In addition to numerous new and upgraded packages, this release has the following highlights: Support is planned until the end of December 2022, handing over to 22.11.

security.acme.defaults has been added to simplify configuring settings for many certificates at once. This also opens up the the option to use DNS-01 validation when using enableACME on web server virtual hosts (e.g. services.nginx.virtualHosts.*.enableACME). PHP 8.1 is now available Mattermost has been updated to extended support release 6.3, as the previously packaged extended support release 5.37 is reaching its end of life. Migrations may take a while, see the changelog and important upgrade notes. systemd services can now set systemd.services.<name>.reloadTriggers instead of reloadIfChanged for a more granular distinction between reloads and restarts. kops defaults to 1.22.4, which will enable Instance Metadata Service Version 2 and require tokens on new clusters with Kubernetes 1.22. This will increase security by default, but may break some types of workloads. See the release notes for details.

aesmd, the Intel SGX Architectural Enclave Service Manager. Available as services.aesmd. rootless Docker, a systemd --user Docker service which runs without root permissions. Available as virtualisation.docker.rootless.enable. matrix-conduit, a simple, fast and reliable chat server powered by matrix. Available as services.matrix-conduit. filebeat, a lightweight shipper for forwarding and centralizing log data. Available as services.filebeat. apfs, a kernel module for mounting the Apple File System (APFS). FRRouting, a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VVRP and others). Available as services.frr heisenbridge, a bouncer-style Matrix IRC bridge. Available as services.heisenbridge. snowflake-proxy, a system to defeat internet censorship. Available as services.snowflake-proxy. ergochat, a modern IRC with IRCv3 features. Available as services.ergochat. PowerDNS-Admin, a web interface for the PowerDNS server. Available at services.powerdns-admin. pgadmin4, an admin interface for the PostgreSQL database. Available at services.pgadmin. input-remapper, an easy to use tool to change the mapping of your input device buttons. Available at services.input-remapper. InvoicePlane, web application for managing and creating invoices. Available at services.invoiceplane. maddy, a composable all-in-one mail server. Available as services.maddy. K40-Whisperer, a program to control cheap Chinese laser cutters. Available as programs.k40-whisperer.enable. Users must add themselves to the k40 group to be able to access the device. mtr-exporter, a Prometheus exporter for mtr metrics. Available as services.mtr-exporter. prometheus-pve-exporter, a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as services.prometheus.exporters.pve. tetrd, share your internet connection from your device to your PC and vice versa through a USB cable. Available at services.tetrd. agate, a very simple server for the Gemini hypertext protocol. Available as services.agate. ArchiSteamFarm, a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as services.archisteamfarm. teleport, allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at services.teleport. BaGet, a lightweight NuGet and symbol server. Available at services.baget. moosefs, fault tolerant petabyte distributed file system. Available as moosefs. prosody-filer, a server for handling XMPP HTTP Upload requests. Available at services.prosody-filer. systembus-notify, allow system level notifications to reach the users. Available as services.systembus-notify. Please keep in mind that this service should only be enabled on machines with fully trusted users, as any local user is able to DoS user sessions by spamming notifications. ethercalc, an online collaborative spreadsheet. Available as services.ethercalc. nbd, a Network Block Device server. Available as services.nbd. timetagger, an open source time-tracker with an intuitive user experience and powerful reporting. services.timetagger. rstudio-server, a browser-based version of the RStudio IDE for the R programming language. Available as services.rstudio-server. headscale, an Open Source implementation of the Tailscale Control Server. Available as services.headscale blocky, fast and lightweight DNS proxy as ad-blocker for local network with many features. pacemaker cluster resource manager

pkgs.ghc now refers to pkgs.targetPackages.haskellPackages.ghc. This only makes a difference if you are cross-compiling and will ensure that pkgs.ghc always runs on the host platform and compiles for the target platform (similar to pkgs.gcc for example). haskellPackages.ghc still behaves as before, running on the build platform and compiling for the host platform (similar to stdenv.cc). This means you don’t have to adjust your derivations if you use haskellPackages.callPackage, but when using pkgs.callPackage and taking ghc as an input, you should now use buildPackages.ghc instead to ensure cross compilation keeps working (or switch to haskellPackages.callPackage). pkgs.ghc.withPackages as well as haskellPackages.ghcWithPackages etc. now needs be overridden directly, as opposed to overriding the result of calling it. Additionally, the withLLVM parameter has been renamed to useLLVM. So instead of (ghc.withPackages (p: [])).override { withLLVM = true; }, one needs to use (ghc.withPackages.override { useLLVM = true; }) (p: []). The home-assistant module now requires users that don’t want their configuration to be managed declaratively to set services.home-assistant.config = null;. This is required due to the way default settings are handled with the new settings style. Additionally the default list of extraComponents now includes the minimal dependencies to successfully complete the onboarding procedure. pkgs.emacsPackages.orgPackages is removed because org elpa is deprecated. The packages in the top level of pkgs.emacsPackages, such as org and org-contrib, refer to the ones in pkgs.emacsPackages.elpaPackages and pkgs.emacsPackages.nongnuPackages where the new versions will release. services.kubernetes.addons.dashboard was removed due to it being an outdated version. services.kubernetes.scheduler.{port,address} now set --secure-port and --bind-address instead of --port and --address, since the former have been deprecated and are no longer functional in kubernetes>=1.23. Ensure that you are not relying on the insecure behaviour before upgrading. services.k3s.enable no longer implies systemd.enableUnifiedCgroupHierarchy = false, and will default to the systemd cgroup driver when using services.k3s.docker = true. This change may require a reboot to take effect, and k3s may not be able to run if the boot cgroup hierarchy does not match its configuration. The previous behavior may be retained by explicitly setting systemd.enableUnifiedCgroupHierarchy = false in your configuration. fonts.fonts no longer includes ancient bitmap fonts when both config.services.xserver.enable and config.nixpkgs.config.allowUnfree are enabled. If you still want these fonts, use: { fonts.fonts = [ pkgs.xorg.fontbhlucidatypewriter100dpi pkgs.xorg.fontbhlucidatypewriter75dpi pkgs.xorg.fontbh100dpi ]; } The DHCP server (services.dhcpd4, services.dhcpd6) has been hardened. The service is now using the systemd’s DynamicUser mechanism to run as an unprivileged dynamically-allocated user with limited capabilities. The dhcpd state files are now always stored in /var/lib/dhcpd{4,6} and the services.dhcpd4.stateDir and service.dhcpd6.stateDir options have been removed. If you were depending on root privileges or set{uid,gid,cap} binaries in dhcpd shell hooks, you may give dhcpd more capabilities with e.g. systemd.services.dhcpd6.serviceConfig.AmbientCapabilities. The mailpile email webclient (services.mailpile) has been removed due to its reliance on python2. The matrix-synapse service (services.matrix-synapse) has been converted to use the settings option defined in RFC42. This means that options that are part of your homeserver.yaml configuration, and that were specified at the top-level of the module (services.matrix-synapse) now need to be moved into services.matrix-synapse.settings. And while not all options you may use are defined in there, they are still supported, because you can set arbitrary values in this freeform type. An example to make the required migration clearer: Before: { services.matrix-synapse = { enable = true; server_name = "example.com"; public_baseurl = "https://example.com:8448"; enable_registration = false; registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut"; macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l"; tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; listeners = [ { port = 8448; bind_address = ""; type = "http"; tls = true; resources = [ { names = [ "client" ]; compress = true; } { names = [ "federation" ]; compress = false; } ]; } ]; }; } After: { services.matrix-synapse = { enable = true; # this attribute set holds all values that go into your homeserver.yaml configuration # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for # possible values. settings = { server_name = "example.com"; public_baseurl = "https://example.com:8448"; enable_registration = false; # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; listeners = [ { port = 8448; bind_address = [ "::" "0.0.0.0" ]; type = "http"; tls = true; resources = [ { names = [ "client" ]; compress = true; } { names = [ "federation" ]; compress = false; } ]; } ]; }; extraConfigFiles = [ /run/keys/matrix-synapse/secrets.yaml ]; }; } The secrets in your original config should be migrated into a YAML file that is included via extraConfigFiles. Additionally a few option defaults have been synced up with upstream default values, for example the max_upload_size grew from 10M to 50M. The MoinMoin wiki engine (services.moinmoin) has been removed, because Python 2 is being retired from nixpkgs. Services in the hadoop module previously set openFirewall to true by default. This has now been changed to false. Node definitions for multi-node clusters would need openFirewall = true; to be added to to hadoop services when upgrading from NixOS 21.11. services.hadoop.yarn.nodemanager now uses cgroup-based CPU limit enforcement by default. Additionally, the option useCGroups was added to nodemanagers as an easy way to switch back to the old behavior. The wafHook hook now honors NIX_BUILD_CORES when enableParallelBuilding is not set explicitly. Packages can restore the old behaviour by setting enableParallelBuilding=false. pkgs.claws-mail-gtk2, representing Claws Mail’s older release version three, was removed in order to get rid of Python 2. Please switch to claws-mail, which is Claws Mail’s latest release based on GTK+3 and Python 3. The writers.writePython2 and corresponding writers.writePython2Bin convenience functions to create executable Python 2 scripts in the store were removed in preparation of removal of the Python 2 interpreter. Scripts have to be converted to Python 3 for use with writers.writePython3 or writers.writePyPy2 needs to be used. buildGoModule was updated to use go_1_17, third party derivations that specify >= go 1.17 in the main go.mod will need to regenerate their vendorSha256 hash. The gnome-passwordsafe package updated to version 6.x and renamed to gnome-secrets. If you previously used /etc/docker/daemon.json, you need to incorporate the changes into the new option virtualisation.docker.daemon.settings. Ntopng (services.ntopng) is updated to 5.2.1 and uses a separate Redis instance if system.stateVersion is at least 22.05. Existing setups shouldn’t be affected. The backward compatibility in services.wordpress to configure sites with the old interface has been removed. Please use services.wordpress.sites instead. The backward compatibility in services.dokuwiki to configure sites with the old interface has been removed. Please use services.dokuwiki.sites instead. opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs services.miniflux.adminCredentialFiles is now required, instead of defaulting to admin and password. The autorestic package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check their migration guide for more details. For pkgs.python3.pkgs.ipython, its direct dependency pkgs.python3.pkgs.matplotlib-inline (which is really an adapter to integrate matplotlib in ipython if it is installed) does not depend on pkgs.python3.pkgs.matplotlib anymore. This is closer to a non-Nix install of ipython. This has the added benefit to reduce the closure size of ipython from ~400MB to ~160MB (including ~100MB for python itself). documentation.man has been refactored to support choosing a man implementation other than GNU’s man-db. For this, documentation.man.manualPages has been renamed to documentation.man.man-db.manualPages. If you want to use the new alternative man implementation mandoc, add documentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; } to your configuration. Normal users (with isNormalUser = true) which have non-empty subUidRanges or subGidRanges set no longer have additional implicit ranges allocated. To enable automatic allocation back set autoSubUidGidRange = true. idris2 now requires --package when using packages contrib and network, while previously these idris2 packages were automatically loaded. The iputils package, which is installed by default, no longer provides the legacy tools tftpd and traceroute6. More tools (ninfod, rarpd, and rdisc) are going to be removed in the next release. See upstream’s release notes for more details and available replacements. services.thelounge.private was removed in favor of services.thelounge.public, to follow with upstream changes. pkgs.docbookrx was removed since it’s unmaintained pkgs._7zz is now correctly licensed as LGPL3+ and BSD3 with optional unfree unRAR licensed code tilp2 was removed together with its module The F-PROT antivirus (fprot package) and its service module were removed because it reached end-of-life. bird1 and its modules services.bird as well as services.bird6 have been removed. Upgrade to services.bird2. The options networking.interfaces.<name>.ipv4.routes and networking.interfaces.<name>.ipv6.routes are no longer ignored when using networkd instead of the default scripted network backend by setting networking.useNetworkd to true. MultiMC has been replaced with the fork PolyMC due to upstream developers being hostile to 3rd party package maintainers. PolyMC removes all MultiMC branding and is aimed at providing proper 3rd party packages like the one contained in Nixpkgs. This change affects the data folder where game instances and other save and configuration files are stored. Users with existing installations should rename ~/.local/share/multimc to ~/.local/share/polymc. The main config file’s path has also moved from ~/.local/share/multimc/multimc.cfg to ~/.local/share/polymc/polymc.cfg. systemd-nspawn@.service settings have been reverted to the default systemd behaviour. User namespaces are now activated by default. If you want to keep running nspawn containers without user namespaces you need to set systemd.nspawn.<name>.execConfig.PrivateUsers = false The terraform 0.12 compatibility has been removed and the terraform.withPlugins and terraform-providers.mkProvider implementations simplified. Providers now need to be stored under $out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version> (which mkProvider does). This breaks back-compat so it’s not possible to mix-and-match with previous versions of nixpkgs. In exchange, it now becomes possible to use the providers from nixpkgs-terraform-providers-bin directly. The dendrite package has been upgraded from 0.5.1 to 0.6.5. Instances configured with split sqlite databases, which has been the default in NixOS, require merging of the federation sender and signing key databases. See upstream release notes on version 0.6.0 for details on database changes. The existing pkgs.opentelemetry-collector has been moved to pkgs.opentelemetry-collector-contrib to match the actual source being the contrib edition. pkgs.opentelemetry-collector is now the actual core release of opentelemetry-collector. If you use the community contributions you should change the package you refer to. If you don’t need them update your commands from otelcontribcol to otelcorecol and enjoy a 7x smaller binary. pkgs.pgadmin now refers to pkgs.pgadmin4. If you still need pgadmin3, use pkgs.pgadmin3. pkgs.noto-fonts-cjk is now deprecated in favor of pkgs.noto-fonts-cjk-sans and pkgs.noto-fonts-cjk-serif because they each have different release schedules. To maintain compatibility with prior releases of Nixpkgs, pkgs.noto-fonts-cjk is currently an alias of pkgs.noto-fonts-cjk-sans and doesn’t include serif fonts. pkgs.epgstation has been upgraded from v1 to v2, resulting in incompatible changes in the database scheme and configuration format. Some top-level settings under services.epgstation is now deprecated because it was redudant due to the same options being present in services.epgstation.settings. The option services.epgstation.basicAuth was removed because basic authentication support was dropped by upstream. The option services.epgstation.database.passwordFile no longer has a default value. Make sure to set this option explicitly before upgrading. Change the database password if necessary. The services.epgstation.settings option now expects options for config.yml in EPGStation v2. Existing data for the services.epgstation module would have to be backed up prior to the upgrade. To back up exising data to /tmp/epgstation.bak, run sudo -u epgstation epgstation run backup /tmp/epgstation.bak. To import that data after to the upgrade, run sudo -u epgstation epgstation run v1migrate /tmp/epgstation.bak switch-to-configuration (the script that is run when running nixos-rebuild switch for example) has been reworked The interface that allows activation scripts to restart units has been streamlined. Restarting and reloading is now done by a single file /run/nixos/activation-restart-list that honors restartIfChanged and reloadIfChanged of the units. Preferring to reload instead of restarting can still be achieved using /run/nixos/activation-reload-list. The script now uses a proper ini-file parser to parse systemd units. Some values are now only searched in one section instead of in the entire unit. This is only relevant for units that don’t use the NixOS systemd moule. RefuseManualStop, X-OnlyManualStart, X-StopOnRemoval, X-StopOnReconfiguration are only searched in the [Unit] section X-ReloadIfChanged, X-RestartIfChanged, X-StopIfChanged are only searched in the [Service] section The services.bookstack.cacheDir option has been removed, since the cache directory is now handled by systemd. The services.bookstack.extraConfig option has been replaced by services.bookstack.config which implements a settings-style configuration. lib.assertMsg and lib.assertOneOf no longer return false if the passed condition is false, throwing the given error message instead (which makes the resulting error message less cluttered). This will not impact the behaviour of code using these functions as intended, namely as top-level wrapper for assert conditions. The vpnc package has been changed to use GnuTLS instead of OpenSSL by default for licensing reasons. pkgs.vimPlugins.onedark-nvim now refers to navarasu/onedark.nvim (formerly refers to olimorris/onedarkpro.nvim). services.pipewire.enable will default to enabling the WirePlumber session manager instead of pipewire-media-session. pipewire-media-session is deprecated by upstream and not recommended, but can still be manually enabled by setting services.pipewire.media-session.enable to true and services.pipewire.wireplumber.enable to false. pkgs.makeDesktopItem has been refactored to provide a more idiomatic API. Specifically: All valid options as of FDO Desktop Entry specification version 1.4 can now be passed in as explicit arguments exec can now be null, for entries that are not of type Application mimeType argument is renamed to mimeTypes for consistency mimeTypes, categories, implements, keywords, onlyShowIn and notShowIn take lists of strings instead of one string with semicolon separators extraDesktopEntries renamed to extraConfig for consistency Actions should now be provided as an attrset actions, the Actions line will be autogenerated. extraEntries is removed. Additional validation is added both at eval time and at build time. See the vscode package for a more detailed example.

The option services.redis.servers was added to support per-application redis-server which is more secure since Redis databases are only mere key prefixes without any configuration or ACL of their own. Backward-compatibility is preserved by mapping old services.redis.settings to services.redis.servers."".settings, but you are strongly encouraged to name each redis-server instance after the application using it, instead of keeping that nameless one. Except for the nameless services.redis.servers."" still accessible at 127.0.0.1:6379, and to the members of the Unix group redis through the Unix socket /run/redis/redis.sock, all other services.redis.servers.${serverName} are only accessible by default to the members of the Unix group redis-${serverName} through the Unix socket /run/redis-${serverName}/redis.sock. The option virtualisation.vmVariant was added to allow users to make changes to the nixos-rebuild build-vm configuration that do not apply to their normal system. The config.system.build.vm attribute now always exists and defaults to the value from vmVariant. Configurations that import the virtualisation/qemu-vm.nix module themselves will override this value, such that vmVariant is not used. Similarly virtualisation.vmVariantWithBootloader was added. The configuration portion of the nix-daemon module has been reworked and exposed as nix.settings: Legacy options have been mapped to the corresponding options under under nix.settings but may be deprecated in the future. nix.buildMachines.publicHostKey has been added. The writers.writePyPy2/writers.writePyPy3 and corresponding writers.writePyPy2Bin/writers.writePyPy3Bin convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added. Some improvements have been made to the hadoop module: A gatewayRole option has been added, for deploying hadoop cluster configuration files to a node that does not have any active services Support for older versions of hadoop have been added to the module Overriding and extending site XML files has been made easier If you are using Wayland you can choose to use the Ozone Wayland support in Chrome and several Electron apps by setting the environment variable NIXOS_OZONE_WL=1 (for example via environment.sessionVariables.NIXOS_OZONE_WL = "1"). This is not enabled by default because Ozone Wayland is still under heavy development and behavior is not always flawless. Furthermore, not all Electron apps use the latest Electron versions. The influxdb2 package was split into influxdb2-server and influxdb2-cli, matching the split that took place upstream. A combined influxdb2 package is still provided in this release for backwards compatibilty, but will be removed at a later date. The unifi package was switched from unifi6 to unifi7. Direct downgrades from Unifi 7 to Unifi 6 are not possible and require restoring from a backup made by Unifi 6. programs.zsh.autosuggestions.strategy now takes a list of strings instead of a string. The services.unifi.openPorts option default value of true is now deprecated and will be changed to false in 22.11. Configurations using this default will print a warning when rebuilt. security.acme certificates will now correctly check for CA revokation before reaching their minimum age. Removing domains from security.acme.certs._name_.extraDomainNames will now correctly remove those domains during rebuild/renew. MariaDB is now offered in several versions, not just the newest one. So if you have a need for running MariaDB 10.4 for example, you can now just set services.mysql.package = pkgs.mariadb_104;. In general, it is recommended to run the newest version, to get the newest features, while sticking with an LTS version will most likely provide a more stable experience. Sometimes software is also incompatible with the newest version of MariaDB. The option programs.ssh.enableAskPassword was added, decoupling the setting of SSH_ASKPASS from services.xserver.enable. This allows easy usage in non-X11 environments, e.g. Wayland. programs.ssh.knownHosts has gained an extraHostNames option to replace hostNames. hostNames is deprecated, but still available for now. The services.stubby module was converted to a settings-style configuration. The option services.duplicati.dataDir has been added to allow changing the location of duplicati’s files. The options boot.extraModprobeConfig and boot.blacklistedKernelModules now also take effect in the initrd by copying the file /etc/modprobe.d/nixos.conf into the initrd. nixos-generate-config now puts the dhcp configuration in hardware-configuration.nix instead of configuration.nix. ORY Kratos was updated to version 0.8.3-alpha.1.pre.0, which introduces some breaking changes: If you are relying on the SQLite images, update your Docker Pull commands as follows: docker pull oryd/kratos:{version} Additionally, all passwords now have to be at least 8 characters long. For more details, see: Release Notes for v0.8.1-alpha-1 Release Notes for v0.8.2-alpha-1 fetchFromSourcehut now allows fetching repositories recursively using fetchgit or fetchhg if the argument fetchSubmodules is set to true. The element-desktop package now has an useKeytar option (defaults to true), which allows disabling keytar and in turn libsecret usage (which binds to native credential managers / keychain libraries). The option services.thelounge.plugins has been added to allow installing plugins for The Lounge. Plugins can be found in pkgs.theLoungePlugins.plugins and pkgs.theLoungePlugins.themes. The option services.xserver.videoDriver = [ "nvidia" ]; will now also install nvidia VA-API drivers by default. The firmwareLinuxNonfree package has been renamed to linux-firmware. It is now possible to specify wordlists to include as handy to access environment variables using the config.environment.wordlist configuration options. The services.mbpfan module was converted to a RFC 0042 configuration. The default value for programs.spacefm.settings.graphical_su got unset. It previously pointed to gksu which has been removed. A new module was added for the Starship shell prompt, providing the options programs.starship.enable and programs.starship.settings. The Dino XMPP client was updated to 0.3, adding support for audio and video calls. services.mattermost.plugins has been added to allow the declarative installation of Mattermost plugins. Plugins are automatically repackaged using autoPatchelf. services.logrotate.enable now defaults to true if any rotate path has been defined, and some paths have been added by default. The zrepl package has been updated from 0.4.0 to 0.5: The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume. A bug involving encrypt-on-receive has been fixed. Read the zrepl documentation and check the output of zfs get -r encryption,zrepl:placeholder PATH_TO_ROOTFS on the receiver. Renamed option services.openssh.challengeResponseAuthentication to services.openssh.kbdInteractiveAuthentication. Reason is that the old name has been deprecated upstream. Using the old option name will still work, but produce a warning. The pomerium-cli command has been moved out of the pomerium package into the pomerium-cli package, following upstream’s repository split. If you are using the pomerium-cli command, you should now install the pomerium-cli package. The option services.networking.networkmanager.enableFccUnlock was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer automatically performs the FCC unlock procedure by default. See the docs for more details. programs.tmux has a new option plugins that accepts a list of packages from the tmuxPlugins group. The specified packages are added to the system and loaded by tmux. The polkit service, available at security.polkit.enable, is now disabled by default. It will automatically be enabled through services and desktop environments as needed. The hadoop package has added support for aarch64-linux and aarch64-darwin as of 3.3.1 (#158613). The R package now builds again on aarch64-darwin (#158992). The spark3 package has been updated from 3.1.2 to 3.2.1 (#160075): Testing has been enabled for aarch64-linux in addition to x86_64-linux. The spark3 package is now usable on aarch64-darwin as a result of #158613 and #158992.