depot/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2411.section.md

# Release 24.11 (“Vicuña”, 2024.11/??) {#sec-release-24.11}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

## Highlights {#sec-release-24.11-highlights}

- Create the first release note entry in this section!

## New Services {#sec-release-24.11-new-services}

- [Open-WebUI](https://github.com/open-webui/open-webui), a user-friendly WebUI
  for LLMs. Available as [services.open-webui](#opt-services.open-webui.enable)
  service.

## Backward Incompatibilities {#sec-release-24.11-incompatibilities}

- `nginx` package no longer includes `gd` and `geoip` dependencies. For enabling it, override `nginx` package with the optionals `withImageFilter` and `withGeoIP`.

- `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can
  use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`).

- `nvimpager` was updated to version 0.13.0, which changes the order of user and
  nvimpager settings: user commands in `-c` and `--cmd` now override the
  respective default settings because they are executed later.

- `services.forgejo.mailerPasswordFile` has been deprecated by the drop-in replacement `services.forgejo.secrets.mailer.PASSWD`,
  which is part of the new free-form `services.forgejo.secrets` option.
  `services.forgejo.secrets` is a small wrapper over systemd's `LoadCredential=`. It has the same structure (sections/keys) as
  `services.forgejo.settings` but takes file paths that will be read before service startup instead of some plaintext value.

- The Invoiceplane module now only accepts the structured `settings` option.
  `extraConfig` is now removed.

- Legacy package `stalwart-mail_0_6` was dropped, please note the
  [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
  before changing the package to `pkgs.stalwart-mail` in
  [`services.stalwart-mail.package`](#opt-services.stalwart-mail.package).

- The `stalwart-mail` module now uses RocksDB as the default storage backend
  for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured
  data and the filesystem for blobs).

- `zx` was updated to v8, which introduces several breaking changes.
  See the [v8 changelog](https://github.com/google/zx/releases/tag/8.0.0) for more information.

- The `portunus` package and service do not support weak password hashes anymore.
  If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing.
  Then, follow the instructions on the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all existing user accounts to strong password hashes.
  If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration:
  ```nix
  services.portunus.package      = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; };
  services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
  ```

## Other Notable Changes {#sec-release-24.11-notable-changes}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- To facilitate dependency injection, the `imgui` package now builds a static archive using vcpkg' CMake rules.
  The derivation now installs "impl" headers selectively instead of by a wildcard.
  Use `imgui.src` if you just want to access the unpacked sources.