summary refs log tree commit diff
path: root/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml
diff options
context:
space:
mode:
Diffstat (limited to 'nixos/doc/manual/from_md/release-notes/rl-2105.section.xml')
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2105.section.xml1567
1 files changed, 1567 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml
new file mode 100644
index 00000000000..f4155d6f8ce
--- /dev/null
+++ b/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml
@@ -0,0 +1,1567 @@
+<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-21.05">
+  <title>Release 21.05 (<quote>Okapi</quote>, 2021.05/31)</title>
+  <para>
+    Support is planned until the end of December 2021, handing over to
+    21.11.
+  </para>
+  <section xml:id="sec-release-21.05-highlights">
+    <title>Highlights</title>
+    <para>
+      In addition to numerous new and upgraded packages, this release
+      has the following highlights:
+    </para>
+    <itemizedlist>
+      <listitem>
+        <para>
+          Core version changes:
+        </para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              gcc: 9.3.0 -&gt; 10.3.0
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              glibc: 2.30 -&gt; 2.32
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              default linux: 5.4 -&gt; 5.10, all supported kernels
+              available
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              mesa: 20.1.7 -&gt; 21.0.1
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>
+          Desktop Environments:
+        </para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              GNOME: 3.36 -&gt; 40, see its
+              <link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">release
+              notes</link>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Plasma5: 5.18.5 -&gt; 5.21.3
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              kdeApplications: 20.08.1 -&gt; 20.12.3
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              cinnamon: 4.6 -&gt; 4.8.1
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>
+          Programming Languages and Frameworks:
+        </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              Python optimizations were disabled again. Builds with
+              optimizations enabled are not reproducible. Optimizations
+              can now be enabled with an option.
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>
+          The linux_latest kernel was updated to the 5.12 series. It
+          currently is not officially supported for use with the zfs
+          filesystem. If you use zfs, you should use a different kernel
+          version (either the LTS kernel, or track a specific one).
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+  <section xml:id="sec-release-21.05-new-services">
+    <title>New Services</title>
+    <para>
+      The following new services were added since the last release:
+    </para>
+    <itemizedlist>
+      <listitem>
+        <para>
+          <link xlink:href="https://www.gnuradio.org/">GNURadio</link>
+          3.8 and 3.9 were
+          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/82263">finally</link>
+          packaged, along with a rewrite to the Nix expressions,
+          allowing users to override the features upstream supports
+          selecting to compile or not to. Additionally, the attribute
+          <literal>gnuradio</literal> (3.9),
+          <literal>gnuradio3_8</literal> and
+          <literal>gnuradio3_7</literal> now point to an externally
+          wrapped by default derivations, that allow you to also add
+          `extraPythonPackages` to the Python interpreter used by
+          GNURadio. Missing environmental variables needed for
+          operational GUI were also added
+          (<link xlink:href="https://github.com/NixOS/nixpkgs/issues/75478">#75478</link>).
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://www.keycloak.org/">Keycloak</link>,
+          an open source identity and access management server with
+          support for
+          <link xlink:href="https://openid.net/connect/">OpenID
+          Connect</link>, <link xlink:href="https://oauth.net/2/">OAUTH
+          2.0</link> and
+          <link xlink:href="https://en.wikipedia.org/wiki/SAML_2.0">SAML
+          2.0</link>.
+        </para>
+        <para>
+          See the <link linkend="module-services-keycloak">Keycloak
+          section of the NixOS manual</link> for more information.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="options.html#opt-services.samba-wsdd.enable">services.samba-wsdd.enable</link>
+          Web Services Dynamic Discovery host daemon
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://www.discourse.org/">Discourse</link>,
+          a modern and open source discussion platform.
+        </para>
+        <para>
+          See the <link linkend="module-services-discourse">Discourse
+          section of the NixOS manual</link> for more information.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="options.html#opt-services.nebula.networks">services.nebula.networks</link>
+          <link xlink:href="https://github.com/slackhq/nebula">Nebula
+          VPN</link>
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+  <section xml:id="sec-release-21.05-incompatibilities">
+    <title>Backward Incompatibilities</title>
+    <para>
+      When upgrading from a previous release, please be aware of the
+      following incompatible changes:
+    </para>
+    <itemizedlist>
+      <listitem>
+        <para>
+          GNOME desktop environment was upgraded to 40, see the release
+          notes for
+          <link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">40.0</link>
+          and
+          <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">3.38</link>.
+          The <literal>gnome3</literal> attribute set has been renamed
+          to <literal>gnome</literal> and so have been the NixOS
+          options.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          If you are using <literal>services.udev.extraRules</literal>
+          to assign custom names to network interfaces, this may stop
+          working due to a change in the initialisation of dhcpcd and
+          systemd networkd. To avoid this, either move them to
+          <literal>services.udev.initrdRules</literal> or see the new
+          <link linkend="sec-custom-ifnames">Assigning custom
+          names</link> section of the NixOS manual for an example using
+          networkd links.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>security.hideProcessInformation</literal> module
+          has been removed. It was broken since the switch to
+          cgroups-v2.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>linuxPackages.ati_drivers_x11</literal> kernel
+          modules have been removed. The drivers only supported kernels
+          prior to 4.2, and thus have become obsolete.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>systemConfig</literal> kernel parameter is no
+          longer added to boot loader entries. It has been unused since
+          September 2010, but if do have a system generation from that
+          era, you will now be unable to boot into them.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>systemd-journal2gelf</literal> no longer parses json
+          and expects the receiving system to handle it. How to achieve
+          this with Graylog is described in this
+          <link xlink:href="https://github.com/parse-nl/SystemdJournal2Gelf/issues/10">GitHub
+          issue</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          If the <literal>services.dbus</literal> module is enabled,
+          then the user D-Bus session is now always socket activated.
+          The associated options
+          <literal>services.dbus.socketActivated</literal> and
+          <literal>services.xserver.startDbusSession</literal> have
+          therefore been removed and you will receive a warning if they
+          are present in your configuration. This change makes the user
+          D-Bus session available also for non-graphical logins.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>networking.wireless.iwd</literal> module now
+          installs the upstream-provided 80-iwd.link file, which sets
+          the NamePolicy= for all wlan devices to &quot;keep
+          kernel&quot;, to avoid race conditions between iwd and
+          networkd. If you don't want this, you can set
+          <literal>systemd.network.links.&quot;80-iwd&quot; = lib.mkForce {}</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>rubyMinimal</literal> was removed due to being unused
+          and unusable. The default ruby interpreter includes JIT
+          support, which makes it reference it's compiler. Since JIT
+          support is probably needed by some Gems, it was decided to
+          enable this feature with all cc references by default, and
+          allow to build a Ruby derivation without references to cc, by
+          setting <literal>jitSupport = false;</literal> in an overlay.
+          See
+          <link xlink:href="https://github.com/NixOS/nixpkgs/pull/90151">#90151</link>
+          for more info.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Setting
+          <literal>services.openssh.authorizedKeysFiles</literal> now
+          also affects which keys
+          <literal>security.pam.enableSSHAgentAuth</literal> will use.
+          WARNING: If you are using these options in combination do make
+          sure that any key paths you use are present in
+          <literal>services.openssh.authorizedKeysFiles</literal>!
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The option <literal>fonts.enableFontDir</literal> has been
+          renamed to
+          <link xlink:href="options.html#opt-fonts.fontDir.enable">fonts.fontDir.enable</link>.
+          The path of font directory has also been changed to
+          <literal>/run/current-system/sw/share/X11/fonts</literal>, for
+          consistency with other X11 resources.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          A number of options have been renamed in the kicad interface.
+          <literal>oceSupport</literal> has been renamed to
+          <literal>withOCE</literal>, <literal>withOCCT</literal> has
+          been renamed to <literal>withOCC</literal>,
+          <literal>ngspiceSupport</literal> has been renamed to
+          <literal>withNgspice</literal>, and
+          <literal>scriptingSupport</literal> has been renamed to
+          <literal>withScripting</literal>. Additionally,
+          <literal>kicad/base.nix</literal> no longer provides default
+          argument values since these are provided by
+          <literal>kicad/default.nix</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The socket for the <literal>pdns-recursor</literal> module was
+          moved from <literal>/var/lib/pdns-recursor</literal> to
+          <literal>/run/pdns-recursor</literal> to match upstream.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Paperwork was updated to version 2. The on-disk format
+          slightly changed, and it is not possible to downgrade from
+          Paperwork 2 back to Paperwork 1.3. Back your documents up
+          before upgrading. See
+          <link xlink:href="https://forum.openpaper.work/t/paperwork-2-0/112/5">this
+          thread</link> for more details.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          PowerDNS has been updated from <literal>4.2.x</literal> to
+          <literal>4.3.x</literal>. Please be sure to review the
+          <link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#x-to-4-3-0">Upgrade
+          Notes</link> provided by upstream before upgrading. Worth
+          specifically noting is that the service now runs entirely as a
+          dedicated <literal>pdns</literal> user, instead of starting as
+          <literal>root</literal> and dropping privileges, as well as
+          the default <literal>socket-dir</literal> location changing
+          from <literal>/var/lib/powerdns</literal> to
+          <literal>/run/pdns</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>mediatomb</literal> service is now using by
+          default the new and maintained fork <literal>gerbera</literal>
+          package instead of the unmaintained
+          <literal>mediatomb</literal> package. If you want to keep the
+          old behavior, you must declare it with:
+        </para>
+        <programlisting language="bash">
+{
+  services.mediatomb.package = pkgs.mediatomb;
+}
+</programlisting>
+        <para>
+          One new option <literal>openFirewall</literal> has been
+          introduced which defaults to false. If you relied on the
+          service declaration to add the firewall rules itself before,
+          you should now declare it with:
+        </para>
+        <programlisting language="bash">
+{
+  services.mediatomb.openFirewall = true;
+}
+</programlisting>
+      </listitem>
+      <listitem>
+        <para>
+          xfsprogs was update from 4.19 to 5.11. It now enables reflink
+          support by default on filesystem creation. Support for
+          reflinks was added with an experimental status to kernel 4.9
+          and deemed stable in kernel 4.16. If you want to be able to
+          mount XFS filesystems created with this release of xfsprogs on
+          kernel releases older than those, you need to format them with
+          <literal>mkfs.xfs -m reflink=0</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The uWSGI server is now built with POSIX capabilities. As a
+          consequence, root is no longer required in emperor mode and
+          the service defaults to running as the unprivileged
+          <literal>uwsgi</literal> user. Any additional capability can
+          be added via the new option
+          <link xlink:href="options.html#opt-services.uwsgi.capabilities">services.uwsgi.capabilities</link>.
+          The previous behaviour can be restored by setting:
+        </para>
+        <programlisting language="bash">
+{
+  services.uwsgi.user = &quot;root&quot;;
+  services.uwsgi.group = &quot;root&quot;;
+  services.uwsgi.instance =
+    {
+      uid = &quot;uwsgi&quot;;
+      gid = &quot;uwsgi&quot;;
+    };
+}
+</programlisting>
+        <para>
+          Another incompatibility from the previous release is that
+          vassals running under a different user or group need to use
+          <literal>immediate-{uid,gid}</literal> instead of the usual
+          <literal>uid,gid</literal> options.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          btc1 has been abandoned upstream, and removed.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          cpp_ethereum (aleth) has been abandoned upstream, and removed.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          riak-cs package removed along with
+          <literal>services.riak-cs</literal> module.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          stanchion package removed along with
+          <literal>services.stanchion</literal> module.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          mutt has been updated to a new major version (2.x), which
+          comes with some backward incompatible changes that are
+          described in the
+          <link xlink:href="http://www.mutt.org/relnotes/2.0/">release
+          notes for Mutt 2.0</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>vim</literal> and <literal>neovim</literal> switched
+          to Python 3, dropping all Python 2 support.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="options.html#opt-networking.wireguard.interfaces">networking.wireguard.interfaces.&lt;name&gt;.generatePrivateKeyFile</link>,
+          which is off by default, had a <literal>chmod</literal> race
+          condition fixed. As an aside, the parent directory's
+          permissions were widened, and the key files were made
+          owner-writable. This only affects newly created keys. However,
+          if the exact permissions are important for your setup, read
+          <link xlink:href="https://github.com/NixOS/nixpkgs/pull/121294">#121294</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="options.html#opt-boot.zfs.forceImportAll">boot.zfs.forceImportAll</link>
+          previously did nothing, but has been fixed. However its
+          default has been changed to <literal>false</literal> to
+          preserve the existing default behaviour. If you have this
+          explicitly set to <literal>true</literal>, please note that
+          your non-root pools will now be forcibly imported.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          openafs now points to openafs_1_8, which is the new stable
+          release. OpenAFS 1.6 was removed.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The WireGuard module gained a new option
+          <literal>networking.wireguard.interfaces.&lt;name&gt;.peers.*.dynamicEndpointRefreshSeconds</literal>
+          that implements refreshing the IP of DNS-based endpoints
+          periodically (which WireGuard itself
+          <link xlink:href="https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html">cannot
+          do</link>).
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          MariaDB has been updated to 10.5. Before you upgrade, it would
+          be best to take a backup of your database and read
+          <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/#incompatible-changes-between-104-and-105">
+          Incompatible Changes Between 10.4 and 10.5</link>. After the
+          upgrade you will need to run <literal>mysql_upgrade</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The TokuDB storage engine dropped in mariadb 10.5 and removed
+          in mariadb 10.6. It is recommended to switch to RocksDB. See
+          also
+          <link xlink:href="https://mariadb.com/kb/en/tokudb/">TokuDB</link>
+          and
+          <link xlink:href="https://jira.mariadb.org/browse/MDEV-19780">MDEV-19780:
+          Remove the TokuDB storage engine</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>openldap</literal> module now has support for
+          OLC-style configuration, users of the
+          <literal>configDir</literal> option may wish to migrate. If
+          you continue to use <literal>configDir</literal>, ensure that
+          <literal>olcPidFile</literal> is set to
+          <literal>/run/slapd/slapd.pid</literal>.
+        </para>
+        <para>
+          As a result, <literal>extraConfig</literal> and
+          <literal>extraDatabaseConfig</literal> are removed. To help
+          with migration, you can convert your
+          <literal>slapd.conf</literal> file to OLC configuration with
+          the following script (find the location of this configuration
+          file by running <literal>systemctl status openldap</literal>,
+          it is the <literal>-f</literal> option.
+        </para>
+        <programlisting>
+$ TMPDIR=$(mktemp -d)
+$ slaptest -f /path/to/slapd.conf -F $TMPDIR
+$ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
+</programlisting>
+        <para>
+          This will dump your current configuration in LDIF format,
+          which should be straightforward to convert into Nix settings.
+          This does not show your schema configuration, as this is
+          unnecessarily verbose for users of the default schemas and
+          <literal>slaptest</literal> is buggy with schemas directly in
+          the config file.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Amazon EC2 and OpenStack Compute (nova) images now re-fetch
+          instance meta data and user data from the instance metadata
+          service (IMDS) on each boot. For example: stopping an EC2
+          instance, changing its user data, and restarting the instance
+          will now cause it to fetch and apply the new user data.
+        </para>
+        <warning>
+          <para>
+            Specifically, <literal>/etc/ec2-metadata</literal> is
+            re-populated on each boot. Some NixOS scripts that read from
+            this directory are guarded to only run if the files they
+            want to manipulate do not already exist, and so will not
+            re-apply their changes if the IMDS response changes.
+            Examples: <literal>root</literal>'s SSH key is only added if
+            <literal>/root/.ssh/authorized_keys</literal> does not
+            exist, and SSH host keys are only set from user data if they
+            do not exist in <literal>/etc/ssh</literal>.
+          </para>
+        </warning>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>rspamd</literal> services is now sandboxed. It is
+          run as a dynamic user instead of root, so secrets and other
+          files may have to be moved or their permissions may have to be
+          fixed. The sockets are now located in
+          <literal>/run/rspamd</literal> instead of
+          <literal>/run</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Enabling the Tor client no longer silently also enables and
+          configures Privoxy, and the
+          <literal>services.tor.client.privoxy.enable</literal> option
+          has been removed. To enable Privoxy, and to configure it to
+          use Tor's faster port, use the following configuration:
+        </para>
+        <programlisting language="bash">
+{
+  opt-services.privoxy.enable = true;
+  opt-services.privoxy.enableTor = true;
+}
+</programlisting>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>services.tor</literal> module has a new
+          exhaustively typed
+          <link xlink:href="options.html#opt-services.tor.settings">services.tor.settings</link>
+          option following RFC 0042; backward compatibility with old
+          options has been preserved when aliasing was possible. The
+          corresponding systemd service has been hardened, but there is
+          a chance that the service still requires more permissions, so
+          please report any related trouble on the bugtracker. Onion
+          services v3 are now supported in
+          <link xlink:href="options.html#opt-services.tor.relay.onionServices">services.tor.relay.onionServices</link>.
+          A new
+          <link xlink:href="options.html#opt-services.tor.openFirewall">services.tor.openFirewall</link>
+          option as been introduced for allowing connections on all the
+          TCP ports configured.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The options
+          <literal>services.slurm.dbdserver.storagePass</literal> and
+          <literal>services.slurm.dbdserver.configFile</literal> have
+          been removed. Use
+          <literal>services.slurm.dbdserver.storagePassFile</literal>
+          instead to provide the database password. Extra config options
+          can be given via the option
+          <literal>services.slurm.dbdserver.extraConfig</literal>. The
+          actual configuration file is created on the fly on startup of
+          the service. This avoids that the password gets exposed in the
+          nix store.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>wafHook</literal> hook does not wrap Python
+          anymore. Packages depending on <literal>wafHook</literal> need
+          to include any Python into their
+          <literal>nativeBuildInputs</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Starting with version 1.7.0, the project formerly named
+          <literal>CodiMD</literal> is now named
+          <literal>HedgeDoc</literal>. New installations will no longer
+          use the old name for users, state directories and such, this
+          needs to be considered when moving state to a more recent
+          NixOS installation. Based on
+          <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>,
+          existing installations will continue to work.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The fish-foreign-env package has been replaced with
+          fishPlugins.foreign-env, in which the fish functions have been
+          relocated to the <literal>vendor_functions.d</literal>
+          directory to be loaded automatically.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The prometheus json exporter is now managed by the prometheus
+          community. Together with additional features some backwards
+          incompatibilities were introduced. Most importantly the
+          exporter no longer accepts a fixed command-line parameter to
+          specify the URL of the endpoint serving JSON. It now expects
+          this URL to be passed as an URL parameter, when scraping the
+          exporter's <literal>/probe</literal> endpoint. In the
+          prometheus scrape configuration the scrape target might look
+          like this:
+        </para>
+        <programlisting>
+http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint
+</programlisting>
+        <para>
+          Existing configuration for the exporter needs to be updated,
+          but can partially be re-used. Documentation is available in
+          the upstream repository and a small example for NixOS is
+          available in the corresponding NixOS test.
+        </para>
+        <para>
+          These changes also affect
+          <link xlink:href="options.html#opt-services.prometheus.exporters.rspamd.enable">services.prometheus.exporters.rspamd.enable</link>,
+          which is just a preconfigured instance of the json exporter.
+        </para>
+        <para>
+          For more information, take a look at the
+          <link xlink:href="https://github.com/prometheus-community/json_exporter">
+          official documentation</link> of the json_exporter.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Androidenv was updated, removing the
+          <literal>includeDocs</literal> and
+          <literal>lldbVersions</literal> arguments. Docs only covered a
+          single version of the Android SDK, LLDB is now bundled with
+          the NDK, and both are no longer available to download from the
+          Android package repositories. Additionally, since the package
+          lists have been updated, some older versions of Android
+          packages may not be bundled. If you depend on older versions
+          of Android packages, we recommend overriding the repo.
+        </para>
+        <para>
+          Android packages are now loaded from a repo.json file created
+          by parsing Android repo XML files. The arguments
+          <literal>repoJson</literal> and <literal>repoXmls</literal>
+          have been added to allow overriding the built-in androidenv
+          repo.json with your own. Additionally, license files are now
+          written to allow compatibility with Gradle-based tools, and
+          the <literal>extraLicenses</literal> argument has been added
+          to accept more SDK licenses if your project requires it. See
+          the androidenv documentation for more details.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The attribute <literal>mpi</literal> is now consistently used
+          to provide a default, system-wide MPI implementation. The
+          default implementation is openmpi, which has been used before
+          by all derivations affects by this change. Note that all
+          packages that have used <literal>mpi ? null</literal> in the
+          input for optional MPI builds, have been changed to the
+          boolean input paramater <literal>useMpi</literal> to enable
+          building with MPI. Building all packages with
+          <literal>mpich</literal> instead of the default
+          <literal>openmpi</literal> can now be achived like this:
+        </para>
+        <programlisting language="bash">
+self: super:
+{
+  mpi = super.mpich;
+}
+</programlisting>
+      </listitem>
+      <listitem>
+        <para>
+          The Searx module has been updated with the ability to
+          configure the service declaratively and uWSGI integration. The
+          option <literal>services.searx.configFile</literal> has been
+          renamed to
+          <link xlink:href="options.html#opt-services.searx.settingsFile">services.searx.settingsFile</link>
+          for consistency with the new
+          <link xlink:href="options.html#opt-services.searx.settings">services.searx.settings</link>.
+          In addition, the <literal>searx</literal> uid and gid
+          reservations have been removed since they were not necessary:
+          the service is now running with a dynamically allocated uid.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The libinput module has been updated with the ability to
+          configure mouse and touchpad settings separately. The options
+          in <literal>services.xserver.libinput</literal> have been
+          renamed to
+          <literal>services.xserver.libinput.touchpad</literal>, while
+          there is a new
+          <literal>services.xserver.libinput.mouse</literal> for mouse
+          related configuration.
+        </para>
+        <para>
+          Since touchpad options no longer apply to all devices, you may
+          want to replicate your touchpad configuration in mouse
+          section.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          ALSA OSS emulation
+          (<literal>sound.enableOSSEmulation</literal>) is now disabled
+          by default.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Thinkfan as been updated to <literal>1.2.x</literal>, which
+          comes with a new YAML based configuration format. For this
+          reason, several NixOS options of the thinkfan module have been
+          changed to non-backward compatible types. In addition, a new
+          <link xlink:href="options.html#opt-services.thinkfan.settings">services.thinkfan.settings</link>
+          option has been added.
+        </para>
+        <para>
+          Please read the
+          <link xlink:href="https://github.com/vmatare/thinkfan#readme">
+          thinkfan documentation</link> before updating.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Adobe Flash Player support has been dropped from the tree. In
+          particular, the following packages no longer support it:
+        </para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              chromium
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              firefox
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              qt48
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              qt5.qtwebkit
+            </para>
+          </listitem>
+        </itemizedlist>
+        <para>
+          Additionally, packages flashplayer and hal-flash were removed
+          along with the <literal>services.flashpolicyd</literal>
+          module.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>security.rngd</literal> module has been removed.
+          It was disabled by default in 20.09 as it was functionally
+          redundant with krngd in the linux kernel. It is not necessary
+          for any device that the kernel recognises as an hardware RNG,
+          as it will automatically run the krngd task to periodically
+          collect random data from the device and mix it into the
+          kernel's RNG.
+        </para>
+        <para>
+          The default SMTP port for GitLab has been changed to
+          <literal>25</literal> from its previous default of
+          <literal>465</literal>. If you depended on this default, you
+          should now set the
+          <link xlink:href="options.html#opt-services.gitlab.smtp.port">services.gitlab.smtp.port</link>
+          option.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The default version of ImageMagick has been updated from 6 to
+          7. You can use imagemagick6, imagemagick6_light, and
+          imagemagick6Big if you need the older version.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="options.html#opt-services.xserver.videoDrivers">services.xserver.videoDrivers</link>
+          no longer uses the deprecated <literal>cirrus</literal> and
+          <literal>vesa</literal> device dependent X drivers by default.
+          It also enables both <literal>amdgpu</literal> and
+          <literal>nouveau</literal> drivers by default now.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>kindlegen</literal> package is gone, because it
+          is no longer supported or hosted by Amazon. Sadly, its
+          replacement, Kindle Previewer, has no Linux support. However,
+          there are other ways to generate MOBI files. See
+          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/96439">the
+          discussion</link> for more info.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The apacheKafka packages are now built with version-matched
+          JREs. Versions 2.6 and above, the ones that recommend it, use
+          jdk11, while versions below remain on jdk8. The NixOS service
+          has been adjusted to start the service using the same version
+          as the package, adjustable with the new
+          <link xlink:href="options.html#opt-services.apache-kafka.jre">services.apache-kafka.jre</link>
+          option. Furthermore, the default list of
+          <link xlink:href="options.html#opt-services.apache-kafka.jvmOptions">services.apache-kafka.jvmOptions</link>
+          have been removed. You should set your own according to the
+          <link xlink:href="https://kafka.apache.org/documentation/#java">upstream
+          documentation</link> for your Kafka version.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The kodi package has been modified to allow concise addon
+          management. Consider the following configuration from previous
+          releases of NixOS to install kodi, including the
+          kodiPackages.inputstream-adaptive and kodiPackages.vfs-sftp
+          addons:
+        </para>
+        <programlisting language="bash">
+{
+  environment.systemPackages = [
+    pkgs.kodi
+  ];
+
+  nixpkgs.config.kodi = {
+    enableInputStreamAdaptive = true;
+    enableVFSSFTP = true;
+  };
+}
+</programlisting>
+        <para>
+          All Kodi <literal>config</literal> flags have been removed,
+          and as a result the above configuration should now be written
+          as:
+        </para>
+        <programlisting language="bash">
+{
+  environment.systemPackages = [
+    (pkgs.kodi.withPackages (p: with p; [
+      inputstream-adaptive
+      vfs-sftp
+    ]))
+  ];
+}
+</programlisting>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>environment.defaultPackages</literal> now includes
+          the nano package. If pkgs.nano is not added to the list, make
+          sure another editor is installed and the
+          <literal>EDITOR</literal> environment variable is set to it.
+          Environment variables can be set using
+          <literal>environment.variables</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>services.minio.dataDir</literal> changed type to a
+          list of paths, required for specifiyng multiple data
+          directories for using with erasure coding. Currently, the
+          service doesn't enforce nor checks the correct number of paths
+          to correspond to minio requirements.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          All CUDA toolkit versions prior to CUDA 10 have been removed.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The kbdKeymaps package was removed since dvp and neo are now
+          included in kbd. If you want to use the Programmer Dvorak
+          Keyboard Layout, you have to use
+          <literal>dvorak-programmer</literal> in
+          <literal>console.keyMap</literal> now instead of
+          <literal>dvp</literal>. In
+          <literal>services.xserver.xkbVariant</literal> it's still
+          <literal>dvp</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The babeld service is now being run as an unprivileged user.
+          To achieve that the module configures
+          <literal>skip-kernel-setup true</literal> and takes care of
+          setting forwarding and rp_filter sysctls by itself as well as
+          for each interface in
+          <literal>services.babeld.interfaces</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>services.zigbee2mqtt.config</literal> option has
+          been renamed to
+          <literal>services.zigbee2mqtt.settings</literal> and now
+          follows
+          <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
+          0042</link>.
+        </para>
+      </listitem>
+    </itemizedlist>
+    <para>
+      The yadm dotfile manager has been updated from 2.x to 3.x, which
+      has new (XDG) default locations for some data/state files. Most
+      yadm commands will fail and print a legacy path warning (which
+      describes how to upgrade/migrate your repository). If you have
+      scripts, daemons, scheduled jobs, shell profiles, etc. that invoke
+      yadm, expect them to fail or misbehave until you perform this
+      migration and prepare accordingly.
+    </para>
+    <itemizedlist>
+      <listitem>
+        <para>
+          Instead of determining
+          <literal>services.radicale.package</literal> automatically
+          based on <literal>system.stateVersion</literal>, the latest
+          version is always used because old versions are not officially
+          supported.
+        </para>
+        <para>
+          Furthermore, Radicale's systemd unit was hardened which might
+          break some deployments. In particular, a non-default
+          <literal>filesystem_folder</literal> has to be added to
+          <literal>systemd.services.radicale.serviceConfig.ReadWritePaths</literal>
+          if the deprecated <literal>services.radicale.config</literal>
+          is used.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          In the <literal>security.acme</literal> module, use of
+          <literal>--reuse-key</literal> parameter for Lego has been
+          removed. It was introduced for HKPK, but this security feature
+          is now deprecated. It is a better security practice to rotate
+          key pairs instead of always keeping the same. If you need to
+          keep this parameter, you can add it back using
+          <literal>extraLegoRenewFlags</literal> as an option for the
+          appropriate certificate.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+  <section xml:id="sec-release-21.05-notable-changes">
+    <title>Other Notable Changes</title>
+    <itemizedlist>
+      <listitem>
+        <para>
+          <literal>stdenv.lib</literal> has been deprecated and will
+          break eval in 21.11. Please use <literal>pkgs.lib</literal>
+          instead. See
+          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/108938">#108938</link>
+          for details.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://www.gnuradio.org/">GNURadio</link>
+          has a <literal>pkgs</literal> attribute set, and there's a
+          <literal>gnuradio.callPackage</literal> function that extends
+          <literal>pkgs</literal> with a
+          <literal>mkDerivation</literal>, and a
+          <literal>mkDerivationWith</literal>, like Qt5. Now all
+          <literal>gnuradio.pkgs</literal> are defined with
+          <literal>gnuradio.callPackage</literal> and some packages that
+          depend on gnuradio are defined with this as well.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://www.privoxy.org/">Privoxy</link> has
+          been updated to version 3.0.32 (See
+          <link xlink:href="https://lists.privoxy.org/pipermail/privoxy-announce/2021-February/000007.html">announcement</link>).
+          Compared to the previous release, Privoxy has gained support
+          for HTTPS inspection (still experimental), Brotli
+          decompression, several new filters and lots of bug fixes,
+          including security ones. In addition, the package is now built
+          with compression and external filters support, which were
+          previously disabled.
+        </para>
+        <para>
+          Regarding the NixOS module, new options for HTTPS inspection
+          have been added and
+          <literal>services.privoxy.extraConfig</literal> has been
+          replaced by the new
+          <link xlink:href="options.html#opt-services.privoxy.settings">services.privoxy.settings</link>
+          (See
+          <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
+          0042</link> for the motivation).
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://kodi.tv/">Kodi</link> has been
+          updated to version 19.1 &quot;Matrix&quot;. See the
+          <link xlink:href="https://kodi.tv/article/kodi-19-0-matrix-release">announcement</link>
+          for further details.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>services.packagekit.backend</literal> option has
+          been removed as it only supported a single setting which would
+          always be the default. Instead new
+          <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
+          0042</link> compliant
+          <link xlink:href="options.html#opt-services.packagekit.settings">services.packagekit.settings</link>
+          and
+          <link xlink:href="options.html#opt-services.packagekit.vendorSettings">services.packagekit.vendorSettings</link>
+          options have been introduced.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://nginx.org">Nginx</link> has been
+          updated to stable version 1.20.0. Now nginx uses the zlib-ng
+          library by default.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          KDE Gear (formerly KDE Applications) is upgraded to 21.04, see
+          its
+          <link xlink:href="https://kde.org/announcements/gear/21.04/">release
+          notes</link> for details.
+        </para>
+        <para>
+          The <literal>kdeApplications</literal> package set is now
+          <literal>kdeGear</literal>, in keeping with the new name. The
+          old name remains for compatibility, but it is deprecated.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://libreswan.org/">Libreswan</link> has
+          been updated to version 4.4. The package now includes example
+          configurations and manual pages by default. The NixOS module
+          has been changed to use the upstream systemd units and write
+          the configuration in the <literal>/etc/ipsec.d/ </literal>
+          directory. In addition, two new options have been added to
+          specify connection policies
+          (<link xlink:href="options.html#opt-services.libreswan.policies">services.libreswan.policies</link>)
+          and disable send/receive redirects
+          (<link xlink:href="options.html#opt-services.libreswan.disableRedirects">services.libreswan.disableRedirects</link>).
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The Mailman NixOS module (<literal>services.mailman</literal>)
+          has a new option
+          <link xlink:href="options.html#opt-services.mailman.enablePostfix">services.mailman.enablePostfix</link>,
+          defaulting to true, that controls integration with Postfix.
+        </para>
+        <para>
+          If this option is disabled, default MTA config becomes not set
+          and you should set the options in
+          <literal>services.mailman.settings.mta</literal> according to
+          the desired configuration as described in
+          <link xlink:href="https://mailman.readthedocs.io/en/latest/src/mailman/docs/mta.html">Mailman
+          documentation</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The default-version of <literal>nextcloud</literal> is
+          nextcloud21. Please note that it's <emphasis>not</emphasis>
+          possible to upgrade <literal>nextcloud</literal> across
+          multiple major versions! This means that it's e.g. not
+          possible to upgrade from nextcloud18 to nextcloud20 in a
+          single deploy and most <literal>20.09</literal> users will
+          have to upgrade to nextcloud20 first.
+        </para>
+        <para>
+          The package can be manually upgraded by setting
+          <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link>
+          to nextcloud21.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The setting
+          <link xlink:href="options.html#opt-services.redis.bind">services.redis.bind</link>
+          defaults to <literal>127.0.0.1</literal> now, making Redis
+          listen on the loopback interface only, and not all public
+          network interfaces.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          NixOS now emits a deprecation warning if systemd's
+          <literal>StartLimitInterval</literal> setting is used in a
+          <literal>serviceConfig</literal> section instead of in a
+          <literal>unitConfig</literal>; that setting is deprecated and
+          now undocumented for the service section by systemd upstream,
+          but still effective and somewhat buggy there, which can be
+          confusing. See
+          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/45785">#45785</link>
+          for details.
+        </para>
+        <para>
+          All services should use
+          <link xlink:href="options.html#opt-systemd.services._name_.startLimitIntervalSec">systemd.services.<emphasis>name</emphasis>.startLimitIntervalSec</link>
+          or <literal>StartLimitIntervalSec</literal> in
+          <link xlink:href="options.html#opt-systemd.services._name_.unitConfig">systemd.services.<emphasis>name</emphasis>.unitConfig</link>
+          instead.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>mediatomb</literal> service declares new options.
+          It also adapts existing options so the configuration
+          generation is now lazy. The existing option
+          <literal>customCfg</literal> (defaults to false), when
+          enabled, stops the service configuration generation
+          completely. It then expects the users to provide their own
+          correct configuration at the right location (whereas the
+          configuration was generated and not used at all before). The
+          new option <literal>transcodingOption</literal> (defaults to
+          no) allows a generated configuration. It makes the mediatomb
+          service pulls the necessary runtime dependencies in the nix
+          store (whereas it was generated with hardcoded values before).
+          The new option <literal>mediaDirectories</literal> allows the
+          users to declare autoscan media directories from their nixos
+          configuration:
+        </para>
+        <programlisting language="bash">
+{
+  services.mediatomb.mediaDirectories = [
+    { path = &quot;/var/lib/mediatomb/pictures&quot;; recursive = false; hidden-files = false; }
+    { path = &quot;/var/lib/mediatomb/audio&quot;; recursive = true; hidden-files = false; }
+  ];
+}
+</programlisting>
+      </listitem>
+      <listitem>
+        <para>
+          The Unbound DNS resolver service
+          (<literal>services.unbound</literal>) has been refactored to
+          allow reloading, control sockets and to fix startup ordering
+          issues.
+        </para>
+        <para>
+          It is now possible to enable a local UNIX control socket for
+          unbound by setting the
+          <link xlink:href="options.html#opt-services.unbound.localControlSocketPath">services.unbound.localControlSocketPath</link>
+          option.
+        </para>
+        <para>
+          Previously we just applied a very minimal set of restrictions
+          and trusted unbound to properly drop root privs and
+          capabilities.
+        </para>
+        <para>
+          As of this we are (for the most part) just using the upstream
+          example unit file for unbound. The main difference is that we
+          start unbound as <literal>unbound</literal> user with the
+          required capabilities instead of letting unbound do the chroot
+          &amp; uid/gid changes.
+        </para>
+        <para>
+          The upstream unit configuration this is based on is a lot
+          stricter with all kinds of permissions then our previous
+          variant. It also came with the default of having the
+          <literal>Type</literal> set to <literal>notify</literal>,
+          therefore we are now also using the
+          <literal>unbound-with-systemd</literal> package here. Unbound
+          will start up, read the configuration files and start
+          listening on the configured ports before systemd will declare
+          the unit <literal>active (running)</literal>. This will likely
+          help with startup order and the occasional race condition
+          during system activation where the DNS service is started but
+          not yet ready to answer queries. Services depending on
+          <literal>nss-lookup.target</literal> or
+          <literal>unbound.service</literal> are now be able to use
+          unbound when those targets have been reached.
+        </para>
+        <para>
+          Additionally to the much stricter runtime environment the
+          <literal>/dev/urandom</literal> mount lines we previously had
+          in the code (that randomly failed during the stop-phase) have
+          been removed as systemd will take care of those for us.
+        </para>
+        <para>
+          The <literal>preStart</literal> script is now only required if
+          we enabled the trust anchor updates (which are still enabled
+          by default).
+        </para>
+        <para>
+          Another benefit of the refactoring is that we can now issue
+          reloads via either <literal>pkill -HUP unbound</literal> and
+          <literal>systemctl reload unbound</literal> to reload the
+          running configuration without taking the daemon offline. A
+          prerequisite of this was that unbound configuration is
+          available on a well known path on the file system. We are
+          using the path <literal>/etc/unbound/unbound.conf</literal> as
+          that is the default in the CLI tooling which in turn enables
+          us to use <literal>unbound-control</literal> without passing a
+          custom configuration location.
+        </para>
+        <para>
+          The module has also been reworked to be
+          <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
+          0042</link> compliant. As such,
+          <literal>sevices.unbound.extraConfig</literal> has been
+          removed and replaced by
+          <link xlink:href="options.html#opt-services.unbound.settings">services.unbound.settings</link>.
+          <literal>services.unbound.interfaces</literal> has been
+          renamed to
+          <literal>services.unbound.settings.server.interface</literal>.
+        </para>
+        <para>
+          <literal>services.unbound.forwardAddresses</literal> and
+          <literal>services.unbound.allowedAccess</literal> have also
+          been changed to use the new settings interface. You can follow
+          the instructions when executing
+          <literal>nixos-rebuild</literal> to upgrade your configuration
+          to use the new interface.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>services.dnscrypt-proxy2</literal> module now
+          takes the upstream's example configuration and updates it with
+          the user's settings. An option has been added to restore the
+          old behaviour if you prefer to declare the configuration from
+          scratch.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          NixOS now defaults to the unified cgroup hierarchy
+          (cgroupsv2). See the
+          <link xlink:href="https://www.redhat.com/sysadmin/fedora-31-control-group-v2">Fedora
+          Article for 31</link> for details on why this is desirable,
+          and how it impacts containers.
+        </para>
+        <para>
+          If you want to run containers with a runtime that does not yet
+          support cgroupsv2, you can switch back to the old behaviour by
+          setting
+          <link xlink:href="options.html#opt-systemd.enableUnifiedCgroupHierarchy">systemd.enableUnifiedCgroupHierarchy</link>
+          = <literal>false</literal>; and rebooting.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          PulseAudio was upgraded to 14.0, with changes to the handling
+          of default sinks. See its
+          <link xlink:href="https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/14.0/">release
+          notes</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          GNOME users may wish to delete their
+          <literal>~/.config/pulse</literal> due to the changes to
+          stream routing logic. See
+          <link xlink:href="https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/issues/832">PulseAudio
+          bug 832</link> for more information.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The zookeeper package does not provide
+          <literal>zooInspector.sh</literal> anymore, as that
+          &quot;contrib&quot; has been dropped from upstream releases.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          In the ACME module, the data used to build the hash for the
+          account directory has changed to accomodate new features to
+          reduce account rate limit issues. This will trigger new
+          account creation on the first rebuild following this update.
+          No issues are expected to arise from this, thanks to the new
+          account creation handling.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="options.html#opt-users.users._name_.createHome">users.users.<emphasis>name</emphasis>.createHome</link>
+          now always ensures home directory permissions to be
+          <literal>0700</literal>. Permissions had previously been
+          ignored for already existing home directories, possibly
+          leaving them readable by others. The option's description was
+          incorrect regarding ownership management and has been
+          simplified greatly.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          When defining a new user, one of
+          <link xlink:href="options.html#opt-users.users._name_.isNormalUser">users.users.<emphasis>name</emphasis>.isNormalUser</link>
+          and
+          <link xlink:href="options.html#opt-users.users._name_.isSystemUser">users.users.<emphasis>name</emphasis>.isSystemUser</link>
+          is now required. This is to prevent accidentally giving a UID
+          above 1000 to system users, which could have unexpected
+          consequences, like running user activation scripts for system
+          users. Note that users defined with an explicit UID below 500
+          are exempted from this check, as
+          <link xlink:href="options.html#opt-users.users._name_.isSystemUser">users.users.<emphasis>name</emphasis>.isSystemUser</link>
+          has no effect for those.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>security.apparmor</literal> module, for the
+          <link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link>
+          Mandatory Access Control system, has been substantialy
+          improved along with related tools, so that module maintainers
+          can now more easily write AppArmor profiles for NixOS. The
+          most notable change on the user-side is the new option
+          <link xlink:href="options.html#opt-security.apparmor.policies">security.apparmor.policies</link>,
+          replacing the previous <literal>profiles</literal> option to
+          provide a way to disable a profile and to select whether to
+          confine in enforce mode (default) or in complain mode (see
+          <literal>journalctl -b --grep apparmor</literal>).
+          Security-minded users may also want to enable
+          <link xlink:href="options.html#opt-security.apparmor.killUnconfinedConfinables">security.apparmor.killUnconfinedConfinables</link>,
+          at the cost of having some of their processes killed when
+          updating to a NixOS version introducing new AppArmor profiles.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The GNOME desktop manager once again installs gnome.epiphany
+          by default.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          NixOS now generates empty <literal>/etc/netgroup</literal>.
+          <literal>/etc/netgroup</literal> defines network-wide groups
+          and may affect to setups using NIS.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Platforms, like <literal>stdenv.hostPlatform</literal>, no
+          longer have a <literal>platform</literal> attribute. It has
+          been (mostly) flattened away:
+        </para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              <literal>platform.gcc</literal> is now
+              <literal>gcc</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>platform.kernel*</literal> is now
+              <literal>linux-kernel.*</literal>
+            </para>
+          </listitem>
+        </itemizedlist>
+        <para>
+          Additionally, <literal>platform.kernelArch</literal> moved to
+          the top level as <literal>linuxArch</literal> to match the
+          other <literal>*Arch</literal> variables.
+        </para>
+        <para>
+          The <literal>platform</literal> grouping of these things never
+          meant anything, and was just a historial/implementation
+          artifact that was overdue removal.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>services.restic</literal> now uses a dedicated cache
+          directory for every backup defined in
+          <literal>services.restic.backups</literal>. The old global
+          cache directory, <literal>/root/.cache/restic</literal>, is
+          now unused and can be removed to free up disk space.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>isync</literal>: The <literal>isync</literal>
+          compatibility wrapper was removed and the Master/Slave
+          terminology has been deprecated and should be replaced with
+          Far/Near in the configuration file.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The nix-gc service now accepts randomizedDelaySec (default: 0)
+          and persistent (default: true) parameters. By default nix-gc
+          will now run immediately if it would have been triggered at
+          least once during the time when the timer was inactive.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>rustPlatform.buildRustPackage</literal> function
+          is split into several hooks: cargoSetupHook to set up
+          vendoring for Cargo-based projects, cargoBuildHook to build a
+          project using Cargo, cargoInstallHook to install a project
+          using Cargo, and cargoCheckHook to run tests in Cargo-based
+          projects. With this change, mixed-language projects can use
+          the relevant hooks within builders other than
+          <literal>buildRustPackage</literal>. However, these changes
+          also required several API changes to
+          <literal>buildRustPackage</literal> itself:
+        </para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              The <literal>target</literal> argument was removed.
+              Instead, <literal>buildRustPackage</literal> will always
+              use the same target as the C/C++ compiler that is used.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              The <literal>cargoParallelTestThreads</literal> argument
+              was removed. Parallel tests are now disabled through
+              <literal>dontUseCargoParallelTests</literal>.
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>rustPlatform.maturinBuildHook</literal> hook was
+          added. This hook can be used with
+          <literal>buildPythonPackage</literal> to build Python packages
+          that are written in Rust and use Maturin as their build tool.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Kubernetes has
+          <link xlink:href="https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/">deprecated
+          docker</link> as container runtime. As a consequence, the
+          Kubernetes module now has support for configuration of custom
+          remote container runtimes and enables containerd by default.
+          Note that containerd is more strict regarding container image
+          OCI-compliance. As an example, images with CMD or ENTRYPOINT
+          defined as strings (not lists) will fail on containerd, while
+          working fine on docker. Please test your setup and container
+          images with containerd prior to upgrading.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The GitLab module now has support for automatic backups. A
+          schedule can be set with the
+          <link xlink:href="options.html#opt-services.gitlab.backup.startAt">services.gitlab.backup.startAt</link>
+          option.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Prior to this release, systemd would also read system units
+          from an undocumented
+          <literal>/etc/systemd-mutable/system</literal> path. This path
+          has been dropped from the defaults. That path (or others) can
+          be re-enabled by adding it to the
+          <link xlink:href="options.html#opt-boot.extraSystemdUnitPaths">boot.extraSystemdUnitPaths</link>
+          list.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          PostgreSQL 9.5 is scheduled EOL during the 21.05 life cycle
+          and has been removed.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://www.xfce.org/">Xfce4</link> relies
+          on GIO/GVfs for userspace virtual filesystem access in
+          applications like
+          <link xlink:href="https://docs.xfce.org/xfce/thunar/">thunar</link>
+          and
+          <link xlink:href="https://docs.xfce.org/apps/gigolo/">gigolo</link>.
+          For that to work, the gvfs nixos service is enabled by
+          default, and it can be configured with the specific package
+          that provides GVfs. Until now Xfce4 was setting it to use a
+          lighter version of GVfs (without support for samba). To avoid
+          conflicts with other desktop environments this setting has
+          been dropped. Users that still want it should add the
+          following to their system configuration:
+        </para>
+        <programlisting language="bash">
+{
+  services.gvfs.package = pkgs.gvfs.override { samba = null; };
+}
+</programlisting>
+      </listitem>
+      <listitem>
+        <para>
+          The newly enabled <literal>systemd-pstore.service</literal>
+          now automatically evacuates crashdumps and panic logs from the
+          persistent storage to
+          <literal>/var/lib/systemd/pstore</literal>. This prevents
+          NVRAM from filling up, which ensures the latest diagnostic
+          data is always stored and alleviates problems with writing new
+          boot configurations.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Nixpkgs now contains
+          <link xlink:href="https://github.com/NixOS/nixpkgs/pull/118232">automatically
+          packaged GNOME Shell extensions</link> from the
+          <link xlink:href="https://extensions.gnome.org/">GNOME
+          Extensions</link> portal. You can find them, filed by their
+          UUID, under <literal>gnome38Extensions</literal> attribute for
+          GNOME 3.38 and under <literal>gnome40Extensions</literal> for
+          GNOME 40. Finally, the <literal>gnomeExtensions</literal>
+          attribute contains extensions for the latest GNOME Shell
+          version in Nixpkgs, listed under a more human-friendly name.
+          The unqualified attribute scope also contains manually
+          packaged extensions. Note that the automatically packaged
+          extensions are provided for convenience and are not checked or
+          guaranteed to work.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Erlang/OTP versions older than R21 got dropped. We also
+          dropped the cuter package, as it was purely an example of how
+          to build a package. We also dropped <literal>lfe_1_2</literal>
+          as it could not build with R21+. Moving forward, we expect to
+          only support 3 yearly releases of OTP.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+</section>