diff options
Diffstat (limited to 'nixos/doc/manual/from_md/release-notes/rl-2009.section.xml')
| -rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2009.section.xml | 2206 |
1 files changed, 2206 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml new file mode 100644 index 00000000000..c74d850b2c6 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml @@ -0,0 +1,2206 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-20.09"> + <title>Release 20.09 (<quote>Nightingale</quote>, 2020.10/27)</title> + <para> + Support is planned until the end of June 2021, handing over to + 21.05. (Plans + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0080-nixos-release-schedule.md#core-changes"> + have shifted</link> by two months since release of 20.09.) + </para> + <section xml:id="sec-release-20.09-highlights"> + <title>Highlights</title> + <para> + In addition to 7349 new, 14442 updated, and 8181 removed packages, + this release has the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + Core version changes: + </para> + <itemizedlist> + <listitem> + <para> + gcc: 9.2.0 -> 9.3.0 + </para> + </listitem> + <listitem> + <para> + glibc: 2.30 -> 2.31 + </para> + </listitem> + <listitem> + <para> + linux: still defaults to 5.4.x, all supported kernels + available + </para> + </listitem> + <listitem> + <para> + mesa: 19.3.5 -> 20.1.7 + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Desktop Environments: + </para> + <itemizedlist> + <listitem> + <para> + plasma5: 5.17.5 -> 5.18.5 + </para> + </listitem> + <listitem> + <para> + kdeApplications: 19.12.3 -> 20.08.1 + </para> + </listitem> + <listitem> + <para> + gnome3: 3.34 -> 3.36, see its + <link xlink:href="https://help.gnome.org/misc/release-notes/3.36/">release + notes</link> + </para> + </listitem> + <listitem> + <para> + cinnamon: added at 4.6 + </para> + </listitem> + <listitem> + <para> + NixOS now distributes an official + <link xlink:href="https://nixos.org/download.html#nixos-iso">GNOME + ISO</link> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Programming Languages and Frameworks: + </para> + <itemizedlist> + <listitem> + <para> + Agda ecosystem was heavily reworked (see more details + below) + </para> + </listitem> + <listitem> + <para> + PHP now defaults to PHP 7.4, updated from 7.3 + </para> + </listitem> + <listitem> + <para> + PHP 7.2 is no longer supported due to upstream not + supporting this version for the entire lifecycle of the + 20.09 release + </para> + </listitem> + <listitem> + <para> + Python 3 now defaults to Python 3.8 instead of 3.7 + </para> + </listitem> + <listitem> + <para> + Python 3.5 reached its upstream EOL at the end of + September 2020: it has been removed from the list of + available packages + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Databases and Service Monitoring: + </para> + <itemizedlist> + <listitem> + <para> + MariaDB has been updated to 10.4, MariaDB Galera to 26.4. + Please read the related upgrade instructions under + <link linkend="sec-release-20.09-incompatibilities">backwards + incompatibilities</link> before upgrading. + </para> + </listitem> + <listitem> + <para> + Zabbix now defaults to 5.0, updated from 4.4. Please read + related sections under + <link linkend="sec-release-20.09-incompatibilities">backwards + compatibilities</link> before upgrading. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Major module changes: + </para> + <itemizedlist> + <listitem> + <para> + Quickly configure a complete, private, self-hosted video + conferencing solution with the new Jitsi Meet module. + </para> + </listitem> + <listitem> + <para> + Two new options, + <link xlink:href="options.html#opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link> + and + <link xlink:href="options.html#opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, + have been added to the <literal>openssh</literal> module. + If you have <literal>AuthorizedKeysCommand</literal> in + your + <link xlink:href="options.html#opt-services.openssh.extraConfig">services.openssh.extraConfig</link> + you should make use of these new options instead. + </para> + </listitem> + <listitem> + <para> + There is a new module for Podman + (<literal>virtualisation.podman</literal>), a drop-in + replacement for the Docker command line. + </para> + </listitem> + <listitem> + <para> + The new <literal>virtualisation.containers</literal> + module manages configuration shared by the CRI-O and + Podman modules. + </para> + </listitem> + <listitem> + <para> + Declarative Docker containers are renamed from + <literal>docker-containers</literal> to + <literal>virtualisation.oci-containers.containers</literal>. + This is to make it possible to use + <literal>podman</literal> instead of + <literal>docker</literal>. + </para> + </listitem> + <listitem> + <para> + The new option + <link xlink:href="options.html#opt-documentation.man.generateCaches">documentation.man.generateCaches</link> + has been added to automatically generate the + <literal>man-db</literal> caches, which are needed by + utilities like <literal>whatis</literal> and + <literal>apropos</literal>. The caches are generated + during the build of the NixOS configuration: since this + can be expensive when a large number of packages are + installed, the feature is disabled by default. + </para> + </listitem> + <listitem> + <para> + <literal>services.postfix.sslCACert</literal> was replaced + by + <literal>services.postfix.tlsTrustedAuthorities</literal> + which now defaults to system certificate authorities. + </para> + </listitem> + <listitem> + <para> + The various documented workarounds to use steam have been + converted to a module. + <literal>programs.steam.enable</literal> enables steam, + controller support and the workarounds. + </para> + </listitem> + <listitem> + <para> + Support for built-in LCDs in various pieces of Logitech + hardware (keyboards and USB speakers). + <literal>hardware.logitech.lcd.enable</literal> enables + support for all hardware supported by the + <link xlink:href="https://sourceforge.net/projects/g15daemon/">g15daemon + project</link>. + </para> + </listitem> + <listitem> + <para> + The GRUB module gained support for basic password + protection, which allows to restrict non-default entries + in the boot menu to one or more users. The users and + passwords are defined via the option + <literal>boot.loader.grub.users</literal>. Note: Password + support is only available in GRUB version 2. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + NixOS module changes: + </para> + <itemizedlist> + <listitem> + <para> + The NixOS module system now supports freeform modules as a + mix between <literal>types.attrsOf</literal> and + <literal>types.submodule</literal>. These allow you to + explicitly declare a subset of options while still + permitting definitions without an associated option. See + <xref linkend="sec-freeform-modules" /> for how to use + them. + </para> + </listitem> + <listitem> + <para> + Following its deprecation in 20.03, the Perl NixOS test + driver has been removed. All remaining tests have been + ported to the Python test framework. Code outside nixpkgs + using <literal>make-test.nix</literal> or + <literal>testing.nix</literal> needs to be ported to + <literal>make-test-python.nix</literal> and + <literal>testing-python.nix</literal> respectively. + </para> + </listitem> + <listitem> + <para> + Subordinate GID and UID mappings are now set up + automatically for all normal users. This will make + container tools like Podman work as non-root users out of + the box. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Starting with this release, the hydra-build-result + <literal>nixos-YY.MM</literal> branches no longer exist in the + <link xlink:href="https://github.com/nixos/nixpkgs-channels">deprecated + nixpkgs-channels repository</link>. These branches are now in + <link xlink:href="https://github.com/nixos/nixpkgs">the main + nixpkgs repository</link>. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-20.09-new-services"> + <title>New Services</title> + <para> + In addition to 1119 new, 118 updated, and 476 removed options; 61 + new modules were added since the last release: + </para> + <itemizedlist> + <listitem> + <para> + Hardware: + </para> + <itemizedlist> + <listitem> + <para> + <link xlink:href="options.html#opt-hardware.system76.firmware-daemon.enable">hardware.system76.firmware-daemon.enable</link> + adds easy support of system76 firmware + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-hardware.uinput.enable">hardware.uinput.enable</link> + loads uinput kernel module + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-hardware.video.hidpi.enable">hardware.video.hidpi.enable</link> + enable good defaults for HiDPI displays + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-hardware.wooting.enable">hardware.wooting.enable</link> + support for Wooting keyboards + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-hardware.xpadneo.enable">hardware.xpadneo.enable</link> + xpadneo driver for Xbox One wireless controllers + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Programs: + </para> + <itemizedlist> + <listitem> + <para> + <link xlink:href="options.html#opt-programs.hamster.enable">programs.hamster.enable</link> + enable hamster time tracking + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-programs.steam.enable">programs.steam.enable</link> + adds easy enablement of steam and related system + configuration + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Security: + </para> + <itemizedlist> + <listitem> + <para> + <link xlink:href="options.html#opt-security.doas.enable">security.doas.enable</link> + alternative to sudo, allows non-root users to execute + commands as root + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-security.tpm2.enable">security.tpm2.enable</link> + add Trusted Platform Module 2 support + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + System: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <link xlink:href="options.html#opt-boot.initrd.network.openvpn.enable">boot.initrd.network.openvpn.enable</link> + start an OpenVPN client during initrd boot + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Virtualization: + </para> + <itemizedlist> + <listitem> + <para> + <link xlink:href="options.html#opt-boot.enableContainers">boot.enableContainers</link> + use nixos-containers + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-virtualisation.oci-containers.containers">virtualisation.oci-containers.containers</link> + run OCI (Docker) containers + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-virtualisation.podman.enable">virtualisation.podman.enable</link> + daemonless container engine + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Services: + </para> + <itemizedlist> + <listitem> + <para> + <link xlink:href="options.html#opt-services.ankisyncd.enable">services.ankisyncd.enable</link> + Anki sync server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.bazarr.enable">services.bazarr.enable</link> + Subtitle manager for Sonarr and Radarr + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.biboumi.enable">services.biboumi.enable</link> + Biboumi XMPP gateway to IRC + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.blockbook-frontend">services.blockbook-frontend</link> + Blockbook-frontend, a service for the Trezor wallet + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.cage.enable">services.cage.enable</link> + Wayland cage service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.convos.enable">services.convos.enable</link> + IRC daemon, which can be accessed throught the browser + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.engelsystem.enable">services.engelsystem.enable</link> + Tool for coordinating volunteers and shifts on large + events + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.espanso.enable">services.espanso.enable</link> + text-expander written in rust + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.foldingathome.enable">services.foldingathome.enable</link> + Folding@home client + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.gerrit.enable">services.gerrit.enable</link> + Web-based team code collaboration tool + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.go-neb.enable">services.go-neb.enable</link> + Matrix bot + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.hardware.xow.enable">services.hardware.xow.enable</link> + xow as a systemd service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.hercules-ci-agent.enable">services.hercules-ci-agent.enable</link> + Hercules CI build agent + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.jicofo.enable">services.jicofo.enable</link> + Jitsi Conference Focus, component of Jitsi Meet + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.jirafeau.enable">services.jirafeau.enable</link> + A web file repository + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.jitsi-meet.enable">services.jitsi-meet.enable</link> + Secure, simple and scalable video conferences + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.jitsi-videobridge.enable">services.jitsi-videobridge.enable</link> + Jitsi Videobridge, a WebRTC compatible router + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.jupyterhub.enable">services.jupyterhub.enable</link> + Jupyterhub development server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.k3s.enable">services.k3s.enable</link> + Lightweight Kubernetes distribution + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.magic-wormhole-mailbox-server.enable">services.magic-wormhole-mailbox-server.enable</link> + Magic Wormhole Mailbox Server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.malcontent.enable">services.malcontent.enable</link> + Parental Control support + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.matrix-appservice-discord.enable">services.matrix-appservice-discord.enable</link> + Matrix and Discord bridge + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.mautrix-telegram.enable">services.mautrix-telegram.enable</link> + Matrix-Telegram puppeting/relaybot bridge + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.mirakurun.enable">services.mirakurun.enable</link> + Japanese DTV Tuner Server Service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.molly-brown.enable">services.molly-brown.enable</link> + Molly-Brown Gemini server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.mullvad-vpn.enable">services.mullvad-vpn.enable</link> + Mullvad VPN daemon + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.ncdns.enable">services.ncdns.enable</link> + Namecoin to DNS bridge + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.nextdns.enable">services.nextdns.enable</link> + NextDNS to DoH Proxy service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.nix-store-gcs-proxy">services.nix-store-gcs-proxy</link> + Google storage bucket to be used as a nix store + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.onedrive.enable">services.onedrive.enable</link> + OneDrive sync service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.pinnwand.enable">services.pinnwand.enable</link> + Pastebin-like service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.pixiecore.enable">services.pixiecore.enable</link> + Manage network booting of machines + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.privacyidea.enable">services.privacyidea.enable</link> + Privacy authentication server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.quorum.enable">services.quorum.enable</link> + Quorum blockchain daemon + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.robustirc-bridge.enable">services.robustirc-bridge.enable</link> + RobustIRC bridge + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.rss-bridge.enable">services.rss-bridge.enable</link> + Generate RSS and Atom feeds + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.rtorrent.enable">services.rtorrent.enable</link> + rTorrent service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.smartdns.enable">services.smartdns.enable</link> + SmartDNS DNS server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.sogo.enable">services.sogo.enable</link> + SOGo groupware + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.teeworlds.enable">services.teeworlds.enable</link> + Teeworlds game server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.torque.mom.enable">services.torque.mom.enable</link> + torque computing node + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.torque.server.enable">services.torque.server.enable</link> + torque server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.tuptime.enable">services.tuptime.enable</link> + A total uptime service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.urserver.enable">services.urserver.enable</link> + X11 remote server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.wasabibackend.enable">services.wasabibackend.enable</link> + Wasabi backend service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.yubikey-agent.enable">services.yubikey-agent.enable</link> + Yubikey agent + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.zigbee2mqtt.enable">services.zigbee2mqtt.enable</link> + Zigbee to MQTT bridge + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-20.09-incompatibilities"> + <title>Backward Incompatibilities</title> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist> + <listitem> + <para> + MariaDB has been updated to 10.4, MariaDB Galera to 26.4. + Before you upgrade, it would be best to take a backup of your + database. For MariaDB Galera Cluster, see + <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104-with-galera-cluster/">Upgrading + from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster</link> + instead. Before doing the upgrade read + <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104">Incompatible + Changes Between 10.3 and 10.4</link>. After the upgrade you + will need to run <literal>mysql_upgrade</literal>. MariaDB + 10.4 introduces a number of changes to the authentication + process, intended to make things easier and more intuitive. + See + <link xlink:href="https://mariadb.com/kb/en/authentication-from-mariadb-104/">Authentication + from MariaDB 10.4</link>. unix_socket auth plugin does not use + a password, and uses the connecting user's UID instead. When a + new MariaDB data directory is initialized, two MariaDB users + are created and can be used with new unix_socket auth plugin, + as well as traditional mysql_native_password plugin: + root@localhost and mysql@localhost. To actually use the + traditional mysql_native_password plugin method, one must run + the following: + </para> + <programlisting language="bash"> +{ +services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' + ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("verysecret"); +''; +} +</programlisting> + <para> + When MariaDB data directory is just upgraded (not + initialized), the users are not created or modified. + </para> + </listitem> + <listitem> + <para> + MySQL server is now started with additional systemd + sandbox/hardening options for better security. The PrivateTmp, + ProtectHome, and ProtectSystem options may be problematic when + MySQL is attempting to read from or write to your filesystem + anywhere outside of its own state directory, for example when + calling + <literal>LOAD DATA INFILE or SELECT * INTO OUTFILE</literal>. + In this scenario a variant of the following may be required: - + allow MySQL to read from /home and /tmp directories when using + <literal>LOAD DATA INFILE</literal> + </para> + <programlisting language="bash"> +{ + systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only"; +} +</programlisting> + <para> + - allow MySQL to write to custom folder + <literal>/var/data</literal> when using + <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql + user has write access to <literal>/var/data</literal> + </para> + <programlisting language="bash"> +{ + systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ]; +} +</programlisting> + <para> + The MySQL service no longer runs its + <literal>systemd</literal> service startup script as + <literal>root</literal> anymore. A dedicated non + <literal>root</literal> super user account is required for + operation. This means users with an existing MySQL or MariaDB + database server are required to run the following SQL + statements as a super admin user before upgrading: + </para> + <programlisting language="SQL"> +CREATE USER IF NOT EXISTS 'mysql'@'localhost' identified with unix_socket; +GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION; +</programlisting> + <para> + If you use MySQL instead of MariaDB please replace + <literal>unix_socket</literal> with + <literal>auth_socket</literal>. If you have changed the value + of + <link xlink:href="options.html#opt-services.mysql.user">services.mysql.user</link> + from the default of <literal>mysql</literal> to a different + user please change <literal>'mysql'@'localhost'</literal> to + the corresponding user instead. + </para> + </listitem> + <listitem> + <para> + Zabbix now defaults to 5.0, updated from 4.4. Please carefully + read through + <link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade/sources">the + upgrade guide</link> and apply any changes required. Be sure + to take special note of the section on + <link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade_notes_500#enabling_extended_range_of_numeric_float_values">enabling + extended range of numeric (float) values</link> as you will + need to apply this database migration manually. + </para> + <para> + If you are using Zabbix Server with a MySQL or MariaDB + database you should note that using a character set of + <literal>utf8</literal> and a collate of + <literal>utf8_bin</literal> has become mandatory with this + release. See the upstream + <link xlink:href="https://support.zabbix.com/browse/ZBX-17357">issue</link> + for further discussion. Before upgrading you should check the + character set and collation used by your database and ensure + they are correct: + </para> + <programlisting language="SQL"> +SELECT + default_character_set_name, + default_collation_name +FROM + information_schema.schemata +WHERE + schema_name = 'zabbix'; +</programlisting> + <para> + If these values are not correct you should take a backup of + your database and convert the character set and collation as + required. Here is an + <link xlink:href="https://www.zabbix.com/forum/zabbix-help/396573-reinstall-after-upgrade?p=396891#post396891">example</link> + of how to do so, taken from the Zabbix forums: + </para> + <programlisting language="SQL"> +ALTER DATABASE `zabbix` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin; + +-- the following will produce a list of SQL commands you should subsequently execute +SELECT CONCAT("ALTER TABLE ", TABLE_NAME," CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;") AS ExecuteTheString +FROM information_schema.`COLUMNS` +WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ci"; +</programlisting> + </listitem> + <listitem> + <para> + maxx package removed along with + <literal>services.xserver.desktopManager.maxx</literal> + module. Please migrate to cdesktopenv and + <literal>services.xserver.desktopManager.cde</literal> module. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.matrix-synapse.enable">matrix-synapse</link> + module no longer includes optional dependencies by default, + they have to be added through the + <link xlink:href="options.html#opt-services.matrix-synapse.plugins">plugins</link> + option. + </para> + </listitem> + <listitem> + <para> + <literal>buildGoModule</literal> now internally creates a + vendor directory in the source tree for downloaded modules + instead of using go's + <link xlink:href="https://golang.org/cmd/go/#hdr-Module_proxy_protocol">module + proxy protocol</link>. This storage format is simpler and + therefore less likely to break with future versions of go. As + a result <literal>buildGoModule</literal> switched from + <literal>modSha256</literal> to the + <literal>vendorSha256</literal> attribute to pin fetched + version data. + </para> + </listitem> + <listitem> + <para> + Grafana is now built without support for phantomjs by default. + Phantomjs support has been + <link xlink:href="https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-4/">deprecated + in Grafana</link> and the phantomjs project is + <link xlink:href="https://github.com/ariya/phantomjs/issues/15344#issue-302015362">currently + unmaintained</link>. It can still be enabled by providing + <literal>phantomJsSupport = true</literal> to the package + instantiation: + </para> + <programlisting language="bash"> +{ + services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec { + phantomJsSupport = true; + }); +} +</programlisting> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.supybot.enable">supybot</link> + module now uses <literal>/var/lib/supybot</literal> as its + default + <link xlink:href="options.html#opt-services.supybot.stateDir">stateDir</link> + path if <literal>stateVersion</literal> is 20.09 or higher. It + also enables a number of + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd + sandboxing options</link> which may possibly interfere with + some plugins. If this is the case you can disable the options + through attributes in + <literal>systemd.services.supybot.serviceConfig</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>security.duosec.skey</literal> option, which + stored a secret in the nix store, has been replaced by a new + <link xlink:href="options.html#opt-security.duosec.secretKeyFile">security.duosec.secretKeyFile</link> + option for better security. + </para> + <para> + <literal>security.duosec.ikey</literal> has been renamed to + <link xlink:href="options.html#opt-security.duosec.integrationKey">security.duosec.integrationKey</link>. + </para> + </listitem> + <listitem> + <para> + <literal>vmware</literal> has been removed from the + <literal>services.x11.videoDrivers</literal> defaults. For + VMWare guests set + <literal>virtualisation.vmware.guest.enable</literal> to + <literal>true</literal> which will include the appropriate + drivers. + </para> + </listitem> + <listitem> + <para> + The initrd SSH support now uses OpenSSH rather than Dropbear + to allow the use of Ed25519 keys and other OpenSSH-specific + functionality. Host keys must now be in the OpenSSH format, + and at least one pre-generated key must be specified. + </para> + <para> + If you used the + <literal>boot.initrd.network.ssh.host*Key</literal> options, + you'll get an error explaining how to convert your host keys + and migrate to the new + <literal>boot.initrd.network.ssh.hostKeys</literal> option. + Otherwise, if you don't have any host keys set, you'll need to + generate some; see the <literal>hostKeys</literal> option + documentation for instructions. + </para> + </listitem> + <listitem> + <para> + Since this release there's an easy way to customize your PHP + install to get a much smaller base PHP with only wanted + extensions enabled. See the following snippet installing a + smaller PHP with the extensions <literal>imagick</literal>, + <literal>opcache</literal>, <literal>pdo</literal> and + <literal>pdo_mysql</literal> loaded: + </para> + <programlisting language="bash"> +{ + environment.systemPackages = [ + (pkgs.php.withExtensions + ({ all, ... }: with all; [ + imagick + opcache + pdo + pdo_mysql + ]) + ) + ]; +} +</programlisting> + <para> + The default <literal>php</literal> attribute hasn't lost any + extensions. The <literal>opcache</literal> extension has been + added. All upstream PHP extensions are available under + php.extensions.<name?>. + </para> + <para> + All PHP <literal>config</literal> flags have been removed for + the following reasons: + </para> + </listitem> + <listitem> + <para> + The updated <literal>php</literal> attribute is now easily + customizable to your liking by using + <literal>php.withExtensions</literal> or + <literal>php.buildEnv</literal> instead of writing config + files or changing configure flags. + </para> + </listitem> + <listitem> + <para> + The remaining configuration flags can now be set directly on + the <literal>php</literal> attribute. For example, instead of + </para> + <programlisting language="bash"> +{ + php.override { + config.php.embed = true; + config.php.apxs2 = false; + } +} +</programlisting> + <para> + you should now write + </para> + <programlisting language="bash"> +{ + php.override { + embedSupport = true; + apxs2Support = false; + } +} +</programlisting> + </listitem> + <listitem> + <para> + The ACME module has been overhauled for simplicity and + maintainability. Cert generation now implicitly uses the + <literal>acme</literal> user, and the + <literal>security.acme.certs._name_.user</literal> option has + been removed. Instead, certificate access from other services + is now managed through group permissions. The module no longer + runs lego twice under certain conditions, and will correctly + renew certificates if their configuration is changed. Services + which reload nginx and httpd after certificate renewal are now + properly configured too so you no longer have to do this + manually if you are using HTTPS enabled virtual hosts. A + mechanism for regenerating certs on demand has also been added + and documented. + </para> + </listitem> + <listitem> + <para> + Gollum received a major update to version 5.x and you may have + to change some links in your wiki when migrating from gollum + 4.x. More information can be found + <link xlink:href="https://github.com/gollum/gollum/wiki/5.0-release-notes#migrating-your-wiki">here</link>. + </para> + </listitem> + <listitem> + <para> + Deluge 2.x was added and is used as default for new NixOS + installations where stateVersion is >= 20.09. If you are + upgrading from a previous NixOS version, you can set + <literal>service.deluge.package = pkgs.deluge-2_x</literal> to + upgrade to Deluge 2.x and migrate the state to the new format. + Be aware that backwards state migrations are not supported by + Deluge. + </para> + </listitem> + <listitem> + <para> + Nginx web server now starting with additional + sandbox/hardening options. By default, write access to + <literal>/var/log/nginx</literal> and + <literal>/var/cache/nginx</literal> is allowed. To allow + writing to other folders, use + <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal> + </para> + <programlisting language="bash"> +{ + systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; +} +</programlisting> + <para> + Nginx is also started with the systemd option + <literal>ProtectHome = mkDefault true;</literal> which forbids + it to read anything from <literal>/home</literal>, + <literal>/root</literal> and <literal>/run/user</literal> (see + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=">ProtectHome + docs</link> for details). If you require serving files from + home directories, you may choose to set e.g. + </para> + <programlisting language="bash"> +{ + systemd.services.nginx.serviceConfig.ProtectHome = "read-only"; +} +</programlisting> + </listitem> + <listitem> + <para> + The NixOS options <literal>nesting.clone</literal> and + <literal>nesting.children</literal> have been deleted, and + replaced with named + <link xlink:href="options.html#opt-specialisation">specialisation</link> + configurations. + </para> + <para> + Replace a <literal>nesting.clone</literal> entry with: + </para> + <programlisting language="bash"> +{ + specialisation.example-sub-configuration = { + configuration = { + ... + }; +}; +</programlisting> + <para> + Replace a <literal>nesting.children</literal> entry with: + </para> + <programlisting language="bash"> +{ + specialisation.example-sub-configuration = { + inheritParentConfig = false; + configuration = { + ... + }; +}; +</programlisting> + <para> + To switch to a specialised configuration at runtime you need + to run: + </para> + <programlisting> +$ sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test +</programlisting> + <para> + Before you would have used: + </para> + <programlisting> +$ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test +</programlisting> + </listitem> + <listitem> + <para> + The Nginx log directory has been moved to + <literal>/var/log/nginx</literal>, the cache directory to + <literal>/var/cache/nginx</literal>. The option + <literal>services.nginx.stateDir</literal> has been removed. + </para> + </listitem> + <listitem> + <para> + The httpd web server previously started its main process as + root privileged, then ran worker processes as a less + privileged identity user. This was changed to start all of + httpd as a less privileged user (defined by + <link xlink:href="options.html#opt-services.httpd.user">services.httpd.user</link> + and + <link xlink:href="options.html#opt-services.httpd.group">services.httpd.group</link>). + As a consequence, all files that are needed for httpd to run + (included configuration fragments, SSL certificates and keys, + etc.) must now be readable by this less privileged user/group. + </para> + <para> + The default value for + <link xlink:href="options.html#opt-services.httpd.mpm">services.httpd.mpm</link> + has been changed from <literal>prefork</literal> to + <literal>event</literal>. Along with this change the default + value for + <link xlink:href="options.html#opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.http2</link> + has been set to <literal>true</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>systemd-networkd</literal> option + <literal>systemd.network.networks.<name>.dhcp.CriticalConnection</literal> + has been removed following upstream systemd's deprecation of + the same. It is recommended to use + <literal>systemd.network.networks.<name>.networkConfig.KeepConfiguration</literal> + instead. See systemd.network 5 for details. + </para> + </listitem> + <listitem> + <para> + The <literal>systemd-networkd</literal> option + <literal>systemd.network.networks._name_.dhcpConfig</literal> + has been renamed to + <link xlink:href="options.html#opt-systemd.network.networks._name_.dhcpV4Config">systemd.network.networks.<emphasis>name</emphasis>.dhcpV4Config</link> + following upstream systemd's documentation change. See + systemd.network 5 for details. + </para> + </listitem> + <listitem> + <para> + In the <literal>picom</literal> module, several options that + accepted floating point numbers encoded as strings (for + example + <link xlink:href="options.html#opt-services.picom.activeOpacity">services.picom.activeOpacity</link>) + have been changed to the (relatively) new native + <literal>float</literal> type. To migrate your configuration + simply remove the quotes around the numbers. + </para> + </listitem> + <listitem> + <para> + When using <literal>buildBazelPackage</literal> from Nixpkgs, + <literal>flat</literal> hash mode is now used for dependencies + instead of <literal>recursive</literal>. This is to better + allow using hashed mirrors where needed. As a result, these + hashes will have changed. + </para> + </listitem> + <listitem> + <para> + The syntax of the PostgreSQL configuration file is now checked + at build time. If your configuration includes a file + inaccessible inside the build sandbox, set + <literal>services.postgresql.checkConfig</literal> to + <literal>false</literal>. + </para> + </listitem> + <listitem> + <para> + The rkt module has been removed, it was archived by upstream. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="https://bazaar.canonical.com">Bazaar</link> + VCS is unmaintained and, as consequence of the Python 2 EOL, + the packages <literal>bazaar</literal> and + <literal>bazaarTools</literal> were removed. Breezy, the + backward compatible fork of Bazaar (see the + <link xlink:href="https://www.jelmer.uk/breezy-intro.html">announcement</link>), + was packaged as <literal>breezy</literal> and can be used + instead. + </para> + <para> + Regarding Nixpkgs, <literal>fetchbzr</literal>, + <literal>nix-prefetch-bzr</literal> and Bazaar support in + Hydra will continue to work through Breezy. + </para> + </listitem> + <listitem> + <para> + In addition to the hostname, the fully qualified domain name + (FQDN), which consists of + <literal>${networking.hostName}</literal> and + <literal>${networking.domain}</literal> is now added to + <literal>/etc/hosts</literal>, to allow local FQDN resolution, + as used by the <literal>hostname --fqdn</literal> command and + other applications that try to determine the FQDN. These new + entries take precedence over entries from the DNS which could + cause regressions in some very specific setups. Additionally + the hostname is now resolved to <literal>127.0.0.2</literal> + instead of <literal>127.0.1.1</literal> to be consistent with + what <literal>nss-myhostname</literal> (from systemd) returns. + The old behaviour can e.g. be restored by using + <literal>networking.hosts = lib.mkForce { "127.0.1.1" = [ config.networking.hostName ]; };</literal>. + </para> + </listitem> + <listitem> + <para> + The hostname (<literal>networking.hostName</literal>) must now + be a valid DNS label (see RFC 1035, RFC 1123) and as such must + not contain the domain part. This means that the hostname must + start with a letter or digit, end with a letter or digit, and + have as interior characters only letters, digits, and hyphen. + The maximum length is 63 characters. Additionally it is + recommended to only use lower-case characters. If (e.g. for + legacy reasons) a FQDN is required as the Linux kernel network + node hostname (<literal>uname --nodename</literal>) the option + <literal>boot.kernel.sysctl."kernel.hostname"</literal> + can be used as a workaround (but be aware of the 64 character + limit). + </para> + </listitem> + <listitem> + <para> + The GRUB specific option + <literal>boot.loader.grub.extraInitrd</literal> has been + replaced with the generic option + <literal>boot.initrd.secrets</literal>. This option creates a + secondary initrd from the specified files, rather than using a + manually created initrd file. Due to an existing bug with + <literal>boot.loader.grub.extraInitrd</literal>, it is not + possible to directly boot an older generation that used that + option. It is still possible to rollback to that generation if + the required initrd file has not been deleted. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="https://github.com/okTurtles/dnschain">DNSChain</link> + package and NixOS module have been removed from Nixpkgs as the + software is unmaintained and can't be built. For more + information see issue + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/89205">#89205</link>. + </para> + </listitem> + <listitem> + <para> + In the <literal>resilio</literal> module, + <link xlink:href="options.html#opt-services.resilio.httpListenAddr">services.resilio.httpListenAddr</link> + has been changed to listen to <literal>[::1]</literal> instead + of <literal>0.0.0.0</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>sslh</literal> has been updated to version + <literal>1.21</literal>. The <literal>ssl</literal> probe must + be renamed to <literal>tls</literal> in + <link xlink:href="options.html#opt-services.sslh.appendConfig">services.sslh.appendConfig</link>. + </para> + </listitem> + <listitem> + <para> + Users of <link xlink:href="http://openafs.org">OpenAFS + 1.6</link> must upgrade their services to OpenAFS 1.8! In this + release, the OpenAFS package version 1.6.24 is marked broken + but can be used during transition to OpenAFS 1.8.x. Use the + options + <literal>services.openafsClient.packages.module</literal>, + <literal>services.openafsClient.packages.programs</literal> + and <literal>services.openafsServer.package</literal> to + select a different OpenAFS package. OpenAFS 1.6 will be + removed in the next release. The package + <literal>openafs</literal> and the service options will then + silently point to the OpenAFS 1.8 release. + </para> + <para> + See also the OpenAFS + <link xlink:href="http://docs.openafs.org/AdminGuide/index.html">Administrator + Guide</link> for instructions. Beware of the following when + updating servers: + </para> + <itemizedlist> + <listitem> + <para> + The storage format of the server key has changed and the + key must be converted before running the new release. + </para> + </listitem> + <listitem> + <para> + When updating multiple database servers, turn off the + database servers from the highest IP down to the lowest + with resting periods in between. Start up in reverse + order. Do not concurrently run database servers working + with different OpenAFS releases! + </para> + </listitem> + <listitem> + <para> + Update servers first, then clients. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Radicale's default package has changed from 2.x to 3.x. An + upgrade checklist can be found + <link xlink:href="https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist">here</link>. + You can use the newer version in the NixOS service by setting + the <literal>package</literal> to + <literal>radicale3</literal>, which is done automatically if + <literal>stateVersion</literal> is 20.09 or higher. + </para> + </listitem> + <listitem> + <para> + <literal>udpt</literal> experienced a complete rewrite from + C++ to rust. The configuration format changed from ini to + toml. The new configuration documentation can be found at + <link xlink:href="https://naim94a.github.io/udpt/config.html">the + official website</link> and example configuration is packaged + in <literal>${udpt}/share/udpt/udpt.toml</literal>. + </para> + </listitem> + <listitem> + <para> + We now have a unified + <link xlink:href="options.html#opt-services.xserver.displayManager.autoLogin">services.xserver.displayManager.autoLogin</link> + option interface to be used for every display-manager in + NixOS. + </para> + </listitem> + <listitem> + <para> + The <literal>bitcoind</literal> module has changed to + multi-instance, using submodules. Therefore, it is now + mandatory to name each instance. To use this new + multi-instance config with an existing bitcoind data directory + and user, you have to adjust the original config, e.g.: + </para> + <programlisting language="bash"> +{ + services.bitcoind = { + enable = true; + extraConfig = "..."; + ... + }; +} +</programlisting> + <para> + To something similar: + </para> + <programlisting language="bash"> +{ + services.bitcoind.mainnet = { + enable = true; + dataDir = "/var/lib/bitcoind"; + user = "bitcoin"; + extraConfig = "..."; + ... + }; +} +</programlisting> + <para> + The key settings are: + </para> + <itemizedlist> + <listitem> + <para> + <literal>dataDir</literal> - to continue using the same + data directory. + </para> + </listitem> + <listitem> + <para> + <literal>user</literal> - to continue using the same user + so that bitcoind maintains access to its files. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Graylog introduced a change in the LDAP server certificate + validation behaviour for version 3.3.3 which might break + existing setups. When updating Graylog from a version before + 3.3.3 make sure to check the Graylog + <link xlink:href="https://www.graylog.org/post/announcing-graylog-v3-3-3">release + info</link> for information on how to avoid the issue. + </para> + </listitem> + <listitem> + <para> + The <literal>dokuwiki</literal> module has changed to + multi-instance, using submodules. Therefore, it is now + mandatory to name each instance. Moreover, forcing SSL by + default has been dropped, so <literal>nginx.forceSSL</literal> + and <literal>nginx.enableACME</literal> are no longer set to + <literal>true</literal>. To continue using your service with + the original SSL settings, you have to adjust the original + config, e.g.: + </para> + <programlisting language="bash"> +{ + services.dokuwiki = { + enable = true; + ... + }; +} +</programlisting> + <para> + To something similar: + </para> + <programlisting language="bash"> +{ + services.dokuwiki."mywiki" = { + enable = true; + nginx = { + forceSSL = true; + enableACME = true; + }; + ... + }; +} +</programlisting> + <para> + The base package has also been upgraded to the 2020-07-29 + "Hogfather" release. Plugins might be incompatible + or require upgrading. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.postgresql.dataDir">services.postgresql.dataDir</link> + option is now set to + <literal>"/var/lib/postgresql/${cfg.package.psqlSchema}"</literal> + regardless of your + <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>. + Users with an existing postgresql install that have a + <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link> + of <literal>17.03</literal> or below should double check what + the value of their + <link xlink:href="options.html#opt-services.postgresql.dataDir">services.postgresql.dataDir</link> + option is (<literal>/var/db/postgresql</literal>) and then + explicitly set this value to maintain compatibility: + </para> + <programlisting language="bash"> +{ + services.postgresql.dataDir = "/var/db/postgresql"; +} +</programlisting> + <para> + The postgresql module now expects there to be a database super + user account called <literal>postgres</literal> regardless of + your + <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>. + Users with an existing postgresql install that have a + <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link> + of <literal>17.03</literal> or below should run the following + SQL statements as a database super admin user before + upgrading: + </para> + <programlisting language="SQL"> +CREATE ROLE postgres LOGIN SUPERUSER; +</programlisting> + </listitem> + <listitem> + <para> + The USBGuard module now removes options and instead hardcodes + values for <literal>IPCAccessControlFiles</literal>, + <literal>ruleFiles</literal>, and + <literal>auditFilePath</literal>. Audit logs can be found in + the journal. + </para> + </listitem> + <listitem> + <para> + The NixOS module system now evaluates option definitions more + strictly, allowing it to detect a larger set of problems. As a + result, what previously evaluated may not do so anymore. See + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/82743#issuecomment-674520472">the + PR that changed this</link> for more info. + </para> + </listitem> + <listitem> + <para> + For NixOS configuration options, the type + <literal>loaOf</literal>, after its initial deprecation in + release 20.03, has been removed. In NixOS and Nixpkgs options + using this type have been converted to + <literal>attrsOf</literal>. For more information on this + change have look at these links: + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/1800">issue + #1800</link>, + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/63103">PR + #63103</link>. + </para> + </listitem> + <listitem> + <para> + <literal>config.systemd.services.${name}.path</literal> now + returns a list of paths instead of a colon-separated string. + </para> + </listitem> + <listitem> + <para> + Caddy module now uses Caddy v2 by default. Caddy v1 can still + be used by setting + <link xlink:href="options.html#opt-services.caddy.package">services.caddy.package</link> + to <literal>pkgs.caddy1</literal>. + </para> + <para> + New option + <link xlink:href="options.html#opt-services.caddy.adapter">services.caddy.adapter</link> + has been added. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.jellyfin.enable">jellyfin</link> + module will use and stay on the Jellyfin version + <literal>10.5.5</literal> if <literal>stateVersion</literal> + is lower than <literal>20.09</literal>. This is because + significant changes were made to the database schema, and it + is highly recommended to backup your instance before + upgrading. After making your backup, you can upgrade to the + latest version either by setting your + <literal>stateVersion</literal> to <literal>20.09</literal> or + higher, or set the + <literal>services.jellyfin.package</literal> to + <literal>pkgs.jellyfin</literal>. If you do not wish to + upgrade Jellyfin, but want to change your + <literal>stateVersion</literal>, you can set the value of + <literal>services.jellyfin.package</literal> to + <literal>pkgs.jellyfin_10_5</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>security.rngd</literal> service is now disabled + by default. This choice was made because there's krngd in the + linux kernel space making it (for most usecases) functionally + redundent. + </para> + </listitem> + <listitem> + <para> + The <literal>hardware.nvidia.optimus_prime.enable</literal> + service has been renamed to + <literal>hardware.nvidia.prime.sync.enable</literal> and has + many new enhancements. Related nvidia prime settings may have + also changed. + </para> + </listitem> + <listitem> + <para> + The package nextcloud17 has been removed and nextcloud18 was + marked as insecure since both of them will + <link xlink:href="https://docs.nextcloud.com/server/19/admin_manual/release_schedule.html"> + will be EOL (end of life) within the lifetime of 20.09</link>. + </para> + <para> + It's necessary to upgrade to nextcloud19: + </para> + <itemizedlist> + <listitem> + <para> + From nextcloud17, you have to upgrade to nextcloud18 first + as Nextcloud doesn't allow going multiple major revisions + forward in a single upgrade. This is possible by setting + <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link> + to nextcloud18. + </para> + </listitem> + <listitem> + <para> + From nextcloud18, it's possible to directly upgrade to + nextcloud19 by setting + <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link> + to nextcloud19. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The GNOME desktop manager no longer default installs + gnome3.epiphany. It was chosen to do this as it has a + usability breaking issue (see issue + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link>) + that makes it unsuitable to be a default app. + </para> + <note> + <para> + Issue + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link> + is now fixed and gnome3.epiphany is once again installed by + default. + </para> + </note> + </listitem> + <listitem> + <para> + If you want to manage the configuration of wpa_supplicant + outside of NixOS you must ensure that none of + <link xlink:href="options.html#opt-networking.wireless.networks">networking.wireless.networks</link>, + <link xlink:href="options.html#opt-networking.wireless.extraConfig">networking.wireless.extraConfig</link> + or + <link xlink:href="options.html#opt-networking.wireless.userControlled.enable">networking.wireless.userControlled.enable</link> + is being used or <literal>true</literal>. Using any of those + options will cause wpa_supplicant to be started with a NixOS + generated configuration file instead of your own. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-20.09-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + SD images are now compressed by default using + <literal>zstd</literal>. The compression for ISO images has + also been changed to <literal>zstd</literal>, but ISO images + are still not compressed by default. + </para> + </listitem> + <listitem> + <para> + <literal>services.journald.rateLimitBurst</literal> was + updated from <literal>1000</literal> to + <literal>10000</literal> to follow the new upstream systemd + default. + </para> + </listitem> + <listitem> + <para> + The notmuch package move its emacs-related binaries and emacs + lisp files to a separate output. They're not part of the + default <literal>out</literal> output anymore - if you relied + on the <literal>notmuch-emacs-mua</literal> binary or the + emacs lisp files, access them via the + <literal>notmuch.emacs</literal> output. Device tree overlay + support was improved in + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/79370">#79370</link> + and now uses + <link xlink:href="options.html#opt-hardware.deviceTree.kernelPackage">hardware.deviceTree.kernelPackage</link> + instead of <literal>hardware.deviceTree.base</literal>. + <link xlink:href="options.html#opt-hardware.deviceTree.overlays">hardware.deviceTree.overlays</link> + configuration was extended to support <literal>.dts</literal> + files with symbols. Device trees can now be filtered by + setting + <link xlink:href="options.html#opt-hardware.deviceTree.filter">hardware.deviceTree.filter</link> + option. + </para> + </listitem> + <listitem> + <para> + The default output of <literal>buildGoPackage</literal> is now + <literal>$out</literal> instead of <literal>$bin</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>buildGoModule</literal> <literal>doCheck</literal> + now defaults to <literal>true</literal>. + </para> + </listitem> + <listitem> + <para> + Packages built using <literal>buildRustPackage</literal> now + use <literal>release</literal> mode for the + <literal>checkPhase</literal> by default. + </para> + <para> + Please note that Rust packages utilizing a custom + build/install procedure (e.g. by using a + <literal>Makefile</literal>) or test suites that rely on the + structure of the <literal>target/</literal> directory may + break due to those assumptions. For further information, + please read the Rust section in the Nixpkgs manual. + </para> + </listitem> + <listitem> + <para> + The cc- and binutils-wrapper's "infix salt" and + <literal>_BUILD_</literal> and <literal>_TARGET_</literal> + user infixes have been replaced with with a "suffix + salt" and suffixes and <literal>_FOR_BUILD</literal> and + <literal>_FOR_TARGET</literal>. This matches the autotools + convention for env vars which standard for these things, + making interfacing with other tools easier. + </para> + </listitem> + <listitem> + <para> + Additional Git documentation (HTML and text files) is now + available via the <literal>git-doc</literal> package. + </para> + </listitem> + <listitem> + <para> + Default algorithm for ZRAM swap was changed to + <literal>zstd</literal>. + </para> + </listitem> + <listitem> + <para> + The installer now enables sshd by default. This improves + installation on headless machines especially ARM + single-board-computer. To login through ssh, either a password + or an ssh key must be set for the root user or the nixos user. + </para> + </listitem> + <listitem> + <para> + The scripted networking system now uses + <literal>.link</literal> files in + <literal>/etc/systemd/network</literal> to configure mac + address and link MTU, instead of the sometimes buggy + <literal>network-link-*</literal> units, which have been + removed. Bringing the interface up has been moved to the + beginning of the <literal>network-addresses-*</literal> unit. + Note this doesn't require <literal>systemd-networkd</literal> + - it's udev that parses <literal>.link</literal> files. Extra + care needs to be taken in the presence of + <link xlink:href="https://wiki.debian.org/NetworkInterfaceNames#THE_.22PERSISTENT_NAMES.22_SCHEME">legacy + udev rules</link> to rename interfaces, as MAC Address and MTU + defined in these options can only match on the original link + name. In such cases, you most likely want to create a + <literal>10-*.link</literal> file through + <link xlink:href="options.html#opt-systemd.network.links">systemd.network.links</link> + and set both name and MAC Address / MTU there. + </para> + </listitem> + <listitem> + <para> + Grafana received a major update to version 7.x. A plugin is + now needed for image rendering support, and plugins must now + be signed by default. More information can be found + <link xlink:href="https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0">in + the Grafana documentation</link>. + </para> + </listitem> + <listitem> + <para> + The <literal>hardware.u2f</literal> module, which was + installing udev rules was removed, as udev gained native + support to handle FIDO security tokens. + </para> + </listitem> + <listitem> + <para> + The <literal>services.transmission</literal> module was + enhanced with the new options: + <link xlink:href="options.html#opt-services.transmission.credentialsFile">services.transmission.credentialsFile</link>, + <link xlink:href="options.html#opt-services.transmission.openFirewall">services.transmission.openFirewall</link>, + and + <link xlink:href="options.html#opt-services.transmission.performanceNetParameters">services.transmission.performanceNetParameters</link>. + </para> + <para> + <literal>transmission-daemon</literal> is now started with + additional systemd sandbox/hardening options for better + security. Please + <link xlink:href="https://github.com/NixOS/nixpkgs/issues">report</link> + any use case where this is not working well. In particular, + the <literal>RootDirectory</literal> option newly set forbids + uploading or downloading a torrent outside of the default + directory configured at + <link xlink:href="options.html#opt-services.transmission.settings">settings.download-dir</link>. + If you really need Transmission to access other directories, + you must include those directories into the + <literal>BindPaths</literal> of the service: + </para> + <programlisting language="bash"> +{ + systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ]; +} +</programlisting> + <para> + Also, connection to the RPC (Remote Procedure Call) of + <literal>transmission-daemon</literal> is now only available + on the local network interface by default. Use: + </para> + <programlisting language="bash"> +{ + services.transmission.settings.rpc-bind-address = "0.0.0.0"; +} +</programlisting> + <para> + to get the previous behavior of listening on all network + interfaces. + </para> + </listitem> + <listitem> + <para> + With this release <literal>systemd-networkd</literal> (when + enabled through + <link xlink:href="options.html#opt-networking.useNetworkd">networking.useNetworkd</link>) + has it's netlink socket created through a + <literal>systemd.socket</literal> unit. This gives us control + over socket buffer sizes and other parameters. For larger + setups where networkd has to create a lot of (virtual) devices + the default buffer size (currently 128MB) is not enough. + </para> + <para> + On a machine with >100 virtual interfaces (e.g., wireguard + tunnels, VLANs, …), that all have to be brought up during + system startup, the receive buffer size will spike for a brief + period. Eventually some of the message will be dropped since + there is not enough (permitted) buffer space available. + </para> + <para> + By having <literal>systemd-networkd</literal> start with a + netlink socket created by <literal>systemd</literal> we can + configure the <literal>ReceiveBufferSize=</literal> parameter + in the socket options (i.e. + <literal>systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize</literal>) + without recompiling <literal>systemd-networkd</literal>. + </para> + <para> + Since the actual memory requirements depend on hardware, + timing, exact configurations etc. it isn't currently possible + to infer a good default from within the NixOS module system. + Administrators are advised to monitor the logs of + <literal>systemd-networkd</literal> for + <literal>rtnl: kernel receive buffer overrun</literal> spam + and increase the memory limit as they see fit. + </para> + <para> + Note: Increasing the <literal>ReceiveBufferSize=</literal> + doesn't allocate any memory. It just increases the upper bound + on the kernel side. The memory allocation depends on the + amount of messages that are queued on the kernel side of the + netlink socket. + </para> + </listitem> + <listitem> + <para> + Specifying + <link xlink:href="options.html#opt-services.dovecot2.mailboxes">mailboxes</link> + in the dovecot2 module as a list is deprecated and will break + eval in 21.05. Instead, an attribute-set should be specified + where the <literal>name</literal> should be the key of the + attribute. + </para> + <para> + This means that a configuration like this + </para> + <programlisting language="bash"> +{ + services.dovecot2.mailboxes = [ + { name = "Junk"; + auto = "create"; + } + ]; +} +</programlisting> + <para> + should now look like this: + </para> + <programlisting language="bash"> +{ + services.dovecot2.mailboxes = { + Junk.auto = "create"; + }; +} +</programlisting> + </listitem> + <listitem> + <para> + netbeans was upgraded to 12.0 and now defaults to OpenJDK 11. + This might cause problems if your projects depend on packages + that were removed in Java 11. + </para> + </listitem> + <listitem> + <para> + nextcloud has been updated to + <link xlink:href="https://nextcloud.com/blog/nextcloud-hub-brings-productivity-to-home-office/">v19</link>. + </para> + <para> + If you have an existing installation, please make sure that + you're on nextcloud18 before upgrading to nextcloud19 since + Nextcloud doesn't support upgrades across multiple major + versions. + </para> + </listitem> + <listitem> + <para> + The <literal>nixos-run-vms</literal> script now deletes the + previous run machines states on test startup. You can use the + <literal>--keep-vm-state</literal> flag to match the previous + behaviour and keep the same VM state between different test + runs. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-nix.buildMachines">nix.buildMachines</link> + option is now type-checked. There are no functional changes, + however this may require updating some configurations to use + correct types for all attributes. + </para> + </listitem> + <listitem> + <para> + The <literal>fontconfig</literal> module stopped generating + config and cache files for fontconfig 2.10.x, the + <literal>/etc/fonts/fonts.conf</literal> now belongs to the + latest fontconfig, just like on other Linux distributions, and + we will + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/95358">no + longer</link> be versioning the config directories. + </para> + <para> + Fontconfig 2.10.x was removed from Nixpkgs since it hasn’t + been used in any Nixpkgs package for years now. + </para> + </listitem> + <listitem> + <para> + Nginx module + <literal>nginxModules.fastcgi-cache-purge</literal> renamed to + official name <literal>nginxModules.cache-purge</literal>. + Nginx module <literal>nginxModules.ngx_aws_auth</literal> + renamed to official name + <literal>nginxModules.aws-auth</literal>. + </para> + </listitem> + <listitem> + <para> + The option <literal>defaultPackages</literal> was added. It + installs the packages perl, rsync and strace for now. They + were added unconditionally to + <literal>systemPackages</literal> before, but are not strictly + necessary for a minimal NixOS install. You can set it to an + empty list to have a more minimal system. Be aware that some + functionality might still have an impure dependency on those + packages, so things might break. + </para> + </listitem> + <listitem> + <para> + The <literal>undervolt</literal> option no longer needs to + apply its settings every 30s. If they still become undone, + open an issue and restore the previous behaviour using + <literal>undervolt.useTimer</literal>. + </para> + </listitem> + <listitem> + <para> + Agda has been heavily reworked. + </para> + <itemizedlist> + <listitem> + <para> + <literal>agda.mkDerivation</literal> has been heavily + changed and is now located at agdaPackages.mkDerivation. + </para> + </listitem> + <listitem> + <para> + New top-level packages agda and + <literal>agda.withPackages</literal> have been added, the + second of which sets up agda with access to chosen + libraries. + </para> + </listitem> + <listitem> + <para> + All agda libraries now live under + <literal>agdaPackages</literal>. + </para> + </listitem> + <listitem> + <para> + Many broken libraries have been removed. + </para> + </listitem> + </itemizedlist> + <para> + See the + <link xlink:href="https://nixos.org/nixpkgs/manual/#agda">new + documentation</link> for more information. + </para> + </listitem> + <listitem> + <para> + The <literal>deepin</literal> package set has been removed + from nixpkgs. It was a work in progress to package the + <link xlink:href="https://www.deepin.org/en/dde/">Deepin + Desktop Environment (DDE)</link>, including libraries, tools + and applications, and it was still missing a service to launch + the desktop environment. It has shown to no longer be a + feasible goal due to reasons discussed in + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/94870">issue + #94870</link>. The package + <literal>netease-cloud-music</literal> has also been removed, + as it depends on libraries from deepin. + </para> + </listitem> + <listitem> + <para> + The <literal>opendkim</literal> module now uses systemd + sandboxing features to limit the exposure of the system + towards the opendkim service. + </para> + </listitem> + <listitem> + <para> + Kubernetes has been upgraded to 1.19.1, which also means that + the golang version to build it has been bumped to 1.15. This + may have consequences for your existing clusters and their + certificates. Please consider + <link xlink:href="https://relnotes.k8s.io/?markdown=93264"> + the release notes for Kubernetes 1.19 carefully </link> before + upgrading. + </para> + </listitem> + <listitem> + <para> + For AMD GPUs, Vulkan can now be used by adding + <literal>amdvlk</literal> to + <literal>hardware.opengl.extraPackages</literal>. + </para> + </listitem> + <listitem> + <para> + Similarly, still for AMD GPUs, the ROCm OpenCL stack can now + be used by adding <literal>rocm-opencl-icd</literal> to + <literal>hardware.opengl.extraPackages</literal>. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-20.09-contributions"> + <title>Contributions</title> + <para> + I, Jonathan Ringer, would like to thank the following individuals + for their work on nixpkgs. This release could not be done without + the hard work of the NixOS community. There were 31282 + contributions across 1313 contributors. + </para> + <orderedlist numeration="arabic"> + <listitem> + <para> + 2288 Mario Rodas + </para> + </listitem> + <listitem> + <para> + 1837 Frederik Rietdijk + </para> + </listitem> + <listitem> + <para> + 946 Jörg Thalheim + </para> + </listitem> + <listitem> + <para> + 925 Maximilian Bosch + </para> + </listitem> + <listitem> + <para> + 687 Jonathan Ringer + </para> + </listitem> + <listitem> + <para> + 651 Jan Tojnar + </para> + </listitem> + <listitem> + <para> + 622 Daniël de Kok + </para> + </listitem> + <listitem> + <para> + 605 WORLDofPEACE + </para> + </listitem> + <listitem> + <para> + 597 Florian Klink + </para> + </listitem> + <listitem> + <para> + 528 José Romildo Malaquias + </para> + </listitem> + <listitem> + <para> + 281 volth + </para> + </listitem> + <listitem> + <para> + 101 Robert Scott + </para> + </listitem> + <listitem> + <para> + 86 Tim Steinbach + </para> + </listitem> + <listitem> + <para> + 76 WORLDofPEACE + </para> + </listitem> + <listitem> + <para> + 49 Maximilian Bosch + </para> + </listitem> + <listitem> + <para> + 42 Thomas Tuegel + </para> + </listitem> + <listitem> + <para> + 37 Doron Behar + </para> + </listitem> + <listitem> + <para> + 36 Vladimír Čunát + </para> + </listitem> + <listitem> + <para> + 27 Jonathan Ringer + </para> + </listitem> + <listitem> + <para> + 27 Maciej Krüger + </para> + </listitem> + </orderedlist> + <para> + I, Jonathan Ringer, would also like to personally thank + @WORLDofPEACE for their help in mentoring me on the release + process. Special thanks also goes to Thomas Tuegel for helping + immensely with stabilizing Qt, KDE, and Plasma5; I would also like + to thank Robert Scott for his numerous fixes and pull request + reviews. + </para> + </section> +</section> |