mongodb: mongodb-5_0 -> mongodb-7_0; mongodb-5_0: drop; unifi: unifi7…

… -> unifi8; unifi{7,-video}: drop (NixOS#345625)

nixos/doc/manual/release-notes/rl-2305.section.md

@@ -252,7 +252,7 @@ In addition to numerous new and updated packages, this release has the following
   }
   ```
 
-- The default module options for [services.snapserver.openFirewall](#opt-services.snapserver.openFirewall), [services.tmate-ssh-server.openFirewall](#opt-services.tmate-ssh-server.openFirewall) and [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) have been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
+- The default module options for [services.snapserver.openFirewall](#opt-services.snapserver.openFirewall), [services.tmate-ssh-server.openFirewall](#opt-services.tmate-ssh-server.openFirewall) and `services.unifi-video.openFirewall` have been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
 
 - The option `i18n.inputMethod.fcitx5.enableRimeData` has been removed. Default RIME data is now included in `fcitx5-rime` by default, and can be customized using
 

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -187,6 +187,12 @@
   - `transmission-gtk`: `~/.config/transmission`
   - `transmission-daemon` using NixOS module: `${config.services.transmission.home}/.config/transmission-daemon` (defaults to `/var/lib/transmission/.config/transmission-daemon`)
 
+- The default `mongodb` version has been updated from 5.0 to 7.0.
+  For more information, see the compatibility changes for MongoDB [6.0](https://www.mongodb.com/docs/manual/release-notes/6.0-compatibility/) and [7.0](https://www.mongodb.com/docs/manual/release-notes/7.0-compatibility/).
+
+- `unifi` has been updated to UniFi 8.
+  `unifi7` was removed as it is vulnerable to CVE-2024-42025 and required a version of MongoDB that has reached end of life.
+
 - `androidenv.androidPkgs_9_0` has been removed, and replaced with `androidenv.androidPkgs` for a more complete Android SDK including support for Android 9 and later.
 
 - `grafana` has been updated to version 11.1. This version doesn't support setting `http_addr` to a hostname anymore, an IP address is expected.

nixos/modules/module-list.nix

@@ -1375,7 +1375,6 @@
   ./services/video/mirakurun.nix
   ./services/video/photonvision.nix
   ./services/video/mediamtx.nix
-  ./services/video/unifi-video.nix
   ./services/video/v4l2-relayd.nix
   ./services/wayland/cage.nix
   ./services/wayland/hypridle.nix

nixos/modules/rename.nix

@@ -108,6 +108,7 @@ in
       used instead.
     '')
     (mkRemovedOptionModule [ "services" "tvheadend" ] "The tvheadend package and the corresponding module have been removed as nobody was willing to maintain them and they were stuck on an unmaintained version that required FFmpeg 4; please see https://github.com/NixOS/nixpkgs/pull/332259 if you are interested in maintaining a newer version.")
+    (mkRemovedOptionModule [ "services" "unifi-video" ] "The unifi-video package and the corresponding module have been removed as the software has been unsupported since 2021 and requires a MongoDB version that has reached end of life.")
     (mkRemovedOptionModule [ "services" "venus" ] "The corresponding package was removed from nixpkgs.")
     (mkRemovedOptionModule [ "services" "wakeonlan"] "This module was removed in favor of enabling it with networking.interfaces.<name>.wakeOnLan")
     (mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.")

nixos/modules/services/networking/unifi.nix

@@ -2,8 +2,8 @@
 let
   cfg = config.services.unifi;
   stateDir = "/var/lib/unifi";
-  cmd = lib.escapeShellArgs ([ "@${cfg.jrePackage}/bin/java" "java" ]
-    ++ lib.optionals (lib.versionAtLeast (lib.getVersion cfg.jrePackage) "16") [
+  cmd = lib.escapeShellArgs ([
+      "@${cfg.jrePackage}/bin/java" "java"
       "--add-opens=java.base/java.lang=ALL-UNNAMED"
       "--add-opens=java.base/java.time=ALL-UNNAMED"
       "--add-opens=java.base/sun.security.util=ALL-UNNAMED"
@@ -27,24 +27,19 @@ in
       '';
     };
 
-    services.unifi.jrePackage = lib.mkOption {
-      type = lib.types.package;
-      default = if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.5") then pkgs.jdk17_headless else if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.3") then pkgs.jdk11 else pkgs.jre8;
-      defaultText = lib.literalExpression ''if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.5") then pkgs.jdk17_headless else if (lib.versionAtLeast (lib.getVersion cfg.unifiPackage) "7.3" then pkgs.jdk11 else pkgs.jre8'';
-      description = ''
-        The JRE package to use. Check the release notes to ensure it is supported.
+    services.unifi.jrePackage = lib.mkPackageOption pkgs "jdk" {
+      default = "jdk17_headless";
+      extraDescription = ''
+        Check the UniFi controller release notes to ensure it is supported.
       '';
     };
 
-    services.unifi.unifiPackage = lib.mkPackageOption pkgs "unifi5" { };
+    services.unifi.unifiPackage = lib.mkPackageOption pkgs "unifi" {
+      default = "unifi8";
+    };
 
     services.unifi.mongodbPackage = lib.mkPackageOption pkgs "mongodb" {
-      default = "mongodb-5_0";
-      extraDescription = ''
-        ::: {.note}
-        unifi7 officially only supports mongodb up until 4.4 but works with 5.0.
-        :::
-      '';
+      default = "mongodb-7_0";
     };
 
     services.unifi.openFirewall = lib.mkOption {
@@ -92,6 +87,29 @@ in
 
   config = lib.mkIf cfg.enable {
 
+    assertions = [
+      {
+        assertion = lib.versionAtLeast config.system.stateVersion "24.11"
+        || (
+          options.services.unifi.unifiPackage.highestPrio < (lib.mkOptionDefault { }).priority
+          && options.services.unifi.mongodbPackage.highestPrio < (lib.mkOptionDefault { }).priority
+        );
+        message = ''
+          Support for UniFi < 8 has been dropped; please explicitly set
+          `services.unifi.unifiPackage` and `services.unifi.mongodbPackage`.
+
+          Note that the previous default MongoDB version was 5.0 and MongoDB
+          only supports migrating one major version at a time; therefore, you
+          may wish to set `services.unifi.mongodbPackage = pkgs.mongodb-6_0;`
+          and activate your configuration before upgrading again to the default
+          `mongodb-7_0` supported by `unifi8`.
+
+          For more information, see the MongoDB upgrade notes:
+          <https://www.mongodb.com/docs/manual/release-notes/7.0-upgrade-standalone/#upgrade-recommendations-and-checklists>
+        '';
+      }
+    ];
+
     users.users.unifi = {
       isSystemUser = true;
       group = "unifi";

nixos/tests/mongodb.nix

@@ -34,15 +34,15 @@ import ./make-test-python.nix ({ pkgs, ... }:
       node = {...}: {
         environment.systemPackages = with pkgs; [
           # remember to update mongodb.passthru.tests if you change this
-          mongodb-5_0
+          mongodb-7_0
         ];
       };
     };
 
     testScript = ''
       node.start()
     ''
-      + runMongoDBTest pkgs.mongodb-5_0
+      + runMongoDBTest pkgs.mongodb-7_0
       + ''
         node.shutdown()
       '';

nixos/tests/unifi.nix

@@ -31,6 +31,5 @@ let
     '';
   };
 in with pkgs; {
-  unifi7 = makeAppTest unifi7;
   unifi8 = makeAppTest unifi8;
 }