path: root/nixos/doc/manual/release-notes/rl-2111.section.md
Diffstat (limited to 'nixos/doc/manual/release-notes/rl-2111.section.md')
-rw-r--r-- nixos/doc/manual/release-notes/rl-2111.section.md | 141
1 files changed, 83 insertions, 58 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index 5661d8cab31..3e1922ddcc2 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -20,19 +20,28 @@ In addition to numerous new and upgraded packages, this release has the followin
   This allows activation scripts to output what they would change if the activation was really run.
   The users/modules activation script supports this and outputs some of is actions.
 
+- bash now defaults to major version 5.
+
+- Systemd was updated to version 249 (from 247).
+
 - Pantheon desktop has been updated to version 6. Due to changes of screen locker, if locking doesn't work for you, please try `gsettings set org.gnome.desktop.lockdown disable-lock-screen false`.
 
+- `kubernetes-helm` now defaults to 3.7.0, which introduced some breaking changes to the experimental OCI manifest format. See [HIP 6](https://github.com/helm/community/blob/main/hips/hip-0006.md) for more details.
+
 ## New Services {#sec-release-21.11-new-services}
 
 - [btrbk](https://digint.ch/btrbk/index.html), a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations. Available as [services.btrbk](options.html#opt-services.brtbk.instances).
 
-- [clipcat](https://github.com/xrelkd/clipcat/), an X11 clipboard manager written in Rust. Available at [services.clipcat](options.html#o
-pt-services.clipcat.enable).
+- [clipcat](https://github.com/xrelkd/clipcat/), an X11 clipboard manager written in Rust. Available at [services.clipcat](options.html#opt-services.clipcat.enable).
+
+- [dex](https://github.com/dexidp/dex), an OpenID Connect (OIDC) identity and OAuth 2.0 provider. Available at [services.dex](options.html#opt-services.dex.enable).
 
 - [geoipupdate](https://github.com/maxmind/geoipupdate), a GeoIP database updater from MaxMind. Available as [services.geoipupdate](options.html#opt-services.geoipupdate.enable).
 
 - [Kea](https://www.isc.org/kea/), ISCs 2nd generation DHCP and DDNS server suite. Available at [services.kea](options.html#opt-services.kea).
 
+- [owncast](https://owncast.online/), self-hosted video live streaming solution. Available at [services.owncast](options.html#opt-services.owncast).
+
 - [sourcehut](https://sr.ht), a collection of tools useful for software development. Available as [services.sourcehut](options.html#opt-services.sourcehut.enable).
 
 - [ucarp](https://download.pureftpd.org/pub/ucarp/README), an userspace implementation of the Common Address Redundancy Protocol (CARP). Available as [networking.ucarp](options.html#opt-networking.ucarp.enable).
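Review bot: The `kubernetes-helm` entry announces breaking changes to the experimental OCI manifest format, yet it is added to the general list ahead of `## New Services`; readers checking for upgrade hazards will look under "Backward Incompatibilities", so move it there or add a pointer from that section. Minor points in the same hunk: "bash" opens its sentence in lowercase next to "Systemd", and the unchanged btrbk line links to `opt-services.brtbk.instances`, which looks like a transposition of `btrbk` and could be corrected in the same pass.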
@@ -41,6 +50,8 @@ pt-services.clipcat.enable).
 
 - [vikunja](https://vikunja.io), a to-do list app. Available as [services.vikunja](#opt-services.vikunja.enable).
 
+- [opensnitch](https://github.com/evilsocket/opensnitch), an application firewall. Available as [services.opensnitch](#opt-services.opensnitch.enable).
+
 - [snapraid](https://www.snapraid.it/), a backup program for disk arrays.
   Available as [snapraid](#opt-snapraid.enable).
 
@@ -63,7 +74,7 @@ pt-services.clipcat.enable).
   Available as [isso](#opt-services.isso.enable)
 
 - [navidrome](https://www.navidrome.org/), a personal music streaming server with
-subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable).
+  subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable).
 
 - [fluidd](https://docs.fluidd.xyz/), a Klipper web interface for managing 3d printers using moonraker. Available as [fluidd](#opt-services.fluidd.enable).
 
@@ -86,8 +97,12 @@ subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable
 
 - [touchegg](https://github.com/JoseExposito/touchegg), a multi-touch gesture recognizer. Available as [services.touchegg](#opt-services.touchegg.enable).
 
+- [pantheon-tweaks](https://github.com/pantheon-tweaks/pantheon-tweaks), an unofficial system settings panel for Pantheon. Available as [programs.pantheon-tweaks](#opt-programs.pantheon-tweaks.enable).
+
 ## Backward Incompatibilities {#sec-release-21.11-incompatibilities}
 
+- The `security.wrappers` option now requires to always specify an owner, group and whether the setuid/setgid bit should be set.
+  This is motivated by the fact that before NixOS 21.11, specifying either setuid or setgid but not owner/group resulted in wrappers owned by nobody/nogroup, which is unsafe.
 
 - The `paperless` module and package have been removed. All users should migrate to the
   successor `paperless-ng` instead. The Paperless project [has been
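Review bot: The new `security.wrappers` entry states the requirement but does not tell users what to write; since this change will fail evaluation for existing configurations, name the exact sub-options that are now mandatory and show one migrated wrapper definition. The wording "now requires to always specify an owner" is also ungrammatical; something like "now always requires an owner, a group and the setuid/setgid bits to be specified" reads better. It would help to say in the second sentence why nobody/nogroup ownership is unsafe, or link to the change that explains it, because the note currently asserts it without a reference.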
@@ -95,46 +110,49 @@ subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable
   and advises all users to use `paperless-ng` instead.
 
   Users can use the `services.paperless-ng` module as a replacement while noting the following incompatibilities:
-    - `services.paperless.ocrLanguages` has no replacement. Users should migrate to [`services.paperless-ng.extraConfig`](options.html#opt-services.paperless-ng.extraConfig) instead:
-     ```nix
-     {
-       services.paperless-ng.extraConfig = {
-         # Provide languages as ISO 639-2 codes
-         # separated by a plus (+) sign.
-         # https://en.wikipedia.org/wiki/List_of_ISO_639-2_codes
-         PAPERLESS_OCR_LANGUAGE = "deu+eng+jpn"; # German & English & Japanse
-       };
-     }
-     ```
-
-    - If you previously specified `PAPERLESS_CONSUME_MAIL_*` settings in
-      `services.paperless.extraConfig` you should remove those options now. You
-      now *must* define those settings in the admin interface of paperless-ng.
-
-    - Option `services.paperless.manage` no longer exists.
-      Use the script at `${services.paperless-ng.dataDir}/paperless-ng-manage` instead.
-      Note that this script only exists after the `paperless-ng` service has been
-      started at least once.
-
-    - After switching to the new system configuration you should run the Django
-      management command to reindex your documents and optionally create a user,
-      if you don't have one already.
-
-      To do so, enter the data directory (the value of
-      `services.paperless-ng.dataDir`, `/var/lib/paperless` by default), switch
-      to the paperless user and execute the management command like below:
-      ```
-      $ cd /var/lib/paperless
-      $ su paperless -s /bin/sh
-      $ ./paperless-ng-manage document_index reindex
-      # if not already done create a user account, paperless-ng requires a login
-      $ ./paperless-ng-manage createsuperuser
-      Username (leave blank to use 'paperless'): my-user-name
-      Email address: me@example.com
-      Password: **********
-      Password (again): **********
-      Superuser created successfully.
-      ```
+
+  - `services.paperless.ocrLanguages` has no replacement. Users should migrate to [`services.paperless-ng.extraConfig`](options.html#opt-services.paperless-ng.extraConfig) instead:
+
+  ```nix
+  {
+    services.paperless-ng.extraConfig = {
+      # Provide languages as ISO 639-2 codes
+      # separated by a plus (+) sign.
+      # https://en.wikipedia.org/wiki/List_of_ISO_639-2_codes
+      PAPERLESS_OCR_LANGUAGE = "deu+eng+jpn"; # German & English & Japanse
+    };
+  }
+  ```
+
+  - If you previously specified `PAPERLESS_CONSUME_MAIL_*` settings in
+    `services.paperless.extraConfig` you should remove those options now. You
+    now _must_ define those settings in the admin interface of paperless-ng.
+
+  - Option `services.paperless.manage` no longer exists.
+    Use the script at `${services.paperless-ng.dataDir}/paperless-ng-manage` instead.
+    Note that this script only exists after the `paperless-ng` service has been
+    started at least once.
+
+  - After switching to the new system configuration you should run the Django
+    management command to reindex your documents and optionally create a user,
+    if you don't have one already.
+
+    To do so, enter the data directory (the value of
+    `services.paperless-ng.dataDir`, `/var/lib/paperless` by default), switch
+    to the paperless user and execute the management command like below:
+
+    ```
+    $ cd /var/lib/paperless
+    $ su paperless -s /bin/sh
+    $ ./paperless-ng-manage document_index reindex
+    # if not already done create a user account, paperless-ng requires a login
+    $ ./paperless-ng-manage createsuperuser
+    Username (leave blank to use 'paperless'): my-user-name
+    Email address: me@example.com
+    Password: **********
+    Password (again): **********
+    Superuser created successfully.
+    ```
 
 - The `staticjinja` package has been upgraded from 1.0.4 to 4.1.0
 
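Review bot: The re-indented `nix` fence under the `services.paperless.ocrLanguages` item now starts at two spaces, the same column as the `- ` marker, while the shell transcript further down is indented four spaces under its item. At two spaces the fence is no longer part of the list item's content and will end the list in most Markdown renderers; indent it to four spaces to match the other block. The comment "German & English & Japanse" carries over a typo ("Japanese") that could be fixed while these lines are being rewritten anyway.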
@@ -231,28 +249,32 @@ subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable
 * The `bitwarden_rs` packages and modules were renamed to `vaultwarden`
   [following upstream](https://github.com/dani-garcia/vaultwarden/discussions/1642). More specifically,
 
-  * `pkgs.bitwarden_rs`, `pkgs.bitwarden_rs-sqlite`, `pkgs.bitwarden_rs-mysql` and
+  - `pkgs.bitwarden_rs`, `pkgs.bitwarden_rs-sqlite`, `pkgs.bitwarden_rs-mysql` and
     `pkgs.bitwarden_rs-postgresql` were renamed to `pkgs.vaultwarden`, `pkgs.vaultwarden-sqlite`,
     `pkgs.vaultwarden-mysql` and `pkgs.vaultwarden-postgresql`, respectively.
-    * Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
-    * The `bitwarden_rs` executable was also renamed to `vaultwarden` in all packages.
 
-  * `pkgs.bitwarden_rs-vault` was renamed to `pkgs.vaultwarden-vault`.
-    * `pkgs.bitwarden_rs-vault` is preserved as an alias for backwards compatibility, but may be removed in the future.
-    * The static files were moved from `/usr/share/bitwarden_rs` to `/usr/share/vaultwarden`.
+    - Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
+    - The `bitwarden_rs` executable was also renamed to `vaultwarden` in all packages.
+
+  - `pkgs.bitwarden_rs-vault` was renamed to `pkgs.vaultwarden-vault`.
 
-  * The `services.bitwarden_rs` config module was renamed to `services.vaultwarden`.
-    * `services.bitwarden_rs` is preserved as an alias for backwards compatibility, but may be removed in the future.
+    - `pkgs.bitwarden_rs-vault` is preserved as an alias for backwards compatibility, but may be removed in the future.
+    - The static files were moved from `/usr/share/bitwarden_rs` to `/usr/share/vaultwarden`.
 
-  * `systemd.services.bitwarden_rs`, `systemd.services.backup-bitwarden_rs` and `systemd.timers.backup-bitwarden_rs`
+  - The `services.bitwarden_rs` config module was renamed to `services.vaultwarden`.
+
+    - `services.bitwarden_rs` is preserved as an alias for backwards compatibility, but may be removed in the future.
+
+  - `systemd.services.bitwarden_rs`, `systemd.services.backup-bitwarden_rs` and `systemd.timers.backup-bitwarden_rs`
     were renamed to `systemd.services.vaultwarden`, `systemd.services.backup-vaultwarden` and
     `systemd.timers.backup-vaultwarden`, respectively.
-    * Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
 
-  * `users.users.bitwarden_rs` and `users.groups.bitwarden_rs` were renamed to `users.users.vaultwarden` and
+    - Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
+
+  - `users.users.bitwarden_rs` and `users.groups.bitwarden_rs` were renamed to `users.users.vaultwarden` and
     `users.groups.vaultwarden`, respectively.
 
-  * The data directory remains located at `/var/lib/bitwarden_rs`, for backwards compatibility.
+  - The data directory remains located at `/var/lib/bitwarden_rs`, for backwards compatibility.
 
 - `yggdrasil` was upgraded to a new major release with breaking changes, see [upstream changelog](https://github.com/yggdrasil-network/yggdrasil-go/releases/tag/v0.4.0).
 
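Review bot: The nested items are converted from `*` to `-`, but the parent item "The `bitwarden_rs` packages and modules were renamed" keeps its `*` marker, so the list now mixes both styles and differs from the `-` items that follow it (for example the `yggdrasil` entry). Convert the parent marker as well so the whole section uses one bullet style.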
@@ -265,6 +287,7 @@ subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable
 - `tt-rss` was upgraded to the commit on 2021-06-21, which has breaking changes. If you use `services.tt-rss.extraConfig` you should migrate to the `putenv`-style configuration. See [this Discourse post](https://community.tt-rss.org/t/rip-config-php-hello-classes-config-php/4337) in the tt-rss forums for more details.
 
 - The following Visual Studio Code extensions were renamed to keep the naming convention uniform.
+
   - `bbenoist.Nix` -> `bbenoist.nix`
   - `CoenraadS.bracket-pair-colorizer` -> `coenraads.bracket-pair-colorizer`
   - `golang.Go` -> `golang.go`
@@ -284,12 +307,12 @@ subsonic-compatible api. Available as [navidrome](#opt-services.navidrome.enable
 - The `yambar` package has been split into `yambar` and `yambar-wayland`, corresponding to the xorg and wayland backend respectively. Please switch to `yambar-wayland` if you are on wayland.
 
 - The `services.minio` module gained an additional option `consoleAddress`, that
-configures the address and port the web UI is listening, it defaults to `:9001`.
-To be able to access the web UI this port needs to be opened in the firewall.
+  configures the address and port the web UI is listening, it defaults to `:9001`.
+  To be able to access the web UI this port needs to be opened in the firewall.
 
 - The `varnish` package was upgraded from 6.3.x to 6.5.x. `varnish60` for the last LTS release is also still available.
 
-- The `kubernetes` package was upgraded to 1.22.  The `kubernetes.apiserver.kubeletHttps` option was removed and HTTPS is always used.
+- The `kubernetes` package was upgraded to 1.22. The `kubernetes.apiserver.kubeletHttps` option was removed and HTTPS is always used.
 
 - The attribute `linuxPackages_latest_hardened` was dropped because the hardened patches
   lag behind the upstream kernel which made version bumps harder. If you want to use
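Review bot: The `services.minio` lines are only re-indented, which keeps the comma splice "the web UI is listening, it defaults to `:9001`"; since the lines are touched, reword to "the web UI listens on; it defaults to `:9001`". The last sentence reads as if opening the port were required in every case; consider saying it is needed only for access from other hosts, so readers do not expose the console port by default.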
@@ -325,6 +348,8 @@ To be able to access the web UI this port needs to be opened in the firewall.
 
   However, if [`services.fail2ban.enable`](options.html#opt-services.fail2ban.enable) is `true`, the `fail2ban` will override the verbosity to `"VERBOSE"`, so that `fail2ban` can observe the failed login attempts from the SSH logs.
 
+- The [`services.xserver.extraLayouts`](options.html#opt-services.xserver.extraLayouts) no longer cause additional rebuilds when a layout is added or modified.
+
 - Sway: The terminal emulator `rxvt-unicode` is no longer installed by default via `programs.sway.extraPackages`. The current default configuration uses `alacritty` (and soon `foot`) so this is only an issue when using a customized configuration and not installing `rxvt-unicode` explicitly.
 
 - `python3` now defaults to Python 3.9. Python 3.9 introduces many deprecation warnings, please look at the [What's New In Python 3.9 post](https://docs.python.org/3/whatsnew/3.9.html) for more information.
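Review bot: In the added `services.xserver.extraLayouts` entry the subject and verb do not agree ("The ... no longer cause"); write "The `services.xserver.extraLayouts` option no longer causes additional rebuilds" or drop the article and keep the plural. This item describes an improvement rather than a behaviour users must adapt to, so check that it sits in the right section of the notes.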