<para>GNOME desktop environment was upgraded to 3.38, see its <linkxlink:href="https://help.gnome.org/misc/release-notes/3.38/">release notes</link>.</para>
The <literal>systemConfig</literal> kernel parameter is no longer added to boot loader entries. It has been unused since September 2010, but if do have a system generation from that era, you will now be unable to boot into them.
<literal>systemd-journal2gelf</literal> no longer parses json and expects the receiving system to handle it. How to achieve this with Graylog is described in this <linkxlink:href="https://github.com/parse-nl/SystemdJournal2Gelf/issues/10">GitHub issue</link>.
Setting <option>services.openssh.authorizedKeysFiles</option> now also affects which keys <option>security.pam.enableSSHAgentAuth</option> will use.
WARNING: If you are using these options in combination do make sure that any key paths you use are present in <option>services.openssh.authorizedKeysFiles</option>!
Paperwork was updated to version 2. The on-disk format slightly changed,
and it is not possible to downgrade from Paperwork 2 back to Paperwork
1.3. Back your documents up before upgrading. See <linkxlink:href="https://forum.openpaper.work/t/paperwork-2-0/112/5">this thread</link> for more details.
The <literal>services.tor</literal> module has a new exhaustively typed <xreflinkend="opt-services.tor.settings"/> option following RFC 0042; backward compatibility with old options has been preserved when aliasing was possible.
The corresponding systemd service has been hardened,
but there is a chance that the service still requires more permissions,
so please report any related trouble on the bugtracker.
Onion services v3 are now supported in <xreflinkend="opt-services.tor.relay.onionServices"/>.
A new <xreflinkend="opt-services.tor.openFirewall"/> option as been introduced for allowing connections on all the TCP ports configured.
The options <literal>services.slurm.dbdserver.storagePass</literal>
and <literal>services.slurm.dbdserver.configFile</literal> have been removed.
Use <literal>services.slurm.dbdserver.storagePassFile</literal> instead to provide the database password.
Extra config options can be given via the option <literal>services.slurm.dbdserver.extraConfig</literal>. The actual configuration file is created on the fly on startup of the service.
This avoids that the password gets exposed in the nix store.
Starting with version 1.7.0, the project formerly named <literal>CodiMD</literal>
is now named <literal>HedgeDoc</literal>.
New installations will no longer use the old name for users, state directories and such, this needs to be considered when moving state to a more recent NixOS installation.
Based on <xreflinkend="opt-system.stateVersion"/>, existing installations will continue to work.
<xreflinkend="opt-services.xserver.videoDrivers"/> no longer uses the deprecated <literal>cirrus</literal> and <literal>vesa</literal> device dependent X drivers by default. It also enables both <literal>amdgpu</literal> and <literal>nouveau</literal> drivers by default now.
</para>
</listitem>
<listitem>
<para>
The <package>apacheKafka</package> packages are now built with
version-matched JREs. Versions 2.6 and above, the ones that recommend it,
use jdk11, while versions below remain on jdk8. The NixOS service has
been adjusted to start the service using the same version as the package,
The setting <xreflinkend="opt-services.redis.bind"/> defaults to <literal>127.0.0.1</literal> now, making Redis listen on the loopback interface only, and not all public network interfaces.
NixOS now emits a deprecation warning if systemd's <literal>StartLimitInterval</literal> setting is used in a <literal>serviceConfig</literal> section instead of in a <literal>unitConfig</literal>; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See <linkxlink:href="https://github.com/NixOS/nixpkgs/issues/45785">#45785</link> for details.
</para>
<para>
All services should use <xreflinkend="opt-systemd.services._name_.startLimitIntervalSec"/> or <literal>StartLimitIntervalSec</literal> in <xreflinkend="opt-systemd.services._name_.unitConfig"/> instead.
The Unbound DNS resolver service (<literal>services.unbound</literal>) has been refactored to allow reloading, control sockets and to fix startup ordering issues.
</para>
<para>
It is now possible to enable a local UNIX control socket for unbound by setting the <xreflinkend="opt-services.unbound.localControlSocketPath"/>
option.
</para>
<para>
Previously we just applied a very minimal set of restrictions and
trusted unbound to properly drop root privs and capabilities.
</para>
<para>
As of this we are (for the most part) just using the upstream
example unit file for unbound. The main difference is that we start
unbound as <literal>unbound</literal> user with the required capabilities instead of
letting unbound do the chroot & uid/gid changes.
</para>
<para>
The upstream unit configuration this is based on is a lot stricter with
all kinds of permissions then our previous variant. It also came with
the default of having the <literal>Type</literal> set to <literal>notify</literal>, therefore we are now also
using the <literal>unbound-with-systemd</literal> package here. Unbound will start up,
read the configuration files and start listening on the configured ports
before systemd will declare the unit <literal>active (running)</literal>.
This will likely help with startup order and the occasional race condition during system
activation where the DNS service is started but not yet ready to answer
queries. Services depending on <literal>nss-lookup.target</literal> or <literal>unbound.service</literal>
are now be able to use unbound when those targets have been reached.
</para>
<para>
Aditionally to the much stricter runtime environmet the
<literal>/dev/urandom</literal> mount lines we previously had in the code (that would
randomly failed during the stop-phase) have been removed as systemd will take care of those for us.
</para>
<para>
The <literal>preStart</literal> script is now only required if we enabled the trust
anchor updates (which are still enabled by default).
</para>
<para>
Another benefit of the refactoring is that we can now issue reloads via
either <literal>pkill -HUP unbound</literal> and <literal>systemctl reload unbound</literal> to reload the
running configuration without taking the daemon offline. A prerequisite
of this was that unbound configuration is available on a well known path
on the file system. We are using the path <literal>/etc/unbound/unbound.conf</literal> as that is the
default in the CLI tooling which in turn enables us to use
<literal>unbound-control</literal> without passing a custom configuration location.
Platforms, like <varname>stdenv.hostPlatform</varname>, no longer have a <varname>platform</varname> attribute.
It has been (mostly) flattoned away:
</para>
<itemizedlist>
<listitem><para><varname>platform.gcc</varname> is now <varname>gcc</varname></para></listitem>
<listitem><para><literal>platform.kernel*</literal> is now <literal>linux-kernel.*</literal></para></listitem>
</itemizedlist>
<para>
Additionally, <varname>platform.kernelArch</varname> moved to the top level as <varname>linuxArch</varname> to match the other <literal>*Arch</literal> variables.
</para>
<para>
The <varname>platform</varname> grouping of these things never meant anything, and was just a historial/implementation artifact that was overdue removal.
</para>
</listitem>
<listitem>
<para>
<varname>services.restic</varname> now uses a dedicated cache directory for every backup defined in <varname>services.restic.backups</varname>. The old global cache directory, <literal>/root/.cache/restic</literal>, is now unused and can be removed to free up disk space.
</para>
</listitem>
<listitem>
<para>
<literal>isync</literal>: The <literal>isync</literal> compatibility wrapper was removed and the Master/Slave
terminology has been deprecated and should be replaced with Far/Near in the configuration file.
The nix-gc service now accepts randomizedDelaySec (default: 0) and persistent (default: true) parameters.
By default nix-gc will now run immediately if it would have been triggered at least
once during the time when the timer was inactive.
</para>
</listitem>
<listitem>
<para>
The <literal>rustPlatform.buildRustPackage</literal> function is split into several hooks:
<package>cargoSetupHook</package> to set up vendoring for Cargo-based projects,
<package>cargoBuildHook</package> to build a project using Cargo,
<package>cargoInstallHook</package> to install a project using Cargo, and
<package>cargoCheckHook</package> to run tests in Cargo-based projects. With this change,
mixed-language projects can use the relevant hooks within builders other than
<literal>buildRustPackage</literal>. However, these changes also required several API changes to
<literal>buildRustPackage</literal> itself:
<itemizedlist>
<listitem>
<para>
The <literal>target</literal> argument was removed. Instead, <literal>buildRustPackage</literal>
will always use the same target as the C/C++ compiler that is used.
</para>
</listitem>
<listitem>
<para>
The <literal>cargoParallelTestThreads</literal> argument was removed. Parallel tests are
now disabled through <literal>dontUseCargoParallelTests</literal>.
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
<listitem>
<para>
The <literal>rustPlatform.maturinBuildHook</literal> hook was added. This hook can be used
with <literal>buildPythonPackage</literal> to build Python packages that are written in Rust
and use Maturin as their build tool.
</para>
</listitem>
<listitem>
<para>
Kubernetes has <linkxlink:href="https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/">deprecated docker</link> as container runtime.
As a consequence, the Kubernetes module now has support for configuration of custom remote container runtimes and enables containerd by default.
Note that containerd is more strict regarding container image OCI-compliance.
As an example, images with CMD or ENTRYPOINT defined as strings (not lists) will fail on containerd, while working fine on docker.
Please test your setup and container images with containerd prior to upgrading.
