summary refs log tree commit diff
path: root/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml
diff options
context:
space:
mode:
Diffstat (limited to 'nixos/doc/manual/from_md/release-notes/rl-1909.section.xml')
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-1909.section.xml1197
1 files changed, 1197 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml
new file mode 100644
index 00000000000..83cd649f4ea
--- /dev/null
+++ b/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml
@@ -0,0 +1,1197 @@
+<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-19.09">
+  <title>Release 19.09 (<quote>Loris</quote>, 2019/10/09)</title>
+  <section xml:id="sec-release-19.09-highlights">
+    <title>Highlights</title>
+    <para>
+      In addition to numerous new and upgraded packages, this release
+      has the following highlights:
+    </para>
+    <itemizedlist>
+      <listitem>
+        <para>
+          End of support is planned for end of April 2020, handing over
+          to 20.03.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Nix has been updated to 2.3; see its
+          <link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.3">release
+          notes</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Core version changes:
+        </para>
+        <para>
+          systemd: 239 -&gt; 243
+        </para>
+        <para>
+          gcc: 7 -&gt; 8
+        </para>
+        <para>
+          glibc: 2.27 (unchanged)
+        </para>
+        <para>
+          linux: 4.19 LTS (unchanged)
+        </para>
+        <para>
+          openssl: 1.0 -&gt; 1.1
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Desktop version changes:
+        </para>
+        <para>
+          plasma5: 5.14 -&gt; 5.16
+        </para>
+        <para>
+          gnome3: 3.30 -&gt; 3.32
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          PHP now defaults to PHP 7.3, updated from 7.2.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          PHP 7.1 is no longer supported due to upstream not supporting
+          this version for the entire lifecycle of the 19.09 release.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The binfmt module is now easier to use. Additional systems can
+          be added through
+          <literal>boot.binfmt.emulatedSystems</literal>. For instance,
+          <literal>boot.binfmt.emulatedSystems = [ &quot;wasm32-wasi&quot; &quot;x86_64-windows&quot; &quot;aarch64-linux&quot; ];</literal>
+          will set up binfmt interpreters for each of those listed
+          systems.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The installer now uses a less privileged
+          <literal>nixos</literal> user whereas before we logged in as
+          root. To gain root privileges use <literal>sudo -i</literal>
+          without a password.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          We've updated to Xfce 4.14, which brings a new module
+          <literal>services.xserver.desktopManager.xfce4-14</literal>.
+          If you'd like to upgrade, please switch from the
+          <literal>services.xserver.desktopManager.xfce</literal> module
+          as it will be deprecated in a future release. They're
+          incompatibilities with the current Xfce module; it doesn't
+          support <literal>thunarPlugins</literal> and it isn't
+          recommended to use
+          <literal>services.xserver.desktopManager.xfce</literal> and
+          <literal>services.xserver.desktopManager.xfce4-14</literal>
+          simultaneously or to downgrade from Xfce 4.14 after upgrading.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The GNOME 3 desktop manager module sports an interface to
+          enable/disable core services, applications, and optional GNOME
+          packages like games.
+        </para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              <literal>services.gnome3.core-os-services.enable</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>services.gnome3.core-shell.enable</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>services.gnome3.core-utilities.enable</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>services.gnome3.games.enable</literal>
+            </para>
+          </listitem>
+        </itemizedlist>
+        <para>
+          With these options we hope to give users finer grained control
+          over their systems. Prior to this change you'd either have to
+          manually disable options or use
+          <literal>environment.gnome3.excludePackages</literal> which
+          only excluded the optional applications.
+          <literal>environment.gnome3.excludePackages</literal> is now
+          unguarded, it can exclude any package installed with
+          <literal>environment.systemPackages</literal> in the GNOME 3
+          module.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Orthogonal to the previous changes to the GNOME 3 desktop
+          manager module, we've updated all default services and
+          applications to match as close as possible to a default
+          reference GNOME 3 experience.
+        </para>
+        <para>
+          <emphasis role="strong">The following changes were enacted in
+          <literal>services.gnome3.core-utilities.enable</literal></emphasis>
+        </para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              <literal>accerciser</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>dconf-editor</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>evolution</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>gnome-documents</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>gnome-nettool</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>gnome-power-manager</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>gnome-todo</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>gnome-tweaks</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>gnome-usage</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>gucharmap</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>nautilus-sendto</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>vinagre</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>cheese</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>geary</literal>
+            </para>
+          </listitem>
+        </itemizedlist>
+        <para>
+          <emphasis role="strong">The following changes were enacted in
+          <literal>services.gnome3.core-shell.enable</literal></emphasis>
+        </para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              <literal>gnome-color-manager</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>orca</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>services.avahi.enable</literal>
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+    </itemizedlist>
+  </section>
+  <section xml:id="sec-release-19.09-new-services">
+    <title>New Services</title>
+    <para>
+      The following new services were added since the last release:
+    </para>
+    <itemizedlist>
+      <listitem>
+        <para>
+          <literal>./programs/dwm-status.nix</literal>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The new <literal>hardware.printers</literal> module allows to
+          declaratively configure CUPS printers via the
+          <literal>ensurePrinters</literal> and
+          <literal>ensureDefaultPrinter</literal> options.
+          <literal>ensurePrinters</literal> will never delete existing
+          printers, but will make sure that the given printers are
+          configured as declared.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          There is a new
+          <link xlink:href="options.html#opt-services.system-config-printer.enable">services.system-config-printer.enable</link>
+          and
+          <link xlink:href="options.html#opt-programs.system-config-printer.enable">programs.system-config-printer.enable</link>
+          module for the program of the same name. If you previously had
+          <literal>system-config-printer</literal> enabled through some
+          other means you should migrate to using one of these modules.
+        </para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              <literal>services.xserver.desktopManager.plasma5</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>services.xserver.desktopManager.gnome3</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>services.xserver.desktopManager.pantheon</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>services.xserver.desktopManager.mate</literal>
+              Note Mate uses
+              <literal>programs.system-config-printer</literal> as it
+              doesn't use it as a service, but its graphical interface
+              directly.
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="options.html#opt-services.blueman.enable">services.blueman.enable</link>
+          has been added. If you previously had blueman installed via
+          <literal>environment.systemPackages</literal> please migrate
+          to using the NixOS module, as this would result in an
+          insufficiently configured blueman.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+  <section xml:id="sec-release-19.09-incompatibilities">
+    <title>Backward Incompatibilities</title>
+    <para>
+      When upgrading from a previous release, please be aware of the
+      following incompatible changes:
+    </para>
+    <itemizedlist>
+      <listitem>
+        <para>
+          Buildbot no longer supports Python 2, as support was dropped
+          upstream in version 2.0.0. Configurations may need to be
+          modified to make them compatible with Python 3.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          PostgreSQL now uses <literal>/run/postgresql</literal> as its
+          socket directory instead of <literal>/tmp</literal>. So if you
+          run an application like eg. Nextcloud, where you need to use
+          the Unix socket path as the database host name, you need to
+          change it accordingly.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          PostgreSQL 9.4 is scheduled EOL during the 19.09 life cycle
+          and has been removed.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The options
+          <literal>services.prometheus.alertmanager.user</literal> and
+          <literal>services.prometheus.alertmanager.group</literal> have
+          been removed because the alertmanager service is now using
+          systemd's
+          <link xlink:href="http://0pointer.net/blog/dynamic-users-with-systemd.html">
+          DynamicUser mechanism</link> which obviates these options.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The NetworkManager systemd unit was renamed back from
+          network-manager.service to NetworkManager.service for better
+          compatibility with other applications expecting this name. The
+          same applies to ModemManager where modem-manager.service is
+          now called ModemManager.service again.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>services.nzbget.configFile</literal> and
+          <literal>services.nzbget.openFirewall</literal> options were
+          removed as they are managed internally by the nzbget. The
+          <literal>services.nzbget.dataDir</literal> option hadn't
+          actually been used by the module for some time and so was
+          removed as cleanup.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>services.mysql.pidDir</literal> option was
+          removed, as it was only used by the wordpress apache-httpd
+          service to wait for mysql to have started up. This can be
+          accomplished by either describing a dependency on
+          mysql.service (preferred) or waiting for the (hardcoded)
+          <literal>/run/mysqld/mysql.sock</literal> file to appear.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>services.emby.enable</literal> module has been
+          removed, see <literal>services.jellyfin.enable</literal>
+          instead for a free software fork of Emby. See the Jellyfin
+          documentation:
+          <link xlink:href="https://jellyfin.readthedocs.io/en/latest/administrator-docs/migrate-from-emby/">
+          Migrating from Emby to Jellyfin </link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          IPv6 Privacy Extensions are now enabled by default for
+          undeclared interfaces. The previous behaviour was quite
+          misleading — even though the default value for
+          <literal>networking.interfaces.*.preferTempAddress</literal>
+          was <literal>true</literal>, undeclared interfaces would not
+          prefer temporary addresses. Now, interfaces not mentioned in
+          the config will prefer temporary addresses. EUI64 addresses
+          can still be set as preferred by explicitly setting the option
+          to <literal>false</literal> for the interface in question.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Since Bittorrent Sync was superseded by Resilio Sync in 2016,
+          the <literal>bittorrentSync</literal>,
+          <literal>bittorrentSync14</literal>, and
+          <literal>bittorrentSync16</literal> packages have been removed
+          in favor of <literal>resilio-sync</literal>.
+        </para>
+        <para>
+          The corresponding module, <literal>services.btsync</literal>
+          has been replaced by the <literal>services.resilio</literal>
+          module.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The httpd service no longer attempts to start the postgresql
+          service. If you have come to depend on this behaviour then you
+          can preserve the behavior with the following configuration:
+          <literal>systemd.services.httpd.after = [ &quot;postgresql.service&quot; ];</literal>
+        </para>
+        <para>
+          The option <literal>services.httpd.extraSubservices</literal>
+          has been marked as deprecated. You may still use this feature,
+          but it will be removed in a future release of NixOS. You are
+          encouraged to convert any httpd subservices you may have
+          written to a full NixOS module.
+        </para>
+        <para>
+          Most of the httpd subservices packaged with NixOS have been
+          replaced with full NixOS modules including LimeSurvey,
+          WordPress, and Zabbix. These modules can be enabled using the
+          <literal>services.limesurvey.enable</literal>,
+          <literal>services.mediawiki.enable</literal>,
+          <literal>services.wordpress.enable</literal>, and
+          <literal>services.zabbixWeb.enable</literal> options.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The option
+          <literal>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnlink</literal>
+          was renamed to
+          <literal>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnLink</literal>
+          (capital <literal>L</literal>). This follows
+          <link xlink:href="https://github.com/systemd/systemd/commit/9cb8c5593443d24c19e40bfd4fc06d672f8c554c">
+          upstreams renaming </link> of the setting.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          As of this release the NixOps feature
+          <literal>autoLuks</literal> is deprecated. It no longer works
+          with our systemd version without manual intervention.
+        </para>
+        <para>
+          Whenever the usage of the module is detected the evaluation
+          will fail with a message explaining why and how to deal with
+          the situation.
+        </para>
+        <para>
+          A new knob named
+          <literal>nixops.enableDeprecatedAutoLuks</literal> has been
+          introduced to disable the eval failure and to acknowledge the
+          notice was received and read. If you plan on using the feature
+          please note that it might break with subsequent updates.
+        </para>
+        <para>
+          Make sure you set the <literal>_netdev</literal> option for
+          each of the file systems referring to block devices provided
+          by the autoLuks module. Not doing this might render the system
+          in a state where it doesn't boot anymore.
+        </para>
+        <para>
+          If you are actively using the <literal>autoLuks</literal>
+          module please let us know in
+          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/62211">issue
+          #62211</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The setopt declarations will be evaluated at the end of
+          <literal>/etc/zshrc</literal>, so any code in
+          <link xlink:href="options.html#opt-programs.zsh.interactiveShellInit">programs.zsh.interactiveShellInit</link>,
+          <link xlink:href="options.html#opt-programs.zsh.loginShellInit">programs.zsh.loginShellInit</link>
+          and
+          <link xlink:href="options.html#opt-programs.zsh.promptInit">programs.zsh.promptInit</link>
+          may break if it relies on those options being set.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>prometheus-nginx-exporter</literal> package now
+          uses the offical exporter provided by NGINX Inc. Its metrics
+          are differently structured and are incompatible to the old
+          ones. For information about the metrics, have a look at the
+          <link xlink:href="https://github.com/nginxinc/nginx-prometheus-exporter">official
+          repo</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>shibboleth-sp</literal> package has been updated
+          to version 3. It is largely backward compatible, for further
+          information refer to the
+          <link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes">release
+          notes</link> and
+          <link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2">upgrade
+          guide</link>.
+        </para>
+        <para>
+          Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has
+          been dropped.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          By default, prometheus exporters are now run with
+          <literal>DynamicUser</literal> enabled. Exporters that need a
+          real user, now run under a seperate user and group which
+          follow the pattern
+          <literal>&lt;exporter-name&gt;-exporter</literal>, instead of
+          the previous default <literal>nobody</literal> and
+          <literal>nogroup</literal>. Only some exporters are affected
+          by the latter, namely the exporters
+          <literal>dovecot</literal>, <literal>node</literal>,
+          <literal>postfix</literal> and <literal>varnish</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>ibus-qt</literal> package is not installed by
+          default anymore when
+          <link xlink:href="options.html#opt-i18n.inputMethod.enabled">i18n.inputMethod.enabled</link>
+          is set to <literal>ibus</literal>. If IBus support in Qt 4.x
+          applications is required, add the <literal>ibus-qt</literal>
+          package to your
+          <link xlink:href="options.html#opt-environment.systemPackages">environment.systemPackages</link>
+          manually.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The CUPS Printing service now uses socket-based activation by
+          default, only starting when needed. The previous behavior can
+          be restored by setting
+          <literal>services.cups.startWhenNeeded</literal> to
+          <literal>false</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>services.systemhealth</literal> module has been
+          removed from nixpkgs due to lack of maintainer.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>services.mantisbt</literal> module has been
+          removed from nixpkgs due to lack of maintainer.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Squid 3 has been removed and the <literal>squid</literal>
+          derivation now refers to Squid 4.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>services.pdns-recursor.extraConfig</literal>
+          option has been replaced by
+          <literal>services.pdns-recursor.settings</literal>. The new
+          option allows setting extra configuration while being better
+          type-checked and mergeable.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          No service depends on <literal>keys.target</literal> anymore
+          which is a systemd target that indicates if all
+          <link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps
+          keys</link> were successfully uploaded. Instead,
+          <literal>&lt;key-name&gt;-key.service</literal> should be used
+          to define a dependency of a key in a service. The full issue
+          behind the <literal>keys.target</literal> dependency is
+          described at
+          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>.
+        </para>
+        <para>
+          The following services are affected by this:
+        </para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              <link xlink:href="options.html#opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link xlink:href="options.html#opt-services.nsd.enable"><literal>services.nsd</literal></link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link xlink:href="options.html#opt-services.softether.enable"><literal>services.softether</literal></link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link xlink:href="options.html#opt-services.strongswan.enable"><literal>services.strongswan</literal></link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link xlink:href="options.html#opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <link xlink:href="options.html#opt-services.httpd.enable"><literal>services.httpd</literal></link>
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>security.acme.directory</literal> option has been
+          replaced by a read-only
+          <literal>security.acme.certs.&lt;cert&gt;.directory</literal>
+          option for each certificate you define. This will be a
+          subdirectory of <literal>/var/lib/acme</literal>. You can use
+          this read-only option to figure out where the certificates are
+          stored for a specific certificate. For example, the
+          <literal>services.nginx.virtualhosts.&lt;name&gt;.enableACME</literal>
+          option will use this directory option to find the certs for
+          the virtual host.
+        </para>
+        <para>
+          <literal>security.acme.preDelay</literal> and
+          <literal>security.acme.activationDelay</literal> options have
+          been removed. To execute a service before certificates are
+          provisioned or renewed add a
+          <literal>RequiredBy=acme-${cert}.service</literal> to any
+          service.
+        </para>
+        <para>
+          Furthermore, the acme module will not automatically add a
+          dependency on <literal>lighttpd.service</literal> anymore. If
+          you are using certficates provided by letsencrypt for
+          lighttpd, then you should depend on the certificate service
+          <literal>acme-${cert}.service&gt;</literal> manually.
+        </para>
+        <para>
+          For nginx, the dependencies are still automatically managed
+          when
+          <literal>services.nginx.virtualhosts.&lt;name&gt;.enableACME</literal>
+          is enabled just like before. What changed is that nginx now
+          directly depends on the specific certificates that it needs,
+          instead of depending on the catch-all
+          <literal>acme-certificates.target</literal>. This target unit
+          was also removed from the codebase. This will mean nginx will
+          no longer depend on certificates it isn't explicitly managing
+          and fixes a bug with certificate renewal ordering racing with
+          nginx restarting which could lead to nginx getting in a broken
+          state as described at
+          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/60180">NixOS/nixpkgs#60180</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The old deprecated <literal>emacs</literal> package sets have
+          been dropped. What used to be called
+          <literal>emacsPackagesNg</literal> is now simply called
+          <literal>emacsPackages</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>services.xserver.desktopManager.xterm</literal> is
+          now disabled by default if <literal>stateVersion</literal> is
+          19.09 or higher. Previously the xterm desktopManager was
+          enabled when xserver was enabled, but it isn't useful for all
+          people so it didn't make sense to have any desktopManager
+          enabled default.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The WeeChat plugin
+          <literal>pkgs.weechatScripts.weechat-xmpp</literal> has been
+          removed as it doesn't receive any updates from upstream and
+          depends on outdated Python2-based modules.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Old unsupported versions (<literal>logstash5</literal>,
+          <literal>kibana5</literal>, <literal>filebeat5</literal>,
+          <literal>heartbeat5</literal>, <literal>metricbeat5</literal>,
+          <literal>packetbeat5</literal>) of the ELK-stack and Elastic
+          beats have been removed.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          For NixOS 19.03, both Prometheus 1 and 2 were available to
+          allow for a seamless transition from version 1 to 2 with
+          existing setups. Because Prometheus 1 is no longer developed,
+          it was removed. Prometheus 2 is now configured with
+          <literal>services.prometheus</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Citrix Receiver (<literal>citrix_receiver</literal>) has been
+          dropped in favor of Citrix Workspace
+          (<literal>citrix_workspace</literal>).
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>services.gitlab</literal> module has had its
+          literal secret options
+          (<literal>services.gitlab.smtp.password</literal>,
+          <literal>services.gitlab.databasePassword</literal>,
+          <literal>services.gitlab.initialRootPassword</literal>,
+          <literal>services.gitlab.secrets.secret</literal>,
+          <literal>services.gitlab.secrets.db</literal>,
+          <literal>services.gitlab.secrets.otp</literal> and
+          <literal>services.gitlab.secrets.jws</literal>) replaced by
+          file-based versions
+          (<literal>services.gitlab.smtp.passwordFile</literal>,
+          <literal>services.gitlab.databasePasswordFile</literal>,
+          <literal>services.gitlab.initialRootPasswordFile</literal>,
+          <literal>services.gitlab.secrets.secretFile</literal>,
+          <literal>services.gitlab.secrets.dbFile</literal>,
+          <literal>services.gitlab.secrets.otpFile</literal> and
+          <literal>services.gitlab.secrets.jwsFile</literal>). This was
+          done so that secrets aren't stored in the world-readable nix
+          store, but means that for each option you'll have to create a
+          file with the same exact string, add &quot;File&quot; to the
+          end of the option name, and change the definition to a string
+          pointing to the corresponding file; e.g.
+          <literal>services.gitlab.databasePassword = &quot;supersecurepassword&quot;</literal>
+          becomes
+          <literal>services.gitlab.databasePasswordFile = &quot;/path/to/secret_file&quot;</literal>
+          where the file <literal>secret_file</literal> contains the
+          string <literal>supersecurepassword</literal>.
+        </para>
+        <para>
+          The state path (<literal>services.gitlab.statePath</literal>)
+          now has the following restriction: no parent directory can be
+          owned by any other user than <literal>root</literal> or the
+          user specified in <literal>services.gitlab.user</literal>;
+          i.e. if <literal>services.gitlab.statePath</literal> is set to
+          <literal>/var/lib/gitlab/state</literal>,
+          <literal>gitlab</literal> and all parent directories must be
+          owned by either <literal>root</literal> or the user specified
+          in <literal>services.gitlab.user</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>networking.useDHCP</literal> option is
+          unsupported in combination with
+          <literal>networking.useNetworkd</literal> in anticipation of
+          defaulting to it. It has to be set to <literal>false</literal>
+          and enabled per interface with
+          <literal>networking.interfaces.&lt;name&gt;.useDHCP = true;</literal>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The Twitter client <literal>corebird</literal> has been
+          dropped as
+          <link xlink:href="https://www.patreon.com/posts/corebirds-future-18921328">it
+          is discontinued and does not work against the new Twitter
+          API</link>. Please use the fork <literal>cawbird</literal>
+          instead which has been adapted to the API changes and is still
+          maintained.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>nodejs-11_x</literal> package has been removed as
+          it's EOLed by upstream.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Because of the systemd upgrade, systemd-timesyncd will no
+          longer work if <literal>system.stateVersion</literal> is not
+          set correctly. When upgrading from NixOS 19.03, please make
+          sure that <literal>system.stateVersion</literal> is set to
+          <literal>&quot;19.03&quot;</literal>, or lower if the
+          installation dates back to an earlier version of NixOS.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Due to the short lifetime of non-LTS kernel releases package
+          attributes like <literal>linux_5_1</literal>,
+          <literal>linux_5_2</literal> and <literal>linux_5_3</literal>
+          have been removed to discourage dependence on specific non-LTS
+          kernel versions in stable NixOS releases. Going forward,
+          versioned attributes like <literal>linux_4_9</literal> will
+          exist for LTS versions only. Please use
+          <literal>linux_latest</literal> or
+          <literal>linux_testing</literal> if you depend on non-LTS
+          releases. Keep in mind that <literal>linux_latest</literal>
+          and <literal>linux_testing</literal> will change versions
+          under the hood during the lifetime of a stable release and
+          might include breaking changes.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Because of the systemd upgrade, some network interfaces might
+          change their name. For details see
+          <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html#History">
+          upstream docs</link> or
+          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/71086">
+          our ticket</link>.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+  <section xml:id="sec-release-19.09-notable-changes">
+    <title>Other Notable Changes</title>
+    <itemizedlist>
+      <listitem>
+        <para>
+          The <literal>documentation</literal> module gained an option
+          named <literal>documentation.nixos.includeAllModules</literal>
+          which makes the generated configuration.nix 5 manual page
+          include all options from all NixOS modules included in a given
+          <literal>configuration.nix</literal> configuration file.
+          Currently, it is set to <literal>false</literal> by default as
+          enabling it frequently prevents evaluation. But the plan is to
+          eventually have it set to <literal>true</literal> by default.
+          Please set it to <literal>true</literal> now in your
+          <literal>configuration.nix</literal> and fix all the bugs it
+          uncovers.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>vlc</literal> package gained support for
+          Chromecast streaming, enabled by default. TCP port 8010 must
+          be open for it to work, so something like
+          <literal>networking.firewall.allowedTCPPorts = [ 8010 ];</literal>
+          may be required in your configuration. Also consider enabling
+          <link xlink:href="https://nixos.wiki/wiki/Accelerated_Video_Playback">
+          Accelerated Video Playback</link> for better transcoding
+          performance.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The following changes apply if the
+          <literal>stateVersion</literal> is changed to 19.09 or higher.
+          For <literal>stateVersion = &quot;19.03&quot;</literal> or
+          lower the old behavior is preserved.
+        </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              <literal>solr.package</literal> defaults to
+              <literal>pkgs.solr_8</literal>.
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>hunspellDicts.fr-any</literal> dictionary now
+          ships with <literal>fr_FR.{aff,dic}</literal> which is linked
+          to <literal>fr-toutesvariantes.{aff,dic}</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>mysql</literal> service now runs as
+          <literal>mysql</literal> user. Previously, systemd did execute
+          it as root, and mysql dropped privileges itself. This includes
+          <literal>ExecStartPre=</literal> and
+          <literal>ExecStartPost=</literal> phases. To accomplish that,
+          runtime and data directory setup was delegated to
+          RuntimeDirectory and tmpfiles.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          With the upgrade to systemd version 242 the
+          <literal>systemd-timesyncd</literal> service is no longer
+          using <literal>DynamicUser=yes</literal>. In order for the
+          upgrade to work we rely on an activation script to move the
+          state from the old to the new directory. The older directory
+          (prior <literal>19.09</literal>) was
+          <literal>/var/lib/private/systemd/timesync</literal>.
+        </para>
+        <para>
+          As long as the <literal>system.config.stateVersion</literal>
+          is below <literal>19.09</literal> the state folder will
+          migrated to its proper location
+          (<literal>/var/lib/systemd/timesync</literal>), if required.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The package <literal>avahi</literal> is now built to look up
+          service definitions from
+          <literal>/etc/avahi/services</literal> instead of its output
+          directory in the nix store. Accordingly the module
+          <literal>avahi</literal> now supports custom service
+          definitions via
+          <literal>services.avahi.extraServiceFiles</literal>, which are
+          then placed in the aforementioned directory. See
+          avahi.service5 for more information on custom service
+          definitions.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Since version 0.1.19, <literal>cargo-vendor</literal> honors
+          package includes that are specified in the
+          <literal>Cargo.toml</literal> file of Rust crates.
+          <literal>rustPlatform.buildRustPackage</literal> uses
+          <literal>cargo-vendor</literal> to collect and build dependent
+          crates. Since this change in <literal>cargo-vendor</literal>
+          changes the set of vendored files for most Rust packages, the
+          hash that use used to verify the dependencies,
+          <literal>cargoSha256</literal>, also changes.
+        </para>
+        <para>
+          The <literal>cargoSha256</literal> hashes of all in-tree
+          derivations that use <literal>buildRustPackage</literal> have
+          been updated to reflect this change. However, third-party
+          derivations that use <literal>buildRustPackage</literal> may
+          have to be updated as well.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>consul</literal> package was upgraded past
+          version <literal>1.5</literal>, so its deprecated legacy UI is
+          no longer available.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The default resample-method for PulseAudio has been changed
+          from the upstream default <literal>speex-float-1</literal> to
+          <literal>speex-float-5</literal>. Be aware that low-powered
+          ARM-based and MIPS-based boards will struggle with this so
+          you'll need to set
+          <literal>hardware.pulseaudio.daemon.config.resample-method</literal>
+          back to <literal>speex-float-1</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>phabricator</literal> package and associated
+          <literal>httpd.extraSubservice</literal>, as well as the
+          <literal>phd</literal> service have been removed from nixpkgs
+          due to lack of maintainer.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>mercurial</literal>
+          <literal>httpd.extraSubservice</literal> has been removed from
+          nixpkgs due to lack of maintainer.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>trac</literal>
+          <literal>httpd.extraSubservice</literal> has been removed from
+          nixpkgs because it was unmaintained.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>foswiki</literal> package and associated
+          <literal>httpd.extraSubservice</literal> have been removed
+          from nixpkgs due to lack of maintainer.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>tomcat-connector</literal>
+          <literal>httpd.extraSubservice</literal> has been removed from
+          nixpkgs.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          It's now possible to change configuration in
+          <link xlink:href="options.html#opt-services.nextcloud.enable">services.nextcloud</link>
+          after the initial deploy since all config parameters are
+          persisted in an additional config file generated by the
+          module. Previously core configuration like database parameters
+          were set using their imperative installer after creating
+          <literal>/var/lib/nextcloud</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          There exists now <literal>lib.forEach</literal>, which is like
+          <literal>map</literal>, but with arguments flipped. When
+          mapping function body spans many lines (or has nested
+          <literal>map</literal>s), it is often hard to follow which
+          list is modified.
+        </para>
+        <para>
+          Previous solution to this problem was either to use
+          <literal>lib.flip map</literal> idiom or extract that
+          anonymous mapping function to a named one. Both can still be
+          used but <literal>lib.forEach</literal> is preferred over
+          <literal>lib.flip map</literal>.
+        </para>
+        <para>
+          The <literal>/etc/sysctl.d/nixos.conf</literal> file
+          containing all the options set via
+          <link xlink:href="options.html#opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
+          was moved to <literal>/etc/sysctl.d/60-nixos.conf</literal>,
+          as sysctl.d5 recommends prefixing all filenames in
+          <literal>/etc/sysctl.d</literal> with a two-digit number and a
+          dash to simplify the ordering of the files.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          We now install the sysctl snippets shipped with systemd.
+        </para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              Loose reverse path filtering
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Source route filtering
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>fq_codel</literal> as a packet scheduler (this
+              helps to fight bufferbloat)
+            </para>
+          </listitem>
+        </itemizedlist>
+        <para>
+          This also configures the kernel to pass core dumps to
+          <literal>systemd-coredump</literal>, and restricts the SysRq
+          key combinations to the sync command only. These sysctl
+          snippets can be found in
+          <literal>/etc/sysctl.d/50-*.conf</literal>, and overridden via
+          <link xlink:href="options.html#opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
+          (which will place the parameters in
+          <literal>/etc/sysctl.d/60-nixos.conf</literal>).
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Core dumps are now processed by
+          <literal>systemd-coredump</literal> by default.
+          <literal>systemd-coredump</literal> behaviour can still be
+          modified via <literal>systemd.coredump.extraConfig</literal>.
+          To stick to the old behaviour (having the kernel dump to a
+          file called <literal>core</literal> in the working directory),
+          without piping it through <literal>systemd-coredump</literal>,
+          set <literal>systemd.coredump.enable</literal> to
+          <literal>false</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>systemd.packages</literal> option now also supports
+          generators and shutdown scripts. Old
+          <literal>systemd.generator-packages</literal> option has been
+          removed.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>rmilter</literal> package was removed with
+          associated module and options due deprecation by upstream
+          developer. Use <literal>rspamd</literal> in proxy mode
+          instead.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          systemd cgroup accounting via the
+          <link xlink:href="options.html#opt-systemd.enableCgroupAccounting">systemd.enableCgroupAccounting</link>
+          option is now enabled by default. It now also enables the more
+          recent Block IO and IP accounting features.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          We no longer enable custom font rendering settings with
+          <literal>fonts.fontconfig.penultimate.enable</literal> by
+          default. The defaults from fontconfig are sufficient.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>crashplan</literal> package and the
+          <literal>crashplan</literal> service have been removed from
+          nixpkgs due to crashplan shutting down the service, while the
+          <literal>crashplansb</literal> package and
+          <literal>crashplan-small-business</literal> service have been
+          removed from nixpkgs due to lack of maintainer.
+        </para>
+        <para>
+          The
+          <link xlink:href="options.html#opt-services.redis.enable">redis
+          module</link> was hardcoded to use the
+          <literal>redis</literal> user, <literal>/run/redis</literal>
+          as runtime directory and <literal>/var/lib/redis</literal> as
+          state directory. Note that the NixOS module for Redis now
+          disables kernel support for Transparent Huge Pages (THP),
+          because this features causes major performance problems for
+          Redis, e.g. (https://redis.io/topics/latency).
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Using <literal>fonts.enableDefaultFonts</literal> adds a
+          default emoji font <literal>noto-fonts-emoji</literal>.
+        </para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              <literal>services.xserver.enable</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>programs.sway.enable</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>programs.way-cooler.enable</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>services.xrdp.enable</literal>
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>altcoins</literal> categorization of packages has
+          been removed. You now access these packages at the top level,
+          ie. <literal>nix-shell -p dogecoin</literal> instead of
+          <literal>nix-shell -p altcoins.dogecoin</literal>, etc.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Ceph has been upgraded to v14.2.1. See the
+          <link xlink:href="https://ceph.com/releases/v14-2-0-nautilus-released/">release
+          notes</link> for details. The mgr dashboard as well as osds
+          backed by loop-devices is no longer explicitly supported by
+          the package and module. Note: There's been some issues with
+          python-cherrypy, which is used by the dashboard and prometheus
+          mgr modules (and possibly others), hence
+          0000-dont-check-cherrypy-version.patch.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>pkgs.weechat</literal> is now compiled against
+          <literal>pkgs.python3</literal>. Weechat also recommends
+          <link xlink:href="https://weechat.org/scripts/python3/">to use
+          Python3 in their docs.</link>
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+</section>