Release 21.03 (“Okapi”, 2021.03/??)
Highlights
In addition to numerous new and upgraded packages, this release has the
following highlights:
Support is planned until the end of October 2021, handing over to 21.09.
New Services
The following new services were added since the last release:
Keycloak, an open source identity and access management server with
support for OpenID Connect, OAuth 2.0 and SAML 2.0.
See the Keycloak section of the NixOS manual for more information.
Backward Incompatibilities
When upgrading from a previous release, please be aware of the following
incompatible changes:
systemd-journal2gelf no longer parses JSON and expects the receiving system to handle it. How to achieve this with Graylog is described in this GitHub issue.
If the services.dbus module is enabled, then
the user D-Bus session is now always socket activated. The
associated options services.dbus.socketActivated
and services.xserver.startDbusSession have
therefore been removed and you will receive a warning if
they are present in your configuration. This change makes the
user D-Bus session available also for non-graphical logins.
The option has been renamed to
. The path of font directory
has also been changed to /run/current-system/sw/share/X11/fonts,
for consistency with other X11 resources.
A number of options have been renamed in the kicad interface. oceSupport
has been renamed to withOCE, withOCCT has been renamed
to withOCC, ngspiceSupport has been renamed to
withNgspice, and scriptingSupport has been renamed to
withScripting. Additionally, kicad/base.nix no longer
provides default argument values since these are provided by
kicad/default.nix.
The socket for the pdns-recursor module was moved from /var/lib/pdns-recursor
to /run/pdns-recursor to match upstream.
PowerDNS has been updated from 4.2.x to 4.3.x. Please
be sure to review the Upgrade Notes
provided by upstream before upgrading. Worth specifically noting is that the service now runs
entirely as a dedicated pdns user, instead of starting as root
and dropping privileges, as well as the default socket-dir location changing from
/var/lib/powerdns to /run/pdns.
btc1 has been abandoned upstream, and removed.
riak-cs package removed along with services.riak-cs module.
stanchion package removed along with services.stanchion module.
mutt has been updated to a new major version (2.x), which comes with
some backward incompatible changes that are described in the
release notes for Mutt 2.0.
Other Notable Changes
The default version of nextcloud is nextcloud20.
Please note that it's not possible to upgrade nextcloud
across multiple major versions! This means that it's e.g. not possible to upgrade
from nextcloud18 to nextcloud20 in a single deploy.
The package can be manually upgraded by setting
to nextcloud20.
The setting defaults to 127.0.0.1 now, making Redis listen on the loopback interface only, and not all public network interfaces.
NixOS now emits a deprecation warning if systemd's StartLimitInterval setting is used in a serviceConfig section instead of in a unitConfig; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See #45785 for details.
All services should use or StartLimitIntervalSec in instead.
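To find units that still carry the deprecated placement, the rendered unit text (for example the output of systemctl cat) can be scanned for StartLimitInterval= inside [Service]. The checker below is an added example, not part of the NixOS release notes or code base; the function name and both sample units are constructed for illustration.

```python
"""Flag StartLimitInterval= placed in [Service] instead of [Unit]."""

# Constructed sample unit text (not taken from the release notes).
SAMPLE_UNIT = """\
[Unit]
Description=Constructed example service
# StartLimitInterval=10 in a comment must be ignored

[Service]
ExecStart=/run/current-system/sw/bin/true
Restart=on-failure
StartLimitInterval = 30s
"""

# The same constructed unit with the setting moved to [Unit].
FIXED_UNIT = """\
[Unit]
Description=Constructed example service
StartLimitIntervalSec=30s

[Service]
ExecStart=/run/current-system/sw/bin/true
Restart=on-failure
"""


def find_misplaced_start_limit(unit_text):
    """Return (line_number, line) pairs for StartLimitInterval= in [Service]."""
    findings = []
    section = None
    for number, raw in enumerate(unit_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]  # remember which section we are in
            continue
        key, sep, _value = line.partition("=")
        # systemd ignores whitespace around the key, so strip before comparing
        if sep and section == "Service" and key.strip() == "StartLimitInterval":
            findings.append((number, line))
    return findings


if __name__ == "__main__":
    for number, line in find_misplaced_start_limit(SAMPLE_UNIT):
        print(f"line {number}: {line} (move to [Unit] as StartLimitIntervalSec=)")
```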
The Unbound DNS resolver service (services.unbound) has been refactored to allow reloading, control sockets and to fix startup ordering issues.
It is now possible to enable a local UNIX control socket for unbound by setting the
option.
Previously we applied only a very minimal set of restrictions and
trusted unbound to properly drop root privileges and capabilities.
We are now (for the most part) just using the upstream
example unit file for unbound. The main difference is that we start
unbound as the unbound user with the required capabilities instead of
letting unbound do the chroot & uid/gid changes.
The upstream unit configuration this is based on is a lot stricter with
all kinds of permissions than our previous variant. It also came with
the default of having the Type set to notify, therefore we are now also
using the unbound-with-systemd package here. Unbound will start up,
read the configuration files and start listening on the configured ports
before systemd will declare the unit active (running).
This will likely help with startup order and the occasional race condition during system
activation where the DNS service is started but not yet ready to answer
queries. Services depending on nss-lookup.target or unbound.service
are now able to use unbound when those targets have been reached.
In addition to the much stricter runtime environment, the
/dev/urandom mount lines we previously had in the code (which would
randomly fail during the stop phase) have been removed, as systemd will take care of those for us.
The preStart script is now only required if we enabled the trust
anchor updates (which are still enabled by default).
Another benefit of the refactoring is that we can now issue reloads via
either pkill -HUP unbound or systemctl reload unbound to reload the
running configuration without taking the daemon offline. A prerequisite
of this was that the unbound configuration is available on a well-known path
on the file system. We are using the path /etc/unbound/unbound.conf as that is the
default in the CLI tooling, which in turn enables us to use
unbound-control without passing a custom configuration location.