alioth/nixpkgs
3
0
Fork 0
forked from mirrors/nixpkgs
Code Releases Activity
nixpkgs/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml

2115 lines
80 KiB
XML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-21.11">
<title>Release 21.11 (“Porcupine”, 2021/11/30)</title>
<itemizedlist spacing="compact">
<listitem>
<para>
Support is planned until the end of June 2022, handing over to
22.05.
</para>
</listitem>
</itemizedlist>
<section xml:id="sec-release-21.11-highlights">
<title>Highlights</title>
<para>
In addition to numerous new and upgraded packages, this release
has the following highlights:
</para>
<itemizedlist>
<listitem>
<para>
Nix has been updated to version 2.4, reference its
<link xlink:href="https://discourse.nixos.org/t/nix-2-4-released/15822">release
notes</link> for more information on what has changed. The
previous version of Nix, 2.3.16, remains available for the
time being in the <literal>nix_2_3</literal> package.
</para>
</listitem>
<listitem>
<para>
<literal>iptables</literal> is now using
<literal>nf_tables</literal> under the hood, by using
<literal>iptables-nft</literal>, similar to
<link xlink:href="https://wiki.debian.org/nftables#Current_status">Debian</link>
and
<link xlink:href="https://fedoraproject.org/wiki/Changes/iptables-nft-default">Fedora</link>.
This means, <literal>ip[6]tables</literal>,
<literal>arptables</literal> and <literal>ebtables</literal>
commands will actually show rules from some specific tables in
the <literal>nf_tables</literal> kernel subsystem. In case
youre migrating from an older release without rebooting,
there might be cases where you end up with iptable rules
configured both in the legacy <literal>iptables</literal>
kernel backend, as well as in the <literal>nf_tables</literal>
backend. This can lead to confusing firewall behaviour. An
<literal>iptables-save</literal> after switching will complain
about <quote>iptables-legacy tables present</quote>. Its
probably best to reboot after the upgrade, or manually
removing all legacy iptables rules (via the
<literal>iptables-legacy</literal> package).
</para>
</listitem>
<listitem>
<para>
systemd got an <literal>nftables</literal> backend, and
configures (networkd) rules in their own
<literal>io.systemd.*</literal> tables. Check
<literal>nft list ruleset</literal> to see these rules, not
<literal>iptables-save</literal> (which only shows
<literal>iptables</literal>-created rules.
</para>
</listitem>
<listitem>
<para>
PHP now defaults to PHP 8.0, updated from 7.4.
</para>
</listitem>
<listitem>
<para>
kops now defaults to 1.21.1, which uses containerd as the
default runtime.
</para>
</listitem>
<listitem>
<para>
<literal>python3</literal> now defaults to Python 3.9, updated
from Python 3.8.
</para>
</listitem>
<listitem>
<para>
PostgreSQL now defaults to major version 13.
</para>
</listitem>
<listitem>
<para>
spark now defaults to spark 3, updated from 2. A
<link xlink:href="https://spark.apache.org/docs/latest/core-migration-guide.html#upgrading-from-core-24-to-30">migration
guide</link> is available.
</para>
</listitem>
<listitem>
<para>
Improvements have been made to the Hadoop module and package:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
HDFS and YARN now support production-ready highly
available deployments with automatic failover.
</para>
</listitem>
<listitem>
<para>
Hadoop now defaults to Hadoop 3, updated from 2.
</para>
</listitem>
<listitem>
<para>
JournalNode, ZKFS and HTTPFS services have been added.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Activation scripts can now, optionally, be run during a
<literal>nixos-rebuild dry-activate</literal> and can detect
the dry activation by reading
<literal>$NIXOS_ACTION</literal>. This allows activation
scripts to output what they would change if the activation was
really run. The users/modules activation script supports this
and outputs some of is actions.
</para>
</listitem>
<listitem>
<para>
KDE Plasma now finally works on Wayland.
</para>
</listitem>
<listitem>
<para>
bash now defaults to major version 5.
</para>
</listitem>
<listitem>
<para>
Systemd was updated to version 249 (from 247).
</para>
</listitem>
<listitem>
<para>
Pantheon desktop has been updated to version 6. Due to changes
of screen locker, if locking doesnt work for you, please try
<literal>gsettings set org.gnome.desktop.lockdown disable-lock-screen false</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>kubernetes-helm</literal> now defaults to 3.7.0,
which introduced some breaking changes to the experimental OCI
manifest format. See
<link xlink:href="https://github.com/helm/community/blob/main/hips/hip-0006.md">HIP
6</link> for more details. <literal>helmfile</literal> also
defaults to 0.141.0, which is the minimum compatible version.
</para>
</listitem>
<listitem>
<para>
GNOME has been upgraded to 41. Please take a look at their
<link xlink:href="https://help.gnome.org/misc/release-notes/41.0/">Release
Notes</link> for details.
</para>
</listitem>
<listitem>
<para>
LXD support was greatly improved:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
building LXD images from configurations is now directly
possible with just nixpkgs
</para>
</listitem>
<listitem>
<para>
hydra is now building nixOS LXD images that can be used
standalone with full nixos-rebuild support
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
OpenSSH was updated to version 8.8p1
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
This breaks connections to old SSH daemons as ssh-rsa host
keys and ssh-rsa public keys that were signed with SHA-1
are disabled by default now
</para>
</listitem>
<listitem>
<para>
These can be re-enabled, see the
<link xlink:href="https://www.openssh.com/txt/release-8.8">OpenSSH
changelog</link> for details
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
ORY Kratos was updated to version 0.8.0-alpha.3
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
This release requires you to run SQL migrations. Please,
as always, create a backup of your database first!
</para>
</listitem>
<listitem>
<para>
The SDKs are now generated with tag v0alpha2 to reflect
that some signatures have changed in a breaking fashion.
Please update your imports from v0alpha1 to v0alpha2.
</para>
</listitem>
<listitem>
<para>
The SMTPS scheme used in courier config URL with
cleartext/StartTLS/TLS SMTP connection types is now only
supporting implicit TLS. For StartTLS and cleartext SMTP,
please use the SMTP scheme instead.
</para>
</listitem>
<listitem>
<para>
for more details, see
<link xlink:href="https://github.com/ory/kratos/releases/tag/v0.8.0-alpha.1">Release
Notes</link>.
</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-21.11-new-services">
<title>New Services</title>
<itemizedlist>
<listitem>
<para>
<link xlink:href="https://digint.ch/btrbk/index.html">btrbk</link>,
a backup tool for btrfs subvolumes, taking advantage of btrfs
specific capabilities to create atomic snapshots and transfer
them incrementally to your backup locations. Available as
<link xlink:href="options.html#opt-services.brtbk.instances">services.btrbk</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/xrelkd/clipcat/">clipcat</link>,
an X11 clipboard manager written in Rust. Available at
<link xlink:href="options.html#opt-services.clipcat.enable">services.clipcat</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/dexidp/dex">dex</link>,
an OpenID Connect (OIDC) identity and OAuth 2.0 provider.
Available at
<link xlink:href="options.html#opt-services.dex.enable">services.dex</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/maxmind/geoipupdate">geoipupdate</link>,
a GeoIP database updater from MaxMind. Available as
<link xlink:href="options.html#opt-services.geoipupdate.enable">services.geoipupdate</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/jitsi/jibri">Jibri</link>,
a service for recording or streaming a Jitsi Meet conference.
Available as
<link xlink:href="options.html#opt-services.jibri.enable">services.jibri</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://www.isc.org/kea/">Kea</link>, ISCs
2nd generation DHCP and DDNS server suite. Available at
<link xlink:href="options.html#opt-services.kea.dhcp4">services.kea</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://owncast.online/">owncast</link>,
self-hosted video live streaming solution. Available at
<link xlink:href="options.html#opt-services.owncast.enable">services.owncast</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://joinpeertube.org/">PeerTube</link>,
developed by Framasoft, is the free and decentralized
alternative to video platforms. Available at
<link xlink:href="options.html#opt-services.peertube.enable">services.peertube</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://sr.ht">sourcehut</link>, a
collection of tools useful for software development. Available
as
<link xlink:href="options.html#opt-services.sourcehut.enable">services.sourcehut</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://download.pureftpd.org/pub/ucarp/README">ucarp</link>,
an userspace implementation of the Common Address Redundancy
Protocol (CARP). Available as
<link xlink:href="options.html#opt-networking.ucarp.enable">networking.ucarp</link>.
</para>
</listitem>
<listitem>
<para>
Users of flashrom should migrate to
<link xlink:href="options.html#opt-programs.flashrom.enable">programs.flashrom.enable</link>
and add themselves to the <literal>flashrom</literal> group to
be able to access programmers supported by flashrom.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://vikunja.io">vikunja</link>, a to-do
list app. Available as
<link linkend="opt-services.vikunja.enable">services.vikunja</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/evilsocket/opensnitch">opensnitch</link>,
an application firewall. Available as
<link linkend="opt-services.opensnitch.enable">services.opensnitch</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://www.snapraid.it/">snapraid</link>, a
backup program for disk arrays. Available as
<link linkend="opt-snapraid.enable">snapraid</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/hockeypuck/hockeypuck">Hockeypuck</link>,
a OpenPGP Key Server. Available as
<link linkend="opt-services.hockeypuck.enable">services.hockeypuck</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/buildkite/buildkite-agent-metrics">buildkite-agent-metrics</link>,
a command-line tool for collecting Buildkite agent metrics,
now has a Prometheus exporter available as
<link linkend="opt-services.prometheus.exporters.buildkite-agent.enable">services.prometheus.exporters.buildkite-agent</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/prometheus/influxdb_exporter">influxdb-exporter</link>
a Prometheus exporter that exports metrics received on an
InfluxDB compatible endpoint is now available as
<link linkend="opt-services.prometheus.exporters.influxdb.enable">services.prometheus.exporters.influxdb</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/matrix-discord/mx-puppet-discord">mx-puppet-discord</link>,
a discord puppeting bridge for matrix. Available as
<link linkend="opt-services.mx-puppet-discord.enable">services.mx-puppet-discord</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://www.meshcommander.com/meshcentral2/overview">MeshCentral</link>,
a remote administration service (<quote>TeamViewer but
self-hosted and with more features</quote>) is now available
with a package and a module:
<link linkend="opt-services.meshcentral.enable">services.meshcentral.enable</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/Arksine/moonraker">moonraker</link>,
an API web server for Klipper. Available as
<link linkend="opt-services.moonraker.enable">moonraker</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/influxdata/influxdb">influxdb2</link>,
a Scalable datastore for metrics, events, and real-time
analytics. Available as
<link linkend="opt-services.influxdb2.enable">services.influxdb2</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://posativ.org/isso/">isso</link>, a
commenting server similar to Disqus. Available as
<link linkend="opt-services.isso.enable">isso</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://www.navidrome.org/">navidrome</link>,
a personal music streaming server with subsonic-compatible
api. Available as
<link linkend="opt-services.navidrome.enable">navidrome</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://docs.fluidd.xyz/">fluidd</link>, a
Klipper web interface for managing 3d printers using
moonraker. Available as
<link linkend="opt-services.fluidd.enable">fluidd</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/earnestly/sx">sx</link>,
a simple alternative to both xinit and startx for starting a
Xorg server. Available as
<link linkend="opt-services.xserver.displayManager.sx.enable">services.xserver.displayManager.sx</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://postfixadmin.sourceforge.io/">postfixadmin</link>,
a web based virtual user administration interface for Postfix
mail servers. Available as
<link linkend="opt-services.postfixadmin.enable">postfixadmin</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://wiki.servarr.com/prowlarr">prowlarr</link>,
an indexer manager/proxy built on the popular arr .net/reactjs
base stack
<link linkend="opt-services.prowlarr.enable">services.prowlarr</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://sr.ht/~emersion/soju">soju</link>, a
user-friendly IRC bouncer. Available as
<link xlink:href="options.html#opt-services.soju.enable">services.soju</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://nats.io/">nats</link>, a high
performance cloud and edge messaging system. Available as
<link linkend="opt-services.nats.enable">services.nats</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://git-scm.com">git</link>, a
distributed version control system. Available as
<link xlink:href="options.html#opt-programs.git.enable">programs.git</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://domainaware.github.io/parsedmarc/">parsedmarc</link>,
a service which parses incoming
<link xlink:href="https://dmarc.org/">DMARC</link> reports and
stores or sends them to a downstream service for further
analysis. Documented in
<link linkend="module-services-parsedmarc">its manual
entry</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://spark.apache.org/">spark</link>, a
unified analytics engine for large-scale data processing.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/JoseExposito/touchegg">touchegg</link>,
a multi-touch gesture recognizer. Available as
<link linkend="opt-services.touchegg.enable">services.touchegg</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/pantheon-tweaks/pantheon-tweaks">pantheon-tweaks</link>,
an unofficial system settings panel for Pantheon. Available as
<link linkend="opt-programs.pantheon-tweaks.enable">programs.pantheon-tweaks</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/DanielOgorchock/joycond">joycond</link>,
a service that uses <literal>hid-nintendo</literal> to provide
nintendo joycond pairing and better nintendo switch pro
controller support.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/opensvc/multipath-tools">multipath</link>,
the device mapper multipath (DM-MP) daemon. Available as
<link linkend="opt-services.multipath.enable">services.multipath</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://www.seafile.com/en/home/">seafile</link>,
an open source file syncing &amp; sharing software. Available
as
<link xlink:href="options.html#opt-services.seafile.enable">services.seafile</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/mchehab/rasdaemon">rasdaemon</link>,
a hardware error logging daemon. Available as
<link linkend="opt-hardware.rasdaemon.enable">hardware.rasdaemon</link>.
</para>
</listitem>
<listitem>
<para>
<literal>code-server</literal>-module now available
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/xmrig/xmrig">xmrig</link>,
a high performance, open source, cross platform RandomX,
KawPow, CryptoNight and AstroBWT unified CPU/GPU miner and
RandomX benchmark.
</para>
</listitem>
<listitem>
<para>
Auto nice daemons
<link xlink:href="https://github.com/Nefelim4ag/Ananicy">ananicy</link>
and
<link xlink:href="https://gitlab.com/ananicy-cpp/ananicy-cpp/">ananicy-cpp</link>.
Available as
<link linkend="opt-services.ananicy.enable">services.ananicy</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/prometheus-community/smartctl_exporter">smartctl_exporter</link>,
a Prometheus exporter for
<link xlink:href="https://en.wikipedia.org/wiki/S.M.A.R.T.">S.M.A.R.T.</link>
data. Available as
<link xlink:href="options.html#opt-services.prometheus.exporters.smartctl.enable">services.prometheus.exporters.smartctl</link>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-21.11-incompatibilities">
<title>Backward Incompatibilities</title>
<itemizedlist>
<listitem>
<para>
The NixOS VM test framework,
<literal>pkgs.nixosTest</literal>/<literal>make-test-python.nix</literal>
(<literal>pkgs.testers.nixosTest</literal> since 22.05), now
requires detaching commands such as
<literal>succeed(&quot;foo &amp;&quot;)</literal> and
<literal>succeed(&quot;foo | xclip -i&quot;)</literal> to
close stdout. This can be done with a redirect such as
<literal>succeed(&quot;foo &gt;&amp;2 &amp;&quot;)</literal>.
This breaking change was necessitated by a race condition
causing tests to fail or hang. It applies to all methods that
invoke commands on the nodes, including
<literal>execute</literal>, <literal>succeed</literal>,
<literal>fail</literal>,
<literal>wait_until_succeeds</literal>,
<literal>wait_until_fails</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>services.wakeonlan</literal> option was removed,
and replaced with
<literal>networking.interfaces.&lt;name&gt;.wakeOnLan</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>security.wrappers</literal> option now requires
to always specify an owner, group and whether the
setuid/setgid bit should be set. This is motivated by the fact
that before NixOS 21.11, specifying either setuid or setgid
but not owner/group resulted in wrappers owned by
nobody/nogroup, which is unsafe.
</para>
</listitem>
<listitem>
<para>
Since <literal>iptables</literal> now uses
<literal>nf_tables</literal> backend and
<literal>ipset</literal> doesnt support it, some applications
(ferm, shorewall, firehol) may have limited functionality.
</para>
</listitem>
<listitem>
<para>
The <literal>paperless</literal> module and package have been
removed. All users should migrate to the successor
<literal>paperless-ng</literal> instead. The Paperless project
<link xlink:href="https://github.com/the-paperless-project/paperless/commit/9b0063c9731f7c5f65b1852cb8caff97f5e40ba4">has
been archived</link> and advises all users to use
<literal>paperless-ng</literal> instead.
</para>
<para>
Users can use the <literal>services.paperless-ng</literal>
module as a replacement while noting the following
incompatibilities:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
<literal>services.paperless.ocrLanguages</literal> has no
replacement. Users should migrate to
<link xlink:href="options.html#opt-services.paperless-ng.extraConfig"><literal>services.paperless-ng.extraConfig</literal></link>
instead:
</para>
</listitem>
</itemizedlist>
<programlisting language="bash">
{
services.paperless-ng.extraConfig = {
# Provide languages as ISO 639-2 codes
# separated by a plus (+) sign.
# https://en.wikipedia.org/wiki/List_of_ISO_639-2_codes
PAPERLESS_OCR_LANGUAGE = &quot;deu+eng+jpn&quot;; # German &amp; English &amp; Japanse
};
}
</programlisting>
<itemizedlist>
<listitem>
<para>
If you previously specified
<literal>PAPERLESS_CONSUME_MAIL_*</literal> settings in
<literal>services.paperless.extraConfig</literal> you
should remove those options now. You now
<emphasis>must</emphasis> define those settings in the
admin interface of paperless-ng.
</para>
</listitem>
<listitem>
<para>
Option <literal>services.paperless.manage</literal> no
longer exists. Use the script at
<literal>${services.paperless-ng.dataDir}/paperless-ng-manage</literal>
instead. Note that this script only exists after the
<literal>paperless-ng</literal> service has been started
at least once.
</para>
</listitem>
<listitem>
<para>
After switching to the new system configuration you should
run the Django management command to reindex your
documents and optionally create a user, if you dont have
one already.
</para>
<para>
To do so, enter the data directory (the value of
<literal>services.paperless-ng.dataDir</literal>,
<literal>/var/lib/paperless</literal> by default), switch
to the paperless user and execute the management command
like below:
</para>
<programlisting>
$ cd /var/lib/paperless
$ su paperless -s /bin/sh
$ ./paperless-ng-manage document_index reindex
# if not already done create a user account, paperless-ng requires a login
$ ./paperless-ng-manage createsuperuser
Username (leave blank to use 'paperless'): my-user-name
Email address: me@example.com
Password: **********
Password (again): **********
Superuser created successfully.
</programlisting>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>staticjinja</literal> package has been upgraded
from 1.0.4 to 4.1.1
</para>
</listitem>
<listitem>
<para>
Firefox v91 does not support addons with invalid signature
anymore. Firefox ESR needs to be used for nix addon support.
</para>
</listitem>
<listitem>
<para>
The <literal>erigon</literal> ethereum node has moved to a new
database format in <literal>2021-05-04</literal>, and requires
a full resync
</para>
</listitem>
<listitem>
<para>
The <literal>erigon</literal> ethereum node has moved its
database location in <literal>2021-08-03</literal>, users
upgrading must manually move their chaindata (see
<link xlink:href="https://github.com/ledgerwatch/erigon/releases/tag/v2021.08.03">release
notes</link>).
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-users.users._name_.group">users.users.&lt;name&gt;.group</link>
no longer defaults to <literal>nogroup</literal>, which was
insecure. Out-of-tree modules are likely to require
adaptation: instead of
</para>
<programlisting language="bash">
{
users.users.foo = {
isSystemUser = true;
};
}
</programlisting>
<para>
also create a group for your user:
</para>
<programlisting language="bash">
{
users.users.foo = {
isSystemUser = true;
group = &quot;foo&quot;;
};
users.groups.foo = {};
}
</programlisting>
</listitem>
<listitem>
<para>
<literal>services.geoip-updater</literal> was broken and has
been replaced by
<link xlink:href="options.html#opt-services.geoipupdate.enable">services.geoipupdate</link>.
</para>
</listitem>
<listitem>
<para>
<literal>ihatemoney</literal> has been updated to version
5.1.1
(<link xlink:href="https://github.com/spiral-project/ihatemoney/blob/5.1.1/CHANGELOG.rst">release
notes</link>). If you serve ihatemoney by HTTP rather than
HTTPS, you must set
<link xlink:href="options.html#opt-services.ihatemoney.secureCookie">services.ihatemoney.secureCookie</link>
to <literal>false</literal>.
</para>
</listitem>
<listitem>
<para>
PHP 7.3 is no longer supported due to upstream not supporting
this version for the entire lifecycle of the 21.11 release.
</para>
</listitem>
<listitem>
<para>
Those making use of <literal>buildBazelPackage</literal> will
need to regenerate the fetch hashes (preferred), or set
<literal>fetchConfigured = false;</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>consul</literal> was upgraded to a new major release
with breaking changes, see
<link xlink:href="https://github.com/hashicorp/consul/releases/tag/v1.10.0">upstream
changelog</link>.
</para>
</listitem>
<listitem>
<para>
fsharp41 has been removed in preference to use the latest
dotnet-sdk
</para>
</listitem>
<listitem>
<para>
The following F#-related packages have been removed for being
unmaintaned. Please use <literal>fetchNuGet</literal> for
specific packages.
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
ExtCore
</para>
</listitem>
<listitem>
<para>
Fake
</para>
</listitem>
<listitem>
<para>
Fantomas
</para>
</listitem>
<listitem>
<para>
FsCheck
</para>
</listitem>
<listitem>
<para>
FsCheck262
</para>
</listitem>
<listitem>
<para>
FsCheckNunit
</para>
</listitem>
<listitem>
<para>
FSharpAutoComplete
</para>
</listitem>
<listitem>
<para>
FSharpCompilerCodeDom
</para>
</listitem>
<listitem>
<para>
FSharpCompilerService
</para>
</listitem>
<listitem>
<para>
FSharpCompilerTools
</para>
</listitem>
<listitem>
<para>
FSharpCore302
</para>
</listitem>
<listitem>
<para>
FSharpCore3125
</para>
</listitem>
<listitem>
<para>
FSharpCore4001
</para>
</listitem>
<listitem>
<para>
FSharpCore4117
</para>
</listitem>
<listitem>
<para>
FSharpData
</para>
</listitem>
<listitem>
<para>
FSharpData225
</para>
</listitem>
<listitem>
<para>
FSharpDataSQLProvider
</para>
</listitem>
<listitem>
<para>
FSharpFormatting
</para>
</listitem>
<listitem>
<para>
FsLexYacc
</para>
</listitem>
<listitem>
<para>
FsLexYacc706
</para>
</listitem>
<listitem>
<para>
FsLexYaccRuntime
</para>
</listitem>
<listitem>
<para>
FsPickler
</para>
</listitem>
<listitem>
<para>
FsUnit
</para>
</listitem>
<listitem>
<para>
Projekt
</para>
</listitem>
<listitem>
<para>
Suave
</para>
</listitem>
<listitem>
<para>
UnionArgParser
</para>
</listitem>
<listitem>
<para>
ExcelDnaRegistration
</para>
</listitem>
<listitem>
<para>
MathNetNumerics
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<literal>programs.x2goserver</literal> is now
<literal>services.x2goserver</literal>
</para>
</listitem>
<listitem>
<para>
The following dotnet-related packages have been removed for
being unmaintaned. Please use <literal>fetchNuGet</literal>
for specific packages.
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
Autofac
</para>
</listitem>
<listitem>
<para>
SystemValueTuple
</para>
</listitem>
<listitem>
<para>
MicrosoftDiaSymReader
</para>
</listitem>
<listitem>
<para>
MicrosoftDiaSymReaderPortablePdb
</para>
</listitem>
<listitem>
<para>
SystemCollectionsImmutable
</para>
</listitem>
<listitem>
<para>
SystemCollectionsImmutable131
</para>
</listitem>
<listitem>
<para>
SystemReflectionMetadata
</para>
</listitem>
<listitem>
<para>
NUnit350
</para>
</listitem>
<listitem>
<para>
Deedle
</para>
</listitem>
<listitem>
<para>
ExcelDna
</para>
</listitem>
<listitem>
<para>
GitVersionTree
</para>
</listitem>
<listitem>
<para>
NDeskOptions
</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
<itemizedlist>
<listitem>
<para>
The <literal>antlr</literal> package now defaults to the 4.x
release instead of the old 2.7.7 version.
</para>
</listitem>
<listitem>
<para>
The <literal>pulseeffects</literal> package updated to
<link xlink:href="https://github.com/wwmm/easyeffects/releases/tag/v6.0.0">version
4.x</link> and renamed to <literal>easyeffects</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>libwnck</literal> package now defaults to the 3.x
release instead of the old 2.31.0 version.
</para>
</listitem>
<listitem>
<para>
The <literal>bitwarden_rs</literal> packages and modules were
renamed to <literal>vaultwarden</literal>
<link xlink:href="https://github.com/dani-garcia/vaultwarden/discussions/1642">following
upstream</link>. More specifically,
</para>
<itemizedlist>
<listitem>
<para>
<literal>pkgs.bitwarden_rs</literal>,
<literal>pkgs.bitwarden_rs-sqlite</literal>,
<literal>pkgs.bitwarden_rs-mysql</literal> and
<literal>pkgs.bitwarden_rs-postgresql</literal> were
renamed to <literal>pkgs.vaultwarden</literal>,
<literal>pkgs.vaultwarden-sqlite</literal>,
<literal>pkgs.vaultwarden-mysql</literal> and
<literal>pkgs.vaultwarden-postgresql</literal>,
respectively.
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
Old names are preserved as aliases for backwards
compatibility, but may be removed in the future.
</para>
</listitem>
<listitem>
<para>
The <literal>bitwarden_rs</literal> executable was
also renamed to <literal>vaultwarden</literal> in all
packages.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<literal>pkgs.bitwarden_rs-vault</literal> was renamed to
<literal>pkgs.vaultwarden-vault</literal>.
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
<literal>pkgs.bitwarden_rs-vault</literal> is
preserved as an alias for backwards compatibility, but
may be removed in the future.
</para>
</listitem>
<listitem>
<para>
The static files were moved from
<literal>/usr/share/bitwarden_rs</literal> to
<literal>/usr/share/vaultwarden</literal>.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>services.bitwarden_rs</literal> config module
was renamed to <literal>services.vaultwarden</literal>.
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
<literal>services.bitwarden_rs</literal> is preserved
as an alias for backwards compatibility, but may be
removed in the future.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<literal>systemd.services.bitwarden_rs</literal>,
<literal>systemd.services.backup-bitwarden_rs</literal>
and <literal>systemd.timers.backup-bitwarden_rs</literal>
were renamed to
<literal>systemd.services.vaultwarden</literal>,
<literal>systemd.services.backup-vaultwarden</literal> and
<literal>systemd.timers.backup-vaultwarden</literal>,
respectively.
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
Old names are preserved as aliases for backwards
compatibility, but may be removed in the future.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<literal>users.users.bitwarden_rs</literal> and
<literal>users.groups.bitwarden_rs</literal> were renamed
to <literal>users.users.vaultwarden</literal> and
<literal>users.groups.vaultwarden</literal>, respectively.
</para>
</listitem>
<listitem>
<para>
The data directory remains located at
<literal>/var/lib/bitwarden_rs</literal>, for backwards
compatibility.
</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
<itemizedlist>
<listitem>
<para>
<literal>yggdrasil</literal> was upgraded to a new major
release with breaking changes, see
<link xlink:href="https://github.com/yggdrasil-network/yggdrasil-go/releases/tag/v0.4.0">upstream
changelog</link>.
</para>
</listitem>
<listitem>
<para>
<literal>icingaweb2</literal> was upgraded to a new release
which requires a manual database upgrade, see
<link xlink:href="https://github.com/Icinga/icingaweb2/releases/tag/v2.9.0">upstream
changelog</link>.
</para>
</listitem>
<listitem>
<para>
The <literal>isabelle</literal> package has been upgraded from
2020 to 2021
</para>
</listitem>
<listitem>
<para>
the <literal>mingw-64</literal> package has been upgraded from
6.0.0 to 9.0.0
</para>
</listitem>
<listitem>
<para>
<literal>tt-rss</literal> was upgraded to the commit on
2021-06-21, which has breaking changes. If you use
<literal>services.tt-rss.extraConfig</literal> you should
migrate to the <literal>putenv</literal>-style configuration.
See
<link xlink:href="https://community.tt-rss.org/t/rip-config-php-hello-classes-config-php/4337">this
Discourse post</link> in the tt-rss forums for more details.
</para>
</listitem>
<listitem>
<para>
The following Visual Studio Code extensions were renamed to
keep the naming convention uniform.
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
<literal>bbenoist.Nix</literal> -&gt;
<literal>bbenoist.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>CoenraadS.bracket-pair-colorizer</literal> -&gt;
<literal>coenraads.bracket-pair-colorizer</literal>
</para>
</listitem>
<listitem>
<para>
<literal>golang.Go</literal> -&gt;
<literal>golang.go</literal>
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<literal>services.uptimed</literal> now uses
<literal>/var/lib/uptimed</literal> as its stateDirectory
instead of <literal>/var/spool/uptimed</literal>. Make sure to
move all files to the new directory.
</para>
</listitem>
<listitem>
<para>
Deprecated package aliases in <literal>emacs.pkgs.*</literal>
have been removed. These aliases were remnants of the old
Emacs package infrastructure. We now use exact upstream names
wherever possible.
</para>
</listitem>
<listitem>
<para>
<literal>programs.neovim.runtime</literal> switched to a
<literal>linkFarm</literal> internally, making it impossible
to use wildcards in the <literal>source</literal> argument.
</para>
</listitem>
<listitem>
<para>
The <literal>openrazer</literal> and
<literal>openrazer-daemon</literal> packages as well as the
<literal>hardware.openrazer</literal> module now require users
to be members of the <literal>openrazer</literal> group
instead of <literal>plugdev</literal>. With this change, users
no longer need be granted the entire set of
<literal>plugdev</literal> group permissions, which can
include permissions other than those required by
<literal>openrazer</literal>. This is desirable from a
security point of view. The setting
<link xlink:href="options.html#opt-services.hardware.openrazer.users"><literal>harware.openrazer.users</literal></link>
can be used to add users to the <literal>openrazer</literal>
group.
</para>
</listitem>
<listitem>
<para>
The fontconfig services dpi option has been removed.
Fontconfig should use Xft settings by default so theres no
need to override one value in multiple places. The user can
set DPI via ~/.Xresources properly, or at the system level per
monitor, or as a last resort at the system level with
<literal>services.xserver.dpi</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>yambar</literal> package has been split into
<literal>yambar</literal> and
<literal>yambar-wayland</literal>, corresponding to the xorg
and wayland backend respectively. Please switch to
<literal>yambar-wayland</literal> if you are on wayland.
</para>
</listitem>
<listitem>
<para>
The <literal>services.minio</literal> module gained an
additional option <literal>consoleAddress</literal>, that
configures the address and port the web UI is listening, it
defaults to <literal>:9001</literal>. To be able to access the
web UI this port needs to be opened in the firewall.
</para>
</listitem>
<listitem>
<para>
The <literal>varnish</literal> package was upgraded from 6.3.x
to 7.x. <literal>varnish60</literal> for the last LTS release
is also still available.
</para>
</listitem>
<listitem>
<para>
The <literal>kubernetes</literal> package was upgraded to
1.22. The <literal>kubernetes.apiserver.kubeletHttps</literal>
option was removed and HTTPS is always used.
</para>
</listitem>
<listitem>
<para>
The attribute <literal>linuxPackages_latest_hardened</literal>
was dropped because the hardened patches lag behind the
upstream kernel which made version bumps harder. If you want
to use a hardened kernel, please pin it explicitly with a
versioned attribute such as
<literal>linuxPackages_5_10_hardened</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>nomad</literal> package now defaults to a 1.1.x
release instead of 1.0.x
</para>
</listitem>
<listitem>
<para>
If <literal>exfat</literal> is included in
<literal>boot.supportedFilesystems</literal> and when using
kernel 5.7 or later, the <literal>exfatprogs</literal>
user-space utilities are used instead of
<literal>exfat</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>todoman</literal> package was upgraded from 3.9.0
to 4.0.0. This introduces breaking changes in the
<link xlink:href="https://todoman.readthedocs.io/en/stable/configure.html#configuration-file">configuration
file</link> format.
</para>
</listitem>
<listitem>
<para>
The <literal>datadog-agent</literal>,
<literal>datadog-integrations-core</literal> and
<literal>datadog-process-agent</literal> packages were
upgraded from 6.11.2 to 7.30.2, git-2018-09-18 to 7.30.1 and
6.11.1 to 7.30.2, respectively. As a result
<literal>services.datadog-agent</literal> has had breaking
changes to the configuration file. For details, see the
<link xlink:href="https://github.com/DataDog/datadog-agent/blob/main/CHANGELOG.rst">upstream
changelog</link>.
</para>
</listitem>
<listitem>
<para>
<literal>opencv2</literal> no longer includes the non-free
libraries by default, and consequently
<literal>pfstools</literal> no longer includes OpenCV support
by default. Both packages now support an
<literal>enableUnfree</literal> option to re-enable this
functionality.
</para>
</listitem>
<listitem>
<para>
<literal>services.xserver.displayManager.defaultSession = &quot;plasma5&quot;</literal>
does not work anymore, instead use either
<literal>&quot;plasma&quot;</literal> for the Plasma X11
session or <literal>&quot;plasmawayland&quot;</literal> for
the Plasma Wayland sesison.
</para>
</listitem>
<listitem>
<para>
<literal>boot.kernelParams</literal> now only accepts one
command line parameter per string. This change is aimed to
reduce common mistakes like <quote>param = 12</quote>, which
would be parsed as 3 parameters.
</para>
</listitem>
<listitem>
<para>
<literal>nix.daemonNiceLevel</literal> and
<literal>nix.daemonIONiceLevel</literal> have been removed in
favour of the new options
<link xlink:href="options.html#opt-nix.daemonCPUSchedPolicy"><literal>nix.daemonCPUSchedPolicy</literal></link>,
<link xlink:href="options.html#opt-nix.daemonIOSchedClass"><literal>nix.daemonIOSchedClass</literal></link>
and
<link xlink:href="options.html#opt-nix.daemonIOSchedPriority"><literal>nix.daemonIOSchedPriority</literal></link>.
Please refer to the options documentation and the
<literal>sched(7)</literal> and
<literal>ioprio_set(2)</literal> man pages for guidance on how
to use them.
</para>
</listitem>
<listitem>
<para>
The <literal>coursier</literal> packages binary was renamed
from <literal>coursier</literal> to <literal>cs</literal>.
Completions which havent worked for a while should now work
with the renamed binary. To keep using
<literal>coursier</literal>, you can create a shell alias.
</para>
</listitem>
<listitem>
<para>
The <literal>services.mosquitto</literal> module has been
rewritten to support multiple listeners and per-listener
configuration. Module configurations from previous releases
will no longer work and must be updated.
</para>
</listitem>
<listitem>
<para>
The <literal>fluidsynth_1</literal> attribute has been
removed, as this legacy version is no longer needed in
nixpkgs. The actively maintained 2.x series is available as
<literal>fluidsynth</literal> unchanged.
</para>
</listitem>
<listitem>
<para>
Nextcloud 20 (<literal>pkgs.nextcloud20</literal>) has been
dropped because it was EOLed by upstream in 2021-10.
</para>
</listitem>
<listitem>
<para>
The <literal>virtualisation.pathsInNixDB</literal> option was
renamed
<link xlink:href="options.html#opt-virtualisation.additionalPaths"><literal>virtualisation.additionalPaths</literal></link>.
</para>
</listitem>
<listitem>
<para>
The <literal>services.ddclient.password</literal> option was
removed, and replaced with
<literal>services.ddclient.passwordFile</literal>.
</para>
</listitem>
<listitem>
<para>
The default GNAT version has been changed: The
<literal>gnat</literal> attribute now points to
<literal>gnat11</literal> instead of <literal>gnat9</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>retroArchCores</literal> has been removed. This means
that using <literal>nixpkgs.config.retroarch</literal> to
customize RetroArch cores is not supported anymore. Instead,
use package overrides, for example:
<literal>retroarch.override { cores = with libretro; [ citra snes9x ]; };</literal>.
Also, <literal>retroarchFull</literal> derivation is available
for those who want to have all RetroArch cores available.
</para>
</listitem>
<listitem>
<para>
The Linux kernel for security reasons now restricts access to
BPF syscalls via <literal>BPF_UNPRIV_DEFAULT_OFF=y</literal>.
Unprivileged access can be reenabled via the
<literal>kernel.unprivileged_bpf_disabled</literal> sysctl
knob.
</para>
</listitem>
<listitem>
<para>
<literal>/usr</literal> will always be included in the initial
ramdisk. See the
<literal>fileSystems.&lt;name&gt;.neededForBoot</literal>
option. If any files exist under <literal>/usr</literal>
(which is not typical for NixOS), they will be included in the
initial ramdisk, increasing its size to a possibly problematic
extent.
</para>
</listitem>
<listitem>
<para>
<literal>pkgs.haskell-language-server</literal> will now by
default be linked dynamically to improve TemplateHaskell
compatibility. To mitigate the increased closure size it will
now by default only support our current default ghc (at the
moment 9.0.2). Add other ghc versions via e.g.
<literal>pkgs.haskell-language-server.override { supportedGhcVersions = [ &quot;90&quot; &quot;92&quot; ]; }</literal>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-21.11-notable-changes">
<title>Other Notable Changes</title>
<itemizedlist>
<listitem>
<para>
The linux kernel package infrastructure was moved out of
<literal>all-packages.nix</literal>, and restructured. Linux
related functions and attributes now live under the
<literal>pkgs.linuxKernel</literal> attribute set. In
particular the versioned <literal>linuxPackages_*</literal>
package sets (such as <literal>linuxPackages_5_4</literal>)
and kernels from <literal>pkgs</literal> were moved there and
now live under <literal>pkgs.linuxKernel.packages.*</literal>.
The unversioned ones (such as
<literal>linuxPackages_latest</literal>) remain untouched.
</para>
</listitem>
<listitem>
<para>
In NixOS virtual machines (QEMU), the
<literal>virtualisation</literal> module has been updated with
new options:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
<link xlink:href="options.html#opt-virtualisation.forwardPorts"><literal>forwardPorts</literal></link>
to configure IPv4 port forwarding,
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-virtualisation.sharedDirectories"><literal>sharedDirectories</literal></link>
to set up shared host directories,
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-virtualisation.resolution"><literal>resolution</literal></link>
to set the screen resolution,
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-virtualisation.useNixStoreImage"><literal>useNixStoreImage</literal></link>
to use a disk image for the Nix store instead of 9P.
</para>
</listitem>
</itemizedlist>
<para>
In addition, the default
<link xlink:href="options.html#opt-virtualisation.msize"><literal>msize</literal></link>
parameter in 9P filesystems (including /nix/store and all
shared directories) has been increased to 16K for improved
performance.
</para>
</listitem>
<listitem>
<para>
The setting
<link xlink:href="options.html#opt-services.openssh.logLevel"><literal>services.openssh.logLevel</literal></link>
<literal>&quot;VERBOSE&quot;</literal>
<literal>&quot;INFO&quot;</literal>. This brings NixOS in line
with upstream and other Linux distributions, and reduces log
spam on servers due to bruteforcing botnets.
</para>
<para>
However, if
<link xlink:href="options.html#opt-services.fail2ban.enable"><literal>services.fail2ban.enable</literal></link>
is <literal>true</literal>, the <literal>fail2ban</literal>
will override the verbosity to
<literal>&quot;VERBOSE&quot;</literal>, so that
<literal>fail2ban</literal> can observe the failed login
attempts from the SSH logs.
</para>
</listitem>
<listitem>
<para>
The
<link xlink:href="options.html#opt-services.xserver.extraLayouts"><literal>services.xserver.extraLayouts</literal></link>
no longer cause additional rebuilds when a layout is added or
modified.
</para>
</listitem>
<listitem>
<para>
Sway: The terminal emulator <literal>rxvt-unicode</literal> is
no longer installed by default via
<literal>programs.sway.extraPackages</literal>. The current
default configuration uses <literal>alacritty</literal> (and
soon <literal>foot</literal>) so this is only an issue when
using a customized configuration and not installing
<literal>rxvt-unicode</literal> explicitly.
</para>
</listitem>
<listitem>
<para>
<literal>python3</literal> now defaults to Python 3.9. Python
3.9 introduces many deprecation warnings, please look at the
<link xlink:href="https://docs.python.org/3/whatsnew/3.9.html">Whats
New In Python 3.9 post</link> for more information.
</para>
</listitem>
<listitem>
<para>
<literal>qtile</literal> hase been updated from
<quote>0.16.0</quote> to <quote>0.18.0</quote>, please check
<link xlink:href="https://github.com/qtile/qtile/blob/master/CHANGELOG">qtile
changelog</link> for changes.
</para>
</listitem>
<listitem>
<para>
The <literal>claws-mail</literal> package now references the
new GTK+ 3 release branch, major version 4. To use the GTK+ 2
releases, one can install the
<literal>claws-mail-gtk2</literal> package.
</para>
</listitem>
<listitem>
<para>
The wordpress module provides a new interface which allows to
use different webservers with the new option
<link xlink:href="options.html#opt-services.wordpress.webserver"><literal>services.wordpress.webserver</literal></link>.
Currently <literal>httpd</literal>, <literal>caddy</literal>
and <literal>nginx</literal> are supported. The definitions of
wordpress sites should now be set in
<link xlink:href="options.html#opt-services.wordpress.sites"><literal>services.wordpress.sites</literal></link>.
</para>
<para>
Sites definitions that use the old interface are automatically
migrated in the new option. This backward compatibility will
be removed in 22.05.
</para>
</listitem>
<listitem>
<para>
The dokuwiki module provides a new interface which allows to
use different webservers with the new option
<link xlink:href="options.html#opt-services.dokuwiki.webserver"><literal>services.dokuwiki.webserver</literal></link>.
Currently <literal>caddy</literal> and
<literal>nginx</literal> are supported. The definitions of
dokuwiki sites should now be set in
<link xlink:href="options.html#opt-services.dokuwiki.sites"><literal>services.dokuwiki.sites</literal></link>.
</para>
<para>
Sites definitions that use the old interface are automatically
migrated in the new option. This backward compatibility will
be removed in 22.05.
</para>
</listitem>
<listitem>
<para>
The order of NSS (host) modules has been brought in line with
upstream recommendations:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
The <literal>myhostname</literal> module is placed before
the <literal>resolve</literal> (optional) and
<literal>dns</literal> entries, but after
<literal>file</literal> (to allow overriding via
<literal>/etc/hosts</literal> /
<literal>networking.extraHosts</literal>, and prevent ISPs
with catchall-DNS resolvers from hijacking
<literal>.localhost</literal> domains)
</para>
</listitem>
<listitem>
<para>
The <literal>mymachines</literal> module, which provides
hostname resolution for local containers (registered with
<literal>systemd-machined</literal>) is placed to the
front, to make sure its mappings are preferred over other
resolvers.
</para>
</listitem>
<listitem>
<para>
If systemd-networkd is enabled, the
<literal>resolve</literal> module is placed before
<literal>files</literal> and
<literal>myhostname</literal>, as it provides the same
logic internally, with caching.
</para>
</listitem>
<listitem>
<para>
The <literal>mdns(_minimal)</literal> module has been
updated to the new priorities.
</para>
</listitem>
</itemizedlist>
<para>
If you use your own NSS host modules, make sure to update your
priorities according to these rules:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
NSS modules which should be queried before
<literal>resolved</literal> DNS resolution should use
mkBefore.
</para>
</listitem>
<listitem>
<para>
NSS modules which should be queried after
<literal>resolved</literal>, <literal>files</literal> and
<literal>myhostname</literal>, but before
<literal>dns</literal> should use the default priority
</para>
</listitem>
<listitem>
<para>
NSS modules which should come after <literal>dns</literal>
should use mkAfter.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The
<link xlink:href="options.html#opt-networking.wireless.enable">networking.wireless</link>
module (based on wpa_supplicant) has been heavily reworked,
solving a number of issues and adding useful features:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
The automatic discovery of wireless interfaces at boot has
been made reliable again (issues
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/101963">#101963</link>,
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/23196">#23196</link>).
</para>
</listitem>
<listitem>
<para>
WPA3 and Fast BSS Transition (802.11r) are now enabled by
default for all networks.
</para>
</listitem>
<listitem>
<para>
Secrets like pre-shared keys and passwords can now be
handled safely, meaning without including them in a
world-readable file
(<literal>wpa_supplicant.conf</literal> under /nix/store).
This is achieved by storing the secrets in a secured
<link xlink:href="options.html#opt-networking.wireless.environmentFile">environmentFile</link>
and referring to them though environment variables that
are expanded inside the configuration.
</para>
</listitem>
<listitem>
<para>
With multiple interfaces declared, independent
wpa_supplicant daemons are started, one for each interface
(the services are named
<literal>wpa_supplicant-wlan0</literal>,
<literal>wpa_supplicant-wlan1</literal>, etc.).
</para>
</listitem>
<listitem>
<para>
The generated <literal>wpa_supplicant.conf</literal> file
is now formatted for easier reading.
</para>
</listitem>
<listitem>
<para>
A new
<link xlink:href="options.html#opt-networking.wireless.scanOnLowSignal">scanOnLowSignal</link>
option has been added to facilitate fast roaming between
access points (enabled by default).
</para>
</listitem>
<listitem>
<para>
A new
<link xlink:href="options.html#opt-networking.wireless.networks._name_.authProtocols">networks.&lt;name&gt;.authProtocols</link>
option has been added to change the authentication
protocols used when connecting to a network.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The
<link xlink:href="options.html#opt-networking.wireless.iwd.enable">networking.wireless.iwd</link>
module has a new
<link xlink:href="options.html#opt-networking.wireless.iwd.settings">networking.wireless.iwd.settings</link>
option.
</para>
</listitem>
<listitem>
<para>
The
<link xlink:href="options.html#opt-services.smokeping.host">services.smokeping.host</link>
option was added and defaulted to
<literal>localhost</literal>. Before,
<literal>smokeping</literal> listened to all interfaces by
default. NixOS defaults generally aim to provide
non-Internet-exposed defaults for databases and internal
monitoring tools, see e.g.
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/100192">#100192</link>.
Further, the systemd service for <literal>smokeping</literal>
got reworked defaults for increased operational stability, see
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/144127">PR
#144127</link> for details.
</para>
</listitem>
<listitem>
<para>
The
<link xlink:href="options.html#opt-services.syncoid.enable">services.syncoid.enable</link>
module now properly drops ZFS permissions after usage. Before
it delegated permissions to whole pools instead of datasets
and didnt clean up after execution. You can manually look
this up for your pools by running
<literal>zfs allow your-pool-name</literal> and use
<literal>zfs unallow syncoid your-pool-name</literal> to clean
this up.
</para>
</listitem>
<listitem>
<para>
Zfs: <literal>latestCompatibleLinuxPackages</literal> is now
exported on the zfs package. One can use
<literal>boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;</literal>
to always track the latest compatible kernel with a given
version of zfs.
</para>
</listitem>
<listitem>
<para>
Nginx will use the value of
<literal>sslTrustedCertificate</literal> if provided for a
virtual host, even if <literal>enableACME</literal> is set.
This is useful for providers not using the same certificate to
sign OCSP responses and server certificates.
</para>
</listitem>
<listitem>
<para>
<literal>lib.formats.yaml</literal>s
<literal>generate</literal> will not generate JSON anymore,
but instead use more of the YAML-specific syntax.
</para>
</listitem>
<listitem>
<para>
MariaDB was upgraded from 10.5.x to 10.6.x. Please read the
<link xlink:href="https://mariadb.com/kb/en/changes-improvements-in-mariadb-106/">upstream
release notes</link> for changes and upgrade instructions.
</para>
</listitem>
<listitem>
<para>
The MariaDB C client library, also known as libmysqlclient or
mariadb-connector-c, was upgraded from 3.1.x to 3.2.x. While
this should hopefully not have any impact, this upgrade comes
with some changes to default behavior, so you might want to
review the
<link xlink:href="https://mariadb.com/kb/en/changes-and-improvements-in-mariadb-connector-c-32/">upstream
release notes</link>.
</para>
</listitem>
<listitem>
<para>
GNOME desktop environment now enables
<literal>QGnomePlatform</literal> as the Qt platform theme,
which should avoid crashes when opening file chooser dialogs
in Qt apps by using XDG desktop portal. Additionally, it will
make the apps fit better visually.
</para>
</listitem>
<listitem>
<para>
<literal>rofi</literal> has been updated from
<quote>1.6.1</quote> to <quote>1.7.0</quote>, one important
thing is the removal of the old xresources based configuration
setup. Read more
<link xlink:href="https://github.com/davatorium/rofi/blob/cb12e6fc058f4a0f4f/Changelog#L1">in
rofis changelog</link>.
</para>
</listitem>
<listitem>
<para>
ipfs now defaults to not listening on you local network. This
setting was change as server providers wont accept port
scanning on their private network. If you have several ipfs
instances running on a network you own, feel free to change
the setting <literal>ipfs.localDiscovery = true;</literal>.
localDiscovery enables different instances to discover each
other and share data.
</para>
</listitem>
<listitem>
<para>
<literal>lua</literal> and <literal>luajit</literal>
interpreters have been patched to avoid looking into /usr/lib
directories, thus increasing the purity of the build.
</para>
</listitem>
<listitem>
<para>
Three new options,
<link linkend="opt-xdg.mime.addedAssociations">xdg.mime.addedAssociations</link>,
<link linkend="opt-xdg.mime.defaultApplications">xdg.mime.defaultApplications</link>,
and
<link linkend="opt-xdg.mime.removedAssociations">xdg.mime.removedAssociations</link>
have been added to the
<link linkend="opt-xdg.mime.enable">xdg.mime</link> module to
allow the configuration of
<literal>/etc/xdg/mimeapps.list</literal>.
</para>
</listitem>
<listitem>
<para>
Kopia was upgraded from 0.8.x to 0.9.x. Please read the
<link xlink:href="https://github.com/kopia/kopia/releases/tag/v0.9.0">upstream
release notes</link> for changes and upgrade instructions.
</para>
</listitem>
<listitem>
<para>
The <literal>systemd.network</literal> module has gained
support for the FooOverUDP link type.
</para>
</listitem>
<listitem>
<para>
The <literal>networking</literal> module has a new
<literal>networking.fooOverUDP</literal> option to configure
Foo-over-UDP encapsulations.
</para>
</listitem>
<listitem>
<para>
<literal>networking.sits</literal> now supports Foo-over-UDP
encapsulation.
</para>
</listitem>
<listitem>
<para>
The <literal>virtualisation.libvirtd</literal> module has been
refactored and updated with new options:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
<literal>virtualisation.libvirtd.qemu*</literal> options
(e.g.:
<literal>virtualisation.libvirtd.qemuRunAsRoot</literal>)
were moved to
<link xlink:href="options.html#opt-virtualisation.libvirtd.qemu"><literal>virtualisation.libvirtd.qemu</literal></link>
submodule,
</para>
</listitem>
<listitem>
<para>
software TPM1/TPM2 support (e.g.: Windows 11 guests)
(<link xlink:href="options.html#opt-virtualisation.libvirtd.qemu.swtpm"><literal>virtualisation.libvirtd.qemu.swtpm</literal></link>),
</para>
</listitem>
<listitem>
<para>
custom OVMF package (e.g.:
<literal>pkgs.OVMFFull</literal> with HTTP, CSM and Secure
Boot support)
(<link xlink:href="options.html#opt-virtualisation.libvirtd.qemu.ovmf.package"><literal>virtualisation.libvirtd.qemu.ovmf.package</literal></link>).
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>cawbird</literal> Twitter client now uses its own
API keys to count as different application than upstream
builds. This is done to evade application-level rate limiting.
While existing accounts continue to work, users may want to
remove and re-register their account in the client to enjoy a
better user experience and benefit from this change.
</para>
</listitem>
<listitem>
<para>
A new option
<literal>services.prometheus.enableReload</literal> has been
added which can be enabled to reload the prometheus service
when its config file changes instead of restarting.
</para>
</listitem>
<listitem>
<para>
The option
<literal>services.prometheus.environmentFile</literal> has
been removed since it was causing
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/126083">issues</link>
and Prometheus now has native support for secret files, i.e.
<literal>basic_auth.password_file</literal> and
<literal>authorization.credentials_file</literal>.
</para>
</listitem>
<listitem>
<para>
Dokuwiki now supports caddy! However
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
the nginx option has been removed, in the new
configuration, please use the
<literal>dokuwiki.webserver = &quot;nginx&quot;</literal>
instead.
</para>
</listitem>
<listitem>
<para>
The <quote>${hostname}</quote> option has been deprecated,
please use
<literal>dokuwiki.sites = [ &quot;${hostname}&quot; ]</literal>
instead
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The
<link xlink:href="options.html#opt-services.unifi.enable">services.unifi</link>
module has been reworked, solving a number of issues. This
leads to several user facing changes:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
The <literal>services.unifi.dataDir</literal> option is
removed and the data is now always located under
<literal>/var/lib/unifi/data</literal>. This is done to
make better use of systemd state direcotiry and thus
making the service restart more reliable.
</para>
</listitem>
<listitem>
<para>
The unifi logs can now be found under:
<literal>/var/log/unifi</literal> instead of
<literal>/var/lib/unifi/logs</literal>.
</para>
</listitem>
<listitem>
<para>
The unifi run directory can now be found under:
<literal>/run/unifi</literal> instead of
<literal>/var/lib/unifi/run</literal>.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<literal>security.pam.services.&lt;name&gt;.makeHomeDir</literal>
now uses <literal>umask=0077</literal> instead of
<literal>umask=0022</literal> when creating the home
directory.
</para>
</listitem>
<listitem>
<para>
Loki has had another release. Some default values have been
changed for the configuration and some configuration options
have been renamed. For more details, please check
<link xlink:href="https://grafana.com/docs/loki/latest/upgrading/#240">the
upgrade guide</link>.
</para>
</listitem>
<listitem>
<para>
<literal>julia</literal> now refers to
<literal>julia-stable</literal> instead of
<literal>julia-lts</literal>. In practice this means it has
been upgraded from <literal>1.0.4</literal> to
<literal>1.5.4</literal>.
</para>
</listitem>
<listitem>
<para>
RetroArch has been upgraded from version
<literal>1.8.5</literal> to <literal>1.9.13.2</literal>. Since
the previous release was quite old, if youre having issues
after the upgrade, please delete your
<literal>$XDG_CONFIG_HOME/retroarch/retroarch.cfg</literal>
file.
</para>
</listitem>
<listitem>
<para>
hydrus has been upgraded from version <literal>438</literal>
to <literal>463</literal>. Since upgrading between releases
this old is advised against, be sure to have a backup of your
data before upgrading. For details, see
<link xlink:href="https://hydrusnetwork.github.io/hydrus/help/getting_started_installing.html#big_updates">the
hydrus manual</link>.
</para>
</listitem>
<listitem>
<para>
More jdk and jre versions are now exposed via
<literal>java-packages.compiler</literal>.
</para>
</listitem>
<listitem>
<para>
The sets <literal>haskell.packages</literal> and
<literal>haskell.compiler</literal> now contain for every ghc
version an attribute with the minor version dropped. E.g. for
<literal>ghc8107</literal> there also now exists
<literal>ghc810</literal>. Those attributes point to the same
compilers and packagesets but have the advantage that e.g.
<literal>ghc92</literal> stays stable when we update from
<literal>ghc924</literal> to <literal>ghc925</literal>.
</para>
</listitem>
</itemizedlist>
</section>
</section>
View git blame Copy permalink