Release 20.09 (“Nightingale”, 2020.09/??)Highlights
In addition to numerous new and upgraded packages, this release has the
following highlights:
Support is planned until the end of April 2021, handing over to 21.03.
GNOME desktop environment was upgraded to 3.36, see its release notes.
We now distribute a GNOME ISO.
PHP now defaults to PHP 7.4, updated from 7.3.
Two new options, authorizedKeysCommand
and authorizedKeysCommandUser, have
been added to the openssh module. If you have AuthorizedKeysCommand
in your services.openssh.extraConfig you should
make use of these new options instead.
There is a new module for Podman(virtualisation.podman), a drop-in replacement for the Docker command line.
The new virtualisation.containers module manages configuration shared by the CRI-O and Podman modules.
Declarative Docker containers are renamed from docker-containers to virtualisation.oci-containers.containers.
This is to make it possible to use podman instead of docker.
New Services
The following new services were added since the last release:
Backward Incompatibilities
When upgrading from a previous release, please be aware of the following
incompatible changes:
Grafana is now built without support for phantomjs by default. Phantomjs support has been
deprecated in Grafana
and the phantomjs project is
currently unmaintained.
It can still be enabled by providing phantomJsSupport = true to the package instanciation:
{
services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec {
phantomJsSupport = false;
});
}
The supybot module now uses /var/lib/supybot
as its default stateDir path if stateVersion
is 20.09 or higher. It also enables number of
systemd sandboxing options
which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in
.
The security.duosec.skey option, which stored a secret in the
nix store, has been replaced by a new
security.duosec.secretKeyFile
option for better security.
security.duosec.ikey has been renamed to
security.duosec.integrationKey.
The initrd SSH support now uses OpenSSH rather than Dropbear to
allow the use of Ed25519 keys and other OpenSSH-specific
functionality. Host keys must now be in the OpenSSH format, and at
least one pre-generated key must be specified.
If you used the
options, you'll get an error explaining how to convert your host
keys and migrate to the new
option.
Otherwise, if you don't have any host keys set, you'll need to
generate some; see the option
documentation for instructions.
Since this release there's an easy way to customize your PHP
install to get a much smaller base PHP with only wanted
extensions enabled. See the following snippet installing a
smaller PHP with the extensions imagick,
opcache, pdo and
pdo_mysql loaded:
environment.systemPackages = [
(pkgs.php.withExtensions
({ all, ... }: with all; [
imagick
opcache
pdo
pdo_mysql
])
)
];
The default php attribute hasn't lost any
extensions. The opcache extension has been
added.
All upstream PHP extensions are available under ]]>.
All PHP config flags have been removed for
the following reasons:
The updated php attribute is now easily
customizable to your liking by using
php.withExtensions or
php.buildEnv instead of writing config files
or changing configure flags.
The remaining configuration flags can now be set directly on
the php attribute. For example, instead of
php.override {
config.php.embed = true;
config.php.apxs2 = false;
}
you should now write
php.override {
embedSupport = true;
apxs2Support = false;
}
Gollum received a major update to version 5.x and you may have to change
some links in your wiki when migrating from gollum 4.x. More information
can be found
here.
Deluge 2.x was added and is used as default for new NixOS
installations where stateVersion is >= 20.09. If you are upgrading from a previous
NixOS version, you can set service.deluge.package = pkgs.deluge-2_x
to upgrade to Deluge 2.x and migrate the state to the new format.
Be aware that backwards state migrations are not supported by Deluge.
The NixOS options nesting.clone and
nesting.children have been deleted, and
replaced with named
configurations.
Replace a nesting.clone entry with:
{
specialisation.example-sub-configuration = {
configuration = {
...
};
};
Replace a nesting.children entry with:
{
specialisation.example-sub-configuration = {
inheritParentConfig = false;
configuration = {
...
};
};
To switch to a specialised configuration at runtime you need to
run:
# sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test
Before you would have used:
# sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
The httpd web server previously started its main process as root
privileged, then ran worker processes as a less privileged identity user.
This was changed to start all of httpd as a less privileged user (defined by
and
). As a consequence, all files that
are needed for httpd to run (included configuration fragments, SSL
certificates and keys, etc.) must now be readable by this less privileged
user/group.
The default value for
has been changed from prefork to event. Along with
this change the default value for
services.httpd.virtualHosts.<name>.http2
has been set to true.
The systemd-networkd option
systemd.network.networks.<name>.dhcp.CriticalConnection
has been removed following upstream systemd's deprecation of the same. It is recommended to use
systemd.network.networks.<name>.networkConfig.KeepConfiguration instead.
See systemd.network5 for details.
The systemd-networkd option
systemd.network.networks._name_.dhcpConfig
has been renamed to
following upstream systemd's documentation change.
See systemd.network5 for details.
Other Notable Changes
was updated from
1000 to 10000 to follow the new
upstream systemd default.
The notmuch package move its emacs-related binaries and
emacs lisp files to a separate output. They're not part
of the default out output anymore - if you relied on the
notmuch-emacs-mua binary or the emacs lisp files, access them via
the notmuch.emacs output.