Diffstat (limited to 'nixos/doc/manual/from_md/release-notes/rl-2205.section.xml')
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 1630 |
1 files changed, 1630 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml new file mode 100644 index 00000000000..348374026b4 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
@@ -0,0 +1,1630 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-22.05"> + <title>Release 22.05 (“Quokka”, 2022.05/??)</title> + <para> + In addition to numerous new and upgraded packages, this release has + the following highlights: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Support is planned until the end of December 2022, handing over + to 22.11. + </para> + </listitem> + </itemizedlist> + <section xml:id="sec-release-22.05-highlights"> + <title>Highlights</title> + <itemizedlist> + <listitem> + <para> + <literal>security.acme.defaults</literal> has been added to + simplify configuring settings for many certificates at once. + This also opens up the the option to use DNS-01 validation + when using <literal>enableACME</literal> on web server virtual + hosts (e.g. + <literal>services.nginx.virtualHosts.*.enableACME</literal>). + </para> + </listitem> + <listitem> + <para> + PHP 8.1 is now available + </para> + </listitem> + <listitem> + <para> + Mattermost has been updated to extended support release 6.3, + as the previously packaged extended support release 5.37 is + <link xlink:href="https://docs.mattermost.com/upgrade/extended-support-release.html">reaching + its end of life</link>. Migrations may take a while, see the + <link xlink:href="https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release">changelog</link> + and + <link xlink:href="https://docs.mattermost.com/upgrade/important-upgrade-notes.html">important + upgrade notes</link>. + </para> + </listitem> + <listitem> + <para> + systemd services can now set + <link linkend="opt-systemd.services">systemd.services.<name>.reloadTriggers</link> + instead of <literal>reloadIfChanged</literal> for a more + granular distinction between reloads and restarts. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://kops.sigs.k8s.io"><literal>kops</literal></link> + defaults to 1.22.4, which will enable + <link xlink:href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html">Instance + Metadata Service Version 2</link> and require tokens on new + clusters with Kubernetes 1.22. This will increase security by + default, but may break some types of workloads. See the + <link xlink:href="https://kops.sigs.k8s.io/releases/1.22-notes/">release + notes</link> for details. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-22.05-new-services"> + <title>New Services</title> + <itemizedlist> + <listitem> + <para> + <link xlink:href="https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw">aesmd</link>, + the Intel SGX Architectural Enclave Service Manager. Available + as + <link linkend="opt-services.aesmd.enable">services.aesmd</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://docs.docker.com/engine/security/rootless/">rootless + Docker</link>, a <literal>systemd --user</literal> Docker + service which runs without root permissions. Available as + <link xlink:href="options.html#opt-virtualisation.docker.rootless.enable">virtualisation.docker.rootless.enable</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://conduit.rs/">matrix-conduit</link>, + a simple, fast and reliable chat server powered by matrix. + Available as + <link xlink:href="option.html#opt-services.matrix-conduit.enable">services.matrix-conduit</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html">filebeat</link>, + a lightweight shipper for forwarding and centralizing log + data. Available as + <link linkend="opt-services.filebeat.enable">services.filebeat</link>. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/linux-apfs/linux-apfs-rw">apfs</link>, + a kernel module for mounting the Apple File System (APFS). + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://frrouting.org/">FRRouting</link>, a + popular suite of Internet routing protocol daemons (BGP, BFD, + OSPF, IS-IS, VVRP and others). Available as + <link linkend="opt-services.frr.babel.enable">services.frr</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/hifi/heisenbridge">heisenbridge</link>, + a bouncer-style Matrix IRC bridge. Available as + <link xlink:href="options.html#opt-services.heisenbridge.enable">services.heisenbridge</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://snowflake.torproject.org/">snowflake-proxy</link>, + a system to defeat internet censorship. Available as + <link xlink:href="options.html#opt-services.snowflake-proxy.enable">services.snowflake-proxy</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://ergo.chat">ergochat</link>, a modern + IRC with IRCv3 features. Available as + <link xlink:href="options.html#opt-services.ergochat.enable">services.ergochat</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/ngoduykhanh/PowerDNS-Admin">PowerDNS-Admin</link>, + a web interface for the PowerDNS server. Available at + <link xlink:href="options.html#opt-services.powerdns-admin.enable">services.powerdns-admin</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/postgres/pgadmin4">pgadmin4</link>, + an admin interface for the PostgreSQL database. Available at + <link xlink:href="options.html#opt-services.pgadmin.enable">services.pgadmin</link>. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/sezanzeb/input-remapper">input-remapper</link>, + an easy to use tool to change the mapping of your input device + buttons. Available at + <link xlink:href="options.html#opt-services.input-remapper.enable">services.input-remapper</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://invoiceplane.com">InvoicePlane</link>, + web application for managing and creating invoices. Available + at + <link xlink:href="options.html#opt-services.invoiceplane.enable">services.invoiceplane</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://maddy.email">maddy</link>, a + composable all-in-one mail server. Available as + <link xlink:href="options.html#opt-services.maddy.enable">services.maddy</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.scorchworks.com/K40whisperer/k40whisperer.html">K40-Whisperer</link>, + a program to control cheap Chinese laser cutters. Available as + <link xlink:href="options.html#opt-programs.k4-whisperer.enable">programs.k40-whisperer.enable</link>. + Users must add themselves to the <literal>k40</literal> group + to be able to access the device. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/mgumz/mtr-exporter">mtr-exporter</link>, + a Prometheus exporter for mtr metrics. Available as + <link xlink:href="options.html#opt-services.mtr-exporter.enable">services.mtr-exporter</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/prometheus-pve/prometheus-pve-exporter">prometheus-pve-exporter</link>, + a tool that exposes information from the Proxmox VE API for + use by Prometheus. Available as + <link xlink:href="options.html#opt-services.prometheus.exporters.pve">services.prometheus.exporters.pve</link>. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://tetrd.app">tetrd</link>, share your + internet connection from your device to your PC and vice versa + through a USB cable. Available at + <link linkend="opt-services.tetrd.enable">services.tetrd</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/mbrubeck/agate">agate</link>, + a very simple server for the Gemini hypertext protocol. + Available as + <link xlink:href="options.html#opt-services.agate.enable">services.agate</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm">ArchiSteamFarm</link>, + a C# application with primary purpose of idling Steam cards + from multiple accounts simultaneously. Available as + <link xlink:href="options.html#opt-services.archisteamfarm.enable">services.archisteamfarm</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://goteleport.com">teleport</link>, + allows engineers and security professionals to unify access + for SSH servers, Kubernetes clusters, web applications, and + databases across all environments. Available at + <link linkend="opt-services.teleport.enable">services.teleport</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://loic-sharma.github.io/BaGet/">BaGet</link>, + a lightweight NuGet and symbol server. Available at + <link linkend="opt-services.baget.enable">services.baget</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://moosefs.com">moosefs</link>, fault + tolerant petabyte distributed file system. Available as + <link linkend="opt-services.moosefs.client.enable">moosefs</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/ThomasLeister/prosody-filer">prosody-filer</link>, + a server for handling XMPP HTTP Upload requests. 
Available at + <link linkend="opt-services.prosody-filer.enable">services.prosody-filer</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/rfjakob/systembus-notify">systembus-notify</link>, + allow system level notifications to reach the users. Available + as + <link xlink:href="opt-services.systembus-notify.enable">services.systembus-notify</link>. + Please keep in mind that this service should only be enabled + on machines with fully trusted users, as any local user is + able to DoS user sessions by spamming notifications. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/audreyt/ethercalc">ethercalc</link>, + an online collaborative spreadsheet. Available as + <link xlink:href="options.html#opt-services.ethercalc.enable">services.ethercalc</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://nbd.sourceforge.io/">nbd</link>, a + Network Block Device server. Available as + <link xlink:href="options.html#opt-services.nbd.server.enable">services.nbd</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://timetagger.app">timetagger</link>, + an open source time-tracker with an intuitive user experience + and powerful reporting. + <link xlink:href="options.html#opt-services.timetagger.enable">services.timetagger</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.rstudio.com/products/rstudio/#rstudio-server">rstudio-server</link>, + a browser-based version of the RStudio IDE for the R + programming language. Available as + <link xlink:href="options.html#opt-services.rstudio-server.enable">services.rstudio-server</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/juanfont/headscale">headscale</link>, + an Open Source implementation of the + <link xlink:href="https://tailscale.io">Tailscale</link> + Control Server. 
Available as + <link xlink:href="options.html#opt-services.headscale.enable">services.headscale</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://0xerr0r.github.io/blocky/">blocky</link>, + fast and lightweight DNS proxy as ad-blocker for local network + with many features. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://clusterlabs.org/pacemaker/">pacemaker</link> + cluster resource manager + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-22.05-incompatibilities"> + <title>Backward Incompatibilities</title> + <itemizedlist> + <listitem> + <para> + <literal>pkgs.ghc</literal> now refers to + <literal>pkgs.targetPackages.haskellPackages.ghc</literal>. + This <emphasis>only</emphasis> makes a difference if you are + cross-compiling and will ensure that + <literal>pkgs.ghc</literal> always runs on the host platform + and compiles for the target platform (similar to + <literal>pkgs.gcc</literal> for example). + <literal>haskellPackages.ghc</literal> still behaves as + before, running on the build platform and compiling for the + host platform (similar to <literal>stdenv.cc</literal>). This + means you don’t have to adjust your derivations if you use + <literal>haskellPackages.callPackage</literal>, but when using + <literal>pkgs.callPackage</literal> and taking + <literal>ghc</literal> as an input, you should now use + <literal>buildPackages.ghc</literal> instead to ensure cross + compilation keeps working (or switch to + <literal>haskellPackages.callPackage</literal>). + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.ghc.withPackages</literal> as well as + <literal>haskellPackages.ghcWithPackages</literal> etc. now + needs be overridden directly, as opposed to overriding the + result of calling it. Additionally, the + <literal>withLLVM</literal> parameter has been renamed to + <literal>useLLVM</literal>. 
So instead of + <literal>(ghc.withPackages (p: [])).override { withLLVM = true; }</literal>, + one needs to use + <literal>(ghc.withPackages.override { useLLVM = true; }) (p: [])</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>home-assistant</literal> module now requires + users that don’t want their configuration to be managed + declaratively to set + <literal>services.home-assistant.config = null;</literal>. + This is required due to the way default settings are handled + with the new settings style. + </para> + <para> + Additionally the default list of + <literal>extraComponents</literal> now includes the minimal + dependencies to successfully complete the + <link xlink:href="https://www.home-assistant.io/getting-started/onboarding/">onboarding</link> + procedure. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.emacsPackages.orgPackages</literal> is removed + because org elpa is deprecated. The packages in the top level + of <literal>pkgs.emacsPackages</literal>, such as org and + org-contrib, refer to the ones in + <literal>pkgs.emacsPackages.elpaPackages</literal> and + <literal>pkgs.emacsPackages.nongnuPackages</literal> where the + new versions will release. + </para> + </listitem> + <listitem> + <para> + <literal>services.kubernetes.addons.dashboard</literal> was + removed due to it being an outdated version. + </para> + </listitem> + <listitem> + <para> + <literal>services.kubernetes.scheduler.{port,address}</literal> + now set <literal>--secure-port</literal> and + <literal>--bind-address</literal> instead of + <literal>--port</literal> and <literal>--address</literal>, + since the former have been deprecated and are no longer + functional in kubernetes>=1.23. Ensure that you are not + relying on the insecure behaviour before upgrading. 
+ </para> + </listitem> + <listitem> + <para> + <literal>services.k3s.enable</literal> no longer implies + <literal>systemd.enableUnifiedCgroupHierarchy = false</literal>, + and will default to the <quote>systemd</quote> cgroup driver + when using <literal>services.k3s.docker = true</literal>. This + change may require a reboot to take effect, and k3s may not be + able to run if the boot cgroup hierarchy does not match its + configuration. The previous behavior may be retained by + explicitly setting + <literal>systemd.enableUnifiedCgroupHierarchy = false</literal> + in your configuration. + </para> + </listitem> + <listitem> + <para> + <literal>fonts.fonts</literal> no longer includes ancient + bitmap fonts when both + <literal>config.services.xserver.enable</literal> and + <literal>config.nixpkgs.config.allowUnfree</literal> are + enabled. If you still want these fonts, use: + </para> + <programlisting language="bash"> +{ + fonts.fonts = [ + pkgs.xorg.fontbhlucidatypewriter100dpi + pkgs.xorg.fontbhlucidatypewriter75dpi + pkgs.xorg.fontbh100dpi + ]; +} +</programlisting> + </listitem> + <listitem> + <para> + The DHCP server (<literal>services.dhcpd4</literal>, + <literal>services.dhcpd6</literal>) has been hardened. The + service is now using the systemd’s + <literal>DynamicUser</literal> mechanism to run as an + unprivileged dynamically-allocated user with limited + capabilities. The dhcpd state files are now always stored in + <literal>/var/lib/dhcpd{4,6}</literal> and the + <literal>services.dhcpd4.stateDir</literal> and + <literal>service.dhcpd6.stateDir</literal> options have been + removed. If you were depending on root privileges or + set{uid,gid,cap} binaries in dhcpd shell hooks, you may give + dhcpd more capabilities with e.g. + <literal>systemd.services.dhcpd6.serviceConfig.AmbientCapabilities</literal>. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>mailpile</literal> email webclient + (<literal>services.mailpile</literal>) has been removed due to + its reliance on python2. + </para> + </listitem> + <listitem> + <para> + The <literal>matrix-synapse</literal> service + (<literal>services.matrix-synapse</literal>) has been + converted to use the <literal>settings</literal> option + defined in RFC42. This means that options that are part of + your <literal>homeserver.yaml</literal> configuration, and + that were specified at the top-level of the module + (<literal>services.matrix-synapse</literal>) now need to be + moved into + <literal>services.matrix-synapse.settings</literal>. And while + not all options you may use are defined in there, they are + still supported, because you can set arbitrary values in this + freeform type. + </para> + <para> + The <literal>listeners.*.bind_address</literal> option was + renamed to <literal>bind_addresses</literal> in order to match + the upstream <literal>homeserver.yaml</literal> option name. + It is now also a list of strings instead of a string. 
+ </para> + <para> + An example to make the required migration clearer: + </para> + <para> + Before: + </para> + <programlisting language="bash"> +{ + services.matrix-synapse = { + enable = true; + + server_name = "example.com"; + public_baseurl = "https://example.com:8448"; + + enable_registration = false; + registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut"; + macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l"; + + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + + listeners = [ { + port = 8448; + bind_address = ""; + type = "http"; + tls = true; + resources = [ { + names = [ "client" ]; + compress = true; + } { + names = [ "federation" ]; + compress = false; + } ]; + } ]; + + }; +} +</programlisting> + <para> + After: + </para> + <programlisting language="bash"> +{ + services.matrix-synapse = { + enable = true; + + # this attribute set holds all values that go into your homeserver.yaml configuration + # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for + # possible values. 
+ settings = { + server_name = "example.com"; + public_baseurl = "https://example.com:8448"; + + enable_registration = false; + # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead + + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + + listeners = [ { + port = 8448; + bind_addresses = [ + "::" + "0.0.0.0" + ]; + type = "http"; + tls = true; + resources = [ { + names = [ "client" ]; + compress = true; + } { + names = [ "federation" ]; + compress = false; + } ]; + } ]; + }; + + extraConfigFiles = [ + /run/keys/matrix-synapse/secrets.yaml + ]; + }; +} +</programlisting> + <para> + The secrets in your original config should be migrated into a + YAML file that is included via + <literal>extraConfigFiles</literal>. + </para> + <para> + Additionally a few option defaults have been synced up with + upstream default values, for example the + <literal>max_upload_size</literal> grew from + <literal>10M</literal> to <literal>50M</literal>. For the same + reason, the default <literal>media_store_path</literal> was + changed from <literal>${dataDir}/media</literal> to + <literal>${dataDir}/media_store</literal> if + <literal>system.stateVersion</literal> is at least + <literal>22.05</literal>. Files will need to be manually moved + to the new location if the <literal>stateVersion</literal> is + updated. + </para> + </listitem> + <listitem> + <para> + The MoinMoin wiki engine + (<literal>services.moinmoin</literal>) has been removed, + because Python 2 is being retired from nixpkgs. + </para> + </listitem> + <listitem> + <para> + Services in the <literal>hadoop</literal> module previously + set <literal>openFirewall</literal> to true by default. This + has now been changed to false. Node definitions for multi-node + clusters would need <literal>openFirewall = true;</literal> to + be added to to hadoop services when upgrading from NixOS + 21.11. 
+ </para> + </listitem> + <listitem> + <para> + <literal>services.hadoop.yarn.nodemanager</literal> now uses + cgroup-based CPU limit enforcement by default. Additionally, + the option <literal>useCGroups</literal> was added to + nodemanagers as an easy way to switch back to the old + behavior. + </para> + </listitem> + <listitem> + <para> + The <literal>wafHook</literal> hook now honors + <literal>NIX_BUILD_CORES</literal> when + <literal>enableParallelBuilding</literal> is not set + explicitly. Packages can restore the old behaviour by setting + <literal>enableParallelBuilding=false</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.claws-mail-gtk2</literal>, representing Claws + Mail’s older release version three, was removed in order to + get rid of Python 2. Please switch to + <literal>claws-mail</literal>, which is Claws Mail’s latest + release based on GTK+3 and Python 3. + </para> + </listitem> + <listitem> + <para> + The <literal>writers.writePython2</literal> and corresponding + <literal>writers.writePython2Bin</literal> convenience + functions to create executable Python 2 scripts in the store + were removed in preparation of removal of the Python 2 + interpreter. Scripts have to be converted to Python 3 for use + with <literal>writers.writePython3</literal> or + <literal>writers.writePyPy2</literal> needs to be used. + </para> + </listitem> + <listitem> + <para> + <literal>buildGoModule</literal> was updated to use + <literal>go_1_17</literal>, third party derivations that + specify >= go 1.17 in the main <literal>go.mod</literal> + will need to regenerate their <literal>vendorSha256</literal> + hash. + </para> + </listitem> + <listitem> + <para> + The <literal>gnome-passwordsafe</literal> package updated to + <link xlink:href="https://gitlab.gnome.org/World/secrets/-/tags/6.0">version + 6.x</link> and renamed to <literal>gnome-secrets</literal>. 
+ </para> + </listitem> + <listitem> + <para> + If you previously used + <literal>/etc/docker/daemon.json</literal>, you need to + incorporate the changes into the new option + <literal>virtualisation.docker.daemon.settings</literal>. + </para> + </listitem> + <listitem> + <para> + Ntopng (<literal>services.ntopng</literal>) is updated to + 5.2.1 and uses a separate Redis instance if + <literal>system.stateVersion</literal> is at least + <literal>22.05</literal>. Existing setups shouldn’t be + affected. + </para> + </listitem> + <listitem> + <para> + The backward compatibility in + <literal>services.wordpress</literal> to configure sites with + the old interface has been removed. Please use + <literal>services.wordpress.sites</literal> instead. + </para> + </listitem> + <listitem> + <para> + The backward compatibility in + <literal>services.dokuwiki</literal> to configure sites with + the old interface has been removed. Please use + <literal>services.dokuwiki.sites</literal> instead. + </para> + </listitem> + <listitem> + <para> + opensmtpd-extras is no longer build with python2 scripting + support due to python2 deprecation in nixpkgs + </para> + </listitem> + <listitem> + <para> + <literal>services.miniflux.adminCredentialFiles</literal> is + now required, instead of defaulting to + <literal>admin</literal> and <literal>password</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>autorestic</literal> package has been upgraded + from 1.3.0 to 1.5.0 which introduces breaking changes in + config file, check + <link xlink:href="https://autorestic.vercel.app/migration/1.4_1.5">their + migration guide</link> for more details. 
+ </para> + </listitem> + <listitem> + <para> + For <literal>pkgs.python3.pkgs.ipython</literal>, its direct + dependency + <literal>pkgs.python3.pkgs.matplotlib-inline</literal> (which + is really an adapter to integrate matplotlib in ipython if it + is installed) does not depend on + <literal>pkgs.python3.pkgs.matplotlib</literal> anymore. This + is closer to a non-Nix install of ipython. This has the added + benefit to reduce the closure size of + <literal>ipython</literal> from ~400MB to ~160MB (including + ~100MB for python itself). + </para> + </listitem> + <listitem> + <para> + <literal>documentation.man</literal> has been refactored to + support choosing a man implementation other than GNU’s + <literal>man-db</literal>. For this, + <literal>documentation.man.manualPages</literal> has been + renamed to + <literal>documentation.man.man-db.manualPages</literal>. If + you want to use the new alternative man implementation + <literal>mandoc</literal>, add + <literal>documentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; }</literal> + to your configuration. + </para> + </listitem> + <listitem> + <para> + Normal users (with <literal>isNormalUser = true</literal>) + which have non-empty <literal>subUidRanges</literal> or + <literal>subGidRanges</literal> set no longer have additional + implicit ranges allocated. To enable automatic allocation back + set <literal>autoSubUidGidRange = true</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>idris2</literal> now requires + <literal>--package</literal> when using packages + <literal>contrib</literal> and <literal>network</literal>, + while previously these idris2 packages were automatically + loaded. + </para> + </listitem> + <listitem> + <para> + The iputils package, which is installed by default, no longer + provides the legacy tools <literal>tftpd</literal> and + <literal>traceroute6</literal>. 
More tools + (<literal>ninfod</literal>, <literal>rarpd</literal>, and + <literal>rdisc</literal>) are going to be removed in the next + release. See + <link xlink:href="https://github.com/iputils/iputils/releases/tag/20211215">upstream’s + release notes</link> for more details and available + replacements. + </para> + </listitem> + <listitem> + <para> + <literal>services.thelounge.private</literal> was removed in + favor of <literal>services.thelounge.public</literal>, to + follow with upstream changes. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.docbookrx</literal> was removed since it’s + unmaintained + </para> + </listitem> + <listitem> + <para> + <literal>pkgs._7zz</literal> is now correctly licensed as + LGPL3+ and BSD3 with optional unfree unRAR licensed code + </para> + </listitem> + <listitem> + <para> + <literal>tilp2</literal> was removed together with its module + </para> + </listitem> + <listitem> + <para> + The F-PROT antivirus (<literal>fprot</literal> package) and + its service module were removed because it reached + <link xlink:href="https://kb.cyren.com/av-support/index.php?/Knowledgebase/Article/View/434/0/end-of-sale--end-of-life-for-f-prot-and-csam">end-of-life</link>. + </para> + </listitem> + <listitem> + <para> + <literal>bird1</literal> and its modules + <literal>services.bird</literal> as well as + <literal>services.bird6</literal> have been removed. Upgrade + to <literal>services.bird2</literal>. + </para> + </listitem> + <listitem> + <para> + The options + <literal>networking.interfaces.<name>.ipv4.routes</literal> + and + <literal>networking.interfaces.<name>.ipv6.routes</literal> + are no longer ignored when using networkd instead of the + default scripted network backend by setting + <literal>networking.useNetworkd</literal> to + <literal>true</literal>. 
+ </para> + </listitem> + <listitem> + <para> + MultiMC has been replaced with the fork PolyMC due to upstream + developers being hostile to 3rd party package maintainers. + PolyMC removes all MultiMC branding and is aimed at providing + proper 3rd party packages like the one contained in Nixpkgs. + This change affects the data folder where game instances and + other save and configuration files are stored. Users with + existing installations should rename + <literal>~/.local/share/multimc</literal> to + <literal>~/.local/share/polymc</literal>. The main config + file’s path has also moved from + <literal>~/.local/share/multimc/multimc.cfg</literal> to + <literal>~/.local/share/polymc/polymc.cfg</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>systemd-nspawn@.service</literal> settings have been + reverted to the default systemd behaviour. User namespaces are + now activated by default. If you want to keep running nspawn + containers without user namespaces you need to set + <literal>systemd.nspawn.<name>.execConfig.PrivateUsers = false</literal> + </para> + </listitem> + <listitem> + <para> + The Tor SOCKS proxy is now actually disabled if + <literal>services.tor.client.enable</literal> is set to + <literal>false</literal> (the default). If you are using this + functionality but didn’t change the setting or set it to + <literal>false</literal>, you now need to set it to + <literal>true</literal>. + </para> + </listitem> + <listitem> + <para> + The terraform 0.12 compatibility has been removed and the + <literal>terraform.withPlugins</literal> and + <literal>terraform-providers.mkProvider</literal> + implementations simplified. Providers now need to be stored + under + <literal>$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version></literal> + (which mkProvider does). 
+ </para> + <para> + This breaks back-compat so it’s not possible to mix-and-match + with previous versions of nixpkgs. In exchange, it now becomes + possible to use the providers from + <link xlink:href="https://github.com/numtide/nixpkgs-terraform-providers-bin">nixpkgs-terraform-providers-bin</link> + directly. + </para> + </listitem> + <listitem> + <para> + The <literal>dendrite</literal> package has been upgraded from + 0.5.1 to + <link xlink:href="https://github.com/matrix-org/dendrite/releases/tag/v0.6.5">0.6.5</link>. + Instances configured with split sqlite databases, which has + been the default in NixOS, require merging of the federation + sender and signing key databases. See upstream + <link xlink:href="https://github.com/matrix-org/dendrite/releases/tag/v0.6.0">release + notes</link> on version 0.6.0 for details on database changes. + </para> + </listitem> + <listitem> + <para> + The existing <literal>pkgs.opentelemetry-collector</literal> + has been moved to + <literal>pkgs.opentelemetry-collector-contrib</literal> to + match the actual source being the <quote>contrib</quote> + edition. <literal>pkgs.opentelemetry-collector</literal> is + now the actual core release of opentelemetry-collector. If you + use the community contributions you should change the package + you refer to. If you don’t need them update your commands from + <literal>otelcontribcol</literal> to + <literal>otelcorecol</literal> and enjoy a 7x smaller binary. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.pgadmin</literal> now refers to + <literal>pkgs.pgadmin4</literal>. If you still need pgadmin3, + use <literal>pkgs.pgadmin3</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.noto-fonts-cjk</literal> is now deprecated in + favor of <literal>pkgs.noto-fonts-cjk-sans</literal> and + <literal>pkgs.noto-fonts-cjk-serif</literal> because they each + have different release schedules. 
To maintain compatibility + with prior releases of Nixpkgs, + <literal>pkgs.noto-fonts-cjk</literal> is currently an alias + of <literal>pkgs.noto-fonts-cjk-sans</literal> and doesn’t + include serif fonts. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.epgstation</literal> has been upgraded from v1 + to v2, resulting in incompatible changes in the database + scheme and configuration format. + </para> + </listitem> + <listitem> + <para> + Some top-level settings under + <link linkend="opt-services.epgstation.enable">services.epgstation</link> + is now deprecated because it was redudant due to the same + options being present in + <link linkend="opt-services.epgstation.settings">services.epgstation.settings</link>. + </para> + </listitem> + <listitem> + <para> + The option <literal>services.epgstation.basicAuth</literal> + was removed because basic authentication support was dropped + by upstream. + </para> + </listitem> + <listitem> + <para> + The option + <link linkend="opt-services.epgstation.database.passwordFile">services.epgstation.database.passwordFile</link> + no longer has a default value. Make sure to set this option + explicitly before upgrading. Change the database password if + necessary. + </para> + </listitem> + <listitem> + <para> + The + <link linkend="opt-services.epgstation.settings">services.epgstation.settings</link> + option now expects options for <literal>config.yml</literal> + in EPGStation v2. + </para> + </listitem> + <listitem> + <para> + Existing data for the + <link linkend="opt-services.epgstation.enable">services.epgstation</link> + module would have to be backed up prior to the upgrade. To + back up exising data to + <literal>/tmp/epgstation.bak</literal>, run + <literal>sudo -u epgstation epgstation run backup /tmp/epgstation.bak</literal>. 
+ To import that data after to the upgrade, run + <literal>sudo -u epgstation epgstation run v1migrate /tmp/epgstation.bak</literal> + </para> + </listitem> + <listitem> + <para> + <literal>switch-to-configuration</literal> (the script that is + run when running <literal>nixos-rebuild switch</literal> for + example) has been reworked + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + The interface that allows activation scripts to restart + units has been streamlined. Restarting and reloading is + now done by a single file + <literal>/run/nixos/activation-restart-list</literal> that + honors <literal>restartIfChanged</literal> and + <literal>reloadIfChanged</literal> of the units. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Preferring to reload instead of restarting can still + be achieved using + <literal>/run/nixos/activation-reload-list</literal>. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The script now uses a proper ini-file parser to parse + systemd units. Some values are now only searched in one + section instead of in the entire unit. This is only + relevant for units that don’t use the NixOS systemd moule. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>RefuseManualStop</literal>, + <literal>X-OnlyManualStart</literal>, + <literal>X-StopOnRemoval</literal>, + <literal>X-StopOnReconfiguration</literal> are only + searched in the <literal>[Unit]</literal> section + </para> + </listitem> + <listitem> + <para> + <literal>X-ReloadIfChanged</literal>, + <literal>X-RestartIfChanged</literal>, + <literal>X-StopIfChanged</literal> are only searched + in the <literal>[Service]</literal> section + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>services.bookstack.cacheDir</literal> option has + been removed, since the cache directory is now handled by + systemd. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>services.bookstack.extraConfig</literal> option + has been replaced by + <literal>services.bookstack.config</literal> which implements + a + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">settings-style</link> + configuration. + </para> + </listitem> + <listitem> + <para> + <literal>lib.assertMsg</literal> and + <literal>lib.assertOneOf</literal> no longer return + <literal>false</literal> if the passed condition is + <literal>false</literal>, <literal>throw</literal>ing the + given error message instead (which makes the resulting error + message less cluttered). This will not impact the behaviour of + code using these functions as intended, namely as top-level + wrapper for <literal>assert</literal> conditions. + </para> + </listitem> + <listitem> + <para> + The <literal>vpnc</literal> package has been changed to use + GnuTLS instead of OpenSSL by default for licensing reasons. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.vimPlugins.onedark-nvim</literal> now refers to + <link xlink:href="https://github.com/navarasu/onedark.nvim">navarasu/onedark.nvim</link> + (formerly refers to + <link xlink:href="https://github.com/olimorris/onedarkpro.nvim">olimorris/onedarkpro.nvim</link>). + </para> + </listitem> + <listitem> + <para> + <literal>services.pipewire.enable</literal> will default to + enabling the WirePlumber session manager instead of + pipewire-media-session. pipewire-media-session is deprecated + by upstream and not recommended, but can still be manually + enabled by setting + <literal>services.pipewire.media-session.enable</literal> to + <literal>true</literal> and + <literal>services.pipewire.wireplumber.enable</literal> to + <literal>false</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.makeDesktopItem</literal> has been refactored to + provide a more idiomatic API. 
Specifically: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + All valid options as of FDO Desktop Entry specification + version 1.4 can now be passed in as explicit arguments + </para> + </listitem> + <listitem> + <para> + <literal>exec</literal> can now be null, for entries that + are not of type Application + </para> + </listitem> + <listitem> + <para> + <literal>mimeType</literal> argument is renamed to + <literal>mimeTypes</literal> for consistency + </para> + </listitem> + <listitem> + <para> + <literal>mimeTypes</literal>, + <literal>categories</literal>, + <literal>implements</literal>, + <literal>keywords</literal>, <literal>onlyShowIn</literal> + and <literal>notShowIn</literal> take lists of strings + instead of one string with semicolon separators + </para> + </listitem> + <listitem> + <para> + <literal>extraDesktopEntries</literal> renamed to + <literal>extraConfig</literal> for consistency + </para> + </listitem> + <listitem> + <para> + Actions should now be provided as an attrset + <literal>actions</literal>, the <literal>Actions</literal> + line will be autogenerated. + </para> + </listitem> + <listitem> + <para> + <literal>extraEntries</literal> is removed. + </para> + </listitem> + <listitem> + <para> + Additional validation is added both at eval time and at + build time. + </para> + </listitem> + </itemizedlist> + <para> + See the <literal>vscode</literal> package for a more detailed + example. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-22.05-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + The option + <link linkend="opt-services.redis.servers">services.redis.servers</link> + was added to support per-application + <literal>redis-server</literal> which is more secure since + Redis databases are only mere key prefixes without any + configuration or ACL of their own. 
Backward-compatibility is + preserved by mapping old + <literal>services.redis.settings</literal> to + <literal>services.redis.servers."".settings</literal>, + but you are strongly encouraged to name each + <literal>redis-server</literal> instance after the application + using it, instead of keeping that nameless one. Except for the + nameless + <literal>services.redis.servers.""</literal> still + accessible at <literal>127.0.0.1:6379</literal>, and to the + members of the Unix group <literal>redis</literal> through the + Unix socket <literal>/run/redis/redis.sock</literal>, all + other <literal>services.redis.servers.${serverName}</literal> + are only accessible by default to the members of the Unix + group <literal>redis-${serverName}</literal> through the Unix + socket <literal>/run/redis-${serverName}/redis.sock</literal>. + </para> + </listitem> + <listitem> + <para> + The option + <link linkend="opt-virtualisation.vmVariant">virtualisation.vmVariant</link> + was added to allow users to make changes to the + <literal>nixos-rebuild build-vm</literal> configuration that + do not apply to their normal system. + </para> + <para> + The <literal>config.system.build.vm</literal> attribute now + always exists and defaults to the value from + <literal>vmVariant</literal>. Configurations that import the + <literal>virtualisation/qemu-vm.nix</literal> module + themselves will override this value, such that + <literal>vmVariant</literal> is not used. + </para> + <para> + Similarly + <link linkend="opt-virtualisation.vmVariantWithBootLoader">virtualisation.vmVariantWithBootloader</link> + was added. 
+ </para> + </listitem> + <listitem> + <para> + The configuration portion of the <literal>nix-daemon</literal> + module has been reworked and exposed as + <link xlink:href="options.html#opt-nix-settings">nix.settings</link>: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Legacy options have been mapped to the corresponding + options under under + <link xlink:href="options.html#opt-nix.settings">nix.settings</link> + but may be deprecated in the future. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-nix.buildMachines.publicHostKey">nix.buildMachines.publicHostKey</link> + has been added. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The + <literal>writers.writePyPy2</literal>/<literal>writers.writePyPy3</literal> + and corresponding + <literal>writers.writePyPy2Bin</literal>/<literal>writers.writePyPy3Bin</literal> + convenience functions to create executable Python 2/3 scripts + using the PyPy interpreter were added. + </para> + </listitem> + <listitem> + <para> + Some improvements have been made to the + <literal>hadoop</literal> module: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + A <literal>gatewayRole</literal> option has been added, + for deploying hadoop cluster configuration files to a node + that does not have any active services + </para> + </listitem> + <listitem> + <para> + Support for older versions of hadoop have been added to + the module + </para> + </listitem> + <listitem> + <para> + Overriding and extending site XML files has been made + easier + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + If you are using Wayland you can choose to use the Ozone + Wayland support in Chrome and several Electron apps by setting + the environment variable <literal>NIXOS_OZONE_WL=1</literal> + (for example via + <literal>environment.sessionVariables.NIXOS_OZONE_WL = "1"</literal>). 
+ This is not enabled by default because Ozone Wayland is still + under heavy development and behavior is not always flawless. + Furthermore, not all Electron apps use the latest Electron + versions. + </para> + </listitem> + <listitem> + <para> + The <literal>influxdb2</literal> package was split into + <literal>influxdb2-server</literal> and + <literal>influxdb2-cli</literal>, matching the split that took + place upstream. A combined <literal>influxdb2</literal> + package is still provided in this release for backwards + compatibilty, but will be removed at a later date. + </para> + </listitem> + <listitem> + <para> + The <literal>unifi</literal> package was switched from + <literal>unifi6</literal> to <literal>unifi7</literal>. Direct + downgrades from Unifi 7 to Unifi 6 are not possible and + require restoring from a backup made by Unifi 6. + </para> + </listitem> + <listitem> + <para> + <literal>programs.zsh.autosuggestions.strategy</literal> now + takes a list of strings instead of a string. + </para> + </listitem> + <listitem> + <para> + The <literal>services.unifi.openPorts</literal> option default + value of <literal>true</literal> is now deprecated and will be + changed to <literal>false</literal> in 22.11. Configurations + using this default will print a warning when rebuilt. + </para> + </listitem> + <listitem> + <para> + <literal>security.acme</literal> certificates will now + correctly check for CA revokation before reaching their + minimum age. + </para> + </listitem> + <listitem> + <para> + Removing domains from + <literal>security.acme.certs._name_.extraDomainNames</literal> + will now correctly remove those domains during rebuild/renew. + </para> + </listitem> + <listitem> + <para> + MariaDB is now offered in several versions, not just the + newest one. So if you have a need for running MariaDB 10.4 for + example, you can now just set + <literal>services.mysql.package = pkgs.mariadb_104;</literal>. 
+ In general, it is recommended to run the newest version, to + get the newest features, while sticking with an LTS version + will most likely provide a more stable experience. Sometimes + software is also incompatible with the newest version of + MariaDB. + </para> + </listitem> + <listitem> + <para> + The option + <link linkend="opt-programs.ssh.enableAskPassword">programs.ssh.enableAskPassword</link> + was added, decoupling the setting of + <literal>SSH_ASKPASS</literal> from + <literal>services.xserver.enable</literal>. This allows easy + usage in non-X11 environments, e.g. Wayland. + </para> + </listitem> + <listitem> + <para> + <link linkend="opt-programs.ssh.knownHosts">programs.ssh.knownHosts</link> + has gained an <literal>extraHostNames</literal> option to + replace <literal>hostNames</literal>. + <literal>hostNames</literal> is deprecated, but still + available for now. + </para> + </listitem> + <listitem> + <para> + The <literal>services.stubby</literal> module was converted to + a + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">settings-style</link> + configuration. + </para> + </listitem> + <listitem> + <para> + The option <literal>services.duplicati.dataDir</literal> has + been added to allow changing the location of duplicati’s + files. + </para> + </listitem> + <listitem> + <para> + The options <literal>boot.extraModprobeConfig</literal> and + <literal>boot.blacklistedKernelModules</literal> now also take + effect in the initrd by copying the file + <literal>/etc/modprobe.d/nixos.conf</literal> into the initrd. + </para> + </listitem> + <listitem> + <para> + <literal>nixos-generate-config</literal> now puts the dhcp + configuration in <literal>hardware-configuration.nix</literal> + instead of <literal>configuration.nix</literal>. 
+ </para> + </listitem> + <listitem> + <para> + ORY Kratos was updated to version 0.8.3-alpha.1.pre.0, which + introduces some breaking changes: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + If you are relying on the SQLite images, update your + Docker Pull commands as follows: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>docker pull oryd/kratos:{version}</literal> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Additionally, all passwords now have to be at least 8 + characters long. + </para> + </listitem> + <listitem> + <para> + For more details, see: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <link xlink:href="https://github.com/ory/kratos/releases/tag/v0.8.1-alpha.1">Release + Notes for v0.8.1-alpha-1</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/ory/kratos/releases/tag/v0.8.2-alpha.1">Release + Notes for v0.8.2-alpha-1</link> + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>fetchFromSourcehut</literal> now allows fetching + repositories recursively using <literal>fetchgit</literal> or + <literal>fetchhg</literal> if the argument + <literal>fetchSubmodules</literal> is set to + <literal>true</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>element-desktop</literal> package now has an + <literal>useKeytar</literal> option (defaults to + <literal>true</literal>), which allows disabling + <literal>keytar</literal> and in turn + <literal>libsecret</literal> usage (which binds to native + credential managers / keychain libraries). + </para> + </listitem> + <listitem> + <para> + The option <literal>services.thelounge.plugins</literal> has + been added to allow installing plugins for The Lounge. 
Plugins + can be found in + <literal>pkgs.theLoungePlugins.plugins</literal> and + <literal>pkgs.theLoungePlugins.themes</literal>. + </para> + </listitem> + <listitem> + <para> + The option + <literal>services.xserver.videoDriver = [ "nvidia" ];</literal> + will now also install + <link xlink:href="https://github.com/elFarto/nvidia-vaapi-driver">nvidia + VA-API drivers</link> by default. + </para> + </listitem> + <listitem> + <para> + The <literal>firmwareLinuxNonfree</literal> package has been + renamed to <literal>linux-firmware</literal>. + </para> + </listitem> + <listitem> + <para> + It is now possible to specify wordlists to include as handy to + access environment variables using the + <literal>config.environment.wordlist</literal> configuration + options. + </para> + </listitem> + <listitem> + <para> + The <literal>services.mbpfan</literal> module was converted to + a + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC + 0042</link> configuration. + </para> + </listitem> + <listitem> + <para> + The default value for + <literal>programs.spacefm.settings.graphical_su</literal> got + unset. It previously pointed to <literal>gksu</literal> which + has been removed. + </para> + </listitem> + <listitem> + <para> + A new module was added for the + <link xlink:href="https://starship.rs/">Starship</link> shell + prompt, providing the options + <literal>programs.starship.enable</literal> and + <literal>programs.starship.settings</literal>. + </para> + </listitem> + <listitem> + <para> + The <link xlink:href="https://dino.im">Dino</link> XMPP client + was updated to 0.3, adding support for audio and video calls. + </para> + </listitem> + <listitem> + <para> + <literal>services.mattermost.plugins</literal> has been added + to allow the declarative installation of Mattermost plugins. + Plugins are automatically repackaged using autoPatchelf. 
+ </para> + </listitem> + <listitem> + <para> + <literal>services.logrotate.enable</literal> now defaults to + true if any rotate path has been defined, and some paths have + been added by default. + </para> + </listitem> + <listitem> + <para> + The <literal>zrepl</literal> package has been updated from + 0.4.0 to 0.5: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + The RPC protocol version was bumped; all zrepl daemons in + a setup must be updated and restarted before replication + can resume. + </para> + </listitem> + <listitem> + <para> + A bug involving encrypt-on-receive has been fixed. Read + the + <link xlink:href="https://zrepl.github.io/configuration/sendrecvoptions.html#job-recv-options-placeholder">zrepl + documentation</link> and check the output of + <literal>zfs get -r encryption,zrepl:placeholder PATH_TO_ROOTFS</literal> + on the receiver. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Renamed option + <literal>services.openssh.challengeResponseAuthentication</literal> + to + <literal>services.openssh.kbdInteractiveAuthentication</literal>. + Reason is that the old name has been deprecated upstream. + Using the old option name will still work, but produce a + warning. + </para> + </listitem> + <listitem> + <para> + The <literal>pomerium-cli</literal> command has been moved out + of the <literal>pomerium</literal> package into the + <literal>pomerium-cli</literal> package, following upstream’s + repository split. If you are using the + <literal>pomerium-cli</literal> command, you should now + install the <literal>pomerium-cli</literal> package. + </para> + </listitem> + <listitem> + <para> + The option + <link linkend="opt-networking.networkmanager.enableFccUnlock">services.networking.networkmanager.enableFccUnlock</link> + was added to support FCC unlock procedures. Since release + 1.18.4, the ModemManager daemon no longer automatically + performs the FCC unlock procedure by default. 
See + <link xlink:href="https://modemmanager.org/docs/modemmanager/fcc-unlock/">the + docs</link> for more details. + </para> + </listitem> + <listitem> + <para> + <literal>programs.tmux</literal> has a new option + <literal>plugins</literal> that accepts a list of packages + from the <literal>tmuxPlugins</literal> group. The specified + packages are added to the system and loaded by + <literal>tmux</literal>. + </para> + </listitem> + <listitem> + <para> + The polkit service, available at + <literal>security.polkit.enable</literal>, is now disabled by + default. It will automatically be enabled through services and + desktop environments as needed. + </para> + </listitem> + <listitem> + <para> + The <literal>hadoop</literal> package has added support for + <literal>aarch64-linux</literal> and + <literal>aarch64-darwin</literal> as of 3.3.1 + (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/158613">#158613</link>). + </para> + </listitem> + <listitem> + <para> + The <literal>R</literal> package now builds again on + <literal>aarch64-darwin</literal> + (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/158992">#158992</link>). + </para> + </listitem> + <listitem> + <para> + The <literal>spark3</literal> package has been updated from + 3.1.2 to 3.2.1 + (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/160075">#160075</link>): + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Testing has been enabled for + <literal>aarch64-linux</literal> in addition to + <literal>x86_64-linux</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>spark3</literal> package is now usable on + <literal>aarch64-darwin</literal> as a result of + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/158613">#158613</link> + and + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/158992">#158992</link>. + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </section> +</section> |
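Review bot: in the Other Notable Changes list, three cross-references have link text that disagrees with the link target, so either the option name shown to the reader or the anchor is wrong. `services.networking.networkmanager.enableFccUnlock` points at `opt-networking.networkmanager.enableFccUnlock` (no `services.` prefix), `virtualisation.vmVariantWithBootloader` points at `opt-virtualisation.vmVariantWithBootLoader` (capital L), and the two `nix.settings` links use `options.html#opt-nix-settings` and `options.html#opt-nix.settings`. If this file is generated from Markdown, as the `from_md/` path suggests, the fix belongs in that source. The same pass can pick up the spelling slips: "redudant", "exising", "moule", "compatibilty", "revokation", the doubled "under under", "Some top-level settings ... is now deprecated", and "after to the upgrade". Two entries also need more detail. The ORY Kratos item says to update Docker pull commands "as follows" but shows only `docker pull oryd/kratos:{version}` without the form it replaces. The epgstation item uses `/tmp/epgstation.bak` as the backup path, and a directory readable only by the `epgstation` user would be a safer example for a database backup.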