unifi7: drop

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -173,6 +173,9 @@
   - `transmission-gtk`: `~/.config/transmission`
   - `transmission-daemon` using NixOS module: `${config.services.transmission.home}/.config/transmission-daemon` (defaults to `/var/lib/transmission/.config/transmission-daemon`)
 
+- `unifi` has been updated to UniFi 8.
+  `unifi7` was removed as it is vulnerable to CVE-2024-42025 and required a version of MongoDB that has reached end of life.
+
 - `androidenv.androidPkgs_9_0` has been removed, and replaced with `androidenv.androidPkgs` for a more complete Android SDK including support for Android 9 and later.
 
 - `grafana` has been updated to version 11.1. This version doesn't support setting `http_addr` to a hostname anymore, an IP address is expected.

nixos/modules/services/networking/unifi.nix

@@ -2,8 +2,8 @@
 let
   cfg = config.services.unifi;
   stateDir = "/var/lib/unifi";
-  cmd = lib.escapeShellArgs ([ "@${cfg.jrePackage}/bin/java" "java" ]
-    ++ lib.optionals (lib.versionAtLeast (lib.getVersion cfg.jrePackage) "16") [
+  cmd = lib.escapeShellArgs ([
+      "@${cfg.jrePackage}/bin/java" "java"
       "--add-opens=java.base/java.lang=ALL-UNNAMED"
       "--add-opens=java.base/java.time=ALL-UNNAMED"
       "--add-opens=java.base/sun.security.util=ALL-UNNAMED"
@@ -27,24 +27,19 @@ in
       '';
     };
 
-    services.unifi.jrePackage = lib.mkOption {
-      type = lib.types.package;
-      default = if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.5") then pkgs.jdk17_headless else if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.3") then pkgs.jdk11 else pkgs.jre8;
-      defaultText = lib.literalExpression ''if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.5") then pkgs.jdk17_headless else if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.3" then pkgs.jdk11 else pkgs.jre8'';
-      description = ''
-        The JRE package to use. Check the release notes to ensure it is supported.
+    services.unifi.jrePackage = lib.mkPackageOption pkgs "jdk" {
+      default = "jdk17_headless";
+      extraDescription = ''
+        Check the UniFi controller release notes to ensure it is supported.
       '';
     };
 
-    services.unifi.unifiPackage = lib.mkPackageOption pkgs "unifi5" { };
+    services.unifi.unifiPackage = lib.mkPackageOption pkgs "unifi" {
+      default = "unifi8";
+    };
 
     services.unifi.mongodbPackage = lib.mkPackageOption pkgs "mongodb" {
-      default = "mongodb-5_0";
-      extraDescription = ''
-        ::: {.note}
-        unifi7 officially only supports mongodb up until 4.4 but works with 5.0.
-        :::
-      '';
+      default = "mongodb-7_0";
     };
 
     services.unifi.openFirewall = lib.mkOption {
@@ -92,6 +87,29 @@ in
 
   config = lib.mkIf cfg.enable {
 
+    assertions = [
+      {
+        assertion = lib.versionAtLeast config.system.stateVersion "24.11"
+        || (
+          options.services.unifi.unifiPackage.highestPrio < (lib.mkOptionDefault { }).priority
+          && options.services.unifi.mongodbPackage.highestPrio < (lib.mkOptionDefault { }).priority
+        );
+        message = ''
+          Support for UniFi < 8 has been dropped; please explicitly set
+          `services.unifi.unifiPackage` and `services.unifi.mongodbPackage`.
+
+          Note that the previous default MongoDB version was 5.0 and MongoDB
+          only supports migrating one major version at a time; therefore, you
+          may wish to set `services.unifi.mongodbPackage = pkgs.mongodb-6_0;`
+          and activate your configuration before upgrading again to the default
+          `mongodb-7_0` supported by `unifi8`.
+
+          For more information, see the MongoDB upgrade notes:
+          <https://www.mongodb.com/docs/manual/release-notes/7.0-upgrade-standalone/#upgrade-recommendations-and-checklists>
+        '';
+      }
+    ];
+
     users.users.unifi = {
       isSystemUser = true;
       group = "unifi";

nixos/tests/unifi.nix

@@ -31,6 +31,5 @@ let
     '';
   };
 in with pkgs; {
-  unifi7 = makeAppTest unifi7;
   unifi8 = makeAppTest unifi8;
 }

pkgs/servers/unifi/default.nix

@@ -46,13 +46,6 @@ let
 in rec {
   # see https://community.ui.com/releases / https://www.ui.com/download/unifi
 
-  unifi7 = generic {
-    version = "7.5.187";
-    suffix = "-f57f5bf7ab";
-    sha256 = "sha256-a5kl8gZbRnhS/p1imPl7soM0/QSFHdM0+2bNmDfc1mY=";
-    knownVulnerabilities = [ "CVE-2024-42025" ];
-  };
-
   unifi8 = generic {
     version = "8.4.62";
     suffix = "-i3q2j125cz";

pkgs/top-level/aliases.nix

@@ -1606,6 +1606,7 @@ mapAliases {
   unifi-video = throw "unifi-video has been removed as it has been unsupported upstream since 2021"; # Added 2024-10-01
   unifi5 = throw "'unifi5' has been removed since its required MongoDB version is EOL."; # Added 2024-04-11
   unifi6 = throw "'unifi6' has been removed since its required MongoDB version is EOL."; # Added 2024-04-11
+  unifi7 = throw "'unifi7' has been removed since it is vulnerable to CVE-2024-42025 and its required MongoDB version is EOL."; # Added 2024-10-01
   unifiLTS = throw "'unifiLTS' has been removed since UniFi no longer has LTS and stable releases. Use `pkgs.unifi` instead."; # Added 2024-04-11
   unifiStable = throw "'unifiStable' has been removed since UniFi no longer has LTS and stable releases. Use `pkgs.unifi` instead."; # Converted to throw 2024-04-11
   untrunc = untrunc-anthwlock; # Added 2021-02-01

pkgs/top-level/all-packages.nix

@@ -25461,7 +25461,6 @@ with pkgs;
     matomo-beta;
 
   inherit (callPackages ../servers/unifi { })
-    unifi7
     unifi8;
 
   unifi = unifi8;