Update nixpkgs (2024-09-09)

Pull upstream NixOS changes, security fixes and package updates:

• chromedriver: 128.0.6613.84 -> 128.0.6613.119
• chromium: 128.0.6613.84 -> 128.0.6613.119
• consul: 1.18.3 -> 1.18.4
• element-web: 1.11.75 -> 1.11.76
• firefox: 129.0.2 -> 130.0
• grafana: 10.4.7 -> 10.4.8
• haproxy: 2.9.7 -> 2.9.10 (CVE-2024-45506)
• imagemagick: 7.1.1-36 -> 7.1.1-38
• matomo_5: 5.0.2 -> 5.1.1
• matrix-synapse: 1.113.0 -> 1.114.0
• nss_latest: 3.102 -> 3.104
• php82: 8.2.21 -> 8.2.23
• php83: 8.3.9 -> 8.3.11
• prometheus: 2.53.1 → 2.54.1
• roundcube: 1.6.8 -> 1.6.9

Skip kernel (linux_5_15) updates from upstream by reverting 2 update
commits. We want to stay at 5.15.164 for now and update to 5.15.167 or
later (see PL-132971).

Additional package update by us:

• gitlab: 17.2.4 -> 17.2.5

Allow jitsi-meet which is marked as insecure now

This is caused by libolm used for e2ee which is an optional feature.

There's no fix in sight (libolm deprecated, no signs in lib-jitsi-meet
to move away from it) and the attacks are AFAIK for on the theoretical
side. I don't think that this should stop us from using Jitsi.

PL-132999

@flyingcircusio/release-managers

Release process

Impact:

Changelog:

(include pkg changes)

PR release workflow (internal)

• PR has internal ticket
• internal issue ID (PL-…) part of branch name
• internal issue ID mentioned in PR description text
• ticket is on Platform agile board
• ticket state set to Pull request ready
• if ticket is more urgent than within the next few days, directly contact a member of the Platform team

Design notes

• Provide a feature toggle if the change might need to be adjusted/reverted quickly depending on context. Consider whether the default should be on or off. Example: rate limiting.
• All customer-facing features and (NixOS) options need to be discoverable from documentation. Add or update relevant documentation such that hosted and guided customers can understand it as well.

Security implications

• Security requirements defined? (WHERE)
  • pull in upstream security fixes from nixpkgs and for Gitlab regularly
• Security requirements tested? (EVIDENCE)
  • automated tests still run, works on various test VMs, including a Gitlab test machine
  • checked commit log for fixed CVEs and possible problems with updates; looked at Grafana changelog, GitLab 17 changes | GitLab, Releases · roundcube/roundcubemail, prometheus/CHANGELOG.md at main · prometheus/prometheus · GitHub and synapse/upgrade.md.