGB_INV-BL_100-1080.svg",
+    "dark_css_variables": {
+        "color-brand-content": "#a9d2b6",
+        "color-brand-primary": "#a9d2b6",
+        "color-highlight-on-target": "#666",
+        "color-headings": "#fff",
+    },
+    "light_logo": "RZ_FC-Logo_RGB_100-1080.svg",
+    "light_css_variables": {
+        "color-brand-content": "#52a46c",
+        "color-brand-primary": "#52a46c",
+        "color-highlight-on-target": "#f2f5f8",
+        "color-headings": "#002855",
+        "font-stack": "Fira Sans, Helvetica, Arial, sans-serif",
+    },
+}
 
 # The name for this set of Sphinx documents.  If None, it defaults to
 # "<project> v<release> documentation".
@@ -48,7 +66,7 @@
 
 # The name of an image file (relative to this directory) to place at the top
 # of the sidebar.
-html_logo = "images/flying-circus-logo.png"
+# html_logo = "images/flying-circus-logo.png"
 
 # The name of an image file (within the static path) to use as favicon of the
 # docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32

doc/src/docker.md

@@ -39,9 +39,9 @@ Currently, docker is using the `overlay2` storage driver for new installations.
 
 For existing installations, Docker auto-detects the storage driver if not configured explicitly.
 
-Older versions of docker (NixOS 15.09) used the `devicemapper` storage driver which has been deprecated for some time. It will be removed in a future version of Docker.
+Older versions of docker (NixOS 15.09) used the `devicemapper` storage driver which has been deprecated for some time. It will be removed in version 25 of Docker.
 
-On 23.11, docker refuses to start if it detects `devicemapper` and is not explicitly configured to use it. You can still choose to continue using `devicemapper` or migrate to `overlay2`.
+On 24.05, docker refuses to start if it detects `devicemapper` and is not explicitly configured to use it. You can still choose to continue using `devicemapper` or migrate to `overlay2`.
 
 To find out which storage driver Docker is using, run as service user:
 
@@ -53,6 +53,13 @@ Docker also logs warnings to the journal on startup if it is using `devicemapper
 
 ### Continue using devicemapper
 
+:::{warning}
+As Docker 25 has removed the *devicemapper* backend, it is now clear that storage driver
+migration has to happen. We expect that Docker >= 25 might become the new default in the next
+platform release 24.11, so be prepared to have a migration plan for all containers that need
+to persist until then.
+:::
+
 Add {ref}`custom NixOS config <nixos-local>` like:
 
 ```nix

doc/src/fc_collect_garbage_userscan.md

@@ -93,6 +93,11 @@ Currently, the following paths are ignored:
 **/journal/
 **/lucene/
 **/solr/data/
+# Very big, has misleading store paths which shouldn't be registered.
+**/nixpkgs*/
+# If we missed a nixpkgs directory: test files from this directory trip
+# userscan over as they contain store paths which are too long on purpose.
+**/pkgs/test/make-binary-wrapper/*
 # Files in sub-directories to ignore (anywhere in the home directory)
 **/.local/share/fish/fish_history
 **/diagnostic.data/metrics.*

doc/src/lamp.md

@@ -227,15 +227,6 @@ know what you are doing. ;) )
 For more information about PHP packaging on Nix, refer to the
 [PHP section of the Nixpkgs manual](https://nixos.org/manual/nixpkgs/stable/#sec-php).
 
-### `flyingcircus.roles.lamp.tideways_api_key` (optional)
-
-If you have an account with tideways.com then you can quickly enable the
-tideways profiler for your application by setting the API key here:
-
-```Nix
-flyingcircus.roles.lamp.tideways_api_key = "my-api-key";
-```
-
 ### `flyingcircus.roles.lamp.php_ini` (optional)
 
 We deliver a production-tested PHP configuration that you can extend by placing
@@ -277,17 +268,6 @@ The Apache server listens on the {external+doc:ref}`srv interface <logical-netwo
 - Access is read-only for Apache by default, but you can grant write access for
   directories by running :command:`chmod g+rwsx` on the directory.
 
-## Debugging
-
-To assist with debugging we have integrated the [Tideways application performance monitoring](https://tideways.com/) daemon and PHP module by default.
-
-To enable it, you just have to place your Tideways API key in {file}`/etc/local/lamp/php.ini`:
-
-```console
-$ echo "tideways.api_key=<secretapikey>" >> /etc/local/lamp/php.ini
-$ sudo fc-manage -b
-```
-
 ## Logging
 
 Apache logs are available in {file}`/var/log/httpd`.

doc/src/local.md

@@ -83,6 +83,6 @@ Run `sudo fc-manage -b` to activate the changes (**may restart services!**).
 For more information about writing NixOS modules, refer to the
 [NixOS manual](https://nixos.org/nixos/manual/index.html#sec-writing-modules)
 
-Look up NixOS options here, with channel *23.11* selected:
+Look up NixOS options here, with channel *24.05* selected:
 
 [https://nixos.org/nixos/options.html](https://nixos.org/nixos/options.html)

doc/src/mailserver.md

@@ -13,9 +13,6 @@ spam control.
 User accounts can be created/modified dynamically. There is, however, no default
 mechanism for user management besides text files.
 
-```{contents}
-```
-
 ## Which components are included?
 
 The main ingredients of this role are [Postfix] for mail delivery, [Dovecot] as

doc/src/mongodb.md

@@ -5,7 +5,7 @@
 :::{warning}
 Platform support for MongoDB will be discontinued. The supported MongoDB
 versions are outdated and are only provided for the purpose of upgrading
-older machines to 23.11.
+older machines to 24.05.
 
 New projects should not use MongoDB. As a replacement, we offer a
 {ref}`FerretDB role <nixos-ferretdb>` which is currently in beta.

doc/src/mysql.md

@@ -4,14 +4,30 @@
 
 This component sets up a managed instance of the MySQL database server.
 
+We use the [Percona Distribution for MySQL](https://percona.com/software/mysql-database)
+which provides useful improvements over the standard Oracle MySQL/MariaDB implementations.
+
+(nixos-mysql-versions)=
+
+## Supported versions
+
 There's a role for each supported major version, currently:
 
 - mysql57: Percona 5.7.x (End-of-life)
-- percona80: Percona 8.0.x
-- percona81: Percona 8.1.x
-
-We use the [Percona Distribution for MySQL](https://percona.com/software/mysql-database)
-which provides useful improvements over the standard Oracle MySQL/MariaDB implementations.
+- percona80: Percona 8.0.x (*LTS* release)
+- percona83: Percona 8.3.x (*Innovation* release)
+
+Percona and MySQL currently follow a [two-fold release model](https://www.percona.com/blog/lts-and-innovation-releases-for-percona-server-for-mysql/)
+and provide support for 2 releases in parallel:
+
+- *LTS (recommended)*: These long-term support releases are supported throughout the full release life-time
+  of this NixOS platform release and only receive minor bug and security fixes.
+- *Innovation*: A new innovation release is made roughly each quarter of a year,
+  containing new features and potentially breaking changes.\
+  Please note that these releases won't receive any further upstream support once the successor
+  is out. Our platform will keep each Innovation release made during the release life-time
+  available, enabling you to update at your own pace. But we won't backport changes from
+  newer Percona Innovation releases.
 
 ## Configuration
 

doc/src/opensearch.md

@@ -2,7 +2,7 @@
 
 # OpenSearch
 
-Managed instance of [OpenSearch](https://opensearch.org) in version 2.11.x.
+Managed instance of [OpenSearch](https://opensearch.org) in version 2.14.x.
 
 
 ## Interaction
@@ -141,11 +141,11 @@ The current upgrade path is:
 
 - On 22.11, switch from Elasticsearch 6 to 7 and reindex.
 - Migrate from Elasticsearch 7 to OpenSearch.
-- Upgrade the VM to 23.11 which also upgrades OpenSearch.
+- Upgrade the VM to 24.05 which also upgrades OpenSearch.
 
 See the [22.11 OpenSearch role docs](https://doc.flyingcircus.io/roles/fc-22.11-production/opensearch.html#migrate-upgrade-from-elasticsearch) for the migration process.
 
-We will provide Elasticsearch roles on 23.11 in the future to allow upgrading the VM first
+We will provide Elasticsearch roles on 24.05 in the future to allow upgrading the VM first
 while keeping the same ES versions. You can migrate to OpenSearch later.
 
 ## Monitoring