Release 20.09 (“Nightingale”, 2020.09/??)
Highlights In addition to numerous new and upgraded packages, this release has the following highlights: Support is planned until the end of April 2021, handing over to 21.03. GNOME desktop environment was upgraded to 3.36, see its release notes. We now distribute a GNOME ISO. PHP now defaults to PHP 7.4, updated from 7.3. Two new options, authorizedKeysCommand and authorizedKeysCommandUser, have been added to the openssh module. If you have AuthorizedKeysCommand in your services.openssh.extraConfig you should make use of these new options instead. There is a new module for Podman(virtualisation.podman), a drop-in replacement for the Docker command line. The new virtualisation.containers module manages configuration shared by the CRI-O and Podman modules. Declarative Docker containers are renamed from docker-containers to virtualisation.oci-containers.containers. This is to make it possible to use podman instead of docker.
New Services The following new services were added since the last release:
Backward Incompatibilities When upgrading from a previous release, please be aware of the following incompatible changes: Grafana is now built without support for phantomjs by default. Phantomjs support has been deprecated in Grafana and the phantomjs project is currently unmaintained. It can still be enabled by providing phantomJsSupport = true to the package instanciation: { services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec { phantomJsSupport = false; }); } The supybot module now uses /var/lib/supybot as its default stateDir path if stateVersion is 20.09 or higher. It also enables number of systemd sandboxing options which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in . The security.duosec.skey option, which stored a secret in the nix store, has been replaced by a new security.duosec.secretKeyFile option for better security. security.duosec.ikey has been renamed to security.duosec.integrationKey. The initrd SSH support now uses OpenSSH rather than Dropbear to allow the use of Ed25519 keys and other OpenSSH-specific functionality. Host keys must now be in the OpenSSH format, and at least one pre-generated key must be specified. If you used the options, you'll get an error explaining how to convert your host keys and migrate to the new option. Otherwise, if you don't have any host keys set, you'll need to generate some; see the option documentation for instructions. Since this release there's an easy way to customize your PHP install to get a much smaller base PHP with only wanted extensions enabled. See the following snippet installing a smaller PHP with the extensions imagick, opcache, pdo and pdo_mysql loaded: environment.systemPackages = [ (pkgs.php.withExtensions ({ all, ... }: with all; [ imagick opcache pdo pdo_mysql ]) ) ]; The default php attribute hasn't lost any extensions. The opcache extension has been added. All upstream PHP extensions are available under ]]>. All PHP config flags have been removed for the following reasons: The updated php attribute is now easily customizable to your liking by using php.withExtensions or php.buildEnv instead of writing config files or changing configure flags. The remaining configuration flags can now be set directly on the php attribute. For example, instead of php.override { config.php.embed = true; config.php.apxs2 = false; } you should now write php.override { embedSupport = true; apxs2Support = false; } Gollum received a major update to version 5.x and you may have to change some links in your wiki when migrating from gollum 4.x. More information can be found here. Deluge 2.x was added and is used as default for new NixOS installations where stateVersion is >= 20.09. If you are upgrading from a previous NixOS version, you can set service.deluge.package = pkgs.deluge-2_x to upgrade to Deluge 2.x and migrate the state to the new format. Be aware that backwards state migrations are not supported by Deluge. The NixOS options nesting.clone and nesting.children have been deleted, and replaced with named configurations. Replace a nesting.clone entry with: { specialisation.example-sub-configuration = { configuration = { ... }; }; Replace a nesting.children entry with: { specialisation.example-sub-configuration = { inheritParentConfig = false; configuration = { ... }; }; To switch to a specialised configuration at runtime you need to run: # sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test Before you would have used: # sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test The httpd web server previously started its main process as root privileged, then ran worker processes as a less privileged identity user. This was changed to start all of httpd as a less privileged user (defined by and ). As a consequence, all files that are needed for httpd to run (included configuration fragments, SSL certificates and keys, etc.) must now be readable by this less privileged user/group. The default value for has been changed from prefork to event. Along with this change the default value for services.httpd.virtualHosts.<name>.http2 has been set to true. The systemd-networkd option systemd.network.networks.<name>.dhcp.CriticalConnection has been removed following upstream systemd's deprecation of the same. It is recommended to use systemd.network.networks.<name>.networkConfig.KeepConfiguration instead. See systemd.network 5 for details. The systemd-networkd option systemd.network.networks._name_.dhcpConfig has been renamed to following upstream systemd's documentation change. See systemd.network 5 for details.
Other Notable Changes was updated from 1000 to 10000 to follow the new upstream systemd default. The notmuch package move its emacs-related binaries and emacs lisp files to a separate output. They're not part of the default out output anymore - if you relied on the notmuch-emacs-mua binary or the emacs lisp files, access them via the notmuch.emacs output.