diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index 06ac7a60e2ba..3fd90f745561 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -173,6 +173,9 @@ - `transmission-gtk`: `~/.config/transmission` - `transmission-daemon` using NixOS module: `${config.services.transmission.home}/.config/transmission-daemon` (defaults to `/var/lib/transmission/.config/transmission-daemon`) +- `unifi` has been updated to UniFi 8. + `unifi7` was removed as it is vulnerable to CVE-2024-42025 and required a version of MongoDB that has reached end of life. + - `androidenv.androidPkgs_9_0` has been removed, and replaced with `androidenv.androidPkgs` for a more complete Android SDK including support for Android 9 and later. - `grafana` has been updated to version 11.1. This version doesn't support setting `http_addr` to a hostname anymore, an IP address is expected. diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix index 38908e3d6f1d..8c5bc82ffcb1 100644 --- a/nixos/modules/services/networking/unifi.nix +++ b/nixos/modules/services/networking/unifi.nix @@ -2,8 +2,8 @@ let cfg = config.services.unifi; stateDir = "/var/lib/unifi"; - cmd = lib.escapeShellArgs ([ "@${cfg.jrePackage}/bin/java" "java" ] - ++ lib.optionals (lib.versionAtLeast (lib.getVersion cfg.jrePackage) "16") [ + cmd = lib.escapeShellArgs ([ + "@${cfg.jrePackage}/bin/java" "java" "--add-opens=java.base/java.lang=ALL-UNNAMED" "--add-opens=java.base/java.time=ALL-UNNAMED" "--add-opens=java.base/sun.security.util=ALL-UNNAMED" 
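Review bot: In the `cmd` list of nixos/modules/services/networking/unifi.nix the `--add-opens=…=ALL-UNNAMED` flags are now passed to every JRE, and nothing next to them says why they are needed. Each flag relaxes JDK strong encapsulation for one package (`sun.security.util` among them) for all code on the classpath, so the list deserves a comment such as `# relaxes JDK encapsulation for the packages below; keep the list as short as the controller allows`. Because `services.unifi.jrePackage` stays overridable, its description could also say that the chosen JRE must accept `--add-opens`. The list continues past the end of this hunk.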
@@ -27,24 +27,19 @@ in ''; }; - services.unifi.jrePackage = lib.mkOption { - type = lib.types.package; - default = if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.5") then pkgs.jdk17_headless else if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.3") then pkgs.jdk11 else pkgs.jre8; - defaultText = lib.literalExpression ''if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.5") then pkgs.jdk17_headless else if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.3" then pkgs.jdk11 else pkgs.jre8''; - description = '' - The JRE package to use. Check the release notes to ensure it is supported. + services.unifi.jrePackage = lib.mkPackageOption pkgs "jdk" { + default = "jdk17_headless"; + extraDescription = '' + Check the UniFi controller release notes to ensure it is supported. ''; }; - services.unifi.unifiPackage = lib.mkPackageOption pkgs "unifi5" { }; + services.unifi.unifiPackage = lib.mkPackageOption pkgs "unifi" { + default = "unifi8"; + }; services.unifi.mongodbPackage = lib.mkPackageOption pkgs "mongodb" { - default = "mongodb-5_0"; - extraDescription = '' - ::: {.note} - unifi7 officially only supports mongodb up until 4.4 but works with 5.0. - ::: - ''; + default = "mongodb-7_0"; }; services.unifi.openFirewall = lib.mkOption { 
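Review bot: `services.unifi.mongodbPackage` gets a new default here but is left with no description: the removed note was the only text on the option that told operators which MongoDB versions the controller accepts. The upgrade constraint is spelled out only in the assertion message later in this file, which is not part of the rendered option documentation. I would add an `extraDescription` along the lines of `MongoDB data can only be migrated one major version at a time; step an existing database through each intermediate version before adopting the default.` The description of `services.unifi.unifiPackage` could likewise state that releases older than UniFi 8 are no longer packaged.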
@@ -92,6 +87,29 @@ in config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = lib.versionAtLeast config.system.stateVersion "24.11" + || ( + options.services.unifi.unifiPackage.highestPrio < (lib.mkOptionDefault { }).priority + && options.services.unifi.mongodbPackage.highestPrio < (lib.mkOptionDefault { }).priority + ); + message = '' + Support for UniFi < 8 has been dropped; please explicitly set + `services.unifi.unifiPackage` and `services.unifi.mongodbPackage`. + + Note that the previous default MongoDB version was 5.0 and MongoDB + only supports migrating one major version at a time; therefore, you + may wish to set `services.unifi.mongodbPackage = pkgs.mongodb-6_0;` + and activate your configuration before upgrading again to the default + `mongodb-7_0` supported by `unifi8`. + + For more information, see the MongoDB upgrade notes: + + ''; + } + ]; + users.users.unifi = { isSystemUser = true; group = "unifi"; diff --git a/nixos/tests/unifi.nix b/nixos/tests/unifi.nix index 789b11b55985..15de78045501 100644 --- a/nixos/tests/unifi.nix +++ b/nixos/tests/unifi.nix @@ -31,6 +31,5 @@ let ''; }; in with pkgs; { - unifi7 = makeAppTest unifi7; unifi8 = makeAppTest unifi8; } diff --git a/pkgs/servers/unifi/default.nix b/pkgs/servers/unifi/default.nix index 1c7684f273a9..f207737ed080 100644 --- a/pkgs/servers/unifi/default.nix +++ b/pkgs/servers/unifi/default.nix @@ -46,13 +46,6 @@ let in rec { # see https://community.ui.com/releases / https://www.ui.com/download/unifi - unifi7 = generic { - version = "7.5.187"; - suffix = "-f57f5bf7ab"; - sha256 = "sha256-a5kl8gZbRnhS/p1imPl7soM0/QSFHdM0+2bNmDfc1mY="; - knownVulnerabilities = [ "CVE-2024-42025" ]; - }; - unifi8 = generic { version = "8.4.62"; suffix = "-i3q2j125cz"; diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 9aa18d96e99e..429856cc2dfd 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix 
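Review bot: The assertion treats a `system.stateVersion` of 24.11 or later as proof that no older database exists, but nothing checks the data itself. A host that already carries that state version and ran with the previous default MongoDB 5.0 would pass and be switched straight to `mongodb-7_0`, the two-major jump the message says MongoDB does not support; whether such hosts exist is an inference from the message text, not something visible here. I would state the assumption in a comment above the entry, e.g. `# stateVersion >= 24.11 is taken to mean a fresh install with no MongoDB 5.0 data`, and explain the priority test with `# highestPrio below mkOptionDefault's priority: the option was set with higher precedence than its default`. The message also ends at "see the MongoDB upgrade notes:" with no link visible in this view, so confirm the URL is present in the file.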
@@ -1606,6 +1606,7 @@ mapAliases { unifi-video = throw "unifi-video has been removed as it has been unsupported upstream since 2021"; # Added 2024-10-01 unifi5 = throw "'unifi5' has been removed since its required MongoDB version is EOL."; # Added 2024-04-11 unifi6 = throw "'unifi6' has been removed since its required MongoDB version is EOL."; # Added 2024-04-11 + unifi7 = throw "'unifi7' has been removed since it is vulnerable to CVE-2024-42025 and its required MongoDB version is EOL."; # Added 2024-10-01 unifiLTS = throw "'unifiLTS' has been removed since UniFi no longer has LTS and stable releases. Use `pkgs.unifi` instead."; # Added 2024-04-11 unifiStable = throw "'unifiStable' has been removed since UniFi no longer has LTS and stable releases. Use `pkgs.unifi` instead."; # Converted to throw 2024-04-11 untrunc = untrunc-anthwlock; # Added 2021-02-01 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index e5de0428da28..f5dc2144814e 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -25461,7 +25461,6 @@ with pkgs; matomo-beta; inherit (callPackages ../servers/unifi { }) - unifi7 unifi8; unifi = unifi8;