Diffstat (limited to 'nixos/doc/manual/from_md/release-notes/rl-2111.section.xml')
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2111.section.xml | 2091 |
1 files changed, 2091 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml new file mode 100644 index 00000000000..b61a0268dee --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml 
@@ -0,0 +1,2091 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-21.11"> + <title>Release 21.11 (“Porcupine”, 2021/11/30)</title> + <itemizedlist spacing="compact"> + <listitem> + <para> + Support is planned until the end of June 2022, handing over to + 22.05. + </para> + </listitem> + </itemizedlist> + <section xml:id="sec-release-21.11-highlights"> + <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + Nix has been updated to version 2.4, reference its + <link xlink:href="https://discourse.nixos.org/t/nix-2-4-released/15822">release + notes</link> for more information on what has changed. The + previous version of Nix, 2.3.16, remains available for the + time being in the <literal>nix_2_3</literal> package. + </para> + </listitem> + <listitem> + <para> + <literal>iptables</literal> is now using + <literal>nf_tables</literal> under the hood, by using + <literal>iptables-nft</literal>, similar to + <link xlink:href="https://wiki.debian.org/nftables#Current_status">Debian</link> + and + <link xlink:href="https://fedoraproject.org/wiki/Changes/iptables-nft-default">Fedora</link>. + This means, <literal>ip[6]tables</literal>, + <literal>arptables</literal> and <literal>ebtables</literal> + commands will actually show rules from some specific tables in + the <literal>nf_tables</literal> kernel subsystem. In case + you’re migrating from an older release without rebooting, + there might be cases where you end up with iptable rules + configured both in the legacy <literal>iptables</literal> + kernel backend, as well as in the <literal>nf_tables</literal> + backend. This can lead to confusing firewall behaviour. An + <literal>iptables-save</literal> after switching will complain + about <quote>iptables-legacy tables present</quote>. 
It’s + probably best to reboot after the upgrade, or manually + removing all legacy iptables rules (via the + <literal>iptables-legacy</literal> package). + </para> + </listitem> + <listitem> + <para> + systemd got an <literal>nftables</literal> backend, and + configures (networkd) rules in their own + <literal>io.systemd.*</literal> tables. Check + <literal>nft list ruleset</literal> to see these rules, not + <literal>iptables-save</literal> (which only shows + <literal>iptables</literal>-created rules. + </para> + </listitem> + <listitem> + <para> + PHP now defaults to PHP 8.0, updated from 7.4. + </para> + </listitem> + <listitem> + <para> + kops now defaults to 1.21.1, which uses containerd as the + default runtime. + </para> + </listitem> + <listitem> + <para> + <literal>python3</literal> now defaults to Python 3.9, updated + from Python 3.8. + </para> + </listitem> + <listitem> + <para> + PostgreSQL now defaults to major version 13. + </para> + </listitem> + <listitem> + <para> + spark now defaults to spark 3, updated from 2. A + <link xlink:href="https://spark.apache.org/docs/latest/core-migration-guide.html#upgrading-from-core-24-to-30">migration + guide</link> is available. + </para> + </listitem> + <listitem> + <para> + Improvements have been made to the Hadoop module and package: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + HDFS and YARN now support production-ready highly + available deployments with automatic failover. + </para> + </listitem> + <listitem> + <para> + Hadoop now defaults to Hadoop 3, updated from 2. + </para> + </listitem> + <listitem> + <para> + JournalNode, ZKFS and HTTPFS services have been added. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Activation scripts can now, optionally, be run during a + <literal>nixos-rebuild dry-activate</literal> and can detect + the dry activation by reading + <literal>$NIXOS_ACTION</literal>. 
This allows activation + scripts to output what they would change if the activation was + really run. The users/modules activation script supports this + and outputs some of is actions. + </para> + </listitem> + <listitem> + <para> + KDE Plasma now finally works on Wayland. + </para> + </listitem> + <listitem> + <para> + bash now defaults to major version 5. + </para> + </listitem> + <listitem> + <para> + Systemd was updated to version 249 (from 247). + </para> + </listitem> + <listitem> + <para> + Pantheon desktop has been updated to version 6. Due to changes + of screen locker, if locking doesn’t work for you, please try + <literal>gsettings set org.gnome.desktop.lockdown disable-lock-screen false</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>kubernetes-helm</literal> now defaults to 3.7.0, + which introduced some breaking changes to the experimental OCI + manifest format. See + <link xlink:href="https://github.com/helm/community/blob/main/hips/hip-0006.md">HIP + 6</link> for more details. <literal>helmfile</literal> also + defaults to 0.141.0, which is the minimum compatible version. + </para> + </listitem> + <listitem> + <para> + GNOME has been upgraded to 41. Please take a look at their + <link xlink:href="https://help.gnome.org/misc/release-notes/41.0/">Release + Notes</link> for details. 
+ </para> + </listitem> + <listitem> + <para> + LXD support was greatly improved: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + building LXD images from configurations is now directly + possible with just nixpkgs + </para> + </listitem> + <listitem> + <para> + hydra is now building nixOS LXD images that can be used + standalone with full nixos-rebuild support + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + OpenSSH was updated to version 8.8p1 + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + This breaks connections to old SSH daemons as ssh-rsa host + keys and ssh-rsa public keys that were signed with SHA-1 + are disabled by default now + </para> + </listitem> + <listitem> + <para> + These can be re-enabled, see the + <link xlink:href="https://www.openssh.com/txt/release-8.8">OpenSSH + changelog</link> for details + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + ORY Kratos was updated to version 0.8.0-alpha.3 + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + This release requires you to run SQL migrations. Please, + as always, create a backup of your database first! + </para> + </listitem> + <listitem> + <para> + The SDKs are now generated with tag v0alpha2 to reflect + that some signatures have changed in a breaking fashion. + Please update your imports from v0alpha1 to v0alpha2. + </para> + </listitem> + <listitem> + <para> + The SMTPS scheme used in courier config URL with + cleartext/StartTLS/TLS SMTP connection types is now only + supporting implicit TLS. For StartTLS and cleartext SMTP, + please use the SMTP scheme instead. + </para> + </listitem> + <listitem> + <para> + for more details, see + <link xlink:href="https://github.com/ory/kratos/releases/tag/v0.8.0-alpha.1">Release + Notes</link>. 
+ </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-21.11-new-services"> + <title>New Services</title> + <itemizedlist> + <listitem> + <para> + <link xlink:href="https://digint.ch/btrbk/index.html">btrbk</link>, + a backup tool for btrfs subvolumes, taking advantage of btrfs + specific capabilities to create atomic snapshots and transfer + them incrementally to your backup locations. Available as + <link xlink:href="options.html#opt-services.brtbk.instances">services.btrbk</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/xrelkd/clipcat/">clipcat</link>, + an X11 clipboard manager written in Rust. Available at + <link xlink:href="options.html#opt-services.clipcat.enable">services.clipcat</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/dexidp/dex">dex</link>, + an OpenID Connect (OIDC) identity and OAuth 2.0 provider. + Available at + <link xlink:href="options.html#opt-services.dex.enable">services.dex</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/maxmind/geoipupdate">geoipupdate</link>, + a GeoIP database updater from MaxMind. Available as + <link xlink:href="options.html#opt-services.geoipupdate.enable">services.geoipupdate</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/jitsi/jibri">Jibri</link>, + a service for recording or streaming a Jitsi Meet conference. + Available as + <link xlink:href="options.html#opt-services.jibri.enable">services.jibri</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.isc.org/kea/">Kea</link>, ISCs + 2nd generation DHCP and DDNS server suite. Available at + <link xlink:href="options.html#opt-services.kea.dhcp4">services.kea</link>. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://owncast.online/">owncast</link>, + self-hosted video live streaming solution. Available at + <link xlink:href="options.html#opt-services.owncast.enable">services.owncast</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://joinpeertube.org/">PeerTube</link>, + developed by Framasoft, is the free and decentralized + alternative to video platforms. Available at + <link xlink:href="options.html#opt-services.peertube.enable">services.peertube</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://sr.ht">sourcehut</link>, a + collection of tools useful for software development. Available + as + <link xlink:href="options.html#opt-services.sourcehut.enable">services.sourcehut</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://download.pureftpd.org/pub/ucarp/README">ucarp</link>, + an userspace implementation of the Common Address Redundancy + Protocol (CARP). Available as + <link xlink:href="options.html#opt-networking.ucarp.enable">networking.ucarp</link>. + </para> + </listitem> + <listitem> + <para> + Users of flashrom should migrate to + <link xlink:href="options.html#opt-programs.flashrom.enable">programs.flashrom.enable</link> + and add themselves to the <literal>flashrom</literal> group to + be able to access programmers supported by flashrom. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://vikunja.io">vikunja</link>, a to-do + list app. Available as + <link linkend="opt-services.vikunja.enable">services.vikunja</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/evilsocket/opensnitch">opensnitch</link>, + an application firewall. Available as + <link linkend="opt-services.opensnitch.enable">services.opensnitch</link>. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.snapraid.it/">snapraid</link>, a + backup program for disk arrays. Available as + <link linkend="opt-snapraid.enable">snapraid</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/hockeypuck/hockeypuck">Hockeypuck</link>, + a OpenPGP Key Server. Available as + <link linkend="opt-services.hockeypuck.enable">services.hockeypuck</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/buildkite/buildkite-agent-metrics">buildkite-agent-metrics</link>, + a command-line tool for collecting Buildkite agent metrics, + now has a Prometheus exporter available as + <link linkend="opt-services.prometheus.exporters.buildkite-agent.enable">services.prometheus.exporters.buildkite-agent</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/prometheus/influxdb_exporter">influxdb-exporter</link> + a Prometheus exporter that exports metrics received on an + InfluxDB compatible endpoint is now available as + <link linkend="opt-services.prometheus.exporters.influxdb.enable">services.prometheus.exporters.influxdb</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/matrix-discord/mx-puppet-discord">mx-puppet-discord</link>, + a discord puppeting bridge for matrix. Available as + <link linkend="opt-services.mx-puppet-discord.enable">services.mx-puppet-discord</link>. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.meshcommander.com/meshcentral2/overview">MeshCentral</link>, + a remote administration service (<quote>TeamViewer but + self-hosted and with more features</quote>) is now available + with a package and a module: + <link linkend="opt-services.meshcentral.enable">services.meshcentral.enable</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/Arksine/moonraker">moonraker</link>, + an API web server for Klipper. Available as + <link linkend="opt-services.moonraker.enable">moonraker</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/influxdata/influxdb">influxdb2</link>, + a Scalable datastore for metrics, events, and real-time + analytics. Available as + <link linkend="opt-services.influxdb2.enable">services.influxdb2</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://posativ.org/isso/">isso</link>, a + commenting server similar to Disqus. Available as + <link linkend="opt-services.isso.enable">isso</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.navidrome.org/">navidrome</link>, + a personal music streaming server with subsonic-compatible + api. Available as + <link linkend="opt-services.navidrome.enable">navidrome</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://docs.fluidd.xyz/">fluidd</link>, a + Klipper web interface for managing 3d printers using + moonraker. Available as + <link linkend="opt-services.fluidd.enable">fluidd</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/earnestly/sx">sx</link>, + a simple alternative to both xinit and startx for starting a + Xorg server. 
Available as + <link linkend="opt-services.xserver.displayManager.sx.enable">services.xserver.displayManager.sx</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://postfixadmin.sourceforge.io/">postfixadmin</link>, + a web based virtual user administration interface for Postfix + mail servers. Available as + <link linkend="opt-services.postfixadmin.enable">postfixadmin</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://wiki.servarr.com/prowlarr">prowlarr</link>, + an indexer manager/proxy built on the popular arr .net/reactjs + base stack + <link linkend="opt-services.prowlarr.enable">services.prowlarr</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://sr.ht/~emersion/soju">soju</link>, a + user-friendly IRC bouncer. Available as + <link xlink:href="options.html#opt-services.soju.enable">services.soju</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://nats.io/">nats</link>, a high + performance cloud and edge messaging system. Available as + <link linkend="opt-services.nats.enable">services.nats</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://git-scm.com">git</link>, a + distributed version control system. Available as + <link xlink:href="options.html#opt-programs.git.enable">programs.git</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://domainaware.github.io/parsedmarc/">parsedmarc</link>, + a service which parses incoming + <link xlink:href="https://dmarc.org/">DMARC</link> reports and + stores or sends them to a downstream service for further + analysis. Documented in + <link linkend="module-services-parsedmarc">its manual + entry</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://spark.apache.org/">spark</link>, a + unified analytics engine for large-scale data processing. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/JoseExposito/touchegg">touchegg</link>, + a multi-touch gesture recognizer. Available as + <link linkend="opt-services.touchegg.enable">services.touchegg</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/pantheon-tweaks/pantheon-tweaks">pantheon-tweaks</link>, + an unofficial system settings panel for Pantheon. Available as + <link linkend="opt-programs.pantheon-tweaks.enable">programs.pantheon-tweaks</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/DanielOgorchock/joycond">joycond</link>, + a service that uses <literal>hid-nintendo</literal> to provide + nintendo joycond pairing and better nintendo switch pro + controller support. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/opensvc/multipath-tools">multipath</link>, + the device mapper multipath (DM-MP) daemon. Available as + <link linkend="opt-services.multipath.enable">services.multipath</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.seafile.com/en/home/">seafile</link>, + an open source file syncing & sharing software. Available + as + <link xlink:href="options.html#opt-services.seafile.enable">services.seafile</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/mchehab/rasdaemon">rasdaemon</link>, + a hardware error logging daemon. Available as + <link linkend="opt-hardware.rasdaemon.enable">hardware.rasdaemon</link>. + </para> + </listitem> + <listitem> + <para> + <literal>code-server</literal>-module now available + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/xmrig/xmrig">xmrig</link>, + a high performance, open source, cross platform RandomX, + KawPow, CryptoNight and AstroBWT unified CPU/GPU miner and + RandomX benchmark. 
+ </para> + </listitem> + <listitem> + <para> + Auto nice daemons + <link xlink:href="https://github.com/Nefelim4ag/Ananicy">ananicy</link> + and + <link xlink:href="https://gitlab.com/ananicy-cpp/ananicy-cpp/">ananicy-cpp</link>. + Available as + <link linkend="opt-services.ananicy.enable">services.ananicy</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/prometheus-community/smartctl_exporter">smartctl_exporter</link>, + a Prometheus exporter for + <link xlink:href="https://en.wikipedia.org/wiki/S.M.A.R.T.">S.M.A.R.T.</link> + data. Available as + <link xlink:href="options.html#opt-services.prometheus.exporters.smartctl.enable">services.prometheus.exporters.smartctl</link>. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-21.11-incompatibilities"> + <title>Backward Incompatibilities</title> + <itemizedlist> + <listitem> + <para> + The NixOS VM test framework, + <literal>pkgs.nixosTest</literal>/<literal>make-test-python.nix</literal>, + now requires detaching commands such as + <literal>succeed("foo &")</literal> and + <literal>succeed("foo | xclip -i")</literal> to + close stdout. This can be done with a redirect such as + <literal>succeed("foo >&2 &")</literal>. + This breaking change was necessitated by a race condition + causing tests to fail or hang. It applies to all methods that + invoke commands on the nodes, including + <literal>execute</literal>, <literal>succeed</literal>, + <literal>fail</literal>, + <literal>wait_until_succeeds</literal>, + <literal>wait_until_fails</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>services.wakeonlan</literal> option was removed, + and replaced with + <literal>networking.interfaces.<name>.wakeOnLan</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>security.wrappers</literal> option now requires + to always specify an owner, group and whether the + setuid/setgid bit should be set. 
This is motivated by the fact + that before NixOS 21.11, specifying either setuid or setgid + but not owner/group resulted in wrappers owned by + nobody/nogroup, which is unsafe. + </para> + </listitem> + <listitem> + <para> + Since <literal>iptables</literal> now uses + <literal>nf_tables</literal> backend and + <literal>ipset</literal> doesn’t support it, some applications + (ferm, shorewall, firehol) may have limited functionality. + </para> + </listitem> + <listitem> + <para> + The <literal>paperless</literal> module and package have been + removed. All users should migrate to the successor + <literal>paperless-ng</literal> instead. The Paperless project + <link xlink:href="https://github.com/the-paperless-project/paperless/commit/9b0063c9731f7c5f65b1852cb8caff97f5e40ba4">has + been archived</link> and advises all users to use + <literal>paperless-ng</literal> instead. + </para> + <para> + Users can use the <literal>services.paperless-ng</literal> + module as a replacement while noting the following + incompatibilities: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>services.paperless.ocrLanguages</literal> has no + replacement. Users should migrate to + <link xlink:href="options.html#opt-services.paperless-ng.extraConfig"><literal>services.paperless-ng.extraConfig</literal></link> + instead: + </para> + </listitem> + </itemizedlist> + <programlisting language="bash"> +{ + services.paperless-ng.extraConfig = { + # Provide languages as ISO 639-2 codes + # separated by a plus (+) sign. + # https://en.wikipedia.org/wiki/List_of_ISO_639-2_codes + PAPERLESS_OCR_LANGUAGE = "deu+eng+jpn"; # German & English & Japanse + }; +} +</programlisting> + <itemizedlist> + <listitem> + <para> + If you previously specified + <literal>PAPERLESS_CONSUME_MAIL_*</literal> settings in + <literal>services.paperless.extraConfig</literal> you + should remove those options now. 
You now + <emphasis>must</emphasis> define those settings in the + admin interface of paperless-ng. + </para> + </listitem> + <listitem> + <para> + Option <literal>services.paperless.manage</literal> no + longer exists. Use the script at + <literal>${services.paperless-ng.dataDir}/paperless-ng-manage</literal> + instead. Note that this script only exists after the + <literal>paperless-ng</literal> service has been started + at least once. + </para> + </listitem> + <listitem> + <para> + After switching to the new system configuration you should + run the Django management command to reindex your + documents and optionally create a user, if you don’t have + one already. + </para> + <para> + To do so, enter the data directory (the value of + <literal>services.paperless-ng.dataDir</literal>, + <literal>/var/lib/paperless</literal> by default), switch + to the paperless user and execute the management command + like below: + </para> + <programlisting> +$ cd /var/lib/paperless +$ su paperless -s /bin/sh +$ ./paperless-ng-manage document_index reindex +# if not already done create a user account, paperless-ng requires a login +$ ./paperless-ng-manage createsuperuser +Username (leave blank to use 'paperless'): my-user-name +Email address: me@example.com +Password: ********** +Password (again): ********** +Superuser created successfully. +</programlisting> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>staticjinja</literal> package has been upgraded + from 1.0.4 to 4.1.1 + </para> + </listitem> + <listitem> + <para> + Firefox v91 does not support addons with invalid signature + anymore. Firefox ESR needs to be used for nix addon support. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>erigon</literal> ethereum node has moved to a new + database format in <literal>2021-05-04</literal>, and requires + a full resync + </para> + </listitem> + <listitem> + <para> + The <literal>erigon</literal> ethereum node has moved it’s + database location in <literal>2021-08-03</literal>, users + upgrading must manually move their chaindata (see + <link xlink:href="https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03">release + notes</link>). + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-users.users._name_.group">users.users.<name>.group</link> + no longer defaults to <literal>nogroup</literal>, which was + insecure. Out-of-tree modules are likely to require + adaptation: instead of + </para> + <programlisting language="bash"> +{ + users.users.foo = { + isSystemUser = true; + }; +} +</programlisting> + <para> + also create a group for your user: + </para> + <programlisting language="bash"> +{ + users.users.foo = { + isSystemUser = true; + group = "foo"; + }; + users.groups.foo = {}; +} +</programlisting> + </listitem> + <listitem> + <para> + <literal>services.geoip-updater</literal> was broken and has + been replaced by + <link xlink:href="options.html#opt-services.geoipupdate.enable">services.geoipupdate</link>. + </para> + </listitem> + <listitem> + <para> + <literal>ihatemoney</literal> has been updated to version + 5.1.1 + (<link xlink:href="https://github.com/spiral-project/ihatemoney/blob/5.1.1/CHANGELOG.rst">release + notes</link>). If you serve ihatemoney by HTTP rather than + HTTPS, you must set + <link xlink:href="options.html#opt-services.ihatemoney.secureCookie">services.ihatemoney.secureCookie</link> + to <literal>false</literal>. + </para> + </listitem> + <listitem> + <para> + PHP 7.3 is no longer supported due to upstream not supporting + this version for the entire lifecycle of the 21.11 release. 
+ </para> + </listitem> + <listitem> + <para> + Those making use of <literal>buildBazelPackage</literal> will + need to regenerate the fetch hashes (preferred), or set + <literal>fetchConfigured = false;</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>consul</literal> was upgraded to a new major release + with breaking changes, see + <link xlink:href="https://github.com/hashicorp/consul/releases/tag/v1.10.0">upstream + changelog</link>. + </para> + </listitem> + <listitem> + <para> + fsharp41 has been removed in preference to use the latest + dotnet-sdk + </para> + </listitem> + <listitem> + <para> + The following F#-related packages have been removed for being + unmaintaned. Please use <literal>fetchNuGet</literal> for + specific packages. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + ExtCore + </para> + </listitem> + <listitem> + <para> + Fake + </para> + </listitem> + <listitem> + <para> + Fantomas + </para> + </listitem> + <listitem> + <para> + FsCheck + </para> + </listitem> + <listitem> + <para> + FsCheck262 + </para> + </listitem> + <listitem> + <para> + FsCheckNunit + </para> + </listitem> + <listitem> + <para> + FSharpAutoComplete + </para> + </listitem> + <listitem> + <para> + FSharpCompilerCodeDom + </para> + </listitem> + <listitem> + <para> + FSharpCompilerService + </para> + </listitem> + <listitem> + <para> + FSharpCompilerTools + </para> + </listitem> + <listitem> + <para> + FSharpCore302 + </para> + </listitem> + <listitem> + <para> + FSharpCore3125 + </para> + </listitem> + <listitem> + <para> + FSharpCore4001 + </para> + </listitem> + <listitem> + <para> + FSharpCore4117 + </para> + </listitem> + <listitem> + <para> + FSharpData + </para> + </listitem> + <listitem> + <para> + FSharpData225 + </para> + </listitem> + <listitem> + <para> + FSharpDataSQLProvider + </para> + </listitem> + <listitem> + <para> + FSharpFormatting + </para> + </listitem> + <listitem> + <para> + FsLexYacc + </para> + </listitem> + 
<listitem> + <para> + FsLexYacc706 + </para> + </listitem> + <listitem> + <para> + FsLexYaccRuntime + </para> + </listitem> + <listitem> + <para> + FsPickler + </para> + </listitem> + <listitem> + <para> + FsUnit + </para> + </listitem> + <listitem> + <para> + Projekt + </para> + </listitem> + <listitem> + <para> + Suave + </para> + </listitem> + <listitem> + <para> + UnionArgParser + </para> + </listitem> + <listitem> + <para> + ExcelDnaRegistration + </para> + </listitem> + <listitem> + <para> + MathNetNumerics + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>programs.x2goserver</literal> is now + <literal>services.x2goserver</literal> + </para> + </listitem> + <listitem> + <para> + The following dotnet-related packages have been removed for + being unmaintaned. Please use <literal>fetchNuGet</literal> + for specific packages. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Autofac + </para> + </listitem> + <listitem> + <para> + SystemValueTuple + </para> + </listitem> + <listitem> + <para> + MicrosoftDiaSymReader + </para> + </listitem> + <listitem> + <para> + MicrosoftDiaSymReaderPortablePdb + </para> + </listitem> + <listitem> + <para> + SystemCollectionsImmutable + </para> + </listitem> + <listitem> + <para> + SystemCollectionsImmutable131 + </para> + </listitem> + <listitem> + <para> + SystemReflectionMetadata + </para> + </listitem> + <listitem> + <para> + NUnit350 + </para> + </listitem> + <listitem> + <para> + Deedle + </para> + </listitem> + <listitem> + <para> + ExcelDna + </para> + </listitem> + <listitem> + <para> + GitVersionTree + </para> + </listitem> + <listitem> + <para> + NDeskOptions + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + <itemizedlist> + <listitem> + <para> + The <literal>antlr</literal> package now defaults to the 4.x + release instead of the old 2.7.7 version. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>pulseeffects</literal> package updated to + <link xlink:href="https://github.com/wwmm/easyeffects/releases/tag/v6.0.0">version + 4.x</link> and renamed to <literal>easyeffects</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>libwnck</literal> package now defaults to the 3.x + release instead of the old 2.31.0 version. + </para> + </listitem> + <listitem> + <para> + The <literal>bitwarden_rs</literal> packages and modules were + renamed to <literal>vaultwarden</literal> + <link xlink:href="https://github.com/dani-garcia/vaultwarden/discussions/1642">following + upstream</link>. More specifically, + </para> + <itemizedlist> + <listitem> + <para> + <literal>pkgs.bitwarden_rs</literal>, + <literal>pkgs.bitwarden_rs-sqlite</literal>, + <literal>pkgs.bitwarden_rs-mysql</literal> and + <literal>pkgs.bitwarden_rs-postgresql</literal> were + renamed to <literal>pkgs.vaultwarden</literal>, + <literal>pkgs.vaultwarden-sqlite</literal>, + <literal>pkgs.vaultwarden-mysql</literal> and + <literal>pkgs.vaultwarden-postgresql</literal>, + respectively. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Old names are preserved as aliases for backwards + compatibility, but may be removed in the future. + </para> + </listitem> + <listitem> + <para> + The <literal>bitwarden_rs</literal> executable was + also renamed to <literal>vaultwarden</literal> in all + packages. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>pkgs.bitwarden_rs-vault</literal> was renamed to + <literal>pkgs.vaultwarden-vault</literal>. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>pkgs.bitwarden_rs-vault</literal> is + preserved as an alias for backwards compatibility, but + may be removed in the future. 
+ </para> + </listitem> + <listitem> + <para> + The static files were moved from + <literal>/usr/share/bitwarden_rs</literal> to + <literal>/usr/share/vaultwarden</literal>. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>services.bitwarden_rs</literal> config module + was renamed to <literal>services.vaultwarden</literal>. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>services.bitwarden_rs</literal> is preserved + as an alias for backwards compatibility, but may be + removed in the future. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>systemd.services.bitwarden_rs</literal>, + <literal>systemd.services.backup-bitwarden_rs</literal> + and <literal>systemd.timers.backup-bitwarden_rs</literal> + were renamed to + <literal>systemd.services.vaultwarden</literal>, + <literal>systemd.services.backup-vaultwarden</literal> and + <literal>systemd.timers.backup-vaultwarden</literal>, + respectively. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Old names are preserved as aliases for backwards + compatibility, but may be removed in the future. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>users.users.bitwarden_rs</literal> and + <literal>users.groups.bitwarden_rs</literal> were renamed + to <literal>users.users.vaultwarden</literal> and + <literal>users.groups.vaultwarden</literal>, respectively. + </para> + </listitem> + <listitem> + <para> + The data directory remains located at + <literal>/var/lib/bitwarden_rs</literal>, for backwards + compatibility. + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + <itemizedlist> + <listitem> + <para> + <literal>yggdrasil</literal> was upgraded to a new major + release with breaking changes, see + <link xlink:href="https://github.com/yggdrasil-network/yggdrasil-go/releases/tag/v0.4.0">upstream + changelog</link>. 
+ </para> + </listitem> + <listitem> + <para> + <literal>icingaweb2</literal> was upgraded to a new release + which requires a manual database upgrade, see + <link xlink:href="https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0">upstream + changelog</link>. + </para> + </listitem> + <listitem> + <para> + The <literal>isabelle</literal> package has been upgraded from + 2020 to 2021 + </para> + </listitem> + <listitem> + <para> + the <literal>mingw-64</literal> package has been upgraded from + 6.0.0 to 9.0.0 + </para> + </listitem> + <listitem> + <para> + <literal>tt-rss</literal> was upgraded to the commit on + 2021-06-21, which has breaking changes. If you use + <literal>services.tt-rss.extraConfig</literal> you should + migrate to the <literal>putenv</literal>-style configuration. + See + <link xlink:href="https://community.tt-rss.org/t/rip-config-php-hello-classes-config-php/4337">this + Discourse post</link> in the tt-rss forums for more details. + </para> + </listitem> + <listitem> + <para> + The following Visual Studio Code extensions were renamed to + keep the naming convention uniform. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>bbenoist.Nix</literal> -> + <literal>bbenoist.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>CoenraadS.bracket-pair-colorizer</literal> -> + <literal>coenraads.bracket-pair-colorizer</literal> + </para> + </listitem> + <listitem> + <para> + <literal>golang.Go</literal> -> + <literal>golang.go</literal> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>services.uptimed</literal> now uses + <literal>/var/lib/uptimed</literal> as its stateDirectory + instead of <literal>/var/spool/uptimed</literal>. Make sure to + move all files to the new directory. + </para> + </listitem> + <listitem> + <para> + Deprecated package aliases in <literal>emacs.pkgs.*</literal> + have been removed. 
These aliases were remnants of the old + Emacs package infrastructure. We now use exact upstream names + wherever possible. + </para> + </listitem> + <listitem> + <para> + <literal>programs.neovim.runtime</literal> switched to a + <literal>linkFarm</literal> internally, making it impossible + to use wildcards in the <literal>source</literal> argument. + </para> + </listitem> + <listitem> + <para> + The <literal>openrazer</literal> and + <literal>openrazer-daemon</literal> packages as well as the + <literal>hardware.openrazer</literal> module now require users + to be members of the <literal>openrazer</literal> group + instead of <literal>plugdev</literal>. With this change, users + no longer need be granted the entire set of + <literal>plugdev</literal> group permissions, which can + include permissions other than those required by + <literal>openrazer</literal>. This is desirable from a + security point of view. The setting + <link xlink:href="options.html#opt-services.hardware.openrazer.users"><literal>harware.openrazer.users</literal></link> + can be used to add users to the <literal>openrazer</literal> + group. + </para> + </listitem> + <listitem> + <para> + The fontconfig service’s dpi option has been removed. + Fontconfig should use Xft settings by default so there’s no + need to override one value in multiple places. The user can + set DPI via ~/.Xresources properly, or at the system level per + monitor, or as a last resort at the system level with + <literal>services.xserver.dpi</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>yambar</literal> package has been split into + <literal>yambar</literal> and + <literal>yambar-wayland</literal>, corresponding to the xorg + and wayland backend respectively. Please switch to + <literal>yambar-wayland</literal> if you are on wayland. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>services.minio</literal> module gained an + additional option <literal>consoleAddress</literal>, that + configures the address and port the web UI is listening, it + defaults to <literal>:9001</literal>. To be able to access the + web UI this port needs to be opened in the firewall. + </para> + </listitem> + <listitem> + <para> + The <literal>varnish</literal> package was upgraded from 6.3.x + to 7.x. <literal>varnish60</literal> for the last LTS release + is also still available. + </para> + </listitem> + <listitem> + <para> + The <literal>kubernetes</literal> package was upgraded to + 1.22. The <literal>kubernetes.apiserver.kubeletHttps</literal> + option was removed and HTTPS is always used. + </para> + </listitem> + <listitem> + <para> + The attribute <literal>linuxPackages_latest_hardened</literal> + was dropped because the hardened patches lag behind the + upstream kernel which made version bumps harder. If you want + to use a hardened kernel, please pin it explicitly with a + versioned attribute such as + <literal>linuxPackages_5_10_hardened</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>nomad</literal> package now defaults to a 1.1.x + release instead of 1.0.x + </para> + </listitem> + <listitem> + <para> + If <literal>exfat</literal> is included in + <literal>boot.supportedFilesystems</literal> and when using + kernel 5.7 or later, the <literal>exfatprogs</literal> + user-space utilities are used instead of + <literal>exfat</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>todoman</literal> package was upgraded from 3.9.0 + to 4.0.0. This introduces breaking changes in the + <link xlink:href="https://todoman.readthedocs.io/en/stable/configure.html#configuration-file">configuration + file</link> format. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>datadog-agent</literal>, + <literal>datadog-integrations-core</literal> and + <literal>datadog-process-agent</literal> packages were + upgraded from 6.11.2 to 7.30.2, git-2018-09-18 to 7.30.1 and + 6.11.1 to 7.30.2, respectively. As a result + <literal>services.datadog-agent</literal> has had breaking + changes to the configuration file. For details, see the + <link xlink:href="https://github.com/DataDog/datadog-agent/blob/main/CHANGELOG.rst">upstream + changelog</link>. + </para> + </listitem> + <listitem> + <para> + <literal>opencv2</literal> no longer includes the non-free + libraries by default, and consequently + <literal>pfstools</literal> no longer includes OpenCV support + by default. Both packages now support an + <literal>enableUnfree</literal> option to re-enable this + functionality. + </para> + </listitem> + <listitem> + <para> + <literal>services.xserver.displayManager.defaultSession = "plasma5"</literal> + does not work anymore, instead use either + <literal>"plasma"</literal> for the Plasma X11 + session or <literal>"plasmawayland"</literal> for + the Plasma Wayland sesison. + </para> + </listitem> + <listitem> + <para> + <literal>boot.kernelParams</literal> now only accepts one + command line parameter per string. This change is aimed to + reduce common mistakes like <quote>param = 12</quote>, which + would be parsed as 3 parameters. + </para> + </listitem> + <listitem> + <para> + <literal>nix.daemonNiceLevel</literal> and + <literal>nix.daemonIONiceLevel</literal> have been removed in + favour of the new options + <link xlink:href="options.html#opt-nix.daemonCPUSchedPolicy"><literal>nix.daemonCPUSchedPolicy</literal></link>, + <link xlink:href="options.html#opt-nix.daemonIOSchedClass"><literal>nix.daemonIOSchedClass</literal></link> + and + <link xlink:href="options.html#opt-nix.daemonIOSchedPriority"><literal>nix.daemonIOSchedPriority</literal></link>. 
+ Please refer to the options documentation and the + <literal>sched(7)</literal> and + <literal>ioprio_set(2)</literal> man pages for guidance on how + to use them. + </para> + </listitem> + <listitem> + <para> + The <literal>coursier</literal> package’s binary was renamed + from <literal>coursier</literal> to <literal>cs</literal>. + Completions which haven’t worked for a while should now work + with the renamed binary. To keep using + <literal>coursier</literal>, you can create a shell alias. + </para> + </listitem> + <listitem> + <para> + The <literal>services.mosquitto</literal> module has been + rewritten to support multiple listeners and per-listener + configuration. Module configurations from previous releases + will no longer work and must be updated. + </para> + </listitem> + <listitem> + <para> + The <literal>fluidsynth_1</literal> attribute has been + removed, as this legacy version is no longer needed in + nixpkgs. The actively maintained 2.x series is available as + <literal>fluidsynth</literal> unchanged. + </para> + </listitem> + <listitem> + <para> + Nextcloud 20 (<literal>pkgs.nextcloud20</literal>) has been + dropped because it was EOLed by upstream in 2021-10. + </para> + </listitem> + <listitem> + <para> + The <literal>virtualisation.pathsInNixDB</literal> option was + renamed + <link xlink:href="options.html#opt-virtualisation.additionalPaths"><literal>virtualisation.additionalPaths</literal></link>. + </para> + </listitem> + <listitem> + <para> + The <literal>services.ddclient.password</literal> option was + removed, and replaced with + <literal>services.ddclient.passwordFile</literal>. + </para> + </listitem> + <listitem> + <para> + The default GNAT version has been changed: The + <literal>gnat</literal> attribute now points to + <literal>gnat11</literal> instead of <literal>gnat9</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>retroArchCores</literal> has been removed. 
This means + that using <literal>nixpkgs.config.retroarch</literal> to + customize RetroArch cores is not supported anymore. Instead, + use package overrides, for example: + <literal>retroarch.override { cores = with libretro; [ citra snes9x ]; };</literal>. + Also, <literal>retroarchFull</literal> derivation is available + for those who want to have all RetroArch cores available. + </para> + </listitem> + <listitem> + <para> + The Linux kernel for security reasons now restricts access to + BPF syscalls via <literal>BPF_UNPRIV_DEFAULT_OFF=y</literal>. + Unprivileged access can be reenabled via the + <literal>kernel.unprivileged_bpf_disabled</literal> sysctl + knob. + </para> + </listitem> + <listitem> + <para> + <literal>/usr</literal> will always be included in the initial + ramdisk. See the + <literal>fileSystems.<name>.neededForBoot</literal> + option. If any files exist under <literal>/usr</literal> + (which is not typical for NixOS), they will be included in the + initial ramdisk, increasing its size to a possibly problematic + extent. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-21.11-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + The linux kernel package infrastructure was moved out of + <literal>all-packages.nix</literal>, and restructured. Linux + related functions and attributes now live under the + <literal>pkgs.linuxKernel</literal> attribute set. In + particular the versioned <literal>linuxPackages_*</literal> + package sets (such as <literal>linuxPackages_5_4</literal>) + and kernels from <literal>pkgs</literal> were moved there and + now live under <literal>pkgs.linuxKernel.packages.*</literal>. + The unversioned ones (such as + <literal>linuxPackages_latest</literal>) remain untouched. 
+ </para> + </listitem> + <listitem> + <para> + In NixOS virtual machines (QEMU), the + <literal>virtualisation</literal> module has been updated with + new options: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <link xlink:href="options.html#opt-virtualisation.forwardPorts"><literal>forwardPorts</literal></link> + to configure IPv4 port forwarding, + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-virtualisation.sharedDirectories"><literal>sharedDirectories</literal></link> + to set up shared host directories, + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-virtualisation.resolution"><literal>resolution</literal></link> + to set the screen resolution, + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-virtualisation.useNixStoreImage"><literal>useNixStoreImage</literal></link> + to use a disk image for the Nix store instead of 9P. + </para> + </listitem> + </itemizedlist> + <para> + In addition, the default + <link xlink:href="options.html#opt-virtualisation.msize"><literal>msize</literal></link> + parameter in 9P filesystems (including /nix/store and all + shared directories) has been increased to 16K for improved + performance. + </para> + </listitem> + <listitem> + <para> + The setting + <link xlink:href="options.html#opt-services.openssh.logLevel"><literal>services.openssh.logLevel</literal></link> + <literal>"VERBOSE"</literal> + <literal>"INFO"</literal>. This brings NixOS in line + with upstream and other Linux distributions, and reduces log + spam on servers due to bruteforcing botnets. 
+ </para> + <para> + However, if + <link xlink:href="options.html#opt-services.fail2ban.enable"><literal>services.fail2ban.enable</literal></link> + is <literal>true</literal>, the <literal>fail2ban</literal> + will override the verbosity to + <literal>"VERBOSE"</literal>, so that + <literal>fail2ban</literal> can observe the failed login + attempts from the SSH logs. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.xserver.extraLayouts"><literal>services.xserver.extraLayouts</literal></link> + no longer cause additional rebuilds when a layout is added or + modified. + </para> + </listitem> + <listitem> + <para> + Sway: The terminal emulator <literal>rxvt-unicode</literal> is + no longer installed by default via + <literal>programs.sway.extraPackages</literal>. The current + default configuration uses <literal>alacritty</literal> (and + soon <literal>foot</literal>) so this is only an issue when + using a customized configuration and not installing + <literal>rxvt-unicode</literal> explicitly. + </para> + </listitem> + <listitem> + <para> + <literal>python3</literal> now defaults to Python 3.9. Python + 3.9 introduces many deprecation warnings, please look at the + <link xlink:href="https://docs.python.org/3/whatsnew/3.9.html">What’s + New In Python 3.9 post</link> for more information. + </para> + </listitem> + <listitem> + <para> + <literal>qtile</literal> hase been updated from + <quote>0.16.0</quote> to <quote>0.18.0</quote>, please check + <link xlink:href="https://github.com/qtile/qtile/blob/master/CHANGELOG">qtile + changelog</link> for changes. + </para> + </listitem> + <listitem> + <para> + The <literal>claws-mail</literal> package now references the + new GTK+ 3 release branch, major version 4. To use the GTK+ 2 + releases, one can install the + <literal>claws-mail-gtk2</literal> package. 
+ </para> + </listitem> + <listitem> + <para> + The wordpress module provides a new interface which allows to + use different webservers with the new option + <link xlink:href="options.html#opt-services.wordpress.webserver"><literal>services.wordpress.webserver</literal></link>. + Currently <literal>httpd</literal>, <literal>caddy</literal> + and <literal>nginx</literal> are supported. The definitions of + wordpress sites should now be set in + <link xlink:href="options.html#opt-services.wordpress.sites"><literal>services.wordpress.sites</literal></link>. + </para> + <para> + Sites definitions that use the old interface are automatically + migrated in the new option. This backward compatibility will + be removed in 22.05. + </para> + </listitem> + <listitem> + <para> + The dokuwiki module provides a new interface which allows to + use different webservers with the new option + <link xlink:href="options.html#opt-services.dokuwiki.webserver"><literal>services.dokuwiki.webserver</literal></link>. + Currently <literal>caddy</literal> and + <literal>nginx</literal> are supported. The definitions of + dokuwiki sites should now be set in + <link xlink:href="options.html#opt-services.dokuwiki.sites"><literal>services.dokuwiki.sites</literal></link>. + </para> + <para> + Sites definitions that use the old interface are automatically + migrated in the new option. This backward compatibility will + be removed in 22.05. 
+ </para> + </listitem> + <listitem> + <para> + The order of NSS (host) modules has been brought in line with + upstream recommendations: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + The <literal>myhostname</literal> module is placed before + the <literal>resolve</literal> (optional) and + <literal>dns</literal> entries, but after + <literal>file</literal> (to allow overriding via + <literal>/etc/hosts</literal> / + <literal>networking.extraHosts</literal>, and prevent ISPs + with catchall-DNS resolvers from hijacking + <literal>.localhost</literal> domains) + </para> + </listitem> + <listitem> + <para> + The <literal>mymachines</literal> module, which provides + hostname resolution for local containers (registered with + <literal>systemd-machined</literal>) is placed to the + front, to make sure its mappings are preferred over other + resolvers. + </para> + </listitem> + <listitem> + <para> + If systemd-networkd is enabled, the + <literal>resolve</literal> module is placed before + <literal>files</literal> and + <literal>myhostname</literal>, as it provides the same + logic internally, with caching. + </para> + </listitem> + <listitem> + <para> + The <literal>mdns(_minimal)</literal> module has been + updated to the new priorities. + </para> + </listitem> + </itemizedlist> + <para> + If you use your own NSS host modules, make sure to update your + priorities according to these rules: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + NSS modules which should be queried before + <literal>resolved</literal> DNS resolution should use + mkBefore. + </para> + </listitem> + <listitem> + <para> + NSS modules which should be queried after + <literal>resolved</literal>, <literal>files</literal> and + <literal>myhostname</literal>, but before + <literal>dns</literal> should use the default priority + </para> + </listitem> + <listitem> + <para> + NSS modules which should come after <literal>dns</literal> + should use mkAfter. 
+ </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-networking.wireless.enable">networking.wireless</link> + module (based on wpa_supplicant) has been heavily reworked, + solving a number of issues and adding useful features: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + The automatic discovery of wireless interfaces at boot has + been made reliable again (issues + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/101963">#101963</link>, + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/23196">#23196</link>). + </para> + </listitem> + <listitem> + <para> + WPA3 and Fast BSS Transition (802.11r) are now enabled by + default for all networks. + </para> + </listitem> + <listitem> + <para> + Secrets like pre-shared keys and passwords can now be + handled safely, meaning without including them in a + world-readable file + (<literal>wpa_supplicant.conf</literal> under /nix/store). + This is achieved by storing the secrets in a secured + <link xlink:href="options.html#opt-networking.wireless.environmentFile">environmentFile</link> + and referring to them though environment variables that + are expanded inside the configuration. + </para> + </listitem> + <listitem> + <para> + With multiple interfaces declared, independent + wpa_supplicant daemons are started, one for each interface + (the services are named + <literal>wpa_supplicant-wlan0</literal>, + <literal>wpa_supplicant-wlan1</literal>, etc.). + </para> + </listitem> + <listitem> + <para> + The generated <literal>wpa_supplicant.conf</literal> file + is now formatted for easier reading. + </para> + </listitem> + <listitem> + <para> + A new + <link xlink:href="options.html#opt-networking.wireless.scanOnLowSignal">scanOnLowSignal</link> + option has been added to facilitate fast roaming between + access points (enabled by default). 
+ </para> + </listitem> + <listitem> + <para> + A new + <link xlink:href="options.html#opt-networking.wireless.networks._name_.authProtocols">networks.<name>.authProtocols</link> + option has been added to change the authentication + protocols used when connecting to a network. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-networking.wireless.iwd.enable">networking.wireless.iwd</link> + module has a new + <link xlink:href="options.html#opt-networking.wireless.iwd.settings">networking.wireless.iwd.settings</link> + option. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.smokeping.host">services.smokeping.host</link> + option was added and defaulted to + <literal>localhost</literal>. Before, + <literal>smokeping</literal> listened to all interfaces by + default. NixOS defaults generally aim to provide + non-Internet-exposed defaults for databases and internal + monitoring tools, see e.g. + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/100192">#100192</link>. + Further, the systemd service for <literal>smokeping</literal> + got reworked defaults for increased operational stability, see + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/144127">PR + #144127</link> for details. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.syncoid.enable">services.syncoid.enable</link> + module now properly drops ZFS permissions after usage. Before + it delegated permissions to whole pools instead of datasets + and didn’t clean up after execution. You can manually look + this up for your pools by running + <literal>zfs allow your-pool-name</literal> and use + <literal>zfs unallow syncoid your-pool-name</literal> to clean + this up. + </para> + </listitem> + <listitem> + <para> + Zfs: <literal>latestCompatibleLinuxPackages</literal> is now + exported on the zfs package. 
One can use + <literal>boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;</literal> + to always track the latest compatible kernel with a given + version of zfs. + </para> + </listitem> + <listitem> + <para> + Nginx will use the value of + <literal>sslTrustedCertificate</literal> if provided for a + virtual host, even if <literal>enableACME</literal> is set. + This is useful for providers not using the same certificate to + sign OCSP responses and server certificates. + </para> + </listitem> + <listitem> + <para> + <literal>lib.formats.yaml</literal>’s + <literal>generate</literal> will not generate JSON anymore, + but instead use more of the YAML-specific syntax. + </para> + </listitem> + <listitem> + <para> + MariaDB was upgraded from 10.5.x to 10.6.x. Please read the + <link xlink:href="https://mariadb.com/kb/en/changes-improvements-in-mariadb-106/">upstream + release notes</link> for changes and upgrade instructions. + </para> + </listitem> + <listitem> + <para> + The MariaDB C client library, also known as libmysqlclient or + mariadb-connector-c, was upgraded from 3.1.x to 3.2.x. While + this should hopefully not have any impact, this upgrade comes + with some changes to default behavior, so you might want to + review the + <link xlink:href="https://mariadb.com/kb/en/changes-and-improvements-in-mariadb-connector-c-32/">upstream + release notes</link>. + </para> + </listitem> + <listitem> + <para> + GNOME desktop environment now enables + <literal>QGnomePlatform</literal> as the Qt platform theme, + which should avoid crashes when opening file chooser dialogs + in Qt apps by using XDG desktop portal. Additionally, it will + make the apps fit better visually. + </para> + </listitem> + <listitem> + <para> + <literal>rofi</literal> has been updated from + <quote>1.6.1</quote> to <quote>1.7.0</quote>, one important + thing is the removal of the old xresources based configuration + setup. 
Read more + <link xlink:href="https://github.com/davatorium/rofi/blob/cb12e6fc058f4a0f4f/Changelog#L1">in + rofi’s changelog</link>. + </para> + </listitem> + <listitem> + <para> + ipfs now defaults to not listening on you local network. This + setting was change as server providers won’t accept port + scanning on their private network. If you have several ipfs + instances running on a network you own, feel free to change + the setting <literal>ipfs.localDiscovery = true;</literal>. + localDiscovery enables different instances to discover each + other and share data. + </para> + </listitem> + <listitem> + <para> + <literal>lua</literal> and <literal>luajit</literal> + interpreters have been patched to avoid looking into /usr/lib + directories, thus increasing the purity of the build. + </para> + </listitem> + <listitem> + <para> + Three new options, + <link linkend="opt-xdg.mime.addedAssociations">xdg.mime.addedAssociations</link>, + <link linkend="opt-xdg.mime.defaultApplications">xdg.mime.defaultApplications</link>, + and + <link linkend="opt-xdg.mime.removedAssociations">xdg.mime.removedAssociations</link> + have been added to the + <link linkend="opt-xdg.mime.enable">xdg.mime</link> module to + allow the configuration of + <literal>/etc/xdg/mimeapps.list</literal>. + </para> + </listitem> + <listitem> + <para> + Kopia was upgraded from 0.8.x to 0.9.x. Please read the + <link xlink:href="https://github.com/kopia/kopia/releases/tag/v0.9.0">upstream + release notes</link> for changes and upgrade instructions. + </para> + </listitem> + <listitem> + <para> + The <literal>systemd.network</literal> module has gained + support for the FooOverUDP link type. + </para> + </listitem> + <listitem> + <para> + The <literal>networking</literal> module has a new + <literal>networking.fooOverUDP</literal> option to configure + Foo-over-UDP encapsulations. + </para> + </listitem> + <listitem> + <para> + <literal>networking.sits</literal> now supports Foo-over-UDP + encapsulation. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>virtualisation.libvirtd</literal> module has been + refactored and updated with new options: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>virtualisation.libvirtd.qemu*</literal> options + (e.g.: + <literal>virtualisation.libvirtd.qemuRunAsRoot</literal>) + were moved to + <link xlink:href="options.html#opt-virtualisation.libvirtd.qemu"><literal>virtualisation.libvirtd.qemu</literal></link> + submodule, + </para> + </listitem> + <listitem> + <para> + software TPM1/TPM2 support (e.g.: Windows 11 guests) + (<link xlink:href="options.html#opt-virtualisation.libvirtd.qemu.swtpm"><literal>virtualisation.libvirtd.qemu.swtpm</literal></link>), + </para> + </listitem> + <listitem> + <para> + custom OVMF package (e.g.: + <literal>pkgs.OVMFFull</literal> with HTTP, CSM and Secure + Boot support) + (<link xlink:href="options.html#opt-virtualisation.libvirtd.qemu.ovmf.package"><literal>virtualisation.libvirtd.qemu.ovmf.package</literal></link>). + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>cawbird</literal> Twitter client now uses its own + API keys to count as different application than upstream + builds. This is done to evade application-level rate limiting. + While existing accounts continue to work, users may want to + remove and re-register their account in the client to enjoy a + better user experience and benefit from this change. + </para> + </listitem> + <listitem> + <para> + A new option + <literal>services.prometheus.enableReload</literal> has been + added which can be enabled to reload the prometheus service + when its config file changes instead of restarting. 
+ </para> + </listitem> + <listitem> + <para> + The option + <literal>services.prometheus.environmentFile</literal> has + been removed since it was causing + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/126083">issues</link> + and Prometheus now has native support for secret files, i.e. + <literal>basic_auth.password_file</literal> and + <literal>authorization.credentials_file</literal>. + </para> + </listitem> + <listitem> + <para> + Dokuwiki now supports caddy! However + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + the nginx option has been removed, in the new + configuration, please use the + <literal>dokuwiki.webserver = "nginx"</literal> + instead. + </para> + </listitem> + <listitem> + <para> + The <quote>${hostname}</quote> option has been deprecated, + please use + <literal>dokuwiki.sites = [ "${hostname}" ]</literal> + instead + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.unifi.enable">services.unifi</link> + module has been reworked, solving a number of issues. This + leads to several user facing changes: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + The <literal>services.unifi.dataDir</literal> option is + removed and the data is now always located under + <literal>/var/lib/unifi/data</literal>. This is done to + make better use of systemd state direcotiry and thus + making the service restart more reliable. + </para> + </listitem> + <listitem> + <para> + The unifi logs can now be found under: + <literal>/var/log/unifi</literal> instead of + <literal>/var/lib/unifi/logs</literal>. + </para> + </listitem> + <listitem> + <para> + The unifi run directory can now be found under: + <literal>/run/unifi</literal> instead of + <literal>/var/lib/unifi/run</literal>. 
+ </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>security.pam.services.<name>.makeHomeDir</literal> + now uses <literal>umask=0077</literal> instead of + <literal>umask=0022</literal> when creating the home + directory. + </para> + </listitem> + <listitem> + <para> + Loki has had another release. Some default values have been + changed for the configuration and some configuration options + have been renamed. For more details, please check + <link xlink:href="https://grafana.com/docs/loki/latest/upgrading/#240">the + upgrade guide</link>. + </para> + </listitem> + <listitem> + <para> + <literal>julia</literal> now refers to + <literal>julia-stable</literal> instead of + <literal>julia-lts</literal>. In practice this means it has + been upgraded from <literal>1.0.4</literal> to + <literal>1.5.4</literal>. + </para> + </listitem> + <listitem> + <para> + RetroArch has been upgraded from version + <literal>1.8.5</literal> to <literal>1.9.13.2</literal>. Since + the previous release was quite old, if you’re having issues + after the upgrade, please delete your + <literal>$XDG_CONFIG_HOME/retroarch/retroarch.cfg</literal> + file. + </para> + </listitem> + <listitem> + <para> + hydrus has been upgraded from version <literal>438</literal> + to <literal>463</literal>. Since upgrading between releases + this old is advised against, be sure to have a backup of your + data before upgrading. For details, see + <link xlink:href="https://hydrusnetwork.github.io/hydrus/help/getting_started_installing.html#big_updates">the + hydrus manual</link>. + </para> + </listitem> + <listitem> + <para> + More jdk and jre versions are now exposed via + <literal>java-packages.compiler</literal>. + </para> + </listitem> + </itemizedlist> + </section> +</section> |
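Review bot: the `services.openssh.logLevel` entry under "Other Notable Changes" has lost its verb. It reads `The setting services.openssh.logLevel "VERBOSE" "INFO".`, so a reader cannot tell which value is the old default and which is the new one. The sentences that follow (less log spam from bruteforcing botnets, and fail2ban overriding the verbosity to "VERBOSE") imply the default moved from "VERBOSE" to "INFO". Please state that explicitly, for example "The default of services.openssh.logLevel was changed from "VERBOSE" to "INFO"", because anyone who relies on verbose sshd logs without fail2ban has to set the option back by hand. Other points in the same hunk: the openrazer entry spells the option `harware.openrazer.users` and links to `opt-services.hardware.openrazer.users`, although the module is named `hardware.openrazer`; the pulseeffects entry says "version 4.x" while its link targets the easyeffects v6.0.0 release tag; the NSS entry refers to the same module as both `file` and `files`. Spelling to fix: "sesison", "hase", "direcotiry". As the file lives under `from_md`, these are best corrected in the source it is generated from, not in the XML.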