GitLab 17.11 started using rails activeRecord encryption for some values.
Introduce new key files. This is breaking for unstable/25.05.
Also add a test to prevent this from happening unnoticed in the future.
For the future there should also be an option to set multiple activeRecord
keys for rotation.
This feature goes all the way back to v1.20.0 (mid 2023) back when
Forgejo was still a soft-fork and simply used the nixos/gitea module.
The tl;dr:
nixos/gitea enabled it as part of the Gitea 1.20 bump PR, while Forgejo
was still at 1.19.4 and did not support this yet, causing Forgejo to
get restarted after 90s by systemd in a loop. This, among other things,
was part of the reason why Forgejo forked the nixos/gitea module into
nixos/forgejo and it since moving independently in nixpkgs.
systemd-notify provides more accurate service unit states over the
previous service type "simple".
Ref: b61919e5e0
Ref: 44aee34594
Without this fix, when setting `services.tzupdate.enable = true`, the service would never run automatically.
Now, it's actually enabled in systemd and it actually gets executed.
Still, it could be improved with a timer as explained in https://github.com/NixOS/nixpkgs/issues/127984#issuecomment-2512059143, but this makes it at least work out of the box when rebooting the system.
Closes#249767
Before we only created the admin user when passwordFile was set.
Now it is possible to set PAPERLESS_ADMIN_USER and
PAPERLESS_ADMIN_PASSWORD directly to create the admin user, like in the
upstream Docker image.
Instead of duplicating the options from the upstream service file and letting
them get out of sync, use the file directly and only configure the needed
overrides. In particular, the upstream improvements include the mounts not
being globally visible any more, so they can't be used for bypassing nosuid and
the like, and the custom cleanup script that performed the unmount becomes
unnecessary.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
With release 6.0, the themes directory was moved to a different location
and thus the NixOS Redmine module needs to be adjusted. Assets seem to
be stored in public/assets now and so that needs to be handled by the
NixOS module as well.
[1] https://www.redmine.org/issues/41731
Signed-off-by: Felix Singer <felixsinger@posteo.net>
This has been deprecated since before 24.05 was released
and displaying a warning.
This change means that only "managed", i.e.
Nix-native configurations are supported.
Using `systemd.services.<name>.script` pulls in bash in the ExecStart
line for a service. Since our "script" was only one line anyways,
we can inline it to just use ExecStart directly. Losing shell features
shouldn't be detrimental here, as we're not using pipes and there are
no globs to expand.
