diff --git a/nixos/doc/manual/configuration/config-file.xml b/nixos/doc/manual/configuration/config-file.xml index c77cfe137baa..eadafb94b8f6 100644 --- a/nixos/doc/manual/configuration/config-file.xml +++ b/nixos/doc/manual/configuration/config-file.xml @@ -200,8 +200,9 @@ swapDevices = [ { device = "/dev/disk/by-label/swap"; } ]; = pkgs.postgresql_10; The latter option definition changes the default PostgreSQL package used - by NixOS’s PostgreSQL service to 10.x. For more information on packages, - including how to add new ones, see . + by NixOS’s PostgreSQL service to 10.x. For more information on + packages, including how to add new ones, see + . diff --git a/nixos/doc/manual/configuration/kubernetes.xml b/nixos/doc/manual/configuration/kubernetes.xml index ddc026c0c010..54a100e44795 100644 --- a/nixos/doc/manual/configuration/kubernetes.xml +++ b/nixos/doc/manual/configuration/kubernetes.xml @@ -4,15 +4,13 @@ version="5.0" xml:id="sec-kubernetes"> Kubernetes - - The NixOS Kubernetes module is a collective term for a handful of - individual submodules implementing the Kubernetes cluster components. + The NixOS Kubernetes module is a collective term for a handful of individual + submodules implementing the Kubernetes cluster components. - - There are generally two ways of enabling Kubernetes on NixOS. - One way is to enable and configure cluster components appropriately by hand: + There are generally two ways of enabling Kubernetes on NixOS. One way is to + enable and configure cluster components appropriately by hand: services.kubernetes = { apiserver.enable = true; 
@@ -33,95 +31,82 @@ services.kubernetes = { = [ "node" ]; - Assigning both the master and node roles is usable if you want a single - node Kubernetes cluster for dev or testing purposes: + Assigning both the master and node roles is usable if you want a single node + Kubernetes cluster for dev or testing purposes: = [ "master" "node" ]; Note: Assigning either role will also default both and - to true. - This sets up flannel as CNI and activates automatic PKI bootstrapping. + to true. This sets up + flannel as CNI and activates automatic PKI bootstrapping. - - As of kubernetes 1.10.X it has been deprecated to open - non-tls-enabled ports on kubernetes components. Thus, from NixOS 19.03 all - plain HTTP ports have been disabled by default. - While opening insecure ports is still possible, it is recommended not to - bind these to other interfaces than loopback. - - To re-enable the insecure port on the apiserver, see options: - - and - + As of kubernetes 1.10.X it has been deprecated to open non-tls-enabled ports + on kubernetes components. Thus, from NixOS 19.03 all plain HTTP ports have + been disabled by default. While opening insecure ports is still possible, it + is recommended not to bind these to other interfaces than loopback. To + re-enable the insecure port on the apiserver, see options: + and + - As of NixOS 19.03, it is mandatory to configure: - . - The masterAddress must be resolveable and routeable by all cluster nodes. - In single node clusters, this can be set to localhost. + . The masterAddress + must be resolveable and routeable by all cluster nodes. In single node + clusters, this can be set to localhost. - - Role-based access control (RBAC) authorization mode is enabled by default. - This means that anonymous requests to the apiserver secure port will - expectedly cause a permission denied error. All cluster components must - therefore be configured with x509 certificates for two-way tls communication. 
- The x509 certificate subject section determines the roles and permissions - granted by the apiserver to perform clusterwide or namespaced operations. - See also: - - Using RBAC Authorization. + Using RBAC Authorization. - - - The NixOS kubernetes module provides an option for automatic certificate - bootstrapping and configuration, - . - The PKI bootstrapping process involves setting up a certificate authority - (CA) daemon (cfssl) on the kubernetes master node. cfssl generates a CA-cert - for the cluster, and uses the CA-cert for signing subordinate certs issued to - each of the cluster components. Subsequently, the certmgr daemon monitors - active certificates and renews them when needed. For single node Kubernetes - clusters, setting = true - is sufficient and no further action is required. For joining extra node - machines to an existing cluster on the other hand, establishing initial trust - is mandatory. - - - To add new nodes to the cluster: - On any (non-master) cluster node where - is enabled, the helper - script nixos-kubernetes-node-join is available on PATH. - Given a token on stdin, it will copy the token to the kubernetes - secrets directory and restart the certmgr service. As requested - certificates are issued, the script will restart kubernetes cluster - components as needed for them to pick up new keypairs. + The NixOS kubernetes module provides an option for automatic certificate + bootstrapping and configuration, + . The PKI bootstrapping + process involves setting up a certificate authority (CA) daemon (cfssl) on + the kubernetes master node. cfssl generates a CA-cert for the cluster, and + uses the CA-cert for signing subordinate certs issued to each of the cluster + components. Subsequently, the certmgr daemon monitors active certificates and + renews them when needed. For single node Kubernetes clusters, setting + = true is sufficient and + no further action is required. 
For joining extra node machines to an existing + cluster on the other hand, establishing initial trust is mandatory. + + + To add new nodes to the cluster: On any (non-master) cluster node where + is enabled, the helper + script nixos-kubernetes-node-join is available on PATH. + Given a token on stdin, it will copy the token to the kubernetes secrets + directory and restart the certmgr service. As requested certificates are + issued, the script will restart kubernetes cluster components as needed for + them to pick up new keypairs. - Multi-master (HA) clusters are not supported by the easyCerts module. - - In order to interact with an RBAC-enabled cluster as an administrator, one - needs to have cluster-admin privileges. By default, when easyCerts is - enabled, a cluster-admin kubeconfig file is generated and linked into - /etc/kubernetes/cluster-admin.kubeconfig as determined by - . - export KUBECONFIG=/etc/kubernetes/cluster-admin.kubeconfig - will make kubectl use this kubeconfig to access and authenticate the cluster. - The cluster-admin kubeconfig references an auto-generated keypair owned by - root. Thus, only root on the kubernetes master may obtain cluster-admin - rights by means of this file. + In order to interact with an RBAC-enabled cluster as an administrator, one + needs to have cluster-admin privileges. By default, when easyCerts is + enabled, a cluster-admin kubeconfig file is generated and linked into + /etc/kubernetes/cluster-admin.kubeconfig as determined by + . + export KUBECONFIG=/etc/kubernetes/cluster-admin.kubeconfig + will make kubectl use this kubeconfig to access and authenticate the cluster. + The cluster-admin kubeconfig references an auto-generated keypair owned by + root. Thus, only root on the kubernetes master may obtain cluster-admin + rights by means of this file. - diff --git a/nixos/doc/manual/configuration/matrix.xml b/nixos/doc/manual/configuration/matrix.xml index a9a5d6de1f1d..66965460a15d 100644 
--- a/nixos/doc/manual/configuration/matrix.xml +++ b/nixos/doc/manual/configuration/matrix.xml @@ -5,31 +5,34 @@ xml:id="module-services-matrix"> Matrix - Matrix - is an open standard for interoperable, decentralised, real-time communication over IP. - It can be used to power Instant Messaging, VoIP/WebRTC signalling, Internet of Things communication - - or anywhere you need a standard HTTP API for publishing and subscribing to data whilst tracking the conversation history. + Matrix is an open standard for + interoperable, decentralised, real-time communication over IP. It can be used + to power Instant Messaging, VoIP/WebRTC signalling, Internet of Things + communication - or anywhere you need a standard HTTP API for publishing and + subscribing to data whilst tracking the conversation history. - This chapter will show you how to set up your own, self-hosted Matrix homeserver using the Synapse reference homeserver, - and how to serve your own copy of the Riot web client. - See the Try Matrix Now! - overview page for links to Riot Apps for Android and iOS, desktop clients, - as well as bridges to other networks and other projects around Matrix. + This chapter will show you how to set up your own, self-hosted Matrix + homeserver using the Synapse reference homeserver, and how to serve your own + copy of the Riot web client. See the + Try + Matrix Now! overview page for links to Riot Apps for Android and iOS, + desktop clients, as well as bridges to other networks and other projects + around Matrix. -
Synapse Homeserver + - Synapse - is the reference homeserver implementation of Matrix from the core development team at matrix.org. - The following configuration example will set up a synapse server for the example.org - domain, served from the host myhostname.example.org. - For more information, please refer to the + Synapse is + the reference homeserver implementation of Matrix from the core development + team at matrix.org. The following configuration example will set up a + synapse server for the example.org domain, served from + the host myhostname.example.org. For more information, + please refer to the - installation instructions of Synapse - . - + installation instructions of Synapse . + let fqdn = let 
@@ -116,28 +119,29 @@ }; + - If the A and AAAA DNS records on example.org - do not point on the same host as the records for myhostname.example.org, - you can easily move the /.well-known virtualHost section of the code - to the host that is serving example.org, - while the rest stays on myhostname.example.org - with no other changes required. - This pattern also allows to seamlessly move the homeserver from myhostname.example.org - to myotherhost.example.org by only changing the /.well-known redirection target. + If the A and AAAA DNS records on + example.org do not point on the same host as the records + for myhostname.example.org, you can easily move the + /.well-known virtualHost section of the code to the host that + is serving example.org, while the rest stays on + myhostname.example.org with no other changes required. + This pattern also allows to seamlessly move the homeserver from + myhostname.example.org to + myotherhost.example.org by only changing the + /.well-known redirection target. - If you want to run a server with public registration by anybody, - you can then enable - . - Otherwise, or you can generate a registration secret with pwgen -s 64 1 - and set it with - . - To create a new user or admin, - run the following after you have set the secret and have rebuilt NixOS: - - + If you want to run a server with public registration by anybody, you can + then enable . Otherwise, or you can generate a registration secret with + pwgen -s 64 1 and set it with + . To + create a new user or admin, run the following after you have set the secret + and have rebuilt NixOS: + $ nix run nixpkgs.matrix-synapse $ register_new_matrix_user -k <your-registration-shared-secret> http://localhost:8008 New user localpart: <your-username> 
@@ -147,31 +151,32 @@ Success! In the example, this would create a user with the Matrix Identifier - @your-username:example.org. - Note that the registration secret ends up in the nix store and therefore is world-readable - by any user on your machine, so it makes sense to only temporarily activate the - option until a better solution for NixOS is in place. + @your-username:example.org. Note that the registration + secret ends up in the nix store and therefore is world-readable by any user + on your machine, so it makes sense to only temporarily activate the + option until a better solution + for NixOS is in place.
-
Riot Web Client - - Riot Web - is the reference web client for Matrix and developed by the core team at matrix.org. - The following snippet can be optionally added to the code before to complete the synapse - installation with a web client served at - https://riot.myhostname.example.org and https://riot.example.org. - Alternatively, you can use the hosted copy at - https://riot.im/app, - or use other web clients or native client applications. - Due to the /.well-known urls set up done above, - many clients should fill in the required connection details automatically - when you enter your Matrix Identifier. - See Try Matrix Now! - for a list of existing clients and their supported featureset. - + + Riot Web is + the reference web client for Matrix and developed by the core team at + matrix.org. The following snippet can be optionally added to the code before + to complete the synapse installation with a web client served at + https://riot.myhostname.example.org and + https://riot.example.org. Alternatively, you can use the hosted + copy at https://riot.im/app, + or use other web clients or native client applications. Due to the + /.well-known urls set up done above, many clients should + fill in the required connection details automatically when you enter your + Matrix Identifier. See + Try + Matrix Now! for a list of existing clients and their supported + featureset. + services.nginx.virtualHosts."riot.${fqdn}" = { enableACME = true; forceSSL = true; 
@@ -183,15 +188,16 @@ }; + - Note that the Riot developers do not recommend running Riot and your Matrix homeserver - on the same fully-qualified domain name for security reasons. - In the example, this means that you should not reuse the myhostname.example.org - virtualHost to also serve Riot, but instead serve it on a different subdomain, - like riot.example.org in the example. - See the - Riot Important Security Notes - for more information on this subject. + Note that the Riot developers do not recommend running Riot and your Matrix + homeserver on the same fully-qualified domain name for security reasons. In + the example, this means that you should not reuse the + myhostname.example.org virtualHost to also serve Riot, + but instead serve it on a different subdomain, like + riot.example.org in the example. See the + Riot + Important Security Notes for more information on this subject.
diff --git a/nixos/doc/manual/configuration/modularity.xml b/nixos/doc/manual/configuration/modularity.xml index 5ff5bc22c85e..724abd31ca4e 100644 --- a/nixos/doc/manual/configuration/modularity.xml +++ b/nixos/doc/manual/configuration/modularity.xml @@ -112,9 +112,8 @@ true $ nixos-option [ "tun" "ipv6" "loop" ... ] - Interactive exploration of the configuration is possible using - nix repl, a read-eval-print loop for Nix expressions. - A typical use: + Interactive exploration of the configuration is possible using nix + repl, a read-eval-print loop for Nix expressions. A typical use: $ nix repl '<nixpkgs/nixos>' @@ -127,11 +126,10 @@ nix-repl> map (x: x.hostName) config. - + diff --git a/nixos/doc/manual/configuration/profiles.xml b/nixos/doc/manual/configuration/profiles.xml index 92c0f6202f28..c0a8f55785fc 100644 --- a/nixos/doc/manual/configuration/profiles.xml +++ b/nixos/doc/manual/configuration/profiles.xml @@ -12,14 +12,14 @@ That is to say, expected usage is to add them to the imports list of your /etc/configuration.nix as such: - + imports = [ <nixpkgs/nixos/modules/profiles/profile-name.nix> ]; - Even if some of these profiles seem only useful in the context of - install media, many are actually intended to be used in real installs. + Even if some of these profiles seem only useful in the context of install + media, many are actually intended to be used in real installs. What follows is a brief explanation on the purpose and use-case for each diff --git a/nixos/doc/manual/configuration/profiles/all-hardware.xml b/nixos/doc/manual/configuration/profiles/all-hardware.xml index 172975199474..2936f71069d5 100644 --- a/nixos/doc/manual/configuration/profiles/all-hardware.xml +++ b/nixos/doc/manual/configuration/profiles/all-hardware.xml @@ -1,15 +1,16 @@ -
All Hardware + - Enables all hardware supported by NixOS: i.e., all firmware is - included, and all devices from which one may boot are enabled in the initrd. - Its primary use is in the NixOS installation CDs. + Enables all hardware supported by NixOS: i.e., all firmware is included, and + all devices from which one may boot are enabled in the initrd. Its primary + use is in the NixOS installation CDs. + The enabled kernel modules include support for SATA and PATA, SCSI (partially), USB, Firewire (untested), Virtio (QEMU, KVM, etc.), VMware, and diff --git a/nixos/doc/manual/configuration/profiles/base.xml b/nixos/doc/manual/configuration/profiles/base.xml index f58a35d626ed..b75f6ba25b4f 100644 --- a/nixos/doc/manual/configuration/profiles/base.xml +++ b/nixos/doc/manual/configuration/profiles/base.xml @@ -1,15 +1,15 @@ -
Base + - Defines the software packages included in the "minimal" - installation CD. It installs several utilities useful in a simple recovery or - install media, such as a text-mode web browser, and tools for manipulating - block devices, networking, hardware diagnostics, and filesystems (with their - respective kernel modules). + Defines the software packages included in the "minimal" installation CD. It + installs several utilities useful in a simple recovery or install media, such + as a text-mode web browser, and tools for manipulating block devices, + networking, hardware diagnostics, and filesystems (with their respective + kernel modules).
diff --git a/nixos/doc/manual/configuration/profiles/clone-config.xml b/nixos/doc/manual/configuration/profiles/clone-config.xml index 87c8b9ee31b6..234835845e2d 100644 --- a/nixos/doc/manual/configuration/profiles/clone-config.xml +++ b/nixos/doc/manual/configuration/profiles/clone-config.xml @@ -1,14 +1,14 @@ -
Clone Config + - This profile is used in installer images. - It provides an editable configuration.nix that imports all the modules that - were also used when creating the image in the first place. - As a result it allows users to edit and rebuild the live-system. + This profile is used in installer images. It provides an editable + configuration.nix that imports all the modules that were also used when + creating the image in the first place. As a result it allows users to edit + and rebuild the live-system.
diff --git a/nixos/doc/manual/configuration/profiles/demo.xml b/nixos/doc/manual/configuration/profiles/demo.xml index 98829e4696df..395a5ec357c9 100644 --- a/nixos/doc/manual/configuration/profiles/demo.xml +++ b/nixos/doc/manual/configuration/profiles/demo.xml @@ -1,13 +1,15 @@ -
Demo + - This profile just enables a demo user, with password demo, uid 1000, wheel - group and - autologin in the SDDM display manager. + This profile just enables a demo + user, with password demo, uid 1000, + wheel group and + autologin + in the SDDM display manager.
diff --git a/nixos/doc/manual/configuration/profiles/docker-container.xml b/nixos/doc/manual/configuration/profiles/docker-container.xml index bf962442ccef..efa7b8f24c43 100644 --- a/nixos/doc/manual/configuration/profiles/docker-container.xml +++ b/nixos/doc/manual/configuration/profiles/docker-container.xml @@ -1,15 +1,16 @@ -
Docker Container + This is the profile from which the Docker images are generated. It prepares a - working system by importing the Minimal and - Clone Config profiles, and setting appropriate - configuration options that are useful inside a container context, like - . + working system by importing the + Minimal and + Clone Config profiles, and + setting appropriate configuration options that are useful inside a container + context, like .
diff --git a/nixos/doc/manual/configuration/profiles/graphical.xml b/nixos/doc/manual/configuration/profiles/graphical.xml index 5ded61d9763b..73e3abc59d0c 100644 --- a/nixos/doc/manual/configuration/profiles/graphical.xml +++ b/nixos/doc/manual/configuration/profiles/graphical.xml @@ -1,20 +1,21 @@ -
Graphical + Defines a NixOS configuration with the Plasma 5 desktop. It's used by the graphical installation CD. + It sets , , ( - without Qt4 Support), and + without Qt4 Support), and to true. It also includes glxinfo and firefox in the system packages list. diff --git a/nixos/doc/manual/configuration/profiles/hardened.xml b/nixos/doc/manual/configuration/profiles/hardened.xml index b3b433792f53..dc83fc837e2a 100644 --- a/nixos/doc/manual/configuration/profiles/hardened.xml +++ b/nixos/doc/manual/configuration/profiles/hardened.xml @@ -1,22 +1,24 @@ -
Hardened + A profile with most (vanilla) hardening options enabled by default, potentially at the cost of features and performance. + This includes a hardened kernel, and limiting the system information available to processes through the /sys and /proc filesystems. It also disables the User Namespaces feature of the kernel, which stops Nix from being able to build anything (this particular setting can be overriden via - ). See the ). See the + - profile source for further detail on which settings are altered. + profile source for further detail on which settings are altered.
diff --git a/nixos/doc/manual/configuration/profiles/headless.xml b/nixos/doc/manual/configuration/profiles/headless.xml index 54dc61f236e0..1b64497ebf7f 100644 --- a/nixos/doc/manual/configuration/profiles/headless.xml +++ b/nixos/doc/manual/configuration/profiles/headless.xml @@ -1,18 +1,19 @@ -
Headless + Common configuration for headless machines (e.g., Amazon EC2 instances). + Disables sound, vesa, serial consoles, emergency mode, - grub splash images and - configures the kernel to reboot automatically on panic. + grub splash images + and configures the kernel to reboot automatically on panic.
diff --git a/nixos/doc/manual/configuration/profiles/installation-device.xml b/nixos/doc/manual/configuration/profiles/installation-device.xml index 44ccfc538ad1..3dcdf403d89d 100644 --- a/nixos/doc/manual/configuration/profiles/installation-device.xml +++ b/nixos/doc/manual/configuration/profiles/installation-device.xml @@ -1,31 +1,34 @@ -
Installation Device + Provides a basic configuration for installation devices like CDs. This means enabling hardware scans, using the - Clone Config profile to guarantee + Clone Config profile to guarantee /etc/nixos/configuration.nix exists (for nixos-rebuild to work), a copy of the Nixpkgs channel snapshot used to create the install media. + Additionally, documentation for - Nixpkgs and NixOS - are forcefully enabled (to override the - Minimal profile preference); the - NixOS manual is shown automatically on TTY 8, sudo and udisks are disabled. - Autologin is enabled as root. + Nixpkgs and NixOS + are forcefully enabled (to override the + Minimal profile preference); the + NixOS manual is shown automatically on TTY 8, sudo and udisks are disabled. + Autologin is enabled as root. + - A message is shown to the user to start a display manager if needed, - ssh with are enabled (but + A message is shown to the user to start a display manager if needed, ssh with + are enabled (but doesn't autostart). WPA Supplicant is also enabled without autostart. + Finally, vim is installed, root is set to not have a password, the kernel is made more silent for remote public IP installs, and several settings are diff --git a/nixos/doc/manual/configuration/profiles/minimal.xml b/nixos/doc/manual/configuration/profiles/minimal.xml index a24af21bd7f7..179f2d0be64b 100644 --- a/nixos/doc/manual/configuration/profiles/minimal.xml +++ b/nixos/doc/manual/configuration/profiles/minimal.xml @@ -1,16 +1,16 @@ -
Minimal + This profile defines a small NixOS configuration. It does not contain any graphical stuff. It's a very short file that enables noXlibs, sets - i18n.supportedLocales - to only support the user-selected locale, + i18n.supportedLocales to + only support the user-selected locale, disables packages' documentation , and disables sound. diff --git a/nixos/doc/manual/configuration/profiles/qemu-guest.xml b/nixos/doc/manual/configuration/profiles/qemu-guest.xml index d08068650fbe..5d055c45d2d8 100644 --- a/nixos/doc/manual/configuration/profiles/qemu-guest.xml +++ b/nixos/doc/manual/configuration/profiles/qemu-guest.xml @@ -4,10 +4,12 @@ version="5.0" xml:id="sec-profile-qemu-guest"> QEMU Guest + This profile contains common configuration for virtual machines running under QEMU (using virtio). + It makes virtio modules available on the initrd, sets the system time from the hardware clock to work around a bug in qemu-kvm, and diff --git a/nixos/doc/manual/configuration/wireless.xml b/nixos/doc/manual/configuration/wireless.xml index 96b0a44f840a..7c7b3b4a65a5 100644 --- a/nixos/doc/manual/configuration/wireless.xml +++ b/nixos/doc/manual/configuration/wireless.xml @@ -28,11 +28,9 @@ Be aware that keys will be written to the nix store in plaintext! When no networks are set, it will default to using a configuration file at /etc/wpa_supplicant.conf. You should edit this file - yourself to define wireless networks, WPA keys and so on (see - - wpa_supplicant.conf - 5 - ). + yourself to define wireless networks, WPA keys and so on (see + wpa_supplicant.conf + 5 ). diff --git a/nixos/doc/manual/installation/installing-virtualbox-guest.xml b/nixos/doc/manual/installation/installing-virtualbox-guest.xml index 766785dfe070..5c86eacfbf45 100644 --- a/nixos/doc/manual/installation/installing-virtualbox-guest.xml +++ b/nixos/doc/manual/installation/installing-virtualbox-guest.xml 
@@ -77,10 +77,10 @@ Shared folders can be given a name and a path in the host system in the VirtualBox settings (Machine / Settings / Shared Folders, then click on the "Add" icon). Add the following to the - /etc/nixos/configuration.nix to auto-mount them. If you - do not add "nofail", the system will no boot properly. - The same goes for disabling rngd which is normally used - to get randomness but this does not work in virtual machines. + /etc/nixos/configuration.nix to auto-mount them. If you do + not add "nofail", the system will no boot properly. The + same goes for disabling rngd which is normally used to get + randomness but this does not work in virtual machines. diff --git a/nixos/doc/manual/man-nixos-generate-config.xml b/nixos/doc/manual/man-nixos-generate-config.xml index 43d6c2696a28..160ada9fff31 100644 --- a/nixos/doc/manual/man-nixos-generate-config.xml +++ b/nixos/doc/manual/man-nixos-generate-config.xml @@ -13,18 +13,18 @@ - nixos-generate-config + nixos-generate-config - + root - + diff --git a/nixos/doc/manual/man-nixos-rebuild.xml b/nixos/doc/manual/man-nixos-rebuild.xml index 654b5f4b2840..0b0c0b8f6ea2 100644 --- a/nixos/doc/manual/man-nixos-rebuild.xml +++ b/nixos/doc/manual/man-nixos-rebuild.xml @@ -13,39 +13,39 @@ - nixos-rebuild + nixos-rebuild - + - + - + - + - + - + - + - + @@ -54,33 +54,33 @@ - + - + - + - + + - - builder-spec + builder-spec - + - + @@ -198,7 +198,7 @@ $ nix-build /path/to/nixpkgs/nixos -A system - Opens configuration.nix in the default editor. + Opens configuration.nix in the default editor. 
@@ -334,25 +334,23 @@ $ ./result/bin/run-*-vm - - - builder-spec - - - - Allow ad-hoc remote builders for building the new system. - This requires the user executing nixos-rebuild (usually - root) to be configured as a trusted user in the Nix daemon. This can be - achieved by using the nix.trustedUsers NixOS option. - Examples values for that option are described in the - Remote builds chapter in the Nix manual, - (i.e. --builders "ssh://bigbrother x86_64-linux"). - By specifying an empty string existing builders specified in - /etc/nix/machines can be ignored: - --builders "" for example when they are not - reachable due to network connectivity. - - + + builder-spec + + + + Allow ad-hoc remote builders for building the new system. This requires + the user executing nixos-rebuild (usually root) to be + configured as a trusted user in the Nix daemon. This can be achieved by + using the nix.trustedUsers NixOS option. Examples + values for that option are described in the Remote builds + chapter in the Nix manual, (i.e. --builders + "ssh://bigbrother x86_64-linux"). By specifying an empty string + existing builders specified in /etc/nix/machines can + be ignored: --builders "" for example when they are + not reachable due to network connectivity. + + diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml index 8715a05f508b..3f10b26223dd 100644 --- a/nixos/doc/manual/release-notes/rl-1809.xml +++ b/nixos/doc/manual/release-notes/rl-1809.xml @@ -639,7 +639,8 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' - Groups kvm and render are introduced now, as systemd requires them. + Groups kvm and render are introduced + now, as systemd requires them. diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml index 3871d54c59c6..7d40637df931 100644 --- a/nixos/doc/manual/release-notes/rl-1903.xml +++ b/nixos/doc/manual/release-notes/rl-1903.xml 
@@ -20,25 +20,27 @@ - The default Python 3 interpreter is now CPython 3.7 instead of CPython 3.6. + The default Python 3 interpreter is now CPython 3.7 instead of CPython + 3.6. - Added the Pantheon desktop environment. - It can be enabled through services.xserver.desktopManager.pantheon.enable. + Added the Pantheon desktop environment. It can be enabled through + services.xserver.desktopManager.pantheon.enable. - services.xserver.desktopManager.pantheon default enables lightdm - as a display manager and using Pantheon's greeter. + services.xserver.desktopManager.pantheon default + enables lightdm as a display manager and using Pantheon's greeter. - This is because of limitations with the screenlocking implementation, whereas the - screenlocker would be non-functional without it. + This is because of limitations with the screenlocking implementation, + whereas the screenlocker would be non-functional without it. - Because of that it is recommended to retain this precaution, however if you'd like to change this set: + Because of that it is recommended to retain this precaution, however if + you'd like to change this set: @@ -52,17 +54,19 @@ - to false and enable your preferred display manager. + + to false and enable your preferred display manager. + - - A major refactoring of the Kubernetes module has been completed. - Refactorings primarily focus on decoupling components and enhancing - security. Two-way TLS and RBAC has been enabled by default for all - components, which slightly changes the way the module is configured. - See: for details. - + + A major refactoring of the Kubernetes module has been completed. + Refactorings primarily focus on decoupling components and enhancing + security. Two-way TLS and RBAC has been enabled by default for all + components, which slightly changes the way the module is configured. See: + for details. +
@@ -87,10 +91,11 @@ There is a new security.googleOsLogin module for using - OS Login - to manage SSH access to Google Compute Engine instances, which supersedes - the imperative and broken google-accounts-daemon used - in nixos/modules/virtualisation/google-compute-config.nix. + OS + Login to manage SSH access to Google Compute Engine instances, + which supersedes the imperative and broken + google-accounts-daemon used in + nixos/modules/virtualisation/google-compute-config.nix. @@ -101,8 +106,9 @@ There is a new services.cockroachdb module for running - CockroachDB databases. NixOS now ships with CockroachDB 2.1.x as well, available - on x86_64-linux and aarch64-linux. + CockroachDB databases. NixOS now ships with CockroachDB 2.1.x as well, + available on x86_64-linux and + aarch64-linux. @@ -110,15 +116,15 @@ - ./security/duosec.nix + ./security/duosec.nix The PAM module for Duo - Security has been enabled for use. One can configure it using - the options along with the - corresponding PAM option in + Security has been enabled for use. One can configure it using the + options along with the corresponding PAM + option in . 
@@ -184,36 +190,37 @@ - The buildPythonPackage function now sets strictDeps = true - to help distinguish between native and non-native dependencies in order to - improve cross-compilation compatibility. Note however that this may break - user expressions. + The buildPythonPackage function now sets + strictDeps = true to help distinguish between native + and non-native dependencies in order to improve cross-compilation + compatibility. Note however that this may break user expressions. - The buildPythonPackage function now sets LANG = C.UTF-8 - to enable Unicode support. The glibcLocales package is no longer needed as a build input. + The buildPythonPackage function now sets LANG + = C.UTF-8 to enable Unicode support. The + glibcLocales package is no longer needed as a build + input. - The Syncthing state and configuration data has been moved from - services.syncthing.dataDir to the newly defined - services.syncthing.configDir, which default to - /var/lib/syncthing/.config/syncthing. - This change makes possible to share synced directories using ACLs - without Syncthing resetting the permission on every start. + The Syncthing state and configuration data has been moved from + services.syncthing.dataDir to the newly defined + services.syncthing.configDir, which default to + /var/lib/syncthing/.config/syncthing. This change makes + possible to share synced directories using ACLs without Syncthing + resetting the permission on every start. - The ntp module now has sane default restrictions. - If you're relying on the previous defaults, which permitted all queries - and commands from all firewall-permitted sources, you can set - services.ntp.restrictDefault and - services.ntp.restrictSource to - []. + The ntp module now has sane default restrictions. If + you're relying on the previous defaults, which permitted all queries and + commands from all firewall-permitted sources, you can set + services.ntp.restrictDefault and + services.ntp.restrictSource to []. 
@@ -241,17 +248,21 @@ - Options - services.znc.confOptions.networks.name.userName and - services.znc.confOptions.networks.name.modulePackages - were removed. They were never used for anything and can therefore safely be removed. + Options + services.znc.confOptions.networks.name.userName + and + services.znc.confOptions.networks.name.modulePackages + were removed. They were never used for anything and can therefore safely + be removed. - Package wasm has been renamed proglodyte-wasm. The package - wasm will be pointed to ocamlPackages.wasm in 19.09, so - make sure to update your configuration if you want to keep proglodyte-wasm + Package wasm has been renamed + proglodyte-wasm. The package wasm + will be pointed to ocamlPackages.wasm in 19.09, so make + sure to update your configuration if you want to keep + proglodyte-wasm 
@@ -279,37 +290,41 @@ - Package consul-ui and passthrough consul.ui have been removed. - The package consul now uses upstream releases that vendor the UI into the binary. - See #48714 + Package consul-ui and passthrough + consul.ui have been removed. The package + consul now uses upstream releases that vendor the UI + into the binary. See + #48714 for details. - Slurm introduces the new option - services.slurm.stateSaveLocation, - which is now set to /var/spool/slurm by default - (instead of /var/spool). - Make sure to move all files to the new directory or to set the option accordingly. + Slurm introduces the new option + services.slurm.stateSaveLocation, which is now set to + /var/spool/slurm by default (instead of + /var/spool). Make sure to move all files to the new + directory or to set the option accordingly. - The slurmctld now runs as user slurm instead of root. - If you want to keep slurmctld running as root, set - services.slurm.user = root. + The slurmctld now runs as user slurm instead of + root. If you want to keep slurmctld running as + root, set services.slurm.user = + root. - The options services.slurm.nodeName and - services.slurm.partitionName are now sets of - strings to correctly reflect that fact that each of these - options can occour more than once in the configuration. + The options services.slurm.nodeName and + services.slurm.partitionName are now sets of strings to + correctly reflect that fact that each of these options can occour more + than once in the configuration. - The solr package has been upgraded from 4.10.3 to 7.5.0 and has undergone - some major changes. The services.solr module has been updated to reflect - these changes. Please review http://lucene.apache.org/solr/ carefully before upgrading. + The solr package has been upgraded from 4.10.3 to 7.5.0 + and has undergone some major changes. The services.solr + module has been updated to reflect these changes. 
Please review + http://lucene.apache.org/solr/ carefully before upgrading. 
@@ -321,46 +336,49 @@ - The option services.xserver.displayManager.job.logToFile which was + The option + services.xserver.displayManager.job.logToFile which was previously set to true when using the display managers - lightdm, sddm or xpra has been - reset to the default value (false). + lightdm, sddm or + xpra has been reset to the default value + (false). Network interface indiscriminate NixOS firewall options - (networking.firewall.allow*) are now preserved when also - setting interface specific rules such as networking.firewall.interfaces.en0.allow*. - These rules continue to use the pseudo device "default" - (networking.firewall.interfaces.default.*), and assigning - to this pseudo device will override the (networking.firewall.allow*) - options. - - - - + (networking.firewall.allow*) are now preserved when + also setting interface specific rules such as + networking.firewall.interfaces.en0.allow*. These rules + continue to use the pseudo device "default" + (networking.firewall.interfaces.default.*), and + assigning to this pseudo device will override the + (networking.firewall.allow*) options. + + + + The nscd service now disables all caching of passwd and group databases by default. This was interferring with the correct functioning of the libnss_systemd.so module which is used by systemd to manage uids and usernames in the presence of - DynamicUser= in systemd services. This was already the + DynamicUser= in systemd services. This was already the default behaviour in presence of services.sssd.enable = - true because nscd caching would interfere with - sssd in unpredictable ways as well. Because we're - using nscd not for caching, but for convincing glibc to find NSS modules - in the nix store instead of an absolute path, we have decided to disable - caching globally now, as it's usually not the behaviour the user wants and - can lead to surprising behaviour. 
Furthermore, negative caching of host + true because nscd caching would interfere with + sssd in unpredictable ways as well. Because we're using + nscd not for caching, but for convincing glibc to find NSS modules in the + nix store instead of an absolute path, we have decided to disable caching + globally now, as it's usually not the behaviour the user wants and can + lead to surprising behaviour. Furthermore, negative caching of host lookups is also disabled now by default. This should fix the issue of dns lookups failing in the presence of an unreliable network. - - - If the old behaviour is desired, this can be restored by setting - the services.nscd.config option - with the desired caching parameters. - + + + If the old behaviour is desired, this can be restored by setting the + services.nscd.config option with the desired caching + parameters. + services.nscd.config = '' server-user nscd 
@@ -393,97 +411,109 @@ shared hosts yes ''; - See #50316 + See + #50316 for details. - - - - + + + + GitLab Shell previously used the nix store paths for the gitlab-shell command in its authorized_keys file, which might stop working after garbage collection. To circumvent that, we regenerated that file on each - startup. As gitlab-shell has now been changed to use + startup. As gitlab-shell has now been changed to use /var/run/current-system/sw/bin/gitlab-shell, this is not necessary anymore, but there might be leftover lines with a nix store path. Regenerate the authorized_keys file via sudo -u git -H gitlab-rake gitlab:shell:setup in that case. - - - - + + + + The pam_unix account module is now loaded with its control field set to required instead of sufficient, so that later PAM account modules that - might do more extensive checks are being executed. - Previously, the whole account module verification was exited prematurely - in case a nss module provided the account name to - pam_unix. - The LDAP and SSSD NixOS modules already add their NSS modules when - enabled. In case your setup breaks due to some later PAM account module - previosuly shadowed, or failing NSS lookups, please file a bug. You can - get back the old behaviour by manually setting - .text]]>. - - - - - The pam_unix password module is now loaded with its - control field set to sufficient instead of - required, so that password managed only - by later PAM password modules are being executed. - Previously, for example, changing an LDAP account's password through PAM - was not possible: the whole password module verification - was exited prematurely by pam_unix, - preventing pam_ldap to manage the password as it should. - - - - - fish has been upgraded to 3.0. - It comes with a number of improvements and backwards incompatible changes. - See the fish release notes for more information. + might do more extensive checks are being executed. 
Previously, the whole + account module verification was exited prematurely in case a nss module + provided the account name to pam_unix. The LDAP and + SSSD NixOS modules already add their NSS modules when enabled. In case + your setup breaks due to some later PAM account module previosuly + shadowed, or failing NSS lookups, please file a bug. You can get back the + old behaviour by manually setting +.text]]> + . - + - The ibus-table input method has had a change in config format, which - causes all previous settings to be lost. See - this commit message - for details. + The pam_unix password module is now loaded with its + control field set to sufficient instead of + required, so that password managed only by later PAM + password modules are being executed. Previously, for example, changing an + LDAP account's password through PAM was not possible: the whole password + module verification was exited prematurely by pam_unix, + preventing pam_ldap to manage the password as it + should. - - - - NixOS module system type types.optionSet and - lib.mkOption argument options are deprecated. - Use types.submodule instead. - (#54637) - - - - - matrix-synapse has been updated to version 0.99. It will - no longer generate a self-signed certificate on first launch - and will be the last version to accept self-signed certificates. - As such, it is now recommended to use a proper certificate verified by a - root CA (for example Let's Encrypt). - The new manual chapter on Matrix contains a working example of using nginx as a reverse proxy - in front of matrix-synapse, using Let's Encrypt certificates. - - + + + + fish has been upgraded to 3.0. It comes with a number + of improvements and backwards incompatible changes. See the + fish + release + notes for more information. + + + + + The ibus-table input method has had a change in config format, which + causes all previous settings to be lost. See + this + commit message for details. 
+ + + + + NixOS module system type types.optionSet and + lib.mkOption argument options are + deprecated. Use types.submodule instead. + (#54637) + + + + + matrix-synapse has been updated to version 0.99. It + will no + longer generate a self-signed certificate on first launch and will + be + the + last version to accept self-signed certificates. As such, it is now + recommended to use a proper certificate verified by a root CA (for example + Let's Encrypt). The new manual + chapter on Matrix contains a working example of using nginx as a + reverse proxy in front of matrix-synapse, using Let's + Encrypt certificates. + + mailutils now works by default when sendmail is not in a setuid wrapper. As a consequence, - the sendmailPath argument, having lost its main use, has - been removed. + the sendmailPath argument, having lost its main use, + has been removed. - graylog has been upgraded from version 2.* to 3.*. Some setups making use of extraConfig (especially those exposing Graylog via reverse proxies) need to be updated as upstream removed/replaced some settings. See Upgrading Graylog for details. + graylog has been upgraded from version 2.* to 3.*. Some + setups making use of extraConfig (especially those exposing Graylog via + reverse proxies) need to be updated as upstream removed/replaced some + settings. See + Upgrading + Graylog for details. 
@@ -500,206 +530,219 @@ The module gained the option - which determines the used - Matomo version. + which determines the used Matomo + version. - The Matomo module now also comes with the systemd service matomo-archive-processing.service - and a timer that automatically triggers archive processing every hour. - This means that you can safely + The Matomo module now also comes with the systemd service + matomo-archive-processing.service and a timer that + automatically triggers archive processing every hour. This means that you + can safely - disable browser triggers for Matomo archiving - at Administration > System > General Settings. + disable browser triggers for Matomo archiving at + Administration > System > General Settings. Additionally, you can enable to - delete old visitor logs - at Administration > System > Privacy, - but make sure that you run systemctl start matomo-archive-processing.service - at least once without errors if you have already collected data before, - so that the reports get archived before the source data gets deleted. + delete old visitor logs at Administration > System > + Privacy, but make sure that you run systemctl start + matomo-archive-processing.service at least once without errors + if you have already collected data before, so that the reports get + archived before the source data gets deleted. - composableDerivation along with supporting library functions - has been removed. + composableDerivation along with supporting library + functions has been removed. - The deprecated truecrypt package has been removed - and truecrypt attribute is now an alias for + The deprecated truecrypt package has been removed and + truecrypt attribute is now an alias for veracrypt. VeraCrypt is backward-compatible with - TrueCrypt volumes. Note that cryptsetup also - supports loading TrueCrypt volumes. + TrueCrypt volumes. Note that cryptsetup also supports + loading TrueCrypt volumes. 
- The Kubernetes DNS addons, kube-dns, has been replaced with CoreDNS. - This change is made in accordance with Kubernetes making CoreDNS the official default - starting from - Kubernetes v1.11. - Please beware that upgrading DNS-addon on existing clusters might induce - minor downtime while the DNS-addon terminates and re-initializes. - Also note that the DNS-service now runs with 2 pod replicas by default. - The desired number of replicas can be configured using: - . + The Kubernetes DNS addons, kube-dns, has been replaced with CoreDNS. This + change is made in accordance with Kubernetes making CoreDNS the official + default starting from + Kubernetes + v1.11. Please beware that upgrading DNS-addon on existing clusters + might induce minor downtime while the DNS-addon terminates and + re-initializes. Also note that the DNS-service now runs with 2 pod + replicas by default. The desired number of replicas can be configured + using: . - - - The quassel-webserver package and module was removed from nixpkgs due to the lack - of maintainers. - - - The manual gained a - - new chapter on self-hosting matrix-synapse and riot-web - , the most prevalent server and client implementations for the - Matrix federated communication network. + The quassel-webserver package and module was removed from nixpkgs due to + the lack of maintainers. - - The astah-community package was removed from nixpkgs due to it being discontinued and the downloads not being available anymore. - - - - - The httpd service now saves log files with a .log file extension by default for - easier integration with the logrotate service. - - - - - The owncloud server packages and httpd subservice module were removed - from nixpkgs due to the lack of maintainers. - - - - - It is possible now to uze ZRAM devices as general purpose ephemeral block devices, - not only as swap. Using more than 1 device as ZRAM swap is no longer recommended, - but is still possible by setting zramSwap.swapDevices explicitly. 
- - - ZRAM algorithm can be changed now. - - - Changes to ZRAM algorithm are applied during nixos-rebuild switch, - so make sure you have enough swap space on disk to survive ZRAM device rebuild. Alternatively, - use nixos-rebuild boot; reboot. - + + The manual gained a new chapter on + self-hosting matrix-synapse and + riot-web , the most prevalent server and client + implementations for the + Matrix federated + communication network. + - Flat volumes are now disabled by default in hardware.pulseaudio. - This has been done to prevent applications, which are unaware of this feature, setting - their volumes to 100% on startup causing harm to your audio hardware and potentially your ears. + The astah-community package was removed from nixpkgs due to it being + discontinued and the downloads not being available anymore. + + + + + The httpd service now saves log files with a .log file extension by + default for easier integration with the logrotate service. + + + + + The owncloud server packages and httpd subservice module were removed from + nixpkgs due to the lack of maintainers. + + + + + It is possible now to uze ZRAM devices as general purpose ephemeral block + devices, not only as swap. Using more than 1 device as ZRAM swap is no + longer recommended, but is still possible by setting + zramSwap.swapDevices explicitly. + + + ZRAM algorithm can be changed now. + + + Changes to ZRAM algorithm are applied during nixos-rebuild + switch, so make sure you have enough swap space on disk to + survive ZRAM device rebuild. Alternatively, use nixos-rebuild + boot; reboot. + + + + + Flat volumes are now disabled by default in + hardware.pulseaudio. This has been done to prevent + applications, which are unaware of this feature, setting their volumes to + 100% on startup causing harm to your audio hardware and potentially your + ears. 
- With this change application specific volumes are relative to the master volume which can be - adjusted independently, whereas before they were absolute; meaning that in effect, it scaled the - device-volume with the volume of the loudest application. + With this change application specific volumes are relative to the master + volume which can be adjusted independently, whereas before they were + absolute; meaning that in effect, it scaled the device-volume with the + volume of the loudest application. - The ndppd module - now supports all config options provided by the current - upstream version as service options. Additionally the ndppd package doesn't contain - the systemd unit configuration from upstream anymore, the unit is completely configured by the NixOS module now. + The + ndppd + module now supports all config + options provided by the current upstream version as service + options. Additionally the ndppd package doesn't contain + the systemd unit configuration from upstream anymore, the unit is + completely configured by the NixOS module now. - New installs of NixOS will default to the Redmine 4.x series unless otherwise specified in - services.redmine.package while existing installs of NixOS will default to - the Redmine 3.x series. + New installs of NixOS will default to the Redmine 4.x series unless + otherwise specified in services.redmine.package while + existing installs of NixOS will default to the Redmine 3.x series. - The Grafana module now supports declarative - datasource and dashboard - provisioning. + The Grafana module now + supports declarative + datasource + and dashboard provisioning. - - The use of insecure ports on kubernetes has been deprecated. - Thus options: - services.kubernetes.apiserver.port and - services.kubernetes.controllerManager.port - has been renamed to .insecurePort, - and default of both options has changed to 0 (disabled). 
- - - - - Note that the default value of - services.kubernetes.apiserver.bindAddress - has changed from 127.0.0.1 to 0.0.0.0, allowing the apiserver to be - accessible from outside the master node itself. - If the apiserver insecurePort is enabled, - it is strongly recommended to only bind on the loopback interface. See: - services.kubernetes.apiserver.insecurebindAddress. - - - - - The option services.kubernetes.apiserver.allowPrivileged - and services.kubernetes.kubelet.allowPrivileged now - defaults to false. Disallowing privileged containers on the cluster. - - - - - The kubernetes module does no longer add the kubernetes package to - environment.systemPackages implicitly. - - - - - The intel driver has been removed from the default list of - X.org video drivers. - The modesetting driver should take over automatically, - it is better maintained upstream and has less problems with advanced X11 features. - This can lead to a change in the output names used by xrandr. - Some performance regressions on some GPU models might happen. - Some OpenCL and VA-API applications might also break - (Beignet seems to provide OpenCL support with - modesetting driver, too). - Kernel mode setting API does not support backlight control, - so xbacklight tool will not work; - backlight level can be controlled directly via /sys/ - or with brightnessctl. - Users who need this functionality more than multi-output XRandR are advised - to add `intel` to `videoDrivers` and report an issue (or provide additional - details in an existing one) - - - - - Openmpi has been updated to version 4.0.0, which removes some deprecated MPI-1 symbols. - This may break some older applications that still rely on those symbols. - An upgrade guide can be found here. - - The nginx package now relies on OpenSSL 1.1 and supports TLS 1.3 by default. You can set the protocols used by the nginx service using . + The use of insecure ports on kubernetes has been deprecated. 
Thus options: + services.kubernetes.apiserver.port and + services.kubernetes.controllerManager.port has been + renamed to .insecurePort, and default of both options + has changed to 0 (disabled). - - A new subcommand nixos-rebuild edit was added. - + + Note that the default value of + services.kubernetes.apiserver.bindAddress has changed + from 127.0.0.1 to 0.0.0.0, allowing the apiserver to be accessible from + outside the master node itself. If the apiserver insecurePort is enabled, + it is strongly recommended to only bind on the loopback interface. See: + services.kubernetes.apiserver.insecurebindAddress. + + + + + The option + services.kubernetes.apiserver.allowPrivileged and + services.kubernetes.kubelet.allowPrivileged now + defaults to false. Disallowing privileged containers on the cluster. + + + + + The kubernetes module does no longer add the kubernetes package to + environment.systemPackages implicitly. + + + + + The intel driver has been removed from the default list + of X.org video + drivers. The modesetting driver should take over + automatically, it is better maintained upstream and has less problems with + advanced X11 features. This can lead to a change in the output names used + by xrandr. Some performance regressions on some GPU + models might happen. Some OpenCL and VA-API applications might also break + (Beignet seems to provide OpenCL support with + modesetting driver, too). Kernel mode setting API does + not support backlight control, so xbacklight tool will + not work; backlight level can be controlled directly via + /sys/ or with brightnessctl. Users + who need this functionality more than multi-output XRandR are advised to + add `intel` to `videoDrivers` and report an issue (or provide additional + details in an existing one) + + + + + Openmpi has been updated to version 4.0.0, which removes some deprecated + MPI-1 symbols. This may break some older applications that still rely on + those symbols. An upgrade guide can be found + here. 
+ + + The nginx package now relies on OpenSSL 1.1 and supports TLS 1.3 by + default. You can set the protocols used by the nginx service using + . + + + + + A new subcommand nixos-rebuild edit was added. +
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index f54592b6bf6c..cc0d97023f96 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -53,14 +53,17 @@ The module gained an option named - which makes the generated - configuration.nix - 5 manual page include all options from all NixOS modules - included in a given configuration.nix configuration file. Currently, it is - set to false by default as enabling it frequently prevents evaluation. But - the plan is to eventually have it set to true by default. Please set it to - true now in your configuration.nix and fix all the bugs - it uncovers. + which makes the + generated + configuration.nix + 5 manual page include all options + from all NixOS modules included in a given + configuration.nix configuration file. Currently, it is + set to false by default as enabling it frequently + prevents evaluation. But the plan is to eventually have it set to + true by default. Please set it to + true now in your configuration.nix + and fix all the bugs it uncovers. diff --git a/nixos/modules/programs/zsh/oh-my-zsh.xml b/nixos/modules/programs/zsh/oh-my-zsh.xml index b26980daf067..568c2de65576 100644 --- a/nixos/modules/programs/zsh/oh-my-zsh.xml +++ b/nixos/modules/programs/zsh/oh-my-zsh.xml @@ -87,9 +87,9 @@ Please keep in mind that this is not compatible with - programs.zsh.ohMyZsh.custom as it requires an immutable store - path while custom shall remain mutable! An evaluation - failure will be thrown if both custom and + programs.zsh.ohMyZsh.custom as it requires an immutable + store path while custom shall remain mutable! An + evaluation failure will be thrown if both custom and customPkgs are set.
diff --git a/nixos/modules/services/web-apps/matomo-doc.xml b/nixos/modules/services/web-apps/matomo-doc.xml index 20d2de9f4189..021a89be3f63 100644 --- a/nixos/modules/services/web-apps/matomo-doc.xml +++ b/nixos/modules/services/web-apps/matomo-doc.xml @@ -12,15 +12,15 @@ An automatic setup is not suported by Matomo, so you need to configure Matomo itself in the browser-based Matomo setup.
-
Database Setup + You also need to configure a MariaDB or MySQL database and -user for Matomo yourself, and enter those credentials in your browser. You can use passwordless database authentication via the UNIX_SOCKET authentication plugin with the following SQL commands: - + # For MariaDB INSTALL PLUGIN unix_socket SONAME 'auth_socket'; CREATE DATABASE matomo; @@ -46,30 +46,32 @@ database is not on the same host.
-
Archive Processing + - This module comes with the systemd service matomo-archive-processing.service - and a timer that automatically triggers archive processing every hour. - This means that you can safely + This module comes with the systemd service + matomo-archive-processing.service and a timer that + automatically triggers archive processing every hour. This means that you + can safely - disable browser triggers for Matomo archiving - at Administration > System > General Settings. + disable browser triggers for Matomo archiving at + Administration > System > General Settings. + With automatic archive processing, you can now also enable to - delete old visitor logs - at Administration > System > Privacy, - but make sure that you run systemctl start matomo-archive-processing.service - at least once without errors if you have already collected data before, - so that the reports get archived before the source data gets deleted. + delete old visitor logs at Administration > System > + Privacy, but make sure that you run systemctl start + matomo-archive-processing.service at least once without errors if + you have already collected data before, so that the reports get archived + before the source data gets deleted.
-
Backup + You only need to take backups of your MySQL database and the /var/lib/matomo/config/config.ini.php file. Use a user @@ -78,9 +80,9 @@ .
-
Issues + @@ -97,7 +99,6 @@
-
Using other Web Servers than nginx diff --git a/nixos/modules/services/web-apps/nextcloud.xml b/nixos/modules/services/web-apps/nextcloud.xml index 9600d1be7c88..098625aa02f2 100644 --- a/nixos/modules/services/web-apps/nextcloud.xml +++ b/nixos/modules/services/web-apps/nextcloud.xml @@ -4,24 +4,26 @@ version="5.0" xml:id="module-services-nextcloud"> Nextcloud - - Nextcloud is an open-source, self-hostable cloud - platform. The server setup can be automated using - services.nextcloud. A desktop client is packaged - at pkgs.nextcloud-client. + Nextcloud is an open-source, + self-hostable cloud platform. The server setup can be automated using + services.nextcloud. A + desktop client is packaged at pkgs.nextcloud-client. -
Basic usage + Nextcloud is a PHP-based application which requires an HTTP server - (services.nextcloud optionally supports - services.nginx) and a database - (it's recommended to use services.postgresql). + (services.nextcloud + optionally supports + services.nginx) + and a database (it's recommended to use + services.postgresql). + - A very basic configuration may look like this: + A very basic configuration may look like this: { pkgs, ... }: { services.nextcloud = { @@ -55,45 +57,59 @@ networking.firewall.allowedTCPPorts = [ 80 443 ]; } + - The options hostName and nginx.enable are used internally to configure an - HTTP server using PHP-FPM and nginx. - The config attribute set is used for the config.php which is used - for the application's configuration. - Beware: this isn't entirely pure since the config is modified by the application's runtime! + The options hostName and nginx.enable + are used internally to configure an HTTP server using + PHP-FPM + and nginx. The config attribute set is + used for the config.php which is used for the + application's configuration. Beware: this isn't entirely pure + since the config is modified by the application's runtime! + - In case the application serves multiple hosts (those are checked with - $_SERVER['HTTP_HOST']) - those can be added using - services.nextcloud.config.extraTrustedDomains. + In case the application serves multiple hosts (those are checked with + $_SERVER['HTTP_HOST']) + those can be added using + services.nextcloud.config.extraTrustedDomains.
-
Pitfalls + - Unfortunately Nextcloud appears to be very stateful when it comes to managing its own configuration. The - config file lives in the home directory of the nextcloud user (by default - /var/lib/nextcloud/config/config.php) and is also used to track several - states of the application (e.g. whether installed or not). + Unfortunately Nextcloud appears to be very stateful when it comes to + managing its own configuration. The config file lives in the home directory + of the nextcloud user (by default + /var/lib/nextcloud/config/config.php) and is also used to + track several states of the application (e.g. whether installed or not). + - Right now changes to the services.nextcloud.config attribute set won't take effect - after the first install - (except services.nextcloud.config.extraTrustedDomains) since the actual configuration - file is generated by the NextCloud installer which also sets up critical parts such as the database - structure. + Right now changes to the services.nextcloud.config + attribute set won't take effect after the first install (except + services.nextcloud.config.extraTrustedDomains) + since the actual configuration file is generated by the NextCloud installer + which also sets up critical parts such as the database structure. + - Warning: don't delete config.php! This file tracks the application's state and a deletion can cause unwanted side-effects! + Warning: don't delete config.php! This file + tracks the application's state and a deletion can cause unwanted + side-effects! + - Warning: don't rerun nextcloud-occ maintenance:install! This command tries to install the application and can cause unwanted side-effects! + Warning: don't rerun nextcloud-occ + maintenance:install! This command tries to install the application + and can cause unwanted side-effects! + - The issues are known and reported in #49783, for now it's unfortunately necessary to manually work around these issues. 
+ The issues are known and reported in + #49783, + for now it's unfortunately necessary to manually work around these issues.
- diff --git a/nixos/tests/common/webroot/news-rss.xml b/nixos/tests/common/webroot/news-rss.xml index 28e6fa7da1f3..b8099bf0364a 100644 --- a/nixos/tests/common/webroot/news-rss.xml +++ b/nixos/tests/common/webroot/news-rss.xml @@ -1,10 +1,18 @@ -NixOS Newshttps://nixos.orgNews for NixOS, the purely functional Linux distribution.NixOShttps://nixos.org/logo/nixos-logo-only-hires.pnghttps://nixos.org/ - NixOS 18.09 released - https://nixos.org/news.html - - 18.09 Jellyfish logo - + + + NixOS Newshttps://nixos.org + News for NixOS, the purely functional Linux distribution. + + NixOS + https://nixos.org/logo/nixos-logo-only-hires.pnghttps://nixos.org/ + + + NixOS 18.09 releasedhttps://nixos.org/news.html + + + 18.09 Jellyfish logo + NixOS 18.09 “Jellyfish” has been released, the tenth stable release branch. See the release notes for details. You can get NixOS 18.09 ISOs and VirtualBox appliances @@ -12,4 +20,8 @@ For information on how to upgrade from older release branches to 18.09, check out the manual section on upgrading. - Sat Oct 06 2018 00:00:00 GMT + + Sat Oct 06 2018 00:00:00 GMT + + +
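Review bot: In nixos/doc/manual/release-notes/rl-1903.xml, hunk @@ -500,206 +530,219 @@, the reflowed Kubernetes entry still points readers at services.kubernetes.apiserver.insecurebindAddress, whose lowercase "b" does not match the camelCase of bindAddress and insecurePort named in the neighbouring entries. That sentence is the guidance for keeping the insecure port on loopback now that bindAddress defaults to 0.0.0.0, so please check the spelling against the module's option name and correct it while these lines are being touched. The same hunk carries over "uze ZRAM devices" and the fragment "Disallowing privileged containers on the cluster."; both could be fixed here or in a follow-up.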
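Review bot: In nixos/doc/manual/release-notes/rl-1903.xml, hunk @@ -393,97 +411,109 @@, the pam_unix account entry now ends with the ".text]]>" fragment on a line of its own and the closing "." on a separate line, where the old text kept ".text]]>." together. Please check the rendered manual for a stray space before the full stop or extra whitespace around the option name, and keep the CDATA fragment and the period on one line if the formatter allows it. "previosuly" in the same entry is carried over unchanged and could be corrected at the same time.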
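Review bot: In nixos/doc/manual/release-notes/rl-1903.xml, hunk @@ -279,37 +290,41 @@, the reflow splits the slurm setting across two lines ("set services.slurm.user =" followed by "root."), so searching the source for the full assignment no longer matches. Since this entry tells operators how to keep slurmctld running as root, it is worth keeping the assignment on one line, for example by excluding inline literals from wrapping. The entry below it still reads "reflect that fact" and "occour", which could be fixed in the same pass.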
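Review bot: nixos/tests/common/webroot/news-rss.xml is a test fixture rather than manual source, and hunks @@ -1,10 +1,18 @@ and @@ -12,4 +20,8 @@ move the channel description, the item title and the "Sat Oct 06 2018 00:00:00 GMT" date onto indented lines of their own. If the formatter placed that whitespace inside the elements, the text a consumer reads now has leading and trailing newlines. Please confirm that the tests serving this file do not compare those strings exactly, or leave the fixture out of the reformat.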