Update to NixOS 24.11
I used the NixOS 24.11 release notes and picked out any breaking changes which might relate to us. I could have missed something & would appreciate if someone could glance through them while reviewing.
Surprisingly few changes have been needed, only the keycloak change currently.
Backward Incompatibilities
- lib.escapeShellArg and lib.escapeShellArgs: Arguments that don’t need to be escaped won’t be anymore, which is not breaking according to the functions documentation, but it can cause breakages if used for the non-intended use cases.
  We use all of these in shell commands. So should be okay.
- keycloak was updated to version 25, which introduces new hostname related options. See Upgrading Guide for instructions.
  N.b. It actually upgrades to version 26 as well. Main change is from https://www.keycloak.org/docs/latest/upgrading/index.html#proxy-option-removed
- vaultwarden lost the capability to bind to privileged ports. If you rely on this behavior, override the systemd unit to allow CAP_NET_BIND_SERVICE in your configuration.
  We bind to port 8000. Protected ports are < 1024.
- NetBox was updated to >= 4.1.0. Have a look at the breaking changes of the 4.0 release and the 4.1 release, make the required changes to your database, if needed, then upgrade by setting services.netbox.package = pkgs.netbox_4_1; in your configuration.
  NetBox runs on office, which is not managed by nix.
- The rust.toTargetArch, rust.toTargetOs, rust.toTargetFamily, rust.toTargetVendor, rust.toRustTarget, rust.toRustTargetSpec, rust.toRustTargetSpecShort, and rust.IsNoStdTarget functions are deprecated in favour of the rust.platform.arch, rust.platform.os, rust.platform.target-family, rust.platform.vendor, rust.rustcTarget, rust.rustcTargetSpec, rust.cargoShortTarget, rust.cargoEnvVarTarget, and rust.isNoStdTarget platform attributes respectively.
  We do not use these.
- The dhcpcd service (networking.useDHCP) has been hardened and now runs exclusively as the “dhcpcd” user. Users that were relying on the root privileges in networking.dhcpcd.runHook will have to write specific sudo or polkit rules to allow dhcpcd to perform privileged actions.
  We do not use this.
- grafana has been updated to version 11.3. This version doesn’t support setting http_addr to a hostname anymore, an IP address is expected.
  We do not currently run grafana (I believe we used to).