Release 20.09 (“Nightingale”, 2020.09/??)Highlights
In addition to numerous new and upgraded packages, this release has the
following highlights:
Support is planned until the end of April 2021, handing over to 21.03.
GNOME desktop environment was upgraded to 3.36, see its release notes.maxx package removed along with services.xserver.desktopManager.maxx module.
Please migrate to cdesktopenv and services.xserver.desktopManager.cde module.
We now distribute a GNOME ISO.
PHP now defaults to PHP 7.4, updated from 7.3.
Python 3 now defaults to Python 3.8 instead of 3.7.
Two new options, authorizedKeysCommand
and authorizedKeysCommandUser, have
been added to the openssh module. If you have AuthorizedKeysCommand
in your services.openssh.extraConfig you should
make use of these new options instead.
There is a new module for Podman(virtualisation.podman), a drop-in replacement for the Docker command line.
The new virtualisation.containers module manages configuration shared by the CRI-O and Podman modules.
Declarative Docker containers are renamed from docker-containers to virtualisation.oci-containers.containers.
This is to make it possible to use podman instead of docker.
MariaDB has been updated to 10.4, MariaDB Galera to 26.4.
Before you upgrade, it would be best to take a backup of your database.
For MariaDB Galera Cluster, see Upgrading
from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster instead.
Before doing the upgrade read Incompatible
Changes Between 10.3 and 10.4.
After the upgrade you will need to run mysql_upgrade.
MariaDB 10.4 introduces a number of changes to the authentication process, intended to make things easier and more
intuitive. See Authentication from MariaDB 10.4.
unix_socket auth plugin does not use a password, and uses the connecting user's UID instead. When a new MariaDB data directory is initialized, two MariaDB users are
created and can be used with new unix_socket auth plugin, as well as traditional mysql_native_password plugin: root@localhost and mysql@localhost. To actually use
the traditional mysql_native_password plugin method, one must run the following:
services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("verysecret");
'';
When MariaDB data directory is just upgraded (not initialized), the users are not created or modified.
MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options
may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when
calling LOAD DATA INFILE or SELECT * INTO OUTFILE. In this scenario a variant of the following may be required:
- allow MySQL to read from /home and /tmp directories when using LOAD DATA INFILE
systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only";
- allow MySQL to write to custom folder /var/data when using SELECT * INTO OUTFILE, assuming the mysql user has write
access to /var/data
systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
New Services
The following new services were added since the last release:
There is a new module that provides doas, a lighter alternative to sudo with many of the same features.
Backward Incompatibilities
When upgrading from a previous release, please be aware of the following
incompatible changes:
buildGoModule now internally creates a vendor directory
in the source tree for downloaded modules instead of using go's module
proxy protocol. This storage format is simpler and therefore less
likekly to break with future versions of go. As a result
buildGoModule switched from
modSha256 to the vendorSha256
attribute to pin fetched version data. buildGoModule
still accepts modSha256 with a warning, but support will
be removed in the next release.
Grafana is now built without support for phantomjs by default. Phantomjs support has been
deprecated in Grafana
and the phantomjs project is
currently unmaintained.
It can still be enabled by providing phantomJsSupport = true to the package instanciation:
{
services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec {
phantomJsSupport = false;
});
}
The supybot module now uses /var/lib/supybot
as its default stateDir path if stateVersion
is 20.09 or higher. It also enables number of
systemd sandboxing options
which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in
.
The security.duosec.skey option, which stored a secret in the
nix store, has been replaced by a new
security.duosec.secretKeyFile
option for better security.
security.duosec.ikey has been renamed to
security.duosec.integrationKey.
vmware has been removed from the services.x11.videoDrivers defaults.
For VMWare guests set virtualisation.vmware.guest.enable to true which will include the appropriate drivers.
The initrd SSH support now uses OpenSSH rather than Dropbear to
allow the use of Ed25519 keys and other OpenSSH-specific
functionality. Host keys must now be in the OpenSSH format, and at
least one pre-generated key must be specified.
If you used the
options, you'll get an error explaining how to convert your host
keys and migrate to the new
option.
Otherwise, if you don't have any host keys set, you'll need to
generate some; see the option
documentation for instructions.
Since this release there's an easy way to customize your PHP
install to get a much smaller base PHP with only wanted
extensions enabled. See the following snippet installing a
smaller PHP with the extensions imagick,
opcache, pdo and
pdo_mysql loaded:
environment.systemPackages = [
(pkgs.php.withExtensions
({ all, ... }: with all; [
imagick
opcache
pdo
pdo_mysql
])
)
];
The default php attribute hasn't lost any
extensions. The opcache extension has been
added.
All upstream PHP extensions are available under ]]>.
All PHP config flags have been removed for
the following reasons:
The updated php attribute is now easily
customizable to your liking by using
php.withExtensions or
php.buildEnv instead of writing config files
or changing configure flags.
The remaining configuration flags can now be set directly on
the php attribute. For example, instead of
php.override {
config.php.embed = true;
config.php.apxs2 = false;
}
you should now write
php.override {
embedSupport = true;
apxs2Support = false;
}
Gollum received a major update to version 5.x and you may have to change
some links in your wiki when migrating from gollum 4.x. More information
can be found
here.
Deluge 2.x was added and is used as default for new NixOS
installations where stateVersion is >= 20.09. If you are upgrading from a previous
NixOS version, you can set service.deluge.package = pkgs.deluge-2_x
to upgrade to Deluge 2.x and migrate the state to the new format.
Be aware that backwards state migrations are not supported by Deluge.
Add option services.nginx.enableSandbox to starting Nginx web server with additional sandbox/hardening options.
By default, write access to services.nginx.stateDir is allowed. To allow writing to other folders,
use systemd.services.nginx.serviceConfig.ReadWritePaths
systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
The NixOS options nesting.clone and
nesting.children have been deleted, and
replaced with named
configurations.
Replace a nesting.clone entry with:
{
specialisation.example-sub-configuration = {
configuration = {
...
};
};
Replace a nesting.children entry with:
{
specialisation.example-sub-configuration = {
inheritParentConfig = false;
configuration = {
...
};
};
To switch to a specialised configuration at runtime you need to
run:
# sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test
Before you would have used:
# sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
The Nginx log directory has been moved to /var/log/nginx, the cache directory
to /var/cache/nginx. The option services.nginx.stateDir has
been removed.
The httpd web server previously started its main process as root
privileged, then ran worker processes as a less privileged identity user.
This was changed to start all of httpd as a less privileged user (defined by
and
). As a consequence, all files that
are needed for httpd to run (included configuration fragments, SSL
certificates and keys, etc.) must now be readable by this less privileged
user/group.
The default value for
has been changed from prefork to event. Along with
this change the default value for
services.httpd.virtualHosts.<name>.http2
has been set to true.
The systemd-networkd option
systemd.network.networks.<name>.dhcp.CriticalConnection
has been removed following upstream systemd's deprecation of the same. It is recommended to use
systemd.network.networks.<name>.networkConfig.KeepConfiguration instead.
See systemd.network5 for details.
The systemd-networkd option
systemd.network.networks._name_.dhcpConfig
has been renamed to
following upstream systemd's documentation change.
See systemd.network5 for details.
In the picom module, several options that accepted
floating point numbers encoded as strings (for example
) have been changed
to the (relatively) new native float type. To migrate
your configuration simply remove the quotes around the numbers.
When using buildBazelPackage from Nixpkgs,
flat hash mode is now used for dependencies
instead of recursive. This is to better allow
using hashed mirrors where needed. As a result, these hashes
will have changed.
The rkt module has been removed, it was archived by upstream.
The Bazaar VCS is
unmaintained and, as consequence of the Python 2 EOL, the packages
bazaar and bazaarTools were
removed. Breezy, the backward compatible fork of Bazaar (see the
announcement),
was packaged as breezy and can be used instead.
Regarding Nixpkgs, fetchbzr,
nix-prefetch-bzr and Bazaar support in Hydra will
continue to work through Breezy.
In addition to the hostname, the fully qualified domain name (FQDN),
which consists of ${cfg.hostName} and
${cfg.domain} is now added to
/etc/hosts, to allow local FQDN resolution, as used by the
hostname --fqdn command and other applications that
try to determine the FQDN. These new entries take precedence over entries
from the DNS which could cause regressions in some very specific setups.
Additionally the hostname is now resolved to 127.0.0.2
instead of 127.0.1.1 to be consistent with what
nss-myhostname (from systemd) returns.
The old behaviour can e.g. be restored by using
networking.hosts = lib.mkForce { "127.0.1.1" = [ config.networking.hostName ]; };.
The hostname (networking.hostName) must now be a valid
DNS label (see RFC 1035) and as such must not contain the domain part.
This means that the hostname must start with a letter, end with a letter
or digit, and have as interior characters only letters, digits, and
hyphen. The maximum length is 63 characters. Additionally it is
recommended to only use lower-case characters.
The GRUB specific option
has been replaced with the generic option
. This option creates a secondary
initrd from the specified files, rather than using a manually created
initrd file.
Due to an existing bug with ,
it is not possible to directly boot an older generation that used that
option. It is still possible to rollback to that generation if the required
initrd file has not been deleted.
The DNSChain
package and NixOS module have been removed from Nixpkgs as the software is
unmaintained and can't be built. For more information see issue
#89205.
Other Notable ChangesSD images are now compressed by default using zstd. The compression for ISO images has also been changed to zstd, but ISO images are still not compressed by default.
was updated from
1000 to 10000 to follow the new
upstream systemd default.
The notmuch package move its emacs-related binaries and
emacs lisp files to a separate output. They're not part
of the default out output anymore - if you relied on the
notmuch-emacs-mua binary or the emacs lisp files, access them via
the notmuch.emacs output.
The default output of buildGoPackage is now $out instead of $bin.
Packages built using buildRustPackage now use release
mode for the checkPhase by default.
Please note that Rust packages utilizing a custom build/install procedure
(e.g. by using a Makefile) or test suites that rely on the
structure of the target/ directory may break due to those assumptions.
For further information, please read the Rust section in the Nixpkgs manual.
The cc- and binutils-wrapper's "infix salt" and _BUILD_ and _TARGET_ user infixes have been replaced with with a "suffix salt" and suffixes and _FOR_BUILD and _FOR_TARGET.
This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier.
Additional Git documentation (HTML and text files) is now available via the git-doc package.
Default algorithm for ZRAM swap was changed to zstd.
The scripted networking system now uses .link files in
/etc/systemd/network to configure mac address and link MTU,
instead of the sometimes buggy network-link-* units, which
have been removed.
Bringing the interface up has been moved to the beginning of the
network-addresses-* unit.
Note this doesn't require systemd-networkd - it's udev that
parses .link files.
Extra care needs to be taken in the presence of legacy udev rules
to rename interfaces, as MAC Address and MTU defined in these options can only match on the original link name.
In such cases, you most likely want to create a 10-*.link file through and set both name and MAC Address / MTU there.
Grafana received a major update to version 7.x. A plugin is now needed for
image rendering support, and plugins must now be signed by default. More
information can be found
in the Grafana documentation.
The hardware.u2f module, which was installing udev rules
was removed, as udev gained native support to handle FIDO security tokens.
With this release systemd-networkd (when enabled through )
has it's netlink socket created through a systemd.socket unit. This gives us control over
socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual)
devices the default buffer size (currently 128MB) is not enough.
On a machine with >100 virtual interfaces (e.g., wireguard tunnels, VLANs, …), that all have to
be brought up during system startup, the receive buffer size will spike for a brief period.
Eventually some of the message will be dropped since there is not enough (permitted) buffer
space available.
By having systemd-networkd start with a netlink socket created by
systemd we can configure the ReceiveBufferSize= parameter
in the socket options (i.e. systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize)
without recompiling systemd-networkd.
Since the actual memory requirements depend on hardware, timing, exact
configurations etc. it isn't currently possible to infer a good default
from within the NixOS module system. Administrators are advised to
monitor the logs of systemd-networkd for rtnl: kernel receive buffer
overrun spam and increase the memory limit as they see fit.
Note: Increasing the ReceiveBufferSize= doesn't allocate any memory. It just increases
the upper bound on the kernel side. The memory allocation depends on the amount of messages that are
queued on the kernel side of the netlink socket.
Specifying mailboxes in the dovecot2 module
as a list is deprecated and will break eval in 21.03. Instead, an attribute-set should be specified where the name
should be the key of the attribute.
This means that a configuration like this
{
services.dovecot2.mailboxes = [
{ name = "Junk";
auto = "create";
}
];
}
should now look like this:
{
services.dovecot2.mailboxes = {
Junk.auto = "create";
};
}