# Release 24.11 (“Vicuña”, 2024.11/??) {#sec-release-24.11}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

## Highlights {#sec-release-24.11-highlights}

- Convenience options for `amdgpu`, the open source driver for Radeon cards, are now available under `hardware.amdgpu`.

- [AMDVLK](https://github.com/GPUOpen-Drivers/AMDVLK), AMD's open source Vulkan driver, can now be configured through the `hardware.amdgpu.amdvlk` option.
  This also allows configuring runtime settings of AMDVLK and enabling experimental features.
- The `moonlight-qt` package ([Moonlight game streaming](https://moonlight-stream.org/)) now has HDR support on Linux systems.

## New Services {#sec-release-24.11-new-services}

- [Open-WebUI](https://github.com/open-webui/open-webui), a user-friendly WebUI
  for LLMs. Available as [services.open-webui](#opt-services.open-webui.enable)
  service.

- [Quickwit](https://quickwit.io), sub-second search & analytics engine on cloud storage. Available as [services.quickwit](options.html#opt-services.quickwit).

- [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood).

- [QGroundControl], a ground station support and configuration manager for the PX4 and APM Flight Stacks. Available as [programs.qgroundcontrol](options.html#opt-programs.qgroundcontrol.enable).

- [Eintopf](https://eintopf.info), community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf).

- [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).

- [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a web UI for connecting devices. Available at [services.wg-access-server](#opt-services.wg-access-server.enable).

- [Envision](https://gitlab.com/gabmus/envision), a UI for building, configuring and running Monado, the open source OpenXR runtime. Available as [programs.envision](#opt-programs.envision.enable).

- [realm](https://github.com/zhboner/realm), a simple, high performance relay server written in Rust. Available as [services.realm.enable](#opt-services.realm.enable).

- [Playerctld](https://github.com/altdesktop/playerctl), a daemon to track media player activity. Available as [services.playerctld](option.html#opt-services.playerctld).

- [Glance](https://github.com/glanceapp/glance), a self-hosted dashboard that puts all your feeds in one place. Available as [services.glance](option.html#opt-services.glance).

## Backward Incompatibilities {#sec-release-24.11-incompatibilities}

- The `transmission` package has been aliased with a `trace` warning to `transmission_3`. Since [Transmission 4 was released last year](https://github.com/transmission/transmission/releases/tag/4.0.0) and Transmission 3 will eventually go away, this warning alias was added to make people aware of the new version. `services.transmission.package` defaults to `transmission_3` as well because the upgrade can cause data loss in certain specific usage patterns (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up your data directory according to your usage:
  - `transmission-gtk`: `~/.config/transmission`
  - `transmission-daemon` using NixOS module: `${config.services.transmission.home}/.config/transmission-daemon` (defaults to `/var/lib/transmission/.config/transmission-daemon`)

- `androidenv.androidPkgs_9_0` has been removed, and replaced with `androidenv.androidPkgs` for a more complete Android SDK including support for Android 9 and later.

- `grafana` has been updated to version 11.1. This version no longer supports setting `http_addr` to a hostname; an IP address is expected.

- `wstunnel` has had a major version upgrade that entailed rewriting the program in Rust.
  The module was updated to accommodate the breaking changes.
  Breaking changes to the module API were minimised as much as possible,
  but some were nonetheless inevitable due to changes in the upstream CLI.
  Certain options were moved from separate CLI arguments into the forward specifications,
  and those options were also removed from the module's API;
  please consult the wstunnel man page for more detail.
  Also be aware that any additional options you have set in `services.wstunnel.{clients,servers}.<name>.extraArgs`
  might have been removed or modified upstream.

- `clang-tools_<version>` packages have been moved into `llvmPackages_<version>` (i.e. `clang-tools_18` is now `llvmPackages_18.clang-tools`).
  - For convenience, the top-level `clang-tools` attribute remains and is now bound to `llvmPackages.clang-tools`.
  - Top-level `clang_tools_<version>` attributes are now aliases; these will be removed in a future release.

- `buildbot` was updated to 4.0. The AngularJS frontend has been replaced by a React frontend; see the [upstream release notes](https://docs.buildbot.net/current/manual/upgrading/4.0-upgrade.html).

- The `nginx` package no longer includes the `gd` and `geoip` dependencies. To enable them, override the `nginx` package with the optional arguments `withImageFilter` and `withGeoIP`.

- `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can
  use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`).

- `security.ipa.ipaHostname` now defaults to the value of `networking.fqdn` if
  it is set, instead of the previous hardcoded default of
  `${networking.hostName}.${security.ipa.domain}`.

- The fcgiwrap module now allows multiple instances running as distinct users.
  The option `services.fcgiwrap` now takes an attribute set of the
  configuration of each individual instance.
  This requires migrating any previous configuration keys from
  `services.fcgiwrap.*` to `services.fcgiwrap.some-instance.*`.
  The ownership and mode of the UNIX sockets created by this service are now
  configurable and private by default.
  Processes also now run as a dynamically allocated user by default instead of
  root.

- `services.cgit` now runs as the cgit user by default instead of root.
  This change requires granting access to the repositories to this user or
  setting the appropriate one through `services.cgit.some-instance.user`.

- `nvimpager` was updated to version 0.13.0, which changes the order of user and
  nvimpager settings: user commands in `-c` and `--cmd` now override the
  respective default settings because they are executed later.

- `pkgs.nextcloud27` has been removed since it's EOL.

- `services.forgejo.mailerPasswordFile` has been deprecated by the drop-in replacement `services.forgejo.secrets.mailer.PASSWD`,
  which is part of the new free-form `services.forgejo.secrets` option.
  `services.forgejo.secrets` is a small wrapper over systemd's `LoadCredential=`. It has the same structure (sections/keys) as
  `services.forgejo.settings` but takes file paths that will be read before service startup instead of some plaintext value.

- `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead.

- `teleport` has been upgraded from major version 15 to major version 16.
  Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/)
  and [release notes for v16](https://goteleport.com/docs/changelog/#1600-061324).

- `vaultwarden` lost the capability to bind to privileged ports. If you rely on
  this behavior, override the systemd unit to allow `CAP_NET_BIND_SERVICE` in
  your local configuration.

- The Invoiceplane module now only accepts the structured `settings` option.
  `extraConfig` is now removed.

- Legacy package `stalwart-mail_0_6` was dropped, please note the
  [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
  before changing the package to `pkgs.stalwart-mail` in
  [`services.stalwart-mail.package`](#opt-services.stalwart-mail.package).

- `androidndkPkgs` has been updated to `androidndkPkgs_26`.

- Android NDK version 26 and SDK version 33 are now the default versions used for cross compilation to android.

- `nodePackages.vscode-css-languageserver-bin`, `nodePackages.vscode-html-languageserver-bin`,
  and `nodePackages.vscode-json-languageserver-bin` were dropped due to an unmaintained upstream.
  The `vscode-langservers-extracted` package is a maintained drop-in replacement.

- `haskell.lib.compose.justStaticExecutables` now disallows references to GHC in the
  output by default, to alert users to closure size issues caused by
  [#164630](https://github.com/NixOS/nixpkgs/issues/164630). See ["Packaging
  Helpers" in the Haskell section of the Nixpkgs
  manual](https://nixos.org/manual/nixpkgs/unstable/#haskell-packaging-helpers)
  for information on working around `output '...' is not allowed to refer to
  the following paths` errors caused by this change.

- The `stalwart-mail` service now runs under the `stalwart-mail` system user
  instead of a dynamically created one via `DynamicUser`, to avoid automatic
  ownership changes on its large file store each time the service was started.
  This change requires manually moving the state directory from
  `/var/lib/private/stalwart-mail` to `/var/lib/stalwart-mail` and
  changing the ownership of the directory and its content to `stalwart-mail`.

- The `stalwart-mail` module now uses RocksDB as the default storage backend
  for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured
  data and the filesystem for blobs).

- The `shiori` service now requires an HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided via environment variable. The NixOS module therefore now provides an `environmentFile` option:

  ```
  # This is how an environment file can be generated:
  # $ printf "SHIORI_HTTP_SECRET_KEY=%s\n" "$(openssl rand -hex 16)" > /path/to/env-file
  services.shiori.environmentFile = "/path/to/env-file";
  ```

- `libe57format` has been updated to `>= 3.0.0`, which contains some backward-incompatible API changes. See the [release note](https://github.com/asmaloney/libE57Format/releases/tag/v3.0.0) for more details.

- `gitlab` deprecated support for *runner registration tokens* in GitLab 16.0, disabled their support in GitLab 17.0 and will
  ultimately remove it in GitLab 18.0, as outlined in the
  [documentation](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#estimated-time-frame-for-planned-changes).
  After upgrading to GitLab >= 17.0, it is possible to re-enable support for registration tokens in the UI until GitLab 18.0.
  Refer to the manual on [using registration tokens after GitLab 17.0](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170).
  GitLab administrators should migrate to the [new runner registration workflow](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170)
  with *runner authentication tokens* until the release of GitLab 18.0.

- `gitlab` has been updated from 16.x to 17.x and requires at least `postgresql` 14.9, as stated in the [documentation](https://docs.gitlab.com/17.1/ee/install/requirements.html#postgresql-requirements). Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation.

- `zx` was updated to v8, which introduces several breaking changes.
  See the [v8 changelog](https://github.com/google/zx/releases/tag/8.0.0) for more information.

- The `portunus` package and service do not support weak password hashes anymore.
  If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing.
  Then, follow the instructions on the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all existing user accounts to strong password hashes.
  If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration:
  ```nix
  services.portunus.package = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; };
  services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
  ```

- The default value of `services.kubernetes.kubelet.hostname` is now lowercased.
  Explicitly set `kubelet.hostname` to `networking.fqdnOrHostName` to get back
  the old default behavior.

- `keycloak` was updated to version 25, which introduces new hostname related options.
  See [Upgrading Guide](https://www.keycloak.org/docs/25.0.1/upgrading/#migrating-to-25-0-0) for instructions.

- The `tracy` package no longer works on X11, since it's moved to Wayland
  support, which is the intended default behavior by Tracy maintainers.
  X11 users have to switch to the new package `tracy-x11`.

- The `services.prometheus.exporters.minio` option has been removed, as its upstream implementation was broken and unmaintained.
  Minio now has built-in [Prometheus metrics exposure](https://min.io/docs/minio/linux/operations/monitoring/collect-minio-metrics-using-prometheus.html), which can be used instead.

- The `services.patroni.raft` option has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300).

- `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset overhead introduced by the base64 encoding applied to attachments.

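
Two of the migrations in the list above written out as a NixOS configuration fragment (an added example, not part of the upstream release notes): the Forgejo mailer password moved to `services.forgejo.secrets`, and a local systemd override that gives `vaultwarden` back `CAP_NET_BIND_SERVICE`. The credential path is a placeholder, and the `lib.mkForce` calls and the `PrivateUsers` line assume that the module's own hardening sets those keys.

```nix
# Added example; the file path below is a placeholder.
{ lib, ... }:
{
  # Before (deprecated):
  #   services.forgejo.mailerPasswordFile = "/run/keys/forgejo-mailer-password";
  # After: the same file, addressed by the settings section (mailer) and key
  # (PASSWD) it fills in. The value is a path; the file is read before service
  # startup, so the password is never written into the configuration itself.
  services.forgejo.secrets.mailer.PASSWD = "/run/keys/forgejo-mailer-password";

  # Needed only if vaultwarden itself must listen on a port below 1024,
  # i.e. there is no reverse proxy in front of it.
  systemd.services.vaultwarden.serviceConfig = {
    # Assumption: the module's hardening defines these lists, so mkForce
    # replaces them instead of merging. Only this one capability is granted.
    AmbientCapabilities = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
    CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
    # Assumption: the unit enables PrivateUsers=. Inside a private user
    # namespace the process holds no capabilities in the host's user
    # namespace, so the grant above would not apply to the host's ports.
    PrivateUsers = lib.mkForce false;
  };
}
```
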
## Other Notable Changes {#sec-release-24.11-notable-changes}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- The `zerocallusedregs` hardening flag is enabled by default on compilers that support it.

- The `stackclashprotection` hardening flag has been added, though disabled by default.

- `hareHook` has been added as the language framework for Hare. From now on, it,
  not the `hare` package, should be added to `nativeBuildInputs` when building
  Hare programs.

- [`lib.options.mkPackageOptionMD`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOptionMD) is now obsolete; use the identical [`lib.options.mkPackageOption`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOption) instead.

- To facilitate dependency injection, the `imgui` package now builds a static archive using vcpkg's CMake rules.
  The derivation now installs "impl" headers selectively instead of by a wildcard.
  Use `imgui.src` if you just want to access the unpacked sources.

- `security.pam.u2f` now follows RFC42.
  All module options are now settable through the freeform `.settings`.

- Cinnamon has been updated to 6.2.
  - Following Mint 22 defaults, the Cinnamon module no longer ships geary and hexchat by default.
  - Nemo is now built with gtk-layer-shell support. Note that for now nemo-desktop is expected to be
    listed as a regular entry in the Cinnamon Wayland session's window list applet.

- Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)
  in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners
  should be changed to using *runner authentication tokens* by configuring
  {option}`services.gitlab-runner.services.<name>.authenticationTokenConfigFile` instead of the former
  {option}`services.gitlab-runner.services.<name>.registrationConfigFile` option.

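
The runner token migration described above and in the `gitlab` entries under Backward Incompatibilities, as an added example that is not part of the upstream release notes. The service name `default`, the file paths, the server URL and the `dockerImage` value are placeholders; the variable names in the comments are the environment variables that `gitlab-runner register` reads.

```nix
# Added example; names, paths and URLs below are placeholders.
{
  services.gitlab-runner = {
    enable = true;
    services.default = {
      # Before (runner registration token, deprecated):
      #   registrationConfigFile = "/run/secrets/gitlab-runner-registration";
      # with the file containing
      #   CI_SERVER_URL=https://gitlab.example.com
      #   REGISTRATION_TOKEN=<registration token>

      # After (runner authentication token). The file contains
      #   CI_SERVER_URL=https://gitlab.example.com
      #   CI_SERVER_TOKEN=<runner authentication token>
      # Keep this file outside the Nix store, which is world-readable.
      authenticationTokenConfigFile = "/run/secrets/gitlab-runner-authentication";

      dockerImage = "alpine"; # placeholder image
    };
  };
}
```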