docs: 23.05 upgrade docs and other version changes

Author: dpausp

doc/default.nix

@@ -10,7 +10,7 @@
 
 {
   pkgs ? import (fetchTarball https://hydra.flyingcircus.io/build/207931/download/1/nixexprs.tar.xz) {}
-, branch ? "22.11"
+, branch ? "23.05"
 , updated ? "1970-01-01 01:00"
 , docObjectsInventory ? null # path to objects.inv generated by flyingcircusio/doc
 , failOnWarnings ? false

doc/src/kubernetes.md

@@ -30,7 +30,7 @@ run in a process called the `k3s agent`. We will prefer to use the words
 `server` and `agent` through the remainder of this document.
 :::
 
-We provide version 1.25.x of k3s.
+We provide version 1.26.x of k3s.
 
 ## Reference architecture and minimal resource requirements
 

doc/src/local.md

@@ -83,6 +83,6 @@ Run `sudo fc-manage -b` to activate the changes (**may restart services!**).
 For more information about writing NixOS modules, refer to the
 [NixOS manual](https://nixos.org/nixos/manual/index.html#sec-writing-modules)
 
-Look up NixOS options here, with channel *22.11* selected:
+Look up NixOS options here, with channel *23.05* selected:
 
 [https://nixos.org/nixos/options.html](https://nixos.org/nixos/options.html)

doc/src/mongodb.md

@@ -5,12 +5,8 @@
 Managed instance of [MongoDB](https://www.mongodb.com).
 There's a role for each supported major version, currently:
 
-- mongodb36
-- mongodb40
 - mongodb42
 
-Versions before 4.2 are end-of-life and should be upgraded.
-
 ## Configuration
 
 MongoDB works out-of-the box without configuration.
@@ -33,7 +29,7 @@ current running mongodb version.
 Set the compatibility version in the {command}`mongo` Shell, for example:
 
 ```
-db.adminCommand( { setFeatureCompatibilityVersion: "3.6" } )
+db.adminCommand( { setFeatureCompatibilityVersion: "4.2" } )
 ```
 
 To upgrade, disable the current role and enable the role for the next major version.

doc/src/slurm.md

@@ -15,7 +15,7 @@ documented below.
 The remainder of this documentation assumes that you are aware of the basics of
 Slurm and understand the general terminology.
 
-We provide version 22.5.0 of Slurm.
+We provide version 23.2.0 of Slurm.
 
 ## Basic architecture and roles
 

doc/src/upgrade.md

@@ -15,11 +15,8 @@ Contact our {ref}`support` for upgrade assistance.
 
 ## Overview
 
-- Status: stable
-- First production release: [2023_005 (2023-03-13)](https://doc.flyingcircus.io/platform/changes/2023/r005.html)
-- Added roles: postgresql15
-- Removed roles: {ref}`graylog, loghost, loghost-location <nixos-upgrade-loghost>`, {ref}`kibana, kibana6, kibana7 <nixos-upgrade-kibana>`, {ref}`postgresql10 <nixos-upgrade-postgresql>`
-- Roles with significant breaking changes: {ref}`nginx, webgateway <nixos-upgrade-webgateway>`, {ref}`nixos-upgrade-statshost-master`
+- Status: staging/non-production
+- Removed roles: {ref}`elasticsearch6, elasticsearch7 <nixos-upgrade-elasticsearch>`
 
 
 ## Why upgrade? Security
@@ -32,7 +29,7 @@ We do back-ports for critical security issues but this may take longer in some
 cases and less important security fixes will not be back-ported most of the time.
 
 NixOS provides regular security updates for about one month after the release.
-Upstream support for 22.11 ends on **2023-06-30**.
+Upstream support for 23.05 ends on **2023-12-31**.
 
 New platform features are always developed for the current stable platform version
 and only critical bug fixes are back-ported to older versions.
@@ -115,119 +112,84 @@ following common breaking changes and role-specific notes below.
 
 ### Common breaking changes
 
-- Deprecated settings `logrotate.paths` and `logrotate.extraConfig` have been
-  removed. Please convert any uses to `services.logrotate.settings`
-  before upgrading.
+- `libxcrypt`, the library providing the `crypt(3)` password hashing function,
+  is now built without support for algorithms not flagged[`strong`]
+  (https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48)
+  in NixOS 23.05. We added a variant package called `libxcrypt-with-sha256`
+  which also enables the `sha256` algorithm. OpenLDAP, Dovecot, Postfix,
+  cyrus_sasl use that version by default. New password hashes should use
+  strong algorithms like `yescrypt`.
+- `podman` now uses the `netavark` network stack. Users will need to delete
+  all of their local containers, images, volumes, etc, by running `podman
+  system reset --force` once before upgrading their systems.
 
-(nixos-upgrade-webgateway)=
 
-### webgateway
+(nixos-upgrade-elasticsearch)=
 
-**Nginx** now uses the *nginx* user to run the main process. Before, only
-worker processes ran as *nginx* and the main process as *root* to allow
-reading SSL certificates from arbitrary directories, like deployments in
-`/srv/s-user`, for example.
-
-Normally, the built-in support for Letsencrypt should be used to avoid
-permission problems and make sure that certificates are rotated
-automatically.
-
-If using other SSL certificates cannot be avoided, make sure
-that permissions allow read access for the *nginx* user, for example by
-applying `setfacl -Rm u:nginx:rX` to the certificate directory.
-
-It's also possible to keep the old behavior for some time by adding as
-{ref}`nixos-custom-modules` before the upgrade:
-
-```nix
-# /etc/local/nixos/nginx-master-user-root.nix
-{
-  services.nginx.masterUser = "root";
-}
-```
-
-This setting will trigger a deprecation warning on 23.05 and be removed in a
-later version.
-
-(nixos-upgrade-statshost-master)=
-
-### statshost-master
-
-The options to add custom Grafana config have changed.
-
-`services.grafana.extraOptions` has been removed and free-form config
-settings moved to `services.grafana.settings`. For example,
-`services.grafana.smtp.port` is now at `services.grafana.settings.smtp.port`.
-
-For a detailed migration guide, please look at the
-[NixOS 22.11 release notes](https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-22.11-notable-changes).
-
-### nginx
-
-See {ref}`nixos-upgrade-webgateway`.
-
-(nixos-upgrade-postgresql)=
-
-### postgresql
-
-The `postgresql10` role has been removed. {ref}`Upgrade the database <nixos-postgresql-major-upgrade>`
-to a newer role version before the platform upgrade.
-
-The `postgresql15` role is now available.
-
-(nixos-upgrade-kibana)=
-
-### kibana
-
-All `kibana*` roles have been removed. Machines that use kibana should stay on
-22.05 for now. We are working on
-[OpenSearch](https://opensearch.org/)/[OpenSearch Dashboards](https://opensearch.org/docs/latest/dashboards/quickstart-dashboards/)
-roles for 22.11 which will replace Elasticsearch/Kibana in the future.
-
-(nixos-upgrade-loghost)=
-
-### loghost
-
-`graylog` and `loghost*` roles have been removed. Machines that use these
-roles should stay on 22.05. We are working on a new logging stack for 22.11
-which will be based on [Grafana Loki](https://grafana.com/oss/loki/).
+### Elasticsearch
 
+`elasticsearch6` and `elasticsearch7` roles have been removed. Machines that use these
+roles should stay on 22.11 and migrate to Opensearch before upgrading.
 
 ## Other notable changes
 
-- PHP is now built in NTS (Non-Thread Safe) mode by default. For Apache and
-  mod_php usage, we enable ZTS (Zend Thread Safe) mode. This has been a
-  common practice for a long time in other distributions.
-- openssh was updated to version 9.1, disabling the generation of DSA keys
-  when using `ssh-keygen -A` as they are insecure. Also, `SetEnv` directives
-  in `ssh_config` and `sshd_config` are now first-match-wins.
-- Python now defaults to 3.10, updated from 3.9. Python 3.11 is now stable.
-- PHP now defaults to PHP 8.1, updated from 8.0.
-- OpenSSL now defaults to OpenSSL 3, updated from 1.1.1.
-- The `nodePackages` package set now defaults to the LTS release in the `nodejs`
-  package again, instead of being pinned to `nodejs_14`. `nodejs_10` has
-  been removed.
+- NixOS now defaults to using nsncd (a non-caching reimplementation in Rust)
+  as NSS lookup dispatcher, instead of the buggy and deprecated
+  glibc-provided nscd.
+- The `NodeJS` packages have been renamed to a more usual naming scheme,
+  for example `nodejs-19_x` is now `nodejs_19`.
+- The `dnsmasq` service now takes configuration via the
+  `services.dnsmasq.settings` attribute set. The option
+  `services.dnsmasq.extraConfig` will be deprecated when NixOS 22.11 reaches
+  end of life.
+- PostgreSQL has opt-in support for [JIT compilation]
+  (https://www.postgresql.org/docs/current/jit-reason.html). It can be
+  enabled like this:
+  ```nix
+  {
+    services.postgresql = {
+      enableJIT = true;
+    };
+  }
+  ```
+- `openjdk` from version 11 and above is not build with `openjfx`
+  (i.e.: JavaFX) support by default anymore. You can re-enable it by
+  overriding, e.g.: `openjdk11.override { enableJavaFX = true; };`.
+- A new option `recommendedBrotliSettings` has been added to `services.nginx`.
+  Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md).
+- `vim_configurable` has been renamed to `vim-full` to avoid confusion:
+  `vim-full`'s build-time features are configurable, but both `vim` and
+  `vim-full` are _customizable_ (in the sense of user configuration, like
+  vimrc).
 - For more details, see the
-  [release notes of NixOS 22.11](https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-22.11-notable-changes).
+  [release notes of NixOS 23.05](https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-23.05-notable-changes).
 
 
 ## Significant package updates
 
-- docker-compose: 1.29 -> 2.12
-- git: 2.36 -> 2.38
-- gitlab: 15.4.6 -> 15.8.4
-- glibc: 2.34 -> 2.35
-- haproxy: 2.5 -> 2.6
-- k3s: 1.23 -> 1.25
-- keycloak: 18 -> 20
-- nix: 2.8 -> 2.11
-- openssh: 9.0 -> 9.1
-- postfix: 3.6.6 -> 3.7.3
-- powerdns: 4.6 -> 4.7
-- rabbitmq: 3.9 -> 3.10
-- roundcube: 1.5 -> 1.6
-- systemd: 250 -> 251
-- telegraf: 1.22 -> 1.24
-- varnish: 7.1 -> 7.2
-- zlib: 1.2.12 -> 1.2.13
-- zsh: 5.8 -> 5.9
+- asterisk: 19.8.0 -> asterisk-20.2.1
+- bash: 5.1 -> 5.2
+- binutils: 2.39 -> 2.40
+- bundler: 2.3 -> 2.4
+- curl: 7.86.0 -> 8.0
+- dnsmasq: 2.87 -> 2.89
+- docker-compose: 2.12 -> 2.17
+- ffmpeg: 4.4.2 -> 5.1
+- gcc: 11 -> 12
+- git: 2.38 -> 2.40
+- glibc: 2.35 -> 2.37
+- grafana: 9.4 -> 9.5
+- haproxy: 2.6 -> 2.7
+- k3s: 1.25 -> 1.26
+- kubernetes-helm: 3.10 -> 3.11
+- linux: 5.15 -> 6.1
+- nginx: 1.22 -> 1.24
+- nss-cacert: 3.86 -> 3.89
+- openjdk: 17 -> 19 (same for other Java default packages like `jre`)
+- openssh: 9.1 -> 9.3
+- podman: 4.3 -> 4.5
+- rabbitmq-server: 3.10 -> 3.11
+- ruby: 2.7 -> 3.1
+- systemd: 251 -> 253
+- telegraf: 1.24 -> 1.26
+- xfsprogs: 5.19 -> 6.2

doc/src/user_profile.md

@@ -35,7 +35,7 @@ Create a file like {file}`myproject_env.nix` which specifies the packages to be
 let
   # Imports. Which package sources should be used?
   # Use a pinned platform version
-  # pkgs = import (fetchTarball https://hydra.flyingcircus.io/build/176012/download/1/nixexprs.tar.xz) {};
+  # pkgs = import (fetchTarball https://hydra.flyingcircus.io/build/259314/download/1/nixexprs.tar.xz) {};
   # ...or just use the current version of the platform
   pkgs = import <nixpkgs> {};
 in
@@ -53,7 +53,7 @@ pkgs.buildEnv {
 ```
 
 The code shown above defines an environment with 5 packages installed from a
-specific build of our NixOS 22.05 platform.
+specific build of our NixOS 23.05 platform.
 The pinned version can be newer or older than the installed system version.
 
 Pinning the version of the import prevents unwanted changes in your
@@ -65,23 +65,23 @@ latest security fixes. NixOS re-uses packages if the wanted version is already
 in the Nix store, saving disk space and reducing installation time.
 
 The URL for the current release can be found in the {ref}`changelog` for the
-22.05 platform.
+23.05 platform.
 
 If you want to try NixOS unstable with the newest packages, get the URL from the channel:
 
 ```
 $ curl -w "%{url_effective}\n" -I -L -s -S $URL -o /dev/null https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz
-https://releases.nixos.org/nixos/unstable/nixos-22.11pre391680.4a01ca36d6b/nixexprs.tar.xz
+https://releases.nixos.org/nixos/unstable/nixos-23.11pre489246.4e37b4e55b6/nixexprs.tar.xz
 ```
 
 Note that the unstable channel may be broken and that upstream NixOS channels
 don't have some additional packages we provide on our platform.
 
-Older NixOS versions than 22.05 usually don't get security updates anymore.
+Older NixOS versions than 22.11 usually don't get security updates anymore.
 
-Links to all platform builds for 22.05 can be found here:
+Links to all staging platform builds for 23.05 can be found here (no production channel, yet):
 
-<https://hydra.flyingcircus.io/job/flyingcircus/fc-22.05-production/release>
+<https://hydra.flyingcircus.io/job/flyingcircus/fc-23.05-staging/release>
 
 See <https://nixos.org/nixos/packages.html> for a list of packages.
 Use the *attribute name* from the list and include it in `paths`.
@@ -199,7 +199,7 @@ You can import packages from different NixOS versions or other sources:
 ```
 let
   pkgs = import <nixpkgs> {};
-  pkgsUnstable = import (fetchTarball https://releases.nixos.org/nixos/unstable/nixos-22.11pre391680.4a01ca36d6b/nixexprs.tar.xz) {};
+  pkgsUnstable = import (fetchTarball https://releases.nixos.org/nixos/unstable/nixos-23.11pre489246.4e37b4e55b6/nixexprs.tar.xz) {};
 in
 pkgs.buildEnv {
   name = "myproject-env";
@@ -211,7 +211,7 @@ pkgs.buildEnv {
 }
 ```
 
-This installs the `zlib` from the platform NixOS version but `libjpeg` from NixOS unstable (here 22.11pre).
+This installs the `zlib` from the platform NixOS version but `libjpeg` from NixOS unstable (here 23.11pre).
 
 % XXX list env vars
 

doc/src/webgateway.md

@@ -8,8 +8,8 @@ failover support.
 
 ## Versions
 
-- HAProxy: 2.6.x
-- Nginx: 1.22.x
+- HAProxy: 2.7.x
+- Nginx: 1.24.x
 
 ## Role architecture