Unverified Commit 5c01691c authored by Maximilian Bosch's avatar Maximilian Bosch Committed by GitHub

Merge: postgresql_12: remove (#353158)

parents b3b6e0e9 0b3eef74
+8 −6
@@ -318,8 +318,16 @@

- The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver.

- `postgresql_12` has been removed since it reached its end of life.

- `postgresql` no longer accepts the `enableSystemd` override. Use `systemdSupport` instead.

- `postgresql` was split into default and -dev outputs. To make this work without circular dependencies, the output of the `pg_config` system view has been removed. The `pg_config` binary is provided in the -dev output and still works as expected.

- The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped.

- `postgresql` is now [hardened by default](#module-services-postgres-hardening) using the common `systemd` settings for that.

- The dhcpcd service (`networking.useDHCP`) has been hardened and now runs exclusively as the "dhcpcd" user.
  Users that were relying on the root privileges in `networking.dhcpcd.runHook` will have to write specific [sudo](security.sudo.extraRules) or [polkit](security.polkit.extraConfig) rules to allow dhcpcd to perform privileged actions.

@@ -585,8 +593,6 @@

- Docker now defaults to 27.x, as version 24.x stopped receiving security updates and bug fixes after [February 1, 2024](https://github.com/moby/moby/pull/46772#discussion_r1686464084).

- `postgresql` was split into default and -dev outputs. To make this work without circular dependencies, the output of the `pg_config` system view has been removed. The `pg_config` binary is provided in the -dev output and still works as expected.

- `keycloak` was updated to version 25, which introduces new hostname related options.
  See [Upgrading Guide](https://www.keycloak.org/docs/25.0.1/upgrading/#migrating-to-25-0-0) for instructions.

@@ -830,8 +836,6 @@

- `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep). Available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep).

- The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped.

- Mattermost has been updated from 9.5 to 9.11 ESR. See the [changelog](https://docs.mattermost.com/about/mattermost-v9-changelog.html#release-v9-11-extended-support-release) for more details.

- `cargo-tauri.hook` was introduced to help users build [Tauri](https://tauri.app/) projects. It is meant to be used alongside
@@ -851,8 +855,6 @@

- `iproute2` now has libbpf support.

- `postgresql` is now [hardened by default](#module-services-postgres-hardening) using the common `systemd` settings for that.

  If you use extensions that are not packaged in nixpkgs, please review whether it still works
  with the current settings and adjust accordingly if needed.

+5 −4
@@ -261,8 +261,9 @@ Technically, we'd not want to have EOL'ed packages in a stable NixOS release, wh
Thus:
- In September/October the new major version will be released and added to nixos-unstable.
- In November the last minor version for the oldest major will be released.
- Both the current stable .05 release and nixos-unstable should be updated to the latest minor.
- In November, before branch-off for the .11 release, the EOL-ed major will be removed from nixos-unstable.
- Both the current stable .05 release and nixos-unstable should be updated to the latest minor that will usually be released in November.
  - This is relevant for people who need to use this major for as long as possible. In that case its desirable to be able to pin nixpkgs to a commit that still has it, at the latest minor available.
- In November, before branch-off for the .11 release and after the update to the latest minor, the EOL-ed major will be removed from nixos-unstable.

This leaves a small gap of a couple of weeks after the latest minor release and the end of our support window for the .05 release, in which there could be an emergency release to other major versions of PostgreSQL - but not the oldest major we have in that branch. In that case: If we can't trivially patch the issue, we will mark the package/version as insecure **immediately**.

@@ -292,7 +293,7 @@ postgresql_15.pkgs.pg_partman postgresql_15.pkgs.pgroonga
To add plugins via NixOS configuration, set `services.postgresql.extraPlugins`:
```nix
{
  services.postgresql.package = pkgs.postgresql_12;
  services.postgresql.package = pkgs.postgresql_17;
  services.postgresql.extraPlugins = ps: with ps; [
    pg_repack
    postgis
@@ -303,7 +304,7 @@ To add plugins via NixOS configuration, set `services.postgresql.extraPlugins`:
You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using function `.withPackages`. For example, creating a custom PostgreSQL package in an overlay can look like:
```nix
self: super: {
  postgresql_custom = self.postgresql_12.withPackages (ps: [
  postgresql_custom = self.postgresql_17.withPackages (ps: [
    ps.pg_repack
    ps.postgis
  ]);
+10 −1
@@ -26,6 +26,7 @@ let
    optionalString
    types
    versionAtLeast
    warn
    ;

  cfg = config.services.postgresql;
@@ -484,10 +485,18 @@ in

    services.postgresql.package = let
        mkThrow = ver: throw "postgresql_${ver} was removed, please upgrade your postgresql version.";
        mkWarn = ver: warn ''
          The postgresql package is not pinned and selected automatically by
          `systemd.stateVersion`. Right now this is `pkgs.postgresql_${ver}`, the
          oldest postgresql version available and thus the next that will be
          removed when EOL on the next stable cycle.

          See also https://endoflife.date/postgresql
        '';
        base = if versionAtLeast config.system.stateVersion "24.11" then pkgs.postgresql_16
            else if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15
            else if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14
            else if versionAtLeast config.system.stateVersion "21.11" then pkgs.postgresql_13
            else if versionAtLeast config.system.stateVersion "21.11" then mkWarn "13" pkgs.postgresql_13
            else if versionAtLeast config.system.stateVersion "20.03" then mkThrow "11"
            else if versionAtLeast config.system.stateVersion "17.09" then mkThrow "9_6"
            else mkThrow "9_5";
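Review bot: The new `mkWarn` message names `systemd.stateVersion`, but the selection right below it reads `config.system.stateVersion`, so the warning refers users to an option name that does not match the one actually consulted; the text should say `system.stateVersion`. The message also tells the operator that the version is next in line for removal without saying how to act on it, and a closing sentence such as `Set services.postgresql.package explicitly and plan the major-version upgrade.` would make it actionable before the package reaches end of life and stops receiving security fixes. The warning is attached only to the "21.11" branch, which fits the current oldest version, but whoever removes the next major has to remember to move `mkWarn` to the following branch; a short comment above `mkWarn` saying so would help. The enclosing `let` block and the option definition start and end outside this hunk.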
+0 −31
@@ -586,37 +586,6 @@ in
      ensureDatabases = [ "outline" ];
    };

    # Outline is unable to create the uuid-ossp extension when using postgresql 12, in later version this
    # extension can be created without superuser permission. This services therefor this extension before
    # outline starts and postgresql 12 is using on the host.
    #
    # Can be removed after postgresql 12 is dropped from nixos.
    systemd.services.outline-postgresql =
      let
        pgsql = config.services.postgresql;
      in
        lib.mkIf (cfg.databaseUrl == "local" && pgsql.package == pkgs.postgresql_12) {
          after = [ "postgresql.service" ];
          bindsTo = [ "postgresql.service" ];
          wantedBy = [ "outline.service" ];
          partOf = [ "outline.service" ];
          path = [
            pgsql.package
          ];
          script = ''
            set -o errexit -o pipefail -o nounset -o errtrace
            shopt -s inherit_errexit

            psql outline -tAc 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp"'
          '';

          serviceConfig = {
            User = pgsql.superUser;
            Type = "oneshot";
            RemainAfterExit = true;
          };
        };

    services.redis.servers.outline = lib.mkIf (cfg.redisUrl == "local") {
      enable = true;
      user = config.services.outline.user;
+1 −1
@@ -205,7 +205,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
        };
        postgresql = {
          enable = true;
          package = pkgs.postgresql_12;
          package = pkgs.postgresql_13;
        };
        nginx = {
          enable = true;