mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-04 03:25:02 +00:00
a007e07abb
Note that it made into 2 entries, one about new options in the first section. Another in the breaking compatibility section due to the openFirewall option which changes the behavior.
1229 lines
55 KiB
XML
1229 lines
55 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-20.09">
|
|
<title>Release 20.09 (“Nightingale”, 2020.09/??)</title>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-20.09-highlights">
|
|
<title>Highlights</title>
|
|
|
|
<para>
|
|
In addition to numerous new and upgraded packages, this release has the
|
|
following highlights:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Support is planned until the end of April 2021, handing over to 21.03.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>GNOME desktop environment was upgraded to 3.36, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.36/">release notes</link>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The Cinnamon desktop environment (v4.6) has been added. <varname>services.xserver.desktopManager.cinnamon.enable = true;</varname> to try it out!
|
|
Remember that, with any new feature it's possible you could run into issues, so please send all support requests to <link xlink:href="https://github.com/NixOS/nixpkgs/issues">github.com/NixOS/nixpkgs</link> to notify the maintainers.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Quickly configure a complete, private, self-hosted video
|
|
conferencing solution with the new Jitsi Meet module.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>maxx</package> package removed along with <varname>services.xserver.desktopManager.maxx</varname> module.
|
|
Please migrate to <package>cdesktopenv</package> and <varname>services.xserver.desktopManager.cde</varname> module.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
We now distribute a GNOME ISO.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
PHP now defaults to PHP 7.4, updated from 7.3.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
PHP 7.2 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 20.09 release.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Python 3 now defaults to Python 3.8 instead of 3.7.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link>
|
|
and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have
|
|
been added to the <literal>openssh</literal> module. If you have <literal>AuthorizedKeysCommand</literal>
|
|
in your <link linkend="opt-services.openssh.extraConfig">services.openssh.extraConfig</link> you should
|
|
make use of these new options instead.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
There is a new module for Podman(<varname>virtualisation.podman</varname>), a drop-in replacement for the Docker command line.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The new <varname>virtualisation.containers</varname> module manages configuration shared by the CRI-O and Podman modules.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Declarative Docker containers are renamed from <varname>docker-containers</varname> to <varname>virtualisation.oci-containers.containers</varname>.
|
|
This is to make it possible to use <literal>podman</literal> instead of <literal>docker</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
MariaDB has been updated to 10.4, MariaDB Galera to 26.4.
|
|
Before you upgrade, it would be best to take a backup of your database.
|
|
For MariaDB Galera Cluster, see <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104-with-galera-cluster/">Upgrading
|
|
from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster</link> instead.
|
|
Before doing the upgrade read <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104">Incompatible
|
|
Changes Between 10.3 and 10.4</link>.
|
|
After the upgrade you will need to run <literal>mysql_upgrade</literal>.
|
|
MariaDB 10.4 introduces a number of changes to the authentication process, intended to make things easier and more
|
|
intuitive. See <link xlink:href="https://mariadb.com/kb/en/authentication-from-mariadb-104/">Authentication from MariaDB 10.4</link>.
|
|
unix_socket auth plugin does not use a password, and uses the connecting user's UID instead. When a new MariaDB data directory is initialized, two MariaDB users are
|
|
created and can be used with new unix_socket auth plugin, as well as traditional mysql_native_password plugin: root@localhost and mysql@localhost. To actually use
|
|
the traditional mysql_native_password plugin method, one must run the following:
|
|
<programlisting>
|
|
services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
|
|
ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("verysecret");
|
|
'';
|
|
</programlisting>
|
|
When MariaDB data directory is just upgraded (not initialized), the users are not created or modified.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options
|
|
may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when
|
|
calling <literal>LOAD DATA INFILE or SELECT * INTO OUTFILE</literal>. In this scenario a variant of the following may be required:
|
|
- allow MySQL to read from /home and /tmp directories when using <literal>LOAD DATA INFILE</literal>
|
|
<programlisting>
|
|
systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only";
|
|
</programlisting>
|
|
- allow MySQL to write to custom folder <literal>/var/data</literal> when using <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql user has write
|
|
access to <literal>/var/data</literal>
|
|
<programlisting>
|
|
systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
|
|
</programlisting>
|
|
</para>
|
|
<para>
|
|
The MySQL service no longer runs its <literal>systemd</literal> service startup script as <literal>root</literal> anymore. A dedicated non <literal>root</literal>
|
|
super user account is required for operation. This means users with an existing MySQL or MariaDB database server are required to run the following SQL statements
|
|
as a super admin user before upgrading:
|
|
<programlisting>
|
|
CREATE USER IF NOT EXISTS 'mysql'@'localhost' identified with unix_socket;
|
|
GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
|
|
</programlisting>
|
|
If you use MySQL instead of MariaDB please replace <literal>unix_socket</literal> with <literal>auth_socket</literal>. If you have changed the value of <xref linkend="opt-services.mysql.user"/>
|
|
from the default of <literal>mysql</literal> to a different user please change <literal>'mysql'@'localhost'</literal> to the corresponding user instead.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The new option <link linkend="opt-documentation.man.generateCaches">documentation.man.generateCaches</link>
|
|
has been added to automatically generate the <literal>man-db</literal> caches, which are needed by utilities
|
|
like <command>whatis</command> and <command>apropos</command>. The caches are generated during the build of
|
|
the NixOS configuration: since this can be expensive when a large number of packages are installed, the
|
|
feature is disabled by default.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<varname>services.postfix.sslCACert</varname> was replaced by <varname>services.postfix.tlsTrustedAuthorities</varname> which now defaults to system certificate authorities.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Subordinate GID and UID mappings are now set up automatically for all normal users.
|
|
This will make container tools like Podman work as non-root users out of the box.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The various documented workarounds to use steam have been converted to a module. <varname>programs.steam.enable</varname> enables steam, controller support and the workarounds.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Support for built-in LCDs in various pieces of Logitech hardware (keyboards and USB speakers). <varname>hardware.logitech.lcd.enable</varname> enables support for all hardware supported by the g15daemon project.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Zabbix now defaults to 5.0, updated from 4.4. Please carefully read through
|
|
<link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade/sources">the upgrade guide</link>
|
|
and apply any changes required. Be sure to take special note of the section on
|
|
<link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade_notes_500#enabling_extended_range_of_numeric_float_values">enabling extended range of numeric (float) values</link>
|
|
as you will need to apply this database migration manually.
|
|
</para>
|
|
<para>
|
|
If you are using Zabbix Server with a MySQL or MariaDB database you should note that using a character set of <literal>utf8</literal> and a collate of <literal>utf8_bin</literal> has become mandatory with
|
|
this release. See the upstream <link xlink:href="https://support.zabbix.com/browse/ZBX-17357">issue</link> for further discussion. Before upgrading you should check the character set and collation used by
|
|
your database and ensure they are correct:
|
|
<programlisting>
|
|
SELECT
|
|
default_character_set_name,
|
|
default_collation_name
|
|
FROM
|
|
information_schema.schemata
|
|
WHERE
|
|
schema_name = 'zabbix';
|
|
</programlisting>
|
|
If these values are not correct you should take a backup of your database and convert the character set and collation as required. Here is an
|
|
<link xlink:href="https://www.zabbix.com/forum/zabbix-help/396573-reinstall-after-upgrade?p=396891#post396891">example</link> of how to do so, taken from
|
|
the Zabbix forums:
|
|
<programlisting>
|
|
ALTER DATABASE `zabbix` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin;
|
|
|
|
-- the following will produce a list of SQL commands you should subsequently execute
|
|
SELECT CONCAT("ALTER TABLE ", TABLE_NAME," CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;") AS ExecuteTheString
|
|
FROM information_schema.`COLUMNS`
|
|
WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ci";
|
|
</programlisting>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The NixOS module system now supports freeform modules as a mix between <literal>types.attrsOf</literal> and <literal>types.submodule</literal>. These allow you to explicitly declare a subset of options while still permitting definitions without an associated option. See <xref linkend='sec-freeform-modules'/> for how to use them.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The GRUB module gained support for basic password protection, which
|
|
allows to restrict non-default entries in the boot menu to one or more
|
|
users. The users and passwords are defined via the option
|
|
<option>boot.loader.grub.users</option>.
|
|
Note: Password support is only avaiable in GRUB version 2.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Following its deprecation in 20.03, the Perl NixOS test driver has been removed.
|
|
All remaining tests have been ported to the Python test framework.
|
|
Code outside nixpkgs using <filename>make-test.nix</filename> or
|
|
<filename>testing.nix</filename> needs to be ported to
|
|
<filename>make-test-python.nix</filename> and
|
|
<filename>testing-python.nix</filename> respectively.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <link linked="opt-services.mediatomb">mediatomb service</link>
|
|
declares new options. It also adapts existing options so the
|
|
configuration generation is now lazy. The existing option
|
|
<literal>customCfg</literal> (defaults to false), when enabled, stops
|
|
the service configuration generation completely. It then expects the
|
|
users to provide their own correct configuration at the right location
|
|
(whereas the configuration was generated and not used at all before).
|
|
The new option <literal>transcodingOption</literal> (defaults to no)
|
|
allows a generated configuration. It makes the mediatomb service pulls
|
|
the necessary runtime dependencies in the nix store (whereas it was
|
|
generated with hardcoded values before). The new option
|
|
<literal>mediaDirectories</literal> allows the users to declare autoscan
|
|
media directories from their nixos configuration:
|
|
<programlisting>
|
|
services.mediatomb.mediaDirectories = [
|
|
{ path = "/var/lib/mediatomb/pictures"; recursive = false; hidden-files = false; }
|
|
{ path = "/var/lib/mediatomb/audio"; recursive = true; hidden-files = false; }
|
|
];
|
|
</programlisting>
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-20.09-new-services">
|
|
<title>New Services</title>
|
|
|
|
<para>
|
|
The following new services were added since the last release:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
There is a new <xref linkend="opt-security.doas.enable"/> module that provides <command>doas</command>, a lighter alternative to <command>sudo</command> with many of the same features.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<link xlink:href="https://hercules-ci.com">Hercules CI</link> Agent is a specialized build agent for projects built with Nix. See the <link xlink:href="https://nixos.org/nixos/options.html#services.hercules-ci-agent">options</link> and <link xlink:href="https://docs.hercules-ci.com/hercules-ci/getting-started/#deploy-agent">setup</link>.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-20.09-incompatibilities">
|
|
<title>Backward Incompatibilities</title>
|
|
|
|
<para>
|
|
When upgrading from a previous release, please be aware of the following
|
|
incompatible changes:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The <link linkend="opt-services.matrix-synapse.enable">matrix-synapse</link> module no longer includes optional dependencies by default, they have to be added through the <link linkend="opt-services.matrix-synapse.plugins">plugins</link> option.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>buildGoModule</literal> now internally creates a vendor directory
|
|
in the source tree for downloaded modules instead of using go's <link
|
|
xlink:href="https://golang.org/cmd/go/#hdr-Module_proxy_protocol">module
|
|
proxy protocol</link>. This storage format is simpler and therefore less
|
|
likely to break with future versions of go. As a result
|
|
<literal>buildGoModule</literal> switched from
|
|
<literal>modSha256</literal> to the <literal>vendorSha256</literal>
|
|
attribute to pin fetched version data.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Grafana is now built without support for phantomjs by default. Phantomjs support has been
|
|
<link xlink:href="https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-4/">deprecated in Grafana</link>
|
|
and the <package>phantomjs</package> project is
|
|
<link xlink:href="https://github.com/ariya/phantomjs/issues/15344#issue-302015362">currently unmaintained</link>.
|
|
It can still be enabled by providing <literal>phantomJsSupport = true</literal> to the package instantiation:
|
|
<programlisting>{
|
|
services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec {
|
|
phantomJsSupport = false;
|
|
});
|
|
}</programlisting>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <link linkend="opt-services.supybot.enable">supybot</link> module now uses <literal>/var/lib/supybot</literal>
|
|
as its default <link linkend="opt-services.supybot.stateDir">stateDir</link> path if <literal>stateVersion</literal>
|
|
is 20.09 or higher. It also enables a number of
|
|
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd sandboxing options</link>
|
|
which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in
|
|
<option>systemd.services.supybot.serviceConfig</option>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>security.duosec.skey</literal> option, which stored a secret in the
|
|
nix store, has been replaced by a new
|
|
<link linkend="opt-security.duosec.secretKeyFile">security.duosec.secretKeyFile</link>
|
|
option for better security.
|
|
</para>
|
|
<para>
|
|
<literal>security.duosec.ikey</literal> has been renamed to
|
|
<link linkend="opt-security.duosec.integrationKey">security.duosec.integrationKey</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>vmware</literal> has been removed from the <literal>services.x11.videoDrivers</literal> defaults.
|
|
For VMWare guests set <literal>virtualisation.vmware.guest.enable</literal> to <literal>true</literal> which will include the appropriate drivers.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The initrd SSH support now uses OpenSSH rather than Dropbear to
|
|
allow the use of Ed25519 keys and other OpenSSH-specific
|
|
functionality. Host keys must now be in the OpenSSH format, and at
|
|
least one pre-generated key must be specified.
|
|
</para>
|
|
<para>
|
|
If you used the <option>boot.initrd.network.ssh.host*Key</option>
|
|
options, you'll get an error explaining how to convert your host
|
|
keys and migrate to the new
|
|
<option>boot.initrd.network.ssh.hostKeys</option> option.
|
|
Otherwise, if you don't have any host keys set, you'll need to
|
|
generate some; see the <option>hostKeys</option> option
|
|
documentation for instructions.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Since this release there's an easy way to customize your PHP
|
|
install to get a much smaller base PHP with only wanted
|
|
extensions enabled. See the following snippet installing a
|
|
smaller PHP with the extensions <literal>imagick</literal>,
|
|
<literal>opcache</literal>, <literal>pdo</literal> and
|
|
<literal>pdo_mysql</literal> loaded:
|
|
|
|
<programlisting>
|
|
environment.systemPackages = [
|
|
(pkgs.php.withExtensions
|
|
({ all, ... }: with all; [
|
|
imagick
|
|
opcache
|
|
pdo
|
|
pdo_mysql
|
|
])
|
|
)
|
|
];</programlisting>
|
|
|
|
The default <literal>php</literal> attribute hasn't lost any
|
|
extensions. The <literal>opcache</literal> extension has been
|
|
added.
|
|
|
|
All upstream PHP extensions are available under <package><![CDATA[php.extensions.<name?>]]></package>.
|
|
</para>
|
|
<para>
|
|
All PHP <literal>config</literal> flags have been removed for
|
|
the following reasons:
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The updated <literal>php</literal> attribute is now easily
|
|
customizable to your liking by using
|
|
<literal>php.withExtensions</literal> or
|
|
<literal>php.buildEnv</literal> instead of writing config files
|
|
or changing configure flags.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The remaining configuration flags can now be set directly on
|
|
the <literal>php</literal> attribute. For example, instead of
|
|
|
|
<programlisting>
|
|
php.override {
|
|
config.php.embed = true;
|
|
config.php.apxs2 = false;
|
|
}
|
|
</programlisting>
|
|
|
|
you should now write
|
|
|
|
<programlisting>
|
|
php.override {
|
|
embedSupport = true;
|
|
apxs2Support = false;
|
|
}
|
|
</programlisting>
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The ACME module has been overhauled for simplicity and maintainability.
|
|
Cert generation now implicitly uses the <literal>acme</literal>
|
|
user, and the <literal>security.acme.certs._name_.user</literal> option
|
|
has been removed. Instead, certificate access from other services is now
|
|
managed through group permissions. The module no longer runs lego
|
|
twice under certain conditions, and will correctly renew certificates if
|
|
their configuration is changed. Services which reload nginx and httpd after
|
|
certificate renewal are now properly configured too so you no longer have
|
|
to do this manually if you are using HTTPS enabled virtual hosts. A mechanism
|
|
for regenerating certs on demand has also been added and documented.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Gollum received a major update to version 5.x and you may have to change
|
|
some links in your wiki when migrating from gollum 4.x. More information
|
|
can be found
|
|
<link xlink:href="https://github.com/gollum/gollum/wiki/5.0-release-notes#migrating-your-wiki">here</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Deluge 2.x was added and is used as default for new NixOS
|
|
installations where stateVersion is >= 20.09. If you are upgrading from a previous
|
|
NixOS version, you can set <literal>service.deluge.package = pkgs.deluge-2_x</literal>
|
|
to upgrade to Deluge 2.x and migrate the state to the new format.
|
|
Be aware that backwards state migrations are not supported by Deluge.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Nginx web server now starting with additional sandbox/hardening options. By default, write access
|
|
to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders,
|
|
use <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal>
|
|
<programlisting>
|
|
systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
|
|
</programlisting>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The NixOS options <literal>nesting.clone</literal> and
|
|
<literal>nesting.children</literal> have been deleted, and
|
|
replaced with named <xref linkend="opt-specialisation"/>
|
|
configurations.
|
|
</para>
|
|
|
|
<para>
|
|
Replace a <literal>nesting.clone</literal> entry with:
|
|
|
|
<programlisting>{
|
|
<link xlink:href="#opt-specialisation">specialisation.example-sub-configuration</link> = {
|
|
<link xlink:href="#opt-specialisation._name_.configuration">configuration</link> = {
|
|
...
|
|
};
|
|
};</programlisting>
|
|
|
|
</para>
|
|
<para>
|
|
Replace a <literal>nesting.children</literal> entry with:
|
|
|
|
<programlisting>{
|
|
<link xlink:href="#opt-specialisation">specialisation.example-sub-configuration</link> = {
|
|
<link xlink:href="#opt-specialisation._name_.inheritParentConfig">inheritParentConfig</link> = false;
|
|
<link xlink:href="#opt-specialisation._name_.configuration">configuration</link> = {
|
|
...
|
|
};
|
|
};</programlisting>
|
|
</para>
|
|
|
|
<para>
|
|
To switch to a specialised configuration at runtime you need to
|
|
run:
|
|
<programlisting>
|
|
# sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test
|
|
</programlisting>
|
|
Before you would have used:
|
|
<programlisting>
|
|
# sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
|
|
</programlisting>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The Nginx log directory has been moved to <literal>/var/log/nginx</literal>, the cache directory
|
|
to <literal>/var/cache/nginx</literal>. The option <literal>services.nginx.stateDir</literal> has
|
|
been removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The httpd web server previously started its main process as root
|
|
privileged, then ran worker processes as a less privileged identity user.
|
|
This was changed to start all of httpd as a less privileged user (defined by
|
|
<xref linkend="opt-services.httpd.user"/> and
|
|
<xref linkend="opt-services.httpd.group"/>). As a consequence, all files that
|
|
are needed for httpd to run (included configuration fragments, SSL
|
|
certificates and keys, etc.) must now be readable by this less privileged
|
|
user/group.
|
|
</para>
|
|
<para>
|
|
The default value for <xref linkend="opt-services.httpd.mpm"/>
|
|
has been changed from <literal>prefork</literal> to <literal>event</literal>. Along with
|
|
this change the default value for
|
|
<link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.http2</link>
|
|
has been set to <literal>true</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>systemd-networkd</literal> option
|
|
<literal>systemd.network.networks.<name>.dhcp.CriticalConnection</literal>
|
|
has been removed following upstream systemd's deprecation of the same. It is recommended to use
|
|
<literal>systemd.network.networks.<name>.networkConfig.KeepConfiguration</literal> instead.
|
|
See <citerefentry><refentrytitle>systemd.network</refentrytitle>
|
|
<manvolnum>5</manvolnum></citerefentry> for details.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>systemd-networkd</literal> option
|
|
<literal>systemd.network.networks._name_.dhcpConfig</literal>
|
|
has been renamed to
|
|
<xref linkend="opt-systemd.network.networks._name_.dhcpV4Config"/>
|
|
following upstream systemd's documentation change.
|
|
See <citerefentry><refentrytitle>systemd.network</refentrytitle>
|
|
<manvolnum>5</manvolnum></citerefentry> for details.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
In the <literal>picom</literal> module, several options that accepted
|
|
floating point numbers encoded as strings (for example
|
|
<xref linkend="opt-services.picom.activeOpacity"/>) have been changed
|
|
to the (relatively) new native <literal>float</literal> type. To migrate
|
|
your configuration simply remove the quotes around the numbers.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
When using <literal>buildBazelPackage</literal> from Nixpkgs,
|
|
<literal>flat</literal> hash mode is now used for dependencies
|
|
instead of <literal>recursive</literal>. This is to better allow
|
|
using hashed mirrors where needed. As a result, these hashes
|
|
will have changed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The rkt module has been removed, it was archived by upstream.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <link xlink:href="https://bazaar.canonical.com">Bazaar</link> VCS is
|
|
unmaintained and, as consequence of the Python 2 EOL, the packages
|
|
<literal>bazaar</literal> and <literal>bazaarTools</literal> were
|
|
removed. Breezy, the backward compatible fork of Bazaar (see the
|
|
<link xlink:href="https://www.jelmer.uk/breezy-intro.html">announcement</link>),
|
|
was packaged as <literal>breezy</literal> and can be used instead.
|
|
</para>
|
|
<para>
|
|
Regarding Nixpkgs, <literal>fetchbzr</literal>,
|
|
<literal>nix-prefetch-bzr</literal> and Bazaar support in Hydra will
|
|
continue to work through Breezy.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
In addition to the hostname, the fully qualified domain name (FQDN),
|
|
which consists of <literal>${cfg.hostName}</literal> and
|
|
<literal>${cfg.domain}</literal> is now added to
|
|
<literal>/etc/hosts</literal>, to allow local FQDN resolution, as used by the
|
|
<literal>hostname --fqdn</literal> command and other applications that
|
|
try to determine the FQDN. These new entries take precedence over entries
|
|
from the DNS which could cause regressions in some very specific setups.
|
|
Additionally the hostname is now resolved to <literal>127.0.0.2</literal>
|
|
instead of <literal>127.0.1.1</literal> to be consistent with what
|
|
<literal>nss-myhostname</literal> (from systemd) returns.
|
|
The old behaviour can e.g. be restored by using
|
|
<literal>networking.hosts = lib.mkForce { "127.0.1.1" = [ config.networking.hostName ]; };</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The hostname (<literal>networking.hostName</literal>) must now be a valid
|
|
DNS label (see RFC 1035, RFC 1123) and as such must not contain the domain part.
|
|
This means that the hostname must start with a letter or digit, end with a letter
|
|
or digit, and have as interior characters only letters, digits, and
|
|
hyphen. The maximum length is 63 characters. Additionally it is
|
|
recommended to only use lower-case characters.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The GRUB specific option <option>boot.loader.grub.extraInitrd</option>
|
|
has been replaced with the generic option
|
|
<option>boot.initrd.secrets</option>. This option creates a secondary
|
|
initrd from the specified files, rather than using a manually created
|
|
initrd file.
|
|
|
|
Due to an existing bug with <option>boot.loader.grub.extraInitrd</option>,
|
|
it is not possible to directly boot an older generation that used that
|
|
option. It is still possible to rollback to that generation if the required
|
|
initrd file has not been deleted.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <link xlink:href="https://github.com/okTurtles/dnschain">DNSChain</link>
|
|
package and NixOS module have been removed from Nixpkgs as the software is
|
|
unmaintained and can't be built. For more information see issue
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/89205">#89205</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
In the <literal>resilio</literal> module, <xref linkend="opt-services.resilio.httpListenAddr"/> has been changed to listen to <literal>[::1]</literal> instead of <literal>0.0.0.0</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Users of <link xlink:href="http://openafs.org">OpenAFS 1.6</link> must
|
|
upgrade their services to OpenAFS 1.8! In this release, the OpenAFS package
|
|
version 1.6.24 is marked broken but can be used during transition to
|
|
OpenAFS 1.8.x. Use the options
|
|
<option>services.openafsClient.packages.module</option>,
|
|
<option>services.openafsClient.packages.programs</option> and
|
|
<option>services.openafsServer.package</option> to select a different
|
|
OpenAFS package. OpenAFS 1.6 will be removed in the next release. The
|
|
package <literal>openafs</literal> and the service options will then
|
|
silently point to the OpenAFS 1.8 release.
|
|
</para>
|
|
<para>
|
|
See also the OpenAFS <link
|
|
xlink:href="http://docs.openafs.org/AdminGuide/index.html">Administrator
|
|
Guide</link> for instructions. Beware of the following when updating
|
|
servers:
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The storage format of the server key has changed and the key must be converted before running the new release.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
When updating multiple database servers, turn off the database servers
|
|
from the highest IP down to the lowest with resting periods in
|
|
between. Start up in reverse order. Do not concurrently run database
|
|
servers working with different OpenAFS releases!
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Update servers first, then clients.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Radicale's default package has changed from 2.x to 3.x. An upgrade
|
|
checklist can be found
|
|
<link xlink:href="https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist">here</link>.
|
|
You can use the newer version in the NixOS service by setting the
|
|
<literal>package</literal> to <literal>radicale3</literal>, which is done
|
|
automatically if <literal>stateVersion</literal> is 20.09 or higher.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>udpt</literal> experienced a complete rewrite from C++ to rust. The configuration format changed from ini to toml.
|
|
The new configuration documentation can be found at
|
|
<link xlink:href="https://naim94a.github.io/udpt/config.html">the official website</link> and example
|
|
configuration is packaged in <literal>${udpt}/share/udpt/udpt.toml</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
We now have a unified <xref linkend="opt-services.xserver.displayManager.autoLogin"/> option interface
|
|
to be used for every display-manager in NixOS.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>bitcoind</literal> module has changed to multi-instance, using submodules.
|
|
Therefore, it is now mandatory to name each instance.
|
|
To use this new multi-instance config with an existing bitcoind data directory and user,
|
|
you have to adjust the original config, e.g.:
|
|
<programlisting>
|
|
services.bitcoind = {
|
|
enable = true;
|
|
extraConfig = "...";
|
|
...
|
|
};
|
|
</programlisting>
|
|
To something similar:
|
|
<programlisting>
|
|
services.bitcoind.mainnet = {
|
|
enable = true;
|
|
dataDir = "/var/lib/bitcoind";
|
|
user = "bitcoin";
|
|
extraConfig = "...";
|
|
...
|
|
};
|
|
</programlisting>
|
|
The key settings are:
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>dataDir</literal> - to continue using the same data directory.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>user</literal> - to continue using the same user so that bitcoind maintains access to its files.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Graylog introduced a change in the LDAP server certificate validation behaviour for version 3.3.3 which might break existing setups.
|
|
When updating Graylog from a version before 3.3.3 make sure to check the Graylog <link xlink:href="https://www.graylog.org/post/announcing-graylog-v3-3-3">release info</link> for information on how to avoid the issue.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>dokuwiki</literal> module has changed to multi-instance, using submodules.
|
|
Therefore, it is now mandatory to name each instance. Moreover, forcing SSL by default has been dropped, so
|
|
<literal>nginx.forceSSL</literal> and <literal>nginx.enableACME</literal> are no longer set to <literal>true</literal>.
|
|
To continue using your service with the original SSL settings, you have to adjust the original config, e.g.:
|
|
<programlisting>
|
|
services.dokuwiki = {
|
|
enable = true;
|
|
...
|
|
};
|
|
</programlisting>
|
|
To something similar:
|
|
<programlisting>
|
|
services.dokuwiki."mywiki" = {
|
|
enable = true;
|
|
nginx = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
};
|
|
...
|
|
};
|
|
</programlisting>
|
|
The base package has also been upgraded to the 2020-07-29 "Hogfather" release. Plugins might be incompatible or require upgrading.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <xref linkend="opt-services.postgresql.dataDir"/> option is now set to <literal>"/var/lib/postgresql/${cfg.package.psqlSchema}"</literal> regardless of your
|
|
<xref linkend="opt-system.stateVersion"/>. Users with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below
|
|
should double check what the value of their <xref linkend="opt-services.postgresql.dataDir"/> option is (<literal>/var/db/postgresql</literal>) and then explicitly
|
|
set this value to maintain compatibility:
|
|
<programlisting>
|
|
services.postgresql.dataDir = "/var/db/postgresql";
|
|
</programlisting>
|
|
</para>
|
|
<para>
|
|
The postgresql module now expects there to be a database super user account called <literal>postgres</literal> regardless of your <xref linkend="opt-system.stateVersion"/>. Users
|
|
with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below should run the following SQL statements as a
|
|
database super admin user before upgrading:
|
|
<programlisting>
|
|
CREATE ROLE postgres LOGIN SUPERUSER;
|
|
</programlisting>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The USBGuard module now removes options and instead hardcodes values for <literal>IPCAccessControlFiles</literal>, <literal>ruleFiles</literal>, and <literal>auditFilePath</literal>. Audit logs can be found in the journal.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The NixOS module system now evaluates option definitions more strictly, allowing it to detect a larger set of problems.
|
|
As a result, what previously evaluated may not do so anymore.
|
|
See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/82743#issuecomment-674520472">the PR that changed this</link> for more info.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
For NixOS configuration options, the type <literal>loaOf</literal>, after
|
|
its initial deprecation in release 20.03, has been removed. In NixOS and
|
|
Nixpkgs options using this type have been converted to <literal>attrsOf</literal>.
|
|
For more information on this change have look at these links:
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/1800">issue #1800</link>,
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/63103">PR #63103</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>config.systemd.services.${name}.path</literal> now returns a list of paths instead of a colon-separated string.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Caddy module now uses Caddy v2 by default. Caddy v1 can still be used by setting
|
|
<xref linkend="opt-services.caddy.package"/> to <literal>pkgs.caddy1</literal>.
|
|
</para>
|
|
<para>
|
|
New option <xref linkend="opt-services.caddy.adapter"/> has been added.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <link linkend="opt-services.jellyfin.enable">jellyfin</link> module will use and stay on the Jellyfin version <literal>10.5.5</literal>
|
|
if <literal>stateVersion</literal> is lower than <literal>20.09</literal>. This is because significant changes were made to the database schema,
|
|
and it is highly recommended to backup your instance before upgrading. After making your backup, you can upgrade to the latest version either by
|
|
setting your <literal>stateVersion</literal> to <literal>20.09</literal> or higher, or set the <option>services.jellyfin.package</option> to
|
|
<literal>pkgs.jellyfin</literal>. If you do not wish to upgrade Jellyfin, but want to change your <literal>stateVersion</literal>, you can set
|
|
the value of <option>services.jellyfin.package</option> to <literal>pkgs.jellyfin_10_5</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>security.rngd</literal> service is now disabled by default.
|
|
This choice was made because there's krngd in the linux kernel space making it (for most usecases)
|
|
functionally redundent.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The package <package>nextcloud17</package> has been removed and <package>nextcloud18</package> was marked as insecure
|
|
since both of them will <link xlink:href="https://docs.nextcloud.com/server/19/admin_manual/release_schedule.html">
|
|
will be EOL (end of life) within the lifetime of 20.09</link>.
|
|
</para>
|
|
<para>
|
|
It's necessary to upgrade to <package>nextcloud19</package>:
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
From <package>nextcloud17</package>, you have to upgrade to <package>nextcloud18</package> first as
|
|
Nextcloud doesn't allow going multiple major revisions forward in a single upgrade. This is possible
|
|
by setting <xref linkend="opt-services.nextcloud.package" /> to <package>nextcloud18</package>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
From <package>nextcloud18</package>, it's possible to directly upgrade to <package>nextcloud19</package>
|
|
by setting <xref linkend="opt-services.nextcloud.package" /> to <package>nextcloud19</package>.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
<listitem>
|
|
<para>
|
|
The <link linked="opt-services.mediatomb">mediatomb service</link> is
|
|
now using by default the new and maintained fork
|
|
<literal>gerbera</literal> package instead of the unmaintained
|
|
<literal>mediatomb</literal> package. If you want to keep the old
|
|
behavior, you must declare it with:
|
|
<programlisting>
|
|
services.mediatomb.package = pkgs.mediatomb;
|
|
</programlisting>
|
|
One new option <literal>openFirewall<literal> has been introduced which
|
|
defaults to false. If you relied on the service declaration to add the
|
|
firewall rules itself before, you should now declare it with:
|
|
<programlisting>
|
|
services.mediatomb.openFirewall = true;
|
|
</programlisting>
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-20.09-notable-changes">
|
|
<title>Other Notable Changes</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>SD images are now compressed by default using <literal>zstd</literal>. The compression for ISO images has also been changed to <literal>zstd</literal>, but ISO images are still not compressed by default.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<option>services.journald.rateLimitBurst</option> was updated from
|
|
<literal>1000</literal> to <literal>10000</literal> to follow the new
|
|
upstream systemd default.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <package>notmuch</package> package move its emacs-related binaries and
|
|
emacs lisp files to a separate output. They're not part
|
|
of the default <literal>out</literal> output anymore - if you relied on the
|
|
<literal>notmuch-emacs-mua</literal> binary or the emacs lisp files, access them via
|
|
the <literal>notmuch.emacs</literal> output.
|
|
|
|
Device tree overlay support was improved in
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/79370">#79370</link>
|
|
and now uses <xref linkend="opt-hardware.deviceTree.kernelPackage"/>
|
|
instead of <option>hardware.deviceTree.base</option>.
|
|
|
|
<xref linkend="opt-hardware.deviceTree.overlays"/> configuration was
|
|
extended to support <literal>.dts</literal> files with symbols.
|
|
|
|
Device trees can now be filtered by setting
|
|
<xref linkend="opt-hardware.deviceTree.filter"/> option.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The default output of <literal>buildGoPackage</literal> is now <literal>$out</literal> instead of <literal>$bin</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>buildGoModule</literal> <literal>doCheck</literal> now defaults to <literal>true</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Packages built using <literal>buildRustPackage</literal> now use <literal>release</literal>
|
|
mode for the <literal>checkPhase</literal> by default.
|
|
</para>
|
|
<para>
|
|
Please note that Rust packages utilizing a custom build/install procedure
|
|
(e.g. by using a <filename>Makefile</filename>) or test suites that rely on the
|
|
structure of the <filename>target/</filename> directory may break due to those assumptions.
|
|
For further information, please read the Rust section in the Nixpkgs manual.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The cc- and binutils-wrapper's "infix salt" and <literal>_BUILD_</literal> and <literal>_TARGET_</literal> user infixes have been replaced with with a "suffix salt" and suffixes and <literal>_FOR_BUILD</literal> and <literal>_FOR_TARGET</literal>.
|
|
This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Additional Git documentation (HTML and text files) is now available via the <literal>git-doc</literal> package.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Default algorithm for ZRAM swap was changed to <literal>zstd</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The installer now enables sshd by default. This improves installation on headless machines especially ARM single-board-computer.
|
|
To login through ssh, either a password or an ssh key must be set for the root user or the nixos user.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The scripted networking system now uses <literal>.link</literal> files in
|
|
<literal>/etc/systemd/network</literal> to configure mac address and link MTU,
|
|
instead of the sometimes buggy <literal>network-link-*</literal> units, which
|
|
have been removed.
|
|
Bringing the interface up has been moved to the beginning of the
|
|
<literal>network-addresses-*</literal> unit.
|
|
Note this doesn't require <command>systemd-networkd</command> - it's udev that
|
|
parses <literal>.link</literal> files.
|
|
Extra care needs to be taken in the presence of <link xlink:href="https://wiki.debian.org/NetworkInterfaceNames#THE_.22PERSISTENT_NAMES.22_SCHEME">legacy udev rules</link>
|
|
to rename interfaces, as MAC Address and MTU defined in these options can only match on the original link name.
|
|
In such cases, you most likely want to create a <literal>10-*.link</literal> file through <xref linkend="opt-systemd.network.links"/> and set both name and MAC Address / MTU there.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Grafana received a major update to version 7.x. A plugin is now needed for
|
|
image rendering support, and plugins must now be signed by default. More
|
|
information can be found
|
|
<link xlink:href="https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0">in the Grafana documentation</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>hardware.u2f</literal> module, which was installing udev rules
|
|
was removed, as udev gained native support to handle FIDO security tokens.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>services.transmission</literal> module
|
|
was enhanced with the new options:
|
|
<xref linkend="opt-services.transmission.credentialsFile"/>,
|
|
<xref linkend="opt-services.transmission.openFirewall"/>,
|
|
and <xref linkend="opt-services.transmission.performanceNetParameters"/>.
|
|
</para>
|
|
<para>
|
|
<literal>transmission-daemon</literal> is now started with additional systemd sandbox/hardening options for better security.
|
|
Please <link xlink:href="https://github.com/NixOS/nixpkgs/issues">report</link>
|
|
any use case where this is not working well.
|
|
In particular, the <literal>RootDirectory</literal> option newly set
|
|
forbids uploading or downloading a torrent outside of the default directory
|
|
configured at <link linkend="opt-services.transmission.settings">settings.download-dir</link>.
|
|
If you really need Transmission to access other directories,
|
|
you must include those directories into the <literal>BindPaths</literal> of the service:
|
|
<programlisting>
|
|
systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ];
|
|
</programlisting>
|
|
</para>
|
|
<para>
|
|
Also, connection to the RPC (Remote Procedure Call) of <literal>transmission-daemon</literal>
|
|
is now only available on the local network interface by default.
|
|
Use:
|
|
<programlisting>
|
|
services.transmission.settings.rpc-bind-address = "0.0.0.0";
|
|
</programlisting>
|
|
to get the previous behavior of listening on all network interfaces.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>)
|
|
has it's netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over
|
|
socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual)
|
|
devices the default buffer size (currently 128MB) is not enough.
|
|
</para>
|
|
<para>
|
|
On a machine with >100 virtual interfaces (e.g., wireguard tunnels, VLANs, …), that all have to
|
|
be brought up during system startup, the receive buffer size will spike for a brief period.
|
|
Eventually some of the message will be dropped since there is not enough (permitted) buffer
|
|
space available.
|
|
</para>
|
|
<para>
|
|
By having <literal>systemd-networkd</literal> start with a netlink socket created by
|
|
<literal>systemd</literal> we can configure the <literal>ReceiveBufferSize=</literal> parameter
|
|
in the socket options (i.e. <literal>systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize</literal>)
|
|
without recompiling <literal>systemd-networkd</literal>.
|
|
</para>
|
|
<para>
|
|
Since the actual memory requirements depend on hardware, timing, exact
|
|
configurations etc. it isn't currently possible to infer a good default
|
|
from within the NixOS module system. Administrators are advised to
|
|
monitor the logs of <literal>systemd-networkd</literal> for <literal>rtnl: kernel receive buffer
|
|
overrun</literal> spam and increase the memory limit as they see fit.
|
|
</para>
|
|
<para>
|
|
Note: Increasing the <literal>ReceiveBufferSize=</literal> doesn't allocate any memory. It just increases
|
|
the upper bound on the kernel side. The memory allocation depends on the amount of messages that are
|
|
queued on the kernel side of the netlink socket.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Specifying <link linkend="opt-services.dovecot2.mailboxes">mailboxes</link> in the <package>dovecot2</package> module
|
|
as a list is deprecated and will break eval in 21.03. Instead, an attribute-set should be specified where the <literal>name</literal>
|
|
should be the key of the attribute.
|
|
</para>
|
|
<para>
|
|
This means that a configuration like this
|
|
<programlisting>{
|
|
<link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = [
|
|
{ name = "Junk";
|
|
auto = "create";
|
|
}
|
|
];
|
|
}</programlisting>
|
|
should now look like this:
|
|
<programlisting>{
|
|
<link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = {
|
|
Junk.auto = "create";
|
|
};
|
|
}</programlisting>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>netbeans</package> was upgraded to 12.0 and now defaults to OpenJDK 11. This might cause problems if your projects depend on packages that were removed in Java 11.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>nextcloud</package> has been updated to <link xlink:href="https://nextcloud.com/blog/nextcloud-hub-brings-productivity-to-home-office/">v19</link>.
|
|
</para>
|
|
<para>
|
|
If you have an existing installation, please make sure that you're on
|
|
<package>nextcloud18</package> before upgrading to <package>nextcloud19</package>
|
|
since Nextcloud doesn't support upgrades across multiple major versions.
|
|
</para>
|
|
<para>
|
|
The <literal>nixos-run-vms</literal> script now deletes the
|
|
previous run machines states on test startup. You can use the
|
|
<literal>--keep-vm-state</literal> flag to match the previous
|
|
behaviour and keep the same VM state between different test runs.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <link linkend="opt-nix.buildMachines">nix.buildMachines</link> option is now type-checked.
|
|
There are no functional changes, however this may require updating some configurations to use correct types for all attributes.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>fontconfig</literal> module stopped generating fontconfig 2.10.x config and cache.
|
|
Fontconfig 2.10.x was removed from Nixpkgs - it hasn't been used in any nixpkgs package anymore.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Nginx module <literal>nginxModules.fastcgi-cache-purge</literal> renamed to official name <literal>nginxModules.cache-purge</literal>.
|
|
Nginx module <literal>nginxModules.ngx_aws_auth</literal> renamed to official name <literal>nginxModules.aws-auth</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The option <option>defaultPackages</option> was added. It installs the packages <package>perl</package>, <package>rsync</package> and <package>strace</package> for now. They were added unconditionally to <option>systemPackages</option> before, but are not strictly necessary for a minimal NixOS install. You can set it to an empty list to have a more minimal system. Be aware that some functionality might still have an impure dependency on those packages, so things might break.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>undervolt</literal> option no longer needs to apply its
|
|
settings every 30s. If they still become undone, open an issue and restore
|
|
the previous behaviour using <literal>undervolt.useTimer</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Agda has been heavily reworked.
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>agda.mkDerivation</literal> has been heavily changed and
|
|
is now located at <package>agdaPackages.mkDerivation</package>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
New top-level packages <package>agda</package> and
|
|
<literal>agda.withPackages</literal> have been added, the second
|
|
of which sets up agda with access to chosen libraries.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
All agda libraries now live under
|
|
<literal>agdaPackages</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Many broken libraries have been removed.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
See the <link
|
|
xlink:href="https://nixos.org/nixpkgs/manual/#agda">new
|
|
documentation</link> for more information.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>deepin</literal> package set has been removed from
|
|
nixpkgs. It was a work in progress to package the
|
|
<link xlink:href="https://www.deepin.org/en/dde/">Deepin Desktop Environment (DDE)</link>,
|
|
including libraries, tools and applications, and it was still
|
|
missing a service to lauch the desktop environment. It has shown
|
|
to no longer be a feasible goal due to reasons discussed in
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/94870">issue #94870</link>.
|
|
The package <literal>netease-cloud-music</literal> has also been
|
|
removed, as it depends on libraries from deepin.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>opendkim</literal> module now uses systemd sandboxing features
|
|
to limit the exposure of the system towards the opendkim service.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para />
|
|
<para>
|
|
Kubernetes has been upgraded to 1.19.1, which also means that the
|
|
golang version to build it has been bumped to 1.15. This may have
|
|
consequences for your existing clusters and their certificates. Please
|
|
consider
|
|
<link xlink:href="https://relnotes.k8s.io/?markdown=93264">
|
|
the release notes for Kubernetes 1.19 carefully
|
|
</link>
|
|
before upgrading.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</section>
|