path: root/nixos/doc/manual/release-notes/rl-2205.section.md



# Release 22.05 (“Quokka”, 2022.05/??) {#sec-release-22.05}

In addition to numerous new and upgraded packages, this release has the following highlights:

- Support is planned until the end of December 2022, handing over to 22.11.

## Highlights {#sec-release-22.05-highlights}

- `security.acme.defaults` has been added to simplify configuring
  settings for many certificates at once. This also opens up the
  the option to use DNS-01 validation when using `enableACME` on
  web server virtual hosts (e.g. `services.nginx.virtualHosts.*.enableACME`).

- PHP 8.1 is now available

- Mattermost has been updated to version 6.2. Migrations may take a while,
  see the [upgrade notes](https://docs.mattermost.com/install/self-managed-changelog.html#release-v6.2-feature-release).

## New Services {#sec-release-22.05-new-services}

- [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable).

- [rootless Docker](https://docs.docker.com/engine/security/rootless/), a `systemd --user` Docker service which runs without root permissions. Available as [virtualisation.docker.rootless.enable](options.html#opt-virtualisation.docker.rootless.enable).

- [matrix-conduit](https://conduit.rs/), a simple, fast and reliable chat server powered by matrix. Available as [services.matrix-conduit](option.html#opt-services.matrix-conduit.enable).

- [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable).

- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VVRP and others). Available as [services.frr](#opt-services.ffr.babel.enable)

- [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](options.html#opt-services.heisenbridge.enable).

- [ergochat](https://ergo.chat), a modern IRC with IRCv3 features. Available as [services.ergochat](options.html#opt-services.ergochat.enable).

- [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin), a web interface for the PowerDNS server. Available at [services.powerdns-admin](options.html#opt-services.powerdns-admin.enable).

- [maddy](https://maddy.email), a composable all-in-one mail server. Available as [services.maddy](options.html#opt-services.maddy.enable).

- [mtr-exporter](https://github.com/mgumz/mtr-exporter), a Prometheus exporter for mtr metrics. Available as [services.mtr-exporter](options.html#opt-services.mtr-exporter.enable).

- [tetrd](https://tetrd.app), share your internet connection from your device to your PC and vice versa through a USB cable. Available at [services.tetrd](#opt-services.tetrd.enable).

- [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable).

- [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable).

- [BaGet](https://loic-sharma.github.io/BaGet/), a lightweight NuGet and symbol server. Available at [services.baget](#opt-services.baget.enable).

- [prosody-filer](https://github.com/ThomasLeister/prosody-filer), a server for handling XMPP HTTP Upload requests. Available at [services.prosody-filer](#opt-services.prosody-filer.enable).

- [timetagger](https://timetagger.app), an open source time-tracker with an intuitive user experience and powerful reporting. [services.timetagger](options.html#opt-services.timetagger.enable).

## Backward Incompatibilities {#sec-release-22.05-incompatibilities}

- `pkgs.ghc` now refers to `pkgs.targetPackages.haskellPackages.ghc`.
  This *only* makes a difference if you are cross-compiling and will
  ensure that `pkgs.ghc` always runs on the host platform and compiles
  for the target platform (similar to `pkgs.gcc` for example).
  `haskellPackages.ghc` still behaves as before, running on the build
  platform and compiling for the host platform (similar to `stdenv.cc`).
  This means you don't have to adjust your derivations if you use
  `haskellPackages.callPackage`, but when using `pkgs.callPackage` and
  taking `ghc` as an input, you should now use `buildPackages.ghc`
  instead to ensure cross compilation keeps working (or switch to
  `haskellPackages.callPackage`).

- `pkgs.emacsPackages.orgPackages` is removed because org elpa is deprecated.
  The packages in the top level of `pkgs.emacsPackages`, such as org and
  org-contrib, refer to the ones in `pkgs.emacsPackages.elpaPackages` and
  `pkgs.emacsPackages.nongnuPackages` where the new versions will release.

- `services.kubernetes.addons.dashboard` was removed due to it being an outdated version.

- The MoinMoin wiki engine (`services.moinmoin`) has been removed, because Python 2 is being retired from nixpkgs.

- The `wafHook` hook now honors `NIX_BUILD_CORES` when `enableParallelBuilding` is not set explicitly. Packages can restore the old behaviour by setting `enableParallelBuilding=false`.

- `pkgs.claws-mail-gtk2`, representing Claws Mail's older release version three, was removed in order to get rid of Python 2.
  Please switch to `claws-mail`, which is Claws Mail's latest release based on GTK+3 and Python 3.

- The `writers.writePython2` and corresponding `writers.writePython2Bin` convenience functions to create executable Python 2 scripts in the store were removed in preparation of removal of the Python 2 interpreter.
  Scripts have to be converted to Python 3 for use with `writers.writePython3` or `writers.writePyPy2` needs to be used.

- If you previously used `/etc/docker/daemon.json`, you need to incorporate the changes into the new option `virtualisation.docker.daemon.settings`.

- The backward compatibility in `services.dokuwiki` to configure sites with the
  old interface has been removed. Please use `services.dokuwiki.sites` instead.

- opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs

- The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.

- For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`
  (which is really an adapter to integrate matplotlib in ipython if it is installed) does
  not depend on `pkgs.python3.pkgs.matplotlib` anymore.
  This is closer to a non-Nix install of ipython.
  This has the added benefit to reduce the closure size of `ipython` from ~400MB to ~160MB
  (including ~100MB for python itself).

- `documentation.man` has been refactored to support choosing a man implementation other than GNU's `man-db`. For this, `documentation.man.manualPages` has been renamed to `documentation.man.man-db.manualPages`. If you want to use the new alternative man implementation `mandoc`, add `documentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; }` to your configuration.

- Normal users (with `isNormalUser = true`) which have non-empty `subUidRanges` or `subGidRanges` set no longer have additional implicit ranges allocated. To enable automatic allocation back set `autoSubUidGidRange = true`.

- `idris2` now requires `--package` when using packages `contrib` and `network`, while previously these idris2 packages were automatically loaded.

- `services.thelounge.private` was removed in favor of `services.thelounge.public`, to follow with upstream changes.

- `pkgs.docbookrx` was removed since it's unmaintained

## Other Notable Changes {#sec-release-22.05-notable-changes}

- The option [services.redis.servers](#opt-services.redis.servers) was added
  to support per-application `redis-server` which is more secure since Redis databases
  are only mere key prefixes without any configuration or ACL of their own.
  Backward-compatibility is preserved by mapping old `services.redis.settings`
  to `services.redis.servers."".settings`, but you are strongly encouraged
  to name each `redis-server` instance after the application using it,
  instead of keeping that nameless one.
  Except for the nameless `services.redis.servers.""`
  still accessible at `127.0.0.1:6379`,
  and to the members of the Unix group `redis`
  through the Unix socket `/run/redis/redis.sock`,
  all other `services.redis.servers.${serverName}`
  are only accessible by default
  to the members of the Unix group `redis-${serverName}`
  through the Unix socket `/run/redis-${serverName}/redis.sock`.

- The option [virtualisation.vmVariant](#opt-virtualisation.vmVariant) was added
  to allow users to make changes to the `nixos-rebuild build-vm` configuration
  that do not apply to their normal system.

  The `config.system.build.vm` attribute now always exists and  defaults to the
  value from `vmVariant`. Configurations that import the `virtualisation/qemu-vm.nix`
  module themselves will override this value, such that `vmVariant` is not used.

  Similarly [virtualisation.vmVariantWithBootloader](#opt-virtualisation.vmVariantWithBootLoader) was added.

- The `writers.writePyPy2`/`writers.writePyPy3` and corresponding `writers.writePyPy2Bin`/`writers.writePyPy3Bin` convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added.

- The `influxdb2` package was split into `influxdb2-server` and
  `influxdb2-cli`, matching the split that took place upstream. A
  combined `influxdb2` package is still provided in this release for
  backwards compatibilty, but will be removed at a later date.

- The `services.unifi.openPorts` option default value of `true` is now deprecated and will be changed to `false` in 22.11.
  Configurations using this default will print a warning when rebuilt.

- `security.acme` certificates will now correctly check for CA
  revokation before reaching their minimum age.

- Removing domains from `security.acme.certs._name_.extraDomainNames`
  will now correctly remove those domains during rebuild/renew.

- The option
  [programs.ssh.enableAskPassword](#opt-programs.ssh.enableAskPassword) was
  added, decoupling the setting of `SSH_ASKPASS` from
  `services.xserver.enable`. This allows easy usage in non-X11 environments,
  e.g. Wayland.

- The `services.stubby` module was converted to a [settings-style](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration.

- The option `services.duplicati.dataDir` has been added to allow changing the location of duplicati's files.

- `fetchFromSourcehut` now allows fetching repositories recursively
  using `fetchgit` or `fetchhg` if the argument `fetchSubmodules`
  is set to `true`.

- The option `services.thelounge.plugins` has been added to allow installing plugins for The Lounge. Plugins can be found in `pkgs.theLoungePlugins.plugins` and `pkgs.theLoungePlugins.themes`.

- The `firmwareLinuxNonfree` package has been renamed to `linux-firmware`.

- A new module was added for the [Starship](https://starship.rs/) shell prompt,
  providing the options `programs.starship.enable` and `programs.starship.settings`.
# Release 22.05 (“Quokka”, 2022.05/??) {#sec-release-22.05}

In addition to numerous new and upgraded packages, this release has the following highlights:

- Support is planned until the end of December 2022, handing over to 22.11.

## Highlights {#sec-release-22.05-highlights}

- `security.acme.defaults` has been added to simplify configuring
  settings for many certificates at once. This also opens up the
  the option to use DNS-01 validation when using `enableACME` on
  web server virtual hosts (e.g. `services.nginx.virtualHosts.*.enableACME`).

- PHP 8.1 is now available

- Mattermost has been updated to version 6.2. Migrations may take a while,
  see the [upgrade notes](https://docs.mattermost.com/install/self-managed-changelog.html#release-v6.2-feature-release).

## New Services {#sec-release-22.05-new-services}

- [aesmd](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw), the Intel SGX Architectural Enclave Service Manager. Available as [services.aesmd](#opt-services.aesmd.enable).

- [rootless Docker](https://docs.docker.com/engine/security/rootless/), a `systemd --user` Docker service which runs without root permissions. Available as [virtualisation.docker.rootless.enable](options.html#opt-virtualisation.docker.rootless.enable).

- [matrix-conduit](https://conduit.rs/), a simple, fast and reliable chat server powered by matrix. Available as [services.matrix-conduit](option.html#opt-services.matrix-conduit.enable).

- [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable).

- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VVRP and others). Available as [services.frr](#opt-services.ffr.babel.enable)

- [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](options.html#opt-services.heisenbridge.enable).

- [ergochat](https://ergo.chat), a modern IRC with IRCv3 features. Available as [services.ergochat](options.html#opt-services.ergochat.enable).

- [PowerDNS-Admin](https://github.com/ngoduykhanh/PowerDNS-Admin), a web interface for the PowerDNS server. Available at [services.powerdns-admin](options.html#opt-services.powerdns-admin.enable).

- [maddy](https://maddy.email), a composable all-in-one mail server. Available as [services.maddy](options.html#opt-services.maddy.enable).

- [mtr-exporter](https://github.com/mgumz/mtr-exporter), a Prometheus exporter for mtr metrics. Available as [services.mtr-exporter](options.html#opt-services.mtr-exporter.enable).

- [tetrd](https://tetrd.app), share your internet connection from your device to your PC and vice versa through a USB cable. Available at [services.tetrd](#opt-services.tetrd.enable).

- [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable).

- [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable).

- [BaGet](https://loic-sharma.github.io/BaGet/), a lightweight NuGet and symbol server. Available at [services.baget](#opt-services.baget.enable).

- [prosody-filer](https://github.com/ThomasLeister/prosody-filer), a server for handling XMPP HTTP Upload requests. Available at [services.prosody-filer](#opt-services.prosody-filer.enable).

- [timetagger](https://timetagger.app), an open source time-tracker with an intuitive user experience and powerful reporting. [services.timetagger](options.html#opt-services.timetagger.enable).

## Backward Incompatibilities {#sec-release-22.05-incompatibilities}

- `pkgs.ghc` now refers to `pkgs.targetPackages.haskellPackages.ghc`.
  This *only* makes a difference if you are cross-compiling and will
  ensure that `pkgs.ghc` always runs on the host platform and compiles
  for the target platform (similar to `pkgs.gcc` for example).
  `haskellPackages.ghc` still behaves as before, running on the build
  platform and compiling for the host platform (similar to `stdenv.cc`).
  This means you don't have to adjust your derivations if you use
  `haskellPackages.callPackage`, but when using `pkgs.callPackage` and
  taking `ghc` as an input, you should now use `buildPackages.ghc`
  instead to ensure cross compilation keeps working (or switch to
  `haskellPackages.callPackage`).

- `pkgs.emacsPackages.orgPackages` is removed because org elpa is deprecated.
  The packages in the top level of `pkgs.emacsPackages`, such as org and
  org-contrib, refer to the ones in `pkgs.emacsPackages.elpaPackages` and
  `pkgs.emacsPackages.nongnuPackages` where the new versions will release.

- `services.kubernetes.addons.dashboard` was removed due to it being an outdated version.

- The MoinMoin wiki engine (`services.moinmoin`) has been removed, because Python 2 is being retired from nixpkgs.

- The `wafHook` hook now honors `NIX_BUILD_CORES` when `enableParallelBuilding` is not set explicitly. Packages can restore the old behaviour by setting `enableParallelBuilding=false`.

- `pkgs.claws-mail-gtk2`, representing Claws Mail's older release version three, was removed in order to get rid of Python 2.
  Please switch to `claws-mail`, which is Claws Mail's latest release based on GTK+3 and Python 3.

- The `writers.writePython2` and corresponding `writers.writePython2Bin` convenience functions to create executable Python 2 scripts in the store were removed in preparation of removal of the Python 2 interpreter.
  Scripts have to be converted to Python 3 for use with `writers.writePython3` or `writers.writePyPy2` needs to be used.

- If you previously used `/etc/docker/daemon.json`, you need to incorporate the changes into the new option `virtualisation.docker.daemon.settings`.

- The backward compatibility in `services.dokuwiki` to configure sites with the
  old interface has been removed. Please use `services.dokuwiki.sites` instead.

- opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs

- The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.

- For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`
  (which is really an adapter to integrate matplotlib in ipython if it is installed) does
  not depend on `pkgs.python3.pkgs.matplotlib` anymore.
  This is closer to a non-Nix install of ipython.
  This has the added benefit to reduce the closure size of `ipython` from ~400MB to ~160MB
  (including ~100MB for python itself).

- `documentation.man` has been refactored to support choosing a man implementation other than GNU's `man-db`. For this, `documentation.man.manualPages` has been renamed to `documentation.man.man-db.manualPages`. If you want to use the new alternative man implementation `mandoc`, add `documentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; }` to your configuration.

- Normal users (with `isNormalUser = true`) which have non-empty `subUidRanges` or `subGidRanges` set no longer have additional implicit ranges allocated. To enable automatic allocation back set `autoSubUidGidRange = true`.

- `idris2` now requires `--package` when using packages `contrib` and `network`, while previously these idris2 packages were automatically loaded.

- `services.thelounge.private` was removed in favor of `services.thelounge.public`, to follow with upstream changes.

- `pkgs.docbookrx` was removed since it's unmaintained

## Other Notable Changes {#sec-release-22.05-notable-changes}

- The option [services.redis.servers](#opt-services.redis.servers) was added
  to support per-application `redis-server` which is more secure since Redis databases
  are only mere key prefixes without any configuration or ACL of their own.
  Backward-compatibility is preserved by mapping old `services.redis.settings`
  to `services.redis.servers."".settings`, but you are strongly encouraged
  to name each `redis-server` instance after the application using it,
  instead of keeping that nameless one.
  Except for the nameless `services.redis.servers.""`
  still accessible at `127.0.0.1:6379`,
  and to the members of the Unix group `redis`
  through the Unix socket `/run/redis/redis.sock`,
  all other `services.redis.servers.${serverName}`
  are only accessible by default
  to the members of the Unix group `redis-${serverName}`
  through the Unix socket `/run/redis-${serverName}/redis.sock`.

- The option [virtualisation.vmVariant](#opt-virtualisation.vmVariant) was added
  to allow users to make changes to the `nixos-rebuild build-vm` configuration
  that do not apply to their normal system.

  The `config.system.build.vm` attribute now always exists and  defaults to the
  value from `vmVariant`. Configurations that import the `virtualisation/qemu-vm.nix`
  module themselves will override this value, such that `vmVariant` is not used.

  Similarly [virtualisation.vmVariantWithBootloader](#opt-virtualisation.vmVariantWithBootLoader) was added.

- The `writers.writePyPy2`/`writers.writePyPy3` and corresponding `writers.writePyPy2Bin`/`writers.writePyPy3Bin` convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added.

- The `influxdb2` package was split into `influxdb2-server` and
  `influxdb2-cli`, matching the split that took place upstream. A
  combined `influxdb2` package is still provided in this release for
  backwards compatibilty, but will be removed at a later date.

- The `services.unifi.openPorts` option default value of `true` is now deprecated and will be changed to `false` in 22.11.
  Configurations using this default will print a warning when rebuilt.

- `security.acme` certificates will now correctly check for CA
  revokation before reaching their minimum age.

- Removing domains from `security.acme.certs._name_.extraDomainNames`
  will now correctly remove those domains during rebuild/renew.

- The option
  [programs.ssh.enableAskPassword](#opt-programs.ssh.enableAskPassword) was
  added, decoupling the setting of `SSH_ASKPASS` from
  `services.xserver.enable`. This allows easy usage in non-X11 environments,
  e.g. Wayland.

- The `services.stubby` module was converted to a [settings-style](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration.

- The option `services.duplicati.dataDir` has been added to allow changing the location of duplicati's files.

- `fetchFromSourcehut` now allows fetching repositories recursively
  using `fetchgit` or `fetchhg` if the argument `fetchSubmodules`
  is set to `true`.

- The option `services.thelounge.plugins` has been added to allow installing plugins for The Lounge. Plugins can be found in `pkgs.theLoungePlugins.plugins` and `pkgs.theLoungePlugins.themes`.

- The `firmwareLinuxNonfree` package has been renamed to `linux-firmware`.

- A new module was added for the [Starship](https://starship.rs/) shell prompt,
  providing the options `programs.starship.enable` and `programs.starship.settings`.