Merge staging-next into staging

Author: nixpkgs-ci[bot]

doc/release-notes/rl-2605.section.md

@@ -122,6 +122,11 @@
 
 - Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.
 
+- Keycloak has been updated to 26.6.X, bringing a lot new features like federated client authentication, JWT authorization grants, workflows and the ability to do
+  zero-downtime patch releases. Read more about [all the exciting new capabilities in keycloak 26.6 here](https://github.com/keycloak/keycloak/releases/tag/26.6.0)
+  and [consult the migration guide to 26.6](https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-26-6-0) to find out wether this is a breaking
+  change for your keycloak instance.
+
 - `elegant-sddm` has been updated to be Qt6 compatible. Themes for SDDM are slightly different so read the [wiki](https://wiki.nixos.org/wiki/SDDM_Themes) for more.
 
 - `forgejo` has been updated to major version 14. For more information, see the [release blog post](https://forgejo.org/2026-01-release-v14-0/) and [full release notes](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/14.0.0.md)

lib/strings.nix

@@ -337,7 +337,6 @@ rec {
 
   /**
     Concatenate a list of strings, adding a newline at the end of each one.
-    Defined as `concatMapStrings (s: s + "\n")`.
 
     # Inputs
 
@@ -361,7 +360,7 @@ rec {
 
     :::
   */
-  concatLines = concatMapStrings (s: s + "\n");
+  concatLines = str: concatStringsSep "\n" str + "\n";
 
   /**
     Given string `s`, replace every occurrence of the string `from` with the string `to`.

maintainers/maintainer-list.nix

@@ -11408,6 +11408,11 @@
     githubId = 39416660;
     name = "Mladen Branković";
   };
+  imcvampire = {
+    github = "imcvampire";
+    githubId = 9426721;
+    name = "Quoc-Anh Nguyen";
+  };
   imgabe = {
     email = "gabrielpmonte@hotmail.com";
     github = "ImGabe";
@@ -14971,6 +14976,12 @@
     githubId = 61395246;
     name = "Lampros Pitsillos";
   };
+  landreussi = {
+    email = "lucasandreussi@gmail.com";
+    github = "landreussi";
+    githubId = 5938518;
+    name = "Lucas Andreussi";
+  };
   langsjo = {
     name = "langsjo";
     github = "langsjo";

nixos/doc/manual/release-notes/rl-2605.section.md

@@ -102,6 +102,8 @@
 
 - [Tinyauth](https://tinyauth.app/), a simple authentication middleware for web apps, with OAuth and LDAP support. Available as [services.tinyauth](#opt-services.tinyauth.enable).
 
+- [Strichliste](https://www.strichliste.org), a digital self-service tallysheet used in hackerspaces, clubs and offices. Available as [services.strichliste](#opt-services.strichliste.enable).
+
 - [Dawarich](https://dawarich.app/), a self-hostable location history tracker. Available as [services.dawarich](#opt-services.dawarich.enable).
 
 - [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux.
@@ -324,6 +326,8 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
 
 - [hardware.xpadneo](#opt-hardware.xpadneo.enable) now supports configuring kernel module parameters via a freeform [settings](#opt-hardware.xpadneo.settings) option, with convenience options for [rumble attenuation](#opt-hardware.xpadneo.rumbleAttenuation) and [controller quirks](#opt-hardware.xpadneo.quirks).
 
+- The `services.prometheus.exporters` module interface now accepts an optional `socketOpts` attribute, allowing individual exporter modules to describe an accompanying `systemd.sockets.prometheus-${name}-exporter` unit alongside their service, enabling socket activation support.
+
 - Wine has been updated to the 11.0 branch. Please check the [upstream announcement](https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0) for more details.
 
 - `security.acme` now defaults to a dynamic renewal duration, if

nixos/modules/module-list.nix

@@ -1779,6 +1779,7 @@
   ./services/web-apps/stash.nix
   ./services/web-apps/stirling-pdf.nix
   ./services/web-apps/strfry.nix
+  ./services/web-apps/strichliste.nix
   ./services/web-apps/suwayomi-server.nix
   ./services/web-apps/szurubooru.nix
   ./services/web-apps/tabbyapi.nix

nixos/modules/services/monitoring/prometheus/exporters.md

@@ -138,12 +138,23 @@ example:
           DynamicUser = false;
           ExecStart = ''
             ${pkgs.prometheus-postfix-exporter}/bin/postfix_exporter \
-              --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
+              --web.systemd-socket \
               --web.telemetry-path ${cfg.telemetryPath} \
               ${lib.concatStringsSep " \\\n  " cfg.extraFlags}
           '';
         };
       };
+
+      # `socketOpts` is an optional attribute set describing a
+      # `systemd.sockets.prometheus-${name}-exporter` unit that
+      # accompanies the exporter's service. When set, it is merged
+      # with a default definition that includes
+      # `wantedBy = [ "sockets.target" ]`, enabling socket activation
+      # for exporters that support it.
+      # Note that this attribute is optional.
+      socketOpts = {
+        socketConfig.ListenStream = "${cfg.listenAddress}:${toString cfg.port}";
+      };
     }
     ```
   - This should already be enough for the postfix exporter. Additionally one

nixos/modules/services/monitoring/prometheus/exporters.nix

@@ -36,10 +36,15 @@ let
   #   - extraOpts   (types.attrs): extra configuration options to
   #                                configure the exporter with, which
   #                                are appended to the default options
+  #   - socketOpts  (types.attrs): optional config that is merged with
+  #                                the default definition of the
+  #                                exporter's systemd socket unit. When
+  #                                set, a `prometheus-${name}-exporter.socket`
+  #                                unit is created, enabling socket activation.
   #
-  #  Note that `extraOpts` is optional, but a script for the exporter's
-  #  systemd service must be provided by specifying either
-  #  `serviceOpts.script` or `serviceOpts.serviceConfig.ExecStart`
+  #  Note that `extraOpts` and `socketOpts` are optional, but a script
+  #  for the exporter's systemd service must be provided by specifying
+  #  either `serviceOpts.script` or `serviceOpts.serviceConfig.ExecStart`
 
   exporterOpts =
     (genAttrs
@@ -311,6 +316,7 @@ let
       name,
       conf,
       serviceOpts,
+      socketOpts,
     }:
     let
       enableDynamicUser = serviceOpts.serviceConfig.DynamicUser or true;
@@ -368,6 +374,12 @@ let
         "-m comment --comment ${name}-exporter -j nixos-fw-accept"
       ]);
       networking.firewall.extraInputRules = mkIf (conf.openFirewall && nftables) conf.firewallRules;
+      systemd.sockets."prometheus-${name}-exporter" = mkIf (socketOpts != null) (mkMerge [
+        {
+          wantedBy = [ "sockets.target" ];
+        }
+        socketOpts
+      ]);
       systemd.services."prometheus-${name}-exporter" = mkMerge [
         {
           wantedBy = [ "multi-user.target" ];
@@ -603,6 +615,7 @@ in
       mkExporterConf {
         inherit name;
         inherit (conf) serviceOpts;
+        socketOpts = conf.socketOpts or null;
         conf = cfg.${name};
       }
     ) exporterOpts)

nixos/modules/services/monitoring/prometheus/exporters/node.nix

@@ -39,6 +39,7 @@ in
       '';
     };
   };
+
   serviceOpts = {
     serviceConfig = {
       DynamicUser = false;
@@ -47,7 +48,7 @@ in
         ${pkgs.prometheus-node-exporter}/bin/node_exporter \
           ${concatMapStringsSep " " (x: "--collector." + x) cfg.enabledCollectors} \
           ${concatMapStringsSep " " (x: "--no-collector." + x) cfg.disabledCollectors} \
-          --web.listen-address ${cfg.listenAddress}:${toString cfg.port} ${concatStringsSep " " cfg.extraFlags}
+          --web.systemd-socket ${concatStringsSep " " cfg.extraFlags}
       '';
       RestrictAddressFamilies =
         optionals (collectorIsEnabled "logind" || collectorIsEnabled "systemd") [
@@ -67,4 +68,8 @@ in
       ProtectHome = true;
     };
   };
+
+  socketOpts = {
+    socketConfig.ListenStream = "${cfg.listenAddress}:${toString cfg.port}";
+  };
 }

nixos/modules/services/monitoring/prometheus/exporters/postfix.nix

@@ -85,6 +85,7 @@ in
       };
     };
   };
+
   serviceOpts = {
     after = mkIf cfg.systemd.enable [ cfg.systemd.unit ];
     serviceConfig = {
@@ -95,7 +96,7 @@ in
       SupplementaryGroups = mkIf cfg.systemd.enable [ "systemd-journal" ];
       ExecStart = ''
         ${lib.getExe cfg.package} \
-          --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
+          --web.systemd-socket \
           --web.telemetry-path ${cfg.telemetryPath} \
           --postfix.showq_path ${escapeShellArg cfg.showqPath} \
           ${concatStringsSep " \\\n  " (
@@ -115,4 +116,8 @@ in
       '';
     };
   };
+
+  socketOpts = {
+    socketConfig.ListenStream = "${cfg.listenAddress}:${toString cfg.port}";
+  };
 }