Contrary to NixOS's usual update policy, Pantheon will receive updates during the cycle of
NixOS 20.03 when backwards compatible.
</para>
</listitem>
<listitem>
<para>
By default zfs pools will now be trimmed on a weekly basis.
Trimming is only done on supported devices (i.e. NVMe or SSDs)
and should improve throughput and lifetime of these devices.
It is controlled by the <varname>services.zfs.trim.enable</varname> option.
The zfs scrub service (<varname>services.zfs.autoScrub.enable</varname>)
and the zfs autosnapshot service (<varname>services.zfs.autoSnapshot.enable</varname>)
are now only enabled if zfs is set in <varname>config.boot.initrd.supportedFilesystems</varname> or
<varname>config.boot.supportedFilesystems</varname>. These lists will automatically contain
zfs as soon as any zfs mountpoint is configured in <varname>fileSystems</varname>.
</para>
</listitem>
<listitem>
<para>
<command>nixos-option</command> has been rewritten in C++, speeding it up, improving correctness,
and adding a <option>-r</option> option which prints all options and their values recursively.
</para>
</listitem>
<listitem>
<para>
<option>services.xserver.desktopManager.default</option> and <option>services.xserver.windowManager.default</option> options were replaced by a single <xref linkend="opt-services.xserver.displayManager.defaultSession"/> option to improve support for upstream session files. If you used something like:
The stdenv now runs all bash with <literal>set -u</literal>, to catch the use of undefined variables.
Before, it itself used <literal>set -u</literal> but was careful to unset it so other packages' code ran as before.
Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded.
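The effect of <literal>set -u</literal> on hook code, as an added example (not code from nixpkgs; the variable EXTRA_FLAGS and all function names are hypothetical). The first hook aborts when the variable was never set; the others use the default-value expansions that keep working under the stricter stdenv.

```shell
#!/bin/sh
# Added example. EXTRA_FLAGS and all function names are hypothetical;
# they are not stdenv variables or hooks.

# Fragile: expands the variable directly. Under `set -u` the shell aborts
# here whenever the caller never set EXTRA_FLAGS.
fragile_hook() {
    printf 'flags=[%s]\n' "$EXTRA_FLAGS"
}

# Robust: `${VAR:-}` expands to an empty string when VAR is unset. Optional
# positional parameters need the same treatment, because "$1" is unbound
# when the function is called without arguments.
robust_hook() {
    prefix=${1:-flags}
    printf '%s=[%s]\n' "$prefix" "${EXTRA_FLAGS:-}"
}

# `${VAR+x}` distinguishes "unset" from "set but empty" without tripping -u.
flag_state() {
    if [ -n "${EXTRA_FLAGS+x}" ]; then echo set; else echo unset; fi
}

# run_nounset FUNC [VALUE]: call FUNC in a subshell with `set -u` active.
# EXTRA_FLAGS is unset unless VALUE is given. Returns FUNC's exit status.
run_nounset() {
    (
        set -u
        unset EXTRA_FLAGS
        if [ "$#" -ge 2 ]; then EXTRA_FLAGS=$2; fi
        "$1"
    ) 2>/dev/null
}

for hook in fragile_hook robust_hook; do
    if run_nounset "$hook"; then
        echo "$hook: ok"
    else
        echo "$hook: aborted on unbound variable"
    fi
done
```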
</para>
</listitem>
<listitem>
<para>
The SLIM Display Manager has been removed, as it has been unmaintained since 2013.
Consider migrating to a different display manager such as LightDM (current default in NixOS),
SDDM, GDM, or using the startx module which uses Xinitrc.
</para>
</listitem>
<listitem>
<para>
The Way Cooler wayland compositor has been removed, as the project has been officially canceled.
The <literal>way-cooler</literal> attribute and the <literal>programs.way-cooler</literal> options no longer exist.
</para>
</listitem>
<listitem>
<para>
The BEAM package set has been deleted. Only the different interpreters remain there.
You should now use the build tools that come with the languages, with sandbox mode disabled.
</para>
</listitem>
<listitem>
<para>
There is now only one Xfce package-set and module. This means that the attributes <literal>xfce4-14</literal>
and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14
packages. In future NixOS releases, this will be the latest released version of Xfce available at the
time of the release's development (if viable).
</para>
</listitem>
<listitem>
<para>
The <link linkend="opt-services.phpfpm.pools">phpfpm</link> module now sets
<literal>PrivateTmp=true</literal> in its systemd units for better process isolation.
If you rely on <literal>/tmp</literal> being shared with other services, explicitly override this by
setting <literal>serviceConfig.PrivateTmp</literal> to <literal>false</literal> for each phpfpm unit.
</para>
</listitem>
<listitem>
<para>
KDE’s old multimedia framework Phonon no longer supports Qt 4. For that reason, Plasma desktop no longer has the <option>enableQt4Support</option> option.
</para>
</listitem>
<listitem>
<para>
The BeeGFS module has been removed.
</para>
</listitem>
<listitem>
<para>
The osquery module has been removed.
</para>
</listitem>
<listitem>
<para>
Going forward, <literal>~/bin</literal> in the user's home directory will no longer be in <literal>PATH</literal> by default.
If you depend on this, you should set the option <literal>environment.homeBinInPath</literal> to <literal>true</literal>.
The aforementioned option was added in this release.
</para>
</listitem>
<listitem>
<para>
The <literal>buildRustCrate</literal> infrastructure now produces <literal>lib</literal> outputs in addition to the <literal>out</literal> output.
This has led to drastically reduced closure sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output.
</para>
</listitem>
<listitem>
<para>
Pango was upgraded to 1.44, which no longer uses freetype for font loading. This means that type1
and bitmap fonts are no longer supported in applications relying on Pango for font rendering
(notably, GTK applications). See the <link xlink:href="https://gitlab.gnome.org/GNOME/pango/issues/386">
upstream issue</link> for more information.
</para>
</listitem>
<listitem>
<para>
The <literal>roundcube</literal> module has been hardened.
<itemizedlist>
<listitem>
<para>
The password of the database is no longer written world-readable to the store. If <literal>database.host</literal> is set to <literal>localhost</literal>, then a Unix user of the same name as the database will be created and PostgreSQL peer authentication will be used, removing the need for a password. Otherwise, a password is still needed and can be provided with the new option <literal>database.passwordFile</literal>, which should be set to the path of a file containing the password and readable by the user <literal>nginx</literal> only. The <literal>database.password</literal> option is insecure and deprecated. Usage of this option will print a warning.
</para>
</listitem>
<listitem>
<para>
A random <literal>des_key</literal> is set by default in the configuration of roundcube, instead of using the hardcoded and insecure default. To ensure a clean migration, all users will be logged out when you upgrade to this release.
</para>
</listitem>
</itemizedlist>
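One way to audit a file intended for <literal>database.passwordFile</literal>, as an added example that is not part of the roundcube module: the hypothetical function check_secret_file rejects files that resolve into the Nix store, have the wrong owner, or grant any permission bits to group or others. It assumes GNU stat and readlink.

```shell
#!/bin/sh
# Added example; check_secret_file is a hypothetical helper name.
#
# check_secret_file PATH OWNER
# Returns 0 only if PATH is suitable as a password file for OWNER:
#   1 = missing or not a regular file
#   2 = resolves into /nix/store (world-readable)
#   3 = not owned by OWNER
#   4 = group or others have some permission on the file
check_secret_file() {
    path=$1
    owner=$2
    [ -f "$path" ] || return 1
    # Resolve symlinks first: a link in /run or /etc may point into the store.
    real=$(readlink -f -- "$path") || return 1
    case $real in
        /nix/store/*) return 2 ;;
    esac
    # GNU stat: %U = owner name, %a = octal mode such as 600.
    set -- $(stat -c '%U %a' "$real")
    [ "$1" = "$owner" ] || return 3
    case $2 in
        *00) return 0 ;;
        *) return 4 ;;
    esac
}

# Usage: sh check.sh /path/to/password-file nginx
if [ "$#" -eq 2 ]; then
    check_secret_file "$1" "$2"
    echo "check_secret_file returned $?"
fi
```

A Nix path literal used as the option value is copied into the store at evaluation time, which is the case exit status 2 catches; pass the location as a string instead.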
</para>
</listitem>
<listitem>
<para>
The packages <literal>openobex</literal> and <literal>obexftp</literal>
are no longer installed when enabling Bluetooth via
<option>hardware.bluetooth.enable</option>.
</para>
</listitem>
<listitem>
<para>
The <literal>dump1090</literal> derivation has been changed to use FlightAware's dump1090
as its upstream. However, this version does not have an internal webserver anymore. The
assets in the <literal>share/dump1090</literal> directory of the derivation can be used
in conjunction with an external webserver to replace this functionality.
</para>
</listitem>
<listitem>
<para>
The fourStore and fourStoreEndpoint modules have been removed.
</para>
</listitem>
<listitem>
<para>
Polkit no longer has the user of uid 0 (root) as an admin identity.
We now follow the upstream default, in which only members of the wheel
group have admin privileges. Before, it was root and members of wheel.
The positive outcome of this is that pkexec GUI popups or terminal prompts
will no longer require the user to choose between two essentially equivalent
choices (whether to perform the action as themselves with wheel permissions, or as the root user).
</para>
</listitem>
<listitem>
<para>
NixOS containers no longer build the NixOS manual by default. This saves evaluation time,
especially if there are many declarative containers defined. Note that this is already done
when the <literal>&lt;nixos/modules/profiles/minimal.nix&gt;</literal> module is included
in the container config.
</para>
</listitem>
<listitem>
<para>
The <literal>kresd</literal> service deprecates the <literal>interfaces</literal> option
in favor of the <literal>listenPlain</literal> option which requires full
has been introduced, allowing to specify a custom shell to be used.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>citrix_workspace_19_3_0</literal> package has been removed as
it will be EOLed within the lifespan of 20.03. For further information,
please refer to the <link xlink:href="https://www.citrix.com/de-de/support/product-lifecycle/milestones/receiver.html">support and maintenance information</link> from upstream.
</para>
</listitem>
<listitem>
<para>
The <literal>gcc5</literal> and <literal>gfortran5</literal> packages have been removed.
</para>
</listitem>
<listitem>
<para>
The <option>services.xserver.displayManager.auto</option> module has been removed.
It was only intended for use in internal NixOS tests, and gave the false impression
of it being a special display manager when it's actually LightDM.
Haskell <varname>env</varname> and <varname>shellFor</varname> dev shell environments now organize dependencies the same way as regular builds.
In particular, rather than receiving all the different lists of dependencies mashed together as one big list, and then partitioning into Haskell and non-Haskell dependencies, they work from the original many different dependency parameters and don't need to algorithmically partition anything.
</para>
<para>
This means that if you incorrectly categorize a dependency, e.g. a non-Haskell library dependency as a <varname>buildDepends</varname> or a run-time Haskell dependency as a <varname>setupDepends</varname>, things that would have worked before may not work now.
</para>
</listitem>
<listitem>
<para>
The <package>gcc-snapshot</package>-package has been removed. It had been marked as broken for more than 2 years and used to point
to a fairly old snapshot from the <package>gcc7</package>-branch.
</para>
</listitem>
<listitem>
<para>
The <citerefentry><refentrytitle>nixos-build-vms</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>-script now uses the Python test-driver.
</para>
</listitem>
<listitem>
<para>
The <package>riot-web</package> package now accepts configuration overrides as an attribute set instead of a string.
A formerly used JSON configuration can be converted to an attribute set with <literal>builtins.fromJSON</literal>.
</para>
<para>
The new default configuration also disables automatic guest account registration and analytics to improve privacy.
The previous behavior can be restored by setting <literal>config.riot-web.conf = { disable_guests = false; piwik = true; }</literal>.
</para>
</listitem>
<listitem>
<para>
Stand-alone usage of <literal>Upower</literal> now requires
<option>services.upower.enable</option> instead of just installing into
<xref linkend="opt-environment.systemPackages"/>.
</para>
</listitem>
<listitem>
<para>
<package>nextcloud</package> has been updated to <literal>v18.0.2</literal>. This means
that users from NixOS 19.09 can't upgrade directly since you can only move one version
forward and 19.09 uses <literal>v16.0.8</literal>.
</para>
<para>
To provide a safe upgrade-path and to circumvent similar issues in the future, the following
measures were taken:
<itemizedlist>
<listitem>
<para>
The <package>pkgs.nextcloud</package>-attribute has been removed and replaced with
versioned attributes (currently <package>pkgs.nextcloud17</package> and
<package>pkgs.nextcloud18</package>). With this change, major releases can be backported
without breaking things, and upgrade paths become easier.
</para>
</listitem>
<listitem>
<para>
Existing setups will be detected using
<link linkend="opt-system.stateVersion">system.stateVersion</link>: by default,
<package>nextcloud17</package> will be used, but will raise a warning which notes
that after that deploy it's recommended to update to the latest stable version
(<package>nextcloud18</package>) by declaring the newly introduced setting
As well as this, the options <literal>security.acme.acceptTerms</literal> and either
<literal>security.acme.email</literal> or <literal>security.acme.certs.&lt;name&gt;.email</literal>
must be set in order to use the ACME module.
Certificates will be regenerated on activation, no account or certificate will be migrated from simp-le.
In particular private keys will not be preserved. However, the credentials for simp-le are preserved and
thus it is possible to roll back to previous versions without breaking certificate generation.
Note also that, contrary to simp-le, a new private key is created at each renewal by default, which can
have consequences if you embed your public key in apps.
</para>
</listitem>
<listitem>
<para>
It is now possible to unlock LUKS-encrypted file systems using a FIDO2 token
via <option>boot.initrd.luks.fido2Support</option>.
</para>
</listitem>
<listitem>
<para>
Predictably named network interfaces get renamed in stage-1. This means that it is possible
to use the proper interface name for e.g. Dropbear setups.
</para>
<para>
For further reference, please read <link xlink:href="https://github.com/NixOS/nixpkgs/pull/68953">#68953</link> or the corresponding <link xlink:href="https://discourse.nixos.org/t/predictable-network-interface-names-in-initrd/4055">discourse thread</link>.
</para>
</listitem>
<listitem>
<para>
The <package>matrix-synapse</package>-package has been updated to