Diffstat (limited to 'nixos/doc/manual/from_md/release-notes')
17 files changed, 16939 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-1310.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1310.section.xml new file mode 100644 index 00000000000..b4f3657b4b8 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-1310.section.xml @@ -0,0 +1,6 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-13.10"> + <title>Release 13.10 (<quote>Aardvark</quote>, 2013/10/31)</title> + <para> + This is the first stable release branch of NixOS. + </para> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1404.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1404.section.xml new file mode 100644 index 00000000000..8771623b468 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-1404.section.xml 
@@ -0,0 +1,189 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-14.04"> + <title>Release 14.04 (<quote>Baboon</quote>, 2014/04/30)</title> + <para> + This is the second stable release branch of NixOS. In addition to + numerous new and upgraded packages and modules, this release has the + following highlights: + </para> + <itemizedlist> + <listitem> + <para> + Installation on UEFI systems is now supported. See + <xref linkend="sec-installation" /> for details. + </para> + </listitem> + <listitem> + <para> + Systemd has been updated to version 212, which has + <link xlink:href="http://cgit.freedesktop.org/systemd/systemd/plain/NEWS?id=v212">numerous + improvements</link>. NixOS now automatically starts systemd user + instances when you log in. You can define global user units + through the <literal>systemd.unit.*</literal> options. + </para> + </listitem> + <listitem> + <para> + NixOS is now based on Glibc 2.19 and GCC 4.8. + </para> + </listitem> + <listitem> + <para> + The default Linux kernel has been updated to 3.12. + </para> + </listitem> + <listitem> + <para> + KDE has been updated to 4.12. + </para> + </listitem> + <listitem> + <para> + GNOME 3.10 experimental support has been added. + </para> + </listitem> + <listitem> + <para> + Nix has been updated to 1.7 + (<link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-1.7">details</link>). + </para> + </listitem> + <listitem> + <para> + NixOS now supports fully declarative management of users and + groups. If you set <literal>users.mutableUsers</literal> to + <literal>false</literal>, then the contents of + <literal>/etc/passwd</literal> and <literal>/etc/group</literal> + will be + <link xlink:href="https://www.usenix.org/legacy/event/lisa02/tech/full_papers/traugott/traugott_html/">congruent</link> + to your NixOS configuration. 
For instance, if you remove a user + from <literal>users.extraUsers</literal> and run + <literal>nixos-rebuild</literal>, the user account will cease to + exist. Also, imperative commands for managing users and groups, + such as <literal>useradd</literal>, are no longer available. If + <literal>users.mutableUsers</literal> is <literal>true</literal> + (the default), then behaviour is unchanged from NixOS 13.10. + </para> + </listitem> + <listitem> + <para> + NixOS now has basic container support, meaning you can easily + run a NixOS instance as a container in a NixOS host system. + These containers are suitable for testing and experimentation + but not production use, since they’re not fully isolated from + the host. See <xref linkend="ch-containers" /> for details. + </para> + </listitem> + <listitem> + <para> + Systemd units provided by packages can now be overridden from + the NixOS configuration. For instance, if a package + <literal>foo</literal> provides systemd units, you can say: + </para> + <programlisting language="bash"> +{ + systemd.packages = [ pkgs.foo ]; +} +</programlisting> + <para> + to enable those units. You can then set or override unit options + in the usual way, e.g. + </para> + <programlisting language="bash"> +{ + systemd.services.foo.wantedBy = [ "multi-user.target" ]; + systemd.services.foo.serviceConfig.MemoryLimit = "512M"; +} +</programlisting> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + </listitem> + <listitem> + <para> + Nixpkgs no longer exposes unfree packages by default. 
If your + NixOS configuration requires unfree packages from Nixpkgs, you + need to enable support for them explicitly by setting: + </para> + <programlisting language="bash"> +{ + nixpkgs.config.allowUnfree = true; +} +</programlisting> + <para> + Otherwise, you get an error message such as: + </para> + <programlisting> + error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:56’ + has an unfree license, refusing to evaluate +</programlisting> + </listitem> + <listitem> + <para> + The Adobe Flash player is no longer enabled by default in the + Firefox and Chromium wrappers. To enable it, you must set: + </para> + <programlisting language="bash"> +{ + nixpkgs.config.allowUnfree = true; + nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox + nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium +} +</programlisting> + </listitem> + <listitem> + <para> + The firewall is now enabled by default. If you don’t want this, + you need to disable it explicitly: + </para> + <programlisting language="bash"> +{ + networking.firewall.enable = false; +} +</programlisting> + </listitem> + <listitem> + <para> + The option <literal>boot.loader.grub.memtest86</literal> has + been renamed to + <literal>boot.loader.grub.memtest86.enable</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>mysql55</literal> service has been merged into the + <literal>mysql</literal> service, which no longer sets a default + for the option <literal>services.mysql.package</literal>. + </para> + </listitem> + <listitem> + <para> + Package variants are now differentiated by suffixing the name, + rather than the version. For instance, + <literal>sqlite-3.8.4.3-interactive</literal> is now called + <literal>sqlite-interactive-3.8.4.3</literal>. 
This ensures that + <literal>nix-env -i sqlite</literal> is unambiguous, and that + <literal>nix-env -u</literal> won’t <quote>upgrade</quote> + <literal>sqlite</literal> to + <literal>sqlite-interactive</literal> or vice versa. Notably, + this change affects the Firefox wrapper (which provides + plugins), as it is now called + <literal>firefox-wrapper</literal>. So when using + <literal>nix-env</literal>, you should do + <literal>nix-env -e firefox; nix-env -i firefox-wrapper</literal> + if you want to keep using the wrapper. This change does not + affect declarative package management, since attribute names + like <literal>pkgs.firefoxWrapper</literal> were already + unambiguous. + </para> + </listitem> + <listitem> + <para> + The symlink <literal>/etc/ca-bundle.crt</literal> is gone. + Programs should instead use the environment variable + <literal>OPENSSL_X509_CERT_FILE</literal> (which points to + <literal>/etc/ssl/certs/ca-bundle.crt</literal>). + </para> + </listitem> + </itemizedlist> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1412.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1412.section.xml new file mode 100644 index 00000000000..3b6af73359d --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-1412.section.xml 
@@ -0,0 +1,466 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-14.12"> + <title>Release 14.12 (<quote>Caterpillar</quote>, 2014/12/30)</title> + <para> + In addition to numerous new and upgraded packages, this release has + the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + Systemd has been updated to version 217, which has numerous + <link xlink:href="http://lists.freedesktop.org/archives/systemd-devel/2014-October/024662.html">improvements.</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.mail-archive.com/nix-dev@lists.science.uu.nl/msg13957.html">Nix + has been updated to 1.8.</link> + </para> + </listitem> + <listitem> + <para> + NixOS is now based on Glibc 2.20. + </para> + </listitem> + <listitem> + <para> + KDE has been updated to 4.14. + </para> + </listitem> + <listitem> + <para> + The default Linux kernel has been updated to 3.14. + </para> + </listitem> + <listitem> + <para> + If <literal>users.mutableUsers</literal> is enabled (the + default), changes made to the declaration of a user or group + will be correctly realised when running + <literal>nixos-rebuild</literal>. For instance, removing a user + specification from <literal>configuration.nix</literal> will + cause the actual user account to be deleted. If + <literal>users.mutableUsers</literal> is disabled, it is no + longer necessary to specify UIDs or GIDs; if omitted, they are + allocated dynamically. 
+ </para> + </listitem> + </itemizedlist> + <para> + Following new services were added since the last release: + </para> + <itemizedlist> + <listitem> + <para> + <literal>atftpd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>bosun</literal> + </para> + </listitem> + <listitem> + <para> + <literal>bspwm</literal> + </para> + </listitem> + <listitem> + <para> + <literal>chronos</literal> + </para> + </listitem> + <listitem> + <para> + <literal>collectd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>consul</literal> + </para> + </listitem> + <listitem> + <para> + <literal>cpuminer-cryptonight</literal> + </para> + </listitem> + <listitem> + <para> + <literal>crashplan</literal> + </para> + </listitem> + <listitem> + <para> + <literal>dnscrypt-proxy</literal> + </para> + </listitem> + <listitem> + <para> + <literal>docker-registry</literal> + </para> + </listitem> + <listitem> + <para> + <literal>docker</literal> + </para> + </listitem> + <listitem> + <para> + <literal>etcd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>fail2ban</literal> + </para> + </listitem> + <listitem> + <para> + <literal>fcgiwrap</literal> + </para> + </listitem> + <listitem> + <para> + <literal>fleet</literal> + </para> + </listitem> + <listitem> + <para> + <literal>fluxbox</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gdm</literal> + </para> + </listitem> + <listitem> + <para> + <literal>geoclue2</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gitlab</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gitolite</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome3.gnome-documents</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome3.gnome-online-miners</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome3.gvfs</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome3.seahorse</literal> + </para> + 
</listitem> + <listitem> + <para> + <literal>hbase</literal> + </para> + </listitem> + <listitem> + <para> + <literal>i2pd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>influxdb</literal> + </para> + </listitem> + <listitem> + <para> + <literal>kubernetes</literal> + </para> + </listitem> + <listitem> + <para> + <literal>liquidsoap</literal> + </para> + </listitem> + <listitem> + <para> + <literal>lxc</literal> + </para> + </listitem> + <listitem> + <para> + <literal>mailpile</literal> + </para> + </listitem> + <listitem> + <para> + <literal>mesos</literal> + </para> + </listitem> + <listitem> + <para> + <literal>mlmmj</literal> + </para> + </listitem> + <listitem> + <para> + <literal>monetdb</literal> + </para> + </listitem> + <listitem> + <para> + <literal>mopidy</literal> + </para> + </listitem> + <listitem> + <para> + <literal>neo4j</literal> + </para> + </listitem> + <listitem> + <para> + <literal>nsd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>openntpd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>opentsdb</literal> + </para> + </listitem> + <listitem> + <para> + <literal>openvswitch</literal> + </para> + </listitem> + <listitem> + <para> + <literal>parallels-guest</literal> + </para> + </listitem> + <listitem> + <para> + <literal>peerflix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>phd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>polipo</literal> + </para> + </listitem> + <listitem> + <para> + <literal>prosody</literal> + </para> + </listitem> + <listitem> + <para> + <literal>radicale</literal> + </para> + </listitem> + <listitem> + <para> + <literal>redmine</literal> + </para> + </listitem> + <listitem> + <para> + <literal>riemann</literal> + </para> + </listitem> + <listitem> + <para> + <literal>scollector</literal> + </para> + </listitem> + <listitem> + <para> + <literal>seeks</literal> + </para> + </listitem> + <listitem> + <para> + 
<literal>siproxd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>strongswan</literal> + </para> + </listitem> + <listitem> + <para> + <literal>tcsd</literal> + </para> + </listitem> + <listitem> + <para> + <literal>teamspeak3</literal> + </para> + </listitem> + <listitem> + <para> + <literal>thermald</literal> + </para> + </listitem> + <listitem> + <para> + <literal>torque/mrom</literal> + </para> + </listitem> + <listitem> + <para> + <literal>torque/server</literal> + </para> + </listitem> + <listitem> + <para> + <literal>uhub</literal> + </para> + </listitem> + <listitem> + <para> + <literal>unifi</literal> + </para> + </listitem> + <listitem> + <para> + <literal>znc</literal> + </para> + </listitem> + <listitem> + <para> + <literal>zookeeper</literal> + </para> + </listitem> + </itemizedlist> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist> + <listitem> + <para> + The default version of Apache httpd is now 2.4. If you use the + <literal>extraConfig</literal> option to pass literal Apache + configuration text, you may need to update it — see + <link xlink:href="http://httpd.apache.org/docs/2.4/upgrading.html">Apache’s + documentation</link> for details. If you wish to continue to use + httpd 2.2, add the following line to your NixOS configuration: + </para> + <programlisting language="bash"> +{ + services.httpd.package = pkgs.apacheHttpd_2_2; +} +</programlisting> + </listitem> + <listitem> + <para> + PHP 5.3 has been removed because it is no longer supported by + the PHP project. A + <link xlink:href="http://php.net/migration54">migration + guide</link> is available. + </para> + </listitem> + <listitem> + <para> + The host side of a container virtual Ethernet pair is now called + <literal>ve-container-name</literal> rather than + <literal>c-container-name</literal>. + </para> + </listitem> + <listitem> + <para> + GNOME 3.10 support has been dropped. 
The default GNOME version + is now 3.12. + </para> + </listitem> + <listitem> + <para> + VirtualBox has been upgraded to 4.3.20 release. Users may be + required to run <literal>rm -rf /tmp/.vbox*</literal>. The line + <literal>imports = [ <nixpkgs/nixos/modules/programs/virtualbox.nix> ]</literal> + is no longer necessary, use + <literal>services.virtualboxHost.enable = true</literal> + instead. + </para> + <para> + Also, hardening mode is now enabled by default, which means that + unless you want to use USB support, you no longer need to be a + member of the <literal>vboxusers</literal> group. + </para> + </listitem> + <listitem> + <para> + Chromium has been updated to 39.0.2171.65. + <literal>enablePepperPDF</literal> is now enabled by default. + <literal>chromium*Wrapper</literal> packages no longer exist, + because upstream removed NSAPI support. + <literal>chromium-stable</literal> has been renamed to + <literal>chromium</literal>. + </para> + </listitem> + <listitem> + <para> + Python packaging documentation is now part of nixpkgs manual. To + override the python packages available to a custom python you + now use <literal>pkgs.pythonFull.buildEnv.override</literal> + instead of <literal>pkgs.pythonFull.override</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>boot.resumeDevice = "8:6"</literal> is no + longer supported. Most users will want to leave it undefined, + which takes the swap partitions automatically. There is an + evaluation assertion to ensure that the string starts with a + slash. + </para> + </listitem> + <listitem> + <para> + The system-wide default timezone for NixOS installations changed + from <literal>CET</literal> to <literal>UTC</literal>. To choose + a different timezone for your system, configure + <literal>time.timeZone</literal> in + <literal>configuration.nix</literal>. 
A fairly complete list of + possible values for that setting is available at + <link xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones">https://en.wikipedia.org/wiki/List_of_tz_database_time_zones</link>. + </para> + </listitem> + <listitem> + <para> + GNU screen has been updated to 4.2.1, which breaks the ability + to connect to sessions created by older versions of screen. + </para> + </listitem> + <listitem> + <para> + The Intel GPU driver was updated to the 3.x prerelease version + (used by most distributions) and supports DRI3 now. + </para> + </listitem> + </itemizedlist> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1509.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1509.section.xml new file mode 100644 index 00000000000..68d2ab389e8 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-1509.section.xml 
@@ -0,0 +1,776 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-15.09"> + <title>Release 15.09 (<quote>Dingo</quote>, 2015/09/30)</title> + <para> + In addition to numerous new and upgraded packages, this release has + the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + The <link xlink:href="http://haskell.org/">Haskell</link> + packages infrastructure has been re-designed from the ground up + ("Haskell NG"). NixOS now distributes the latest + version of every single package registered on + <link xlink:href="http://hackage.haskell.org/">Hackage</link> -- + well in excess of 8,000 Haskell packages. Detailed instructions + on how to use that infrastructure can be found in the + <link xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's + Guide to the Haskell Infrastructure</link>. Users migrating from + an earlier release may find helpful information below, in the + list of backwards-incompatible changes. Furthermore, we + distribute 51(!) additional Haskell package sets that provide + every single <link xlink:href="http://www.stackage.org/">LTS + Haskell</link> release since version 0.0 as well as the most + recent <link xlink:href="http://www.stackage.org/">Stackage + Nightly</link> snapshot. The announcement + <link xlink:href="https://nixos.org/nix-dev/2015-September/018138.html">"Full + Stackage Support in Nixpkgs"</link> gives additional + details. + </para> + </listitem> + <listitem> + <para> + Nix has been updated to version 1.10, which among other + improvements enables cryptographic signatures on binary caches + for improved security. 
+ </para> + </listitem> + <listitem> + <para> + You can now keep your NixOS system up to date automatically by + setting + </para> + </listitem> + </itemizedlist> + <programlisting language="bash"> +{ + system.autoUpgrade.enable = true; +} +</programlisting> + <para> + This will cause the system to periodically check for updates in your + current channel and run <literal>nixos-rebuild</literal>. + </para> + <itemizedlist> + <listitem> + <para> + This release is based on Glibc 2.21, GCC 4.9 and Linux 3.18. + </para> + </listitem> + <listitem> + <para> + GNOME has been upgraded to 3.16. + </para> + </listitem> + <listitem> + <para> + Xfce has been upgraded to 4.12. + </para> + </listitem> + <listitem> + <para> + KDE 5 has been upgraded to KDE Frameworks 5.10, Plasma 5.3.2 and + Applications 15.04.3. KDE 4 has been updated to kdelibs-4.14.10. + </para> + </listitem> + <listitem> + <para> + E19 has been upgraded to 0.16.8.15. + </para> + </listitem> + </itemizedlist> + <para> + The following new services were added since the last release: + </para> + <itemizedlist> + <listitem> + <para> + <literal>services/mail/exim.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/apache-kafka.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/canto-daemon.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/confd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/devmon.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/gitit.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/ihaskell.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/mbpfan.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/mediatomb.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/mwlib.nix</literal> + </para> + 
</listitem> + <listitem> + <para> + <literal>services/misc/parsoid.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/plex.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/ripple-rest.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/ripple-data-api.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/subsonic.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/sundtek.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/cadvisor.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/das_watchdog.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/grafana.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/riemann-tools.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/teamviewer.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/u9fs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/aiccu.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/asterisk.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/bird.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/charybdis.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/docker-registry-server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/fan.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/firefox/sync-server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/gateone.nix</literal> + </para> + 
</listitem> + <listitem> + <para> + <literal>services/networking/heyefi.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/i2p.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/lambdabot.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/mstpd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/nix-serve.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/nylon.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/racoon.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/skydns.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/shout.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/softether.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/sslh.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/tinc.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/tlsdated.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/tox-bootstrapd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/tvheadend.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/zerotierone.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/scheduling/marathon.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/fprintd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/hologram.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/munge.nix</literal> + </para> + </listitem> + <listitem> 
+ <para> + <literal>services/system/cloud-init.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-servers/shellinabox.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-servers/uwsgi.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/unclutter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/display-managers/sddm.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/coredump.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/loader/loader.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/loader/generic-extlinux-compatible</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/networkd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/resolved.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/timesyncd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>tasks/filesystems/exfat.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>tasks/filesystems/ntfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>tasks/filesystems/vboxsf.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/virtualbox-host.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/vmware-guest.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/xen-dom0.nix</literal> + </para> + </listitem> + </itemizedlist> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>sshd</literal> no longer supports DSA and ECDSA host + keys by default. 
If you have existing systems with such host + keys and want to continue to use them, please set + </para> + </listitem> + </itemizedlist> + <programlisting language="bash"> +{ + system.stateVersion = "14.12"; +} +</programlisting> + <para> + The new option <literal>system.stateVersion</literal> ensures that + certain configuration changes that could break existing systems + (such as the <literal>sshd</literal> host key setting) will maintain + compatibility with the specified NixOS release. NixOps sets the + state version of existing deployments automatically. + </para> + <itemizedlist> + <listitem> + <para> + <literal>cron</literal> is no longer enabled by default, unless + you have a non-empty + <literal>services.cron.systemCronJobs</literal>. To force + <literal>cron</literal> to be enabled, set + <literal>services.cron.enable = true</literal>. + </para> + </listitem> + <listitem> + <para> + Nix now requires binary caches to be cryptographically signed. + If you have unsigned binary caches that you want to continue to + use, you should set + <literal>nix.requireSignedBinaryCaches = false</literal>. + </para> + </listitem> + <listitem> + <para> + Steam now doesn't need root rights to work. Instead of using + <literal>*-steam-chrootenv</literal>, you should now just run + <literal>steam</literal>. <literal>steamChrootEnv</literal> + package was renamed to <literal>steam</literal>, and old + <literal>steam</literal> package -- to + <literal>steamOriginal</literal>. + </para> + </listitem> + <listitem> + <para> + CMPlayer has been renamed to bomi upstream. Package + <literal>cmplayer</literal> was accordingly renamed to + <literal>bomi</literal> + </para> + </listitem> + <listitem> + <para> + Atom Shell has been renamed to Electron upstream. Package + <literal>atom-shell</literal> was accordingly renamed to + <literal>electron</literal> + </para> + </listitem> + <listitem> + <para> + Elm is not released on Hackage anymore. 
You should now use + <literal>elmPackages.elm</literal> which contains the latest Elm + platform. + </para> + </listitem> + <listitem> + <para> + The CUPS printing service has been updated to version + <literal>2.0.2</literal>. Furthermore its systemd service has + been renamed to <literal>cups.service</literal>. + </para> + <para> + Local printers are no longer shared or advertised by default. + This behavior can be changed by enabling + <literal>services.printing.defaultShared</literal> or + <literal>services.printing.browsing</literal> respectively. + </para> + </listitem> + <listitem> + <para> + The VirtualBox host and guest options have been named more + consistently. They can now found in + <literal>virtualisation.virtualbox.host.*</literal> instead of + <literal>services.virtualboxHost.*</literal> and + <literal>virtualisation.virtualbox.guest.*</literal> instead of + <literal>services.virtualboxGuest.*</literal>. + </para> + <para> + Also, there now is support for the <literal>vboxsf</literal> + file system using the <literal>fileSystems</literal> + configuration attribute. An example of how this can be used in a + configuration: + </para> + </listitem> + </itemizedlist> + <programlisting language="bash"> +{ + fileSystems."/shiny" = { + device = "myshinysharedfolder"; + fsType = "vboxsf"; + }; +} +</programlisting> + <itemizedlist spacing="compact"> + <listitem> + <para> + "<literal>nix-env -qa</literal>" no longer discovers + Haskell packages by name. The only packages visible in the + global scope are <literal>ghc</literal>, + <literal>cabal-install</literal>, and <literal>stack</literal>, + but all other packages are hidden. The reason for this + inconvenience is the sheer size of the Haskell package set. + Name-based lookups are expensive, and most + <literal>nix-env -qa</literal> operations would become much + slower if we'd add the entire Hackage database into the top + level attribute set. 
Instead, the list of Haskell packages can + be displayed by running: + </para> + </listitem> + </itemizedlist> + <programlisting> +nix-env -f "<nixpkgs>" -qaP -A haskellPackages +</programlisting> + <para> + Executable programs written in Haskell can be installed with: + </para> + <programlisting> +nix-env -f "<nixpkgs>" -iA haskellPackages.pandoc +</programlisting> + <para> + Installing Haskell <emphasis>libraries</emphasis> this way, however, + is no longer supported. See the next item for more details. + </para> + <itemizedlist> + <listitem> + <para> + Previous versions of NixOS came with a feature called + <literal>ghc-wrapper</literal>, a small script that allowed GHC + to transparently pick up on libraries installed in the user's + profile. This feature has been deprecated; + <literal>ghc-wrapper</literal> was removed from the + distribution. The proper way to register Haskell libraries with + the compiler now is the + <literal>haskellPackages.ghcWithPackages</literal> function. The + <link xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's + Guide to the Haskell Infrastructure</link> provides more + information about this subject. + </para> + </listitem> + <listitem> + <para> + All Haskell builds that have been generated with version 1.x of + the <literal>cabal2nix</literal> utility are now invalid and + need to be re-generated with a current version of + <literal>cabal2nix</literal> to function. The most recent + version of this tool can be installed by running + <literal>nix-env -i cabal2nix</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>haskellPackages</literal> set in Nixpkgs used to + have a function attribute called <literal>extension</literal> + that users could override in their + <literal>~/.nixpkgs/config.nix</literal> files to configure + additional attributes, etc. That function still exists, but it's + now called <literal>overrides</literal>. 
+ </para> + </listitem> + <listitem> + <para> + The OpenBLAS library has been updated to version + <literal>0.2.14</literal>. Support for the + <literal>x86_64-darwin</literal> platform was added. Dynamic + architecture detection was enabled; OpenBLAS now selects + microarchitecture-optimized routines at runtime, so optimal + performance is achieved without the need to rebuild OpenBLAS + locally. OpenBLAS has replaced ATLAS in most packages which use + an optimized BLAS or LAPACK implementation. + </para> + </listitem> + <listitem> + <para> + The <literal>phpfpm</literal> is now using the default PHP + version (<literal>pkgs.php</literal>) instead of PHP 5.4 + (<literal>pkgs.php54</literal>). + </para> + </listitem> + <listitem> + <para> + The <literal>locate</literal> service no longer indexes the Nix + store by default, preventing packages with potentially numerous + versions from cluttering the output. Indexing the store can be + activated by setting + <literal>services.locate.includeStore = true</literal>. + </para> + </listitem> + <listitem> + <para> + The Nix expression search path (<literal>NIX_PATH</literal>) no + longer contains <literal>/etc/nixos/nixpkgs</literal> by + default. You can override <literal>NIX_PATH</literal> by setting + <literal>nix.nixPath</literal>. + </para> + </listitem> + <listitem> + <para> + Python 2.6 has been marked as broken (as it no longer receives + security updates from upstream). + </para> + </listitem> + <listitem> + <para> + Any use of module arguments such as <literal>pkgs</literal> to + access library functions, or to define + <literal>imports</literal> attributes will now lead to an + infinite loop at the time of the evaluation. + </para> + <para> + In case of an infinite loop, use the + <literal>--show-trace</literal> command line argument and read + the line just above the error message. 
+ </para> + <programlisting> +$ nixos-rebuild build --show-trace +… +while evaluating the module argument `pkgs' in "/etc/nixos/my-module.nix": +infinite recursion encountered +</programlisting> + <para> + Any use of <literal>pkgs.lib</literal>, should be replaced by + <literal>lib</literal>, after adding it as argument of the + module. The following module + </para> + <programlisting language="bash"> +{ config, pkgs, ... }: + +with pkgs.lib; + +{ + options = { + foo = mkOption { … }; + }; + config = mkIf config.foo { … }; +} +</programlisting> + <para> + should be modified to look like: + </para> + <programlisting language="bash"> +{ config, pkgs, lib, ... }: + +with lib; + +{ + options = { + foo = mkOption { option declaration }; + }; + config = mkIf config.foo { option definition }; +} +</programlisting> + <para> + When <literal>pkgs</literal> is used to download other projects + to import their modules, and only in such cases, it should be + replaced by <literal>(import <nixpkgs> {})</literal>. The + following module + </para> + <programlisting language="bash"> +{ config, pkgs, ... }: + +let + myProject = pkgs.fetchurl { + src = url; + sha256 = hash; + }; +in + +{ + imports = [ "${myProject}/module.nix" ]; +} +</programlisting> + <para> + should be modified to look like: + </para> + <programlisting language="bash"> +{ config, pkgs, ... }: + +let + myProject = (import <nixpkgs> {}).fetchurl { + src = url; + sha256 = hash; + }; +in + +{ + imports = [ "${myProject}/module.nix" ]; +} +</programlisting> + </listitem> + </itemizedlist> + <para> + Other notable improvements: + </para> + <itemizedlist> + <listitem> + <para> + The nixos and nixpkgs channels were unified, so one + <emphasis>can</emphasis> use + <literal>nix-env -iA nixos.bash</literal> instead of + <literal>nix-env -iA nixos.pkgs.bash</literal>. See + <link xlink:href="https://github.com/NixOS/nixpkgs/commit/2cd7c1f198">the + commit</link> for details. 
+ </para> + </listitem> + <listitem> + <para> + Users running an SSH server who worry about the quality of their + <literal>/etc/ssh/moduli</literal> file with respect to the + <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html">vulnerabilities + discovered in the Diffie-Hellman key exchange</link> can now + replace OpenSSH's default version with one they generated + themselves using the new + <literal>services.openssh.moduliFile</literal> option. + </para> + </listitem> + <listitem> + <para> + A newly packaged TeX Live 2015 is provided in + <literal>pkgs.texlive</literal>, split into 6500 nix packages. + For basic user documentation see + <link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive/default.nix#L1">the + source</link>. Beware of + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/9757">an + issue</link> when installing a too large package set. The plan + is to deprecate and maybe delete the original TeX packages until + the next release. + </para> + </listitem> + <listitem> + <para> + <literal>buildEnv.env</literal> on all Python interpreters is + now available for nix-shell interoperability. + </para> + </listitem> + </itemizedlist> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1603.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1603.section.xml new file mode 100644 index 00000000000..172b800b599 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-1603.section.xml 
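Review bot: the two `fetchurl` listings in the module-argument item pass `src = url;`, but `fetchurl` takes `url` (or `urls`), not `src`, so neither the "before" nor the "after" example would evaluate as written; since this directory is generated from markdown (`from_md`), the fix belongs in the corresponding `.section.md` source, after which the XML should be regenerated rather than hand-patched. In the same item the two `--show-trace` rewrite listings use inconsistent placeholders (`mkOption { … }` in the first, `mkOption { option declaration }` in the second), and every Nix listing in the hunk is tagged `<programlisting language="bash">`, which is the wrong highlighting language for Nix expressions. Wording fixes for the source: "They can now found in" (VirtualBox item) is missing "be", and "Any use of `pkgs.lib`, should be replaced" has a stray comma. The `services.openssh.moduliFile` item tells users they can supply a moduli file "they generated themselves" without saying how; a pointer to `ssh-keygen`'s `-G`/`-T` moduli generation modes would make this security-relevant advice actionable.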
@@ -0,0 +1,695 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-16.03"> + <title>Release 16.03 (<quote>Emu</quote>, 2016/03/31)</title> + <para> + In addition to numerous new and upgraded packages, this release has + the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + Systemd 229, bringing + <link xlink:href="https://github.com/systemd/systemd/blob/v229/NEWS">numerous + improvements</link> over 217. + </para> + </listitem> + <listitem> + <para> + Linux 4.4 (was 3.18). + </para> + </listitem> + <listitem> + <para> + GCC 5.3 (was 4.9). Note that GCC 5 + <link xlink:href="https://gcc.gnu.org/onlinedocs/libstdc++/manual/using_dual_abi.html">changes + the C++ ABI in an incompatible way</link>; this may cause + problems if you try to link objects compiled with different + versions of GCC. + </para> + </listitem> + <listitem> + <para> + Glibc 2.23 (was 2.21). + </para> + </listitem> + <listitem> + <para> + Binutils 2.26 (was 2.23.1). See #909 + </para> + </listitem> + <listitem> + <para> + Improved support for ensuring + <link xlink:href="https://reproducible-builds.org/">bitwise + reproducible builds</link>. For example, + <literal>stdenv</literal> now sets the environment variable + <literal>SOURCE_DATE_EPOCH</literal> to a deterministic value, + and Nix has + <link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-1.11">gained + an option</link> to repeat a build a number of times to test + determinism. An ongoing project, the goal of exact + reproducibility is to allow binaries to be verified + independently (e.g., a user might only trust binaries that + appear in three independent binary caches). + </para> + </listitem> + <listitem> + <para> + Perl 5.22. 
+ </para> + </listitem> + </itemizedlist> + <para> + The following new services were added since the last release: + </para> + <itemizedlist> + <listitem> + <para> + <literal>services/monitoring/longview.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/video/webcam/facetimehd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>i18n/input-method/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>i18n/input-method/fcitx.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>i18n/input-method/ibus.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>i18n/input-method/nabi.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>i18n/input-method/uim.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/fish.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>security/acme.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>security/audit.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>security/oath.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/hardware/irqbalance.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/dspam.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/opendkim.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/postsrsd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/rspamd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/rmilter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/autofs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/bepasty.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/calibre-server.nix</literal> + </para> + 
</listitem> + <listitem> + <para> + <literal>services/misc/cfdyndns.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/gammu-smsd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/mathics.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/matrix-synapse.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/octoprint.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/hdaps.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/heapster.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/longview.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/netatalk.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/xtreemfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/autossh.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/dnschain.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/gale.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/miniupnpd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/namecoind.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/ostinato.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/pdnsd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/shairport-sync.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/supplicant.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/search/kibana.nix</literal> + </para> + 
</listitem> + <listitem> + <para> + <literal>services/security/haka.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/physlock.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/pump.io.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/hardware/libinput.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/window-managers/windowlab.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/initrd-network.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/initrd-ssh.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/loader/loader.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/networkd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/resolved.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/lxd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/rkt.nix</literal> + </para> + </listitem> + </itemizedlist> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist> + <listitem> + <para> + We no longer produce graphical ISO images and VirtualBox images + for <literal>i686-linux</literal>. A minimal ISO image is still + provided. + </para> + </listitem> + <listitem> + <para> + Firefox and similar browsers are now <emphasis>wrapped by + default</emphasis>. The package and attribute names are plain + <literal>firefox</literal> or <literal>midori</literal>, etc. + Backward-compatibility attributes were set up, but note that + <literal>nix-env -u</literal> will <emphasis>not</emphasis> + update your current <literal>firefox-with-plugins</literal>; you + have to uninstall it and install <literal>firefox</literal> + instead. 
+ </para> + </listitem> + <listitem> + <para> + <literal>wmiiSnap</literal> has been replaced with + <literal>wmii_hg</literal>, but + <literal>services.xserver.windowManager.wmii.enable</literal> + has been updated respectively so this only affects you if you + have explicitly installed <literal>wmiiSnap</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>jobs</literal> NixOS option has been removed. It served + as compatibility layer between Upstart jobs and SystemD + services. All services have been rewritten to use + <literal>systemd.services</literal> + </para> + </listitem> + <listitem> + <para> + <literal>wmiimenu</literal> is removed, as it has been removed + by the developers upstream. Use <literal>wimenu</literal> from + the <literal>wmii-hg</literal> package. + </para> + </listitem> + <listitem> + <para> + Gitit is no longer automatically added to the module list in + NixOS and as such there will not be any manual entries for it. + You will need to add an import statement to your NixOS + configuration in order to use it, e.g. + </para> + <programlisting language="bash"> +{ + imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ]; +} +</programlisting> + <para> + will include the Gitit service configuration options. + </para> + </listitem> + <listitem> + <para> + <literal>nginx</literal> does not accept flags for enabling and + disabling modules anymore. Instead it accepts + <literal>modules</literal> argument, which is a list of modules + to be built in. All modules now reside in + <literal>nginxModules</literal> set. Example configuration: + </para> + <programlisting language="bash"> +nginx.override { + modules = [ nginxModules.rtmp nginxModules.dav nginxModules.moreheaders ]; +} +</programlisting> + </listitem> + <listitem> + <para> + <literal>s3sync</literal> is removed, as it hasn't been + developed by upstream for 4 years and only runs with ruby 1.8. 
+ For an actively-developer alternative look at + <literal>tarsnap</literal> and others. + </para> + </listitem> + <listitem> + <para> + <literal>ruby_1_8</literal> has been removed as it's not + supported from upstream anymore and probably contains security + issues. + </para> + </listitem> + <listitem> + <para> + <literal>tidy-html5</literal> package is removed. Upstream only + provided <literal>(lib)tidy5</literal> during development, and + now they went back to <literal>(lib)tidy</literal> to work as a + drop-in replacement of the original package that has been + unmaintained for years. You can (still) use the + <literal>html-tidy</literal> package, which got updated to a + stable release from this new upstream. + </para> + </listitem> + <listitem> + <para> + <literal>extraDeviceOptions</literal> argument is removed from + <literal>bumblebee</literal> package. Instead there are now two + separate arguments: <literal>extraNvidiaDeviceOptions</literal> + and <literal>extraNouveauDeviceOptions</literal> for setting + extra X11 options for nvidia and nouveau drivers, respectively. + </para> + </listitem> + <listitem> + <para> + The <literal>Ctrl+Alt+Backspace</literal> key combination no + longer kills the X server by default. There's a new option + <literal>services.xserver.enableCtrlAltBackspace</literal> + allowing to enable the combination again. + </para> + </listitem> + <listitem> + <para> + <literal>emacsPackagesNg</literal> now contains all packages + from the ELPA, MELPA, and MELPA Stable repositories. + </para> + </listitem> + <listitem> + <para> + Data directory for Postfix MTA server is moved from + <literal>/var/postfix</literal> to + <literal>/var/lib/postfix</literal>. Old configurations are + migrated automatically. <literal>service.postfix</literal> + module has also received many improvements, such as correct + directories' access rights, new <literal>aliasFiles</literal> + and <literal>mapFiles</literal> options and more. 
+ </para> + </listitem> + <listitem> + <para> + Filesystem options should now be configured as a list of + strings, not a comma-separated string. The old style will + continue to work, but print a warning, until the 16.09 release. + An example of the new style: + </para> + <programlisting language="bash"> +{ + fileSystems."/example" = { + device = "/dev/sdc"; + fsType = "btrfs"; + options = [ "noatime" "compress=lzo" "space_cache" "autodefrag" ]; + }; +} +</programlisting> + </listitem> + <listitem> + <para> + CUPS, installed by <literal>services.printing</literal> module, + now has its data directory in <literal>/var/lib/cups</literal>. + Old configurations from <literal>/etc/cups</literal> are moved + there automatically, but there might be problems. Also + configuration options + <literal>services.printing.cupsdConf</literal> and + <literal>services.printing.cupsdFilesConf</literal> were removed + because they had been allowing one to override configuration + variables required for CUPS to work at all on NixOS. For most + use cases, <literal>services.printing.extraConf</literal> and + new option <literal>services.printing.extraFilesConf</literal> + should be enough; if you encounter a situation when they are + not, please file a bug. + </para> + <para> + There are also Gutenprint improvements; in particular, a new + option <literal>services.printing.gutenprint</literal> is added + to enable automatic updating of Gutenprint PPMs; it's greatly + recommended to enable it instead of adding + <literal>gutenprint</literal> to the <literal>drivers</literal> + list. + </para> + </listitem> + <listitem> + <para> + <literal>services.xserver.vaapiDrivers</literal> has been + removed. Use + <literal>hardware.opengl.extraPackages{,32}</literal> instead. + You can also specify VDPAU drivers there. + </para> + </listitem> + <listitem> + <para> + <literal>programs.ibus</literal> moved to + <literal>i18n.inputMethod.ibus</literal>. 
The option + <literal>programs.ibus.plugins</literal> changed to + <literal>i18n.inputMethod.ibus.engines</literal> and the option + to enable ibus changed from + <literal>programs.ibus.enable</literal> to + <literal>i18n.inputMethod.enabled</literal>. + <literal>i18n.inputMethod.enabled</literal> should be set to the + used input method name, <literal>"ibus"</literal> for + ibus. An example of the new style: + </para> + <programlisting language="bash"> +{ + i18n.inputMethod.enabled = "ibus"; + i18n.inputMethod.ibus.engines = with pkgs.ibus-engines; [ anthy mozc ]; +} +</programlisting> + <para> + That is equivalent to the old version: + </para> + <programlisting language="bash"> +{ + programs.ibus.enable = true; + programs.ibus.plugins = with pkgs; [ ibus-anthy mozc ]; +} +</programlisting> + </listitem> + <listitem> + <para> + <literal>services.udev.extraRules</literal> option now writes + rules to <literal>99-local.rules</literal> instead of + <literal>10-local.rules</literal>. This makes all the user rules + apply after others, so their results wouldn't be overriden by + anything else. + </para> + </listitem> + <listitem> + <para> + Large parts of the <literal>services.gitlab</literal> module has + been been rewritten. There are new configuration options + available. The <literal>stateDir</literal> option was renamned + to <literal>statePath</literal> and the + <literal>satellitesDir</literal> option was removed. Please + review the currently available options. + </para> + </listitem> + <listitem> + <para> + The option + <literal>services.nsd.zones.<name>.data</literal> no + longer interpret the dollar sign ($) as a shell variable, as + such it should not be escaped anymore. Thus the following zone + data: + </para> + <programlisting> +$ORIGIN example.com. +$TTL 1800 +@ IN SOA ns1.vpn.nbp.name. admin.example.com. ( +</programlisting> + <para> + Should modified to look like the actual file expected by nsd: + </para> + <programlisting> +$ORIGIN example.com. 
+$TTL 1800 +@ IN SOA ns1.vpn.nbp.name. admin.example.com. ( +</programlisting> + </listitem> + <listitem> + <para> + <literal>service.syncthing.dataDir</literal> options now has to + point to exact folder where syncthing is writing to. Example + configuration should look something like: + </para> + <programlisting language="bash"> +{ + services.syncthing = { + enable = true; + dataDir = "/home/somebody/.syncthing"; + user = "somebody"; + }; +} +</programlisting> + </listitem> + <listitem> + <para> + <literal>networking.firewall.allowPing</literal> is now enabled + by default. Users are encouraged to configure an appropriate + rate limit for their machines using the Kernel interface at + <literal>/proc/sys/net/ipv4/icmp_ratelimit</literal> and + <literal>/proc/sys/net/ipv6/icmp/ratelimit</literal> or using + the firewall itself, i.e. by setting the NixOS option + <literal>networking.firewall.pingLimit</literal>. + </para> + </listitem> + <listitem> + <para> + Systems with some broadcom cards used to result into a generated + config that is no longer accepted. If you get errors like + </para> + <programlisting> +error: path ‘/nix/store/*-broadcom-sta-*’ does not exist and cannot be created +</programlisting> + <para> + you should either re-run + <literal>nixos-generate-config</literal> or manually replace + <literal>"${config.boot.kernelPackages.broadcom_sta}"</literal> + by <literal>config.boot.kernelPackages.broadcom_sta</literal> in + your <literal>/etc/nixos/hardware-configuration.nix</literal>. + More discussion is on + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/12595"> + the github issue</link>. + </para> + </listitem> + <listitem> + <para> + The <literal>services.xserver.startGnuPGAgent</literal> option + has been removed. GnuPG 2.1.x changed the way the gpg-agent + works, and that new approach no longer requires (or even + supports) the "start everything as a child of the + agent" scheme we've implemented in NixOS for older + versions. 
To configure the gpg-agent for your X session, add the + following code to <literal>~/.bashrc</literal> or some file + that’s sourced when your shell is started: + </para> + <programlisting> +GPG_TTY=$(tty) +export GPG_TTY +</programlisting> + <para> + If you want to use gpg-agent for SSH, too, add the following to + your session initialization (e.g. + <literal>displayManager.sessionCommands</literal>) + </para> + <programlisting> + gpg-connect-agent /bye + unset SSH_AGENT_PID + export SSH_AUTH_SOCK="''${HOME}/.gnupg/S.gpg-agent.ssh" +</programlisting> + <para> + and make sure that + </para> + <programlisting> + enable-ssh-support +</programlisting> + <para> + is included in your <literal>~/.gnupg/gpg-agent.conf</literal>. + You will need to use <literal>ssh-add</literal> to re-add your + ssh keys. If gpg’s automatic transformation of the private keys + to the new format fails, you will need to re-import your private + keyring as well: + </para> + <programlisting> + gpg --import ~/.gnupg/secring.gpg +</programlisting> + <para> + The <literal>gpg-agent(1)</literal> man page has more details + about this subject, i.e. in the "EXAMPLES" section. + </para> + </listitem> + </itemizedlist> + <para> + Other notable improvements: + </para> + <itemizedlist> + <listitem> + <para> + <literal>ejabberd</literal> module is brought back and now works + on NixOS. + </para> + </listitem> + <listitem> + <para> + Input method support was improved. New NixOS modules (fcitx, + nabi and uim), fcitx engines (chewing, hangul, m17n, mozc and + table-other) and ibus engines (hangul and m17n) have been added. + </para> + </listitem> + </itemizedlist> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1609.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1609.section.xml new file mode 100644 index 00000000000..0fba40a0e78 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-1609.section.xml 
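Review bot: the `services.nsd.zones.<name>.data` item shows a "before" and an "after" zone listing that are byte-for-byte identical (`$ORIGIN example.com.` / `$TTL 1800` in both), so the escaping change the item describes is invisible to the reader; the first listing presumably lost its `''$` escapes during the markdown conversion and needs restoring in the `.section.md` source. The "new services" list also contains `services/monitoring/longview.nix` twice (as the first entry and again after `heapster.nix`), and "Binutils 2.26 (was 2.23.1). See #909" is a bare issue number with no link, unlike every other reference in the file. In the gpg-agent item the `SSH_AUTH_SOCK` line still carries a Nix indented-string escape (`"''${HOME}/.gnupg/S.gpg-agent.ssh"`) although it is presented as shell to paste into session initialization; either show the plain shell form or state that the listing is the Nix string form for `displayManager.sessionCommands`. Spelling for the source: "actively-developer" → "actively-developed", "overriden" → "overridden", "renamned" → "renamed", "has been been rewritten", "Should modified to look like" → "should be modified to look like", and "result into a generated config" → "result in a generated config".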
@@ -0,0 +1,273 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-16.09"> + <title>Release 16.09 (<quote>Flounder</quote>, 2016/09/30)</title> + <para> + In addition to numerous new and upgraded packages, this release has + the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + Many NixOS configurations and Nix packages now use significantly + less disk space, thanks to the + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive + work on closure size reduction</link>. For example, the closure + size of a minimal NixOS container went down from ~424 MiB in + 16.03 to ~212 MiB in 16.09, while the closure size of Firefox + went from ~651 MiB to ~259 MiB. + </para> + </listitem> + <listitem> + <para> + To improve security, packages are now + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built + using various hardening features</link>. See the Nixpkgs manual + for more information. + </para> + </listitem> + <listitem> + <para> + Support for PXE netboot. See + <xref linkend="sec-booting-from-pxe" /> for documentation. + </para> + </listitem> + <listitem> + <para> + X.org server 1.18. If you use the <literal>ati_unfree</literal> + driver, 1.17 is still used due to an ABI incompatibility. + </para> + </listitem> + <listitem> + <para> + This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. + The default Linux kernel remains 4.4. 
+ </para> + </listitem> + </itemizedlist> + <para> + The following new services were added since the last release: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>(this will get automatically generated at release time)</literal> + </para> + </listitem> + </itemizedlist> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist> + <listitem> + <para> + A large number of packages have been converted to use the + multiple outputs feature of Nix to greatly reduce the amount of + required disk space, as mentioned above. This may require + changes to any custom packages to make them build again; see the + relevant chapter in the Nixpkgs manual for more information. + (Additional caveat to packagers: some packaging conventions + related to multiple-output packages + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were + changed</link> late (August 2016) in the release cycle and + differ from the initial introduction of multiple outputs.) + </para> + </listitem> + <listitem> + <para> + Previous versions of Nixpkgs had support for all versions of the + LTS Haskell package set. That support has been dropped. The + previously provided <literal>haskell.packages.lts-x_y</literal> + package sets still exist in name to aviod breaking user code, + but these package sets don't actually contain the versions + mandated by the corresponding LTS release. Instead, our package + set it loosely based on the latest available LTS release, i.e. + LTS 7.x at the time of this writing. New releases of NixOS and + Nixpkgs will drop those old names entirely. + <link xlink:href="https://nixos.org/nix-dev/2016-June/020585.html">The + motivation for this change</link> has been discussed at length + on the <literal>nix-dev</literal> mailing list and in + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github + issue #14897</link>. 
Development strategies for Haskell hackers + who want to rely on Nix and NixOS have been described in + <link xlink:href="https://nixos.org/nix-dev/2016-June/020642.html">another + nix-dev article</link>. + </para> + </listitem> + <listitem> + <para> + Shell aliases for systemd sub-commands + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were + dropped</link>: <literal>start</literal>, + <literal>stop</literal>, <literal>restart</literal>, + <literal>status</literal>. + </para> + </listitem> + <listitem> + <para> + Redis now binds to 127.0.0.1 only instead of listening to all + network interfaces. This is the default behavior of Redis 3.2 + </para> + </listitem> + <listitem> + <para> + <literal>/var/empty</literal> is now immutable. Activation + script runs <literal>chattr +i</literal> to forbid any + modifications inside the folder. See + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365"> + the pull request</link> for what bugs this caused. + </para> + </listitem> + <listitem> + <para> + Gitlab's maintainance script <literal>gitlab-runner</literal> + was removed and split up into the more clearer + <literal>gitlab-run</literal> and <literal>gitlab-rake</literal> + scripts, because <literal>gitlab-runner</literal> is a component + of Gitlab CI. + </para> + </listitem> + <listitem> + <para> + <literal>services.xserver.libinput.accelProfile</literal> + default changed from <literal>flat</literal> to + <literal>adaptive</literal>, as per + <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79"> + official documentation</link>. + </para> + </listitem> + <listitem> + <para> + <literal>fonts.fontconfig.ultimate.rendering</literal> was + removed because our presets were obsolete for some time. New + presets are hardcoded into FreeType; you can select a preset via + <literal>fonts.fontconfig.ultimate.preset</literal>. 
You can + customize those presets via ordinary environment variables, + using <literal>environment.variables</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>audit</literal> service is no longer enabled by + default. Use <literal>security.audit.enable = true</literal> to + explicitly enable it. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.linuxPackages.virtualbox</literal> now contains + only the kernel modules instead of the VirtualBox user space + binaries. If you want to reference the user space binaries, you + have to use the new <literal>pkgs.virtualbox</literal> instead. + </para> + </listitem> + <listitem> + <para> + <literal>goPackages</literal> was replaced with separated Go + applications in appropriate <literal>nixpkgs</literal> + categories. Each Go package uses its own dependency set. There's + also a new <literal>go2nix</literal> tool introduced to generate + a Go package definition from its Go source automatically. + </para> + </listitem> + <listitem> + <para> + <literal>services.mongodb.extraConfig</literal> configuration + format was changed to YAML. + </para> + </listitem> + <listitem> + <para> + PHP has been upgraded to 7.0 + </para> + </listitem> + </itemizedlist> + <para> + Other notable improvements: + </para> + <itemizedlist> + <listitem> + <para> + Revamped grsecurity/PaX support. There is now only a single + general-purpose distribution kernel and the configuration + interface has been streamlined. Desktop users should be able to + simply set + </para> + <programlisting language="bash"> +{ + security.grsecurity.enable = true; +} +</programlisting> + <para> + to get a reasonably secure system without having to sacrifice + too much functionality. + </para> + </listitem> + <listitem> + <para> + Special filesystems, like <literal>/proc</literal>, + <literal>/run</literal> and others, now have the same mount + options as recommended by systemd and are unified across + different places in NixOS. 
Mount options are updated during + <literal>nixos-rebuild switch</literal> if possible. One benefit + from this is improved security — most such filesystems are now + mounted with <literal>noexec</literal>, <literal>nodev</literal> + and/or <literal>nosuid</literal> options. + </para> + </listitem> + <listitem> + <para> + The reverse path filter was interfering with DHCPv4 server + operation in the past. An exception for DHCPv4 and a new option + to log packets that were dropped due to the reverse path filter + was added + (<literal>networking.firewall.logReversePathDrops</literal>) for + easier debugging. + </para> + </listitem> + <listitem> + <para> + Containers configuration within + <literal>containers.<name>.config</literal> is + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now + properly typed and checked</link>. In particular, partial + configurations are merged correctly. + </para> + </listitem> + <listitem> + <para> + The directory container setuid wrapper programs, + <literal>/var/setuid-wrappers</literal>, + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is + now updated atomically to prevent failures if the switch to a + new configuration is interrupted.</link> + </para> + </listitem> + <listitem> + <para> + <literal>services.xserver.startGnuPGAgent</literal> has been + removed due to GnuPG 2.1.x bump. See + <link xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c"> + how to achieve similar behavior</link>. You might need to + <literal>pkill gpg-agent</literal> after the upgrade to prevent + a stale agent being in the way. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147"> + Declarative users could share the uid due to the bug in the + script handling conflict resolution. </link> + </para> + </listitem> + <listitem> + <para> + Gummi boot has been replaced using systemd-boot. 
+ </para> + </listitem> + <listitem> + <para> + Hydra package and NixOS module were added for convenience. + </para> + </listitem> + </itemizedlist> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1703.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1703.section.xml new file mode 100644 index 00000000000..1119ec53dfc --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-1703.section.xml 
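Review bot: the `<programlisting language="bash">` around `security.grsecurity.enable = true;` in the grsecurity item tags a Nix expression as bash; since this file is generated from Markdown, the fence language in the `rl-1609.section.md` source should be `nix` so the generated XML carries the right tag. In the same hunk, "Gitlab's maintainance script" should read "maintenance", the Redis item ("This is the default behavior of Redis 3.2") and "PHP has been upgraded to 7.0" are missing their full stops, and "Gummi boot has been replaced using systemd-boot" reads better as "replaced by systemd-boot"; all of these belong in the Markdown source rather than in this generated file, otherwise the next regeneration undoes them. Please also confirm that `containers.<name>.config` inside `<literal>` is `&lt;name&gt;` in the committed file; as displayed here it is unescaped, which would make the XML ill-formed. Finally, the special-filesystems item says mount options (`noexec`, `nodev`, `nosuid`) are updated during `nixos-rebuild switch` "if possible" without saying what happens when it is not possible; one sentence on the fallback (or a pointer to the relevant PR, as the `/var/empty` item has) would help upgraders relying on that hardening.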
@@ -0,0 +1,818 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-17.03"> + <title>Release 17.03 (<quote>Gorilla</quote>, 2017/03/31)</title> + <section xml:id="sec-release-17.03-highlights"> + <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + Nixpkgs is now extensible through overlays. See the + <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">Nixpkgs + manual</link> for more information. + </para> + </listitem> + <listitem> + <para> + This release is based on Glibc 2.25, GCC 5.4.0 and systemd + 232. The default Linux kernel is 4.9 and Nix is at 1.11.8. + </para> + </listitem> + <listitem> + <para> + The default desktop environment now is KDE's Plasma 5. KDE 4 + has been removed + </para> + </listitem> + <listitem> + <para> + The setuid wrapper functionality now supports setting + capabilities. + </para> + </listitem> + <listitem> + <para> + X.org server uses branch 1.19. Due to ABI incompatibilities, + <literal>ati_unfree</literal> keeps forcing 1.17 and + <literal>amdgpu-pro</literal> starts forcing 1.18. + </para> + </listitem> + <listitem> + <para> + Cross compilation has been rewritten. See the nixpkgs manual + for details. The most obvious breaking change is that in + derivations there is no <literal>.nativeDrv</literal> nor + <literal>.crossDrv</literal> are now cross by default, not + native. + </para> + </listitem> + <listitem> + <para> + The <literal>overridePackages</literal> function has been + rewritten to be replaced by + <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install"> + overlays</link> + </para> + </listitem> + <listitem> + <para> + Packages in nixpkgs can be marked as insecure through listed + vulnerabilities. 
See the + <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-allow-insecure">Nixpkgs + manual</link> for more information. + </para> + </listitem> + <listitem> + <para> + PHP now defaults to PHP 7.1 + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-17.03-new-services"> + <title>New Services</title> + <para> + The following new services were added since the last release: + </para> + <itemizedlist> + <listitem> + <para> + <literal>hardware/ckb.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/mcelog.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/usb-wwan.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/video/capture/mwprocapture.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/adb.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/chromium.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/gphoto2.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/java.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/mtr.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/oblogout.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/vim.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/wireshark.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>security/dhparams.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/audio/ympd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/computing/boinc/client.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/continuous-integration/buildbot/master.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/continuous-integration/buildbot/worker.nix</literal> + 
</para> + </listitem> + <listitem> + <para> + <literal>services/continuous-integration/gitlab-runner.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/databases/riak-cs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/databases/stanchion.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/desktops/gnome3/gnome-terminal-server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/editors/infinoted.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/hardware/illum.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/hardware/trezord.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/logging/journalbeat.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/offlineimap.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/postgrey.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/couchpotato.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/docker-registry.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/errbot.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/geoip-updater.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/gogs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/leaps.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/nix-optimise.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/ssm-agent.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/sssd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/arbtt.nix</literal> + </para> + </listitem> + <listitem> 
+ <para> + <literal>services/monitoring/netdata.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/alertmanager.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/blackbox-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/json-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/nginx-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/node-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/snmp-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/unifi-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/varnish-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/sysstat.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/telegraf.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/vnstat.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/cachefilesd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/glusterfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/ipfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/dante.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/dnscrypt-wrapper.nix</literal> + </para> + </listitem> + <listitem> + <para> + 
<literal>services/networking/fakeroute.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/flannel.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/htpdate.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/miredo.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/nftables.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/powerdns.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/pdns-recursor.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/quagga.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/redsocks.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/wireguard.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/system/cgmanager.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/torrent/opentracker.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/atlassian/confluence.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/atlassian/crowd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/atlassian/jira.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/frab.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/nixbot.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/selfoss.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/quassel-webserver.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/unclutter-xfixes.nix</literal> + </para> + </listitem> + 
<listitem> + <para> + <literal>services/x11/urxvtd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>system/boot/systemd-nspawn.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/ecs-agent.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/lxcfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/openstack/keystone.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>virtualisation/openstack/glance.nix</literal> + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-17.03-incompatibilities"> + <title>Backward Incompatibilities</title> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist> + <listitem> + <para> + Derivations have no <literal>.nativeDrv</literal> nor + <literal>.crossDrv</literal> and are now cross by default, not + native. + </para> + </listitem> + <listitem> + <para> + <literal>stdenv.overrides</literal> is now expected to take + <literal>self</literal> and <literal>super</literal> + arguments. See <literal>lib.trivial.extends</literal> for what + those parameters represent. + </para> + </listitem> + <listitem> + <para> + <literal>ansible</literal> now defaults to ansible version 2 + as version 1 has been removed due to a serious + <link xlink:href="https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt"> + vulnerability</link> unpatched by upstream. + </para> + </listitem> + <listitem> + <para> + <literal>gnome</literal> alias has been removed along with + <literal>gtk</literal>, <literal>gtkmm</literal> and several + others. Now you need to use versioned attributes, like + <literal>gnome3</literal>. + </para> + </listitem> + <listitem> + <para> + The attribute name of the Radicale daemon has been changed + from <literal>pythonPackages.radicale</literal> to + <literal>radicale</literal>. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>stripHash</literal> bash function in + <literal>stdenv</literal> changed according to its + documentation; it now outputs the stripped name to + <literal>stdout</literal> instead of putting it in the + variable <literal>strippedName</literal>. + </para> + </listitem> + <listitem> + <para> + PHP now scans for extra configuration .ini files in /etc/php.d + instead of /etc. This prevents accidentally loading non-PHP + .ini files that may be in /etc. + </para> + </listitem> + <listitem> + <para> + Two lone top-level dict dbs moved into + <literal>dictdDBs</literal>. This affects: + <literal>dictdWordnet</literal> which is now at + <literal>dictdDBs.wordnet</literal> and + <literal>dictdWiktionary</literal> which is now at + <literal>dictdDBs.wiktionary</literal> + </para> + </listitem> + <listitem> + <para> + Parsoid service now uses YAML configuration format. + <literal>service.parsoid.interwikis</literal> is now called + <literal>service.parsoid.wikis</literal> and is a list of + either API URLs or attribute sets as specified in parsoid's + documentation. + </para> + </listitem> + <listitem> + <para> + <literal>Ntpd</literal> was replaced by + <literal>systemd-timesyncd</literal> as the default service to + synchronize system time with a remote NTP server. The old + behavior can be restored by setting + <literal>services.ntp.enable</literal> to + <literal>true</literal>. Upstream time servers for all NTP + implementations are now configured using + <literal>networking.timeServers</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>service.nylon</literal> is now declared using named + instances. 
As an example: + </para> + <programlisting language="bash"> +{ + services.nylon = { + enable = true; + acceptInterface = "br0"; + bindInterface = "tun1"; + port = 5912; + }; +} +</programlisting> + <para> + should be replaced with: + </para> + <programlisting language="bash"> +{ + services.nylon.myvpn = { + enable = true; + acceptInterface = "br0"; + bindInterface = "tun1"; + port = 5912; + }; +} +</programlisting> + <para> + this enables you to declare a SOCKS proxy for each uplink. + </para> + </listitem> + <listitem> + <para> + <literal>overridePackages</literal> function no longer exists. + It is replaced by + <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install"> + overlays</link>. For example, the following code: + </para> + <programlisting language="bash"> +let + pkgs = import <nixpkgs> {}; +in + pkgs.overridePackages (self: super: ...) +</programlisting> + <para> + should be replaced by: + </para> + <programlisting language="bash"> +let + pkgs = import <nixpkgs> {}; +in + import pkgs.path { overlays = [(self: super: ...)]; } +</programlisting> + </listitem> + <listitem> + <para> + Autoloading connection tracking helpers is now disabled by + default. This default was also changed in the Linux kernel and + is considered insecure if not configured properly in your + firewall. If you need connection tracking helpers (i.e. for + active FTP) please enable + <literal>networking.firewall.autoLoadConntrackHelpers</literal> + and tune + <literal>networking.firewall.connectionTrackingModules</literal> + to suit your needs. + </para> + </listitem> + <listitem> + <para> + <literal>local_recipient_maps</literal> is not set to empty + value by Postfix service. It's an insecure default as stated + by Postfix documentation. Those who want to retain this + setting need to set it via + <literal>services.postfix.extraConfig</literal>. + </para> + </listitem> + <listitem> + <para> + Iputils no longer provide ping6 and traceroute6. 
The + functionality of these tools has been integrated into ping and + traceroute respectively. To enforce an address family the new + flags <literal>-4</literal> and <literal>-6</literal> have + been added. One notable incompatibility is that specifying an + interface (for link-local IPv6 for instance) is no longer done + with the <literal>-I</literal> flag, but by encoding the + interface into the address + (<literal>ping fe80::1%eth0</literal>). + </para> + </listitem> + <listitem> + <para> + The socket handling of the <literal>services.rmilter</literal> + module has been fixed and refactored. As rmilter doesn't + support binding to more than one socket, the options + <literal>bindUnixSockets</literal> and + <literal>bindInetSockets</literal> have been replaced by + <literal>services.rmilter.bindSocket.*</literal>. The default + is still a unix socket in + <literal>/run/rmilter/rmilter.sock</literal>. Refer to the + options documentation for more information. + </para> + </listitem> + <listitem> + <para> + The <literal>fetch*</literal> functions no longer support md5, + please use sha256 instead. + </para> + </listitem> + <listitem> + <para> + The dnscrypt-proxy module interface has been streamlined + around the <literal>extraArgs</literal> option. Where + possible, legacy option declarations are mapped to + <literal>extraArgs</literal> but will emit warnings. The + <literal>resolverList</literal> has been outright removed: to + use an unlisted resolver, use the + <literal>customResolver</literal> option. + </para> + </listitem> + <listitem> + <para> + torbrowser now stores local state under + <literal>~/.local/share/tor-browser</literal> by default. Any + browser profile data from the old location, + <literal>~/.torbrowser4</literal>, must be migrated manually. + </para> + </listitem> + <listitem> + <para> + The ihaskell, monetdb, offlineimap and sitecopy services have + been removed. 
+ </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-17.03-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + Module type system have a new extensible option types feature + that allow to extend certain types, such as enum, through + multiple option declarations of the same option across + multiple modules. + </para> + </listitem> + <listitem> + <para> + <literal>jre</literal> now defaults to GTK UI by default. This + improves visual consistency and makes Java follow system font + style, improving the situation on HighDPI displays. This has a + cost of increased closure size; for server and other headless + workloads it's recommended to use + <literal>jre_headless</literal>. + </para> + </listitem> + <listitem> + <para> + Python 2.6 interpreter and package set have been removed. + </para> + </listitem> + <listitem> + <para> + The Python 2.7 interpreter does not use modules anymore. + Instead, all CPython interpreters now include the whole + standard library except for `tkinter`, which is available in + the Python package set. + </para> + </listitem> + <listitem> + <para> + Python 2.7, 3.5 and 3.6 are now built deterministically and + 3.4 mostly. Minor modifications had to be made to the + interpreters in order to generate deterministic bytecode. This + has security implications and is relevant for those using + Python in a <literal>nix-shell</literal>. See the Nixpkgs + manual for details. + </para> + </listitem> + <listitem> + <para> + The Python package sets now use a fixed-point combinator and + the sets are available as attributes of the interpreters. + </para> + </listitem> + <listitem> + <para> + The Python function <literal>buildPythonPackage</literal> has + been improved and can be used to build from Setuptools source, + Flit source, and precompiled Wheels. 
+ </para> + </listitem> + <listitem> + <para> + When adding new or updating current Python libraries, the + expressions should be put in separate files in + <literal>pkgs/development/python-modules</literal> and called + from <literal>python-packages.nix</literal>. + </para> + </listitem> + <listitem> + <para> + The dnscrypt-proxy service supports synchronizing the list of + public resolvers without working DNS resolution. This fixes + issues caused by the resolver list becoming outdated. It also + improves the viability of DNSCrypt only configurations. + </para> + </listitem> + <listitem> + <para> + Containers using bridged networking no longer lose their + connection after changes to the host networking. + </para> + </listitem> + <listitem> + <para> + ZFS supports pool auto scrubbing. + </para> + </listitem> + <listitem> + <para> + The bind DNS utilities (e.g. dig) have been split into their + own output and are now also available in + <literal>pkgs.dnsutils</literal> and it is no longer necessary + to pull in all of <literal>bind</literal> to use them. + </para> + </listitem> + <listitem> + <para> + Per-user configuration was moved from + <literal>~/.nixpkgs</literal> to + <literal>~/.config/nixpkgs</literal>. The former is still + valid for <literal>config.nix</literal> for backwards + compatibility. + </para> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1709.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1709.section.xml new file mode 100644 index 00000000000..8f0efe816e5 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-1709.section.xml 
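Review bot: the cross-compilation highlight sentence "there is no `.nativeDrv` nor `.crossDrv` are now cross by default, not native" is garbled; the Backward Incompatibilities entry in this same hunk has the intended wording ("Derivations have no `.nativeDrv` nor `.crossDrv` and are now cross by default, not native"), so the highlight should match it. Also in this hunk: "except for `tkinter`" keeps Markdown backticks inside a `<para>` where the rest of the file uses `<literal>`, which suggests the md-to-DocBook conversion missed an inline code span; `import <nixpkgs> {}` appears unescaped inside `<programlisting>` and must be `&lt;nixpkgs&gt;` in the committed XML to keep it well-formed; the nylon and overlays snippets are tagged `language="bash"` although they are Nix; "Module type system have a new" should be "has a new"; and the Postfix item "`local_recipient_maps` is not set to empty value by Postfix service" presumably means "is no longer set to an empty value", which matters because the item is describing the removal of an insecure default and as written it reads as the current state rather than a change. Fix these in the `.section.md` source, since this is generated output.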
@@ -0,0 +1,922 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-17.09"> + <title>Release 17.09 (<quote>Hummingbird</quote>, 2017/09/??)</title> + <section xml:id="sec-release-17.09-highlights"> + <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + The GNOME version is now 3.24. KDE Plasma was upgraded to + 5.10, KDE Applications to 17.08.1 and KDE Frameworks to 5.37. + </para> + </listitem> + <listitem> + <para> + The user handling now keeps track of deallocated UIDs/GIDs. + When a user or group is revived, this allows it to be + allocated the UID/GID it had before. A consequence is that + UIDs and GIDs are no longer reused. + </para> + </listitem> + <listitem> + <para> + The module option + <literal>services.xserver.xrandrHeads</literal> now causes the + first head specified in this list to be set as the primary + head. Apart from that, it's now possible to also set + additional options by using an attribute set, for example: + </para> + <programlisting language="bash"> +{ services.xserver.xrandrHeads = [ + "HDMI-0" + { + output = "DVI-0"; + primary = true; + monitorConfig = '' + Option "Rotate" "right" + ''; + } + ]; +} +</programlisting> + <para> + This will set the <literal>DVI-0</literal> output to be the + primary head, even though <literal>HDMI-0</literal> is the + first head in the list. + </para> + </listitem> + <listitem> + <para> + The handling of SSL in the <literal>services.nginx</literal> + module has been cleaned up, renaming the misnamed + <literal>enableSSL</literal> to <literal>onlySSL</literal> + which reflects its original intention. This is not to be used + with the already existing <literal>forceSSL</literal> which + creates a second non-SSL virtual host redirecting to the SSL + virtual host. 
This by chance had worked earlier due to + specific implementation details. In case you had specified + both please remove the <literal>enableSSL</literal> option to + keep the previous behaviour. + </para> + <para> + Another <literal>addSSL</literal> option has been introduced + to configure both a non-SSL virtual host and an SSL virtual + host with the same configuration. + </para> + <para> + Options to configure <literal>resolver</literal> options and + <literal>upstream</literal> blocks have been introduced. See + their information for further details. + </para> + <para> + The <literal>port</literal> option has been replaced by a more + generic <literal>listen</literal> option which makes it + possible to specify multiple addresses, ports and SSL configs + dependant on the new SSL handling mentioned above. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-17.09-new-services"> + <title>New Services</title> + <para> + The following new services were added since the last release: + </para> + <itemizedlist> + <listitem> + <para> + <literal>config/fonts/fontconfig-penultimate.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>config/fonts/fontconfig-ultimate.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>config/terminfo.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/sensor/iio.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/nitrokey.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>hardware/raid/hpsa.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/browserpass.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/gnupg.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/qt5ct.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs/slock.nix</literal> + </para> + </listitem> + <listitem> + <para> 
+ <literal>programs/thefuck.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>security/auditd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>security/lock-kernel-modules.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>service-managers/docker.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>service-managers/trivial.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/admin/salt/master.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/admin/salt/minion.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/audio/slimserver.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/cluster/kubernetes/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/cluster/kubernetes/dns.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/cluster/kubernetes/dashboard.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/continuous-integration/hail.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/databases/clickhouse.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/databases/postage.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/desktops/gnome3/gnome-disks.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/desktops/gnome3/gpaste.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/logging/SystemdJournal2Gelf.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/logging/heartbeat.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/logging/journalwatch.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/logging/syslogd.nix</literal> + </para> + </listitem> + <listitem> + <para> 
+ <literal>services/mail/mailhog.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/mail/nullmailer.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/airsonic.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/autorandr.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/exhibitor.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/fstrim.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/gollum.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/irkerd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/jackett.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/radarr.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/misc/snapper.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/osquery.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/collectd-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/monitoring/prometheus/fritzbox-exporter.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/network-filesystems/kbfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/dnscache.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/fireqos.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/iwd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/keepalived/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/keybase.nix</literal> + </para> + </listitem> + <listitem> + <para> + 
<literal>services/networking/lldpd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/matterbridge.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/squid.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/tinydns.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/networking/xrdp.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/shibboleth-sp.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/sks.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/sshguard.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/torify.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/usbguard.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/security/vault.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/system/earlyoom.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/system/saslauthd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/nexus.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/pgpkeyserver-lite.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-apps/piwik.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-servers/lighttpd/collectd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/web-servers/minio.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/display-managers/xpra.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services/x11/xautolock.nix</literal> + </para> + </listitem> + <listitem> + <para> + 
<literal>tasks/filesystems/bcachefs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>tasks/powertop.nix</literal> + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-17.09-incompatibilities"> + <title>Backward Incompatibilities</title> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist> + <listitem> + <para> + <emphasis role="strong">In an Qemu-based virtualization + environment, the network interface names changed from i.e. + <literal>enp0s3</literal> to + <literal>ens3</literal>.</emphasis> + </para> + <para> + This is due to a kernel configuration change. The new naming + is consistent with those of other Linux distributions with + systemd. See + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/29197">#29197</link> + for more information. + </para> + <para> + A machine is affected if the <literal>virt-what</literal> tool + either returns <literal>qemu</literal> or + <literal>kvm</literal> <emphasis>and</emphasis> has interface + names used in any part of its NixOS configuration, in + particular if a static network configuration with + <literal>networking.interfaces</literal> is used. + </para> + <para> + Before rebooting affected machines, please ensure: + </para> + <itemizedlist> + <listitem> + <para> + Change the interface names in your NixOS configuration. + The first interface will be called + <literal>ens3</literal>, the second one + <literal>ens8</literal> and starting from there + incremented by 1. + </para> + </listitem> + <listitem> + <para> + After changing the interface names, rebuild your system + with <literal>nixos-rebuild boot</literal> to activate the + new configuration after a reboot. If you switch to the new + configuration right away you might lose network + connectivity! If using <literal>nixops</literal>, deploy + with <literal>nixops deploy --force-reboot</literal>. 
+ </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The following changes apply if the + <literal>stateVersion</literal> is changed to 17.09 or higher. + For <literal>stateVersion = "17.03"</literal> or + lower the old behavior is preserved. + </para> + <itemizedlist> + <listitem> + <para> + The <literal>postgres</literal> default version was + changed from 9.5 to 9.6. + </para> + </listitem> + <listitem> + <para> + The <literal>postgres</literal> superuser name has changed + from <literal>root</literal> to + <literal>postgres</literal> to more closely follow what + other Linux distributions are doing. + </para> + </listitem> + <listitem> + <para> + The <literal>postgres</literal> default + <literal>dataDir</literal> has changed from + <literal>/var/db/postgres</literal> to + <literal>/var/lib/postgresql/$psqlSchema</literal> where + $psqlSchema is 9.6 for example. + </para> + </listitem> + <listitem> + <para> + The <literal>mysql</literal> default + <literal>dataDir</literal> has changed from + <literal>/var/mysql</literal> to + <literal>/var/lib/mysql</literal>. + </para> + </listitem> + <listitem> + <para> + Radicale's default package has changed from 1.x to 2.x. + Instructions to migrate can be found + <link xlink:href="http://radicale.org/1to2/"> here + </link>. It is also possible to use the newer version by + setting the <literal>package</literal> to + <literal>radicale2</literal>, which is done automatically + when <literal>stateVersion</literal> is 17.09 or higher. + The <literal>extraArgs</literal> option has been added to + allow passing the data migration arguments specified in + the instructions; see the <literal>radicale.nix</literal> + NixOS test for an example migration. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>aiccu</literal> package was removed. This is due + to SixXS <link xlink:href="https://www.sixxs.net/main/"> + sunsetting</link> its IPv6 tunnel. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>fanctl</literal> package and + <literal>fan</literal> module have been removed due to the + developers not upstreaming their iproute2 patches and lagging + with compatibility to recent iproute2 versions. + </para> + </listitem> + <listitem> + <para> + Top-level <literal>idea</literal> package collection was + renamed. All JetBrains IDEs are now at + <literal>jetbrains</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>flexget</literal>'s state database cannot be upgraded + to its new internal format, requiring removal of any existing + <literal>db-config.sqlite</literal> which will be + automatically recreated. + </para> + </listitem> + <listitem> + <para> + The <literal>ipfs</literal> service now doesn't ignore the + <literal>dataDir</literal> option anymore. If you've ever set + this option to anything other than the default you'll have to + either unset it (so the default gets used) or migrate the old + data manually with + </para> + <programlisting> +dataDir=<valueOfDataDir> +mv /var/lib/ipfs/.ipfs/* $dataDir +rmdir /var/lib/ipfs/.ipfs +</programlisting> + </listitem> + <listitem> + <para> + The <literal>caddy</literal> service was previously using an + extra <literal>.caddy</literal> directory in the data + directory specified with the <literal>dataDir</literal> + option. The contents of the <literal>.caddy</literal> + directory are now expected to be in the + <literal>dataDir</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>ssh-agent</literal> user service is not started + by default anymore. Use + <literal>programs.ssh.startAgent</literal> to enable it if + needed. There is also a new + <literal>programs.gnupg.agent</literal> module that creates a + <literal>gpg-agent</literal> user service. It can also serve + as a SSH agent if <literal>enableSSHSupport</literal> is set. 
+ </para> + </listitem> + <listitem> + <para> + The + <literal>services.tinc.networks.<name>.listenAddress</literal> + option had a misleading name that did not correspond to its + behavior. It now correctly defines the ip to listen for + incoming connections on. To keep the previous behaviour, use + <literal>services.tinc.networks.<name>.bindToAddress</literal> + instead. Refer to the description of the options for more + details. + </para> + </listitem> + <listitem> + <para> + <literal>tlsdate</literal> package and module were removed. + This is due to the project being dead and not building with + openssl 1.1. + </para> + </listitem> + <listitem> + <para> + <literal>wvdial</literal> package and module were removed. + This is due to the project being dead and not building with + openssl 1.1. + </para> + </listitem> + <listitem> + <para> + <literal>cc-wrapper</literal>'s setup-hook now exports a + number of environment variables corresponding to binutils + binaries, (e.g. <literal>LD</literal>, + <literal>STRIP</literal>, <literal>RANLIB</literal>, etc). + This is done to prevent packages' build systems guessing, + which is harder to predict, especially when cross-compiling. + However, some packages have broken due to this—their build + systems either not supporting, or claiming to support without + adequate testing, taking such environment variables as + parameters. + </para> + </listitem> + <listitem> + <para> + <literal>services.firefox.syncserver</literal> now runs by + default as a non-root user. To accomodate this change, the + default sqlite database location has also been changed. + Migration should work automatically. Refer to the description + of the options for more details. + </para> + </listitem> + <listitem> + <para> + The <literal>compiz</literal> window manager and package was + removed. The system support had been broken for several years. 
+ </para> + </listitem> + <listitem> + <para> + Touchpad support should now be enabled through + <literal>libinput</literal> as <literal>synaptics</literal> is + now deprecated. See the option + <literal>services.xserver.libinput.enable</literal>. + </para> + </listitem> + <listitem> + <para> + grsecurity/PaX support has been dropped, following upstream's + decision to cease free support. See + <link xlink:href="https://grsecurity.net/passing_the_baton.php"> + upstream's announcement</link> for more information. No + complete replacement for grsecurity/PaX is available + presently. + </para> + </listitem> + <listitem> + <para> + <literal>services.mysql</literal> now has declarative + configuration of databases and users with the + <literal>ensureDatabases</literal> and + <literal>ensureUsers</literal> options. + </para> + <para> + These options will never delete existing databases and users, + especially not when the value of the options are changed. + </para> + <para> + The MySQL users will be identified using + <link xlink:href="https://mariadb.com/kb/en/library/authentication-plugin-unix-socket/"> + Unix socket authentication</link>. This authenticates the Unix + user with the same name only, and that without the need for a + password. + </para> + <para> + If you have previously created a MySQL <literal>root</literal> + user <emphasis>with a password</emphasis>, you will need to + add <literal>root</literal> user for unix socket + authentication before using the new options. 
This can be done + by running the following SQL script: + </para> + <programlisting language="SQL"> +CREATE USER 'root'@'%' IDENTIFIED BY ''; +GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION; +FLUSH PRIVILEGES; + +-- Optionally, delete the password-authenticated user: +-- DROP USER 'root'@'localhost'; +</programlisting> + </listitem> + <listitem> + <para> + <literal>services.mysqlBackup</literal> now works by default + without any user setup, including for users other than + <literal>mysql</literal>. + </para> + <para> + By default, the <literal>mysql</literal> user is no longer the + user which performs the backup. Instead a system account + <literal>mysqlbackup</literal> is used. + </para> + <para> + The <literal>mysqlBackup</literal> service is also now using + systemd timers instead of <literal>cron</literal>. + </para> + <para> + Therefore, the <literal>services.mysqlBackup.period</literal> + option no longer exists, and has been replaced with + <literal>services.mysqlBackup.calendar</literal>, which is in + the format of + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events">systemd.time(7)</link>. + </para> + <para> + If you expect to be sent an e-mail when the backup fails, + consider using a script which monitors the systemd journal for + errors. Regretfully, at present there is no built-in + functionality for this. + </para> + <para> + You can check that backups still work by running + <literal>systemctl start mysql-backup</literal> then + <literal>systemctl status mysql-backup</literal>. + </para> + </listitem> + <listitem> + <para> + Templated systemd services e.g + <literal>container@name</literal> are now handled currectly + when switching to a new configuration, resulting in them being + reloaded. + </para> + </listitem> + <listitem> + <para> + Steam: the <literal>newStdcpp</literal> parameter was removed + and should not be needed anymore. 
+ </para> + </listitem> + <listitem> + <para> + Redis has been updated to version 4 which mandates a cluster + mass-restart, due to changes in the network handling, in order + to ensure compatibility with networks NATing traffic. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-17.09-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + Modules can now be disabled by using + <link xlink:href="https://nixos.org/nixpkgs/manual/#sec-replace-modules"> + disabledModules</link>, allowing another to take it's place. + This can be used to import a set of modules from another + channel while keeping the rest of the system on a stable + release. + </para> + </listitem> + <listitem> + <para> + Updated to FreeType 2.7.1, including a new TrueType engine. + The new engine replaces the Infinality engine which was the + default in NixOS. The default font rendering settings are now + provided by fontconfig-penultimate, replacing + fontconfig-ultimate; the new defaults are less invasive and + provide rendering that is more consistent with other systems + and hopefully with each font designer's intent. Some + system-wide configuration has been removed from the Fontconfig + NixOS module where user Fontconfig settings are available. + </para> + </listitem> + <listitem> + <para> + ZFS/SPL have been updated to 0.7.0, + <literal>zfsUnstable, splUnstable</literal> have therefore + been removed. + </para> + </listitem> + <listitem> + <para> + The <literal>time.timeZone</literal> option now allows the + value <literal>null</literal> in addition to timezone strings. + This value allows changing the timezone of a system + imperatively using + <literal>timedatectl set-timezone</literal>. The default + timezone is still UTC. + </para> + </listitem> + <listitem> + <para> + Nixpkgs overlays may now be specified with a file as well as a + directory. 
The value of + <literal><nixpkgs-overlays></literal> may be a file, and + <literal>~/.config/nixpkgs/overlays.nix</literal> can be used + instead of the <literal>~/.config/nixpkgs/overlays</literal> + directory. + </para> + <para> + See the overlays chapter of the Nixpkgs manual for more + details. + </para> + </listitem> + <listitem> + <para> + Definitions for <literal>/etc/hosts</literal> can now be + specified declaratively with + <literal>networking.hosts</literal>. + </para> + </listitem> + <listitem> + <para> + Two new options have been added to the installer loader, in + addition to the default having changed. The kernel log + verbosity has been lowered to the upstream default for the + default options, in order to not spam the console when e.g. + joining a network. + </para> + <para> + This therefore leads to adding a new <literal>debug</literal> + option to set the log level to the previous verbose mode, to + make debugging easier, but still accessible easily. + </para> + <para> + Additionally a <literal>copytoram</literal> option has been + added, which makes it possible to remove the install medium + after booting. This allows tethering from your phone after + booting from it. + </para> + </listitem> + <listitem> + <para> + <literal>services.gitlab-runner.configOptions</literal> has + been added to specify the configuration of gitlab-runners + declaratively. + </para> + </listitem> + <listitem> + <para> + <literal>services.jenkins.plugins</literal> has been added to + install plugins easily, this can be generated with + jenkinsPlugins2nix. + </para> + </listitem> + <listitem> + <para> + <literal>services.postfix.config</literal> has been added to + specify the main.cf with NixOS options. Additionally other + options have been added to the postfix module and has been + improved further. + </para> + </listitem> + <listitem> + <para> + The GitLab package and module have been updated to the latest + 10.0 release. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>systemd-boot</literal> boot loader now lists the + NixOS version, kernel version and build date of all bootable + generations. + </para> + </listitem> + <listitem> + <para> + The dnscrypt-proxy service now defaults to using a random + upstream resolver, selected from the list of public + non-logging resolvers with DNSSEC support. Existing + configurations can be migrated to this mode of operation by + omitting the + <literal>services.dnscrypt-proxy.resolverName</literal> option + or setting it to <literal>"random"</literal>. + </para> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1803.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1803.section.xml new file mode 100644 index 00000000000..f54f6129e0d --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-1803.section.xml 
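Review bot: in the rl-1709 hunk, the SQL listing under the `services.mysql` `ensureUsers` item does not match the paragraph above it. The text says to add a `root` user for Unix socket authentication, but `CREATE USER 'root'@'%' IDENTIFIED BY '';` creates a root account with an empty password for any client host, and the following `GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;` gives that account full control; nothing in the listing names the socket plugin. If socket authentication is the intent, the listing should bind the account to the local socket and name the plugin, e.g. on MariaDB (the default at this release) `CREATE USER 'root'@'localhost' IDENTIFIED VIA unix_socket;`, and if the `'%'` host is deliberate the paragraph should say why and warn that the account is usable from any host the server accepts connections from. Smaller points in the same hunk: the `ipfs` migration listing should quote `"$dataDir"` in the `mv` and say that `<valueOfDataDir>` is a placeholder to be replaced; and since these XML files are generated from the Markdown sources, the following typos need fixing in the `.md` or they will come back on regeneration: "In an Qemu-based" → "In a QEMU-based", "i.e. `enp0s3`" → "e.g. `enp0s3`", "accomodate" → "accommodate", "handled currectly" → "handled correctly", "take it's place" → "take its place", "Templated systemd services e.g" → "e.g.".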
@@ -0,0 +1,871 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-18.03"> + <title>Release 18.03 (<quote>Impala</quote>, 2018/04/04)</title> + <section xml:id="sec-release-18.03-highlights"> + <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + End of support is planned for end of October 2018, handing + over to 18.09. + </para> + </listitem> + <listitem> + <para> + Platform support: x86_64-linux and x86_64-darwin since release + time (the latter isn't NixOS, really). Binaries for + aarch64-linux are available, but no channel exists yet, as + it's waiting for some test fixes, etc. + </para> + </listitem> + <listitem> + <para> + Nix now defaults to 2.0; see its + <link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.0">release + notes</link>. + </para> + </listitem> + <listitem> + <para> + Core version changes: linux: 4.9 -> 4.14, glibc: 2.25 -> + 2.26, gcc: 6 -> 7, systemd: 234 -> 237. + </para> + </listitem> + <listitem> + <para> + Desktop version changes: gnome: 3.24 -> 3.26, (KDE) + plasma-desktop: 5.10 -> 5.12. + </para> + </listitem> + <listitem> + <para> + MariaDB 10.2, updated from 10.1, is now the default MySQL + implementation. While upgrading a few changes have been made + to the infrastructure involved: + </para> + <itemizedlist> + <listitem> + <para> + <literal>libmysql</literal> has been deprecated, please + use <literal>mysql.connector-c</literal> instead, a + compatibility passthru has been added to the MySQL + packages. + </para> + </listitem> + <listitem> + <para> + The <literal>mysql57</literal> package has a new + <literal>static</literal> output containing the static + libraries including <literal>libmysqld.a</literal> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + PHP now defaults to PHP 7.2, updated from 7.1. 
+ </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-18.03-new-services"> + <title>New Services</title> + <para> + The following new services were added since the last release: + </para> + <itemizedlist> + <listitem> + <para> + <literal>./config/krb5/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./hardware/digitalbitbox.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./misc/label.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/ccache.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/criu.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/digitalbitbox/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/less.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/npm.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/plotinus.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/rootston.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/systemtap.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/sway.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/udevil.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/way-cooler.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/yabar.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/zsh/zsh-autoenv.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/backup/borgbackup.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/backup/crashplan-small-business.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/dleyna-renderer.nix</literal> + </para> 
+ </listitem> + <listitem> + <para> + <literal>./services/desktops/dleyna-server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/pipewire.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/gnome3/chrome-gnome-shell.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/gnome3/tracker-miners.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/hardware/fwupd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/hardware/interception-tools.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/hardware/u2f.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/hardware/usbmuxd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/mail/clamsmtp.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/mail/dkimproxy-out.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/mail/pfix-srsd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/gitea.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/home-assistant.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/ihaskell.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/logkeys.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/novacomd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/osrm.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/plexpy.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/pykms.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/tzupdate.nix</literal> + </para> + 
</listitem> + <listitem> + <para> + <literal>./services/monitoring/fusion-inventory.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/monitoring/prometheus/exporters.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/network-filesystems/beegfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/network-filesystems/davfs2.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/network-filesystems/openafs/client.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/network-filesystems/openafs/server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/network-filesystems/ceph.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/aria2.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/monero.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/nghttpx/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/nixops-dns.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/rxe.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/stunnel.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-apps/matomo.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-apps/restya-board.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-servers/mighttpd2.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/x11/fractalart.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./system/boot/binfmt.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./system/boot/grow-partition.nix</literal> + </para> + </listitem> 
+ <listitem> + <para> + <literal>./tasks/filesystems/ecryptfs.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./virtualisation/hyperv-guest.nix</literal> + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-18.03-incompatibilities"> + <title>Backward Incompatibilities</title> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist> + <listitem> + <para> + <literal>sound.enable</literal> now defaults to false. + </para> + </listitem> + <listitem> + <para> + Dollar signs in options under + <literal>services.postfix</literal> are passed verbatim to + Postfix, which will interpret them as the beginning of a + parameter expression. This was already true for string-valued + options in the previous release, but not for list-valued + options. If you need to pass literal dollar signs through + Postfix, double them. + </para> + </listitem> + <listitem> + <para> + The <literal>postage</literal> package (for web-based + PostgreSQL administration) has been renamed to + <literal>pgmanage</literal>. The corresponding module has also + been renamed. To migrate please rename all + <literal>services.postage</literal> options to + <literal>services.pgmanage</literal>. + </para> + </listitem> + <listitem> + <para> + Package attributes starting with a digit have been prefixed + with an underscore sign. This is to avoid quoting in the + configuration and other issues with command-line tools like + <literal>nix-env</literal>. 
The change affects the following + packages: + </para> + <itemizedlist> + <listitem> + <para> + <literal>2048-in-terminal</literal> → + <literal>_2048-in-terminal</literal> + </para> + </listitem> + <listitem> + <para> + <literal>90secondportraits</literal> → + <literal>_90secondportraits</literal> + </para> + </listitem> + <listitem> + <para> + <literal>2bwm</literal> → <literal>_2bwm</literal> + </para> + </listitem> + <listitem> + <para> + <literal>389-ds-base</literal> → + <literal>_389-ds-base</literal> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <emphasis role="strong">The OpenSSH service no longer enables + support for DSA keys by default, which could cause a system + lock out. Update your keys or, unfavorably, re-enable DSA + support manually.</emphasis> + </para> + <para> + DSA support was + <link xlink:href="https://www.openssh.com/legacy.html">deprecated + in OpenSSH 7.0</link>, due to it being too weak. To re-enable + support, add + <literal>PubkeyAcceptedKeyTypes +ssh-dss</literal> to the end + of your <literal>services.openssh.extraConfig</literal>. + </para> + <para> + After updating the keys to be stronger, anyone still on a + pre-17.03 version is safe to jump to 17.03, as vetted + <link xlink:href="https://search.nix.gsc.io/?q=stateVersion">here</link>. + </para> + </listitem> + <listitem> + <para> + The <literal>openssh</literal> package now includes Kerberos + support by default; the + <literal>openssh_with_kerberos</literal> package is now a + deprecated alias. If you do not want Kerberos support, you can + do + <literal>openssh.override { withKerberos = false; }</literal>. + Note, this also applies to the <literal>openssh_hpn</literal> + package. + </para> + </listitem> + <listitem> + <para> + <literal>cc-wrapper</literal> has been split in two; there is + now also a <literal>bintools-wrapper</literal>. The most + commonly used files in <literal>nix-support</literal> are now + split between the two wrappers. 
Some commonly used ones, like + <literal>nix-support/dynamic-linker</literal>, are duplicated + for backwards compatability, even though they rightly belong + only in <literal>bintools-wrapper</literal>. Other more + obscure ones are just moved. + </para> + </listitem> + <listitem> + <para> + The propagation logic has been changed. The new logic, along + with new types of dependencies that go with, is thoroughly + documented in the "Specifying dependencies" section + of the "Standard Environment" chapter of the nixpkgs + manual. The old logic isn't but is easy to describe: + dependencies were propagated as the same type of dependency no + matter what. In practice, that means that many + <literal>propagatedNativeBuildInputs</literal> should instead + be <literal>propagatedBuildInputs</literal>. Thankfully, that + was and is the least used type of dependency. Also, it means + that some <literal>propagatedBuildInputs</literal> should + instead be <literal>depsTargetTargetPropagated</literal>. + Other types dependencies should be unaffected. + </para> + </listitem> + <listitem> + <para> + <literal>lib.addPassthru drv passthru</literal> is removed. + Use <literal>lib.extendDerivation true passthru drv</literal> + instead. + </para> + </listitem> + <listitem> + <para> + The <literal>memcached</literal> service no longer accept + dynamic socket paths via + <literal>services.memcached.socket</literal>. Unix sockets can + be still enabled by + <literal>services.memcached.enableUnixSocket</literal> and + will be accessible at + <literal>/run/memcached/memcached.sock</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>hardware.amdHybridGraphics.disable</literal> + option was removed for lack of a maintainer. If you still need + this module, you may wish to include a copy of it from an + older version of nixos in your imports. 
+ </para> + </listitem> + <listitem> + <para> + The merging of config options for + <literal>services.postfix.config</literal> was buggy. + Previously, if other options in the Postfix module like + <literal>services.postfix.useSrs</literal> were set and the + user set config options that were also set by such options, + the resulting config wouldn't include all options that were + needed. They are now merged correctly. If config options need + to be overridden, <literal>lib.mkForce</literal> or + <literal>lib.mkOverride</literal> can be used. + </para> + </listitem> + <listitem> + <para> + The following changes apply if the + <literal>stateVersion</literal> is changed to 18.03 or higher. + For <literal>stateVersion = "17.09"</literal> or + lower the old behavior is preserved. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>matrix-synapse</literal> uses postgresql by + default instead of sqlite. Migration instructions can be + found + <link xlink:href="https://github.com/matrix-org/synapse/blob/master/docs/postgres.rst#porting-from-sqlite"> + here </link>. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>jid</literal> package has been removed, due to + maintenance overhead of a go package having non-versioned + dependencies. + </para> + </listitem> + <listitem> + <para> + When using <literal>services.xserver.libinput</literal> + (enabled by default in GNOME), it now handles all input + devices, not just touchpads. As a result, you might need to + re-evaluate any custom Xorg configuration. In particular, + <literal>Option "XkbRules" "base"</literal> + may result in broken keyboard layout. + </para> + </listitem> + <listitem> + <para> + The <literal>attic</literal> package was removed. A maintained + fork called + <link xlink:href="https://www.borgbackup.org/">Borg</link> + should be used instead. 
Migration instructions can be found + <link xlink:href="http://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#attic-and-borg-0-xx-to-borg-1-x">here</link>. + </para> + </listitem> + <listitem> + <para> + The Piwik analytics software was renamed to Matomo: + </para> + <itemizedlist> + <listitem> + <para> + The package <literal>pkgs.piwik</literal> was renamed to + <literal>pkgs.matomo</literal>. + </para> + </listitem> + <listitem> + <para> + The service <literal>services.piwik</literal> was renamed + to <literal>services.matomo</literal>. + </para> + </listitem> + <listitem> + <para> + The data directory <literal>/var/lib/piwik</literal> was + renamed to <literal>/var/lib/matomo</literal>. All files + will be moved automatically on first startup, but you + might need to adjust your backup scripts. + </para> + </listitem> + <listitem> + <para> + The default <literal>serverName</literal> for the nginx + configuration changed from + <literal>piwik.${config.networking.hostName}</literal> to + <literal>matomo.${config.networking.hostName}.${config.networking.domain}</literal> + if <literal>config.networking.domain</literal> is set, + <literal>matomo.${config.networking.hostName}</literal> if + it is not set. If you change your + <literal>serverName</literal>, remember you'll need to + update the <literal>trustedHosts[]</literal> array in + <literal>/var/lib/matomo/config/config.ini.php</literal> + as well. + </para> + </listitem> + <listitem> + <para> + The <literal>piwik</literal> user was renamed to + <literal>matomo</literal>. The service will adjust + ownership automatically for files in the data directory. + If you use unix socket authentication, remember to give + the new <literal>matomo</literal> user access to the + database and to change the <literal>username</literal> to + <literal>matomo</literal> in the + <literal>[database]</literal> section of + <literal>/var/lib/matomo/config/config.ini.php</literal>. 
+ </para> + </listitem> + <listitem> + <para> + If you named your database `piwik`, you might want to + rename it to `matomo` to keep things clean, but this is + neither enforced nor required. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>nodejs-4_x</literal> is end-of-life. + <literal>nodejs-4_x</literal>, + <literal>nodejs-slim-4_x</literal> and + <literal>nodePackages_4_x</literal> are removed. + </para> + </listitem> + <listitem> + <para> + The <literal>pump.io</literal> NixOS module was removed. It is + now maintained as an + <link xlink:href="https://github.com/rvl/pump.io-nixos">external + module</link>. + </para> + </listitem> + <listitem> + <para> + The Prosody XMPP server has received a major update. The + following modules were renamed: + </para> + <itemizedlist> + <listitem> + <para> + <literal>services.prosody.modules.httpserver</literal> is + now <literal>services.prosody.modules.http_files</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services.prosody.modules.console</literal> is now + <literal>services.prosody.modules.admin_telnet</literal> + </para> + </listitem> + </itemizedlist> + <para> + Many new modules are now core modules, most notably + <literal>services.prosody.modules.carbons</literal> and + <literal>services.prosody.modules.mam</literal>. + </para> + <para> + The better-performing <literal>libevent</literal> backend is + now enabled by default. + </para> + <para> + <literal>withCommunityModules</literal> now passes through the + modules to <literal>services.prosody.extraModules</literal>. + Use <literal>withOnlyInstalledCommunityModules</literal> for + modules that should not be enabled directly, e.g + <literal>lib_ldap</literal>. + </para> + </listitem> + <listitem> + <para> + All prometheus exporter modules are now defined as submodules. + The exporters are configured using + <literal>services.prometheus.exporters</literal>. 
+ </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-18.03-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + ZNC option <literal>services.znc.mutable</literal> now + defaults to <literal>true</literal>. That means that old + configuration is not overwritten by default when update to the + znc options are made. + </para> + </listitem> + <listitem> + <para> + The option + <literal>networking.wireless.networks.<name>.auth</literal> + has been added for wireless networks with WPA-Enterprise + authentication. There is also a new + <literal>extraConfig</literal> option to directly configure + <literal>wpa_supplicant</literal> and + <literal>hidden</literal> to connect to hidden networks. + </para> + </listitem> + <listitem> + <para> + In the module + <literal>networking.interfaces.<name></literal> the + following options have been removed: + </para> + <itemizedlist> + <listitem> + <para> + <literal>ipAddress</literal> + </para> + </listitem> + <listitem> + <para> + <literal>ipv6Address</literal> + </para> + </listitem> + <listitem> + <para> + <literal>prefixLength</literal> + </para> + </listitem> + <listitem> + <para> + <literal>ipv6PrefixLength</literal> + </para> + </listitem> + <listitem> + <para> + <literal>subnetMask</literal> + </para> + </listitem> + </itemizedlist> + <para> + To assign static addresses to an interface the options + <literal>ipv4.addresses</literal> and + <literal>ipv6.addresses</literal> should be used instead. The + options <literal>ip4</literal> and <literal>ip6</literal> have + been renamed to <literal>ipv4.addresses</literal> + <literal>ipv6.addresses</literal> respectively. The new + options <literal>ipv4.routes</literal> and + <literal>ipv6.routes</literal> have been added to set up + static routing. + </para> + </listitem> + <listitem> + <para> + The option <literal>services.logstash.listenAddress</literal> + is now <literal>127.0.0.1</literal> by default. 
Previously the + default behaviour was to listen on all interfaces. + </para> + </listitem> + <listitem> + <para> + <literal>services.btrfs.autoScrub</literal> has been added, to + periodically check btrfs filesystems for data corruption. If + there's a correct copy available, it will automatically repair + corrupted blocks. + </para> + </listitem> + <listitem> + <para> + <literal>displayManager.lightdm.greeters.gtk.clock-format.</literal> + has been added, the clock format string (as expected by + strftime, e.g. <literal>%H:%M</literal>) to use with the + lightdm gtk greeter panel. + </para> + <para> + If set to null the default clock format is used. + </para> + </listitem> + <listitem> + <para> + <literal>displayManager.lightdm.greeters.gtk.indicators</literal> + has been added, a list of allowed indicator modules to use + with the lightdm gtk greeter panel. + </para> + <para> + Built-in indicators include <literal>~a11y</literal>, + <literal>~language</literal>, <literal>~session</literal>, + <literal>~power</literal>, <literal>~clock</literal>, + <literal>~host</literal>, <literal>~spacer</literal>. Unity + indicators can be represented by short name (e.g. + <literal>sound</literal>, <literal>power</literal>), service + file name, or absolute path. + </para> + <para> + If set to <literal>null</literal> the default indicators are + used. + </para> + <para> + In order to have the previous default configuration add + </para> + <programlisting language="bash"> +{ + services.xserver.displayManager.lightdm.greeters.gtk.indicators = [ + "~host" "~spacer" + "~clock" "~spacer" + "~session" + "~language" + "~a11y" + "~power" + ]; +} +</programlisting> + <para> + to your <literal>configuration.nix</literal>. + </para> + </listitem> + <listitem> + <para> + The NixOS test driver supports user services declared by + <literal>systemd.user.services</literal>. 
The methods + <literal>waitForUnit</literal>, + <literal>getUnitInfo</literal>, <literal>startJob</literal> + and <literal>stopJob</literal> provide an optional + <literal>$user</literal> argument for that purpose. + </para> + </listitem> + <listitem> + <para> + Enabling bash completion on NixOS, + <literal>programs.bash.enableCompletion</literal>, will now + also enable completion for the Nix command line tools by + installing the + <link xlink:href="https://github.com/hedning/nix-bash-completions">nix-bash-completions</link> + package. + </para> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1809.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1809.section.xml new file mode 100644 index 00000000000..aa4637a99b6 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-1809.section.xml 
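Review bot: the Matomo database item in this hunk still carries Markdown backticks ("If you named your database `piwik`, you might want to rename it to `matomo`") while every other identifier in the file is wrapped in `<literal>`; the converter missed these, so change them to `<literal>piwik</literal>` and `<literal>matomo</literal>` or the backticks will appear verbatim in the rendered manual. Two smaller points in the same hunk: the ZNC item reads "when update to the znc options are made" and should be "when updates to the znc options are made"; and the lightdm `indicators` snippet is a Nix attribute set but is tagged `<programlisting language="bash">`, which will mis-highlight it, so tag it `language="nix"` or drop the attribute.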
@@ -0,0 +1,941 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-18.09"> + <title>Release 18.09 (<quote>Jellyfish</quote>, 2018/10/05)</title> + <section xml:id="sec-release-18.09-highlights"> + <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following notable updates: + </para> + <itemizedlist> + <listitem> + <para> + End of support is planned for end of April 2019, handing over + to 19.03. + </para> + </listitem> + <listitem> + <para> + Platform support: x86_64-linux and x86_64-darwin as always. + Support for aarch64-linux is as with the previous releases, + not equivalent to the x86-64-linux release, but with efforts + to reach parity. + </para> + </listitem> + <listitem> + <para> + Nix has been updated to 2.1; see its + <link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.1">release + notes</link>. + </para> + </listitem> + <listitem> + <para> + Core versions: linux: 4.14 LTS (unchanged), glibc: 2.26 → + 2.27, gcc: 7 (unchanged), systemd: 237 → 239. + </para> + </listitem> + <listitem> + <para> + Desktop version changes: gnome: 3.26 → 3.28, (KDE) + plasma-desktop: 5.12 → 5.13. + </para> + </listitem> + </itemizedlist> + <para> + Notable changes and additions for 18.09 include: + </para> + <itemizedlist> + <listitem> + <para> + Support for wrapping binaries using + <literal>firejail</literal> has been added through + <literal>programs.firejail.wrappedBinaries</literal>. + </para> + <para> + For example + </para> + <programlisting language="bash"> +{ + programs.firejail = { + enable = true; + wrappedBinaries = { + firefox = "${lib.getBin pkgs.firefox}/bin/firefox"; + mpv = "${lib.getBin pkgs.mpv}/bin/mpv"; + }; + }; +} +</programlisting> + <para> + This will place <literal>firefox</literal> and + <literal>mpv</literal> binaries in the global path wrapped by + firejail. 
+ </para> + </listitem> + <listitem> + <para> + User channels are now in the default + <literal>NIX_PATH</literal>, allowing users to use their + personal <literal>nix-channel</literal> defined channels in + <literal>nix-build</literal> and <literal>nix-shell</literal> + commands, as well as in imports like + <literal>import <mychannel></literal>. + </para> + <para> + For example + </para> + <programlisting> +$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgsunstable +$ nix-channel --update +$ nix-build '<nixpkgsunstable>' -A gitFull +$ nix run -f '<nixpkgsunstable>' gitFull +$ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' +</programlisting> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-18.09-new-services"> + <title>New Services</title> + <para> + A curated selection of new services that were added since the last + release: + </para> + <itemizedlist> + <listitem> + <para> + The <literal>services.cassandra</literal> module has been + reworked and was rewritten from scratch. The service has + succeeding tests for the versions 2.1, 2.2, 3.0 and 3.11 of + <link xlink:href="https://cassandra.apache.org/">Apache + Cassandra</link>. + </para> + </listitem> + <listitem> + <para> + There is a new <literal>services.foundationdb</literal> module + for deploying + <link xlink:href="https://www.foundationdb.org">FoundationDB</link> + clusters. + </para> + </listitem> + <listitem> + <para> + When enabled the <literal>iproute2</literal> will copy the + files expected by ip route (e.g., + <literal>rt_tables</literal>) in + <literal>/etc/iproute2</literal>. This allows to write aliases + for routing tables for instance. + </para> + </listitem> + <listitem> + <para> + <literal>services.strongswan-swanctl</literal> is a modern + replacement for <literal>services.strongswan</literal>. You + can use either one of them to setup IPsec VPNs but not both at + the same time. 
+ </para> + <para> + <literal>services.strongswan-swanctl</literal> uses the + <link xlink:href="https://wiki.strongswan.org/projects/strongswan/wiki/swanctl">swanctl</link> + command which uses the modern + <link xlink:href="https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md">vici</link> + <emphasis>Versatile IKE Configuration Interface</emphasis>. + The deprecated <literal>ipsec</literal> command used in + <literal>services.strongswan</literal> is using the legacy + <link xlink:href="https://github.com/strongswan/strongswan/blob/master/README_LEGACY.md">stroke + configuration interface</link>. + </para> + </listitem> + <listitem> + <para> + The new <literal>services.elasticsearch-curator</literal> + service periodically curates or manages, your Elasticsearch + indices and snapshots. + </para> + </listitem> + </itemizedlist> + <para> + Every new services: + </para> + <itemizedlist> + <listitem> + <para> + <literal>./config/xdg/autostart.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./config/xdg/icons.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./config/xdg/menus.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./config/xdg/mime.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./hardware/brightnessctl.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./hardware/onlykey.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./hardware/video/uvcvideo/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./misc/documentation.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/firejail.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/iftop.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/sedutil.nix</literal> + </para> + </listitem> + <listitem> + <para> + 
<literal>./programs/singularity.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/xss-lock.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/zsh/zsh-autosuggestions.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/admin/oxidized.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/backup/duplicati.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/backup/restic.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/backup/restic-rest-server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/cluster/hadoop/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/databases/aerospike.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/databases/monetdb.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/bamf.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/flatpak.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/zeitgeist.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/development/bloop.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/development/jupyter/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/hardware/lcd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/hardware/undervolt.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/clipmenu.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/gitweb.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/serviio.nix</literal> + </para> + </listitem> + <listitem> + <para> + 
<literal>./services/misc/safeeyes.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/sysprof.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/weechat.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/monitoring/datadog-agent.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/monitoring/incron.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/dnsdist.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/freeradius.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/hans.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/morty.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/ndppd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/ocserv.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/owamp.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/quagga.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/shadowsocks.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/stubby.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/zeronet.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/security/certmgr.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/security/cfssl.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/security/oauth2_proxy_nginx.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-apps/virtlyst.nix</literal> + </para> + </listitem> + <listitem> + 
<para> + <literal>./services/web-apps/youtrack.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-servers/hitch/default.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-servers/hydron.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-servers/meguca.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-servers/nginx/gitweb.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./virtualisation/kvmgt.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./virtualisation/qemu-guest-agent.nix</literal> + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-18.09-incompatibilities"> + <title>Backward Incompatibilities</title> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist> + <listitem> + <para> + Some licenses that were incorrectly not marked as unfree now + are. This is the case for: + </para> + <itemizedlist> + <listitem> + <para> + cc-by-nc-sa-20: Creative Commons Attribution Non + Commercial Share Alike 2.0 + </para> + </listitem> + <listitem> + <para> + cc-by-nc-sa-25: Creative Commons Attribution Non + Commercial Share Alike 2.5 + </para> + </listitem> + <listitem> + <para> + cc-by-nc-sa-30: Creative Commons Attribution Non + Commercial Share Alike 3.0 + </para> + </listitem> + <listitem> + <para> + cc-by-nc-sa-40: Creative Commons Attribution Non + Commercial Share Alike 4.0 + </para> + </listitem> + <listitem> + <para> + cc-by-nd-30: Creative Commons Attribution-No Derivative + Works v3.00 + </para> + </listitem> + <listitem> + <para> + msrla: Microsoft Research License Agreement + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The deprecated <literal>services.cassandra</literal> module + has seen a complete rewrite. (See above.) 
+ </para> + </listitem> + <listitem> + <para> + <literal>lib.strict</literal> is removed. Use + <literal>builtins.seq</literal> instead. + </para> + </listitem> + <listitem> + <para> + The <literal>clementine</literal> package points now to the + free derivation. <literal>clementineFree</literal> is removed + now and <literal>clementineUnfree</literal> points to the + package which is bundled with the unfree + <literal>libspotify</literal> package. + </para> + </listitem> + <listitem> + <para> + The <literal>netcat</literal> package is now taken directly + from OpenBSD's <literal>libressl</literal>, instead of relying + on Debian's fork. The new version should be very close to the + old version, but there are some minor differences. + Importantly, flags like -b, -q, -C, and -Z are no longer + accepted by the nc command. + </para> + </listitem> + <listitem> + <para> + The <literal>services.docker-registry.extraConfig</literal> + object doesn't contain environment variables anymore. Instead + it needs to provide an object structure that can be mapped + onto the YAML configuration defined in + <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the + <literal>docker/distribution</literal> docs</link>. + </para> + </listitem> + <listitem> + <para> + <literal>gnucash</literal> has changed from version 2.4 to + 3.x. If you've been using <literal>gnucash</literal> (version + 2.4) instead of <literal>gnucash26</literal> (version 2.6) you + must open your Gnucash data file(s) with + <literal>gnucash26</literal> and then save them to upgrade the + file format. Then you may use your data file(s) with Gnucash + 3.x. See the upgrade + <link xlink:href="https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade">documentation</link>. + Gnucash 2.4 is still available under the attribute + <literal>gnucash24</literal>. 
+ </para> + </listitem> + <listitem> + <para> + <literal>services.munge</literal> now runs as user (and group) + <literal>munge</literal> instead of root. Make sure the key + file is accessible to the daemon. + </para> + </listitem> + <listitem> + <para> + <literal>dockerTools.buildImage</literal> now uses + <literal>null</literal> as default value for + <literal>tag</literal>, which indicates that the nix output + hash will be used as tag. + </para> + </listitem> + <listitem> + <para> + The ELK stack: <literal>elasticsearch</literal>, + <literal>logstash</literal> and <literal>kibana</literal> has + been upgraded from 2.* to 6.3.*. The 2.* versions have been + <link xlink:href="https://www.elastic.co/support/eol">unsupported + since last year</link> so they have been removed. You can + still use the 5.* versions under the names + <literal>elasticsearch5</literal>, + <literal>logstash5</literal> and <literal>kibana5</literal>. + </para> + <para> + The elastic beats: <literal>filebeat</literal>, + <literal>heartbeat</literal>, <literal>metricbeat</literal> + and <literal>packetbeat</literal> have had the same treatment: + they now target 6.3.* as well. The 5.* versions are available + under the names: <literal>filebeat5</literal>, + <literal>heartbeat5</literal>, <literal>metricbeat5</literal> + and <literal>packetbeat5</literal> + </para> + <para> + The ELK-6.3 stack now comes with + <link xlink:href="https://www.elastic.co/products/x-pack/open">X-Pack + by default</link>. Since X-Pack is licensed under the + <link xlink:href="https://github.com/elastic/elasticsearch/blob/master/licenses/ELASTIC-LICENSE.txt">Elastic + License</link> the ELK packages now have an unfree license. To + use them you need to specify + <literal>allowUnfree = true;</literal> in your nixpkgs + configuration. + </para> + <para> + Fortunately there is also a free variant of the ELK stack + without X-Pack. 
The packages are available under the names: + <literal>elasticsearch-oss</literal>, + <literal>logstash-oss</literal> and + <literal>kibana-oss</literal>. + </para> + </listitem> + <listitem> + <para> + Options + <literal>boot.initrd.luks.devices.name.yubikey.ramfsMountPoint</literal> + <literal>boot.initrd.luks.devices.name.yubikey.storage.mountPoint</literal> + were removed. <literal>luksroot.nix</literal> module never + supported more than one YubiKey at a time anyway, hence those + options never had any effect. You should be able to remove + them from your config without any issues. + </para> + </listitem> + <listitem> + <para> + <literal>stdenv.system</literal> and <literal>system</literal> + in nixpkgs now refer to the host platform instead of the build + platform. For native builds this is not change, let alone a + breaking one. For cross builds, it is a breaking change, and + <literal>stdenv.buildPlatform.system</literal> can be used + instead for the old behavior. They should be using that + anyways for clarity. + </para> + </listitem> + <listitem> + <para> + Groups <literal>kvm</literal> and <literal>render</literal> + are introduced now, as systemd requires them. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-18.09-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + <literal>dockerTools.pullImage</literal> relies on image + digest instead of image tag to download the image. The + <literal>sha256</literal> of a pulled image has to be updated. + </para> + </listitem> + <listitem> + <para> + <literal>lib.attrNamesToStr</literal> has been deprecated. Use + more specific concatenation + (<literal>lib.concat(Map)StringsSep</literal>) instead. + </para> + </listitem> + <listitem> + <para> + <literal>lib.addErrorContextToAttrs</literal> has been + deprecated. Use <literal>builtins.addErrorContext</literal> + directly. 
+ </para> + </listitem> + <listitem> + <para> + <literal>lib.showVal</literal> has been deprecated. Use + <literal>lib.traceSeqN</literal> instead. + </para> + </listitem> + <listitem> + <para> + <literal>lib.traceXMLVal</literal> has been deprecated. Use + <literal>lib.traceValFn builtins.toXml</literal> instead. + </para> + </listitem> + <listitem> + <para> + <literal>lib.traceXMLValMarked</literal> has been deprecated. + Use + <literal>lib.traceValFn (x: str + builtins.toXML x)</literal> + instead. + </para> + </listitem> + <listitem> + <para> + The <literal>pkgs</literal> argument to NixOS modules can now + be set directly using <literal>nixpkgs.pkgs</literal>. + Previously, only the <literal>system</literal>, + <literal>config</literal> and <literal>overlays</literal> + arguments could be used to influence <literal>pkgs</literal>. + </para> + </listitem> + <listitem> + <para> + A NixOS system can now be constructed more easily based on a + preexisting invocation of Nixpkgs. For example: + </para> + <programlisting language="bash"> +{ + inherit (pkgs.nixos { + boot.loader.grub.enable = false; + fileSystems."/".device = "/dev/xvda1"; + }) toplevel kernel initialRamdisk manual; +} +</programlisting> + <para> + This benefits evaluation performance, lets you write Nixpkgs + packages that depend on NixOS images and is consistent with a + deployment architecture that would be centered around Nixpkgs + overlays. + </para> + </listitem> + <listitem> + <para> + <literal>lib.traceValIfNot</literal> has been deprecated. Use + <literal>if/then/else</literal> and + <literal>lib.traceValSeq</literal> instead. + </para> + </listitem> + <listitem> + <para> + <literal>lib.traceCallXml</literal> has been deprecated. + Please complain if you use the function regularly. + </para> + </listitem> + <listitem> + <para> + The attribute <literal>lib.nixpkgsVersion</literal> has been + deprecated in favor of <literal>lib.version</literal>. 
Please + refer to the discussion in + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/39416#discussion_r183845745">NixOS/nixpkgs#39416</link> + for further reference. + </para> + </listitem> + <listitem> + <para> + <literal>lib.recursiveUpdateUntil</literal> was not acting + according to its specification. It has been fixed to act + according to the docstring, and a test has been added. + </para> + </listitem> + <listitem> + <para> + The module for <literal>security.dhparams</literal> has two + new options now: + </para> + <variablelist> + <varlistentry> + <term> + <literal>security.dhparams.stateless</literal> + </term> + <listitem> + <para> + Puts the generated Diffie-Hellman parameters into the + Nix store instead of managing them in a stateful manner + in <literal>/var/lib/dhparams</literal>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <literal>security.dhparams.defaultBitSize</literal> + </term> + <listitem> + <para> + The default bit size to use for the generated + Diffie-Hellman parameters. + </para> + </listitem> + </varlistentry> + </variablelist> + <note> + <para> + The path to the actual generated parameter files should now + be queried using + <literal>config.security.dhparams.params.name.path</literal> + because it might be either in the Nix store or in a + directory configured by + <literal>security.dhparams.path</literal>. + </para> + </note> + <note> + <para> + <emphasis role="strong">For developers:</emphasis> + </para> + <para> + Module implementers should not set a specific bit size in + order to let users configure it by themselves if they want + to have a different bit size than the default (2048). + </para> + <para> + An example usage of this would be: + </para> + <programlisting language="bash"> +{ config, ... 
}: + +{ + security.dhparams.params.myservice = {}; + environment.etc."myservice.conf".text = '' + dhparams = ${config.security.dhparams.params.myservice.path} + ''; +} +</programlisting> + </note> + </listitem> + <listitem> + <para> + <literal>networking.networkmanager.useDnsmasq</literal> has + been deprecated. Use + <literal>networking.networkmanager.dns</literal> instead. + </para> + </listitem> + <listitem> + <para> + The Kubernetes package has been bumped to major version 1.11. + Please consult the + <link xlink:href="https://github.com/kubernetes/kubernetes/blob/release-1.11/CHANGELOG-1.11.md">release + notes</link> for details on new features and api changes. + </para> + </listitem> + <listitem> + <para> + The option + <literal>services.kubernetes.apiserver.admissionControl</literal> + was renamed to + <literal>services.kubernetes.apiserver.enableAdmissionPlugins</literal>. + </para> + </listitem> + <listitem> + <para> + Recommended way to access the Kubernetes Dashboard is via + HTTPS (TLS) Therefore; public service port for the dashboard + has changed to 443 (container port 8443) and scheme to https. + </para> + </listitem> + <listitem> + <para> + The option + <literal>services.kubernetes.apiserver.address</literal> was + renamed to + <literal>services.kubernetes.apiserver.bindAddress</literal>. + Note that the default value has changed from 127.0.0.1 to + 0.0.0.0. + </para> + </listitem> + <listitem> + <para> + The option + <literal>services.kubernetes.apiserver.publicAddress</literal> + was not used and thus has been removed. + </para> + </listitem> + <listitem> + <para> + The option + <literal>services.kubernetes.addons.dashboard.enableRBAC</literal> + was renamed to + <literal>services.kubernetes.addons.dashboard.rbac.enable</literal>. + </para> + </listitem> + <listitem> + <para> + The Kubernetes Dashboard now has only minimal RBAC permissions + by default. 
If dashboard cluster-admin rights are desired, set + <literal>services.kubernetes.addons.dashboard.rbac.clusterAdmin</literal> + to true. On existing clusters, in order for the revocation of + privileges to take effect, the current ClusterRoleBinding for + kubernetes-dashboard must be manually removed: + <literal>kubectl delete clusterrolebinding kubernetes-dashboard</literal> + </para> + </listitem> + <listitem> + <para> + The <literal>programs.screen</literal> module provides allows + to configure <literal>/etc/screenrc</literal>, however the + module behaved fairly counterintuitive as the config exists, + but the package wasn't available. Since 18.09 + <literal>pkgs.screen</literal> will be added to + <literal>environment.systemPackages</literal>. + </para> + </listitem> + <listitem> + <para> + The module <literal>services.networking.hostapd</literal> now + uses WPA2 by default. + </para> + </listitem> + <listitem> + <para> + <literal>s6Dns</literal>, <literal>s6Networking</literal>, + <literal>s6LinuxUtils</literal> and + <literal>s6PortableUtils</literal> renamed to + <literal>s6-dns</literal>, <literal>s6-networking</literal>, + <literal>s6-linux-utils</literal> and + <literal>s6-portable-utils</literal> respectively. + </para> + </listitem> + <listitem> + <para> + The module option <literal>nix.useSandbox</literal> is now + defaulted to <literal>true</literal>. + </para> + </listitem> + <listitem> + <para> + The config activation script of + <literal>nixos-rebuild</literal> now + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemctl.html#Manager%20Lifecycle%20Commands">reloads</link> + all user units for each authenticated user. + </para> + </listitem> + <listitem> + <para> + The default display manager is now LightDM. To use SLiM set + <literal>services.xserver.displayManager.slim.enable</literal> + to <literal>true</literal>. 
+ </para> + </listitem> + <listitem> + <para> + NixOS option descriptions are now automatically broken up into + individual paragraphs if the text contains two consecutive + newlines, so it's no longer necessary to use + <literal></para><para></literal> to start a new + paragraph. + </para> + </listitem> + <listitem> + <para> + Top-level <literal>buildPlatform</literal>, + <literal>hostPlatform</literal>, and + <literal>targetPlatform</literal> in Nixpkgs are deprecated. + Please use their equivalents in <literal>stdenv</literal> + instead: <literal>stdenv.buildPlatform</literal>, + <literal>stdenv.hostPlatform</literal>, and + <literal>stdenv.targetPlatform</literal>. + </para> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1903.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1903.section.xml new file mode 100644 index 00000000000..f26e68e1320 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-1903.section.xml 
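Review bot: the `services.kubernetes.apiserver.bindAddress` item is filed under Other Notable Changes, but its default moving from 127.0.0.1 to 0.0.0.0 means an API server that was loopback-only before the upgrade will listen on every interface afterwards unless the user already set the option explicitly, which is a backward-incompatible change with a security impact; move it to the Backward Incompatibilities section and state that the previous behaviour is kept by setting `services.kubernetes.apiserver.bindAddress = "127.0.0.1";`. The Dashboard RBAC item in the same hunk is the model to follow: it names the option that restores the old privileges and spells out the manual step (`kubectl delete clusterrolebinding kubernetes-dashboard`) needed on existing clusters. Smaller fixes in this hunk: "Every new services:" should be "Every new service:"; "For native builds this is not change" should read "this is not a change"; "via HTTPS (TLS) Therefore; public service port" has its punctuation swapped and should be "via HTTPS (TLS). Therefore, the public service port"; "The `programs.screen` module provides allows to configure" should drop "provides"; and the three Nix snippets (firejail, `pkgs.nixos`, dhparams) are tagged `<programlisting language="bash">` and should be `language="nix"`.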
@@ -0,0 +1,790 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-19.03"> + <title>Release 19.03 (<quote>Koi</quote>, 2019/04/11)</title> + <section xml:id="sec-release-19.03-highlights"> + <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + End of support is planned for end of October 2019, handing + over to 19.09. + </para> + </listitem> + <listitem> + <para> + The default Python 3 interpreter is now CPython 3.7 instead of + CPython 3.6. + </para> + </listitem> + <listitem> + <para> + Added the Pantheon desktop environment. It can be enabled + through + <literal>services.xserver.desktopManager.pantheon.enable</literal>. + </para> + <note> + <para> + By default, + <literal>services.xserver.desktopManager.pantheon</literal> + enables LightDM as a display manager, as pantheon's screen + locking implementation relies on it. Because of that it is + recommended to leave LightDM enabled. If you'd like to + disable it anyway, set + <literal>services.xserver.displayManager.lightdm.enable</literal> + to <literal>false</literal> and enable your preferred + display manager. + </para> + </note> + <para> + Also note that Pantheon's LightDM greeter is not enabled by + default, because it has numerous issues in NixOS and isn't + optimal for use here yet. + </para> + </listitem> + <listitem> + <para> + A major refactoring of the Kubernetes module has been + completed. Refactorings primarily focus on decoupling + components and enhancing security. Two-way TLS and RBAC has + been enabled by default for all components, which slightly + changes the way the module is configured. See: + <xref linkend="sec-kubernetes" /> for details. 
+ </para> + </listitem> + <listitem> + <para> + There is now a set of <literal>confinement</literal> options + for <literal>systemd.services</literal>, which allows to + restrict services into a chroot 2 ed environment that only + contains the store paths from the runtime closure of the + service. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-19.03-new-services"> + <title>New Services</title> + <para> + The following new services were added since the last release: + </para> + <itemizedlist> + <listitem> + <para> + <literal>./programs/nm-applet.nix</literal> + </para> + </listitem> + <listitem> + <para> + There is a new <literal>security.googleOsLogin</literal> + module for using + <link xlink:href="https://cloud.google.com/compute/docs/instances/managing-instance-access">OS + Login</link> to manage SSH access to Google Compute Engine + instances, which supersedes the imperative and broken + <literal>google-accounts-daemon</literal> used in + <literal>nixos/modules/virtualisation/google-compute-config.nix</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/beanstalkd.nix</literal> + </para> + </listitem> + <listitem> + <para> + There is a new <literal>services.cockroachdb</literal> module + for running CockroachDB databases. NixOS now ships with + CockroachDB 2.1.x as well, available on + <literal>x86_64-linux</literal> and + <literal>aarch64-linux</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>./security/duosec.nix</literal> + </para> + </listitem> + <listitem> + <para> + The <link xlink:href="https://duo.com/docs/duounix">PAM module + for Duo Security</link> has been enabled for use. One can + configure it using the <literal>security.duosec</literal> + options along with the corresponding PAM option in + <literal>security.pam.services.<name?>.duoSecurity.enable</literal>. 
+ </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-19.03-incompatibilities"> + <title>Backward Incompatibilities</title> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist> + <listitem> + <para> + The minimum version of Nix required to evaluate Nixpkgs is now + 2.0. + </para> + <itemizedlist> + <listitem> + <para> + For users of NixOS 18.03 and 19.03, NixOS defaults to Nix + 2.0, but supports using Nix 1.11 by setting + <literal>nix.package = pkgs.nix1;</literal>. If this + option is set to a Nix 1.11 package, you will need to + either unset the option or upgrade it to Nix 2.0. + </para> + </listitem> + <listitem> + <para> + For users of NixOS 17.09, you will first need to upgrade + Nix by setting + <literal>nix.package = pkgs.nixStable2;</literal> and run + <literal>nixos-rebuild switch</literal> as the + <literal>root</literal> user. + </para> + </listitem> + <listitem> + <para> + For users of a daemon-less Nix installation on Linux or + macOS, you can upgrade Nix by running + <literal>curl -L https://nixos.org/nix/install | sh</literal>, + or prior to doing a channel update, running + <literal>nix-env -iA nix</literal>. If you have already + run a channel update and Nix is no longer able to evaluate + Nixpkgs, the error message printed should provide adequate + directions for upgrading Nix. + </para> + </listitem> + <listitem> + <para> + For users of the Nix daemon on macOS, you can upgrade Nix + by running + <literal>sudo -i sh -c 'nix-channel --update && nix-env -iA nixpkgs.nix'; sudo launchctl stop org.nixos.nix-daemon; sudo launchctl start org.nixos.nix-daemon</literal>. 
+ </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>buildPythonPackage</literal> function now sets + <literal>strictDeps = true</literal> to help distinguish + between native and non-native dependencies in order to improve + cross-compilation compatibility. Note however that this may + break user expressions. + </para> + </listitem> + <listitem> + <para> + The <literal>buildPythonPackage</literal> function now sets + <literal>LANG = C.UTF-8</literal> to enable Unicode support. + The <literal>glibcLocales</literal> package is no longer + needed as a build input. + </para> + </listitem> + <listitem> + <para> + The Syncthing state and configuration data has been moved from + <literal>services.syncthing.dataDir</literal> to the newly + defined <literal>services.syncthing.configDir</literal>, which + default to + <literal>/var/lib/syncthing/.config/syncthing</literal>. This + change makes possible to share synced directories using ACLs + without Syncthing resetting the permission on every start. + </para> + </listitem> + <listitem> + <para> + The <literal>ntp</literal> module now has sane default + restrictions. If you're relying on the previous defaults, + which permitted all queries and commands from all + firewall-permitted sources, you can set + <literal>services.ntp.restrictDefault</literal> and + <literal>services.ntp.restrictSource</literal> to + <literal>[]</literal>. + </para> + </listitem> + <listitem> + <para> + Package <literal>rabbitmq_server</literal> is renamed to + <literal>rabbitmq-server</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>light</literal> module no longer uses setuid + binaries, but udev rules. As a consequence users of that + module have to belong to the <literal>video</literal> group in + order to use the executable (i.e. + <literal>users.users.yourusername.extraGroups = ["video"];</literal>). 
+ </para> + </listitem> + <listitem> + <para> + Buildbot now supports Python 3 and its packages have been + moved to <literal>pythonPackages</literal>. The options + <literal>services.buildbot-master.package</literal> and + <literal>services.buildbot-worker.package</literal> can be + used to select the Python 2 or 3 version of the package. + </para> + </listitem> + <listitem> + <para> + Options + <literal>services.znc.confOptions.networks.name.userName</literal> + and + <literal>services.znc.confOptions.networks.name.modulePackages</literal> + were removed. They were never used for anything and can + therefore safely be removed. + </para> + </listitem> + <listitem> + <para> + Package <literal>wasm</literal> has been renamed + <literal>proglodyte-wasm</literal>. The package + <literal>wasm</literal> will be pointed to + <literal>ocamlPackages.wasm</literal> in 19.09, so make sure + to update your configuration if you want to keep + <literal>proglodyte-wasm</literal> + </para> + </listitem> + <listitem> + <para> + When the <literal>nixpkgs.pkgs</literal> option is set, NixOS + will no longer ignore the <literal>nixpkgs.overlays</literal> + option. The old behavior can be recovered by setting + <literal>nixpkgs.overlays = lib.mkForce [];</literal>. + </para> + </listitem> + <listitem> + <para> + OpenSMTPD has been upgraded to version 6.4.0p1. This release + makes backwards-incompatible changes to the configuration file + format. See <literal>man smtpd.conf</literal> for more + information on the new file format. + </para> + </listitem> + <listitem> + <para> + The versioned <literal>postgresql</literal> have been renamed + to use underscore number seperators. For example, + <literal>postgresql96</literal> has been renamed to + <literal>postgresql_9_6</literal>. + </para> + </listitem> + <listitem> + <para> + Package <literal>consul-ui</literal> and passthrough + <literal>consul.ui</literal> have been removed. 
The package + <literal>consul</literal> now uses upstream releases that + vendor the UI into the binary. See + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/48714#issuecomment-433454834">#48714</link> + for details. + </para> + </listitem> + <listitem> + <para> + Slurm introduces the new option + <literal>services.slurm.stateSaveLocation</literal>, which is + now set to <literal>/var/spool/slurm</literal> by default + (instead of <literal>/var/spool</literal>). Make sure to move + all files to the new directory or to set the option + accordingly. + </para> + <para> + The slurmctld now runs as user <literal>slurm</literal> + instead of <literal>root</literal>. If you want to keep + slurmctld running as <literal>root</literal>, set + <literal>services.slurm.user = root</literal>. + </para> + <para> + The options <literal>services.slurm.nodeName</literal> and + <literal>services.slurm.partitionName</literal> are now sets + of strings to correctly reflect that fact that each of these + options can occour more than once in the configuration. + </para> + </listitem> + <listitem> + <para> + The <literal>solr</literal> package has been upgraded from + 4.10.3 to 7.5.0 and has undergone some major changes. The + <literal>services.solr</literal> module has been updated to + reflect these changes. Please review + http://lucene.apache.org/solr/ carefully before upgrading. + </para> + </listitem> + <listitem> + <para> + Package <literal>ckb</literal> is renamed to + <literal>ckb-next</literal>, and options + <literal>hardware.ckb.*</literal> are renamed to + <literal>hardware.ckb-next.*</literal>. + </para> + </listitem> + <listitem> + <para> + The option + <literal>services.xserver.displayManager.job.logToFile</literal> + which was previously set to <literal>true</literal> when using + the display managers <literal>lightdm</literal>, + <literal>sddm</literal> or <literal>xpra</literal> has been + reset to the default value (<literal>false</literal>). 
+ </para> + </listitem> + <listitem> + <para> + Network interface indiscriminate NixOS firewall options + (<literal>networking.firewall.allow*</literal>) are now + preserved when also setting interface specific rules such as + <literal>networking.firewall.interfaces.en0.allow*</literal>. + These rules continue to use the pseudo device + "default" + (<literal>networking.firewall.interfaces.default.*</literal>), + and assigning to this pseudo device will override the + (<literal>networking.firewall.allow*</literal>) options. + </para> + </listitem> + <listitem> + <para> + The <literal>nscd</literal> service now disables all caching + of <literal>passwd</literal> and <literal>group</literal> + databases by default. This was interferring with the correct + functioning of the <literal>libnss_systemd.so</literal> module + which is used by <literal>systemd</literal> to manage uids and + usernames in the presence of <literal>DynamicUser=</literal> + in systemd services. This was already the default behaviour in + presence of <literal>services.sssd.enable = true</literal> + because nscd caching would interfere with + <literal>sssd</literal> in unpredictable ways as well. Because + we're using nscd not for caching, but for convincing glibc to + find NSS modules in the nix store instead of an absolute path, + we have decided to disable caching globally now, as it's + usually not the behaviour the user wants and can lead to + surprising behaviour. Furthermore, negative caching of host + lookups is also disabled now by default. This should fix the + issue of dns lookups failing in the presence of an unreliable + network. + </para> + <para> + If the old behaviour is desired, this can be restored by + setting the <literal>services.nscd.config</literal> option + with the desired caching parameters. 
+ </para> + <programlisting language="bash"> +{ + services.nscd.config = + '' + server-user nscd + threads 1 + paranoia no + debug-level 0 + + enable-cache passwd yes + positive-time-to-live passwd 600 + negative-time-to-live passwd 20 + suggested-size passwd 211 + check-files passwd yes + persistent passwd no + shared passwd yes + + enable-cache group yes + positive-time-to-live group 3600 + negative-time-to-live group 60 + suggested-size group 211 + check-files group yes + persistent group no + shared group yes + + enable-cache hosts yes + positive-time-to-live hosts 600 + negative-time-to-live hosts 5 + suggested-size hosts 211 + check-files hosts yes + persistent hosts no + shared hosts yes + ''; +} +</programlisting> + <para> + See + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link> + for details. + </para> + </listitem> + <listitem> + <para> + GitLab Shell previously used the nix store paths for the + <literal>gitlab-shell</literal> command in its + <literal>authorized_keys</literal> file, which might stop + working after garbage collection. To circumvent that, we + regenerated that file on each startup. As + <literal>gitlab-shell</literal> has now been changed to use + <literal>/var/run/current-system/sw/bin/gitlab-shell</literal>, + this is not necessary anymore, but there might be leftover + lines with a nix store path. Regenerate the + <literal>authorized_keys</literal> file via + <literal>sudo -u git -H gitlab-rake gitlab:shell:setup</literal> + in that case. + </para> + </listitem> + <listitem> + <para> + The <literal>pam_unix</literal> account module is now loaded + with its control field set to <literal>required</literal> + instead of <literal>sufficient</literal>, so that later PAM + account modules that might do more extensive checks are being + executed. Previously, the whole account module verification + was exited prematurely in case a nss module provided the + account name to <literal>pam_unix</literal>. 
The LDAP and SSSD + NixOS modules already add their NSS modules when enabled. In + case your setup breaks due to some later PAM account module + previosuly shadowed, or failing NSS lookups, please file a + bug. You can get back the old behaviour by manually setting + <literal>security.pam.services.<name?>.text</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>pam_unix</literal> password module is now loaded + with its control field set to <literal>sufficient</literal> + instead of <literal>required</literal>, so that password + managed only by later PAM password modules are being executed. + Previously, for example, changing an LDAP account's password + through PAM was not possible: the whole password module + verification was exited prematurely by + <literal>pam_unix</literal>, preventing + <literal>pam_ldap</literal> to manage the password as it + should. + </para> + </listitem> + <listitem> + <para> + <literal>fish</literal> has been upgraded to 3.0. It comes + with a number of improvements and backwards incompatible + changes. See the <literal>fish</literal> + <link xlink:href="https://github.com/fish-shell/fish-shell/releases/tag/3.0.0">release + notes</link> for more information. + </para> + </listitem> + <listitem> + <para> + The ibus-table input method has had a change in config format, + which causes all previous settings to be lost. See + <link xlink:href="https://github.com/mike-fabian/ibus-table/commit/f9195f877c5212fef0dfa446acb328c45ba5852b">this + commit message</link> for details. + </para> + </listitem> + <listitem> + <para> + NixOS module system type <literal>types.optionSet</literal> + and <literal>lib.mkOption</literal> argument + <literal>options</literal> are deprecated. Use + <literal>types.submodule</literal> instead. + (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/54637">#54637</link>) + </para> + </listitem> + <listitem> + <para> + <literal>matrix-synapse</literal> has been updated to version + 0.99. 
It will + <link xlink:href="https://github.com/matrix-org/synapse/pull/4509">no + longer generate a self-signed certificate on first + launch</link> and will be + <link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the + last version to accept self-signed certificates</link>. As + such, it is now recommended to use a proper certificate + verified by a root CA (for example Let's Encrypt). The new + <link linkend="module-services-matrix">manual chapter on + Matrix</link> contains a working example of using nginx as a + reverse proxy in front of <literal>matrix-synapse</literal>, + using Let's Encrypt certificates. + </para> + </listitem> + <listitem> + <para> + <literal>mailutils</literal> now works by default when + <literal>sendmail</literal> is not in a setuid wrapper. As a + consequence, the <literal>sendmailPath</literal> argument, + having lost its main use, has been removed. + </para> + </listitem> + <listitem> + <para> + <literal>graylog</literal> has been upgraded from version 2.* + to 3.*. Some setups making use of extraConfig (especially + those exposing Graylog via reverse proxies) need to be updated + as upstream removed/replaced some settings. See + <link xlink:href="http://docs.graylog.org/en/3.0/pages/upgrade/graylog-3.0.html#simplified-http-interface-configuration">Upgrading + Graylog</link> for details. + </para> + </listitem> + <listitem> + <para> + The option <literal>users.ldap.bind.password</literal> was + renamed to <literal>users.ldap.bind.passwordFile</literal>, + and needs to be readable by the <literal>nslcd</literal> user. + Same applies to the new + <literal>users.ldap.daemon.rootpwmodpwFile</literal> option. + </para> + </listitem> + <listitem> + <para> + <literal>nodejs-6_x</literal> is end-of-life. + <literal>nodejs-6_x</literal>, + <literal>nodejs-slim-6_x</literal> and + <literal>nodePackages_6_x</literal> are removed. 
+ </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-19.03-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + The <literal>services.matomo</literal> module gained the + option <literal>services.matomo.package</literal> which + determines the used Matomo version. + </para> + <para> + The Matomo module now also comes with the systemd service + <literal>matomo-archive-processing.service</literal> and a + timer that automatically triggers archive processing every + hour. This means that you can safely + <link xlink:href="https://matomo.org/docs/setup-auto-archiving/#disable-browser-triggers-for-matomo-archiving-and-limit-matomo-reports-to-updating-every-hour"> + disable browser triggers for Matomo archiving </link> at + <literal>Administration > System > General Settings</literal>. + </para> + <para> + Additionally, you can enable to + <link xlink:href="https://matomo.org/docs/privacy/#step-2-delete-old-visitors-logs"> + delete old visitor logs </link> at + <literal>Administration > System > Privacy</literal>, + but make sure that you run + <literal>systemctl start matomo-archive-processing.service</literal> + at least once without errors if you have already collected + data before, so that the reports get archived before the + source data gets deleted. + </para> + </listitem> + <listitem> + <para> + <literal>composableDerivation</literal> along with supporting + library functions has been removed. + </para> + </listitem> + <listitem> + <para> + The deprecated <literal>truecrypt</literal> package has been + removed and <literal>truecrypt</literal> attribute is now an + alias for <literal>veracrypt</literal>. VeraCrypt is + backward-compatible with TrueCrypt volumes. Note that + <literal>cryptsetup</literal> also supports loading TrueCrypt + volumes. + </para> + </listitem> + <listitem> + <para> + The Kubernetes DNS addons, kube-dns, has been replaced with + CoreDNS. 
This change is made in accordance with Kubernetes + making CoreDNS the official default starting from + <link xlink:href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.11.md#sig-cluster-lifecycle">Kubernetes + v1.11</link>. Please beware that upgrading DNS-addon on + existing clusters might induce minor downtime while the + DNS-addon terminates and re-initializes. Also note that the + DNS-service now runs with 2 pod replicas by default. The + desired number of replicas can be configured using: + <literal>services.kubernetes.addons.dns.replicas</literal>. + </para> + </listitem> + <listitem> + <para> + The quassel-webserver package and module was removed from + nixpkgs due to the lack of maintainers. + </para> + </listitem> + <listitem> + <para> + The manual gained a <link linkend="module-services-matrix"> + new chapter on self-hosting <literal>matrix-synapse</literal> + and <literal>riot-web</literal> </link>, the most prevalent + server and client implementations for the + <link xlink:href="https://matrix.org/">Matrix</link> federated + communication network. + </para> + </listitem> + <listitem> + <para> + The astah-community package was removed from nixpkgs due to it + being discontinued and the downloads not being available + anymore. + </para> + </listitem> + <listitem> + <para> + The httpd service now saves log files with a .log file + extension by default for easier integration with the logrotate + service. + </para> + </listitem> + <listitem> + <para> + The owncloud server packages and httpd subservice module were + removed from nixpkgs due to the lack of maintainers. + </para> + </listitem> + <listitem> + <para> + It is possible now to uze ZRAM devices as general purpose + ephemeral block devices, not only as swap. Using more than 1 + device as ZRAM swap is no longer recommended, but is still + possible by setting <literal>zramSwap.swapDevices</literal> + explicitly. + </para> + <para> + ZRAM algorithm can be changed now. 
+ </para> + <para> + Changes to ZRAM algorithm are applied during + <literal>nixos-rebuild switch</literal>, so make sure you have + enough swap space on disk to survive ZRAM device rebuild. + Alternatively, use + <literal>nixos-rebuild boot; reboot</literal>. + </para> + </listitem> + <listitem> + <para> + Flat volumes are now disabled by default in + <literal>hardware.pulseaudio</literal>. This has been done to + prevent applications, which are unaware of this feature, + setting their volumes to 100% on startup causing harm to your + audio hardware and potentially your ears. + </para> + <note> + <para> + With this change application specific volumes are relative + to the master volume which can be adjusted independently, + whereas before they were absolute; meaning that in effect, + it scaled the device-volume with the volume of the loudest + application. + </para> + </note> + </listitem> + <listitem> + <para> + The + <link xlink:href="https://github.com/DanielAdolfsson/ndppd"><literal>ndppd</literal></link> + module now supports + <link xlink:href="options.html#opt-services.ndppd.enable">all + config options</link> provided by the current upstream version + as service options. Additionally the <literal>ndppd</literal> + package doesn't contain the systemd unit configuration from + upstream anymore, the unit is completely configured by the + NixOS module now. + </para> + </listitem> + <listitem> + <para> + New installs of NixOS will default to the Redmine 4.x series + unless otherwise specified in + <literal>services.redmine.package</literal> while existing + installs of NixOS will default to the Redmine 3.x series. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.grafana.enable">Grafana + module</link> now supports declarative + <link xlink:href="http://docs.grafana.org/administration/provisioning/">datasource + and dashboard</link> provisioning. 
+ </para> + </listitem> + <listitem> + <para> + The use of insecure ports on kubernetes has been deprecated. + Thus options: + <literal>services.kubernetes.apiserver.port</literal> and + <literal>services.kubernetes.controllerManager.port</literal> + has been renamed to <literal>.insecurePort</literal>, and + default of both options has changed to 0 (disabled). + </para> + </listitem> + <listitem> + <para> + Note that the default value of + <literal>services.kubernetes.apiserver.bindAddress</literal> + has changed from 127.0.0.1 to 0.0.0.0, allowing the apiserver + to be accessible from outside the master node itself. If the + apiserver insecurePort is enabled, it is strongly recommended + to only bind on the loopback interface. See: + <literal>services.kubernetes.apiserver.insecurebindAddress</literal>. + </para> + </listitem> + <listitem> + <para> + The option + <literal>services.kubernetes.apiserver.allowPrivileged</literal> + and + <literal>services.kubernetes.kubelet.allowPrivileged</literal> + now defaults to false. Disallowing privileged containers on + the cluster. + </para> + </listitem> + <listitem> + <para> + The kubernetes module does no longer add the kubernetes + package to <literal>environment.systemPackages</literal> + implicitly. + </para> + </listitem> + <listitem> + <para> + The <literal>intel</literal> driver has been removed from the + default list of + <link xlink:href="options.html#opt-services.xserver.videoDrivers">X.org + video drivers</link>. The <literal>modesetting</literal> + driver should take over automatically, it is better maintained + upstream and has less problems with advanced X11 features. + This can lead to a change in the output names used by + <literal>xrandr</literal>. Some performance regressions on + some GPU models might happen. Some OpenCL and VA-API + applications might also break (Beignet seems to provide OpenCL + support with <literal>modesetting</literal> driver, too). 
+ Kernel mode setting API does not support backlight control, so + <literal>xbacklight</literal> tool will not work; backlight + level can be controlled directly via <literal>/sys/</literal> + or with <literal>brightnessctl</literal>. Users who need this + functionality more than multi-output XRandR are advised to add + `intel` to `videoDrivers` and report an issue (or provide + additional details in an existing one) + </para> + </listitem> + <listitem> + <para> + Openmpi has been updated to version 4.0.0, which removes some + deprecated MPI-1 symbols. This may break some older + applications that still rely on those symbols. An upgrade + guide can be found + <link xlink:href="https://www.open-mpi.org/faq/?category=mpi-removed">here</link>. + </para> + <para> + The nginx package now relies on OpenSSL 1.1 and supports TLS + 1.3 by default. You can set the protocols used by the nginx + service using + <link xlink:href="options.html#opt-services.nginx.sslProtocols">services.nginx.sslProtocols</link>. + </para> + </listitem> + <listitem> + <para> + A new subcommand <literal>nixos-rebuild edit</literal> was + added. + </para> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml b/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml new file mode 100644 index 00000000000..83cd649f4ea --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-1909.section.xml 
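Review bot: in the rl-1903 hunk (rl-1903.section.xml), the "Other Notable Changes" item that moves the default of `services.kubernetes.apiserver.bindAddress` from 127.0.0.1 to 0.0.0.0 widens exposure but only qualifies the insecure port; it should say plainly that the secure port is now reachable from outside the master node as well and that the two-way TLS and RBAC defaults announced under Highlights are the control relied on, and the option it points to is spelled `services.kubernetes.apiserver.insecurebindAddress` while every other option in the hunk is camelCase (`insecurePort`, `bindAddress`, `allowPrivileged`), so that name should be checked against the module before this ships. Second, the nscd item's `services.nscd.config` example re-enables `enable-cache passwd yes` and `enable-cache group yes`, which is exactly the caching the same item says breaks `libnss_systemd.so` with `DynamicUser=`; a one-line caveat next to the listing that restoring those two caches reintroduces that problem would prevent users copying it verbatim. Finally, several typos should be fixed in the Markdown sources: "chroot 2 ed" (reads as a mangled chroot(2)), "interferring", "previosuly", "seperators", "occour", "uze", and the `<name?>` placeholder in the Duo Security and pam_unix items, which looks like a conversion artifact of `<name>`.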
@@ -0,0 +1,1197 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-19.09"> + <title>Release 19.09 (<quote>Loris</quote>, 2019/10/09)</title> + <section xml:id="sec-release-19.09-highlights"> + <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + End of support is planned for end of April 2020, handing over + to 20.03. + </para> + </listitem> + <listitem> + <para> + Nix has been updated to 2.3; see its + <link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.3">release + notes</link>. + </para> + </listitem> + <listitem> + <para> + Core version changes: + </para> + <para> + systemd: 239 -> 243 + </para> + <para> + gcc: 7 -> 8 + </para> + <para> + glibc: 2.27 (unchanged) + </para> + <para> + linux: 4.19 LTS (unchanged) + </para> + <para> + openssl: 1.0 -> 1.1 + </para> + </listitem> + <listitem> + <para> + Desktop version changes: + </para> + <para> + plasma5: 5.14 -> 5.16 + </para> + <para> + gnome3: 3.30 -> 3.32 + </para> + </listitem> + <listitem> + <para> + PHP now defaults to PHP 7.3, updated from 7.2. + </para> + </listitem> + <listitem> + <para> + PHP 7.1 is no longer supported due to upstream not supporting + this version for the entire lifecycle of the 19.09 release. + </para> + </listitem> + <listitem> + <para> + The binfmt module is now easier to use. Additional systems can + be added through + <literal>boot.binfmt.emulatedSystems</literal>. For instance, + <literal>boot.binfmt.emulatedSystems = [ "wasm32-wasi" "x86_64-windows" "aarch64-linux" ];</literal> + will set up binfmt interpreters for each of those listed + systems. + </para> + </listitem> + <listitem> + <para> + The installer now uses a less privileged + <literal>nixos</literal> user whereas before we logged in as + root. To gain root privileges use <literal>sudo -i</literal> + without a password. 
+ </para> + </listitem> + <listitem> + <para> + We've updated to Xfce 4.14, which brings a new module + <literal>services.xserver.desktopManager.xfce4-14</literal>. + If you'd like to upgrade, please switch from the + <literal>services.xserver.desktopManager.xfce</literal> module + as it will be deprecated in a future release. They're + incompatibilities with the current Xfce module; it doesn't + support <literal>thunarPlugins</literal> and it isn't + recommended to use + <literal>services.xserver.desktopManager.xfce</literal> and + <literal>services.xserver.desktopManager.xfce4-14</literal> + simultaneously or to downgrade from Xfce 4.14 after upgrading. + </para> + </listitem> + <listitem> + <para> + The GNOME 3 desktop manager module sports an interface to + enable/disable core services, applications, and optional GNOME + packages like games. + </para> + <itemizedlist> + <listitem> + <para> + <literal>services.gnome3.core-os-services.enable</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services.gnome3.core-shell.enable</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services.gnome3.core-utilities.enable</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services.gnome3.games.enable</literal> + </para> + </listitem> + </itemizedlist> + <para> + With these options we hope to give users finer grained control + over their systems. Prior to this change you'd either have to + manually disable options or use + <literal>environment.gnome3.excludePackages</literal> which + only excluded the optional applications. + <literal>environment.gnome3.excludePackages</literal> is now + unguarded, it can exclude any package installed with + <literal>environment.systemPackages</literal> in the GNOME 3 + module. 
+ </para> + </listitem> + <listitem> + <para> + Orthogonal to the previous changes to the GNOME 3 desktop + manager module, we've updated all default services and + applications to match as close as possible to a default + reference GNOME 3 experience. + </para> + <para> + <emphasis role="strong">The following changes were enacted in + <literal>services.gnome3.core-utilities.enable</literal></emphasis> + </para> + <itemizedlist> + <listitem> + <para> + <literal>accerciser</literal> + </para> + </listitem> + <listitem> + <para> + <literal>dconf-editor</literal> + </para> + </listitem> + <listitem> + <para> + <literal>evolution</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome-documents</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome-nettool</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome-power-manager</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome-todo</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome-tweaks</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gnome-usage</literal> + </para> + </listitem> + <listitem> + <para> + <literal>gucharmap</literal> + </para> + </listitem> + <listitem> + <para> + <literal>nautilus-sendto</literal> + </para> + </listitem> + <listitem> + <para> + <literal>vinagre</literal> + </para> + </listitem> + <listitem> + <para> + <literal>cheese</literal> + </para> + </listitem> + <listitem> + <para> + <literal>geary</literal> + </para> + </listitem> + </itemizedlist> + <para> + <emphasis role="strong">The following changes were enacted in + <literal>services.gnome3.core-shell.enable</literal></emphasis> + </para> + <itemizedlist> + <listitem> + <para> + <literal>gnome-color-manager</literal> + </para> + </listitem> + <listitem> + <para> + <literal>orca</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services.avahi.enable</literal> + </para> + </listitem> + </itemizedlist> + 
</listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-19.09-new-services"> + <title>New Services</title> + <para> + The following new services were added since the last release: + </para> + <itemizedlist> + <listitem> + <para> + <literal>./programs/dwm-status.nix</literal> + </para> + </listitem> + <listitem> + <para> + The new <literal>hardware.printers</literal> module allows to + declaratively configure CUPS printers via the + <literal>ensurePrinters</literal> and + <literal>ensureDefaultPrinter</literal> options. + <literal>ensurePrinters</literal> will never delete existing + printers, but will make sure that the given printers are + configured as declared. + </para> + </listitem> + <listitem> + <para> + There is a new + <link xlink:href="options.html#opt-services.system-config-printer.enable">services.system-config-printer.enable</link> + and + <link xlink:href="options.html#opt-programs.system-config-printer.enable">programs.system-config-printer.enable</link> + module for the program of the same name. If you previously had + <literal>system-config-printer</literal> enabled through some + other means you should migrate to using one of these modules. + </para> + <itemizedlist> + <listitem> + <para> + <literal>services.xserver.desktopManager.plasma5</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services.xserver.desktopManager.gnome3</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services.xserver.desktopManager.pantheon</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services.xserver.desktopManager.mate</literal> + Note Mate uses + <literal>programs.system-config-printer</literal> as it + doesn't use it as a service, but its graphical interface + directly. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.blueman.enable">services.blueman.enable</link> + has been added. 
If you previously had blueman installed via + <literal>environment.systemPackages</literal> please migrate + to using the NixOS module, as this would result in an + insufficiently configured blueman. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-19.09-incompatibilities"> + <title>Backward Incompatibilities</title> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist> + <listitem> + <para> + Buildbot no longer supports Python 2, as support was dropped + upstream in version 2.0.0. Configurations may need to be + modified to make them compatible with Python 3. + </para> + </listitem> + <listitem> + <para> + PostgreSQL now uses <literal>/run/postgresql</literal> as its + socket directory instead of <literal>/tmp</literal>. So if you + run an application like eg. Nextcloud, where you need to use + the Unix socket path as the database host name, you need to + change it accordingly. + </para> + </listitem> + <listitem> + <para> + PostgreSQL 9.4 is scheduled EOL during the 19.09 life cycle + and has been removed. + </para> + </listitem> + <listitem> + <para> + The options + <literal>services.prometheus.alertmanager.user</literal> and + <literal>services.prometheus.alertmanager.group</literal> have + been removed because the alertmanager service is now using + systemd's + <link xlink:href="http://0pointer.net/blog/dynamic-users-with-systemd.html"> + DynamicUser mechanism</link> which obviates these options. + </para> + </listitem> + <listitem> + <para> + The NetworkManager systemd unit was renamed back from + network-manager.service to NetworkManager.service for better + compatibility with other applications expecting this name. The + same applies to ModemManager where modem-manager.service is + now called ModemManager.service again. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>services.nzbget.configFile</literal> and + <literal>services.nzbget.openFirewall</literal> options were + removed as they are managed internally by the nzbget. The + <literal>services.nzbget.dataDir</literal> option hadn't + actually been used by the module for some time and so was + removed as cleanup. + </para> + </listitem> + <listitem> + <para> + The <literal>services.mysql.pidDir</literal> option was + removed, as it was only used by the wordpress apache-httpd + service to wait for mysql to have started up. This can be + accomplished by either describing a dependency on + mysql.service (preferred) or waiting for the (hardcoded) + <literal>/run/mysqld/mysql.sock</literal> file to appear. + </para> + </listitem> + <listitem> + <para> + The <literal>services.emby.enable</literal> module has been + removed, see <literal>services.jellyfin.enable</literal> + instead for a free software fork of Emby. See the Jellyfin + documentation: + <link xlink:href="https://jellyfin.readthedocs.io/en/latest/administrator-docs/migrate-from-emby/"> + Migrating from Emby to Jellyfin </link> + </para> + </listitem> + <listitem> + <para> + IPv6 Privacy Extensions are now enabled by default for + undeclared interfaces. The previous behaviour was quite + misleading — even though the default value for + <literal>networking.interfaces.*.preferTempAddress</literal> + was <literal>true</literal>, undeclared interfaces would not + prefer temporary addresses. Now, interfaces not mentioned in + the config will prefer temporary addresses. EUI64 addresses + can still be set as preferred by explicitly setting the option + to <literal>false</literal> for the interface in question. 
+ </para> + </listitem> + <listitem> + <para> + Since Bittorrent Sync was superseded by Resilio Sync in 2016, + the <literal>bittorrentSync</literal>, + <literal>bittorrentSync14</literal>, and + <literal>bittorrentSync16</literal> packages have been removed + in favor of <literal>resilio-sync</literal>. + </para> + <para> + The corresponding module, <literal>services.btsync</literal> + has been replaced by the <literal>services.resilio</literal> + module. + </para> + </listitem> + <listitem> + <para> + The httpd service no longer attempts to start the postgresql + service. If you have come to depend on this behaviour then you + can preserve the behavior with the following configuration: + <literal>systemd.services.httpd.after = [ "postgresql.service" ];</literal> + </para> + <para> + The option <literal>services.httpd.extraSubservices</literal> + has been marked as deprecated. You may still use this feature, + but it will be removed in a future release of NixOS. You are + encouraged to convert any httpd subservices you may have + written to a full NixOS module. + </para> + <para> + Most of the httpd subservices packaged with NixOS have been + replaced with full NixOS modules including LimeSurvey, + WordPress, and Zabbix. These modules can be enabled using the + <literal>services.limesurvey.enable</literal>, + <literal>services.mediawiki.enable</literal>, + <literal>services.wordpress.enable</literal>, and + <literal>services.zabbixWeb.enable</literal> options. + </para> + </listitem> + <listitem> + <para> + The option + <literal>systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnlink</literal> + was renamed to + <literal>systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnLink</literal> + (capital <literal>L</literal>). This follows + <link xlink:href="https://github.com/systemd/systemd/commit/9cb8c5593443d24c19e40bfd4fc06d672f8c554c"> + upstreams renaming </link> of the setting. 
+ </para> + </listitem> + <listitem> + <para> + As of this release the NixOps feature + <literal>autoLuks</literal> is deprecated. It no longer works + with our systemd version without manual intervention. + </para> + <para> + Whenever the usage of the module is detected the evaluation + will fail with a message explaining why and how to deal with + the situation. + </para> + <para> + A new knob named + <literal>nixops.enableDeprecatedAutoLuks</literal> has been + introduced to disable the eval failure and to acknowledge the + notice was received and read. If you plan on using the feature + please note that it might break with subsequent updates. + </para> + <para> + Make sure you set the <literal>_netdev</literal> option for + each of the file systems referring to block devices provided + by the autoLuks module. Not doing this might render the system + in a state where it doesn't boot anymore. + </para> + <para> + If you are actively using the <literal>autoLuks</literal> + module please let us know in + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/62211">issue + #62211</link>. + </para> + </listitem> + <listitem> + <para> + The setopt declarations will be evaluated at the end of + <literal>/etc/zshrc</literal>, so any code in + <link xlink:href="options.html#opt-programs.zsh.interactiveShellInit">programs.zsh.interactiveShellInit</link>, + <link xlink:href="options.html#opt-programs.zsh.loginShellInit">programs.zsh.loginShellInit</link> + and + <link xlink:href="options.html#opt-programs.zsh.promptInit">programs.zsh.promptInit</link> + may break if it relies on those options being set. + </para> + </listitem> + <listitem> + <para> + The <literal>prometheus-nginx-exporter</literal> package now + uses the offical exporter provided by NGINX Inc. Its metrics + are differently structured and are incompatible to the old + ones. 
For information about the metrics, have a look at the + <link xlink:href="https://github.com/nginxinc/nginx-prometheus-exporter">official + repo</link>. + </para> + </listitem> + <listitem> + <para> + The <literal>shibboleth-sp</literal> package has been updated + to version 3. It is largely backward compatible, for further + information refer to the + <link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes">release + notes</link> and + <link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2">upgrade + guide</link>. + </para> + <para> + Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has + been dropped. + </para> + </listitem> + <listitem> + <para> + By default, prometheus exporters are now run with + <literal>DynamicUser</literal> enabled. Exporters that need a + real user, now run under a seperate user and group which + follow the pattern + <literal><exporter-name>-exporter</literal>, instead of + the previous default <literal>nobody</literal> and + <literal>nogroup</literal>. Only some exporters are affected + by the latter, namely the exporters + <literal>dovecot</literal>, <literal>node</literal>, + <literal>postfix</literal> and <literal>varnish</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>ibus-qt</literal> package is not installed by + default anymore when + <link xlink:href="options.html#opt-i18n.inputMethod.enabled">i18n.inputMethod.enabled</link> + is set to <literal>ibus</literal>. If IBus support in Qt 4.x + applications is required, add the <literal>ibus-qt</literal> + package to your + <link xlink:href="options.html#opt-environment.systemPackages">environment.systemPackages</link> + manually. + </para> + </listitem> + <listitem> + <para> + The CUPS Printing service now uses socket-based activation by + default, only starting when needed. 
The previous behavior can + be restored by setting + <literal>services.cups.startWhenNeeded</literal> to + <literal>false</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>services.systemhealth</literal> module has been + removed from nixpkgs due to lack of maintainer. + </para> + </listitem> + <listitem> + <para> + The <literal>services.mantisbt</literal> module has been + removed from nixpkgs due to lack of maintainer. + </para> + </listitem> + <listitem> + <para> + Squid 3 has been removed and the <literal>squid</literal> + derivation now refers to Squid 4. + </para> + </listitem> + <listitem> + <para> + The <literal>services.pdns-recursor.extraConfig</literal> + option has been replaced by + <literal>services.pdns-recursor.settings</literal>. The new + option allows setting extra configuration while being better + type-checked and mergeable. + </para> + </listitem> + <listitem> + <para> + No service depends on <literal>keys.target</literal> anymore + which is a systemd target that indicates if all + <link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps + keys</link> were successfully uploaded. Instead, + <literal><key-name>-key.service</literal> should be used + to define a dependency of a key in a service. The full issue + behind the <literal>keys.target</literal> dependency is + described at + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>. 
+ </para> + <para> + The following services are affected by this: + </para> + <itemizedlist> + <listitem> + <para> + <link xlink:href="options.html#opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.nsd.enable"><literal>services.nsd</literal></link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.softether.enable"><literal>services.softether</literal></link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.strongswan.enable"><literal>services.strongswan</literal></link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.httpd.enable"><literal>services.httpd</literal></link> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>security.acme.directory</literal> option has been + replaced by a read-only + <literal>security.acme.certs.<cert>.directory</literal> + option for each certificate you define. This will be a + subdirectory of <literal>/var/lib/acme</literal>. You can use + this read-only option to figure out where the certificates are + stored for a specific certificate. For example, the + <literal>services.nginx.virtualhosts.<name>.enableACME</literal> + option will use this directory option to find the certs for + the virtual host. + </para> + <para> + <literal>security.acme.preDelay</literal> and + <literal>security.acme.activationDelay</literal> options have + been removed. To execute a service before certificates are + provisioned or renewed add a + <literal>RequiredBy=acme-${cert}.service</literal> to any + service. 
+ </para> + <para> + Furthermore, the acme module will not automatically add a + dependency on <literal>lighttpd.service</literal> anymore. If + you are using certficates provided by letsencrypt for + lighttpd, then you should depend on the certificate service + <literal>acme-${cert}.service></literal> manually. + </para> + <para> + For nginx, the dependencies are still automatically managed + when + <literal>services.nginx.virtualhosts.<name>.enableACME</literal> + is enabled just like before. What changed is that nginx now + directly depends on the specific certificates that it needs, + instead of depending on the catch-all + <literal>acme-certificates.target</literal>. This target unit + was also removed from the codebase. This will mean nginx will + no longer depend on certificates it isn't explicitly managing + and fixes a bug with certificate renewal ordering racing with + nginx restarting which could lead to nginx getting in a broken + state as described at + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/60180">NixOS/nixpkgs#60180</link>. + </para> + </listitem> + <listitem> + <para> + The old deprecated <literal>emacs</literal> package sets have + been dropped. What used to be called + <literal>emacsPackagesNg</literal> is now simply called + <literal>emacsPackages</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>services.xserver.desktopManager.xterm</literal> is + now disabled by default if <literal>stateVersion</literal> is + 19.09 or higher. Previously the xterm desktopManager was + enabled when xserver was enabled, but it isn't useful for all + people so it didn't make sense to have any desktopManager + enabled default. + </para> + </listitem> + <listitem> + <para> + The WeeChat plugin + <literal>pkgs.weechatScripts.weechat-xmpp</literal> has been + removed as it doesn't receive any updates from upstream and + depends on outdated Python2-based modules. 
+ </para> + </listitem> + <listitem> + <para> + Old unsupported versions (<literal>logstash5</literal>, + <literal>kibana5</literal>, <literal>filebeat5</literal>, + <literal>heartbeat5</literal>, <literal>metricbeat5</literal>, + <literal>packetbeat5</literal>) of the ELK-stack and Elastic + beats have been removed. + </para> + </listitem> + <listitem> + <para> + For NixOS 19.03, both Prometheus 1 and 2 were available to + allow for a seamless transition from version 1 to 2 with + existing setups. Because Prometheus 1 is no longer developed, + it was removed. Prometheus 2 is now configured with + <literal>services.prometheus</literal>. + </para> + </listitem> + <listitem> + <para> + Citrix Receiver (<literal>citrix_receiver</literal>) has been + dropped in favor of Citrix Workspace + (<literal>citrix_workspace</literal>). + </para> + </listitem> + <listitem> + <para> + The <literal>services.gitlab</literal> module has had its + literal secret options + (<literal>services.gitlab.smtp.password</literal>, + <literal>services.gitlab.databasePassword</literal>, + <literal>services.gitlab.initialRootPassword</literal>, + <literal>services.gitlab.secrets.secret</literal>, + <literal>services.gitlab.secrets.db</literal>, + <literal>services.gitlab.secrets.otp</literal> and + <literal>services.gitlab.secrets.jws</literal>) replaced by + file-based versions + (<literal>services.gitlab.smtp.passwordFile</literal>, + <literal>services.gitlab.databasePasswordFile</literal>, + <literal>services.gitlab.initialRootPasswordFile</literal>, + <literal>services.gitlab.secrets.secretFile</literal>, + <literal>services.gitlab.secrets.dbFile</literal>, + <literal>services.gitlab.secrets.otpFile</literal> and + <literal>services.gitlab.secrets.jwsFile</literal>). 
This was + done so that secrets aren't stored in the world-readable nix + store, but means that for each option you'll have to create a + file with the same exact string, add "File" to the + end of the option name, and change the definition to a string + pointing to the corresponding file; e.g. + <literal>services.gitlab.databasePassword = "supersecurepassword"</literal> + becomes + <literal>services.gitlab.databasePasswordFile = "/path/to/secret_file"</literal> + where the file <literal>secret_file</literal> contains the + string <literal>supersecurepassword</literal>. + </para> + <para> + The state path (<literal>services.gitlab.statePath</literal>) + now has the following restriction: no parent directory can be + owned by any other user than <literal>root</literal> or the + user specified in <literal>services.gitlab.user</literal>; + i.e. if <literal>services.gitlab.statePath</literal> is set to + <literal>/var/lib/gitlab/state</literal>, + <literal>gitlab</literal> and all parent directories must be + owned by either <literal>root</literal> or the user specified + in <literal>services.gitlab.user</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>networking.useDHCP</literal> option is + unsupported in combination with + <literal>networking.useNetworkd</literal> in anticipation of + defaulting to it. It has to be set to <literal>false</literal> + and enabled per interface with + <literal>networking.interfaces.<name>.useDHCP = true;</literal> + </para> + </listitem> + <listitem> + <para> + The Twitter client <literal>corebird</literal> has been + dropped as + <link xlink:href="https://www.patreon.com/posts/corebirds-future-18921328">it + is discontinued and does not work against the new Twitter + API</link>. Please use the fork <literal>cawbird</literal> + instead which has been adapted to the API changes and is still + maintained. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>nodejs-11_x</literal> package has been removed as + it's EOLed by upstream. + </para> + </listitem> + <listitem> + <para> + Because of the systemd upgrade, systemd-timesyncd will no + longer work if <literal>system.stateVersion</literal> is not + set correctly. When upgrading from NixOS 19.03, please make + sure that <literal>system.stateVersion</literal> is set to + <literal>"19.03"</literal>, or lower if the + installation dates back to an earlier version of NixOS. + </para> + </listitem> + <listitem> + <para> + Due to the short lifetime of non-LTS kernel releases package + attributes like <literal>linux_5_1</literal>, + <literal>linux_5_2</literal> and <literal>linux_5_3</literal> + have been removed to discourage dependence on specific non-LTS + kernel versions in stable NixOS releases. Going forward, + versioned attributes like <literal>linux_4_9</literal> will + exist for LTS versions only. Please use + <literal>linux_latest</literal> or + <literal>linux_testing</literal> if you depend on non-LTS + releases. Keep in mind that <literal>linux_latest</literal> + and <literal>linux_testing</literal> will change versions + under the hood during the lifetime of a stable release and + might include breaking changes. + </para> + </listitem> + <listitem> + <para> + Because of the systemd upgrade, some network interfaces might + change their name. For details see + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html#History"> + upstream docs</link> or + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/71086"> + our ticket</link>. 
+ </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-19.09-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + The <literal>documentation</literal> module gained an option + named <literal>documentation.nixos.includeAllModules</literal> + which makes the generated configuration.nix 5 manual page + include all options from all NixOS modules included in a given + <literal>configuration.nix</literal> configuration file. + Currently, it is set to <literal>false</literal> by default as + enabling it frequently prevents evaluation. But the plan is to + eventually have it set to <literal>true</literal> by default. + Please set it to <literal>true</literal> now in your + <literal>configuration.nix</literal> and fix all the bugs it + uncovers. + </para> + </listitem> + <listitem> + <para> + The <literal>vlc</literal> package gained support for + Chromecast streaming, enabled by default. TCP port 8010 must + be open for it to work, so something like + <literal>networking.firewall.allowedTCPPorts = [ 8010 ];</literal> + may be required in your configuration. Also consider enabling + <link xlink:href="https://nixos.wiki/wiki/Accelerated_Video_Playback"> + Accelerated Video Playback</link> for better transcoding + performance. + </para> + </listitem> + <listitem> + <para> + The following changes apply if the + <literal>stateVersion</literal> is changed to 19.09 or higher. + For <literal>stateVersion = "19.03"</literal> or + lower the old behavior is preserved. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>solr.package</literal> defaults to + <literal>pkgs.solr_8</literal>. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>hunspellDicts.fr-any</literal> dictionary now + ships with <literal>fr_FR.{aff,dic}</literal> which is linked + to <literal>fr-toutesvariantes.{aff,dic}</literal>. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>mysql</literal> service now runs as + <literal>mysql</literal> user. Previously, systemd did execute + it as root, and mysql dropped privileges itself. This includes + <literal>ExecStartPre=</literal> and + <literal>ExecStartPost=</literal> phases. To accomplish that, + runtime and data directory setup was delegated to + RuntimeDirectory and tmpfiles. + </para> + </listitem> + <listitem> + <para> + With the upgrade to systemd version 242 the + <literal>systemd-timesyncd</literal> service is no longer + using <literal>DynamicUser=yes</literal>. In order for the + upgrade to work we rely on an activation script to move the + state from the old to the new directory. The older directory + (prior <literal>19.09</literal>) was + <literal>/var/lib/private/systemd/timesync</literal>. + </para> + <para> + As long as the <literal>system.config.stateVersion</literal> + is below <literal>19.09</literal> the state folder will + migrated to its proper location + (<literal>/var/lib/systemd/timesync</literal>), if required. + </para> + </listitem> + <listitem> + <para> + The package <literal>avahi</literal> is now built to look up + service definitions from + <literal>/etc/avahi/services</literal> instead of its output + directory in the nix store. Accordingly the module + <literal>avahi</literal> now supports custom service + definitions via + <literal>services.avahi.extraServiceFiles</literal>, which are + then placed in the aforementioned directory. See + avahi.service5 for more information on custom service + definitions. + </para> + </listitem> + <listitem> + <para> + Since version 0.1.19, <literal>cargo-vendor</literal> honors + package includes that are specified in the + <literal>Cargo.toml</literal> file of Rust crates. + <literal>rustPlatform.buildRustPackage</literal> uses + <literal>cargo-vendor</literal> to collect and build dependent + crates. 
Since this change in <literal>cargo-vendor</literal> + changes the set of vendored files for most Rust packages, the + hash that use used to verify the dependencies, + <literal>cargoSha256</literal>, also changes. + </para> + <para> + The <literal>cargoSha256</literal> hashes of all in-tree + derivations that use <literal>buildRustPackage</literal> have + been updated to reflect this change. However, third-party + derivations that use <literal>buildRustPackage</literal> may + have to be updated as well. + </para> + </listitem> + <listitem> + <para> + The <literal>consul</literal> package was upgraded past + version <literal>1.5</literal>, so its deprecated legacy UI is + no longer available. + </para> + </listitem> + <listitem> + <para> + The default resample-method for PulseAudio has been changed + from the upstream default <literal>speex-float-1</literal> to + <literal>speex-float-5</literal>. Be aware that low-powered + ARM-based and MIPS-based boards will struggle with this so + you'll need to set + <literal>hardware.pulseaudio.daemon.config.resample-method</literal> + back to <literal>speex-float-1</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>phabricator</literal> package and associated + <literal>httpd.extraSubservice</literal>, as well as the + <literal>phd</literal> service have been removed from nixpkgs + due to lack of maintainer. + </para> + </listitem> + <listitem> + <para> + The <literal>mercurial</literal> + <literal>httpd.extraSubservice</literal> has been removed from + nixpkgs due to lack of maintainer. + </para> + </listitem> + <listitem> + <para> + The <literal>trac</literal> + <literal>httpd.extraSubservice</literal> has been removed from + nixpkgs because it was unmaintained. + </para> + </listitem> + <listitem> + <para> + The <literal>foswiki</literal> package and associated + <literal>httpd.extraSubservice</literal> have been removed + from nixpkgs due to lack of maintainer. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>tomcat-connector</literal> + <literal>httpd.extraSubservice</literal> has been removed from + nixpkgs. + </para> + </listitem> + <listitem> + <para> + It's now possible to change configuration in + <link xlink:href="options.html#opt-services.nextcloud.enable">services.nextcloud</link> + after the initial deploy since all config parameters are + persisted in an additional config file generated by the + module. Previously core configuration like database parameters + were set using their imperative installer after creating + <literal>/var/lib/nextcloud</literal>. + </para> + </listitem> + <listitem> + <para> + There exists now <literal>lib.forEach</literal>, which is like + <literal>map</literal>, but with arguments flipped. When + mapping function body spans many lines (or has nested + <literal>map</literal>s), it is often hard to follow which + list is modified. + </para> + <para> + Previous solution to this problem was either to use + <literal>lib.flip map</literal> idiom or extract that + anonymous mapping function to a named one. Both can still be + used but <literal>lib.forEach</literal> is preferred over + <literal>lib.flip map</literal>. + </para> + <para> + The <literal>/etc/sysctl.d/nixos.conf</literal> file + containing all the options set via + <link xlink:href="options.html#opt-boot.kernel.sysctl">boot.kernel.sysctl</link> + was moved to <literal>/etc/sysctl.d/60-nixos.conf</literal>, + as sysctl.d5 recommends prefixing all filenames in + <literal>/etc/sysctl.d</literal> with a two-digit number and a + dash to simplify the ordering of the files. + </para> + </listitem> + <listitem> + <para> + We now install the sysctl snippets shipped with systemd. 
+ </para> + <itemizedlist> + <listitem> + <para> + Loose reverse path filtering + </para> + </listitem> + <listitem> + <para> + Source route filtering + </para> + </listitem> + <listitem> + <para> + <literal>fq_codel</literal> as a packet scheduler (this + helps to fight bufferbloat) + </para> + </listitem> + </itemizedlist> + <para> + This also configures the kernel to pass core dumps to + <literal>systemd-coredump</literal>, and restricts the SysRq + key combinations to the sync command only. These sysctl + snippets can be found in + <literal>/etc/sysctl.d/50-*.conf</literal>, and overridden via + <link xlink:href="options.html#opt-boot.kernel.sysctl">boot.kernel.sysctl</link> + (which will place the parameters in + <literal>/etc/sysctl.d/60-nixos.conf</literal>). + </para> + </listitem> + <listitem> + <para> + Core dumps are now processed by + <literal>systemd-coredump</literal> by default. + <literal>systemd-coredump</literal> behaviour can still be + modified via <literal>systemd.coredump.extraConfig</literal>. + To stick to the old behaviour (having the kernel dump to a + file called <literal>core</literal> in the working directory), + without piping it through <literal>systemd-coredump</literal>, + set <literal>systemd.coredump.enable</literal> to + <literal>false</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>systemd.packages</literal> option now also supports + generators and shutdown scripts. Old + <literal>systemd.generator-packages</literal> option has been + removed. + </para> + </listitem> + <listitem> + <para> + The <literal>rmilter</literal> package was removed with + associated module and options due deprecation by upstream + developer. Use <literal>rspamd</literal> in proxy mode + instead. + </para> + </listitem> + <listitem> + <para> + systemd cgroup accounting via the + <link xlink:href="options.html#opt-systemd.enableCgroupAccounting">systemd.enableCgroupAccounting</link> + option is now enabled by default. 
It now also enables the more + recent Block IO and IP accounting features. + </para> + </listitem> + <listitem> + <para> + We no longer enable custom font rendering settings with + <literal>fonts.fontconfig.penultimate.enable</literal> by + default. The defaults from fontconfig are sufficient. + </para> + </listitem> + <listitem> + <para> + The <literal>crashplan</literal> package and the + <literal>crashplan</literal> service have been removed from + nixpkgs due to crashplan shutting down the service, while the + <literal>crashplansb</literal> package and + <literal>crashplan-small-business</literal> service have been + removed from nixpkgs due to lack of maintainer. + </para> + <para> + The + <link xlink:href="options.html#opt-services.redis.enable">redis + module</link> was hardcoded to use the + <literal>redis</literal> user, <literal>/run/redis</literal> + as runtime directory and <literal>/var/lib/redis</literal> as + state directory. Note that the NixOS module for Redis now + disables kernel support for Transparent Huge Pages (THP), + because this features causes major performance problems for + Redis, e.g. (https://redis.io/topics/latency). + </para> + </listitem> + <listitem> + <para> + Using <literal>fonts.enableDefaultFonts</literal> adds a + default emoji font <literal>noto-fonts-emoji</literal>. + </para> + <itemizedlist> + <listitem> + <para> + <literal>services.xserver.enable</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs.sway.enable</literal> + </para> + </listitem> + <listitem> + <para> + <literal>programs.way-cooler.enable</literal> + </para> + </listitem> + <listitem> + <para> + <literal>services.xrdp.enable</literal> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>altcoins</literal> categorization of packages has + been removed. You now access these packages at the top level, + ie. 
<literal>nix-shell -p dogecoin</literal> instead of + <literal>nix-shell -p altcoins.dogecoin</literal>, etc. + </para> + </listitem> + <listitem> + <para> + Ceph has been upgraded to v14.2.1. See the + <link xlink:href="https://ceph.com/releases/v14-2-0-nautilus-released/">release + notes</link> for details. The mgr dashboard as well as osds + backed by loop-devices is no longer explicitly supported by + the package and module. Note: There's been some issues with + python-cherrypy, which is used by the dashboard and prometheus + mgr modules (and possibly others), hence + 0000-dont-check-cherrypy-version.patch. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.weechat</literal> is now compiled against + <literal>pkgs.python3</literal>. Weechat also recommends + <link xlink:href="https://weechat.org/scripts/python3/">to use + Python3 in their docs.</link> + </para> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2003.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2003.section.xml new file mode 100644 index 00000000000..53e6e1329a9 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-2003.section.xml 
@@ -0,0 +1,1497 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-20.03"> + <title>Release 20.03 (<quote>Markhor</quote>, 2020.04/20)</title> + <section xml:id="sec-release-20.03-highlights"> + <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + Support is planned until the end of October 2020, handing over + to 20.09. + </para> + </listitem> + <listitem> + <para> + Core version changes: + </para> + <para> + gcc: 8.3.0 -> 9.2.0 + </para> + <para> + glibc: 2.27 -> 2.30 + </para> + <para> + linux: 4.19 -> 5.4 + </para> + <para> + mesa: 19.1.5 -> 19.3.3 + </para> + <para> + openssl: 1.0.2u -> 1.1.1d + </para> + </listitem> + <listitem> + <para> + Desktop version changes: + </para> + <para> + plasma5: 5.16.5 -> 5.17.5 + </para> + <para> + kdeApplications: 19.08.2 -> 19.12.3 + </para> + <para> + gnome3: 3.32 -> 3.34 + </para> + <para> + pantheon: 5.0 -> 5.1.3 + </para> + </listitem> + <listitem> + <para> + Linux kernel is updated to branch 5.4 by default (from 4.19). + </para> + </listitem> + <listitem> + <para> + Grub is updated to 2.04, adding support for booting from F2FS + filesystems and Btrfs volumes using zstd compression. Note + that some users have been unable to boot after upgrading to + 2.04 - for more information, please see + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/61718#issuecomment-617618503">this + discussion</link>. + </para> + </listitem> + <listitem> + <para> + Postgresql for NixOS service now defaults to v11. + </para> + </listitem> + <listitem> + <para> + The graphical installer image starts the graphical session + automatically. Before you'd be greeted by a tty and asked to + enter <literal>systemctl start display-manager</literal>. 
It + is now possible to disable the display-manager from running by + selecting the <literal>Disable display-manager</literal> quirk + in the boot menu. + </para> + </listitem> + <listitem> + <para> + GNOME 3 has been upgraded to 3.34. Please take a look at their + <link xlink:href="https://help.gnome.org/misc/release-notes/3.34">Release + Notes</link> for details. + </para> + </listitem> + <listitem> + <para> + If you enable the Pantheon Desktop Manager via + <link xlink:href="options.html#opt-services.xserver.desktopManager.pantheon.enable">services.xserver.desktopManager.pantheon.enable</link>, + we now default to also use + <link xlink:href="https://blog.elementary.io/say-hello-to-the-new-greeter/"> + Pantheon's newly designed greeter </link>. Contrary to NixOS's + usual update policy, Pantheon will receive updates during the + cycle of NixOS 20.03 when backwards compatible. + </para> + </listitem> + <listitem> + <para> + By default zfs pools will now be trimmed on a weekly basis. + Trimming is only done on supported devices (i.e. NVME or SSDs) + and should improve throughput and lifetime of these devices. + It is controlled by the + <literal>services.zfs.trim.enable</literal> varname. The zfs + scrub service + (<literal>services.zfs.autoScrub.enable</literal>) and the zfs + autosnapshot service + (<literal>services.zfs.autoSnapshot.enable</literal>) are now + only enabled if zfs is set in + <literal>config.boot.initrd.supportedFilesystems</literal> or + <literal>config.boot.supportedFilesystems</literal>. These + lists will automatically contain zfs as soon as any zfs + mountpoint is configured in <literal>fileSystems</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>nixos-option</literal> has been rewritten in C++, + speeding it up, improving correctness, and adding a + <literal>-r</literal> option which prints all options and + their values recursively. 
+ </para> + </listitem> + <listitem> + <para> + <literal>services.xserver.desktopManager.default</literal> and + <literal>services.xserver.windowManager.default</literal> + options were replaced by a single + <link xlink:href="options.html#opt-services.xserver.displayManager.defaultSession">services.xserver.displayManager.defaultSession</link> + option to improve support for upstream session files. If you + used something like: + </para> + <programlisting language="bash"> +{ + services.xserver.desktopManager.default = "xfce"; + services.xserver.windowManager.default = "icewm"; +} +</programlisting> + <para> + you should change it to: + </para> + <programlisting language="bash"> +{ + services.xserver.displayManager.defaultSession = "xfce+icewm"; +} +</programlisting> + </listitem> + <listitem> + <para> + The testing driver implementation in NixOS is now in Python + <literal>make-test-python.nix</literal>. This was done by + Jacek Galowicz + (<link xlink:href="https://github.com/tfc">@tfc</link>), and + with the collaboration of Julian Stecklina + (<link xlink:href="https://github.com/blitz">@blitz</link>) + and Jana Traue + (<link xlink:href="https://github.com/jtraue">@jtraue</link>). + All documentation has been updated to use this testing driver, + and a vast majority of the 286 tests in NixOS were ported to + python driver. In 20.09 the Perl driver implementation, + <literal>make-test.nix</literal>, is slated for removal. This + should give users of the NixOS integration framework a + transitory period to rewrite their tests to use the Python + implementation. Users of the Perl driver will see this warning + everytime they use it: + </para> + <programlisting> +$ warning: Perl VM tests are deprecated and will be removed for 20.09. +Please update your tests to use the python test driver. +See https://github.com/NixOS/nixpkgs/pull/71684 for details. 
+</programlisting> + <para> + API compatibility is planned to be kept for at least the next + release with the perl driver. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-20.03-new-services"> + <title>New Services</title> + <para> + The following new services were added since the last release: + </para> + <itemizedlist> + <listitem> + <para> + The kubernetes kube-proxy now supports a new hostname + configuration + <literal>services.kubernetes.proxy.hostname</literal> which + has to be set if the hostname of the node should be non + default. + </para> + </listitem> + <listitem> + <para> + UPower's configuration is now managed by NixOS and can be + customized via <literal>services.upower</literal>. + </para> + </listitem> + <listitem> + <para> + To use Geary you should enable + <link xlink:href="options.html#opt-programs.geary.enable">programs.geary.enable</link> + instead of just adding it to + <link xlink:href="options.html#opt-environment.systemPackages">environment.systemPackages</link>. + It was created so Geary could function properly outside of + GNOME. 
+ </para> + </listitem> + <listitem> + <para> + <literal>./config/console.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./hardware/brillo.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./hardware/tuxedo-keyboard.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/bandwhich.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/bash-my-aws.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/liboping.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./programs/traceroute.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/backup/sanoid.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/backup/syncoid.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/backup/zfs-replication.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/continuous-integration/buildkite-agents.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/databases/victoriametrics.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/gnome3/gnome-initial-setup.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/desktops/neard.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/games/openarena.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/hardware/fancontrol.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/mail/sympa.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/freeswitch.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/misc/mame.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/monitoring/do-agent.nix</literal> + </para> + </listitem> + 
<listitem> + <para> + <literal>./services/monitoring/prometheus/xmpp-alerts.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/network-filesystems/orangefs/server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/network-filesystems/orangefs/client.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/3proxy.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/corerad.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/go-shadowsocks2.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/ntp/openntpd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/shorewall.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/shorewall6.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/spacecookie.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/trickster.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/v2ray.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/xandikos.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/networking/yggdrasil.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-apps/dokuwiki.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-apps/gotify-server.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-apps/grocy.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-apps/ihatemoney</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-apps/moinmoin.nix</literal> + </para> + </listitem> + <listitem> + 
<para> + <literal>./services/web-apps/trac.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-apps/trilium.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-apps/shiori.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/web-servers/ttyd.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/x11/picom.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/x11/hardware/digimend.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./services/x11/imwheel.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>./virtualisation/cri-o.nix</literal> + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-20.03-incompatibilities"> + <title>Backward Incompatibilities</title> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist> + <listitem> + <para> + The dhcpcd package + <link xlink:href="https://roy.marples.name/archives/dhcpcd-discuss/0002621.html"> + does not request IPv4 addresses for tap and bridge interfaces + anymore by default</link>. In order to still get an address on + a bridge interface, one has to disable + <literal>networking.useDHCP</literal> and explicitly enable + <literal>networking.interfaces.<name>.useDHCP</literal> + on every interface, that should get an address via DHCP. This + way, dhcpcd is configured in an explicit way about which + interface to run on. + </para> + </listitem> + <listitem> + <para> + GnuPG is now built without support for a graphical passphrase + entry by default. Please enable the + <literal>gpg-agent</literal> user service via the NixOS option + <literal>programs.gnupg.agent.enable</literal>. 
Note that + upstream recommends using <literal>gpg-agent</literal> and + will spawn a <literal>gpg-agent</literal> on the first + invocation of GnuPG anyway. + </para> + </listitem> + <listitem> + <para> + The <literal>dynamicHosts</literal> option has been removed + from the + <link xlink:href="options.html#opt-networking.networkmanager.enable">NetworkManager</link> + module. Allowing (multiple) regular users to override host + entries affecting the whole system opens up a huge attack + vector. There seem to be very rare cases where this might be + useful. Consider setting system-wide host entries using + <link xlink:href="options.html#opt-networking.hosts">networking.hosts</link>, + provide them via the DNS server in your network, or use + <link xlink:href="options.html#opt-environment.etc">environment.etc</link> + to add a file into + <literal>/etc/NetworkManager/dnsmasq.d</literal> reconfiguring + <literal>hostsdir</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>99-main.network</literal> file was removed. + Matching all network interfaces caused many breakages, see + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18962">#18962</link> + and + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/71106">#71106</link>. + </para> + <para> + We already don't support the global + <link xlink:href="options.html#opt-networking.useDHCP">networking.useDHCP</link>, + <link xlink:href="options.html#opt-networking.defaultGateway">networking.defaultGateway</link> + and + <link xlink:href="options.html#opt-networking.defaultGateway6">networking.defaultGateway6</link> + options if + <link xlink:href="options.html#opt-networking.useNetworkd">networking.useNetworkd</link> + is enabled, but direct users to configure the per-device + <link xlink:href="options.html#opt-networking.interfaces">networking.interfaces.<name>….</link> + options. 
+ </para> + </listitem> + <listitem> + <para> + The stdenv now runs all bash with <literal>set -u</literal>, + to catch the use of undefined variables. Before, it itself + used <literal>set -u</literal> but was careful to unset it so + other packages' code ran as before. Now, all bash code is held + to the same high standard, and the rather complex stateful + manipulation of the options can be discarded. + </para> + </listitem> + <listitem> + <para> + The SLIM Display Manager has been removed, as it has been + unmaintained since 2013. Consider migrating to a different + display manager such as LightDM (current default in NixOS), + SDDM, GDM, or using the startx module which uses Xinitrc. + </para> + </listitem> + <listitem> + <para> + The Way Cooler wayland compositor has been removed, as the + project has been officially canceled. There are no more + <literal>way-cooler</literal> attribute and + <literal>programs.way-cooler</literal> options. + </para> + </listitem> + <listitem> + <para> + The BEAM package set has been deleted. You will only find + there the different interpreters. You should now use the + different build tools coming with the languages with sandbox + mode disabled. + </para> + </listitem> + <listitem> + <para> + There is now only one Xfce package-set and module. This means + that attributes <literal>xfce4-14</literal> and + <literal>xfceUnstable</literal> all now point to the latest + Xfce 4.14 packages. And in the future NixOS releases will be + the latest released version of Xfce available at the time of + the release's development (if viable). + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.phpfpm.pools">phpfpm</link> + module now sets <literal>PrivateTmp=true</literal> in its + systemd units for better process isolation. 
If you rely on + <literal>/tmp</literal> being shared with other services, + explicitly override this by setting + <literal>serviceConfig.PrivateTmp</literal> to + <literal>false</literal> for each phpfpm unit. + </para> + </listitem> + <listitem> + <para> + KDE’s old multimedia framework Phonon no longer supports Qt 4. + For that reason, Plasma desktop also does not have + <literal>enableQt4Support</literal> option any more. + </para> + </listitem> + <listitem> + <para> + The BeeGFS module has been removed. + </para> + </listitem> + <listitem> + <para> + The osquery module has been removed. + </para> + </listitem> + <listitem> + <para> + Going forward, <literal>~/bin</literal> in the users home + directory will no longer be in <literal>PATH</literal> by + default. If you depend on this you should set the option + <literal>environment.homeBinInPath</literal> to + <literal>true</literal>. The aforementioned option was added + this release. + </para> + </listitem> + <listitem> + <para> + The <literal>buildRustCrate</literal> infrastructure now + produces <literal>lib</literal> outputs in addition to the + <literal>out</literal> output. This has led to drastically + reduced closure sizes for some rust crates since development + dependencies are now in the <literal>lib</literal> output. + </para> + </listitem> + <listitem> + <para> + Pango was upgraded to 1.44, which no longer uses freetype for + font loading. This means that type1 and bitmap fonts are no + longer supported in applications relying on Pango for font + rendering (notably, GTK application). See + <link xlink:href="https://gitlab.gnome.org/GNOME/pango/issues/386"> + upstream issue</link> for more information. + </para> + </listitem> + <listitem> + <para> + The <literal>roundcube</literal> module has been hardened. + </para> + <itemizedlist> + <listitem> + <para> + The password of the database is not written world readable + in the store any more. 
If <literal>database.host</literal> + is set to <literal>localhost</literal>, then a unix user + of the same name as the database will be created and + PostreSQL peer authentication will be used, removing the + need for a password. Otherwise, a password is still needed + and can be provided with the new option + <literal>database.passwordFile</literal>, which should be + set to the path of a file containing the password and + readable by the user <literal>nginx</literal> only. The + <literal>database.password</literal> option is insecure + and deprecated. Usage of this option will print a warning. + </para> + </listitem> + <listitem> + <para> + A random <literal>des_key</literal> is set by default in + the configuration of roundcube, instead of using the + hardcoded and insecure default. To ensure a clean + migration, all users will be logged out when you upgrade + to this release. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The packages <literal>openobex</literal> and + <literal>obexftp</literal> are no longer installed when + enabling Bluetooth via + <literal>hardware.bluetooth.enable</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>dump1090</literal> derivation has been changed to + use FlightAware's dump1090 as its upstream. However, this + version does not have an internal webserver anymore. The + assets in the <literal>share/dump1090</literal> directory of + the derivation can be used in conjunction with an external + webserver to replace this functionality. + </para> + </listitem> + <listitem> + <para> + The fourStore and fourStoreEndpoint modules have been removed. + </para> + </listitem> + <listitem> + <para> + Polkit no longer has the user of uid 0 (root) as an admin + identity. We now follow the upstream default of only having + every member of the wheel group admin privileged. Before it + was root and members of wheel. 
The positive outcome of this is + pkexec GUI popups or terminal prompts will no longer require + the user to choose between two essentially equivalent choices + (whether to perform the action as themselves with wheel + permissions, or as the root user). + </para> + </listitem> + <listitem> + <para> + NixOS containers no longer build NixOS manual by default. This + saves evaluation time, especially if there are many + declarative containers defined. Note that this is already done + when + <literal><nixos/modules/profiles/minimal.nix></literal> + module is included in container config. + </para> + </listitem> + <listitem> + <para> + The <literal>kresd</literal> services deprecates the + <literal>interfaces</literal> option in favor of the + <literal>listenPlain</literal> option which requires full + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.socket.html#ListenStream=">systemd.socket + compatible</link> declaration which always include a port. + </para> + </listitem> + <listitem> + <para> + Virtual console options have been reorganized and can be found + under a single top-level attribute: + <literal>console</literal>. 
The full set of changes is as + follows: + </para> + <itemizedlist> + <listitem> + <para> + <literal>i18n.consoleFont</literal> renamed to + <link xlink:href="options.html#opt-console.font">console.font</link> + </para> + </listitem> + <listitem> + <para> + <literal>i18n.consoleKeyMap</literal> renamed to + <link xlink:href="options.html#opt-console.keyMap">console.keyMap</link> + </para> + </listitem> + <listitem> + <para> + <literal>i18n.consoleColors</literal> renamed to + <link xlink:href="options.html#opt-console.colors">console.colors</link> + </para> + </listitem> + <listitem> + <para> + <literal>i18n.consolePackages</literal> renamed to + <link xlink:href="options.html#opt-console.packages">console.packages</link> + </para> + </listitem> + <listitem> + <para> + <literal>i18n.consoleUseXkbConfig</literal> renamed to + <link xlink:href="options.html#opt-console.useXkbConfig">console.useXkbConfig</link> + </para> + </listitem> + <listitem> + <para> + <literal>boot.earlyVconsoleSetup</literal> renamed to + <link xlink:href="options.html#opt-console.earlySetup">console.earlySetup</link> + </para> + </listitem> + <listitem> + <para> + <literal>boot.extraTTYs</literal> renamed to + <literal>console.extraTTYs</literal>. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.awstats.enable">awstats</link> + module has been rewritten to serve stats via static html + pages, updated on a timer, over + <link xlink:href="options.html#opt-services.nginx.virtualHosts">nginx</link>, + instead of dynamic cgi pages over + <link xlink:href="options.html#opt-services.httpd.enable">apache</link>. + </para> + <para> + Minor changes will be required to migrate existing + configurations. Details of the required changes can seen by + looking through the + <link xlink:href="options.html#opt-services.awstats.enable">awstats</link> + module. 
+ </para> + </listitem> + <listitem> + <para> + The httpd module no longer provides options to support serving + web content without defining a virtual host. As a result of + this the + <link xlink:href="options.html#opt-services.httpd.logPerVirtualHost">services.httpd.logPerVirtualHost</link> + option now defaults to <literal>true</literal> instead of + <literal>false</literal>. Please update your configuration to + make use of + <link xlink:href="options.html#opt-services.httpd.virtualHosts">services.httpd.virtualHosts</link>. + </para> + <para> + The + <link xlink:href="options.html#opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name></link> + option has changed type from a list of submodules to an + attribute set of submodules, better matching + <link xlink:href="options.html#opt-services.nginx.virtualHosts">services.nginx.virtualHosts.<name></link>. + </para> + <para> + This change comes with the addition of the following options + which mimic the functionality of their + <literal>nginx</literal> counterparts: + <link xlink:href="options.html#opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.addSSL</link>, + <link xlink:href="options.html#opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.forceSSL</link>, + <link xlink:href="options.html#opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.onlySSL</link>, + <link xlink:href="options.html#opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.enableACME</link>, + <link xlink:href="options.html#opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.acmeRoot</link>, + and + <link xlink:href="options.html#opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.useACMEHost</link>. + </para> + </listitem> + <listitem> + <para> + For NixOS configuration options, the <literal>loaOf</literal> + type has been deprecated and will be removed in a future + release. 
In nixpkgs, options of this type will be changed to + <literal>attrsOf</literal> instead. If you were using one of + these in your configuration, you will see a warning suggesting + what changes will be required. + </para> + <para> + For example, + <link xlink:href="options.html#opt-users.users">users.users</link> + is a <literal>loaOf</literal> option that is commonly used as + follows: + </para> + <programlisting language="bash"> +{ + users.users = + [ { name = "me"; + description = "My personal user."; + isNormalUser = true; + } + ]; +} +</programlisting> + <para> + This should be rewritten by removing the list and using the + value of <literal>name</literal> as the name of the attribute + set: + </para> + <programlisting language="bash"> +{ + users.users.me = + { description = "My personal user."; + isNormalUser = true; + }; +} +</programlisting> + <para> + For more information on this change have look at these links: + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/1800">issue + #1800</link>, + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/63103">PR + #63103</link>. + </para> + </listitem> + <listitem> + <para> + For NixOS modules, the types + <literal>types.submodule</literal> and + <literal>types.submoduleWith</literal> now support paths as + allowed values, similar to how <literal>imports</literal> + supports paths. Because of this, if you have a module that + defines an option of type + <literal>either (submodule ...) path</literal>, it will break + since a path is now treated as the first type instead of the + second. To fix this, change the type to + <literal>either path (submodule ...)</literal>. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.buildkite-agents">Buildkite + Agent</link> module and corresponding packages have been + updated to 3.x, and to support multiple instances of the agent + running at the same time. 
This means you will have to rename + <literal>services.buildkite-agent</literal> to + <literal>services.buildkite-agents.<name></literal>. + Furthermore, the following options have been changed: + </para> + <itemizedlist> + <listitem> + <para> + <literal>services.buildkite-agent.meta-data</literal> has + been renamed to + <link xlink:href="options.html#opt-services.buildkite-agents">services.buildkite-agents.<name>.tags</link>, + to match upstreams naming for 3.x. Its type has also + changed - it now accepts an attrset of strings. + </para> + </listitem> + <listitem> + <para> + The<literal>services.buildkite-agent.openssh.publicKeyPath</literal> + option has been removed, as it's not necessary to deploy + public keys to clone private repositories. + </para> + </listitem> + <listitem> + <para> + <literal>services.buildkite-agent.openssh.privateKeyPath</literal> + has been renamed to + <link xlink:href="options.html#opt-services.buildkite-agents">buildkite-agents.<name>.privateSshKeyPath</link>, + as the whole <literal>openssh</literal> now only contained + that single option. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.buildkite-agents">services.buildkite-agents.<name>.shell</link> + has been introduced, allowing to specify a custom shell to + be used. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>citrix_workspace_19_3_0</literal> package has + been removed as it will be EOLed within the lifespan of 20.03. + For further information, please refer to the + <link xlink:href="https://www.citrix.com/de-de/support/product-lifecycle/milestones/receiver.html">support + and maintenance information</link> from upstream. + </para> + </listitem> + <listitem> + <para> + The <literal>gcc5</literal> and <literal>gfortran5</literal> + packages have been removed. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>services.xserver.displayManager.auto</literal> + module has been removed. It was only intended for use in + internal NixOS tests, and gave the false impression of it + being a special display manager when it's actually LightDM. + Please use the + <literal>services.xserver.displayManager.lightdm.autoLogin</literal> + options instead, or any other display manager in NixOS as they + all support auto-login. If you used this module specifically + because it permitted root auto-login you can override the + lightdm-autologin pam module like: + </para> + <programlisting language="bash"> +{ + security.pam.services.lightdm-autologin.text = lib.mkForce '' + auth requisite pam_nologin.so + auth required pam_succeed_if.so quiet + auth required pam_permit.so + + account include lightdm + + password include lightdm + + session include lightdm + ''; +} +</programlisting> + <para> + The difference is the: + </para> + <programlisting> +auth required pam_succeed_if.so quiet +</programlisting> + <para> + line, where default it's: + </para> + <programlisting> + auth required pam_succeed_if.so uid >= 1000 quiet +</programlisting> + <para> + not permitting users with uid's below 1000 (like root). All + other display managers in NixOS are configured like this. + </para> + </listitem> + <listitem> + <para> + There have been lots of improvements to the Mailman module. As + a result, + </para> + <itemizedlist> + <listitem> + <para> + The <literal>services.mailman.hyperkittyBaseUrl</literal> + option has been renamed to + <link xlink:href="options.html#opt-services.mailman.hyperkitty.baseUrl">services.mailman.hyperkitty.baseUrl</link>. + </para> + </listitem> + <listitem> + <para> + The <literal>services.mailman.hyperkittyApiKey</literal> + option has been removed. 
This is because having an option + for the Hyperkitty API key meant that the API key would be + stored in the world-readable Nix store, which was a + security vulnerability. A new Hyperkitty API key will be + generated the first time the new Hyperkitty service is + run, and it will then be persisted outside of the Nix + store. To continue using Hyperkitty, you must set + <link xlink:href="options.html#opt-services.mailman.hyperkitty.enable">services.mailman.hyperkitty.enable</link> + to <literal>true</literal>. + </para> + </listitem> + <listitem> + <para> + Additionally, some Postfix configuration must now be set + manually instead of automatically by the Mailman module: + </para> + <programlisting language="bash"> +{ + services.postfix.relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ]; + services.postfix.config.transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; + services.postfix.config.local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; +} +</programlisting> + <para> + This is because some users may want to include other + values in these lists as well, and this was not possible + if they were set automatically by the Mailman module. It + would not have been possible to just concatenate values + from multiple modules each setting the values they needed, + because the order of elements in the list is significant. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The LLVM versions 3.5, 3.9 and 4 (including the corresponding + CLang versions) have been dropped. + </para> + </listitem> + <listitem> + <para> + The + <literal>networking.interfaces.*.preferTempAddress</literal> + option has been replaced by + <literal>networking.interfaces.*.tempAddress</literal>. The + new option allows better control of the IPv6 temporary + addresses, including completely disabling them for interfaces + where they are not needed. 
+ </para> + </listitem> + <listitem> + <para> + Rspamd was updated to version 2.2. Read + <link xlink:href="https://rspamd.com/doc/migration.html#migration-to-rspamd-20"> + the upstream migration notes</link> carefully. Please be + especially aware that some modules were removed and the + default Bayes backend is now Redis. + </para> + </listitem> + <listitem> + <para> + The <literal>*psu</literal> versions of oraclejdk8 have been + removed as they aren't provided by upstream anymore. + </para> + </listitem> + <listitem> + <para> + The <literal>services.dnscrypt-proxy</literal> module has been + removed as it used the deprecated version of dnscrypt-proxy. + We've added + <link xlink:href="options.html#opt-services.dnscrypt-proxy2.enable">services.dnscrypt-proxy2.enable</link> + to use the supported version. This module supports + configuration via the Nix attribute set + <link xlink:href="options.html#opt-services.dnscrypt-proxy2.settings">services.dnscrypt-proxy2.settings</link>, + or by passing a TOML configuration file via + <link xlink:href="options.html#opt-services.dnscrypt-proxy2.configFile">services.dnscrypt-proxy2.configFile</link>. + </para> + <programlisting language="bash"> +{ + # Example configuration: + services.dnscrypt-proxy2.enable = true; + services.dnscrypt-proxy2.settings = { + listen_addresses = [ "127.0.0.1:43" ]; + sources.public-resolvers = { + urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ]; + cache_file = "public-resolvers.md"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + refresh_delay = 72; + }; + }; + + services.dnsmasq.enable = true; + services.dnsmasq.servers = [ "127.0.0.1#43" ]; +} +</programlisting> + </listitem> + <listitem> + <para> + <literal>qesteidutil</literal> has been deprecated in favor of + <literal>qdigidoc</literal>. 
+ </para> + </listitem> + <listitem> + <para> + sqldeveloper_18 has been removed as it's not maintained + anymore, sqldeveloper has been updated to version + <literal>19.4</literal>. Please note that this means that this + means that the oraclejdk is now required. For further + information please read the + <link xlink:href="https://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/sqldev-relnotes-194-5908846.html">release + notes</link>. + </para> + </listitem> + <listitem> + <para> + Haskell <literal>env</literal> and <literal>shellFor</literal> + dev shell environments now organize dependencies the same way + as regular builds. In particular, rather than receiving all + the different lists of dependencies mashed together as one big + list, and then partitioning into Haskell and non-Hakell + dependencies, they work from the original many different + dependency parameters and don't need to algorithmically + partition anything. + </para> + <para> + This means that if you incorrectly categorize a dependency, + e.g. non-Haskell library dependency as a + <literal>buildDepends</literal> or run-time Haskell dependency + as a <literal>setupDepends</literal>, whereas things would + have worked before they may not work now. + </para> + </listitem> + <listitem> + <para> + The gcc-snapshot-package has been removed. It's marked as + broken for >2 years and used to point to a fairly old + snapshot from the gcc7-branch. + </para> + </listitem> + <listitem> + <para> + The nixos-build-vms8 -script now uses the python test-driver. + </para> + </listitem> + <listitem> + <para> + The riot-web package now accepts configuration overrides as an + attribute set instead of a string. A formerly used JSON + configuration can be converted to an attribute set with + <literal>builtins.fromJSON</literal>. + </para> + <para> + The new default configuration also disables automatic guest + account registration and analytics to improve privacy. 
The + previous behavior can be restored by setting + <literal>config.riot-web.conf = { disable_guests = false; piwik = true; }</literal>. + </para> + </listitem> + <listitem> + <para> + Stand-alone usage of <literal>Upower</literal> now requires + <literal>services.upower.enable</literal> instead of just + installing into + <link xlink:href="options.html#opt-environment.systemPackages">environment.systemPackages</link>. + </para> + </listitem> + <listitem> + <para> + nextcloud has been updated to <literal>v18.0.2</literal>. This + means that users from NixOS 19.09 can't upgrade directly since + you can only move one version forward and 19.09 uses + <literal>v16.0.8</literal>. + </para> + <para> + To provide a safe upgrade-path and to circumvent similar + issues in the future, the following measures were taken: + </para> + <itemizedlist> + <listitem> + <para> + The pkgs.nextcloud-attribute has been removed and replaced + with versioned attributes (currently pkgs.nextcloud17 and + pkgs.nextcloud18). With this change major-releases can be + backported without breaking stuff and to make + upgrade-paths easier. + </para> + </listitem> + <listitem> + <para> + Existing setups will be detected using + <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>: + by default, nextcloud17 will be used, but will raise a + warning which notes that after that deploy it's + recommended to update to the latest stable version + (nextcloud18) by declaring the newly introduced setting + <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link>. + </para> + </listitem> + <listitem> + <para> + Users with an overlay (e.g. to use nextcloud at version + <literal>v18</literal> on <literal>19.09</literal>) will + get an evaluation error by default. This is done to ensure + that our + <link xlink:href="options.html#opt-services.nextcloud.package">package</link>-option + doesn't select an older version by accident. 
It's + recommended to use pkgs.nextcloud18 or to set + <link xlink:href="options.html#opt-services.nextcloud.package">package</link> + to pkgs.nextcloud explicitly. + </para> + </listitem> + </itemizedlist> + <warning> + <para> + Please note that if you're coming from + <literal>19.03</literal> or older, you have to manually + upgrade to <literal>19.09</literal> first to upgrade your + server to Nextcloud v16. + </para> + </warning> + </listitem> + <listitem> + <para> + Hydra has gained a massive performance improvement due to + <link xlink:href="https://github.com/NixOS/hydra/pull/710">some + database schema changes</link> by adding several IDs and + better indexing. However, it's necessary to upgrade Hydra in + multiple steps: + </para> + <itemizedlist> + <listitem> + <para> + At first, an older version of Hydra needs to be deployed + which adds those (nullable) columns. When having set + <link xlink:href="options.html#opt-system.stateVersion">stateVersion + </link> to a value older than <literal>20.03</literal>, + this package will be selected by default from the module + when upgrading. Otherwise, the package can be deployed + using the following config: + </para> + <programlisting language="bash"> +{ pkgs, ... }: { + services.hydra.package = pkgs.hydra-migration; +} +</programlisting> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Automatically fill the newly added ID columns on the server by + running the following command: + </para> + <programlisting> +$ hydra-backfill-ids +</programlisting> + <warning> + <para> + Please note that this process can take a while depending on + your database-size! + </para> + </warning> + </listitem> + <listitem> + <para> + Deploy a newer version of Hydra to activate the DB + optimizations. This can be done by using hydra-unstable. This + package already includes + <link xlink:href="https://github.com/nixos/rfcs/pull/49">flake-support</link> + and is therefore compiled against pkgs.nixFlakes. 
+ </para> + <warning> + <para> + If your + <link xlink:href="options.html#opt-system.stateVersion">stateVersion</link> + is set to <literal>20.03</literal> or greater, + hydra-unstable will be used automatically! This will break + your setup if you didn't run the migration. + </para> + </warning> + <para> + Please note that Hydra is currently not available with + nixStable as this doesn't compile anymore. + </para> + <warning> + <para> + pkgs.hydra has been removed to ensure a graceful + database-migration using the dedicated package-attributes. + If you still have pkgs.hydra defined in e.g. an overlay, an + assertion error will be thrown. To circumvent this, you need + to set + <link xlink:href="options.html#opt-services.hydra.package">services.hydra.package</link> + to pkgs.hydra explicitly and make sure you know what you're + doing! + </para> + </warning> + </listitem> + <listitem> + <para> + The TokuDB storage engine will be disabled in mariadb 10.5. It + is recommended to switch to RocksDB. See also + <link xlink:href="https://mariadb.com/kb/en/tokudb/">TokuDB</link>. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-20.03-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + SD images are now compressed by default using + <literal>bzip2</literal>. + </para> + </listitem> + <listitem> + <para> + The nginx web server previously started its master process as + root privileged, then ran worker processes as a less + privileged identity user (the <literal>nginx</literal> user). + This was changed to start all of nginx as a less privileged + user (defined by <literal>services.nginx.user</literal> and + <literal>services.nginx.group</literal>). As a consequence, + all files that are needed for nginx to run (included + configuration fragments, SSL certificates and keys, etc.) must + now be readable by this less privileged user/group. 
+ </para> + <para> + To continue to use the old approach, you can configure: + </para> + <programlisting language="bash"> +{ + services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};''; + systemd.services.nginx.serviceConfig.User = lib.mkForce "root"; +} +</programlisting> + </listitem> + <listitem> + <para> + OpenSSH has been upgraded from 7.9 to 8.1, improving security + and adding features but with potential incompatibilities. + Consult the + <link xlink:href="https://www.openssh.com/txt/release-8.1"> + release announcement</link> for more information. + </para> + </listitem> + <listitem> + <para> + <literal>PRETTY_NAME</literal> in + <literal>/etc/os-release</literal> now uses the short rather + than full version string. + </para> + </listitem> + <listitem> + <para> + The ACME module has switched from simp-le to + <link xlink:href="https://github.com/go-acme/lego">lego</link> + which allows us to support DNS-01 challenges and wildcard + certificates. The following options have been added: + <link xlink:href="options.html#opt-security.acme.acceptTerms">security.acme.acceptTerms</link>, + <link xlink:href="options.html#opt-security.acme.certs">security.acme.certs.<name>.dnsProvider</link>, + <link xlink:href="options.html#opt-security.acme.certs">security.acme.certs.<name>.credentialsFile</link>, + <link xlink:href="options.html#opt-security.acme.certs">security.acme.certs.<name>.dnsPropagationCheck</link>. + As well as this, the options + <literal>security.acme.acceptTerms</literal> and either + <literal>security.acme.email</literal> or + <literal>security.acme.certs.<name>.email</literal> must + be set in order to use the ACME module. Certificates will be + regenerated on activation, no account or certificate will be + migrated from simp-le. In particular private keys will not be + preserved. 
However, the credentials for simp-le are preserved + and thus it is possible to roll back to previous versions + without breaking certificate generation. Note also that in + contrary to simp-le a new private key is recreated at each + renewal by default, which can have consequences if you embed + your public key in apps. + </para> + </listitem> + <listitem> + <para> + It is now possible to unlock LUKS-Encrypted file systems using + a FIDO2 token via + <literal>boot.initrd.luks.fido2Support</literal>. + </para> + </listitem> + <listitem> + <para> + Predictably named network interfaces get renamed in stage-1. + This means that it is possible to use the proper interface + name for e.g. Dropbear setups. + </para> + <para> + For further reference, please read + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/68953">#68953</link> + or the corresponding + <link xlink:href="https://discourse.nixos.org/t/predictable-network-interface-names-in-initrd/4055">discourse + thread</link>. + </para> + </listitem> + <listitem> + <para> + The matrix-synapse-package has been updated to + <link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.11.1">v1.11.1</link>. + Due to + <link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.10.0rc1">stricter + requirements</link> for database configuration when using + postgresql, the automated database setup of the module has + been removed to avoid any further edge-cases. + </para> + <para> + matrix-synapse expects <literal>postgresql</literal>-databases + to have the options <literal>LC_COLLATE</literal> and + <literal>LC_CTYPE</literal> set to + <link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link> + which basically instructs <literal>postgresql</literal> to + ignore any locale-based preferences. 
+ </para> + <para> + Depending on your setup, you need to incorporate one of the + following changes in your setup to upgrade to 20.03: + </para> + <itemizedlist> + <listitem> + <para> + If you use <literal>sqlite3</literal> you don't need to do + anything. + </para> + </listitem> + <listitem> + <para> + If you use <literal>postgresql</literal> on a different + server, you don't need to change anything as well since + this module was never designed to configure remote + databases. + </para> + </listitem> + <listitem> + <para> + If you use <literal>postgresql</literal> and configured + your synapse initially on <literal>19.09</literal> or + older, you simply need to enable postgresql-support + explicitly: + </para> + <programlisting language="bash"> +{ ... }: { + services.matrix-synapse = { + enable = true; + /* and all the other config you've defined here */ + }; + services.postgresql.enable = true; +} +</programlisting> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + If you deploy a fresh matrix-synapse, you need to configure + the database yourself (e.g. by using the + <link xlink:href="options.html#opt-services.postgresql.initialScript">services.postgresql.initialScript</link> + option). An example for this can be found in the + <link linkend="module-services-matrix">documentation of the + Matrix module</link>. + </para> + </listitem> + <listitem> + <para> + If you initially deployed your matrix-synapse on + <literal>nixos-unstable</literal> <emphasis>after</emphasis> + the <literal>19.09</literal>-release, your database is + misconfigured due to a regression in NixOS. For now, + matrix-synapse will startup with a warning, but it's + recommended to reconfigure the database to set the values + <literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> + to + <link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link>. 
+ </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-systemd.network.links">systemd.network.links</link> + option is now respected even when + <link xlink:href="options.html#opt-systemd.network.enable">systemd-networkd</link> + is disabled. This mirrors the behaviour of systemd - It's udev + that parses <literal>.link</literal> files, not + <literal>systemd-networkd</literal>. + </para> + </listitem> + <listitem> + <para> + mongodb has been updated to version <literal>3.4.24</literal>. + </para> + <warning> + <para> + Please note that mongodb has been relicensed under their own + <link xlink:href="https://www.mongodb.com/licensing/server-side-public-license/faq"><literal> sspl</literal></link>-license. + Since it's not entirely free and not OSI-approved, it's + listed as non-free. This means that Hydra doesn't provide + prebuilt mongodb-packages and needs to be built locally. + </para> + </warning> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml new file mode 100644 index 00000000000..edebd92b327 --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml 
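Review bot: the list nesting in the Hydra and matrix-synapse items is wrong. The steps "Automatically fill the newly added ID columns on the server" and "Deploy a newer version of Hydra to activate the DB optimizations" are emitted as listitems of the outer release-notes itemizedlist, as siblings of the "Hydra has gained a massive performance improvement" item, instead of as steps two and three of the nested itemizedlist that currently holds only the hydra-migration step; the same happens to "If you deploy a fresh matrix-synapse" and "If you initially deployed your matrix-synapse on nixos-unstable", which belong inside the "Depending on your setup" list next to the sqlite3 and postgresql cases. As this file is generated from the Markdown source, the fix is to indent those continuation items in the source and regenerate, not to patch the XML by hand. Smaller points in the same hunk: "The<literal>services.buildkite-agent.openssh.publicKeyPath</literal>" is missing a space after "The"; "this means that this means that" is duplicated in the sqldeveloper item; "non-Hakell" should be "non-Haskell"; "upstreams naming" should be "upstream's naming"; "have look at these links" should be "have a look at these links". The Nix snippets are tagged language="bash" while the hydra-backfill-ids listing, which is an actual shell session, carries no tag, so the tagging is inconsistent. Finally, the nginx "old approach" snippet forces User to "root" via lib.mkForce, which reverts exactly the privilege reduction the item describes; one sentence stating that trade-off would help readers decide whether to keep it.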
@@ -0,0 +1,2210 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-20.09"> + <title>Release 20.09 (<quote>Nightingale</quote>, 2020.10/27)</title> + <para> + Support is planned until the end of June 2021, handing over to + 21.05. (Plans + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0080-nixos-release-schedule.md#core-changes"> + have shifted</link> by two months since release of 20.09.) + </para> + <section xml:id="sec-release-20.09-highlights"> + <title>Highlights</title> + <para> + In addition to 7349 new, 14442 updated, and 8181 removed packages, + this release has the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + Core version changes: + </para> + <itemizedlist> + <listitem> + <para> + gcc: 9.2.0 -> 9.3.0 + </para> + </listitem> + <listitem> + <para> + glibc: 2.30 -> 2.31 + </para> + </listitem> + <listitem> + <para> + linux: still defaults to 5.4.x, all supported kernels + available + </para> + </listitem> + <listitem> + <para> + mesa: 19.3.5 -> 20.1.7 + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Desktop Environments: + </para> + <itemizedlist> + <listitem> + <para> + plasma5: 5.17.5 -> 5.18.5 + </para> + </listitem> + <listitem> + <para> + kdeApplications: 19.12.3 -> 20.08.1 + </para> + </listitem> + <listitem> + <para> + gnome3: 3.34 -> 3.36, see its + <link xlink:href="https://help.gnome.org/misc/release-notes/3.36/">release + notes</link> + </para> + </listitem> + <listitem> + <para> + cinnamon: added at 4.6 + </para> + </listitem> + <listitem> + <para> + NixOS now distributes an official + <link xlink:href="https://nixos.org/download.html#nixos-iso">GNOME + ISO</link> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Programming Languages and Frameworks: + </para> + <itemizedlist> + <listitem> + <para> + Agda ecosystem was heavily reworked (see more details + below) + </para> + 
</listitem> + <listitem> + <para> + PHP now defaults to PHP 7.4, updated from 7.3 + </para> + </listitem> + <listitem> + <para> + PHP 7.2 is no longer supported due to upstream not + supporting this version for the entire lifecycle of the + 20.09 release + </para> + </listitem> + <listitem> + <para> + Python 3 now defaults to Python 3.8 instead of 3.7 + </para> + </listitem> + <listitem> + <para> + Python 3.5 reached its upstream EOL at the end of + September 2020: it has been removed from the list of + available packages + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Databases and Service Monitoring: + </para> + <itemizedlist> + <listitem> + <para> + MariaDB has been updated to 10.4, MariaDB Galera to 26.4. + Please read the related upgrade instructions under + <link linkend="sec-release-20.09-incompatibilities">backwards + incompatibilities</link> before upgrading. + </para> + </listitem> + <listitem> + <para> + Zabbix now defaults to 5.0, updated from 4.4. Please read + related sections under + <link linkend="sec-release-20.09-incompatibilities">backwards + compatibilities</link> before upgrading. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Major module changes: + </para> + <itemizedlist> + <listitem> + <para> + Quickly configure a complete, private, self-hosted video + conferencing solution with the new Jitsi Meet module. + </para> + </listitem> + <listitem> + <para> + Two new options, + <link xlink:href="options.html#opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link> + and + <link xlink:href="options.html#opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, + have been added to the <literal>openssh</literal> module. + If you have <literal>AuthorizedKeysCommand</literal> in + your + <link xlink:href="options.html#opt-services.openssh.extraConfig">services.openssh.extraConfig</link> + you should make use of these new options instead. 
+ </para> + </listitem> + <listitem> + <para> + There is a new module for Podman + (<literal>virtualisation.podman</literal>), a drop-in + replacement for the Docker command line. + </para> + </listitem> + <listitem> + <para> + The new <literal>virtualisation.containers</literal> + module manages configuration shared by the CRI-O and + Podman modules. + </para> + </listitem> + <listitem> + <para> + Declarative Docker containers are renamed from + <literal>docker-containers</literal> to + <literal>virtualisation.oci-containers.containers</literal>. + This is to make it possible to use + <literal>podman</literal> instead of + <literal>docker</literal>. + </para> + </listitem> + <listitem> + <para> + The new option + <link xlink:href="options.html#opt-documentation.man.generateCaches">documentation.man.generateCaches</link> + has been added to automatically generate the + <literal>man-db</literal> caches, which are needed by + utilities like <literal>whatis</literal> and + <literal>apropos</literal>. The caches are generated + during the build of the NixOS configuration: since this + can be expensive when a large number of packages are + installed, the feature is disabled by default. + </para> + </listitem> + <listitem> + <para> + <literal>services.postfix.sslCACert</literal> was replaced + by + <literal>services.postfix.tlsTrustedAuthorities</literal> + which now defaults to system certificate authorities. + </para> + </listitem> + <listitem> + <para> + The various documented workarounds to use steam have been + converted to a module. + <literal>programs.steam.enable</literal> enables steam, + controller support and the workarounds. + </para> + </listitem> + <listitem> + <para> + Support for built-in LCDs in various pieces of Logitech + hardware (keyboards and USB speakers). + <literal>hardware.logitech.lcd.enable</literal> enables + support for all hardware supported by the + <link xlink:href="https://sourceforge.net/projects/g15daemon/">g15daemon + project</link>. 
+ </para> + </listitem> + <listitem> + <para> + The GRUB module gained support for basic password + protection, which allows to restrict non-default entries + in the boot menu to one or more users. The users and + passwords are defined via the option + <literal>boot.loader.grub.users</literal>. Note: Password + support is only available in GRUB version 2. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + NixOS module changes: + </para> + <itemizedlist> + <listitem> + <para> + The NixOS module system now supports freeform modules as a + mix between <literal>types.attrsOf</literal> and + <literal>types.submodule</literal>. These allow you to + explicitly declare a subset of options while still + permitting definitions without an associated option. See + <xref linkend="sec-freeform-modules" /> for how to use + them. + </para> + </listitem> + <listitem> + <para> + Following its deprecation in 20.03, the Perl NixOS test + driver has been removed. All remaining tests have been + ported to the Python test framework. Code outside nixpkgs + using <literal>make-test.nix</literal> or + <literal>testing.nix</literal> needs to be ported to + <literal>make-test-python.nix</literal> and + <literal>testing-python.nix</literal> respectively. + </para> + </listitem> + <listitem> + <para> + Subordinate GID and UID mappings are now set up + automatically for all normal users. This will make + container tools like Podman work as non-root users out of + the box. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Starting with this release, the hydra-build-result + <literal>nixos-YY.MM</literal> branches no longer exist in the + <link xlink:href="https://github.com/nixos/nixpkgs-channels">deprecated + nixpkgs-channels repository</link>. These branches are now in + <link xlink:href="https://github.com/nixos/nixpkgs">the main + nixpkgs repository</link>. 
+ </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-20.09-new-services"> + <title>New Services</title> + <para> + In addition to 1119 new, 118 updated, and 476 removed options; 61 + new modules were added since the last release: + </para> + <itemizedlist> + <listitem> + <para> + Hardware: + </para> + <itemizedlist> + <listitem> + <para> + <link xlink:href="options.html#opt-hardware.system76.firmware-daemon.enable">hardware.system76.firmware-daemon.enable</link> + adds easy support of system76 firmware + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-hardware.uinput.enable">hardware.uinput.enable</link> + loads uinput kernel module + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-hardware.video.hidpi.enable">hardware.video.hidpi.enable</link> + enable good defaults for HiDPI displays + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-hardware.wooting.enable">hardware.wooting.enable</link> + support for Wooting keyboards + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-hardware.xpadneo.enable">hardware.xpadneo.enable</link> + xpadneo driver for Xbox One wireless controllers + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Programs: + </para> + <itemizedlist> + <listitem> + <para> + <link xlink:href="options.html#opt-programs.hamster.enable">programs.hamster.enable</link> + enable hamster time tracking + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-programs.steam.enable">programs.steam.enable</link> + adds easy enablement of steam and related system + configuration + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Security: + </para> + <itemizedlist> + <listitem> + <para> + <link xlink:href="options.html#opt-security.doas.enable">security.doas.enable</link> + alternative to sudo, allows non-root users to 
execute + commands as root + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-security.tpm2.enable">security.tpm2.enable</link> + add Trusted Platform Module 2 support + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + System: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <link xlink:href="options.html#opt-boot.initrd.network.openvpn.enable">boot.initrd.network.openvpn.enable</link> + start an OpenVPN client during initrd boot + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Virtualization: + </para> + <itemizedlist> + <listitem> + <para> + <link xlink:href="options.html#opt-boot.enableContainers">boot.enableContainers</link> + use nixos-containers + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-virtualisation.oci-containers.containers">virtualisation.oci-containers.containers</link> + run OCI (Docker) containers + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-virtualisation.podman.enable">virtualisation.podman.enable</link> + daemonless container engine + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Services: + </para> + <itemizedlist> + <listitem> + <para> + <link xlink:href="options.html#opt-services.ankisyncd.enable">services.ankisyncd.enable</link> + Anki sync server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.bazarr.enable">services.bazarr.enable</link> + Subtitle manager for Sonarr and Radarr + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.biboumi.enable">services.biboumi.enable</link> + Biboumi XMPP gateway to IRC + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.blockbook-frontend">services.blockbook-frontend</link> + Blockbook-frontend, a service for the Trezor wallet + </para> + </listitem> + <listitem> + 
<para> + <link xlink:href="options.html#opt-services.cage.enable">services.cage.enable</link> + Wayland cage service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.convos.enable">services.convos.enable</link> + IRC daemon, which can be accessed throught the browser + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.engelsystem.enable">services.engelsystem.enable</link> + Tool for coordinating volunteers and shifts on large + events + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.espanso.enable">services.espanso.enable</link> + text-expander written in rust + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.foldingathome.enable">services.foldingathome.enable</link> + Folding@home client + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.gerrit.enable">services.gerrit.enable</link> + Web-based team code collaboration tool + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.go-neb.enable">services.go-neb.enable</link> + Matrix bot + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.hardware.xow.enable">services.hardware.xow.enable</link> + xow as a systemd service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.hercules-ci-agent.enable">services.hercules-ci-agent.enable</link> + Hercules CI build agent + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.jicofo.enable">services.jicofo.enable</link> + Jitsi Conference Focus, component of Jitsi Meet + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.jirafeau.enable">services.jirafeau.enable</link> + A web file repository + </para> + </listitem> + <listitem> + <para> + <link 
xlink:href="options.html#opt-services.jitsi-meet.enable">services.jitsi-meet.enable</link> + Secure, simple and scalable video conferences + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.jitsi-videobridge.enable">services.jitsi-videobridge.enable</link> + Jitsi Videobridge, a WebRTC compatible router + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.jupyterhub.enable">services.jupyterhub.enable</link> + Jupyterhub development server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.k3s.enable">services.k3s.enable</link> + Lightweight Kubernetes distribution + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.magic-wormhole-mailbox-server.enable">services.magic-wormhole-mailbox-server.enable</link> + Magic Wormhole Mailbox Server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.malcontent.enable">services.malcontent.enable</link> + Parental Control support + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.matrix-appservice-discord.enable">services.matrix-appservice-discord.enable</link> + Matrix and Discord bridge + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.mautrix-telegram.enable">services.mautrix-telegram.enable</link> + Matrix-Telegram puppeting/relaybot bridge + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.mirakurun.enable">services.mirakurun.enable</link> + Japanese DTV Tuner Server Service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.molly-brown.enable">services.molly-brown.enable</link> + Molly-Brown Gemini server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.mullvad-vpn.enable">services.mullvad-vpn.enable</link> + Mullvad VPN 
daemon + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.ncdns.enable">services.ncdns.enable</link> + Namecoin to DNS bridge + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.nextdns.enable">services.nextdns.enable</link> + NextDNS to DoH Proxy service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.nix-store-gcs-proxy">services.nix-store-gcs-proxy</link> + Google storage bucket to be used as a nix store + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.onedrive.enable">services.onedrive.enable</link> + OneDrive sync service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.pinnwand.enable">services.pinnwand.enable</link> + Pastebin-like service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.pixiecore.enable">services.pixiecore.enable</link> + Manage network booting of machines + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.privacyidea.enable">services.privacyidea.enable</link> + Privacy authentication server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.quorum.enable">services.quorum.enable</link> + Quorum blockchain daemon + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.robustirc-bridge.enable">services.robustirc-bridge.enable</link> + RobustIRC bridge + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.rss-bridge.enable">services.rss-bridge.enable</link> + Generate RSS and Atom feeds + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.rtorrent.enable">services.rtorrent.enable</link> + rTorrent service + </para> + </listitem> + <listitem> + <para> + <link 
xlink:href="options.html#opt-services.smartdns.enable">services.smartdns.enable</link> + SmartDNS DNS server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.sogo.enable">services.sogo.enable</link> + SOGo groupware + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.teeworlds.enable">services.teeworlds.enable</link> + Teeworlds game server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.torque.mom.enable">services.torque.mom.enable</link> + torque computing node + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.torque.server.enable">services.torque.server.enable</link> + torque server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.tuptime.enable">services.tuptime.enable</link> + A total uptime service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.urserver.enable">services.urserver.enable</link> + X11 remote server + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.wasabibackend.enable">services.wasabibackend.enable</link> + Wasabi backend service + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.yubikey-agent.enable">services.yubikey-agent.enable</link> + Yubikey agent + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.zigbee2mqtt.enable">services.zigbee2mqtt.enable</link> + Zigbee to MQTT bridge + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-20.09-incompatibilities"> + <title>Backward Incompatibilities</title> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist> + <listitem> + <para> + MariaDB has been updated to 10.4, MariaDB Galera to 
26.4. + Before you upgrade, it would be best to take a backup of your + database. For MariaDB Galera Cluster, see + <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104-with-galera-cluster/">Upgrading + from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster</link> + instead. Before doing the upgrade read + <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104">Incompatible + Changes Between 10.3 and 10.4</link>. After the upgrade you + will need to run <literal>mysql_upgrade</literal>. MariaDB + 10.4 introduces a number of changes to the authentication + process, intended to make things easier and more intuitive. + See + <link xlink:href="https://mariadb.com/kb/en/authentication-from-mariadb-104/">Authentication + from MariaDB 10.4</link>. unix_socket auth plugin does not use + a password, and uses the connecting user's UID instead. When a + new MariaDB data directory is initialized, two MariaDB users + are created and can be used with new unix_socket auth plugin, + as well as traditional mysql_native_password plugin: + root@localhost and mysql@localhost. To actually use the + traditional mysql_native_password plugin method, one must run + the following: + </para> + <programlisting language="bash"> +{ +services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' + ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("verysecret"); +''; +} +</programlisting> + <para> + When MariaDB data directory is just upgraded (not + initialized), the users are not created or modified. + </para> + </listitem> + <listitem> + <para> + MySQL server is now started with additional systemd + sandbox/hardening options for better security. 
The PrivateTmp, + ProtectHome, and ProtectSystem options may be problematic when + MySQL is attempting to read from or write to your filesystem + anywhere outside of its own state directory, for example when + calling + <literal>LOAD DATA INFILE or SELECT * INTO OUTFILE</literal>. + In this scenario a variant of the following may be required: - + allow MySQL to read from /home and /tmp directories when using + <literal>LOAD DATA INFILE</literal> + </para> + <programlisting language="bash"> +{ + systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only"; +} +</programlisting> + <para> + - allow MySQL to write to custom folder + <literal>/var/data</literal> when using + <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql + user has write access to <literal>/var/data</literal> + </para> + <programlisting language="bash"> +{ + systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ]; +} +</programlisting> + <para> + The MySQL service no longer runs its + <literal>systemd</literal> service startup script as + <literal>root</literal> anymore. A dedicated non + <literal>root</literal> super user account is required for + operation. This means users with an existing MySQL or MariaDB + database server are required to run the following SQL + statements as a super admin user before upgrading: + </para> + <programlisting language="SQL"> +CREATE USER IF NOT EXISTS 'mysql'@'localhost' identified with unix_socket; +GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION; +</programlisting> + <para> + If you use MySQL instead of MariaDB please replace + <literal>unix_socket</literal> with + <literal>auth_socket</literal>. If you have changed the value + of + <link xlink:href="options.html#opt-services.mysql.user">services.mysql.user</link> + from the default of <literal>mysql</literal> to a different + user please change <literal>'mysql'@'localhost'</literal> to + the corresponding user instead. 
+ </para> + </listitem> + <listitem> + <para> + Zabbix now defaults to 5.0, updated from 4.4. Please carefully + read through + <link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade/sources">the + upgrade guide</link> and apply any changes required. Be sure + to take special note of the section on + <link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade_notes_500#enabling_extended_range_of_numeric_float_values">enabling + extended range of numeric (float) values</link> as you will + need to apply this database migration manually. + </para> + <para> + If you are using Zabbix Server with a MySQL or MariaDB + database you should note that using a character set of + <literal>utf8</literal> and a collate of + <literal>utf8_bin</literal> has become mandatory with this + release. See the upstream + <link xlink:href="https://support.zabbix.com/browse/ZBX-17357">issue</link> + for further discussion. Before upgrading you should check the + character set and collation used by your database and ensure + they are correct: + </para> + <programlisting language="SQL"> +SELECT + default_character_set_name, + default_collation_name +FROM + information_schema.schemata +WHERE + schema_name = 'zabbix'; +</programlisting> + <para> + If these values are not correct you should take a backup of + your database and convert the character set and collation as + required. 
Here is an + <link xlink:href="https://www.zabbix.com/forum/zabbix-help/396573-reinstall-after-upgrade?p=396891#post396891">example</link> + of how to do so, taken from the Zabbix forums: + </para> + <programlisting language="SQL"> +ALTER DATABASE `zabbix` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin; + +-- the following will produce a list of SQL commands you should subsequently execute +SELECT CONCAT("ALTER TABLE ", TABLE_NAME," CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;") AS ExecuteTheString +FROM information_schema.`COLUMNS` +WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ci"; +</programlisting> + </listitem> + <listitem> + <para> + maxx package removed along with + <literal>services.xserver.desktopManager.maxx</literal> + module. Please migrate to cdesktopenv and + <literal>services.xserver.desktopManager.cde</literal> module. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.matrix-synapse.enable">matrix-synapse</link> + module no longer includes optional dependencies by default, + they have to be added through the + <link xlink:href="options.html#opt-services.matrix-synapse.plugins">plugins</link> + option. + </para> + </listitem> + <listitem> + <para> + <literal>buildGoModule</literal> now internally creates a + vendor directory in the source tree for downloaded modules + instead of using go's + <link xlink:href="https://golang.org/cmd/go/#hdr-Module_proxy_protocol">module + proxy protocol</link>. This storage format is simpler and + therefore less likely to break with future versions of go. As + a result <literal>buildGoModule</literal> switched from + <literal>modSha256</literal> to the + <literal>vendorSha256</literal> attribute to pin fetched + version data. + </para> + </listitem> + <listitem> + <para> + Grafana is now built without support for phantomjs by default. 
+ Phantomjs support has been + <link xlink:href="https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-4/">deprecated + in Grafana</link> and the phantomjs project is + <link xlink:href="https://github.com/ariya/phantomjs/issues/15344#issue-302015362">currently + unmaintained</link>. It can still be enabled by providing + <literal>phantomJsSupport = true</literal> to the package + instantiation: + </para> + <programlisting language="bash"> +{ + services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec { + phantomJsSupport = true; + }); +} +</programlisting> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.supybot.enable">supybot</link> + module now uses <literal>/var/lib/supybot</literal> as its + default + <link xlink:href="options.html#opt-services.supybot.stateDir">stateDir</link> + path if <literal>stateVersion</literal> is 20.09 or higher. It + also enables a number of + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd + sandboxing options</link> which may possibly interfere with + some plugins. If this is the case you can disable the options + through attributes in + <literal>systemd.services.supybot.serviceConfig</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>security.duosec.skey</literal> option, which + stored a secret in the nix store, has been replaced by a new + <link xlink:href="options.html#opt-security.duosec.secretKeyFile">security.duosec.secretKeyFile</link> + option for better security. + </para> + <para> + <literal>security.duosec.ikey</literal> has been renamed to + <link xlink:href="options.html#opt-security.duosec.integrationKey">security.duosec.integrationKey</link>. + </para> + </listitem> + <listitem> + <para> + <literal>vmware</literal> has been removed from the + <literal>services.x11.videoDrivers</literal> defaults. 
For + VMWare guests set + <literal>virtualisation.vmware.guest.enable</literal> to + <literal>true</literal> which will include the appropriate + drivers. + </para> + </listitem> + <listitem> + <para> + The initrd SSH support now uses OpenSSH rather than Dropbear + to allow the use of Ed25519 keys and other OpenSSH-specific + functionality. Host keys must now be in the OpenSSH format, + and at least one pre-generated key must be specified. + </para> + <para> + If you used the + <literal>boot.initrd.network.ssh.host*Key</literal> options, + you'll get an error explaining how to convert your host keys + and migrate to the new + <literal>boot.initrd.network.ssh.hostKeys</literal> option. + Otherwise, if you don't have any host keys set, you'll need to + generate some; see the <literal>hostKeys</literal> option + documentation for instructions. + </para> + </listitem> + <listitem> + <para> + Since this release there's an easy way to customize your PHP + install to get a much smaller base PHP with only wanted + extensions enabled. See the following snippet installing a + smaller PHP with the extensions <literal>imagick</literal>, + <literal>opcache</literal>, <literal>pdo</literal> and + <literal>pdo_mysql</literal> loaded: + </para> + <programlisting language="bash"> +{ + environment.systemPackages = [ + (pkgs.php.withExtensions + ({ all, ... }: with all; [ + imagick + opcache + pdo + pdo_mysql + ]) + ) + ]; +} +</programlisting> + <para> + The default <literal>php</literal> attribute hasn't lost any + extensions. The <literal>opcache</literal> extension has been + added. All upstream PHP extensions are available under + php.extensions.<name?>. 
+ </para> + <para> + All PHP <literal>config</literal> flags have been removed for + the following reasons: + </para> + </listitem> + <listitem> + <para> + The updated <literal>php</literal> attribute is now easily + customizable to your liking by using + <literal>php.withExtensions</literal> or + <literal>php.buildEnv</literal> instead of writing config + files or changing configure flags. + </para> + </listitem> + <listitem> + <para> + The remaining configuration flags can now be set directly on + the <literal>php</literal> attribute. For example, instead of + </para> + <programlisting language="bash"> +{ + php.override { + config.php.embed = true; + config.php.apxs2 = false; + } +} +</programlisting> + <para> + you should now write + </para> + <programlisting language="bash"> +{ + php.override { + embedSupport = true; + apxs2Support = false; + } +} +</programlisting> + </listitem> + <listitem> + <para> + The ACME module has been overhauled for simplicity and + maintainability. Cert generation now implicitly uses the + <literal>acme</literal> user, and the + <literal>security.acme.certs._name_.user</literal> option has + been removed. Instead, certificate access from other services + is now managed through group permissions. The module no longer + runs lego twice under certain conditions, and will correctly + renew certificates if their configuration is changed. Services + which reload nginx and httpd after certificate renewal are now + properly configured too so you no longer have to do this + manually if you are using HTTPS enabled virtual hosts. A + mechanism for regenerating certs on demand has also been added + and documented. + </para> + </listitem> + <listitem> + <para> + Gollum received a major update to version 5.x and you may have + to change some links in your wiki when migrating from gollum + 4.x. More information can be found + <link xlink:href="https://github.com/gollum/gollum/wiki/5.0-release-notes#migrating-your-wiki">here</link>. 
+ </para> + </listitem> + <listitem> + <para> + Deluge 2.x was added and is used as default for new NixOS + installations where stateVersion is >= 20.09. If you are + upgrading from a previous NixOS version, you can set + <literal>service.deluge.package = pkgs.deluge-2_x</literal> to + upgrade to Deluge 2.x and migrate the state to the new format. + Be aware that backwards state migrations are not supported by + Deluge. + </para> + </listitem> + <listitem> + <para> + Nginx web server now starting with additional + sandbox/hardening options. By default, write access to + <literal>/var/log/nginx</literal> and + <literal>/var/cache/nginx</literal> is allowed. To allow + writing to other folders, use + <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal> + </para> + <programlisting language="bash"> +{ + systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; +} +</programlisting> + <para> + Nginx is also started with the systemd option + <literal>ProtectHome = mkDefault true;</literal> which forbids + it to read anything from <literal>/home</literal>, + <literal>/root</literal> and <literal>/run/user</literal> (see + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=">ProtectHome + docs</link> for details). If you require serving files from + home directories, you may choose to set e.g. + </para> + <programlisting language="bash"> +{ + systemd.services.nginx.serviceConfig.ProtectHome = "read-only"; +} +</programlisting> + </listitem> + <listitem> + <para> + The NixOS options <literal>nesting.clone</literal> and + <literal>nesting.children</literal> have been deleted, and + replaced with named + <link xlink:href="options.html#opt-specialisation">specialisation</link> + configurations. + </para> + <para> + Replace a <literal>nesting.clone</literal> entry with: + </para> + <programlisting language="bash"> +{ + specialisation.example-sub-configuration = { + configuration = { + ... 
+ }; +}; +</programlisting> + <para> + Replace a <literal>nesting.children</literal> entry with: + </para> + <programlisting language="bash"> +{ + specialisation.example-sub-configuration = { + inheritParentConfig = false; + configuration = { + ... + }; +}; +</programlisting> + <para> + To switch to a specialised configuration at runtime you need + to run: + </para> + <programlisting> +$ sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test +</programlisting> + <para> + Before you would have used: + </para> + <programlisting> +$ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test +</programlisting> + </listitem> + <listitem> + <para> + The Nginx log directory has been moved to + <literal>/var/log/nginx</literal>, the cache directory to + <literal>/var/cache/nginx</literal>. The option + <literal>services.nginx.stateDir</literal> has been removed. + </para> + </listitem> + <listitem> + <para> + The httpd web server previously started its main process as + root privileged, then ran worker processes as a less + privileged identity user. This was changed to start all of + httpd as a less privileged user (defined by + <link xlink:href="options.html#opt-services.httpd.user">services.httpd.user</link> + and + <link xlink:href="options.html#opt-services.httpd.group">services.httpd.group</link>). + As a consequence, all files that are needed for httpd to run + (included configuration fragments, SSL certificates and keys, + etc.) must now be readable by this less privileged user/group. + </para> + <para> + The default value for + <link xlink:href="options.html#opt-services.httpd.mpm">services.httpd.mpm</link> + has been changed from <literal>prefork</literal> to + <literal>event</literal>. Along with this change the default + value for + <link xlink:href="options.html#opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.http2</link> + has been set to <literal>true</literal>. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>systemd-networkd</literal> option + <literal>systemd.network.networks.<name>.dhcp.CriticalConnection</literal> + has been removed following upstream systemd's deprecation of + the same. It is recommended to use + <literal>systemd.network.networks.<name>.networkConfig.KeepConfiguration</literal> + instead. See systemd.network 5 for details. + </para> + </listitem> + <listitem> + <para> + The <literal>systemd-networkd</literal> option + <literal>systemd.network.networks._name_.dhcpConfig</literal> + has been renamed to + <link xlink:href="options.html#opt-systemd.network.networks._name_.dhcpV4Config">systemd.network.networks.<emphasis>name</emphasis>.dhcpV4Config</link> + following upstream systemd's documentation change. See + systemd.network 5 for details. + </para> + </listitem> + <listitem> + <para> + In the <literal>picom</literal> module, several options that + accepted floating point numbers encoded as strings (for + example + <link xlink:href="options.html#opt-services.picom.activeOpacity">services.picom.activeOpacity</link>) + have been changed to the (relatively) new native + <literal>float</literal> type. To migrate your configuration + simply remove the quotes around the numbers. + </para> + </listitem> + <listitem> + <para> + When using <literal>buildBazelPackage</literal> from Nixpkgs, + <literal>flat</literal> hash mode is now used for dependencies + instead of <literal>recursive</literal>. This is to better + allow using hashed mirrors where needed. As a result, these + hashes will have changed. + </para> + </listitem> + <listitem> + <para> + The syntax of the PostgreSQL configuration file is now checked + at build time. If your configuration includes a file + inaccessible inside the build sandbox, set + <literal>services.postgresql.checkConfig</literal> to + <literal>false</literal>. 
+ </para> + </listitem> + <listitem> + <para> + The rkt module has been removed, it was archived by upstream. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="https://bazaar.canonical.com">Bazaar</link> + VCS is unmaintained and, as consequence of the Python 2 EOL, + the packages <literal>bazaar</literal> and + <literal>bazaarTools</literal> were removed. Breezy, the + backward compatible fork of Bazaar (see the + <link xlink:href="https://www.jelmer.uk/breezy-intro.html">announcement</link>), + was packaged as <literal>breezy</literal> and can be used + instead. + </para> + <para> + Regarding Nixpkgs, <literal>fetchbzr</literal>, + <literal>nix-prefetch-bzr</literal> and Bazaar support in + Hydra will continue to work through Breezy. + </para> + </listitem> + <listitem> + <para> + In addition to the hostname, the fully qualified domain name + (FQDN), which consists of + <literal>${networking.hostName}</literal> and + <literal>${networking.domain}</literal> is now added to + <literal>/etc/hosts</literal>, to allow local FQDN resolution, + as used by the <literal>hostname --fqdn</literal> command and + other applications that try to determine the FQDN. These new + entries take precedence over entries from the DNS which could + cause regressions in some very specific setups. Additionally + the hostname is now resolved to <literal>127.0.0.2</literal> + instead of <literal>127.0.1.1</literal> to be consistent with + what <literal>nss-myhostname</literal> (from systemd) returns. + The old behaviour can e.g. be restored by using + <literal>networking.hosts = lib.mkForce { "127.0.1.1" = [ config.networking.hostName ]; };</literal>. + </para> + </listitem> + <listitem> + <para> + The hostname (<literal>networking.hostName</literal>) must now + be a valid DNS label (see RFC 1035, RFC 1123) and as such must + not contain the domain part. 
This means that the hostname must + start with a letter or digit, end with a letter or digit, and + have as interior characters only letters, digits, and hyphen. + The maximum length is 63 characters. Additionally it is + recommended to only use lower-case characters. If (e.g. for + legacy reasons) a FQDN is required as the Linux kernel network + node hostname (<literal>uname --nodename</literal>) the option + <literal>boot.kernel.sysctl."kernel.hostname"</literal> + can be used as a workaround (but be aware of the 64 character + limit). + </para> + </listitem> + <listitem> + <para> + The GRUB specific option + <literal>boot.loader.grub.extraInitrd</literal> has been + replaced with the generic option + <literal>boot.initrd.secrets</literal>. This option creates a + secondary initrd from the specified files, rather than using a + manually created initrd file. Due to an existing bug with + <literal>boot.loader.grub.extraInitrd</literal>, it is not + possible to directly boot an older generation that used that + option. It is still possible to rollback to that generation if + the required initrd file has not been deleted. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="https://github.com/okTurtles/dnschain">DNSChain</link> + package and NixOS module have been removed from Nixpkgs as the + software is unmaintained and can't be built. For more + information see issue + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/89205">#89205</link>. + </para> + </listitem> + <listitem> + <para> + In the <literal>resilio</literal> module, + <link xlink:href="options.html#opt-services.resilio.httpListenAddr">services.resilio.httpListenAddr</link> + has been changed to listen to <literal>[::1]</literal> instead + of <literal>0.0.0.0</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>sslh</literal> has been updated to version + <literal>1.21</literal>. 
The <literal>ssl</literal> probe must + be renamed to <literal>tls</literal> in + <link xlink:href="options.html#opt-services.sslh.appendConfig">services.sslh.appendConfig</link>. + </para> + </listitem> + <listitem> + <para> + Users of <link xlink:href="http://openafs.org">OpenAFS + 1.6</link> must upgrade their services to OpenAFS 1.8! In this + release, the OpenAFS package version 1.6.24 is marked broken + but can be used during transition to OpenAFS 1.8.x. Use the + options + <literal>services.openafsClient.packages.module</literal>, + <literal>services.openafsClient.packages.programs</literal> + and <literal>services.openafsServer.package</literal> to + select a different OpenAFS package. OpenAFS 1.6 will be + removed in the next release. The package + <literal>openafs</literal> and the service options will then + silently point to the OpenAFS 1.8 release. + </para> + <para> + See also the OpenAFS + <link xlink:href="http://docs.openafs.org/AdminGuide/index.html">Administrator + Guide</link> for instructions. Beware of the following when + updating servers: + </para> + <itemizedlist> + <listitem> + <para> + The storage format of the server key has changed and the + key must be converted before running the new release. + </para> + </listitem> + <listitem> + <para> + When updating multiple database servers, turn off the + database servers from the highest IP down to the lowest + with resting periods in between. Start up in reverse + order. Do not concurrently run database servers working + with different OpenAFS releases! + </para> + </listitem> + <listitem> + <para> + Update servers first, then clients. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Radicale's default package has changed from 2.x to 3.x. An + upgrade checklist can be found + <link xlink:href="https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist">here</link>. 
+ You can use the newer version in the NixOS service by setting + the <literal>package</literal> to + <literal>radicale3</literal>, which is done automatically if + <literal>stateVersion</literal> is 20.09 or higher. + </para> + </listitem> + <listitem> + <para> + <literal>udpt</literal> experienced a complete rewrite from + C++ to rust. The configuration format changed from ini to + toml. The new configuration documentation can be found at + <link xlink:href="https://naim94a.github.io/udpt/config.html">the + official website</link> and example configuration is packaged + in <literal>${udpt}/share/udpt/udpt.toml</literal>. + </para> + </listitem> + <listitem> + <para> + We now have a unified + <link xlink:href="options.html#opt-services.xserver.displayManager.autoLogin">services.xserver.displayManager.autoLogin</link> + option interface to be used for every display-manager in + NixOS. + </para> + </listitem> + <listitem> + <para> + The <literal>bitcoind</literal> module has changed to + multi-instance, using submodules. Therefore, it is now + mandatory to name each instance. To use this new + multi-instance config with an existing bitcoind data directory + and user, you have to adjust the original config, e.g.: + </para> + <programlisting language="bash"> +{ + services.bitcoind = { + enable = true; + extraConfig = "..."; + ... + }; +} +</programlisting> + <para> + To something similar: + </para> + <programlisting language="bash"> +{ + services.bitcoind.mainnet = { + enable = true; + dataDir = "/var/lib/bitcoind"; + user = "bitcoin"; + extraConfig = "..."; + ... + }; +} +</programlisting> + <para> + The key settings are: + </para> + <itemizedlist> + <listitem> + <para> + <literal>dataDir</literal> - to continue using the same + data directory. + </para> + </listitem> + <listitem> + <para> + <literal>user</literal> - to continue using the same user + so that bitcoind maintains access to its files. 
+ </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Graylog introduced a change in the LDAP server certificate + validation behaviour for version 3.3.3 which might break + existing setups. When updating Graylog from a version before + 3.3.3 make sure to check the Graylog + <link xlink:href="https://www.graylog.org/post/announcing-graylog-v3-3-3">release + info</link> for information on how to avoid the issue. + </para> + </listitem> + <listitem> + <para> + The <literal>dokuwiki</literal> module has changed to + multi-instance, using submodules. Therefore, it is now + mandatory to name each instance. Moreover, forcing SSL by + default has been dropped, so <literal>nginx.forceSSL</literal> + and <literal>nginx.enableACME</literal> are no longer set to + <literal>true</literal>. To continue using your service with + the original SSL settings, you have to adjust the original + config, e.g.: + </para> + <programlisting language="bash"> +{ + services.dokuwiki = { + enable = true; + ... + }; +} +</programlisting> + <para> + To something similar: + </para> + <programlisting language="bash"> +{ + services.dokuwiki."mywiki" = { + enable = true; + nginx = { + forceSSL = true; + enableACME = true; + }; + ... + }; +} +</programlisting> + <para> + The base package has also been upgraded to the 2020-07-29 + "Hogfather" release. Plugins might be incompatible + or require upgrading. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.postgresql.dataDir">services.postgresql.dataDir</link> + option is now set to + <literal>"/var/lib/postgresql/${cfg.package.psqlSchema}"</literal> + regardless of your + <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>. 
+ Users with an existing postgresql install that have a + <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link> + of <literal>17.03</literal> or below should double check what + the value of their + <link xlink:href="options.html#opt-services.postgresql.dataDir">services.postgresql.dataDir</link> + option is (<literal>/var/db/postgresql</literal>) and then + explicitly set this value to maintain compatibility: + </para> + <programlisting language="bash"> +{ + services.postgresql.dataDir = "/var/db/postgresql"; +} +</programlisting> + <para> + The postgresql module now expects there to be a database super + user account called <literal>postgres</literal> regardless of + your + <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>. + Users with an existing postgresql install that have a + <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link> + of <literal>17.03</literal> or below should run the following + SQL statements as a database super admin user before + upgrading: + </para> + <programlisting language="SQL"> +CREATE ROLE postgres LOGIN SUPERUSER; +</programlisting> + </listitem> + <listitem> + <para> + The USBGuard module now removes options and instead hardcodes + values for <literal>IPCAccessControlFiles</literal>, + <literal>ruleFiles</literal>, and + <literal>auditFilePath</literal>. Audit logs can be found in + the journal. + </para> + </listitem> + <listitem> + <para> + The NixOS module system now evaluates option definitions more + strictly, allowing it to detect a larger set of problems. As a + result, what previously evaluated may not do so anymore. See + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/82743#issuecomment-674520472">the + PR that changed this</link> for more info. 
+ </para> + </listitem> + <listitem> + <para> + For NixOS configuration options, the type + <literal>loaOf</literal>, after its initial deprecation in + release 20.03, has been removed. In NixOS and Nixpkgs options + using this type have been converted to + <literal>attrsOf</literal>. For more information on this + change have look at these links: + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/1800">issue + #1800</link>, + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/63103">PR + #63103</link>. + </para> + </listitem> + <listitem> + <para> + <literal>config.systemd.services.${name}.path</literal> now + returns a list of paths instead of a colon-separated string. + </para> + </listitem> + <listitem> + <para> + Caddy module now uses Caddy v2 by default. Caddy v1 can still + be used by setting + <link xlink:href="options.html#opt-services.caddy.package">services.caddy.package</link> + to <literal>pkgs.caddy1</literal>. + </para> + <para> + New option + <link xlink:href="options.html#opt-services.caddy.adapter">services.caddy.adapter</link> + has been added. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.jellyfin.enable">jellyfin</link> + module will use and stay on the Jellyfin version + <literal>10.5.5</literal> if <literal>stateVersion</literal> + is lower than <literal>20.09</literal>. This is because + significant changes were made to the database schema, and it + is highly recommended to backup your instance before + upgrading. After making your backup, you can upgrade to the + latest version either by setting your + <literal>stateVersion</literal> to <literal>20.09</literal> or + higher, or set the + <literal>services.jellyfin.package</literal> to + <literal>pkgs.jellyfin</literal>. 
If you do not wish to + upgrade Jellyfin, but want to change your + <literal>stateVersion</literal>, you can set the value of + <literal>services.jellyfin.package</literal> to + <literal>pkgs.jellyfin_10_5</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>security.rngd</literal> service is now disabled + by default. This choice was made because there's krngd in the + linux kernel space making it (for most usecases) functionally + redundent. + </para> + </listitem> + <listitem> + <para> + The <literal>hardware.nvidia.optimus_prime.enable</literal> + service has been renamed to + <literal>hardware.nvidia.prime.sync.enable</literal> and has + many new enhancements. Related nvidia prime settings may have + also changed. + </para> + </listitem> + <listitem> + <para> + The package nextcloud17 has been removed and nextcloud18 was + marked as insecure since both of them will + <link xlink:href="https://docs.nextcloud.com/server/19/admin_manual/release_schedule.html"> + will be EOL (end of life) within the lifetime of 20.09</link>. + </para> + <para> + It's necessary to upgrade to nextcloud19: + </para> + <itemizedlist> + <listitem> + <para> + From nextcloud17, you have to upgrade to nextcloud18 first + as Nextcloud doesn't allow going multiple major revisions + forward in a single upgrade. This is possible by setting + <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link> + to nextcloud18. + </para> + </listitem> + <listitem> + <para> + From nextcloud18, it's possible to directly upgrade to + nextcloud19 by setting + <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link> + to nextcloud19. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The GNOME desktop manager no longer default installs + gnome3.epiphany. 
It was chosen to do this as it has a + usability breaking issue (see issue + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link>) + that makes it unsuitable to be a default app. + </para> + <note> + <para> + Issue + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link> + is now fixed and gnome3.epiphany is once again installed by + default. + </para> + </note> + </listitem> + <listitem> + <para> + If you want to manage the configuration of wpa_supplicant + outside of NixOS you must ensure that none of + <link xlink:href="options.html#opt-networking.wireless.networks">networking.wireless.networks</link>, + <link xlink:href="options.html#opt-networking.wireless.extraConfig">networking.wireless.extraConfig</link> + or + <link xlink:href="options.html#opt-networking.wireless.userControlled.enable">networking.wireless.userControlled.enable</link> + is being used or <literal>true</literal>. Using any of those + options will cause wpa_supplicant to be started with a NixOS + generated configuration file instead of your own. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-20.09-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + SD images are now compressed by default using + <literal>zstd</literal>. The compression for ISO images has + also been changed to <literal>zstd</literal>, but ISO images + are still not compressed by default. + </para> + </listitem> + <listitem> + <para> + <literal>services.journald.rateLimitBurst</literal> was + updated from <literal>1000</literal> to + <literal>10000</literal> to follow the new upstream systemd + default. + </para> + </listitem> + <listitem> + <para> + The notmuch package moves its emacs-related binaries and emacs + lisp files to a separate output. 
They're not part of the + default <literal>out</literal> output anymore - if you relied + on the <literal>notmuch-emacs-mua</literal> binary or the + emacs lisp files, access them via the + <literal>notmuch.emacs</literal> output. + </para> + </listitem> + <listitem> + <para> + Device tree overlay support was improved in + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/79370">#79370</link> + and now uses + <link xlink:href="options.html#opt-hardware.deviceTree.kernelPackage">hardware.deviceTree.kernelPackage</link> + instead of <literal>hardware.deviceTree.base</literal>. + <link xlink:href="options.html#opt-hardware.deviceTree.overlays">hardware.deviceTree.overlays</link> + configuration was extended to support <literal>.dts</literal> + files with symbols. Device trees can now be filtered by + setting + <link xlink:href="options.html#opt-hardware.deviceTree.filter">hardware.deviceTree.filter</link> + option. + </para> + </listitem> + <listitem> + <para> + The default output of <literal>buildGoPackage</literal> is now + <literal>$out</literal> instead of <literal>$bin</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>buildGoModule</literal> <literal>doCheck</literal> + now defaults to <literal>true</literal>. + </para> + </listitem> + <listitem> + <para> + Packages built using <literal>buildRustPackage</literal> now + use <literal>release</literal> mode for the + <literal>checkPhase</literal> by default. + </para> + <para> + Please note that Rust packages utilizing a custom + build/install procedure (e.g. by using a + <literal>Makefile</literal>) or test suites that rely on the + structure of the <literal>target/</literal> directory may + break due to those assumptions. For further information, + please read the Rust section in the Nixpkgs manual. 
+ </para> + </listitem> + <listitem> + <para> + The cc- and binutils-wrapper's "infix salt" and + <literal>_BUILD_</literal> and <literal>_TARGET_</literal> + user infixes have been replaced with with a "suffix + salt" and suffixes and <literal>_FOR_BUILD</literal> and + <literal>_FOR_TARGET</literal>. This matches the autotools + convention for env vars which standard for these things, + making interfacing with other tools easier. + </para> + </listitem> + <listitem> + <para> + Additional Git documentation (HTML and text files) is now + available via the <literal>git-doc</literal> package. + </para> + </listitem> + <listitem> + <para> + Default algorithm for ZRAM swap was changed to + <literal>zstd</literal>. + </para> + </listitem> + <listitem> + <para> + The installer now enables sshd by default. This improves + installation on headless machines especially ARM + single-board-computer. To login through ssh, either a password + or an ssh key must be set for the root user or the nixos user. + </para> + </listitem> + <listitem> + <para> + The scripted networking system now uses + <literal>.link</literal> files in + <literal>/etc/systemd/network</literal> to configure mac + address and link MTU, instead of the sometimes buggy + <literal>network-link-*</literal> units, which have been + removed. Bringing the interface up has been moved to the + beginning of the <literal>network-addresses-*</literal> unit. + Note this doesn't require <literal>systemd-networkd</literal> + - it's udev that parses <literal>.link</literal> files. Extra + care needs to be taken in the presence of + <link xlink:href="https://wiki.debian.org/NetworkInterfaceNames#THE_.22PERSISTENT_NAMES.22_SCHEME">legacy + udev rules</link> to rename interfaces, as MAC Address and MTU + defined in these options can only match on the original link + name. 
In such cases, you most likely want to create a + <literal>10-*.link</literal> file through + <link xlink:href="options.html#opt-systemd.network.links">systemd.network.links</link> + and set both name and MAC Address / MTU there. + </para> + </listitem> + <listitem> + <para> + Grafana received a major update to version 7.x. A plugin is + now needed for image rendering support, and plugins must now + be signed by default. More information can be found + <link xlink:href="https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0">in + the Grafana documentation</link>. + </para> + </listitem> + <listitem> + <para> + The <literal>hardware.u2f</literal> module, which was + installing udev rules was removed, as udev gained native + support to handle FIDO security tokens. + </para> + </listitem> + <listitem> + <para> + The <literal>services.transmission</literal> module was + enhanced with the new options: + <link xlink:href="options.html#opt-services.transmission.credentialsFile">services.transmission.credentialsFile</link>, + <link xlink:href="options.html#opt-services.transmission.openFirewall">services.transmission.openFirewall</link>, + and + <link xlink:href="options.html#opt-services.transmission.performanceNetParameters">services.transmission.performanceNetParameters</link>. + </para> + <para> + <literal>transmission-daemon</literal> is now started with + additional systemd sandbox/hardening options for better + security. Please + <link xlink:href="https://github.com/NixOS/nixpkgs/issues">report</link> + any use case where this is not working well. In particular, + the <literal>RootDirectory</literal> option newly set forbids + uploading or downloading a torrent outside of the default + directory configured at + <link xlink:href="options.html#opt-services.transmission.settings">settings.download-dir</link>. 
+ If you really need Transmission to access other directories, + you must include those directories into the + <literal>BindPaths</literal> of the service: + </para> + <programlisting language="bash"> +{ + systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ]; +} +</programlisting> + <para> + Also, connection to the RPC (Remote Procedure Call) of + <literal>transmission-daemon</literal> is now only available + on the local network interface by default. Use: + </para> + <programlisting language="bash"> +{ + services.transmission.settings.rpc-bind-address = "0.0.0.0"; +} +</programlisting> + <para> + to get the previous behavior of listening on all network + interfaces. + </para> + </listitem> + <listitem> + <para> + With this release <literal>systemd-networkd</literal> (when + enabled through + <link xlink:href="options.html#opt-networking.useNetworkd">networking.useNetworkd</link>) + has it's netlink socket created through a + <literal>systemd.socket</literal> unit. This gives us control + over socket buffer sizes and other parameters. For larger + setups where networkd has to create a lot of (virtual) devices + the default buffer size (currently 128MB) is not enough. + </para> + <para> + On a machine with >100 virtual interfaces (e.g., wireguard + tunnels, VLANs, …), that all have to be brought up during + system startup, the receive buffer size will spike for a brief + period. Eventually some of the message will be dropped since + there is not enough (permitted) buffer space available. + </para> + <para> + By having <literal>systemd-networkd</literal> start with a + netlink socket created by <literal>systemd</literal> we can + configure the <literal>ReceiveBufferSize=</literal> parameter + in the socket options (i.e. + <literal>systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize</literal>) + without recompiling <literal>systemd-networkd</literal>. 
+ </para> + <para> + Since the actual memory requirements depend on hardware, + timing, exact configurations etc. it isn't currently possible + to infer a good default from within the NixOS module system. + Administrators are advised to monitor the logs of + <literal>systemd-networkd</literal> for + <literal>rtnl: kernel receive buffer overrun</literal> spam + and increase the memory limit as they see fit. + </para> + <para> + Note: Increasing the <literal>ReceiveBufferSize=</literal> + doesn't allocate any memory. It just increases the upper bound + on the kernel side. The memory allocation depends on the + amount of messages that are queued on the kernel side of the + netlink socket. + </para> + </listitem> + <listitem> + <para> + Specifying + <link xlink:href="options.html#opt-services.dovecot2.mailboxes">mailboxes</link> + in the dovecot2 module as a list is deprecated and will break + eval in 21.05. Instead, an attribute-set should be specified + where the <literal>name</literal> should be the key of the + attribute. + </para> + <para> + This means that a configuration like this + </para> + <programlisting language="bash"> +{ + services.dovecot2.mailboxes = [ + { name = "Junk"; + auto = "create"; + } + ]; +} +</programlisting> + <para> + should now look like this: + </para> + <programlisting language="bash"> +{ + services.dovecot2.mailboxes = { + Junk.auto = "create"; + }; +} +</programlisting> + </listitem> + <listitem> + <para> + netbeans was upgraded to 12.0 and now defaults to OpenJDK 11. + This might cause problems if your projects depend on packages + that were removed in Java 11. + </para> + </listitem> + <listitem> + <para> + nextcloud has been updated to + <link xlink:href="https://nextcloud.com/blog/nextcloud-hub-brings-productivity-to-home-office/">v19</link>. 
+ </para> + <para> + If you have an existing installation, please make sure that + you're on nextcloud18 before upgrading to nextcloud19 since + Nextcloud doesn't support upgrades across multiple major + versions. + </para> + </listitem> + <listitem> + <para> + The <literal>nixos-run-vms</literal> script now deletes the + previous run machines states on test startup. You can use the + <literal>--keep-vm-state</literal> flag to match the previous + behaviour and keep the same VM state between different test + runs. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-nix.buildMachines">nix.buildMachines</link> + option is now type-checked. There are no functional changes, + however this may require updating some configurations to use + correct types for all attributes. + </para> + </listitem> + <listitem> + <para> + The <literal>fontconfig</literal> module stopped generating + config and cache files for fontconfig 2.10.x, the + <literal>/etc/fonts/fonts.conf</literal> now belongs to the + latest fontconfig, just like on other Linux distributions, and + we will + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/95358">no + longer</link> be versioning the config directories. + </para> + <para> + Fontconfig 2.10.x was removed from Nixpkgs since it hasn’t + been used in any Nixpkgs package for years now. + </para> + </listitem> + <listitem> + <para> + Nginx module + <literal>nginxModules.fastcgi-cache-purge</literal> renamed to + official name <literal>nginxModules.cache-purge</literal>. + Nginx module <literal>nginxModules.ngx_aws_auth</literal> + renamed to official name + <literal>nginxModules.aws-auth</literal>. + </para> + </listitem> + <listitem> + <para> + The option <literal>defaultPackages</literal> was added. It + installs the packages perl, rsync and strace for now. They + were added unconditionally to + <literal>systemPackages</literal> before, but are not strictly + necessary for a minimal NixOS install. 
You can set it to an + empty list to have a more minimal system. Be aware that some + functionality might still have an impure dependency on those + packages, so things might break. + </para> + </listitem> + <listitem> + <para> + The <literal>undervolt</literal> option no longer needs to + apply its settings every 30s. If they still become undone, + open an issue and restore the previous behaviour using + <literal>undervolt.useTimer</literal>. + </para> + </listitem> + <listitem> + <para> + Agda has been heavily reworked. + </para> + <itemizedlist> + <listitem> + <para> + <literal>agda.mkDerivation</literal> has been heavily + changed and is now located at agdaPackages.mkDerivation. + </para> + </listitem> + <listitem> + <para> + New top-level packages agda and + <literal>agda.withPackages</literal> have been added, the + second of which sets up agda with access to chosen + libraries. + </para> + </listitem> + <listitem> + <para> + All agda libraries now live under + <literal>agdaPackages</literal>. + </para> + </listitem> + <listitem> + <para> + Many broken libraries have been removed. + </para> + </listitem> + </itemizedlist> + <para> + See the + <link xlink:href="https://nixos.org/nixpkgs/manual/#agda">new + documentation</link> for more information. + </para> + </listitem> + <listitem> + <para> + The <literal>deepin</literal> package set has been removed + from nixpkgs. It was a work in progress to package the + <link xlink:href="https://www.deepin.org/en/dde/">Deepin + Desktop Environment (DDE)</link>, including libraries, tools + and applications, and it was still missing a service to launch + the desktop environment. It has shown to no longer be a + feasible goal due to reasons discussed in + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/94870">issue + #94870</link>. The package + <literal>netease-cloud-music</literal> has also been removed, + as it depends on libraries from deepin. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>opendkim</literal> module now uses systemd + sandboxing features to limit the exposure of the system + towards the opendkim service. + </para> + </listitem> + <listitem> + <para> + Kubernetes has been upgraded to 1.19.1, which also means that + the golang version to build it has been bumped to 1.15. This + may have consequences for your existing clusters and their + certificates. Please consider + <link xlink:href="https://relnotes.k8s.io/?markdown=93264"> + the release notes for Kubernetes 1.19 carefully </link> before + upgrading. + </para> + </listitem> + <listitem> + <para> + For AMD GPUs, Vulkan can now be used by adding + <literal>amdvlk</literal> to + <literal>hardware.opengl.extraPackages</literal>. + </para> + </listitem> + <listitem> + <para> + Similarly, still for AMD GPUs, the ROCm OpenCL stack can now + be used by adding <literal>rocm-opencl-icd</literal> to + <literal>hardware.opengl.extraPackages</literal>. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-20.09-contributions"> + <title>Contributions</title> + <para> + I, Jonathan Ringer, would like to thank the following individuals + for their work on nixpkgs. This release could not be done without + the hard work of the NixOS community. There were 31282 + contributions across 1313 contributors. 
+ </para> + <orderedlist numeration="arabic"> + <listitem> + <para> + 2288 Mario Rodas + </para> + </listitem> + <listitem> + <para> + 1837 Frederik Rietdijk + </para> + </listitem> + <listitem> + <para> + 946 Jörg Thalheim + </para> + </listitem> + <listitem> + <para> + 925 Maximilian Bosch + </para> + </listitem> + <listitem> + <para> + 687 Jonathan Ringer + </para> + </listitem> + <listitem> + <para> + 651 Jan Tojnar + </para> + </listitem> + <listitem> + <para> + 622 Daniël de Kok + </para> + </listitem> + <listitem> + <para> + 605 WORLDofPEACE + </para> + </listitem> + <listitem> + <para> + 597 Florian Klink + </para> + </listitem> + <listitem> + <para> + 528 José Romildo Malaquias + </para> + </listitem> + <listitem> + <para> + 281 volth + </para> + </listitem> + <listitem> + <para> + 101 Robert Scott + </para> + </listitem> + <listitem> + <para> + 86 Tim Steinbach + </para> + </listitem> + <listitem> + <para> + 76 WORLDofPEACE + </para> + </listitem> + <listitem> + <para> + 49 Maximilian Bosch + </para> + </listitem> + <listitem> + <para> + 42 Thomas Tuegel + </para> + </listitem> + <listitem> + <para> + 37 Doron Behar + </para> + </listitem> + <listitem> + <para> + 36 Vladimír Čunát + </para> + </listitem> + <listitem> + <para> + 27 Jonathan Ringer + </para> + </listitem> + <listitem> + <para> + 27 Maciej Krüger + </para> + </listitem> + </orderedlist> + <para> + I, Jonathan Ringer, would also like to personally thank + @WORLDofPEACE for their help in mentoring me on the release + process. Special thanks also goes to Thomas Tuegel for helping + immensely with stabilizing Qt, KDE, and Plasma5; I would also like + to thank Robert Scott for his numerous fixes and pull request + reviews. + </para> + </section> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml new file mode 100644 index 00000000000..fb11b19229e --- /dev/null 
+++ b/nixos/doc/manual/from_md/release-notes/rl-2105.section.xml 
@@ -0,0 +1,1567 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-21.05"> + <title>Release 21.05 (<quote>Okapi</quote>, 2021.05/31)</title> + <para> + Support is planned until the end of December 2021, handing over to + 21.11. + </para> + <section xml:id="sec-release-21.05-highlights"> + <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + Core version changes: + </para> + <itemizedlist> + <listitem> + <para> + gcc: 9.3.0 -> 10.3.0 + </para> + </listitem> + <listitem> + <para> + glibc: 2.30 -> 2.32 + </para> + </listitem> + <listitem> + <para> + default linux: 5.4 -> 5.10, all supported kernels + available + </para> + </listitem> + <listitem> + <para> + mesa: 20.1.7 -> 21.0.1 + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Desktop Environments: + </para> + <itemizedlist> + <listitem> + <para> + GNOME: 3.36 -> 40, see its + <link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">release + notes</link> + </para> + </listitem> + <listitem> + <para> + Plasma5: 5.18.5 -> 5.21.3 + </para> + </listitem> + <listitem> + <para> + kdeApplications: 20.08.1 -> 20.12.3 + </para> + </listitem> + <listitem> + <para> + cinnamon: 4.6 -> 4.8.1 + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Programming Languages and Frameworks: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Python optimizations were disabled again. Builds with + optimizations enabled are not reproducible. Optimizations + can now be enabled with an option. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The linux_latest kernel was updated to the 5.13 series. It + currently is not officially supported for use with the zfs + filesystem. 
If you use zfs, you should use a different kernel + version (either the LTS kernel, or track a specific one). + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-21.05-new-services"> + <title>New Services</title> + <para> + The following new services were added since the last release: + </para> + <itemizedlist> + <listitem> + <para> + <link xlink:href="https://www.gnuradio.org/">GNURadio</link> + 3.8 and 3.9 were + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/82263">finally</link> + packaged, along with a rewrite to the Nix expressions, + allowing users to override the features upstream supports + selecting to compile or not to. Additionally, the attribute + <literal>gnuradio</literal> (3.9), + <literal>gnuradio3_8</literal> and + <literal>gnuradio3_7</literal> now point to an externally + wrapped by default derivations, that allow you to also add + `extraPythonPackages` to the Python interpreter used by + GNURadio. Missing environmental variables needed for + operational GUI were also added + (<link xlink:href="https://github.com/NixOS/nixpkgs/issues/75478">#75478</link>). + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.keycloak.org/">Keycloak</link>, + an open source identity and access management server with + support for + <link xlink:href="https://openid.net/connect/">OpenID + Connect</link>, <link xlink:href="https://oauth.net/2/">OAUTH + 2.0</link> and + <link xlink:href="https://en.wikipedia.org/wiki/SAML_2.0">SAML + 2.0</link>. + </para> + <para> + See the <link linkend="module-services-keycloak">Keycloak + section of the NixOS manual</link> for more information. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.samba-wsdd.enable">services.samba-wsdd.enable</link> + Web Services Dynamic Discovery host daemon + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.discourse.org/">Discourse</link>, + a modern and open source discussion platform. + </para> + <para> + See the <link linkend="module-services-discourse">Discourse + section of the NixOS manual</link> for more information. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.nebula.networks">services.nebula.networks</link> + <link xlink:href="https://github.com/slackhq/nebula">Nebula + VPN</link> + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-21.05-incompatibilities"> + <title>Backward Incompatibilities</title> + <para> + When upgrading from a previous release, please be aware of the + following incompatible changes: + </para> + <itemizedlist> + <listitem> + <para> + GNOME desktop environment was upgraded to 40, see the release + notes for + <link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">40.0</link> + and + <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">3.38</link>. + The <literal>gnome3</literal> attribute set has been renamed + to <literal>gnome</literal> and so have been the NixOS + options. + </para> + </listitem> + <listitem> + <para> + If you are using <literal>services.udev.extraRules</literal> + to assign custom names to network interfaces, this may stop + working due to a change in the initialisation of dhcpcd and + systemd networkd. To avoid this, either move them to + <literal>services.udev.initrdRules</literal> or see the new + <link linkend="sec-custom-ifnames">Assigning custom + names</link> section of the NixOS manual for an example using + networkd links. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>security.hideProcessInformation</literal> module + has been removed. It was broken since the switch to + cgroups-v2. + </para> + </listitem> + <listitem> + <para> + The <literal>linuxPackages.ati_drivers_x11</literal> kernel + modules have been removed. The drivers only supported kernels + prior to 4.2, and thus have become obsolete. + </para> + </listitem> + <listitem> + <para> + The <literal>systemConfig</literal> kernel parameter is no + longer added to boot loader entries. It has been unused since + September 2010, but if do have a system generation from that + era, you will now be unable to boot into them. + </para> + </listitem> + <listitem> + <para> + <literal>systemd-journal2gelf</literal> no longer parses json + and expects the receiving system to handle it. How to achieve + this with Graylog is described in this + <link xlink:href="https://github.com/parse-nl/SystemdJournal2Gelf/issues/10">GitHub + issue</link>. + </para> + </listitem> + <listitem> + <para> + If the <literal>services.dbus</literal> module is enabled, + then the user D-Bus session is now always socket activated. + The associated options + <literal>services.dbus.socketActivated</literal> and + <literal>services.xserver.startDbusSession</literal> have + therefore been removed and you will receive a warning if they + are present in your configuration. This change makes the user + D-Bus session available also for non-graphical logins. + </para> + </listitem> + <listitem> + <para> + The <literal>networking.wireless.iwd</literal> module now + installs the upstream-provided 80-iwd.link file, which sets + the NamePolicy= for all wlan devices to "keep + kernel", to avoid race conditions between iwd and + networkd. If you don't want this, you can set + <literal>systemd.network.links."80-iwd" = lib.mkForce {}</literal>. 
+ </para> + </listitem> + <listitem> + <para> + <literal>rubyMinimal</literal> was removed due to being unused + and unusable. The default ruby interpreter includes JIT + support, which makes it reference it's compiler. Since JIT + support is probably needed by some Gems, it was decided to + enable this feature with all cc references by default, and + allow to build a Ruby derivation without references to cc, by + setting <literal>jitSupport = false;</literal> in an overlay. + See + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/90151">#90151</link> + for more info. + </para> + </listitem> + <listitem> + <para> + Setting + <literal>services.openssh.authorizedKeysFiles</literal> now + also affects which keys + <literal>security.pam.enableSSHAgentAuth</literal> will use. + WARNING: If you are using these options in combination do make + sure that any key paths you use are present in + <literal>services.openssh.authorizedKeysFiles</literal>! + </para> + </listitem> + <listitem> + <para> + The option <literal>fonts.enableFontDir</literal> has been + renamed to + <link xlink:href="options.html#opt-fonts.fontDir.enable">fonts.fontDir.enable</link>. + The path of font directory has also been changed to + <literal>/run/current-system/sw/share/X11/fonts</literal>, for + consistency with other X11 resources. + </para> + </listitem> + <listitem> + <para> + A number of options have been renamed in the kicad interface. + <literal>oceSupport</literal> has been renamed to + <literal>withOCE</literal>, <literal>withOCCT</literal> has + been renamed to <literal>withOCC</literal>, + <literal>ngspiceSupport</literal> has been renamed to + <literal>withNgspice</literal>, and + <literal>scriptingSupport</literal> has been renamed to + <literal>withScripting</literal>. Additionally, + <literal>kicad/base.nix</literal> no longer provides default + argument values since these are provided by + <literal>kicad/default.nix</literal>. 
+ </para> + </listitem> + <listitem> + <para> + The socket for the <literal>pdns-recursor</literal> module was + moved from <literal>/var/lib/pdns-recursor</literal> to + <literal>/run/pdns-recursor</literal> to match upstream. + </para> + </listitem> + <listitem> + <para> + Paperwork was updated to version 2. The on-disk format + slightly changed, and it is not possible to downgrade from + Paperwork 2 back to Paperwork 1.3. Back your documents up + before upgrading. See + <link xlink:href="https://forum.openpaper.work/t/paperwork-2-0/112/5">this + thread</link> for more details. + </para> + </listitem> + <listitem> + <para> + PowerDNS has been updated from <literal>4.2.x</literal> to + <literal>4.3.x</literal>. Please be sure to review the + <link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#x-to-4-3-0">Upgrade + Notes</link> provided by upstream before upgrading. Worth + specifically noting is that the service now runs entirely as a + dedicated <literal>pdns</literal> user, instead of starting as + <literal>root</literal> and dropping privileges, as well as + the default <literal>socket-dir</literal> location changing + from <literal>/var/lib/powerdns</literal> to + <literal>/run/pdns</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>mediatomb</literal> service is now using by + default the new and maintained fork <literal>gerbera</literal> + package instead of the unmaintained + <literal>mediatomb</literal> package. If you want to keep the + old behavior, you must declare it with: + </para> + <programlisting language="bash"> +{ + services.mediatomb.package = pkgs.mediatomb; +} +</programlisting> + <para> + One new option <literal>openFirewall</literal> has been + introduced which defaults to false. 
If you relied on the + service declaration to add the firewall rules itself before, + you should now declare it with: + </para> + <programlisting language="bash"> +{ + services.mediatomb.openFirewall = true; +} +</programlisting> + </listitem> + <listitem> + <para> + xfsprogs was update from 4.19 to 5.11. It now enables reflink + support by default on filesystem creation. Support for + reflinks was added with an experimental status to kernel 4.9 + and deemed stable in kernel 4.16. If you want to be able to + mount XFS filesystems created with this release of xfsprogs on + kernel releases older than those, you need to format them with + <literal>mkfs.xfs -m reflink=0</literal>. + </para> + </listitem> + <listitem> + <para> + The uWSGI server is now built with POSIX capabilities. As a + consequence, root is no longer required in emperor mode and + the service defaults to running as the unprivileged + <literal>uwsgi</literal> user. Any additional capability can + be added via the new option + <link xlink:href="options.html#opt-services.uwsgi.capabilities">services.uwsgi.capabilities</link>. + The previous behaviour can be restored by setting: + </para> + <programlisting language="bash"> +{ + services.uwsgi.user = "root"; + services.uwsgi.group = "root"; + services.uwsgi.instance = + { + uid = "uwsgi"; + gid = "uwsgi"; + }; +} +</programlisting> + <para> + Another incompatibility from the previous release is that + vassals running under a different user or group need to use + <literal>immediate-{uid,gid}</literal> instead of the usual + <literal>uid,gid</literal> options. + </para> + </listitem> + <listitem> + <para> + btc1 has been abandoned upstream, and removed. + </para> + </listitem> + <listitem> + <para> + cpp_ethereum (aleth) has been abandoned upstream, and removed. + </para> + </listitem> + <listitem> + <para> + riak-cs package removed along with + <literal>services.riak-cs</literal> module. 
+ </para> + </listitem> + <listitem> + <para> + stanchion package removed along with + <literal>services.stanchion</literal> module. + </para> + </listitem> + <listitem> + <para> + mutt has been updated to a new major version (2.x), which + comes with some backward incompatible changes that are + described in the + <link xlink:href="http://www.mutt.org/relnotes/2.0/">release + notes for Mutt 2.0</link>. + </para> + </listitem> + <listitem> + <para> + <literal>vim</literal> and <literal>neovim</literal> switched + to Python 3, dropping all Python 2 support. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-networking.wireguard.interfaces">networking.wireguard.interfaces.<name>.generatePrivateKeyFile</link>, + which is off by default, had a <literal>chmod</literal> race + condition fixed. As an aside, the parent directory's + permissions were widened, and the key files were made + owner-writable. This only affects newly created keys. However, + if the exact permissions are important for your setup, read + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/121294">#121294</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-boot.zfs.forceImportAll">boot.zfs.forceImportAll</link> + previously did nothing, but has been fixed. However its + default has been changed to <literal>false</literal> to + preserve the existing default behaviour. If you have this + explicitly set to <literal>true</literal>, please note that + your non-root pools will now be forcibly imported. + </para> + </listitem> + <listitem> + <para> + openafs now points to openafs_1_8, which is the new stable + release. OpenAFS 1.6 was removed. 
+ </para> + </listitem> + <listitem> + <para> + The WireGuard module gained a new option + <literal>networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshSeconds</literal> + that implements refreshing the IP of DNS-based endpoints + periodically (which WireGuard itself + <link xlink:href="https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html">cannot + do</link>). + </para> + </listitem> + <listitem> + <para> + MariaDB has been updated to 10.5. Before you upgrade, it would + be best to take a backup of your database and read + <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/#incompatible-changes-between-104-and-105"> + Incompatible Changes Between 10.4 and 10.5</link>. After the + upgrade you will need to run <literal>mysql_upgrade</literal>. + </para> + </listitem> + <listitem> + <para> + The TokuDB storage engine dropped in mariadb 10.5 and removed + in mariadb 10.6. It is recommended to switch to RocksDB. See + also + <link xlink:href="https://mariadb.com/kb/en/tokudb/">TokuDB</link> + and + <link xlink:href="https://jira.mariadb.org/browse/MDEV-19780">MDEV-19780: + Remove the TokuDB storage engine</link>. + </para> + </listitem> + <listitem> + <para> + The <literal>openldap</literal> module now has support for + OLC-style configuration, users of the + <literal>configDir</literal> option may wish to migrate. If + you continue to use <literal>configDir</literal>, ensure that + <literal>olcPidFile</literal> is set to + <literal>/run/slapd/slapd.pid</literal>. + </para> + <para> + As a result, <literal>extraConfig</literal> and + <literal>extraDatabaseConfig</literal> are removed. To help + with migration, you can convert your + <literal>slapd.conf</literal> file to OLC configuration with + the following script (find the location of this configuration + file by running <literal>systemctl status openldap</literal>, + it is the <literal>-f</literal> option. 
+ </para> + <programlisting> +$ TMPDIR=$(mktemp -d) +$ slaptest -f /path/to/slapd.conf -F $TMPDIR +$ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))' +</programlisting> + <para> + This will dump your current configuration in LDIF format, + which should be straightforward to convert into Nix settings. + This does not show your schema configuration, as this is + unnecessarily verbose for users of the default schemas and + <literal>slaptest</literal> is buggy with schemas directly in + the config file. + </para> + </listitem> + <listitem> + <para> + Amazon EC2 and OpenStack Compute (nova) images now re-fetch + instance meta data and user data from the instance metadata + service (IMDS) on each boot. For example: stopping an EC2 + instance, changing its user data, and restarting the instance + will now cause it to fetch and apply the new user data. + </para> + <warning> + <para> + Specifically, <literal>/etc/ec2-metadata</literal> is + re-populated on each boot. Some NixOS scripts that read from + this directory are guarded to only run if the files they + want to manipulate do not already exist, and so will not + re-apply their changes if the IMDS response changes. + Examples: <literal>root</literal>'s SSH key is only added if + <literal>/root/.ssh/authorized_keys</literal> does not + exist, and SSH host keys are only set from user data if they + do not exist in <literal>/etc/ssh</literal>. + </para> + </warning> + </listitem> + <listitem> + <para> + The <literal>rspamd</literal> services is now sandboxed. It is + run as a dynamic user instead of root, so secrets and other + files may have to be moved or their permissions may have to be + fixed. The sockets are now located in + <literal>/run/rspamd</literal> instead of + <literal>/run</literal>. 
+ </para> + </listitem> + <listitem> + <para> + Enabling the Tor client no longer silently also enables and + configures Privoxy, and the + <literal>services.tor.client.privoxy.enable</literal> option + has been removed. To enable Privoxy, and to configure it to + use Tor's faster port, use the following configuration: + </para> + <programlisting language="bash"> +{ + opt-services.privoxy.enable = true; + opt-services.privoxy.enableTor = true; +} +</programlisting> + </listitem> + <listitem> + <para> + The <literal>services.tor</literal> module has a new + exhaustively typed + <link xlink:href="options.html#opt-services.tor.settings">services.tor.settings</link> + option following RFC 0042; backward compatibility with old + options has been preserved when aliasing was possible. The + corresponding systemd service has been hardened, but there is + a chance that the service still requires more permissions, so + please report any related trouble on the bugtracker. Onion + services v3 are now supported in + <link xlink:href="options.html#opt-services.tor.relay.onionServices">services.tor.relay.onionServices</link>. + A new + <link xlink:href="options.html#opt-services.tor.openFirewall">services.tor.openFirewall</link> + option as been introduced for allowing connections on all the + TCP ports configured. + </para> + </listitem> + <listitem> + <para> + The options + <literal>services.slurm.dbdserver.storagePass</literal> and + <literal>services.slurm.dbdserver.configFile</literal> have + been removed. Use + <literal>services.slurm.dbdserver.storagePassFile</literal> + instead to provide the database password. Extra config options + can be given via the option + <literal>services.slurm.dbdserver.extraConfig</literal>. The + actual configuration file is created on the fly on startup of + the service. This avoids that the password gets exposed in the + nix store. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>wafHook</literal> hook does not wrap Python + anymore. Packages depending on <literal>wafHook</literal> need + to include any Python into their + <literal>nativeBuildInputs</literal>. + </para> + </listitem> + <listitem> + <para> + Starting with version 1.7.0, the project formerly named + <literal>CodiMD</literal> is now named + <literal>HedgeDoc</literal>. New installations will no longer + use the old name for users, state directories and such, this + needs to be considered when moving state to a more recent + NixOS installation. Based on + <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>, + existing installations will continue to work. + </para> + </listitem> + <listitem> + <para> + The fish-foreign-env package has been replaced with + fishPlugins.foreign-env, in which the fish functions have been + relocated to the <literal>vendor_functions.d</literal> + directory to be loaded automatically. + </para> + </listitem> + <listitem> + <para> + The prometheus json exporter is now managed by the prometheus + community. Together with additional features some backwards + incompatibilities were introduced. Most importantly the + exporter no longer accepts a fixed command-line parameter to + specify the URL of the endpoint serving JSON. It now expects + this URL to be passed as an URL parameter, when scraping the + exporter's <literal>/probe</literal> endpoint. In the + prometheus scrape configuration the scrape target might look + like this: + </para> + <programlisting> +http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint +</programlisting> + <para> + Existing configuration for the exporter needs to be updated, + but can partially be re-used. Documentation is available in + the upstream repository and a small example for NixOS is + available in the corresponding NixOS test. 
+ </para> + <para> + These changes also affect + <link xlink:href="options.html#opt-services.prometheus.exporters.rspamd.enable">services.prometheus.exporters.rspamd.enable</link>, + which is just a preconfigured instance of the json exporter. + </para> + <para> + For more information, take a look at the + <link xlink:href="https://github.com/prometheus-community/json_exporter"> + official documentation</link> of the json_exporter. + </para> + </listitem> + <listitem> + <para> + Androidenv was updated, removing the + <literal>includeDocs</literal> and + <literal>lldbVersions</literal> arguments. Docs only covered a + single version of the Android SDK, LLDB is now bundled with + the NDK, and both are no longer available to download from the + Android package repositories. Additionally, since the package + lists have been updated, some older versions of Android + packages may not be bundled. If you depend on older versions + of Android packages, we recommend overriding the repo. + </para> + <para> + Android packages are now loaded from a repo.json file created + by parsing Android repo XML files. The arguments + <literal>repoJson</literal> and <literal>repoXmls</literal> + have been added to allow overriding the built-in androidenv + repo.json with your own. Additionally, license files are now + written to allow compatibility with Gradle-based tools, and + the <literal>extraLicenses</literal> argument has been added + to accept more SDK licenses if your project requires it. See + the androidenv documentation for more details. + </para> + </listitem> + <listitem> + <para> + The attribute <literal>mpi</literal> is now consistently used + to provide a default, system-wide MPI implementation. The + default implementation is openmpi, which has been used before + by all derivations affects by this change. Note that all + packages that have used <literal>mpi ? 
null</literal> in the + input for optional MPI builds, have been changed to the + boolean input paramater <literal>useMpi</literal> to enable + building with MPI. Building all packages with + <literal>mpich</literal> instead of the default + <literal>openmpi</literal> can now be achived like this: + </para> + <programlisting language="bash"> +self: super: +{ + mpi = super.mpich; +} +</programlisting> + </listitem> + <listitem> + <para> + The Searx module has been updated with the ability to + configure the service declaratively and uWSGI integration. The + option <literal>services.searx.configFile</literal> has been + renamed to + <link xlink:href="options.html#opt-services.searx.settingsFile">services.searx.settingsFile</link> + for consistency with the new + <link xlink:href="options.html#opt-services.searx.settings">services.searx.settings</link>. + In addition, the <literal>searx</literal> uid and gid + reservations have been removed since they were not necessary: + the service is now running with a dynamically allocated uid. + </para> + </listitem> + <listitem> + <para> + The libinput module has been updated with the ability to + configure mouse and touchpad settings separately. The options + in <literal>services.xserver.libinput</literal> have been + renamed to + <literal>services.xserver.libinput.touchpad</literal>, while + there is a new + <literal>services.xserver.libinput.mouse</literal> for mouse + related configuration. + </para> + <para> + Since touchpad options no longer apply to all devices, you may + want to replicate your touchpad configuration in mouse + section. + </para> + </listitem> + <listitem> + <para> + ALSA OSS emulation + (<literal>sound.enableOSSEmulation</literal>) is now disabled + by default. + </para> + </listitem> + <listitem> + <para> + Thinkfan as been updated to <literal>1.2.x</literal>, which + comes with a new YAML based configuration format. 
For this + reason, several NixOS options of the thinkfan module have been + changed to non-backward compatible types. In addition, a new + <link xlink:href="options.html#opt-services.thinkfan.settings">services.thinkfan.settings</link> + option has been added. + </para> + <para> + Please read the + <link xlink:href="https://github.com/vmatare/thinkfan#readme"> + thinkfan documentation</link> before updating. + </para> + </listitem> + <listitem> + <para> + Adobe Flash Player support has been dropped from the tree. In + particular, the following packages no longer support it: + </para> + <itemizedlist> + <listitem> + <para> + chromium + </para> + </listitem> + <listitem> + <para> + firefox + </para> + </listitem> + <listitem> + <para> + qt48 + </para> + </listitem> + <listitem> + <para> + qt5.qtwebkit + </para> + </listitem> + </itemizedlist> + <para> + Additionally, packages flashplayer and hal-flash were removed + along with the <literal>services.flashpolicyd</literal> + module. + </para> + </listitem> + <listitem> + <para> + The <literal>security.rngd</literal> module has been removed. + It was disabled by default in 20.09 as it was functionally + redundant with krngd in the linux kernel. It is not necessary + for any device that the kernel recognises as an hardware RNG, + as it will automatically run the krngd task to periodically + collect random data from the device and mix it into the + kernel's RNG. + </para> + <para> + The default SMTP port for GitLab has been changed to + <literal>25</literal> from its previous default of + <literal>465</literal>. If you depended on this default, you + should now set the + <link xlink:href="options.html#opt-services.gitlab.smtp.port">services.gitlab.smtp.port</link> + option. + </para> + </listitem> + <listitem> + <para> + The default version of ImageMagick has been updated from 6 to + 7. You can use imagemagick6, imagemagick6_light, and + imagemagick6Big if you need the older version. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-services.xserver.videoDrivers">services.xserver.videoDrivers</link> + no longer uses the deprecated <literal>cirrus</literal> and + <literal>vesa</literal> device dependent X drivers by default. + It also enables both <literal>amdgpu</literal> and + <literal>nouveau</literal> drivers by default now. + </para> + </listitem> + <listitem> + <para> + The <literal>kindlegen</literal> package is gone, because it + is no longer supported or hosted by Amazon. Sadly, its + replacement, Kindle Previewer, has no Linux support. However, + there are other ways to generate MOBI files. See + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/96439">the + discussion</link> for more info. + </para> + </listitem> + <listitem> + <para> + The apacheKafka packages are now built with version-matched + JREs. Versions 2.6 and above, the ones that recommend it, use + jdk11, while versions below remain on jdk8. The NixOS service + has been adjusted to start the service using the same version + as the package, adjustable with the new + <link xlink:href="options.html#opt-services.apache-kafka.jre">services.apache-kafka.jre</link> + option. Furthermore, the default list of + <link xlink:href="options.html#opt-services.apache-kafka.jvmOptions">services.apache-kafka.jvmOptions</link> + have been removed. You should set your own according to the + <link xlink:href="https://kafka.apache.org/documentation/#java">upstream + documentation</link> for your Kafka version. + </para> + </listitem> + <listitem> + <para> + The kodi package has been modified to allow concise addon + management. 
Consider the following configuration from previous + releases of NixOS to install kodi, including the + kodiPackages.inputstream-adaptive and kodiPackages.vfs-sftp + addons: + </para> + <programlisting language="bash"> +{ + environment.systemPackages = [ + pkgs.kodi + ]; + + nixpkgs.config.kodi = { + enableInputStreamAdaptive = true; + enableVFSSFTP = true; + }; +} +</programlisting> + <para> + All Kodi <literal>config</literal> flags have been removed, + and as a result the above configuration should now be written + as: + </para> + <programlisting language="bash"> +{ + environment.systemPackages = [ + (pkgs.kodi.withPackages (p: with p; [ + inputstream-adaptive + vfs-sftp + ])) + ]; +} +</programlisting> + </listitem> + <listitem> + <para> + <literal>environment.defaultPackages</literal> now includes + the nano package. If pkgs.nano is not added to the list, make + sure another editor is installed and the + <literal>EDITOR</literal> environment variable is set to it. + Environment variables can be set using + <literal>environment.variables</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>services.minio.dataDir</literal> changed type to a + list of paths, required for specifiyng multiple data + directories for using with erasure coding. Currently, the + service doesn't enforce nor checks the correct number of paths + to correspond to minio requirements. + </para> + </listitem> + <listitem> + <para> + All CUDA toolkit versions prior to CUDA 10 have been removed. + </para> + </listitem> + <listitem> + <para> + The kbdKeymaps package was removed since dvp and neo are now + included in kbd. If you want to use the Programmer Dvorak + Keyboard Layout, you have to use + <literal>dvorak-programmer</literal> in + <literal>console.keyMap</literal> now instead of + <literal>dvp</literal>. In + <literal>services.xserver.xkbVariant</literal> it's still + <literal>dvp</literal>. 
+ </para> + </listitem> + <listitem> + <para> + The babeld service is now being run as an unprivileged user. + To achieve that the module configures + <literal>skip-kernel-setup true</literal> and takes care of + setting forwarding and rp_filter sysctls by itself as well as + for each interface in + <literal>services.babeld.interfaces</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>services.zigbee2mqtt.config</literal> option has + been renamed to + <literal>services.zigbee2mqtt.settings</literal> and now + follows + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC + 0042</link>. + </para> + </listitem> + </itemizedlist> + <para> + The yadm dotfile manager has been updated from 2.x to 3.x, which + has new (XDG) default locations for some data/state files. Most + yadm commands will fail and print a legacy path warning (which + describes how to upgrade/migrate your repository). If you have + scripts, daemons, scheduled jobs, shell profiles, etc. that invoke + yadm, expect them to fail or misbehave until you perform this + migration and prepare accordingly. + </para> + <itemizedlist> + <listitem> + <para> + Instead of determining + <literal>services.radicale.package</literal> automatically + based on <literal>system.stateVersion</literal>, the latest + version is always used because old versions are not officially + supported. + </para> + <para> + Furthermore, Radicale's systemd unit was hardened which might + break some deployments. In particular, a non-default + <literal>filesystem_folder</literal> has to be added to + <literal>systemd.services.radicale.serviceConfig.ReadWritePaths</literal> + if the deprecated <literal>services.radicale.config</literal> + is used. + </para> + </listitem> + <listitem> + <para> + In the <literal>security.acme</literal> module, use of + <literal>--reuse-key</literal> parameter for Lego has been + removed. 
It was introduced for HKPK, but this security feature + is now deprecated. It is a better security practice to rotate + key pairs instead of always keeping the same. If you need to + keep this parameter, you can add it back using + <literal>extraLegoRenewFlags</literal> as an option for the + appropriate certificate. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-21.05-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + <literal>stdenv.lib</literal> has been deprecated and will + break eval in 21.11. Please use <literal>pkgs.lib</literal> + instead. See + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/108938">#108938</link> + for details. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.gnuradio.org/">GNURadio</link> + has a <literal>pkgs</literal> attribute set, and there's a + <literal>gnuradio.callPackage</literal> function that extends + <literal>pkgs</literal> with a + <literal>mkDerivation</literal>, and a + <literal>mkDerivationWith</literal>, like Qt5. Now all + <literal>gnuradio.pkgs</literal> are defined with + <literal>gnuradio.callPackage</literal> and some packages that + depend on gnuradio are defined with this as well. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.privoxy.org/">Privoxy</link> has + been updated to version 3.0.32 (See + <link xlink:href="https://lists.privoxy.org/pipermail/privoxy-announce/2021-February/000007.html">announcement</link>). + Compared to the previous release, Privoxy has gained support + for HTTPS inspection (still experimental), Brotli + decompression, several new filters and lots of bug fixes, + including security ones. In addition, the package is now built + with compression and external filters support, which were + previously disabled. 
+ </para> + <para> + Regarding the NixOS module, new options for HTTPS inspection + have been added and + <literal>services.privoxy.extraConfig</literal> has been + replaced by the new + <link xlink:href="options.html#opt-services.privoxy.settings">services.privoxy.settings</link> + (See + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC + 0042</link> for the motivation). + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://kodi.tv/">Kodi</link> has been + updated to version 19.1 "Matrix". See the + <link xlink:href="https://kodi.tv/article/kodi-19-0-matrix-release">announcement</link> + for further details. + </para> + </listitem> + <listitem> + <para> + The <literal>services.packagekit.backend</literal> option has + been removed as it only supported a single setting which would + always be the default. Instead new + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC + 0042</link> compliant + <link xlink:href="options.html#opt-services.packagekit.settings">services.packagekit.settings</link> + and + <link xlink:href="options.html#opt-services.packagekit.vendorSettings">services.packagekit.vendorSettings</link> + options have been introduced. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://nginx.org">Nginx</link> has been + updated to stable version 1.20.0. Now nginx uses the zlib-ng + library by default. + </para> + </listitem> + <listitem> + <para> + KDE Gear (formerly KDE Applications) is upgraded to 21.04, see + its + <link xlink:href="https://kde.org/announcements/gear/21.04/">release + notes</link> for details. + </para> + <para> + The <literal>kdeApplications</literal> package set is now + <literal>kdeGear</literal>, in keeping with the new name. The + old name remains for compatibility, but it is deprecated. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://libreswan.org/">Libreswan</link> has + been updated to version 4.4. The package now includes example + configurations and manual pages by default. The NixOS module + has been changed to use the upstream systemd units and write + the configuration in the <literal>/etc/ipsec.d/ </literal> + directory. In addition, two new options have been added to + specify connection policies + (<link xlink:href="options.html#opt-services.libreswan.policies">services.libreswan.policies</link>) + and disable send/receive redirects + (<link xlink:href="options.html#opt-services.libreswan.disableRedirects">services.libreswan.disableRedirects</link>). + </para> + </listitem> + <listitem> + <para> + The Mailman NixOS module (<literal>services.mailman</literal>) + has a new option + <link xlink:href="options.html#opt-services.mailman.enablePostfix">services.mailman.enablePostfix</link>, + defaulting to true, that controls integration with Postfix. + </para> + <para> + If this option is disabled, default MTA config becomes not set + and you should set the options in + <literal>services.mailman.settings.mta</literal> according to + the desired configuration as described in + <link xlink:href="https://mailman.readthedocs.io/en/latest/src/mailman/docs/mta.html">Mailman + documentation</link>. + </para> + </listitem> + <listitem> + <para> + The default-version of <literal>nextcloud</literal> is + nextcloud21. Please note that it's <emphasis>not</emphasis> + possible to upgrade <literal>nextcloud</literal> across + multiple major versions! This means that it's e.g. not + possible to upgrade from nextcloud18 to nextcloud20 in a + single deploy and most <literal>20.09</literal> users will + have to upgrade to nextcloud20 first. + </para> + <para> + The package can be manually upgraded by setting + <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link> + to nextcloud21. 
+ </para> + </listitem> + <listitem> + <para> + The setting + <link xlink:href="options.html#opt-services.redis.bind">services.redis.bind</link> + defaults to <literal>127.0.0.1</literal> now, making Redis + listen on the loopback interface only, and not all public + network interfaces. + </para> + </listitem> + <listitem> + <para> + NixOS now emits a deprecation warning if systemd's + <literal>StartLimitInterval</literal> setting is used in a + <literal>serviceConfig</literal> section instead of in a + <literal>unitConfig</literal>; that setting is deprecated and + now undocumented for the service section by systemd upstream, + but still effective and somewhat buggy there, which can be + confusing. See + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/45785">#45785</link> + for details. + </para> + <para> + All services should use + <link xlink:href="options.html#opt-systemd.services._name_.startLimitIntervalSec">systemd.services.<emphasis>name</emphasis>.startLimitIntervalSec</link> + or <literal>StartLimitIntervalSec</literal> in + <link xlink:href="options.html#opt-systemd.services._name_.unitConfig">systemd.services.<emphasis>name</emphasis>.unitConfig</link> + instead. + </para> + </listitem> + <listitem> + <para> + The <literal>mediatomb</literal> service declares new options. + It also adapts existing options so the configuration + generation is now lazy. The existing option + <literal>customCfg</literal> (defaults to false), when + enabled, stops the service configuration generation + completely. It then expects the users to provide their own + correct configuration at the right location (whereas the + configuration was generated and not used at all before). The + new option <literal>transcodingOption</literal> (defaults to + no) allows a generated configuration. It makes the mediatomb + service pulls the necessary runtime dependencies in the nix + store (whereas it was generated with hardcoded values before). 
+ The new option <literal>mediaDirectories</literal> allows the + users to declare autoscan media directories from their nixos + configuration: + </para> + <programlisting language="bash"> +{ + services.mediatomb.mediaDirectories = [ + { path = "/var/lib/mediatomb/pictures"; recursive = false; hidden-files = false; } + { path = "/var/lib/mediatomb/audio"; recursive = true; hidden-files = false; } + ]; +} +</programlisting> + </listitem> + <listitem> + <para> + The Unbound DNS resolver service + (<literal>services.unbound</literal>) has been refactored to + allow reloading, control sockets and to fix startup ordering + issues. + </para> + <para> + It is now possible to enable a local UNIX control socket for + unbound by setting the + <link xlink:href="options.html#opt-services.unbound.localControlSocketPath">services.unbound.localControlSocketPath</link> + option. + </para> + <para> + Previously we just applied a very minimal set of restrictions + and trusted unbound to properly drop root privs and + capabilities. + </para> + <para> + As of this we are (for the most part) just using the upstream + example unit file for unbound. The main difference is that we + start unbound as <literal>unbound</literal> user with the + required capabilities instead of letting unbound do the chroot + & uid/gid changes. + </para> + <para> + The upstream unit configuration this is based on is a lot + stricter with all kinds of permissions then our previous + variant. It also came with the default of having the + <literal>Type</literal> set to <literal>notify</literal>, + therefore we are now also using the + <literal>unbound-with-systemd</literal> package here. Unbound + will start up, read the configuration files and start + listening on the configured ports before systemd will declare + the unit <literal>active (running)</literal>. 
This will likely + help with startup order and the occasional race condition + during system activation where the DNS service is started but + not yet ready to answer queries. Services depending on + <literal>nss-lookup.target</literal> or + <literal>unbound.service</literal> are now be able to use + unbound when those targets have been reached. + </para> + <para> + Additionally to the much stricter runtime environment the + <literal>/dev/urandom</literal> mount lines we previously had + in the code (that randomly failed during the stop-phase) have + been removed as systemd will take care of those for us. + </para> + <para> + The <literal>preStart</literal> script is now only required if + we enabled the trust anchor updates (which are still enabled + by default). + </para> + <para> + Another benefit of the refactoring is that we can now issue + reloads via either <literal>pkill -HUP unbound</literal> and + <literal>systemctl reload unbound</literal> to reload the + running configuration without taking the daemon offline. A + prerequisite of this was that unbound configuration is + available on a well known path on the file system. We are + using the path <literal>/etc/unbound/unbound.conf</literal> as + that is the default in the CLI tooling which in turn enables + us to use <literal>unbound-control</literal> without passing a + custom configuration location. + </para> + <para> + The module has also been reworked to be + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC + 0042</link> compliant. As such, + <literal>sevices.unbound.extraConfig</literal> has been + removed and replaced by + <link xlink:href="options.html#opt-services.unbound.settings">services.unbound.settings</link>. + <literal>services.unbound.interfaces</literal> has been + renamed to + <literal>services.unbound.settings.server.interface</literal>. 
+ </para> + <para> + <literal>services.unbound.forwardAddresses</literal> and + <literal>services.unbound.allowedAccess</literal> have also + been changed to use the new settings interface. You can follow + the instructions when executing + <literal>nixos-rebuild</literal> to upgrade your configuration + to use the new interface. + </para> + </listitem> + <listitem> + <para> + The <literal>services.dnscrypt-proxy2</literal> module now + takes the upstream's example configuration and updates it with + the user's settings. An option has been added to restore the + old behaviour if you prefer to declare the configuration from + scratch. + </para> + </listitem> + <listitem> + <para> + NixOS now defaults to the unified cgroup hierarchy + (cgroupsv2). See the + <link xlink:href="https://www.redhat.com/sysadmin/fedora-31-control-group-v2">Fedora + Article for 31</link> for details on why this is desirable, + and how it impacts containers. + </para> + <para> + If you want to run containers with a runtime that does not yet + support cgroupsv2, you can switch back to the old behaviour by + setting + <link xlink:href="options.html#opt-systemd.enableUnifiedCgroupHierarchy">systemd.enableUnifiedCgroupHierarchy</link> + = <literal>false</literal>; and rebooting. + </para> + </listitem> + <listitem> + <para> + PulseAudio was upgraded to 14.0, with changes to the handling + of default sinks. See its + <link xlink:href="https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/14.0/">release + notes</link>. + </para> + </listitem> + <listitem> + <para> + GNOME users may wish to delete their + <literal>~/.config/pulse</literal> due to the changes to + stream routing logic. See + <link xlink:href="https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/issues/832">PulseAudio + bug 832</link> for more information. 
+ </para> + </listitem> + <listitem> + <para> + The zookeeper package does not provide + <literal>zooInspector.sh</literal> anymore, as that + "contrib" has been dropped from upstream releases. + </para> + </listitem> + <listitem> + <para> + In the ACME module, the data used to build the hash for the + account directory has changed to accomodate new features to + reduce account rate limit issues. This will trigger new + account creation on the first rebuild following this update. + No issues are expected to arise from this, thanks to the new + account creation handling. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-users.users._name_.createHome">users.users.<emphasis>name</emphasis>.createHome</link> + now always ensures home directory permissions to be + <literal>0700</literal>. Permissions had previously been + ignored for already existing home directories, possibly + leaving them readable by others. The option's description was + incorrect regarding ownership management and has been + simplified greatly. + </para> + </listitem> + <listitem> + <para> + When defining a new user, one of + <link xlink:href="options.html#opt-users.users._name_.isNormalUser">users.users.<emphasis>name</emphasis>.isNormalUser</link> + and + <link xlink:href="options.html#opt-users.users._name_.isSystemUser">users.users.<emphasis>name</emphasis>.isSystemUser</link> + is now required. This is to prevent accidentally giving a UID + above 1000 to system users, which could have unexpected + consequences, like running user activation scripts for system + users. Note that users defined with an explicit UID below 500 + are exempted from this check, as + <link xlink:href="options.html#opt-users.users._name_.isSystemUser">users.users.<emphasis>name</emphasis>.isSystemUser</link> + has no effect for those. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>security.apparmor</literal> module, for the + <link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link> + Mandatory Access Control system, has been substantialy + improved along with related tools, so that module maintainers + can now more easily write AppArmor profiles for NixOS. The + most notable change on the user-side is the new option + <link xlink:href="options.html#opt-security.apparmor.policies">security.apparmor.policies</link>, + replacing the previous <literal>profiles</literal> option to + provide a way to disable a profile and to select whether to + confine in enforce mode (default) or in complain mode (see + <literal>journalctl -b --grep apparmor</literal>). + Security-minded users may also want to enable + <link xlink:href="options.html#opt-security.apparmor.killUnconfinedConfinables">security.apparmor.killUnconfinedConfinables</link>, + at the cost of having some of their processes killed when + updating to a NixOS version introducing new AppArmor profiles. + </para> + </listitem> + <listitem> + <para> + The GNOME desktop manager once again installs gnome.epiphany + by default. + </para> + </listitem> + <listitem> + <para> + NixOS now generates empty <literal>/etc/netgroup</literal>. + <literal>/etc/netgroup</literal> defines network-wide groups + and may affect to setups using NIS. + </para> + </listitem> + <listitem> + <para> + Platforms, like <literal>stdenv.hostPlatform</literal>, no + longer have a <literal>platform</literal> attribute. 
It has + been (mostly) flattened away: + </para> + <itemizedlist> + <listitem> + <para> + <literal>platform.gcc</literal> is now + <literal>gcc</literal> + </para> + </listitem> + <listitem> + <para> + <literal>platform.kernel*</literal> is now + <literal>linux-kernel.*</literal> + </para> + </listitem> + </itemizedlist> + <para> + Additionally, <literal>platform.kernelArch</literal> moved to + the top level as <literal>linuxArch</literal> to match the + other <literal>*Arch</literal> variables. + </para> + <para> + The <literal>platform</literal> grouping of these things never + meant anything, and was just a historial/implementation + artifact that was overdue removal. + </para> + </listitem> + <listitem> + <para> + <literal>services.restic</literal> now uses a dedicated cache + directory for every backup defined in + <literal>services.restic.backups</literal>. The old global + cache directory, <literal>/root/.cache/restic</literal>, is + now unused and can be removed to free up disk space. + </para> + </listitem> + <listitem> + <para> + <literal>isync</literal>: The <literal>isync</literal> + compatibility wrapper was removed and the Master/Slave + terminology has been deprecated and should be replaced with + Far/Near in the configuration file. + </para> + </listitem> + <listitem> + <para> + The nix-gc service now accepts randomizedDelaySec (default: 0) + and persistent (default: true) parameters. By default nix-gc + will now run immediately if it would have been triggered at + least once during the time when the timer was inactive. + </para> + </listitem> + <listitem> + <para> + The <literal>rustPlatform.buildRustPackage</literal> function + is split into several hooks: cargoSetupHook to set up + vendoring for Cargo-based projects, cargoBuildHook to build a + project using Cargo, cargoInstallHook to install a project + using Cargo, and cargoCheckHook to run tests in Cargo-based + projects. 
With this change, mixed-language projects can use + the relevant hooks within builders other than + <literal>buildRustPackage</literal>. However, these changes + also required several API changes to + <literal>buildRustPackage</literal> itself: + </para> + <itemizedlist> + <listitem> + <para> + The <literal>target</literal> argument was removed. + Instead, <literal>buildRustPackage</literal> will always + use the same target as the C/C++ compiler that is used. + </para> + </listitem> + <listitem> + <para> + The <literal>cargoParallelTestThreads</literal> argument + was removed. Parallel tests are now disabled through + <literal>dontUseCargoParallelTests</literal>. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>rustPlatform.maturinBuildHook</literal> hook was + added. This hook can be used with + <literal>buildPythonPackage</literal> to build Python packages + that are written in Rust and use Maturin as their build tool. + </para> + </listitem> + <listitem> + <para> + Kubernetes has + <link xlink:href="https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/">deprecated + docker</link> as container runtime. As a consequence, the + Kubernetes module now has support for configuration of custom + remote container runtimes and enables containerd by default. + Note that containerd is more strict regarding container image + OCI-compliance. As an example, images with CMD or ENTRYPOINT + defined as strings (not lists) will fail on containerd, while + working fine on docker. Please test your setup and container + images with containerd prior to upgrading. + </para> + </listitem> + <listitem> + <para> + The GitLab module now has support for automatic backups. A + schedule can be set with the + <link xlink:href="options.html#opt-services.gitlab.backup.startAt">services.gitlab.backup.startAt</link> + option. 
+ </para> + </listitem> + <listitem> + <para> + Prior to this release, systemd would also read system units + from an undocumented + <literal>/etc/systemd-mutable/system</literal> path. This path + has been dropped from the defaults. That path (or others) can + be re-enabled by adding it to the + <link xlink:href="options.html#opt-boot.extraSystemdUnitPaths">boot.extraSystemdUnitPaths</link> + list. + </para> + </listitem> + <listitem> + <para> + PostgreSQL 9.5 is scheduled EOL during the 21.05 life cycle + and has been removed. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.xfce.org/">Xfce4</link> relies + on GIO/GVfs for userspace virtual filesystem access in + applications like + <link xlink:href="https://docs.xfce.org/xfce/thunar/">thunar</link> + and + <link xlink:href="https://docs.xfce.org/apps/gigolo/">gigolo</link>. + For that to work, the gvfs nixos service is enabled by + default, and it can be configured with the specific package + that provides GVfs. Until now Xfce4 was setting it to use a + lighter version of GVfs (without support for samba). To avoid + conflicts with other desktop environments this setting has + been dropped. Users that still want it should add the + following to their system configuration: + </para> + <programlisting language="bash"> +{ + services.gvfs.package = pkgs.gvfs.override { samba = null; }; +} +</programlisting> + </listitem> + <listitem> + <para> + The newly enabled <literal>systemd-pstore.service</literal> + now automatically evacuates crashdumps and panic logs from the + persistent storage to + <literal>/var/lib/systemd/pstore</literal>. This prevents + NVRAM from filling up, which ensures the latest diagnostic + data is always stored and alleviates problems with writing new + boot configurations. 
+ </para> + </listitem> + <listitem> + <para> + Nixpkgs now contains + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/118232">automatically + packaged GNOME Shell extensions</link> from the + <link xlink:href="https://extensions.gnome.org/">GNOME + Extensions</link> portal. You can find them, filed by their + UUID, under <literal>gnome38Extensions</literal> attribute for + GNOME 3.38 and under <literal>gnome40Extensions</literal> for + GNOME 40. Finally, the <literal>gnomeExtensions</literal> + attribute contains extensions for the latest GNOME Shell + version in Nixpkgs, listed under a more human-friendly name. + The unqualified attribute scope also contains manually + packaged extensions. Note that the automatically packaged + extensions are provided for convenience and are not checked or + guaranteed to work. + </para> + </listitem> + <listitem> + <para> + Erlang/OTP versions older than R21 got dropped. We also + dropped the cuter package, as it was purely an example of how + to build a package. We also dropped <literal>lfe_1_2</literal> + as it could not build with R21+. Moving forward, we expect to + only support 3 yearly releases of OTP. + </para> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml new file mode 100644 index 00000000000..b61a0268dee --- /dev/null +++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml 
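Review bot: the Unbound entry in this hunk misspells the removed option as `<literal>sevices.unbound.extraConfig</literal>`; it should read `services.unbound.extraConfig`, otherwise users searching the notes for the option they actually have set will not find the migration hint. Since this file sits under `from_md`, the correction belongs in the markdown source with the XML regenerated. Two smaller points in the same region: the `<programlisting language="bash">` blocks for `services.mediatomb.mediaDirectories` and `services.gvfs.package` contain Nix attribute sets, not shell, so the language tag is wrong for syntax highlighting; and a handful of spelling and grammar slips should be fixed before release ("accomodate" in the ACME entry, "substantialy" in the AppArmor entry, "historial" in the platform entry, "stricter ... then our previous variant" and "are now be able to use unbound" in the Unbound entry, "makes the mediatomb service pulls", and "may affect to setups using NIS"). The security-relevant changes themselves read correctly as written: `services.redis.bind` defaulting to `127.0.0.1`, `createHome` always enforcing `0700`, the mandatory `isNormalUser`/`isSystemUser` choice, and running Unbound as the `unbound` user with capabilities instead of an in-process chroot.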
@@ -0,0 +1,2091 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-21.11"> + <title>Release 21.11 (“Porcupine”, 2021/11/30)</title> + <itemizedlist spacing="compact"> + <listitem> + <para> + Support is planned until the end of June 2022, handing over to + 22.05. + </para> + </listitem> + </itemizedlist> + <section xml:id="sec-release-21.11-highlights"> + <title>Highlights</title> + <para> + In addition to numerous new and upgraded packages, this release + has the following highlights: + </para> + <itemizedlist> + <listitem> + <para> + Nix has been updated to version 2.4, reference its + <link xlink:href="https://discourse.nixos.org/t/nix-2-4-released/15822">release + notes</link> for more information on what has changed. The + previous version of Nix, 2.3.16, remains available for the + time being in the <literal>nix_2_3</literal> package. + </para> + </listitem> + <listitem> + <para> + <literal>iptables</literal> is now using + <literal>nf_tables</literal> under the hood, by using + <literal>iptables-nft</literal>, similar to + <link xlink:href="https://wiki.debian.org/nftables#Current_status">Debian</link> + and + <link xlink:href="https://fedoraproject.org/wiki/Changes/iptables-nft-default">Fedora</link>. + This means, <literal>ip[6]tables</literal>, + <literal>arptables</literal> and <literal>ebtables</literal> + commands will actually show rules from some specific tables in + the <literal>nf_tables</literal> kernel subsystem. In case + you’re migrating from an older release without rebooting, + there might be cases where you end up with iptable rules + configured both in the legacy <literal>iptables</literal> + kernel backend, as well as in the <literal>nf_tables</literal> + backend. This can lead to confusing firewall behaviour. An + <literal>iptables-save</literal> after switching will complain + about <quote>iptables-legacy tables present</quote>. 
It’s + probably best to reboot after the upgrade, or manually + removing all legacy iptables rules (via the + <literal>iptables-legacy</literal> package). + </para> + </listitem> + <listitem> + <para> + systemd got an <literal>nftables</literal> backend, and + configures (networkd) rules in their own + <literal>io.systemd.*</literal> tables. Check + <literal>nft list ruleset</literal> to see these rules, not + <literal>iptables-save</literal> (which only shows + <literal>iptables</literal>-created rules. + </para> + </listitem> + <listitem> + <para> + PHP now defaults to PHP 8.0, updated from 7.4. + </para> + </listitem> + <listitem> + <para> + kops now defaults to 1.21.1, which uses containerd as the + default runtime. + </para> + </listitem> + <listitem> + <para> + <literal>python3</literal> now defaults to Python 3.9, updated + from Python 3.8. + </para> + </listitem> + <listitem> + <para> + PostgreSQL now defaults to major version 13. + </para> + </listitem> + <listitem> + <para> + spark now defaults to spark 3, updated from 2. A + <link xlink:href="https://spark.apache.org/docs/latest/core-migration-guide.html#upgrading-from-core-24-to-30">migration + guide</link> is available. + </para> + </listitem> + <listitem> + <para> + Improvements have been made to the Hadoop module and package: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + HDFS and YARN now support production-ready highly + available deployments with automatic failover. + </para> + </listitem> + <listitem> + <para> + Hadoop now defaults to Hadoop 3, updated from 2. + </para> + </listitem> + <listitem> + <para> + JournalNode, ZKFS and HTTPFS services have been added. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Activation scripts can now, optionally, be run during a + <literal>nixos-rebuild dry-activate</literal> and can detect + the dry activation by reading + <literal>$NIXOS_ACTION</literal>. 
This allows activation + scripts to output what they would change if the activation was + really run. The users/modules activation script supports this + and outputs some of is actions. + </para> + </listitem> + <listitem> + <para> + KDE Plasma now finally works on Wayland. + </para> + </listitem> + <listitem> + <para> + bash now defaults to major version 5. + </para> + </listitem> + <listitem> + <para> + Systemd was updated to version 249 (from 247). + </para> + </listitem> + <listitem> + <para> + Pantheon desktop has been updated to version 6. Due to changes + of screen locker, if locking doesn’t work for you, please try + <literal>gsettings set org.gnome.desktop.lockdown disable-lock-screen false</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>kubernetes-helm</literal> now defaults to 3.7.0, + which introduced some breaking changes to the experimental OCI + manifest format. See + <link xlink:href="https://github.com/helm/community/blob/main/hips/hip-0006.md">HIP + 6</link> for more details. <literal>helmfile</literal> also + defaults to 0.141.0, which is the minimum compatible version. + </para> + </listitem> + <listitem> + <para> + GNOME has been upgraded to 41. Please take a look at their + <link xlink:href="https://help.gnome.org/misc/release-notes/41.0/">Release + Notes</link> for details. 
+ </para> + </listitem> + <listitem> + <para> + LXD support was greatly improved: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + building LXD images from configurations is now directly + possible with just nixpkgs + </para> + </listitem> + <listitem> + <para> + hydra is now building nixOS LXD images that can be used + standalone with full nixos-rebuild support + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + OpenSSH was updated to version 8.8p1 + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + This breaks connections to old SSH daemons as ssh-rsa host + keys and ssh-rsa public keys that were signed with SHA-1 + are disabled by default now + </para> + </listitem> + <listitem> + <para> + These can be re-enabled, see the + <link xlink:href="https://www.openssh.com/txt/release-8.8">OpenSSH + changelog</link> for details + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + ORY Kratos was updated to version 0.8.0-alpha.3 + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + This release requires you to run SQL migrations. Please, + as always, create a backup of your database first! + </para> + </listitem> + <listitem> + <para> + The SDKs are now generated with tag v0alpha2 to reflect + that some signatures have changed in a breaking fashion. + Please update your imports from v0alpha1 to v0alpha2. + </para> + </listitem> + <listitem> + <para> + The SMTPS scheme used in courier config URL with + cleartext/StartTLS/TLS SMTP connection types is now only + supporting implicit TLS. For StartTLS and cleartext SMTP, + please use the SMTP scheme instead. + </para> + </listitem> + <listitem> + <para> + for more details, see + <link xlink:href="https://github.com/ory/kratos/releases/tag/v0.8.0-alpha.1">Release + Notes</link>. 
+ </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-21.11-new-services"> + <title>New Services</title> + <itemizedlist> + <listitem> + <para> + <link xlink:href="https://digint.ch/btrbk/index.html">btrbk</link>, + a backup tool for btrfs subvolumes, taking advantage of btrfs + specific capabilities to create atomic snapshots and transfer + them incrementally to your backup locations. Available as + <link xlink:href="options.html#opt-services.brtbk.instances">services.btrbk</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/xrelkd/clipcat/">clipcat</link>, + an X11 clipboard manager written in Rust. Available at + <link xlink:href="options.html#opt-services.clipcat.enable">services.clipcat</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/dexidp/dex">dex</link>, + an OpenID Connect (OIDC) identity and OAuth 2.0 provider. + Available at + <link xlink:href="options.html#opt-services.dex.enable">services.dex</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/maxmind/geoipupdate">geoipupdate</link>, + a GeoIP database updater from MaxMind. Available as + <link xlink:href="options.html#opt-services.geoipupdate.enable">services.geoipupdate</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/jitsi/jibri">Jibri</link>, + a service for recording or streaming a Jitsi Meet conference. + Available as + <link xlink:href="options.html#opt-services.jibri.enable">services.jibri</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.isc.org/kea/">Kea</link>, ISCs + 2nd generation DHCP and DDNS server suite. Available at + <link xlink:href="options.html#opt-services.kea.dhcp4">services.kea</link>. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://owncast.online/">owncast</link>, + self-hosted video live streaming solution. Available at + <link xlink:href="options.html#opt-services.owncast.enable">services.owncast</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://joinpeertube.org/">PeerTube</link>, + developed by Framasoft, is the free and decentralized + alternative to video platforms. Available at + <link xlink:href="options.html#opt-services.peertube.enable">services.peertube</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://sr.ht">sourcehut</link>, a + collection of tools useful for software development. Available + as + <link xlink:href="options.html#opt-services.sourcehut.enable">services.sourcehut</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://download.pureftpd.org/pub/ucarp/README">ucarp</link>, + an userspace implementation of the Common Address Redundancy + Protocol (CARP). Available as + <link xlink:href="options.html#opt-networking.ucarp.enable">networking.ucarp</link>. + </para> + </listitem> + <listitem> + <para> + Users of flashrom should migrate to + <link xlink:href="options.html#opt-programs.flashrom.enable">programs.flashrom.enable</link> + and add themselves to the <literal>flashrom</literal> group to + be able to access programmers supported by flashrom. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://vikunja.io">vikunja</link>, a to-do + list app. Available as + <link linkend="opt-services.vikunja.enable">services.vikunja</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/evilsocket/opensnitch">opensnitch</link>, + an application firewall. Available as + <link linkend="opt-services.opensnitch.enable">services.opensnitch</link>. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.snapraid.it/">snapraid</link>, a + backup program for disk arrays. Available as + <link linkend="opt-snapraid.enable">snapraid</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/hockeypuck/hockeypuck">Hockeypuck</link>, + a OpenPGP Key Server. Available as + <link linkend="opt-services.hockeypuck.enable">services.hockeypuck</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/buildkite/buildkite-agent-metrics">buildkite-agent-metrics</link>, + a command-line tool for collecting Buildkite agent metrics, + now has a Prometheus exporter available as + <link linkend="opt-services.prometheus.exporters.buildkite-agent.enable">services.prometheus.exporters.buildkite-agent</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/prometheus/influxdb_exporter">influxdb-exporter</link> + a Prometheus exporter that exports metrics received on an + InfluxDB compatible endpoint is now available as + <link linkend="opt-services.prometheus.exporters.influxdb.enable">services.prometheus.exporters.influxdb</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/matrix-discord/mx-puppet-discord">mx-puppet-discord</link>, + a discord puppeting bridge for matrix. Available as + <link linkend="opt-services.mx-puppet-discord.enable">services.mx-puppet-discord</link>. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.meshcommander.com/meshcentral2/overview">MeshCentral</link>, + a remote administration service (<quote>TeamViewer but + self-hosted and with more features</quote>) is now available + with a package and a module: + <link linkend="opt-services.meshcentral.enable">services.meshcentral.enable</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/Arksine/moonraker">moonraker</link>, + an API web server for Klipper. Available as + <link linkend="opt-services.moonraker.enable">moonraker</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/influxdata/influxdb">influxdb2</link>, + a Scalable datastore for metrics, events, and real-time + analytics. Available as + <link linkend="opt-services.influxdb2.enable">services.influxdb2</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://posativ.org/isso/">isso</link>, a + commenting server similar to Disqus. Available as + <link linkend="opt-services.isso.enable">isso</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.navidrome.org/">navidrome</link>, + a personal music streaming server with subsonic-compatible + api. Available as + <link linkend="opt-services.navidrome.enable">navidrome</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://docs.fluidd.xyz/">fluidd</link>, a + Klipper web interface for managing 3d printers using + moonraker. Available as + <link linkend="opt-services.fluidd.enable">fluidd</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/earnestly/sx">sx</link>, + a simple alternative to both xinit and startx for starting a + Xorg server. 
Available as + <link linkend="opt-services.xserver.displayManager.sx.enable">services.xserver.displayManager.sx</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://postfixadmin.sourceforge.io/">postfixadmin</link>, + a web based virtual user administration interface for Postfix + mail servers. Available as + <link linkend="opt-services.postfixadmin.enable">postfixadmin</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://wiki.servarr.com/prowlarr">prowlarr</link>, + an indexer manager/proxy built on the popular arr .net/reactjs + base stack + <link linkend="opt-services.prowlarr.enable">services.prowlarr</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://sr.ht/~emersion/soju">soju</link>, a + user-friendly IRC bouncer. Available as + <link xlink:href="options.html#opt-services.soju.enable">services.soju</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://nats.io/">nats</link>, a high + performance cloud and edge messaging system. Available as + <link linkend="opt-services.nats.enable">services.nats</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://git-scm.com">git</link>, a + distributed version control system. Available as + <link xlink:href="options.html#opt-programs.git.enable">programs.git</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://domainaware.github.io/parsedmarc/">parsedmarc</link>, + a service which parses incoming + <link xlink:href="https://dmarc.org/">DMARC</link> reports and + stores or sends them to a downstream service for further + analysis. Documented in + <link linkend="module-services-parsedmarc">its manual + entry</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://spark.apache.org/">spark</link>, a + unified analytics engine for large-scale data processing. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/JoseExposito/touchegg">touchegg</link>, + a multi-touch gesture recognizer. Available as + <link linkend="opt-services.touchegg.enable">services.touchegg</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/pantheon-tweaks/pantheon-tweaks">pantheon-tweaks</link>, + an unofficial system settings panel for Pantheon. Available as + <link linkend="opt-programs.pantheon-tweaks.enable">programs.pantheon-tweaks</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/DanielOgorchock/joycond">joycond</link>, + a service that uses <literal>hid-nintendo</literal> to provide + nintendo joycond pairing and better nintendo switch pro + controller support. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/opensvc/multipath-tools">multipath</link>, + the device mapper multipath (DM-MP) daemon. Available as + <link linkend="opt-services.multipath.enable">services.multipath</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.seafile.com/en/home/">seafile</link>, + an open source file syncing & sharing software. Available + as + <link xlink:href="options.html#opt-services.seafile.enable">services.seafile</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/mchehab/rasdaemon">rasdaemon</link>, + a hardware error logging daemon. Available as + <link linkend="opt-hardware.rasdaemon.enable">hardware.rasdaemon</link>. + </para> + </listitem> + <listitem> + <para> + <literal>code-server</literal>-module now available + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/xmrig/xmrig">xmrig</link>, + a high performance, open source, cross platform RandomX, + KawPow, CryptoNight and AstroBWT unified CPU/GPU miner and + RandomX benchmark. 
+ </para> + </listitem> + <listitem> + <para> + Auto nice daemons + <link xlink:href="https://github.com/Nefelim4ag/Ananicy">ananicy</link> + and + <link xlink:href="https://gitlab.com/ananicy-cpp/ananicy-cpp/">ananicy-cpp</link>. + Available as + <link linkend="opt-services.ananicy.enable">services.ananicy</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/prometheus-community/smartctl_exporter">smartctl_exporter</link>, + a Prometheus exporter for + <link xlink:href="https://en.wikipedia.org/wiki/S.M.A.R.T.">S.M.A.R.T.</link> + data. Available as + <link xlink:href="options.html#opt-services.prometheus.exporters.smartctl.enable">services.prometheus.exporters.smartctl</link>. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-21.11-incompatibilities"> + <title>Backward Incompatibilities</title> + <itemizedlist> + <listitem> + <para> + The NixOS VM test framework, + <literal>pkgs.nixosTest</literal>/<literal>make-test-python.nix</literal>, + now requires detaching commands such as + <literal>succeed("foo &")</literal> and + <literal>succeed("foo | xclip -i")</literal> to + close stdout. This can be done with a redirect such as + <literal>succeed("foo >&2 &")</literal>. + This breaking change was necessitated by a race condition + causing tests to fail or hang. It applies to all methods that + invoke commands on the nodes, including + <literal>execute</literal>, <literal>succeed</literal>, + <literal>fail</literal>, + <literal>wait_until_succeeds</literal>, + <literal>wait_until_fails</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>services.wakeonlan</literal> option was removed, + and replaced with + <literal>networking.interfaces.<name>.wakeOnLan</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>security.wrappers</literal> option now requires + to always specify an owner, group and whether the + setuid/setgid bit should be set. 
This is motivated by the fact + that before NixOS 21.11, specifying either setuid or setgid + but not owner/group resulted in wrappers owned by + nobody/nogroup, which is unsafe. + </para> + </listitem> + <listitem> + <para> + Since <literal>iptables</literal> now uses + <literal>nf_tables</literal> backend and + <literal>ipset</literal> doesn’t support it, some applications + (ferm, shorewall, firehol) may have limited functionality. + </para> + </listitem> + <listitem> + <para> + The <literal>paperless</literal> module and package have been + removed. All users should migrate to the successor + <literal>paperless-ng</literal> instead. The Paperless project + <link xlink:href="https://github.com/the-paperless-project/paperless/commit/9b0063c9731f7c5f65b1852cb8caff97f5e40ba4">has + been archived</link> and advises all users to use + <literal>paperless-ng</literal> instead. + </para> + <para> + Users can use the <literal>services.paperless-ng</literal> + module as a replacement while noting the following + incompatibilities: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>services.paperless.ocrLanguages</literal> has no + replacement. Users should migrate to + <link xlink:href="options.html#opt-services.paperless-ng.extraConfig"><literal>services.paperless-ng.extraConfig</literal></link> + instead: + </para> + </listitem> + </itemizedlist> + <programlisting language="bash"> +{ + services.paperless-ng.extraConfig = { + # Provide languages as ISO 639-2 codes + # separated by a plus (+) sign. + # https://en.wikipedia.org/wiki/List_of_ISO_639-2_codes + PAPERLESS_OCR_LANGUAGE = "deu+eng+jpn"; # German & English & Japanse + }; +} +</programlisting> + <itemizedlist> + <listitem> + <para> + If you previously specified + <literal>PAPERLESS_CONSUME_MAIL_*</literal> settings in + <literal>services.paperless.extraConfig</literal> you + should remove those options now. 
You now + <emphasis>must</emphasis> define those settings in the + admin interface of paperless-ng. + </para> + </listitem> + <listitem> + <para> + Option <literal>services.paperless.manage</literal> no + longer exists. Use the script at + <literal>${services.paperless-ng.dataDir}/paperless-ng-manage</literal> + instead. Note that this script only exists after the + <literal>paperless-ng</literal> service has been started + at least once. + </para> + </listitem> + <listitem> + <para> + After switching to the new system configuration you should + run the Django management command to reindex your + documents and optionally create a user, if you don’t have + one already. + </para> + <para> + To do so, enter the data directory (the value of + <literal>services.paperless-ng.dataDir</literal>, + <literal>/var/lib/paperless</literal> by default), switch + to the paperless user and execute the management command + like below: + </para> + <programlisting> +$ cd /var/lib/paperless +$ su paperless -s /bin/sh +$ ./paperless-ng-manage document_index reindex +# if not already done create a user account, paperless-ng requires a login +$ ./paperless-ng-manage createsuperuser +Username (leave blank to use 'paperless'): my-user-name +Email address: me@example.com +Password: ********** +Password (again): ********** +Superuser created successfully. +</programlisting> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>staticjinja</literal> package has been upgraded + from 1.0.4 to 4.1.1 + </para> + </listitem> + <listitem> + <para> + Firefox v91 does not support addons with invalid signature + anymore. Firefox ESR needs to be used for nix addon support. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>erigon</literal> ethereum node has moved to a new + database format in <literal>2021-05-04</literal>, and requires + a full resync + </para> + </listitem> + <listitem> + <para> + The <literal>erigon</literal> ethereum node has moved it’s + database location in <literal>2021-08-03</literal>, users + upgrading must manually move their chaindata (see + <link xlink:href="https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03">release + notes</link>). + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-users.users._name_.group">users.users.<name>.group</link> + no longer defaults to <literal>nogroup</literal>, which was + insecure. Out-of-tree modules are likely to require + adaptation: instead of + </para> + <programlisting language="bash"> +{ + users.users.foo = { + isSystemUser = true; + }; +} +</programlisting> + <para> + also create a group for your user: + </para> + <programlisting language="bash"> +{ + users.users.foo = { + isSystemUser = true; + group = "foo"; + }; + users.groups.foo = {}; +} +</programlisting> + </listitem> + <listitem> + <para> + <literal>services.geoip-updater</literal> was broken and has + been replaced by + <link xlink:href="options.html#opt-services.geoipupdate.enable">services.geoipupdate</link>. + </para> + </listitem> + <listitem> + <para> + <literal>ihatemoney</literal> has been updated to version + 5.1.1 + (<link xlink:href="https://github.com/spiral-project/ihatemoney/blob/5.1.1/CHANGELOG.rst">release + notes</link>). If you serve ihatemoney by HTTP rather than + HTTPS, you must set + <link xlink:href="options.html#opt-services.ihatemoney.secureCookie">services.ihatemoney.secureCookie</link> + to <literal>false</literal>. + </para> + </listitem> + <listitem> + <para> + PHP 7.3 is no longer supported due to upstream not supporting + this version for the entire lifecycle of the 21.11 release. 
+ </para> + </listitem> + <listitem> + <para> + Those making use of <literal>buildBazelPackage</literal> will + need to regenerate the fetch hashes (preferred), or set + <literal>fetchConfigured = false;</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>consul</literal> was upgraded to a new major release + with breaking changes, see + <link xlink:href="https://github.com/hashicorp/consul/releases/tag/v1.10.0">upstream + changelog</link>. + </para> + </listitem> + <listitem> + <para> + fsharp41 has been removed in preference to use the latest + dotnet-sdk + </para> + </listitem> + <listitem> + <para> + The following F#-related packages have been removed for being + unmaintaned. Please use <literal>fetchNuGet</literal> for + specific packages. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + ExtCore + </para> + </listitem> + <listitem> + <para> + Fake + </para> + </listitem> + <listitem> + <para> + Fantomas + </para> + </listitem> + <listitem> + <para> + FsCheck + </para> + </listitem> + <listitem> + <para> + FsCheck262 + </para> + </listitem> + <listitem> + <para> + FsCheckNunit + </para> + </listitem> + <listitem> + <para> + FSharpAutoComplete + </para> + </listitem> + <listitem> + <para> + FSharpCompilerCodeDom + </para> + </listitem> + <listitem> + <para> + FSharpCompilerService + </para> + </listitem> + <listitem> + <para> + FSharpCompilerTools + </para> + </listitem> + <listitem> + <para> + FSharpCore302 + </para> + </listitem> + <listitem> + <para> + FSharpCore3125 + </para> + </listitem> + <listitem> + <para> + FSharpCore4001 + </para> + </listitem> + <listitem> + <para> + FSharpCore4117 + </para> + </listitem> + <listitem> + <para> + FSharpData + </para> + </listitem> + <listitem> + <para> + FSharpData225 + </para> + </listitem> + <listitem> + <para> + FSharpDataSQLProvider + </para> + </listitem> + <listitem> + <para> + FSharpFormatting + </para> + </listitem> + <listitem> + <para> + FsLexYacc + </para> + </listitem> + 
<listitem> + <para> + FsLexYacc706 + </para> + </listitem> + <listitem> + <para> + FsLexYaccRuntime + </para> + </listitem> + <listitem> + <para> + FsPickler + </para> + </listitem> + <listitem> + <para> + FsUnit + </para> + </listitem> + <listitem> + <para> + Projekt + </para> + </listitem> + <listitem> + <para> + Suave + </para> + </listitem> + <listitem> + <para> + UnionArgParser + </para> + </listitem> + <listitem> + <para> + ExcelDnaRegistration + </para> + </listitem> + <listitem> + <para> + MathNetNumerics + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>programs.x2goserver</literal> is now + <literal>services.x2goserver</literal> + </para> + </listitem> + <listitem> + <para> + The following dotnet-related packages have been removed for + being unmaintaned. Please use <literal>fetchNuGet</literal> + for specific packages. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Autofac + </para> + </listitem> + <listitem> + <para> + SystemValueTuple + </para> + </listitem> + <listitem> + <para> + MicrosoftDiaSymReader + </para> + </listitem> + <listitem> + <para> + MicrosoftDiaSymReaderPortablePdb + </para> + </listitem> + <listitem> + <para> + SystemCollectionsImmutable + </para> + </listitem> + <listitem> + <para> + SystemCollectionsImmutable131 + </para> + </listitem> + <listitem> + <para> + SystemReflectionMetadata + </para> + </listitem> + <listitem> + <para> + NUnit350 + </para> + </listitem> + <listitem> + <para> + Deedle + </para> + </listitem> + <listitem> + <para> + ExcelDna + </para> + </listitem> + <listitem> + <para> + GitVersionTree + </para> + </listitem> + <listitem> + <para> + NDeskOptions + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + <itemizedlist> + <listitem> + <para> + The <literal>antlr</literal> package now defaults to the 4.x + release instead of the old 2.7.7 version. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>pulseeffects</literal> package updated to + <link xlink:href="https://github.com/wwmm/easyeffects/releases/tag/v6.0.0">version + 4.x</link> and renamed to <literal>easyeffects</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>libwnck</literal> package now defaults to the 3.x + release instead of the old 2.31.0 version. + </para> + </listitem> + <listitem> + <para> + The <literal>bitwarden_rs</literal> packages and modules were + renamed to <literal>vaultwarden</literal> + <link xlink:href="https://github.com/dani-garcia/vaultwarden/discussions/1642">following + upstream</link>. More specifically, + </para> + <itemizedlist> + <listitem> + <para> + <literal>pkgs.bitwarden_rs</literal>, + <literal>pkgs.bitwarden_rs-sqlite</literal>, + <literal>pkgs.bitwarden_rs-mysql</literal> and + <literal>pkgs.bitwarden_rs-postgresql</literal> were + renamed to <literal>pkgs.vaultwarden</literal>, + <literal>pkgs.vaultwarden-sqlite</literal>, + <literal>pkgs.vaultwarden-mysql</literal> and + <literal>pkgs.vaultwarden-postgresql</literal>, + respectively. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Old names are preserved as aliases for backwards + compatibility, but may be removed in the future. + </para> + </listitem> + <listitem> + <para> + The <literal>bitwarden_rs</literal> executable was + also renamed to <literal>vaultwarden</literal> in all + packages. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>pkgs.bitwarden_rs-vault</literal> was renamed to + <literal>pkgs.vaultwarden-vault</literal>. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>pkgs.bitwarden_rs-vault</literal> is + preserved as an alias for backwards compatibility, but + may be removed in the future. 
+ </para> + </listitem> + <listitem> + <para> + The static files were moved from + <literal>/usr/share/bitwarden_rs</literal> to + <literal>/usr/share/vaultwarden</literal>. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>services.bitwarden_rs</literal> config module + was renamed to <literal>services.vaultwarden</literal>. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>services.bitwarden_rs</literal> is preserved + as an alias for backwards compatibility, but may be + removed in the future. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>systemd.services.bitwarden_rs</literal>, + <literal>systemd.services.backup-bitwarden_rs</literal> + and <literal>systemd.timers.backup-bitwarden_rs</literal> + were renamed to + <literal>systemd.services.vaultwarden</literal>, + <literal>systemd.services.backup-vaultwarden</literal> and + <literal>systemd.timers.backup-vaultwarden</literal>, + respectively. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Old names are preserved as aliases for backwards + compatibility, but may be removed in the future. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>users.users.bitwarden_rs</literal> and + <literal>users.groups.bitwarden_rs</literal> were renamed + to <literal>users.users.vaultwarden</literal> and + <literal>users.groups.vaultwarden</literal>, respectively. + </para> + </listitem> + <listitem> + <para> + The data directory remains located at + <literal>/var/lib/bitwarden_rs</literal>, for backwards + compatibility. + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + <itemizedlist> + <listitem> + <para> + <literal>yggdrasil</literal> was upgraded to a new major + release with breaking changes, see + <link xlink:href="https://github.com/yggdrasil-network/yggdrasil-go/releases/tag/v0.4.0">upstream + changelog</link>. 
+ </para> + </listitem> + <listitem> + <para> + <literal>icingaweb2</literal> was upgraded to a new release + which requires a manual database upgrade, see + <link xlink:href="https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0">upstream + changelog</link>. + </para> + </listitem> + <listitem> + <para> + The <literal>isabelle</literal> package has been upgraded from + 2020 to 2021 + </para> + </listitem> + <listitem> + <para> + the <literal>mingw-64</literal> package has been upgraded from + 6.0.0 to 9.0.0 + </para> + </listitem> + <listitem> + <para> + <literal>tt-rss</literal> was upgraded to the commit on + 2021-06-21, which has breaking changes. If you use + <literal>services.tt-rss.extraConfig</literal> you should + migrate to the <literal>putenv</literal>-style configuration. + See + <link xlink:href="https://community.tt-rss.org/t/rip-config-php-hello-classes-config-php/4337">this + Discourse post</link> in the tt-rss forums for more details. + </para> + </listitem> + <listitem> + <para> + The following Visual Studio Code extensions were renamed to + keep the naming convention uniform. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>bbenoist.Nix</literal> -> + <literal>bbenoist.nix</literal> + </para> + </listitem> + <listitem> + <para> + <literal>CoenraadS.bracket-pair-colorizer</literal> -> + <literal>coenraads.bracket-pair-colorizer</literal> + </para> + </listitem> + <listitem> + <para> + <literal>golang.Go</literal> -> + <literal>golang.go</literal> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>services.uptimed</literal> now uses + <literal>/var/lib/uptimed</literal> as its stateDirectory + instead of <literal>/var/spool/uptimed</literal>. Make sure to + move all files to the new directory. + </para> + </listitem> + <listitem> + <para> + Deprecated package aliases in <literal>emacs.pkgs.*</literal> + have been removed. 
These aliases were remnants of the old + Emacs package infrastructure. We now use exact upstream names + wherever possible. + </para> + </listitem> + <listitem> + <para> + <literal>programs.neovim.runtime</literal> switched to a + <literal>linkFarm</literal> internally, making it impossible + to use wildcards in the <literal>source</literal> argument. + </para> + </listitem> + <listitem> + <para> + The <literal>openrazer</literal> and + <literal>openrazer-daemon</literal> packages as well as the + <literal>hardware.openrazer</literal> module now require users + to be members of the <literal>openrazer</literal> group + instead of <literal>plugdev</literal>. With this change, users + no longer need be granted the entire set of + <literal>plugdev</literal> group permissions, which can + include permissions other than those required by + <literal>openrazer</literal>. This is desirable from a + security point of view. The setting + <link xlink:href="options.html#opt-services.hardware.openrazer.users"><literal>harware.openrazer.users</literal></link> + can be used to add users to the <literal>openrazer</literal> + group. + </para> + </listitem> + <listitem> + <para> + The fontconfig service’s dpi option has been removed. + Fontconfig should use Xft settings by default so there’s no + need to override one value in multiple places. The user can + set DPI via ~/.Xresources properly, or at the system level per + monitor, or as a last resort at the system level with + <literal>services.xserver.dpi</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>yambar</literal> package has been split into + <literal>yambar</literal> and + <literal>yambar-wayland</literal>, corresponding to the xorg + and wayland backend respectively. Please switch to + <literal>yambar-wayland</literal> if you are on wayland. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>services.minio</literal> module gained an + additional option <literal>consoleAddress</literal>, that + configures the address and port the web UI is listening, it + defaults to <literal>:9001</literal>. To be able to access the + web UI this port needs to be opened in the firewall. + </para> + </listitem> + <listitem> + <para> + The <literal>varnish</literal> package was upgraded from 6.3.x + to 7.x. <literal>varnish60</literal> for the last LTS release + is also still available. + </para> + </listitem> + <listitem> + <para> + The <literal>kubernetes</literal> package was upgraded to + 1.22. The <literal>kubernetes.apiserver.kubeletHttps</literal> + option was removed and HTTPS is always used. + </para> + </listitem> + <listitem> + <para> + The attribute <literal>linuxPackages_latest_hardened</literal> + was dropped because the hardened patches lag behind the + upstream kernel which made version bumps harder. If you want + to use a hardened kernel, please pin it explicitly with a + versioned attribute such as + <literal>linuxPackages_5_10_hardened</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>nomad</literal> package now defaults to a 1.1.x + release instead of 1.0.x + </para> + </listitem> + <listitem> + <para> + If <literal>exfat</literal> is included in + <literal>boot.supportedFilesystems</literal> and when using + kernel 5.7 or later, the <literal>exfatprogs</literal> + user-space utilities are used instead of + <literal>exfat</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>todoman</literal> package was upgraded from 3.9.0 + to 4.0.0. This introduces breaking changes in the + <link xlink:href="https://todoman.readthedocs.io/en/stable/configure.html#configuration-file">configuration + file</link> format. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>datadog-agent</literal>, + <literal>datadog-integrations-core</literal> and + <literal>datadog-process-agent</literal> packages were + upgraded from 6.11.2 to 7.30.2, git-2018-09-18 to 7.30.1 and + 6.11.1 to 7.30.2, respectively. As a result + <literal>services.datadog-agent</literal> has had breaking + changes to the configuration file. For details, see the + <link xlink:href="https://github.com/DataDog/datadog-agent/blob/main/CHANGELOG.rst">upstream + changelog</link>. + </para> + </listitem> + <listitem> + <para> + <literal>opencv2</literal> no longer includes the non-free + libraries by default, and consequently + <literal>pfstools</literal> no longer includes OpenCV support + by default. Both packages now support an + <literal>enableUnfree</literal> option to re-enable this + functionality. + </para> + </listitem> + <listitem> + <para> + <literal>services.xserver.displayManager.defaultSession = "plasma5"</literal> + does not work anymore, instead use either + <literal>"plasma"</literal> for the Plasma X11 + session or <literal>"plasmawayland"</literal> for + the Plasma Wayland sesison. + </para> + </listitem> + <listitem> + <para> + <literal>boot.kernelParams</literal> now only accepts one + command line parameter per string. This change is aimed to + reduce common mistakes like <quote>param = 12</quote>, which + would be parsed as 3 parameters. + </para> + </listitem> + <listitem> + <para> + <literal>nix.daemonNiceLevel</literal> and + <literal>nix.daemonIONiceLevel</literal> have been removed in + favour of the new options + <link xlink:href="options.html#opt-nix.daemonCPUSchedPolicy"><literal>nix.daemonCPUSchedPolicy</literal></link>, + <link xlink:href="options.html#opt-nix.daemonIOSchedClass"><literal>nix.daemonIOSchedClass</literal></link> + and + <link xlink:href="options.html#opt-nix.daemonIOSchedPriority"><literal>nix.daemonIOSchedPriority</literal></link>. 
+ Please refer to the options documentation and the + <literal>sched(7)</literal> and + <literal>ioprio_set(2)</literal> man pages for guidance on how + to use them. + </para> + </listitem> + <listitem> + <para> + The <literal>coursier</literal> package’s binary was renamed + from <literal>coursier</literal> to <literal>cs</literal>. + Completions which haven’t worked for a while should now work + with the renamed binary. To keep using + <literal>coursier</literal>, you can create a shell alias. + </para> + </listitem> + <listitem> + <para> + The <literal>services.mosquitto</literal> module has been + rewritten to support multiple listeners and per-listener + configuration. Module configurations from previous releases + will no longer work and must be updated. + </para> + </listitem> + <listitem> + <para> + The <literal>fluidsynth_1</literal> attribute has been + removed, as this legacy version is no longer needed in + nixpkgs. The actively maintained 2.x series is available as + <literal>fluidsynth</literal> unchanged. + </para> + </listitem> + <listitem> + <para> + Nextcloud 20 (<literal>pkgs.nextcloud20</literal>) has been + dropped because it was EOLed by upstream in 2021-10. + </para> + </listitem> + <listitem> + <para> + The <literal>virtualisation.pathsInNixDB</literal> option was + renamed + <link xlink:href="options.html#opt-virtualisation.additionalPaths"><literal>virtualisation.additionalPaths</literal></link>. + </para> + </listitem> + <listitem> + <para> + The <literal>services.ddclient.password</literal> option was + removed, and replaced with + <literal>services.ddclient.passwordFile</literal>. + </para> + </listitem> + <listitem> + <para> + The default GNAT version has been changed: The + <literal>gnat</literal> attribute now points to + <literal>gnat11</literal> instead of <literal>gnat9</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>retroArchCores</literal> has been removed. 
This means + that using <literal>nixpkgs.config.retroarch</literal> to + customize RetroArch cores is not supported anymore. Instead, + use package overrides, for example: + <literal>retroarch.override { cores = with libretro; [ citra snes9x ]; };</literal>. + Also, <literal>retroarchFull</literal> derivation is available + for those who want to have all RetroArch cores available. + </para> + </listitem> + <listitem> + <para> + The Linux kernel for security reasons now restricts access to + BPF syscalls via <literal>BPF_UNPRIV_DEFAULT_OFF=y</literal>. + Unprivileged access can be reenabled via the + <literal>kernel.unprivileged_bpf_disabled</literal> sysctl + knob. + </para> + </listitem> + <listitem> + <para> + <literal>/usr</literal> will always be included in the initial + ramdisk. See the + <literal>fileSystems.<name>.neededForBoot</literal> + option. If any files exist under <literal>/usr</literal> + (which is not typical for NixOS), they will be included in the + initial ramdisk, increasing its size to a possibly problematic + extent. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-21.11-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + The linux kernel package infrastructure was moved out of + <literal>all-packages.nix</literal>, and restructured. Linux + related functions and attributes now live under the + <literal>pkgs.linuxKernel</literal> attribute set. In + particular the versioned <literal>linuxPackages_*</literal> + package sets (such as <literal>linuxPackages_5_4</literal>) + and kernels from <literal>pkgs</literal> were moved there and + now live under <literal>pkgs.linuxKernel.packages.*</literal>. + The unversioned ones (such as + <literal>linuxPackages_latest</literal>) remain untouched. 
+ </para> + </listitem> + <listitem> + <para> + In NixOS virtual machines (QEMU), the + <literal>virtualisation</literal> module has been updated with + new options: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <link xlink:href="options.html#opt-virtualisation.forwardPorts"><literal>forwardPorts</literal></link> + to configure IPv4 port forwarding, + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-virtualisation.sharedDirectories"><literal>sharedDirectories</literal></link> + to set up shared host directories, + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-virtualisation.resolution"><literal>resolution</literal></link> + to set the screen resolution, + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-virtualisation.useNixStoreImage"><literal>useNixStoreImage</literal></link> + to use a disk image for the Nix store instead of 9P. + </para> + </listitem> + </itemizedlist> + <para> + In addition, the default + <link xlink:href="options.html#opt-virtualisation.msize"><literal>msize</literal></link> + parameter in 9P filesystems (including /nix/store and all + shared directories) has been increased to 16K for improved + performance. + </para> + </listitem> + <listitem> + <para> + The setting + <link xlink:href="options.html#opt-services.openssh.logLevel"><literal>services.openssh.logLevel</literal></link> + <literal>"VERBOSE"</literal> + <literal>"INFO"</literal>. This brings NixOS in line + with upstream and other Linux distributions, and reduces log + spam on servers due to bruteforcing botnets. 
+ </para> + <para> + However, if + <link xlink:href="options.html#opt-services.fail2ban.enable"><literal>services.fail2ban.enable</literal></link> + is <literal>true</literal>, the <literal>fail2ban</literal> + will override the verbosity to + <literal>"VERBOSE"</literal>, so that + <literal>fail2ban</literal> can observe the failed login + attempts from the SSH logs. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.xserver.extraLayouts"><literal>services.xserver.extraLayouts</literal></link> + no longer cause additional rebuilds when a layout is added or + modified. + </para> + </listitem> + <listitem> + <para> + Sway: The terminal emulator <literal>rxvt-unicode</literal> is + no longer installed by default via + <literal>programs.sway.extraPackages</literal>. The current + default configuration uses <literal>alacritty</literal> (and + soon <literal>foot</literal>) so this is only an issue when + using a customized configuration and not installing + <literal>rxvt-unicode</literal> explicitly. + </para> + </listitem> + <listitem> + <para> + <literal>python3</literal> now defaults to Python 3.9. Python + 3.9 introduces many deprecation warnings, please look at the + <link xlink:href="https://docs.python.org/3/whatsnew/3.9.html">What’s + New In Python 3.9 post</link> for more information. + </para> + </listitem> + <listitem> + <para> + <literal>qtile</literal> hase been updated from + <quote>0.16.0</quote> to <quote>0.18.0</quote>, please check + <link xlink:href="https://github.com/qtile/qtile/blob/master/CHANGELOG">qtile + changelog</link> for changes. + </para> + </listitem> + <listitem> + <para> + The <literal>claws-mail</literal> package now references the + new GTK+ 3 release branch, major version 4. To use the GTK+ 2 + releases, one can install the + <literal>claws-mail-gtk2</literal> package. 
+ </para> + </listitem> + <listitem> + <para> + The wordpress module provides a new interface which allows to + use different webservers with the new option + <link xlink:href="options.html#opt-services.wordpress.webserver"><literal>services.wordpress.webserver</literal></link>. + Currently <literal>httpd</literal>, <literal>caddy</literal> + and <literal>nginx</literal> are supported. The definitions of + wordpress sites should now be set in + <link xlink:href="options.html#opt-services.wordpress.sites"><literal>services.wordpress.sites</literal></link>. + </para> + <para> + Sites definitions that use the old interface are automatically + migrated in the new option. This backward compatibility will + be removed in 22.05. + </para> + </listitem> + <listitem> + <para> + The dokuwiki module provides a new interface which allows to + use different webservers with the new option + <link xlink:href="options.html#opt-services.dokuwiki.webserver"><literal>services.dokuwiki.webserver</literal></link>. + Currently <literal>caddy</literal> and + <literal>nginx</literal> are supported. The definitions of + dokuwiki sites should now be set in + <link xlink:href="options.html#opt-services.dokuwiki.sites"><literal>services.dokuwiki.sites</literal></link>. + </para> + <para> + Sites definitions that use the old interface are automatically + migrated in the new option. This backward compatibility will + be removed in 22.05. 
+ </para> + </listitem> + <listitem> + <para> + The order of NSS (host) modules has been brought in line with + upstream recommendations: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + The <literal>myhostname</literal> module is placed before + the <literal>resolve</literal> (optional) and + <literal>dns</literal> entries, but after + <literal>file</literal> (to allow overriding via + <literal>/etc/hosts</literal> / + <literal>networking.extraHosts</literal>, and prevent ISPs + with catchall-DNS resolvers from hijacking + <literal>.localhost</literal> domains) + </para> + </listitem> + <listitem> + <para> + The <literal>mymachines</literal> module, which provides + hostname resolution for local containers (registered with + <literal>systemd-machined</literal>) is placed to the + front, to make sure its mappings are preferred over other + resolvers. + </para> + </listitem> + <listitem> + <para> + If systemd-networkd is enabled, the + <literal>resolve</literal> module is placed before + <literal>files</literal> and + <literal>myhostname</literal>, as it provides the same + logic internally, with caching. + </para> + </listitem> + <listitem> + <para> + The <literal>mdns(_minimal)</literal> module has been + updated to the new priorities. + </para> + </listitem> + </itemizedlist> + <para> + If you use your own NSS host modules, make sure to update your + priorities according to these rules: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + NSS modules which should be queried before + <literal>resolved</literal> DNS resolution should use + mkBefore. + </para> + </listitem> + <listitem> + <para> + NSS modules which should be queried after + <literal>resolved</literal>, <literal>files</literal> and + <literal>myhostname</literal>, but before + <literal>dns</literal> should use the default priority + </para> + </listitem> + <listitem> + <para> + NSS modules which should come after <literal>dns</literal> + should use mkAfter. 
+ </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-networking.wireless.enable">networking.wireless</link> + module (based on wpa_supplicant) has been heavily reworked, + solving a number of issues and adding useful features: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + The automatic discovery of wireless interfaces at boot has + been made reliable again (issues + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/101963">#101963</link>, + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/23196">#23196</link>). + </para> + </listitem> + <listitem> + <para> + WPA3 and Fast BSS Transition (802.11r) are now enabled by + default for all networks. + </para> + </listitem> + <listitem> + <para> + Secrets like pre-shared keys and passwords can now be + handled safely, meaning without including them in a + world-readable file + (<literal>wpa_supplicant.conf</literal> under /nix/store). + This is achieved by storing the secrets in a secured + <link xlink:href="options.html#opt-networking.wireless.environmentFile">environmentFile</link> + and referring to them though environment variables that + are expanded inside the configuration. + </para> + </listitem> + <listitem> + <para> + With multiple interfaces declared, independent + wpa_supplicant daemons are started, one for each interface + (the services are named + <literal>wpa_supplicant-wlan0</literal>, + <literal>wpa_supplicant-wlan1</literal>, etc.). + </para> + </listitem> + <listitem> + <para> + The generated <literal>wpa_supplicant.conf</literal> file + is now formatted for easier reading. + </para> + </listitem> + <listitem> + <para> + A new + <link xlink:href="options.html#opt-networking.wireless.scanOnLowSignal">scanOnLowSignal</link> + option has been added to facilitate fast roaming between + access points (enabled by default). 
+ </para> + </listitem> + <listitem> + <para> + A new + <link xlink:href="options.html#opt-networking.wireless.networks._name_.authProtocols">networks.<name>.authProtocols</link> + option has been added to change the authentication + protocols used when connecting to a network. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-networking.wireless.iwd.enable">networking.wireless.iwd</link> + module has a new + <link xlink:href="options.html#opt-networking.wireless.iwd.settings">networking.wireless.iwd.settings</link> + option. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.smokeping.host">services.smokeping.host</link> + option was added and defaulted to + <literal>localhost</literal>. Before, + <literal>smokeping</literal> listened to all interfaces by + default. NixOS defaults generally aim to provide + non-Internet-exposed defaults for databases and internal + monitoring tools, see e.g. + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/100192">#100192</link>. + Further, the systemd service for <literal>smokeping</literal> + got reworked defaults for increased operational stability, see + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/144127">PR + #144127</link> for details. + </para> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.syncoid.enable">services.syncoid.enable</link> + module now properly drops ZFS permissions after usage. Before + it delegated permissions to whole pools instead of datasets + and didn’t clean up after execution. You can manually look + this up for your pools by running + <literal>zfs allow your-pool-name</literal> and use + <literal>zfs unallow syncoid your-pool-name</literal> to clean + this up. + </para> + </listitem> + <listitem> + <para> + Zfs: <literal>latestCompatibleLinuxPackages</literal> is now + exported on the zfs package. 
One can use + <literal>boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;</literal> + to always track the latest compatible kernel with a given + version of zfs. + </para> + </listitem> + <listitem> + <para> + Nginx will use the value of + <literal>sslTrustedCertificate</literal> if provided for a + virtual host, even if <literal>enableACME</literal> is set. + This is useful for providers not using the same certificate to + sign OCSP responses and server certificates. + </para> + </listitem> + <listitem> + <para> + <literal>lib.formats.yaml</literal>’s + <literal>generate</literal> will not generate JSON anymore, + but instead use more of the YAML-specific syntax. + </para> + </listitem> + <listitem> + <para> + MariaDB was upgraded from 10.5.x to 10.6.x. Please read the + <link xlink:href="https://mariadb.com/kb/en/changes-improvements-in-mariadb-106/">upstream + release notes</link> for changes and upgrade instructions. + </para> + </listitem> + <listitem> + <para> + The MariaDB C client library, also known as libmysqlclient or + mariadb-connector-c, was upgraded from 3.1.x to 3.2.x. While + this should hopefully not have any impact, this upgrade comes + with some changes to default behavior, so you might want to + review the + <link xlink:href="https://mariadb.com/kb/en/changes-and-improvements-in-mariadb-connector-c-32/">upstream + release notes</link>. + </para> + </listitem> + <listitem> + <para> + GNOME desktop environment now enables + <literal>QGnomePlatform</literal> as the Qt platform theme, + which should avoid crashes when opening file chooser dialogs + in Qt apps by using XDG desktop portal. Additionally, it will + make the apps fit better visually. + </para> + </listitem> + <listitem> + <para> + <literal>rofi</literal> has been updated from + <quote>1.6.1</quote> to <quote>1.7.0</quote>, one important + thing is the removal of the old xresources based configuration + setup. 
Read more + <link xlink:href="https://github.com/davatorium/rofi/blob/cb12e6fc058f4a0f4f/Changelog#L1">in + rofi’s changelog</link>. + </para> + </listitem> + <listitem> + <para> + ipfs now defaults to not listening on you local network. This + setting was change as server providers won’t accept port + scanning on their private network. If you have several ipfs + instances running on a network you own, feel free to change + the setting <literal>ipfs.localDiscovery = true;</literal>. + localDiscovery enables different instances to discover each + other and share data. + </para> + </listitem> + <listitem> + <para> + <literal>lua</literal> and <literal>luajit</literal> + interpreters have been patched to avoid looking into /usr/lib + directories, thus increasing the purity of the build. + </para> + </listitem> + <listitem> + <para> + Three new options, + <link linkend="opt-xdg.mime.addedAssociations">xdg.mime.addedAssociations</link>, + <link linkend="opt-xdg.mime.defaultApplications">xdg.mime.defaultApplications</link>, + and + <link linkend="opt-xdg.mime.removedAssociations">xdg.mime.removedAssociations</link> + have been added to the + <link linkend="opt-xdg.mime.enable">xdg.mime</link> module to + allow the configuration of + <literal>/etc/xdg/mimeapps.list</literal>. + </para> + </listitem> + <listitem> + <para> + Kopia was upgraded from 0.8.x to 0.9.x. Please read the + <link xlink:href="https://github.com/kopia/kopia/releases/tag/v0.9.0">upstream + release notes</link> for changes and upgrade instructions. + </para> + </listitem> + <listitem> + <para> + The <literal>systemd.network</literal> module has gained + support for the FooOverUDP link type. + </para> + </listitem> + <listitem> + <para> + The <literal>networking</literal> module has a new + <literal>networking.fooOverUDP</literal> option to configure + Foo-over-UDP encapsulations. + </para> + </listitem> + <listitem> + <para> + <literal>networking.sits</literal> now supports Foo-over-UDP + encapsulation. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>virtualisation.libvirtd</literal> module has been + refactored and updated with new options: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>virtualisation.libvirtd.qemu*</literal> options + (e.g.: + <literal>virtualisation.libvirtd.qemuRunAsRoot</literal>) + were moved to + <link xlink:href="options.html#opt-virtualisation.libvirtd.qemu"><literal>virtualisation.libvirtd.qemu</literal></link> + submodule, + </para> + </listitem> + <listitem> + <para> + software TPM1/TPM2 support (e.g.: Windows 11 guests) + (<link xlink:href="options.html#opt-virtualisation.libvirtd.qemu.swtpm"><literal>virtualisation.libvirtd.qemu.swtpm</literal></link>), + </para> + </listitem> + <listitem> + <para> + custom OVMF package (e.g.: + <literal>pkgs.OVMFFull</literal> with HTTP, CSM and Secure + Boot support) + (<link xlink:href="options.html#opt-virtualisation.libvirtd.qemu.ovmf.package"><literal>virtualisation.libvirtd.qemu.ovmf.package</literal></link>). + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>cawbird</literal> Twitter client now uses its own + API keys to count as different application than upstream + builds. This is done to evade application-level rate limiting. + While existing accounts continue to work, users may want to + remove and re-register their account in the client to enjoy a + better user experience and benefit from this change. + </para> + </listitem> + <listitem> + <para> + A new option + <literal>services.prometheus.enableReload</literal> has been + added which can be enabled to reload the prometheus service + when its config file changes instead of restarting. 
+ </para> + </listitem> + <listitem> + <para> + The option + <literal>services.prometheus.environmentFile</literal> has + been removed since it was causing + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/126083">issues</link> + and Prometheus now has native support for secret files, i.e. + <literal>basic_auth.password_file</literal> and + <literal>authorization.credentials_file</literal>. + </para> + </listitem> + <listitem> + <para> + Dokuwiki now supports caddy! However + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + the nginx option has been removed, in the new + configuration, please use the + <literal>dokuwiki.webserver = "nginx"</literal> + instead. + </para> + </listitem> + <listitem> + <para> + The <quote>${hostname}</quote> option has been deprecated, + please use + <literal>dokuwiki.sites = [ "${hostname}" ]</literal> + instead + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The + <link xlink:href="options.html#opt-services.unifi.enable">services.unifi</link> + module has been reworked, solving a number of issues. This + leads to several user facing changes: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + The <literal>services.unifi.dataDir</literal> option is + removed and the data is now always located under + <literal>/var/lib/unifi/data</literal>. This is done to + make better use of systemd state direcotiry and thus + making the service restart more reliable. + </para> + </listitem> + <listitem> + <para> + The unifi logs can now be found under: + <literal>/var/log/unifi</literal> instead of + <literal>/var/lib/unifi/logs</literal>. + </para> + </listitem> + <listitem> + <para> + The unifi run directory can now be found under: + <literal>/run/unifi</literal> instead of + <literal>/var/lib/unifi/run</literal>. 
+ </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>security.pam.services.<name>.makeHomeDir</literal> + now uses <literal>umask=0077</literal> instead of + <literal>umask=0022</literal> when creating the home + directory. + </para> + </listitem> + <listitem> + <para> + Loki has had another release. Some default values have been + changed for the configuration and some configuration options + have been renamed. For more details, please check + <link xlink:href="https://grafana.com/docs/loki/latest/upgrading/#240">the + upgrade guide</link>. + </para> + </listitem> + <listitem> + <para> + <literal>julia</literal> now refers to + <literal>julia-stable</literal> instead of + <literal>julia-lts</literal>. In practice this means it has + been upgraded from <literal>1.0.4</literal> to + <literal>1.5.4</literal>. + </para> + </listitem> + <listitem> + <para> + RetroArch has been upgraded from version + <literal>1.8.5</literal> to <literal>1.9.13.2</literal>. Since + the previous release was quite old, if you’re having issues + after the upgrade, please delete your + <literal>$XDG_CONFIG_HOME/retroarch/retroarch.cfg</literal> + file. + </para> + </listitem> + <listitem> + <para> + hydrus has been upgraded from version <literal>438</literal> + to <literal>463</literal>. Since upgrading between releases + this old is advised against, be sure to have a backup of your + data before upgrading. For details, see + <link xlink:href="https://hydrusnetwork.github.io/hydrus/help/getting_started_installing.html#big_updates">the + hydrus manual</link>. + </para> + </listitem> + <listitem> + <para> + More jdk and jre versions are now exposed via + <literal>java-packages.compiler</literal>. + </para> + </listitem> + </itemizedlist> + </section> +</section> diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml new file mode 100644 index 00000000000..348374026b4 --- /dev/null 
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
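Review bot: the `services.openssh.logLevel` entry under Other Notable Changes is missing its verb and direction; as written it reads `The setting services.openssh.logLevel "VERBOSE" "INFO". This brings NixOS in line with upstream`, so a reader cannot tell which value is the old default and which is the new one. Given the fail2ban paragraph that follows (fail2ban overrides the level back to `"VERBOSE"` so it can see failed logins), it should read `has been changed from "VERBOSE" to "INFO"`. The BPF entry names the `kernel.unprivileged_bpf_disabled` sysctl but not the value that re-enables unprivileged access; since this is a security default being tightened, state it explicitly, for example `boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = 0;`. The dokuwiki migration is also documented twice with conflicting syntax: the earlier entry says site definitions go in `services.dokuwiki.sites` (an attribute set keyed by site, like `services.wordpress.sites`), while the later "Dokuwiki now supports caddy! However" entry shows `dokuwiki.sites = [ "${hostname}" ]`, a list with an unprefixed option name; drop the second entry or align it with the first. Minor spelling: `hase been updated` (qtile), `you local network` (ipfs), `state direcotiry` (unifi).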
@@ -0,0 +1,1630 @@ +<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-22.05"> + <title>Release 22.05 (“Quokka”, 2022.05/??)</title> + <para> + In addition to numerous new and upgraded packages, this release has + the following highlights: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Support is planned until the end of December 2022, handing over + to 22.11. + </para> + </listitem> + </itemizedlist> + <section xml:id="sec-release-22.05-highlights"> + <title>Highlights</title> + <itemizedlist> + <listitem> + <para> + <literal>security.acme.defaults</literal> has been added to + simplify configuring settings for many certificates at once. + This also opens up the the option to use DNS-01 validation + when using <literal>enableACME</literal> on web server virtual + hosts (e.g. + <literal>services.nginx.virtualHosts.*.enableACME</literal>). + </para> + </listitem> + <listitem> + <para> + PHP 8.1 is now available + </para> + </listitem> + <listitem> + <para> + Mattermost has been updated to extended support release 6.3, + as the previously packaged extended support release 5.37 is + <link xlink:href="https://docs.mattermost.com/upgrade/extended-support-release.html">reaching + its end of life</link>. Migrations may take a while, see the + <link xlink:href="https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release">changelog</link> + and + <link xlink:href="https://docs.mattermost.com/upgrade/important-upgrade-notes.html">important + upgrade notes</link>. + </para> + </listitem> + <listitem> + <para> + systemd services can now set + <link linkend="opt-systemd.services">systemd.services.<name>.reloadTriggers</link> + instead of <literal>reloadIfChanged</literal> for a more + granular distinction between reloads and restarts. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://kops.sigs.k8s.io"><literal>kops</literal></link> + defaults to 1.22.4, which will enable + <link xlink:href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html">Instance + Metadata Service Version 2</link> and require tokens on new + clusters with Kubernetes 1.22. This will increase security by + default, but may break some types of workloads. See the + <link xlink:href="https://kops.sigs.k8s.io/releases/1.22-notes/">release + notes</link> for details. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-22.05-new-services"> + <title>New Services</title> + <itemizedlist> + <listitem> + <para> + <link xlink:href="https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw">aesmd</link>, + the Intel SGX Architectural Enclave Service Manager. Available + as + <link linkend="opt-services.aesmd.enable">services.aesmd</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://docs.docker.com/engine/security/rootless/">rootless + Docker</link>, a <literal>systemd --user</literal> Docker + service which runs without root permissions. Available as + <link xlink:href="options.html#opt-virtualisation.docker.rootless.enable">virtualisation.docker.rootless.enable</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://conduit.rs/">matrix-conduit</link>, + a simple, fast and reliable chat server powered by matrix. + Available as + <link xlink:href="option.html#opt-services.matrix-conduit.enable">services.matrix-conduit</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html">filebeat</link>, + a lightweight shipper for forwarding and centralizing log + data. Available as + <link linkend="opt-services.filebeat.enable">services.filebeat</link>. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/linux-apfs/linux-apfs-rw">apfs</link>, + a kernel module for mounting the Apple File System (APFS). + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://frrouting.org/">FRRouting</link>, a + popular suite of Internet routing protocol daemons (BGP, BFD, + OSPF, IS-IS, VVRP and others). Available as + <link linkend="opt-services.frr.babel.enable">services.frr</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/hifi/heisenbridge">heisenbridge</link>, + a bouncer-style Matrix IRC bridge. Available as + <link xlink:href="options.html#opt-services.heisenbridge.enable">services.heisenbridge</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://snowflake.torproject.org/">snowflake-proxy</link>, + a system to defeat internet censorship. Available as + <link xlink:href="options.html#opt-services.snowflake-proxy.enable">services.snowflake-proxy</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://ergo.chat">ergochat</link>, a modern + IRC with IRCv3 features. Available as + <link xlink:href="options.html#opt-services.ergochat.enable">services.ergochat</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/ngoduykhanh/PowerDNS-Admin">PowerDNS-Admin</link>, + a web interface for the PowerDNS server. Available at + <link xlink:href="options.html#opt-services.powerdns-admin.enable">services.powerdns-admin</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/postgres/pgadmin4">pgadmin4</link>, + an admin interface for the PostgreSQL database. Available at + <link xlink:href="options.html#opt-services.pgadmin.enable">services.pgadmin</link>. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/sezanzeb/input-remapper">input-remapper</link>, + an easy to use tool to change the mapping of your input device + buttons. Available at + <link xlink:href="options.html#opt-services.input-remapper.enable">services.input-remapper</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://invoiceplane.com">InvoicePlane</link>, + web application for managing and creating invoices. Available + at + <link xlink:href="options.html#opt-services.invoiceplane.enable">services.invoiceplane</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://maddy.email">maddy</link>, a + composable all-in-one mail server. Available as + <link xlink:href="options.html#opt-services.maddy.enable">services.maddy</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.scorchworks.com/K40whisperer/k40whisperer.html">K40-Whisperer</link>, + a program to control cheap Chinese laser cutters. Available as + <link xlink:href="options.html#opt-programs.k4-whisperer.enable">programs.k40-whisperer.enable</link>. + Users must add themselves to the <literal>k40</literal> group + to be able to access the device. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/mgumz/mtr-exporter">mtr-exporter</link>, + a Prometheus exporter for mtr metrics. Available as + <link xlink:href="options.html#opt-services.mtr-exporter.enable">services.mtr-exporter</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/prometheus-pve/prometheus-pve-exporter">prometheus-pve-exporter</link>, + a tool that exposes information from the Proxmox VE API for + use by Prometheus. Available as + <link xlink:href="options.html#opt-services.prometheus.exporters.pve">services.prometheus.exporters.pve</link>. 
+ </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://tetrd.app">tetrd</link>, share your + internet connection from your device to your PC and vice versa + through a USB cable. Available at + <link linkend="opt-services.tetrd.enable">services.tetrd</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/mbrubeck/agate">agate</link>, + a very simple server for the Gemini hypertext protocol. + Available as + <link xlink:href="options.html#opt-services.agate.enable">services.agate</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm">ArchiSteamFarm</link>, + a C# application with primary purpose of idling Steam cards + from multiple accounts simultaneously. Available as + <link xlink:href="options.html#opt-services.archisteamfarm.enable">services.archisteamfarm</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://goteleport.com">teleport</link>, + allows engineers and security professionals to unify access + for SSH servers, Kubernetes clusters, web applications, and + databases across all environments. Available at + <link linkend="opt-services.teleport.enable">services.teleport</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://loic-sharma.github.io/BaGet/">BaGet</link>, + a lightweight NuGet and symbol server. Available at + <link linkend="opt-services.baget.enable">services.baget</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://moosefs.com">moosefs</link>, fault + tolerant petabyte distributed file system. Available as + <link linkend="opt-services.moosefs.client.enable">moosefs</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/ThomasLeister/prosody-filer">prosody-filer</link>, + a server for handling XMPP HTTP Upload requests. 
Available at + <link linkend="opt-services.prosody-filer.enable">services.prosody-filer</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/rfjakob/systembus-notify">systembus-notify</link>, + allow system level notifications to reach the users. Available + as + <link xlink:href="opt-services.systembus-notify.enable">services.systembus-notify</link>. + Please keep in mind that this service should only be enabled + on machines with fully trusted users, as any local user is + able to DoS user sessions by spamming notifications. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/audreyt/ethercalc">ethercalc</link>, + an online collaborative spreadsheet. Available as + <link xlink:href="options.html#opt-services.ethercalc.enable">services.ethercalc</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://nbd.sourceforge.io/">nbd</link>, a + Network Block Device server. Available as + <link xlink:href="options.html#opt-services.nbd.server.enable">services.nbd</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://timetagger.app">timetagger</link>, + an open source time-tracker with an intuitive user experience + and powerful reporting. + <link xlink:href="options.html#opt-services.timetagger.enable">services.timetagger</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.rstudio.com/products/rstudio/#rstudio-server">rstudio-server</link>, + a browser-based version of the RStudio IDE for the R + programming language. Available as + <link xlink:href="options.html#opt-services.rstudio-server.enable">services.rstudio-server</link>. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/juanfont/headscale">headscale</link>, + an Open Source implementation of the + <link xlink:href="https://tailscale.io">Tailscale</link> + Control Server. 
Available as + <link xlink:href="options.html#opt-services.headscale.enable">services.headscale</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://0xerr0r.github.io/blocky/">blocky</link>, + fast and lightweight DNS proxy as ad-blocker for local network + with many features. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://clusterlabs.org/pacemaker/">pacemaker</link> + cluster resource manager + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-22.05-incompatibilities"> + <title>Backward Incompatibilities</title> + <itemizedlist> + <listitem> + <para> + <literal>pkgs.ghc</literal> now refers to + <literal>pkgs.targetPackages.haskellPackages.ghc</literal>. + This <emphasis>only</emphasis> makes a difference if you are + cross-compiling and will ensure that + <literal>pkgs.ghc</literal> always runs on the host platform + and compiles for the target platform (similar to + <literal>pkgs.gcc</literal> for example). + <literal>haskellPackages.ghc</literal> still behaves as + before, running on the build platform and compiling for the + host platform (similar to <literal>stdenv.cc</literal>). This + means you don’t have to adjust your derivations if you use + <literal>haskellPackages.callPackage</literal>, but when using + <literal>pkgs.callPackage</literal> and taking + <literal>ghc</literal> as an input, you should now use + <literal>buildPackages.ghc</literal> instead to ensure cross + compilation keeps working (or switch to + <literal>haskellPackages.callPackage</literal>). + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.ghc.withPackages</literal> as well as + <literal>haskellPackages.ghcWithPackages</literal> etc. now + needs be overridden directly, as opposed to overriding the + result of calling it. Additionally, the + <literal>withLLVM</literal> parameter has been renamed to + <literal>useLLVM</literal>. 
So instead of + <literal>(ghc.withPackages (p: [])).override { withLLVM = true; }</literal>, + one needs to use + <literal>(ghc.withPackages.override { useLLVM = true; }) (p: [])</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>home-assistant</literal> module now requires + users that don’t want their configuration to be managed + declaratively to set + <literal>services.home-assistant.config = null;</literal>. + This is required due to the way default settings are handled + with the new settings style. + </para> + <para> + Additionally the default list of + <literal>extraComponents</literal> now includes the minimal + dependencies to successfully complete the + <link xlink:href="https://www.home-assistant.io/getting-started/onboarding/">onboarding</link> + procedure. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.emacsPackages.orgPackages</literal> is removed + because org elpa is deprecated. The packages in the top level + of <literal>pkgs.emacsPackages</literal>, such as org and + org-contrib, refer to the ones in + <literal>pkgs.emacsPackages.elpaPackages</literal> and + <literal>pkgs.emacsPackages.nongnuPackages</literal> where the + new versions will release. + </para> + </listitem> + <listitem> + <para> + <literal>services.kubernetes.addons.dashboard</literal> was + removed due to it being an outdated version. + </para> + </listitem> + <listitem> + <para> + <literal>services.kubernetes.scheduler.{port,address}</literal> + now set <literal>--secure-port</literal> and + <literal>--bind-address</literal> instead of + <literal>--port</literal> and <literal>--address</literal>, + since the former have been deprecated and are no longer + functional in kubernetes>=1.23. Ensure that you are not + relying on the insecure behaviour before upgrading. 
+ </para> + </listitem> + <listitem> + <para> + <literal>services.k3s.enable</literal> no longer implies + <literal>systemd.enableUnifiedCgroupHierarchy = false</literal>, + and will default to the <quote>systemd</quote> cgroup driver + when using <literal>services.k3s.docker = true</literal>. This + change may require a reboot to take effect, and k3s may not be + able to run if the boot cgroup hierarchy does not match its + configuration. The previous behavior may be retained by + explicitly setting + <literal>systemd.enableUnifiedCgroupHierarchy = false</literal> + in your configuration. + </para> + </listitem> + <listitem> + <para> + <literal>fonts.fonts</literal> no longer includes ancient + bitmap fonts when both + <literal>config.services.xserver.enable</literal> and + <literal>config.nixpkgs.config.allowUnfree</literal> are + enabled. If you still want these fonts, use: + </para> + <programlisting language="bash"> +{ + fonts.fonts = [ + pkgs.xorg.fontbhlucidatypewriter100dpi + pkgs.xorg.fontbhlucidatypewriter75dpi + pkgs.xorg.fontbh100dpi + ]; +} +</programlisting> + </listitem> + <listitem> + <para> + The DHCP server (<literal>services.dhcpd4</literal>, + <literal>services.dhcpd6</literal>) has been hardened. The + service is now using the systemd’s + <literal>DynamicUser</literal> mechanism to run as an + unprivileged dynamically-allocated user with limited + capabilities. The dhcpd state files are now always stored in + <literal>/var/lib/dhcpd{4,6}</literal> and the + <literal>services.dhcpd4.stateDir</literal> and + <literal>service.dhcpd6.stateDir</literal> options have been + removed. If you were depending on root privileges or + set{uid,gid,cap} binaries in dhcpd shell hooks, you may give + dhcpd more capabilities with e.g. + <literal>systemd.services.dhcpd6.serviceConfig.AmbientCapabilities</literal>. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>mailpile</literal> email webclient + (<literal>services.mailpile</literal>) has been removed due to + its reliance on python2. + </para> + </listitem> + <listitem> + <para> + The <literal>matrix-synapse</literal> service + (<literal>services.matrix-synapse</literal>) has been + converted to use the <literal>settings</literal> option + defined in RFC42. This means that options that are part of + your <literal>homeserver.yaml</literal> configuration, and + that were specified at the top-level of the module + (<literal>services.matrix-synapse</literal>) now need to be + moved into + <literal>services.matrix-synapse.settings</literal>. And while + not all options you may use are defined in there, they are + still supported, because you can set arbitrary values in this + freeform type. + </para> + <para> + The <literal>listeners.*.bind_address</literal> option was + renamed to <literal>bind_addresses</literal> in order to match + the upstream <literal>homeserver.yaml</literal> option name. + It is now also a list of strings instead of a string. 
+ </para> + <para> + An example to make the required migration clearer: + </para> + <para> + Before: + </para> + <programlisting language="bash"> +{ + services.matrix-synapse = { + enable = true; + + server_name = "example.com"; + public_baseurl = "https://example.com:8448"; + + enable_registration = false; + registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut"; + macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l"; + + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + + listeners = [ { + port = 8448; + bind_address = ""; + type = "http"; + tls = true; + resources = [ { + names = [ "client" ]; + compress = true; + } { + names = [ "federation" ]; + compress = false; + } ]; + } ]; + + }; +} +</programlisting> + <para> + After: + </para> + <programlisting language="bash"> +{ + services.matrix-synapse = { + enable = true; + + # this attribute set holds all values that go into your homeserver.yaml configuration + # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for + # possible values. 
+ settings = { + server_name = "example.com"; + public_baseurl = "https://example.com:8448"; + + enable_registration = false; + # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead + + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; + + listeners = [ { + port = 8448; + bind_addresses = [ + "::" + "0.0.0.0" + ]; + type = "http"; + tls = true; + resources = [ { + names = [ "client" ]; + compress = true; + } { + names = [ "federation" ]; + compress = false; + } ]; + } ]; + }; + + extraConfigFiles = [ + /run/keys/matrix-synapse/secrets.yaml + ]; + }; +} +</programlisting> + <para> + The secrets in your original config should be migrated into a + YAML file that is included via + <literal>extraConfigFiles</literal>. + </para> + <para> + Additionally a few option defaults have been synced up with + upstream default values, for example the + <literal>max_upload_size</literal> grew from + <literal>10M</literal> to <literal>50M</literal>. For the same + reason, the default <literal>media_store_path</literal> was + changed from <literal>${dataDir}/media</literal> to + <literal>${dataDir}/media_store</literal> if + <literal>system.stateVersion</literal> is at least + <literal>22.05</literal>. Files will need to be manually moved + to the new location if the <literal>stateVersion</literal> is + updated. + </para> + </listitem> + <listitem> + <para> + The MoinMoin wiki engine + (<literal>services.moinmoin</literal>) has been removed, + because Python 2 is being retired from nixpkgs. + </para> + </listitem> + <listitem> + <para> + Services in the <literal>hadoop</literal> module previously + set <literal>openFirewall</literal> to true by default. This + has now been changed to false. Node definitions for multi-node + clusters would need <literal>openFirewall = true;</literal> to + be added to to hadoop services when upgrading from NixOS + 21.11. 
+ </para> + </listitem> + <listitem> + <para> + <literal>services.hadoop.yarn.nodemanager</literal> now uses + cgroup-based CPU limit enforcement by default. Additionally, + the option <literal>useCGroups</literal> was added to + nodemanagers as an easy way to switch back to the old + behavior. + </para> + </listitem> + <listitem> + <para> + The <literal>wafHook</literal> hook now honors + <literal>NIX_BUILD_CORES</literal> when + <literal>enableParallelBuilding</literal> is not set + explicitly. Packages can restore the old behaviour by setting + <literal>enableParallelBuilding=false</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.claws-mail-gtk2</literal>, representing Claws + Mail’s older release version three, was removed in order to + get rid of Python 2. Please switch to + <literal>claws-mail</literal>, which is Claws Mail’s latest + release based on GTK+3 and Python 3. + </para> + </listitem> + <listitem> + <para> + The <literal>writers.writePython2</literal> and corresponding + <literal>writers.writePython2Bin</literal> convenience + functions to create executable Python 2 scripts in the store + were removed in preparation of removal of the Python 2 + interpreter. Scripts have to be converted to Python 3 for use + with <literal>writers.writePython3</literal> or + <literal>writers.writePyPy2</literal> needs to be used. + </para> + </listitem> + <listitem> + <para> + <literal>buildGoModule</literal> was updated to use + <literal>go_1_17</literal>, third party derivations that + specify >= go 1.17 in the main <literal>go.mod</literal> + will need to regenerate their <literal>vendorSha256</literal> + hash. + </para> + </listitem> + <listitem> + <para> + The <literal>gnome-passwordsafe</literal> package updated to + <link xlink:href="https://gitlab.gnome.org/World/secrets/-/tags/6.0">version + 6.x</link> and renamed to <literal>gnome-secrets</literal>. 
+ </para> + </listitem> + <listitem> + <para> + If you previously used + <literal>/etc/docker/daemon.json</literal>, you need to + incorporate the changes into the new option + <literal>virtualisation.docker.daemon.settings</literal>. + </para> + </listitem> + <listitem> + <para> + Ntopng (<literal>services.ntopng</literal>) is updated to + 5.2.1 and uses a separate Redis instance if + <literal>system.stateVersion</literal> is at least + <literal>22.05</literal>. Existing setups shouldn’t be + affected. + </para> + </listitem> + <listitem> + <para> + The backward compatibility in + <literal>services.wordpress</literal> to configure sites with + the old interface has been removed. Please use + <literal>services.wordpress.sites</literal> instead. + </para> + </listitem> + <listitem> + <para> + The backward compatibility in + <literal>services.dokuwiki</literal> to configure sites with + the old interface has been removed. Please use + <literal>services.dokuwiki.sites</literal> instead. + </para> + </listitem> + <listitem> + <para> + opensmtpd-extras is no longer build with python2 scripting + support due to python2 deprecation in nixpkgs + </para> + </listitem> + <listitem> + <para> + <literal>services.miniflux.adminCredentialFiles</literal> is + now required, instead of defaulting to + <literal>admin</literal> and <literal>password</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>autorestic</literal> package has been upgraded + from 1.3.0 to 1.5.0 which introduces breaking changes in + config file, check + <link xlink:href="https://autorestic.vercel.app/migration/1.4_1.5">their + migration guide</link> for more details. 
+ </para> + </listitem> + <listitem> + <para> + For <literal>pkgs.python3.pkgs.ipython</literal>, its direct + dependency + <literal>pkgs.python3.pkgs.matplotlib-inline</literal> (which + is really an adapter to integrate matplotlib in ipython if it + is installed) does not depend on + <literal>pkgs.python3.pkgs.matplotlib</literal> anymore. This + is closer to a non-Nix install of ipython. This has the added + benefit to reduce the closure size of + <literal>ipython</literal> from ~400MB to ~160MB (including + ~100MB for python itself). + </para> + </listitem> + <listitem> + <para> + <literal>documentation.man</literal> has been refactored to + support choosing a man implementation other than GNU’s + <literal>man-db</literal>. For this, + <literal>documentation.man.manualPages</literal> has been + renamed to + <literal>documentation.man.man-db.manualPages</literal>. If + you want to use the new alternative man implementation + <literal>mandoc</literal>, add + <literal>documentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; }</literal> + to your configuration. + </para> + </listitem> + <listitem> + <para> + Normal users (with <literal>isNormalUser = true</literal>) + which have non-empty <literal>subUidRanges</literal> or + <literal>subGidRanges</literal> set no longer have additional + implicit ranges allocated. To enable automatic allocation back + set <literal>autoSubUidGidRange = true</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>idris2</literal> now requires + <literal>--package</literal> when using packages + <literal>contrib</literal> and <literal>network</literal>, + while previously these idris2 packages were automatically + loaded. + </para> + </listitem> + <listitem> + <para> + The iputils package, which is installed by default, no longer + provides the legacy tools <literal>tftpd</literal> and + <literal>traceroute6</literal>. 
More tools + (<literal>ninfod</literal>, <literal>rarpd</literal>, and + <literal>rdisc</literal>) are going to be removed in the next + release. See + <link xlink:href="https://github.com/iputils/iputils/releases/tag/20211215">upstream’s + release notes</link> for more details and available + replacements. + </para> + </listitem> + <listitem> + <para> + <literal>services.thelounge.private</literal> was removed in + favor of <literal>services.thelounge.public</literal>, to + follow with upstream changes. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.docbookrx</literal> was removed since it’s + unmaintained + </para> + </listitem> + <listitem> + <para> + <literal>pkgs._7zz</literal> is now correctly licensed as + LGPL3+ and BSD3 with optional unfree unRAR licensed code + </para> + </listitem> + <listitem> + <para> + <literal>tilp2</literal> was removed together with its module + </para> + </listitem> + <listitem> + <para> + The F-PROT antivirus (<literal>fprot</literal> package) and + its service module were removed because it reached + <link xlink:href="https://kb.cyren.com/av-support/index.php?/Knowledgebase/Article/View/434/0/end-of-sale--end-of-life-for-f-prot-and-csam">end-of-life</link>. + </para> + </listitem> + <listitem> + <para> + <literal>bird1</literal> and its modules + <literal>services.bird</literal> as well as + <literal>services.bird6</literal> have been removed. Upgrade + to <literal>services.bird2</literal>. + </para> + </listitem> + <listitem> + <para> + The options + <literal>networking.interfaces.<name>.ipv4.routes</literal> + and + <literal>networking.interfaces.<name>.ipv6.routes</literal> + are no longer ignored when using networkd instead of the + default scripted network backend by setting + <literal>networking.useNetworkd</literal> to + <literal>true</literal>. 
+ </para> + </listitem> + <listitem> + <para> + MultiMC has been replaced with the fork PolyMC due to upstream + developers being hostile to 3rd party package maintainers. + PolyMC removes all MultiMC branding and is aimed at providing + proper 3rd party packages like the one contained in Nixpkgs. + This change affects the data folder where game instances and + other save and configuration files are stored. Users with + existing installations should rename + <literal>~/.local/share/multimc</literal> to + <literal>~/.local/share/polymc</literal>. The main config + file’s path has also moved from + <literal>~/.local/share/multimc/multimc.cfg</literal> to + <literal>~/.local/share/polymc/polymc.cfg</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>systemd-nspawn@.service</literal> settings have been + reverted to the default systemd behaviour. User namespaces are + now activated by default. If you want to keep running nspawn + containers without user namespaces you need to set + <literal>systemd.nspawn.<name>.execConfig.PrivateUsers = false</literal> + </para> + </listitem> + <listitem> + <para> + The Tor SOCKS proxy is now actually disabled if + <literal>services.tor.client.enable</literal> is set to + <literal>false</literal> (the default). If you are using this + functionality but didn’t change the setting or set it to + <literal>false</literal>, you now need to set it to + <literal>true</literal>. + </para> + </listitem> + <listitem> + <para> + The terraform 0.12 compatibility has been removed and the + <literal>terraform.withPlugins</literal> and + <literal>terraform-providers.mkProvider</literal> + implementations simplified. Providers now need to be stored + under + <literal>$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version></literal> + (which mkProvider does). 
+ </para> + <para> + This breaks back-compat so it’s not possible to mix-and-match + with previous versions of nixpkgs. In exchange, it now becomes + possible to use the providers from + <link xlink:href="https://github.com/numtide/nixpkgs-terraform-providers-bin">nixpkgs-terraform-providers-bin</link> + directly. + </para> + </listitem> + <listitem> + <para> + The <literal>dendrite</literal> package has been upgraded from + 0.5.1 to + <link xlink:href="https://github.com/matrix-org/dendrite/releases/tag/v0.6.5">0.6.5</link>. + Instances configured with split sqlite databases, which has + been the default in NixOS, require merging of the federation + sender and signing key databases. See upstream + <link xlink:href="https://github.com/matrix-org/dendrite/releases/tag/v0.6.0">release + notes</link> on version 0.6.0 for details on database changes. + </para> + </listitem> + <listitem> + <para> + The existing <literal>pkgs.opentelemetry-collector</literal> + has been moved to + <literal>pkgs.opentelemetry-collector-contrib</literal> to + match the actual source being the <quote>contrib</quote> + edition. <literal>pkgs.opentelemetry-collector</literal> is + now the actual core release of opentelemetry-collector. If you + use the community contributions you should change the package + you refer to. If you don’t need them update your commands from + <literal>otelcontribcol</literal> to + <literal>otelcorecol</literal> and enjoy a 7x smaller binary. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.pgadmin</literal> now refers to + <literal>pkgs.pgadmin4</literal>. If you still need pgadmin3, + use <literal>pkgs.pgadmin3</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.noto-fonts-cjk</literal> is now deprecated in + favor of <literal>pkgs.noto-fonts-cjk-sans</literal> and + <literal>pkgs.noto-fonts-cjk-serif</literal> because they each + have different release schedules. 
To maintain compatibility + with prior releases of Nixpkgs, + <literal>pkgs.noto-fonts-cjk</literal> is currently an alias + of <literal>pkgs.noto-fonts-cjk-sans</literal> and doesn’t + include serif fonts. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.epgstation</literal> has been upgraded from v1 + to v2, resulting in incompatible changes in the database + scheme and configuration format. + </para> + </listitem> + <listitem> + <para> + Some top-level settings under + <link linkend="opt-services.epgstation.enable">services.epgstation</link> + is now deprecated because it was redudant due to the same + options being present in + <link linkend="opt-services.epgstation.settings">services.epgstation.settings</link>. + </para> + </listitem> + <listitem> + <para> + The option <literal>services.epgstation.basicAuth</literal> + was removed because basic authentication support was dropped + by upstream. + </para> + </listitem> + <listitem> + <para> + The option + <link linkend="opt-services.epgstation.database.passwordFile">services.epgstation.database.passwordFile</link> + no longer has a default value. Make sure to set this option + explicitly before upgrading. Change the database password if + necessary. + </para> + </listitem> + <listitem> + <para> + The + <link linkend="opt-services.epgstation.settings">services.epgstation.settings</link> + option now expects options for <literal>config.yml</literal> + in EPGStation v2. + </para> + </listitem> + <listitem> + <para> + Existing data for the + <link linkend="opt-services.epgstation.enable">services.epgstation</link> + module would have to be backed up prior to the upgrade. To + back up exising data to + <literal>/tmp/epgstation.bak</literal>, run + <literal>sudo -u epgstation epgstation run backup /tmp/epgstation.bak</literal>. 
+ To import that data after to the upgrade, run + <literal>sudo -u epgstation epgstation run v1migrate /tmp/epgstation.bak</literal> + </para> + </listitem> + <listitem> + <para> + <literal>switch-to-configuration</literal> (the script that is + run when running <literal>nixos-rebuild switch</literal> for + example) has been reworked + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + The interface that allows activation scripts to restart + units has been streamlined. Restarting and reloading is + now done by a single file + <literal>/run/nixos/activation-restart-list</literal> that + honors <literal>restartIfChanged</literal> and + <literal>reloadIfChanged</literal> of the units. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Preferring to reload instead of restarting can still + be achieved using + <literal>/run/nixos/activation-reload-list</literal>. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The script now uses a proper ini-file parser to parse + systemd units. Some values are now only searched in one + section instead of in the entire unit. This is only + relevant for units that don’t use the NixOS systemd moule. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>RefuseManualStop</literal>, + <literal>X-OnlyManualStart</literal>, + <literal>X-StopOnRemoval</literal>, + <literal>X-StopOnReconfiguration</literal> are only + searched in the <literal>[Unit]</literal> section + </para> + </listitem> + <listitem> + <para> + <literal>X-ReloadIfChanged</literal>, + <literal>X-RestartIfChanged</literal>, + <literal>X-StopIfChanged</literal> are only searched + in the <literal>[Service]</literal> section + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>services.bookstack.cacheDir</literal> option has + been removed, since the cache directory is now handled by + systemd. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>services.bookstack.extraConfig</literal> option + has been replaced by + <literal>services.bookstack.config</literal> which implements + a + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">settings-style</link> + configuration. + </para> + </listitem> + <listitem> + <para> + <literal>lib.assertMsg</literal> and + <literal>lib.assertOneOf</literal> no longer return + <literal>false</literal> if the passed condition is + <literal>false</literal>, <literal>throw</literal>ing the + given error message instead (which makes the resulting error + message less cluttered). This will not impact the behaviour of + code using these functions as intended, namely as top-level + wrapper for <literal>assert</literal> conditions. + </para> + </listitem> + <listitem> + <para> + The <literal>vpnc</literal> package has been changed to use + GnuTLS instead of OpenSSL by default for licensing reasons. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.vimPlugins.onedark-nvim</literal> now refers to + <link xlink:href="https://github.com/navarasu/onedark.nvim">navarasu/onedark.nvim</link> + (formerly refers to + <link xlink:href="https://github.com/olimorris/onedarkpro.nvim">olimorris/onedarkpro.nvim</link>). + </para> + </listitem> + <listitem> + <para> + <literal>services.pipewire.enable</literal> will default to + enabling the WirePlumber session manager instead of + pipewire-media-session. pipewire-media-session is deprecated + by upstream and not recommended, but can still be manually + enabled by setting + <literal>services.pipewire.media-session.enable</literal> to + <literal>true</literal> and + <literal>services.pipewire.wireplumber.enable</literal> to + <literal>false</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>pkgs.makeDesktopItem</literal> has been refactored to + provide a more idiomatic API. 
Specifically: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + All valid options as of FDO Desktop Entry specification + version 1.4 can now be passed in as explicit arguments + </para> + </listitem> + <listitem> + <para> + <literal>exec</literal> can now be null, for entries that + are not of type Application + </para> + </listitem> + <listitem> + <para> + <literal>mimeType</literal> argument is renamed to + <literal>mimeTypes</literal> for consistency + </para> + </listitem> + <listitem> + <para> + <literal>mimeTypes</literal>, + <literal>categories</literal>, + <literal>implements</literal>, + <literal>keywords</literal>, <literal>onlyShowIn</literal> + and <literal>notShowIn</literal> take lists of strings + instead of one string with semicolon separators + </para> + </listitem> + <listitem> + <para> + <literal>extraDesktopEntries</literal> renamed to + <literal>extraConfig</literal> for consistency + </para> + </listitem> + <listitem> + <para> + Actions should now be provided as an attrset + <literal>actions</literal>, the <literal>Actions</literal> + line will be autogenerated. + </para> + </listitem> + <listitem> + <para> + <literal>extraEntries</literal> is removed. + </para> + </listitem> + <listitem> + <para> + Additional validation is added both at eval time and at + build time. + </para> + </listitem> + </itemizedlist> + <para> + See the <literal>vscode</literal> package for a more detailed + example. + </para> + </listitem> + </itemizedlist> + </section> + <section xml:id="sec-release-22.05-notable-changes"> + <title>Other Notable Changes</title> + <itemizedlist> + <listitem> + <para> + The option + <link linkend="opt-services.redis.servers">services.redis.servers</link> + was added to support per-application + <literal>redis-server</literal> which is more secure since + Redis databases are only mere key prefixes without any + configuration or ACL of their own. 
Backward-compatibility is + preserved by mapping old + <literal>services.redis.settings</literal> to + <literal>services.redis.servers."".settings</literal>, + but you are strongly encouraged to name each + <literal>redis-server</literal> instance after the application + using it, instead of keeping that nameless one. Except for the + nameless + <literal>services.redis.servers.""</literal> still + accessible at <literal>127.0.0.1:6379</literal>, and to the + members of the Unix group <literal>redis</literal> through the + Unix socket <literal>/run/redis/redis.sock</literal>, all + other <literal>services.redis.servers.${serverName}</literal> + are only accessible by default to the members of the Unix + group <literal>redis-${serverName}</literal> through the Unix + socket <literal>/run/redis-${serverName}/redis.sock</literal>. + </para> + </listitem> + <listitem> + <para> + The option + <link linkend="opt-virtualisation.vmVariant">virtualisation.vmVariant</link> + was added to allow users to make changes to the + <literal>nixos-rebuild build-vm</literal> configuration that + do not apply to their normal system. + </para> + <para> + The <literal>config.system.build.vm</literal> attribute now + always exists and defaults to the value from + <literal>vmVariant</literal>. Configurations that import the + <literal>virtualisation/qemu-vm.nix</literal> module + themselves will override this value, such that + <literal>vmVariant</literal> is not used. + </para> + <para> + Similarly + <link linkend="opt-virtualisation.vmVariantWithBootLoader">virtualisation.vmVariantWithBootloader</link> + was added. 
+ </para> + </listitem> + <listitem> + <para> + The configuration portion of the <literal>nix-daemon</literal> + module has been reworked and exposed as + <link xlink:href="options.html#opt-nix-settings">nix.settings</link>: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Legacy options have been mapped to the corresponding + options under under + <link xlink:href="options.html#opt-nix.settings">nix.settings</link> + but may be deprecated in the future. + </para> + </listitem> + <listitem> + <para> + <link xlink:href="options.html#opt-nix.buildMachines.publicHostKey">nix.buildMachines.publicHostKey</link> + has been added. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The + <literal>writers.writePyPy2</literal>/<literal>writers.writePyPy3</literal> + and corresponding + <literal>writers.writePyPy2Bin</literal>/<literal>writers.writePyPy3Bin</literal> + convenience functions to create executable Python 2/3 scripts + using the PyPy interpreter were added. + </para> + </listitem> + <listitem> + <para> + Some improvements have been made to the + <literal>hadoop</literal> module: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + A <literal>gatewayRole</literal> option has been added, + for deploying hadoop cluster configuration files to a node + that does not have any active services + </para> + </listitem> + <listitem> + <para> + Support for older versions of hadoop have been added to + the module + </para> + </listitem> + <listitem> + <para> + Overriding and extending site XML files has been made + easier + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + If you are using Wayland you can choose to use the Ozone + Wayland support in Chrome and several Electron apps by setting + the environment variable <literal>NIXOS_OZONE_WL=1</literal> + (for example via + <literal>environment.sessionVariables.NIXOS_OZONE_WL = "1"</literal>). 
+ This is not enabled by default because Ozone Wayland is still + under heavy development and behavior is not always flawless. + Furthermore, not all Electron apps use the latest Electron + versions. + </para> + </listitem> + <listitem> + <para> + The <literal>influxdb2</literal> package was split into + <literal>influxdb2-server</literal> and + <literal>influxdb2-cli</literal>, matching the split that took + place upstream. A combined <literal>influxdb2</literal> + package is still provided in this release for backwards + compatibilty, but will be removed at a later date. + </para> + </listitem> + <listitem> + <para> + The <literal>unifi</literal> package was switched from + <literal>unifi6</literal> to <literal>unifi7</literal>. Direct + downgrades from Unifi 7 to Unifi 6 are not possible and + require restoring from a backup made by Unifi 6. + </para> + </listitem> + <listitem> + <para> + <literal>programs.zsh.autosuggestions.strategy</literal> now + takes a list of strings instead of a string. + </para> + </listitem> + <listitem> + <para> + The <literal>services.unifi.openPorts</literal> option default + value of <literal>true</literal> is now deprecated and will be + changed to <literal>false</literal> in 22.11. Configurations + using this default will print a warning when rebuilt. + </para> + </listitem> + <listitem> + <para> + <literal>security.acme</literal> certificates will now + correctly check for CA revokation before reaching their + minimum age. + </para> + </listitem> + <listitem> + <para> + Removing domains from + <literal>security.acme.certs._name_.extraDomainNames</literal> + will now correctly remove those domains during rebuild/renew. + </para> + </listitem> + <listitem> + <para> + MariaDB is now offered in several versions, not just the + newest one. So if you have a need for running MariaDB 10.4 for + example, you can now just set + <literal>services.mysql.package = pkgs.mariadb_104;</literal>. 
+ In general, it is recommended to run the newest version, to + get the newest features, while sticking with an LTS version + will most likely provide a more stable experience. Sometimes + software is also incompatible with the newest version of + MariaDB. + </para> + </listitem> + <listitem> + <para> + The option + <link linkend="opt-programs.ssh.enableAskPassword">programs.ssh.enableAskPassword</link> + was added, decoupling the setting of + <literal>SSH_ASKPASS</literal> from + <literal>services.xserver.enable</literal>. This allows easy + usage in non-X11 environments, e.g. Wayland. + </para> + </listitem> + <listitem> + <para> + <link linkend="opt-programs.ssh.knownHosts">programs.ssh.knownHosts</link> + has gained an <literal>extraHostNames</literal> option to + replace <literal>hostNames</literal>. + <literal>hostNames</literal> is deprecated, but still + available for now. + </para> + </listitem> + <listitem> + <para> + The <literal>services.stubby</literal> module was converted to + a + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">settings-style</link> + configuration. + </para> + </listitem> + <listitem> + <para> + The option <literal>services.duplicati.dataDir</literal> has + been added to allow changing the location of duplicati’s + files. + </para> + </listitem> + <listitem> + <para> + The options <literal>boot.extraModprobeConfig</literal> and + <literal>boot.blacklistedKernelModules</literal> now also take + effect in the initrd by copying the file + <literal>/etc/modprobe.d/nixos.conf</literal> into the initrd. + </para> + </listitem> + <listitem> + <para> + <literal>nixos-generate-config</literal> now puts the dhcp + configuration in <literal>hardware-configuration.nix</literal> + instead of <literal>configuration.nix</literal>. 
+ </para> + </listitem> + <listitem> + <para> + ORY Kratos was updated to version 0.8.3-alpha.1.pre.0, which + introduces some breaking changes: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + If you are relying on the SQLite images, update your + Docker Pull commands as follows: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>docker pull oryd/kratos:{version}</literal> + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Additionally, all passwords now have to be at least 8 + characters long. + </para> + </listitem> + <listitem> + <para> + For more details, see: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <link xlink:href="https://github.com/ory/kratos/releases/tag/v0.8.1-alpha.1">Release + Notes for v0.8.1-alpha-1</link> + </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://github.com/ory/kratos/releases/tag/v0.8.2-alpha.1">Release + Notes for v0.8.2-alpha-1</link> + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>fetchFromSourcehut</literal> now allows fetching + repositories recursively using <literal>fetchgit</literal> or + <literal>fetchhg</literal> if the argument + <literal>fetchSubmodules</literal> is set to + <literal>true</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>element-desktop</literal> package now has an + <literal>useKeytar</literal> option (defaults to + <literal>true</literal>), which allows disabling + <literal>keytar</literal> and in turn + <literal>libsecret</literal> usage (which binds to native + credential managers / keychain libraries). + </para> + </listitem> + <listitem> + <para> + The option <literal>services.thelounge.plugins</literal> has + been added to allow installing plugins for The Lounge. 
Plugins + can be found in + <literal>pkgs.theLoungePlugins.plugins</literal> and + <literal>pkgs.theLoungePlugins.themes</literal>. + </para> + </listitem> + <listitem> + <para> + The option + <literal>services.xserver.videoDriver = [ "nvidia" ];</literal> + will now also install + <link xlink:href="https://github.com/elFarto/nvidia-vaapi-driver">nvidia + VA-API drivers</link> by default. + </para> + </listitem> + <listitem> + <para> + The <literal>firmwareLinuxNonfree</literal> package has been + renamed to <literal>linux-firmware</literal>. + </para> + </listitem> + <listitem> + <para> + It is now possible to specify wordlists to include as handy to + access environment variables using the + <literal>config.environment.wordlist</literal> configuration + options. + </para> + </listitem> + <listitem> + <para> + The <literal>services.mbpfan</literal> module was converted to + a + <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC + 0042</link> configuration. + </para> + </listitem> + <listitem> + <para> + The default value for + <literal>programs.spacefm.settings.graphical_su</literal> got + unset. It previously pointed to <literal>gksu</literal> which + has been removed. + </para> + </listitem> + <listitem> + <para> + A new module was added for the + <link xlink:href="https://starship.rs/">Starship</link> shell + prompt, providing the options + <literal>programs.starship.enable</literal> and + <literal>programs.starship.settings</literal>. + </para> + </listitem> + <listitem> + <para> + The <link xlink:href="https://dino.im">Dino</link> XMPP client + was updated to 0.3, adding support for audio and video calls. + </para> + </listitem> + <listitem> + <para> + <literal>services.mattermost.plugins</literal> has been added + to allow the declarative installation of Mattermost plugins. + Plugins are automatically repackaged using autoPatchelf. 
+ </para> + </listitem> + <listitem> + <para> + <literal>services.logrotate.enable</literal> now defaults to + true if any rotate path has been defined, and some paths have + been added by default. + </para> + </listitem> + <listitem> + <para> + The <literal>zrepl</literal> package has been updated from + 0.4.0 to 0.5: + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + The RPC protocol version was bumped; all zrepl daemons in + a setup must be updated and restarted before replication + can resume. + </para> + </listitem> + <listitem> + <para> + A bug involving encrypt-on-receive has been fixed. Read + the + <link xlink:href="https://zrepl.github.io/configuration/sendrecvoptions.html#job-recv-options-placeholder">zrepl + documentation</link> and check the output of + <literal>zfs get -r encryption,zrepl:placeholder PATH_TO_ROOTFS</literal> + on the receiver. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + Renamed option + <literal>services.openssh.challengeResponseAuthentication</literal> + to + <literal>services.openssh.kbdInteractiveAuthentication</literal>. + Reason is that the old name has been deprecated upstream. + Using the old option name will still work, but produce a + warning. + </para> + </listitem> + <listitem> + <para> + The <literal>pomerium-cli</literal> command has been moved out + of the <literal>pomerium</literal> package into the + <literal>pomerium-cli</literal> package, following upstream’s + repository split. If you are using the + <literal>pomerium-cli</literal> command, you should now + install the <literal>pomerium-cli</literal> package. + </para> + </listitem> + <listitem> + <para> + The option + <link linkend="opt-networking.networkmanager.enableFccUnlock">services.networking.networkmanager.enableFccUnlock</link> + was added to support FCC unlock procedures. Since release + 1.18.4, the ModemManager daemon no longer automatically + performs the FCC unlock procedure by default. 
See + <link xlink:href="https://modemmanager.org/docs/modemmanager/fcc-unlock/">the + docs</link> for more details. + </para> + </listitem> + <listitem> + <para> + <literal>programs.tmux</literal> has a new option + <literal>plugins</literal> that accepts a list of packages + from the <literal>tmuxPlugins</literal> group. The specified + packages are added to the system and loaded by + <literal>tmux</literal>. + </para> + </listitem> + <listitem> + <para> + The polkit service, available at + <literal>security.polkit.enable</literal>, is now disabled by + default. It will automatically be enabled through services and + desktop environments as needed. + </para> + </listitem> + <listitem> + <para> + The <literal>hadoop</literal> package has added support for + <literal>aarch64-linux</literal> and + <literal>aarch64-darwin</literal> as of 3.3.1 + (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/158613">#158613</link>). + </para> + </listitem> + <listitem> + <para> + The <literal>R</literal> package now builds again on + <literal>aarch64-darwin</literal> + (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/158992">#158992</link>). + </para> + </listitem> + <listitem> + <para> + The <literal>spark3</literal> package has been updated from + 3.1.2 to 3.2.1 + (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/160075">#160075</link>): + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Testing has been enabled for + <literal>aarch64-linux</literal> in addition to + <literal>x86_64-linux</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>spark3</literal> package is now usable on + <literal>aarch64-darwin</literal> as a result of + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/158613">#158613</link> + and + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/158992">#158992</link>. + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </section> +</section> |
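Review bot: the FCC unlock entry near the end of this hunk names the option `services.networking.networkmanager.enableFccUnlock` in the link text while its `linkend` is `opt-networking.networkmanager.enableFccUnlock`; the `services.` prefix should be dropped so readers do not copy an option name that does not exist. In the same hunk the two `nix.settings` links use different anchors, `options.html#opt-nix-settings` and `options.html#opt-nix.settings`; every other option link in the hunk uses the dotted form (`opt-nix.buildMachines.publicHostKey`, `opt-programs.ssh.knownHosts`), so the hyphenated one should be corrected to match. Since this file is under `from_md`, both fixes belong in the markdown source it is generated from, followed by a regeneration, rather than edits to this XML. Minor spelling and grammar in the same hunk to fix at the source as well: "options under under", "compatibilty", "CA revokation", "Support for older versions of hadoop have been added", and "an `useKeytar` option".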