Changed the service type from forking to notify,
which should gives a better indication of when the service is ready.
Changed the preStart into an ExecStart,
in order for upstream's NotifyAccess=main to work.
Added Restart=on-abnormal for better service stability.
(cherry picked from commit 9867229696)
Otherwise, the systemd service will reliably fail on a clean boot, as
invidious-router needs a set-up network connection before starting.
(cherry picked from commit fab364e89b)
GitLab 17.11 started using rails activeRecord encryption for some values.
Introduce new key files. This is breaking for unstable/25.05.
Also add a test to prevent this from happening unnoticed in the future.
For the future there should also be an option to set multiple activeRecord
keys for rotation.
This feature goes all the way back to v1.20.0 (mid 2023) back when
Forgejo was still a soft-fork and simply used the nixos/gitea module.
The tl;dr:
nixos/gitea enabled it as part of the Gitea 1.20 bump PR, while Forgejo
was still at 1.19.4 and did not support this yet, causing Forgejo to
get restarted after 90s by systemd in a loop. This, among other things,
was part of the reason why Forgejo forked the nixos/gitea module into
nixos/forgejo and it since moving independently in nixpkgs.
systemd-notify provides more accurate service unit states over the
previous service type "simple".
Ref: b61919e5e0
Ref: 44aee34594
Without this fix, when setting `services.tzupdate.enable = true`, the service would never run automatically.
Now, it's actually enabled in systemd and it actually gets executed.
Still, it could be improved with a timer as explained in https://github.com/NixOS/nixpkgs/issues/127984#issuecomment-2512059143, but this makes it at least work out of the box when rebooting the system.
Closes#249767
Before we only created the admin user when passwordFile was set.
Now it is possible to set PAPERLESS_ADMIN_USER and
PAPERLESS_ADMIN_PASSWORD directly to create the admin user, like in the
upstream Docker image.
Instead of duplicating the options from the upstream service file and letting
them get out of sync, use the file directly and only configure the needed
overrides. In particular, the upstream improvements include the mounts not
being globally visible any more, so they can't be used for bypassing nosuid and
the like, and the custom cleanup script that performed the unmount becomes
unnecessary.
