For Nixpkgs it seems best to disable the usage of CPU extensions by
default, as older CPUs don't support them, which will result in a crash at
runtime (SIGILL: Illegal instruction) [0].
The performance on my old test system was more than enough anyway
(usually ~10% CPU usage due to wayvnc).
[0]: https://github.com/any1/neatvnc/issues/21

The current weekly setting causes every NixOS server to try to renew
its certificate at midnight on the dot on Monday. This contributes to
the general problem of periodic load spikes for Let's Encrypt; NixOS
is probably not a major contributor to that problem, but we can lead by
example by picking good defaults here.
The values here were chosen after consulting with @yuriks, an SRE at
Let's Encrypt:
* Randomize the time certificates are renewed within a 24 hour period.
* Check for renewal every 24 hours, to ensure the certificate is always
renewed before an expiry notice is sent out.
* Increase the AccuracySec (thus lowering the accuracy(!)), so that
systemd can coalesce the renewal with other timers being run.
(You might be worried that this would defeat the purpose of the time
skewing, but systemd is documented as avoiding this by picking a
random time.)

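
As an added illustration, not code from the commit or from the nixpkgs ACME module, the two scheduling approaches described above written as NixOS timer definitions. The unit names `acme-example-weekly` and `acme-example`, and the concrete values `24h` and `1h`, are assumptions chosen to match the description, not values taken from the commit.

```nix
{ ... }:
{
  # Before: a plain weekly timer (constructed example). Every host fires at
  # exactly 00:00 on Monday, so all of them contact the CA at the same instant.
  systemd.timers."acme-example-weekly" = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "weekly";
    };
  };

  # After: check once per day, spread each run randomly across the following
  # 24 hours, and let systemd coalesce the run with other timers inside a
  # 1 hour window. As the commit notes, systemd's documentation says the
  # coarse accuracy does not undo the randomized delay.
  systemd.timers."acme-example" = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "daily";          # assumed value: a 24 hour check interval
      RandomizedDelaySec = "24h";    # assumed value: skew within a 24 hour period
      AccuracySec = "1h";            # assumed value: allow coalescing with other timers
    };
  };
}
```

After switching to a configuration like this, `systemctl list-timers` shows the next elapse, which should differ from host to host, and `systemd-analyze calendar daily` prints the base schedule the random delay is added to. Note that a 24 hour random delay on a daily timer means two consecutive checks can be up to 48 hours apart, which is still far inside the renewal window ACME certificates are normally renewed in.
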
* source-han-sans: 1.004R -> 2.001
* source-han-serif: switch to Super OTC
* source-han-mono: init at 1.002
The Source Han fonts now use shared package infrastructure, and the
Super OTC distributions, which unify the various scripts into a single
bundle file, improving automatic font selection and reducing overall
disk space usage. This also means that the Traditional
Chinese—Hong Kong language variant is now included.
The old package names including language are aliased to the Super OTC
bundle packages.

The environment.systemPackages option is missing from the example which is used in the next paragraph to explain merging of the options defined by multiple modules.

Previously, we would assert that the lockfiles are consistent during the
unpackPhase, but if the pkg has a patch for the lockfile itself then we must
wait until the patchPhase is complete to check.
This also removes an implicit dependency on the src attribute coming from
`fetchzip` / `fetchFromGitHub`, which happens to name the source directory
"source". Now we glob for it, so different fetchers will work consistently.