Luke Granger-Brown
57725ef3ec
git-subtree-dir: third_party/nixpkgs git-subtree-split: 76612b17c0ce71689921ca12d9ffdc9c23ce40b2
1443 lines
73 KiB
Markdown
1443 lines
73 KiB
Markdown
# Release 23.11 (“Tapir”, 2023.11/29) {#sec-release-23.11}
|
||
|
||
The NixOS release team is happy to announce a new version of NixOS. The release is called NixOS 23.11 ("Tapir").
|
||
|
||
NixOS is a Linux distribution, whose set of packages can also be used on other Linux systems and macOS.
|
||
|
||
Support is planned until the end of June 2024, handing over to NixOS 24.05.
|
||
|
||
To upgrade to the latest release, follow the upgrade chapter and check the [Breaking Changes](#sec-release-23.11-nixos-breaking-changes)
|
||
section for packages and services used in your configuration.
|
||
|
||
The team is excited about the many software updates and improvements in this release. Just to name a few, do check the updates
|
||
for `GNOME` packages, `systemd`, `glibc`, the `ROCM` package set, and `hostapd` (which brings support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK).
|
||
|
||
Make sure to also check the many updates in the [Nixpkgs library](#sec-release-23.11-nixpkgs-lib) when developing your own packages.
|
||
|
||
## Table of Contents {#sec-release-23.11-toc}
|
||
|
||
- [NixOS](#sec-release-23.11-nixos)
|
||
- [Breaking Changes](#sec-release-23.11-nixos-breaking-changes)
|
||
- [New Services](#sec-release-23.11-nixos-new-services)
|
||
- [Other Notable Changes](#sec-release-23.11-nixos-notable-changes)
|
||
- [Nixpkgs Library](#sec-release-23.11-nixpkgs-lib)
|
||
- [Breaking Changes](#sec-release-23.11-lib-breaking)
|
||
- [Additions and Improvements](#sec-release-23.11-lib-additions-improvements)
|
||
- [Deprecations](#sec-release-23.11-lib-deprecations)
|
||
|
||
## NixOS {#sec-release-23.11-nixos}
|
||
|
||
|
||
### Breaking Changes {#sec-release-23.11-nixos-breaking-changes}
|
||
|
||
- `services.postgresql.ensurePermissions` has been deprecated in favor of
|
||
`services.postgresql.ensureUsers.*.ensureDBOwnership` which simplifies the
|
||
setup of database owned by a certain system user in local database contexts
|
||
(which make use of peer authentication via UNIX sockets), migration
|
||
guidelines were provided in the NixOS manual, please refer to them if you are
|
||
affected by a PostgreSQL 15 changing the way `GRANT ALL PRIVILEGES` is
|
||
working. `services.postgresql.ensurePermissions` will be removed in 24.05.
|
||
All NixOS modules were migrated using one of the strategy, e.g.
|
||
`ensureDBOwnership` or `postStart`. Refer to the [PR
|
||
#266270](https://github.com/NixOS/nixpkgs/pull/266270) for more details.
|
||
|
||
- `network-online.target` has been fixed to no longer time out for systems with
|
||
`networking.useDHCP = true` and `networking.useNetworkd = true`. Workarounds
|
||
for this can be removed.
|
||
|
||
- The `boot.loader.raspberryPi` options have been marked deprecated, with
|
||
intent of removal for NixOS 24.11. They had a limited use-case, and do not
|
||
work like people expect. They required either very old installs from ([before
|
||
mid-2019](https://github.com/NixOS/nixpkgs/pull/62462)) or customized builds
|
||
out of scope of the standard and generic AArch64 support. That option set
|
||
never supported the Raspberry Pi 4 family of devices.
|
||
|
||
- `python3.pkgs.sequoia` was removed in favor of `python3.pkgs.pysequoia`. The
|
||
latter package is based on upstream's dedicated repository for sequoia's
|
||
Python bindings, where the Python bindings from
|
||
[gitlab:sequoia-pgp/sequoia](https://gitlab.com/sequoia-pgp/sequoia) were
|
||
removed long ago.
|
||
|
||
- `writeTextFile` requires `executable` to be boolean now, values like `null`
|
||
or `""` will fail to evaluate now.
|
||
|
||
- The latest version of `clonehero` now stores custom content in
|
||
`~/.clonehero`. Refer to the [migration
|
||
instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html)
|
||
for more details. Typically, these content files would exist along side the
|
||
binary, but the previous build used a wrapper script that would store them in
|
||
`~/.config/unity3d/srylain Inc_/Clone Hero`.
|
||
|
||
- `services.mastodon` doesn't support providing a TCP port to its `streaming`
|
||
component anymore, as upstream implemented parallelization by running
|
||
multiple instances instead of running multiple processes in one instance.
|
||
Please create a PR if you are interested in this feature.\
|
||
Due to this, the desired number of such instances
|
||
{option}`services.mastodon.streamingProcesses` now needs to be declared explicitly.
|
||
|
||
- The `services.hostapd` module was rewritten to support `passwordFile` like
|
||
options, WPA3-SAE, and management of multiple interfaces. This breaks
|
||
compatibility with older configurations.
|
||
- `hostapd` is now started with additional systemd sandbox/hardening options
|
||
for better security.
|
||
- `services.hostapd.interface` was replaced with a per-radio and per-bss
|
||
configuration scheme using
|
||
[services.hostapd.radios](#opt-services.hostapd.radios).
|
||
- `services.hostapd.wpa` has been replaced by
|
||
[services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword](#opt-services.hostapd.radios._name_.networks._name_.authentication.wpaPassword)
|
||
and
|
||
[services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords](#opt-services.hostapd.radios._name_.networks._name_.authentication.saePasswords)
|
||
which configure WPA2-PSK and WP3-SAE respectively.
|
||
- The default authentication has been changed to WPA3-SAE. Options for other
|
||
(legacy) schemes are still available.
|
||
|
||
- `python3.pkgs.fetchPypi` and `python3Packages.fetchPypi` have been
|
||
deprecated in favor of top-level `fetchPypi`.
|
||
|
||
- xdg-desktop-portal has been updated to 1.18, which reworked how portal
|
||
implementations are selected. If you roll your own desktop environment, you
|
||
should either set `xdg.portal.config` or `xdg.portal.configPackages`, which
|
||
allow fine-grained control over which portal backend to use for specific
|
||
interfaces, as described in {manpage}`portals.conf(5)`.
|
||
|
||
If you don't provide configurations, a portal backend will only be considered
|
||
when the desktop you use matches its deprecated `UseIn` key. While some NixOS
|
||
desktop modules should already ship one for you, it is suggested to test
|
||
portal availability by trying [Door
|
||
Knocker](https://flathub.org/apps/xyz.tytanium.DoorKnocker) and [ASHPD
|
||
Demo](https://flathub.org/apps/com.belmoussaoui.ashpd.demo). If things
|
||
regressed, you may run `G_MESSAGES_DEBUG=all
|
||
/path/to/xdg-desktop-portal/libexec/xdg-desktop-portal` for ideas on which
|
||
config file and which portals are chosen.
|
||
|
||
- `pass` now does not contain `password-store.el`. Users should get
|
||
`password-store.el` from Emacs lisp package set `emacs.pkgs.password-store`.
|
||
|
||
- `services.knot` now supports `.settings` from RFC42. The previous
|
||
`.extraConfig` still works the same, but it displays a warning now.
|
||
|
||
- `services.invoiceplane` now supports `.settings` from RFC42. The previous
|
||
`.extraConfig` still works the same way, but it displays a warning now.
|
||
|
||
- `mu` does not install `mu4e` files by default now. Users should get `mu4e`
|
||
from Emacs lisp package set `emacs.pkgs.mu4e`.
|
||
|
||
- `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning
|
||
the default version was upgraded from v10.6.x to v10.11.x. Refer to the
|
||
[upgrade
|
||
notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/)
|
||
for potential issues.
|
||
|
||
- `getent` has been moved from `glibc`'s `bin` output to its own dedicated
|
||
output, reducing closure size for many dependents. Dependents using the
|
||
`getent` alias should not be affected; others should move from using
|
||
`glibc.bin` or `getBin glibc` to `getent` (which also improves compatibility
|
||
with non-glibc platforms).
|
||
|
||
- `maintainers/scripts/update-luarocks-packages` is now a proper package
|
||
`luarocks-packages-updater` that can be run to maintain out-of-tree luarocks
|
||
packages.
|
||
|
||
- The `users.users.<name>.passwordFile` has been renamed to
|
||
`users.users.<name>.hashedPasswordFile` to avoid possible confusions. The
|
||
option is in fact the file-based version of `hashedPassword`, not `password`,
|
||
and expects a file containing the {manpage}`crypt(3)` hash of the user
|
||
password.
|
||
|
||
- `chromiumBeta` and `chromiumDev` have been removed due to the lack of
|
||
maintenance in nixpkgs. Consider using `chromium` instead.
|
||
|
||
- `google-chrome-beta` and `google-chrome-dev` have been removed due to the
|
||
lack of maintenance in nixpkgs. Consider using `google-chrome` instead.
|
||
|
||
- The `services.ananicy.extraRules` option now has the type of `listOf attrs`
|
||
instead of `string`.
|
||
|
||
- `buildVimPluginFrom2Nix` has been renamed to `buildVimPlugin`, which now
|
||
now skips `configurePhase` and `buildPhase`.
|
||
|
||
- JACK tools (`jack_*` except `jack_control`) have moved from the `jack2`
|
||
package to `jack-example-tools`.
|
||
|
||
- The `waagent` service does provisioning now.
|
||
|
||
- The `matrix-synapse` package & module have undergone some significant
|
||
internal changes, for most setups no intervention is needed, though:
|
||
- The option
|
||
[`services.matrix-synapse.package`](#opt-services.matrix-synapse.package)
|
||
is read-only now. For modifying the package, use an overlay which modifies
|
||
`matrix-synapse-unwrapped` instead. More on that below.
|
||
- The `enableSystemd` & `enableRedis` arguments have been removed and
|
||
`matrix-synapse` has been renamed to `matrix-synapse-unwrapped`. Also,
|
||
several optional dependencies (such as `psycopg2` or `authlib`) have been
|
||
removed.
|
||
- These optional dependencies are automatically added via a wrapper
|
||
(`pkgs.matrix-synapse.override { extras = ["redis"]; }` for `hiredis` &
|
||
`txredisapi` for instance) if the relevant config section is declared in
|
||
`services.matrix-synapse.settings`. For instance, if
|
||
`services.matrix-synapse.settings.redis.enabled` is set to `true`,
|
||
`"redis"` will be automatically added to the `extras` list of
|
||
`pkgs.matrix-synapse`.
|
||
- A list of all extras (and the extras enabled by default) can be found at
|
||
the [option's reference for
|
||
`services.matrix-synapse.extras`](#opt-services.matrix-synapse.extras).
|
||
- In some cases (e.g. for running synapse workers) it was necessary to re-use
|
||
the `PYTHONPATH` of `matrix-synapse.service`'s environment to have all
|
||
plugins available. This isn't necessary anymore, instead
|
||
`config.services.matrix-synapse.package` can be used as it points to the
|
||
wrapper with properly configured `extras` and also all plugins defined via
|
||
[`services.matrix-synapse.plugins`](#opt-services.matrix-synapse.plugins)
|
||
available. This is also the reason for why the option is read-only now,
|
||
it's supposed to be set by the module only.
|
||
|
||
- `netbox` was updated to v3.6. `services.netbox.package` still defaults
|
||
to v3.5 if `stateVersion` is earlier than 23.11. Refer to upstream's breaking
|
||
changes [for
|
||
v3.6.0](https://github.com/netbox-community/netbox/releases/tag/v3.6.0) and
|
||
upgrade NetBox by changing `services.netbox.package`. Database migrations
|
||
will be run automatically.
|
||
|
||
- `etcd` has been updated to v3.5. Refer to upgrade guides for [v3.3 to
|
||
v3.4](https://etcd.io/docs/v3.5/upgrades/upgrade_3_4/) and [v3.4 to
|
||
v3.5](https://etcd.io/docs/v3.5/upgrades/upgrade_3_5/) for more details.
|
||
|
||
- `gitlab` installations created or updated between versions \[15.11.0,
|
||
15.11.2] have an incorrect database schema. This will become a problem when
|
||
upgrading to `gitlab` >=16.2.0. A workaround for affected users can be found
|
||
in the [GitLab
|
||
docs](https://docs.gitlab.com/ee/update/versions/gitlab_16_changes.html#undefined-column-error-upgrading-to-162-or-later).
|
||
|
||
|
||
- `consul` has been updated to v1.16.0. Refer to the [release
|
||
note](https://github.com/hashicorp/consul/releases/tag/v1.16.0) for more
|
||
details. Once a new Consul version has started and upgraded it's data
|
||
directory, it generally cannot be downgraded to the previous version.
|
||
|
||
- `llvmPackages_rocm` has been moved to `rocmPackages.llvm`.
|
||
|
||
- `hip`, `rocm-opencl-runtime`, `rocm-opencl-icd`, and `rocclr` have been
|
||
combined into `rocmPackages.clr`.
|
||
|
||
- `clang-ocl`, `clr`, `composable_kernel`, `hipblas`, `hipcc`, `hip-common`, `hipcub`,
|
||
`hipfft`, `hipfort`, `hipify`, `hipsolver`, `hipsparse`, `migraphx`, `miopen`, `miopengemm`,
|
||
`rccl`, `rdc`, `rocalution`, `rocblas`, `rocdgbapi`, `rocfft`, `rocgdb`, `rocm-cmake`,
|
||
`rocm-comgr`, `rocm-core`, `rocm-device-libs`, `rocminfo`, `rocmlir`, `rocm-runtime`,
|
||
`rocm-smi`, `rocm-thunk`, `rocprim`, `rocprofiler`, `rocrand`, `rocr-debug-agent`,
|
||
`rocsolver`, `rocsparse`, `rocthrust`, `roctracer`, `rocwmma`, and `tensile`
|
||
have been moved to `rocmPackages`.
|
||
|
||
- `himalaya` has been updated to v0.8.0, which drops the native TLS support
|
||
(in favor of Rustls) and add OAuth 2.0 support. Refer to the [release
|
||
note](https://github.com/soywod/himalaya/releases/tag/v0.8.0) for more
|
||
details.
|
||
|
||
|
||
- `nix-prefetch-git` now ignores global and user git config, to improve
|
||
reproducibility.
|
||
|
||
- The [services.caddy.acmeCA](#opt-services.caddy.acmeCA) option defaults
|
||
to `null` instead of `"https://acme-v02.api.letsencrypt.org/directory"` now.
|
||
To use all of Caddy's default ACME CAs and enable Caddy's automatic issuer
|
||
fallback feature by default, as recommended by upstream.
|
||
|
||
- The default priorities of
|
||
[`services.nextcloud.phpOptions`](#opt-services.nextcloud.phpOptions) have
|
||
changed. This means that e.g.
|
||
`services.nextcloud.phpOptions."opcache.interned_strings_buffer" = "23";`
|
||
doesn't discard all of the other defaults from this option anymore. The
|
||
attribute values of `phpOptions` are still defaults, these can be overridden
|
||
as shown here.
|
||
|
||
To override all of the options (including including `upload_max_filesize`,
|
||
`post_max_size` and `memory_limit` which all point to
|
||
[`services.nextcloud.maxUploadSize`](#opt-services.nextcloud.maxUploadSize)
|
||
by default) can be done like this:
|
||
|
||
```nix
|
||
{
|
||
services.nextcloud.phpOptions = lib.mkForce {
|
||
/* ... */
|
||
};
|
||
}
|
||
```
|
||
|
||
- `php80` is no longer supported due to upstream not supporting this version
|
||
anymore.
|
||
|
||
- PHP defaults to PHP 8.2 now, updated from v8.1.
|
||
|
||
- GraalVM has been updated to the latest version, and this brings significant
|
||
changes. Upstream don't release multiple versions targeting different JVMs
|
||
anymore, so now we only have one GraalVM derivation (`graalvm-ce`). While at
|
||
first glance the version may seem a downgrade (v22.3.1 -> v21.0.0), the major
|
||
version is now following the JVM it targets (so this latest version targets
|
||
JVM 21). Also some products like `llvm-installable-svm` and
|
||
`native-image-svm` were incorporate to the main GraalVM derivation, so
|
||
they're included by default.
|
||
|
||
- GraalPy (`graalCEPackages.graalpy`), TruffleRuby
|
||
(`graalCEPackages.truffleruby`), GraalJS (`graalCEPackages.graaljs`) and
|
||
GraalNodeJS (`grallCEPackages.graalnodejs`) are now independent from the main
|
||
GraalVM derivation.
|
||
|
||
- The ISC DHCP package and corresponding module have been removed, because they
|
||
are EOL upstream. Refer [to this
|
||
post](https://www.isc.org/blogs/isc-dhcp-eol/) for details and switch to a
|
||
different DHCP implementation like kea or dnsmasq.
|
||
|
||
- `prometheus-unbound-exporter` has been replaced by the Let's Encrypt
|
||
maintained version, since the previous version was archived. This requires
|
||
some changes to the module configuration, most notable `controlInterface`
|
||
needs migration towards `unbound.host` and requires either the `tcp://` or
|
||
`unix://` URI scheme.
|
||
|
||
- `odoo` defaults to v16 now, updated from v15.
|
||
|
||
- `varnish` was upgraded from v7.2.x to v7.4.x. Refer to upgrade guides vor
|
||
[v7.3](https://varnish-cache.org/docs/7.3/whats-new/upgrading-7.3.html) and
|
||
[v7.4](https://varnish-cache.org/docs/7.4/whats-new/upgrading-7.4.html). The
|
||
current LTS version is still offered as `varnish60`.
|
||
|
||
- `util-linux` is now supported on Darwin and is no longer an alias to
|
||
`unixtools`. Use the `unixtools.util-linux` package for access to the Apple
|
||
variants of the utilities.
|
||
|
||
- `services.keyd` changed API. Now you can create multiple configuration files.
|
||
|
||
- `baloo`, the file indexer and search engine used by KDE now has a patch to
|
||
prevent files from constantly being reindexed when the device IDs of the
|
||
their underlying storage change. This happens frequently when using btrfs or
|
||
LVM. The patch has not yet been accepted upstream but it provides a
|
||
significantly improved experience. When upgrading, reset baloo to get a clean
|
||
index: `balooctl disable ; balooctl purge ; balooctl enable`.
|
||
|
||
- The `vlock` program from the `kbd` package has been moved into its own
|
||
package output and should now be referenced explicitly as `kbd.vlock` or
|
||
replaced with an alternative such as the standalone `vlock` package or
|
||
`physlock`.
|
||
|
||
- `fileSystems.<name>.autoFormat` now uses `systemd-makefs`, which does not
|
||
accept formatting options. Therefore, `fileSystems.<name>.formatOptions` has
|
||
been removed.
|
||
|
||
- `fileSystems.<name>.autoResize` uses `systemd-growfs` to resize the file
|
||
system online in Stage 2 now. This means that `f2fs` and `ext2` can no longer
|
||
be auto resized, while `xfs` and `btrfs` now can be.
|
||
|
||
- `fuse3` has been updated from v3.11.0 to v3.16.2. Refer to the
|
||
[changelog](https://github.com/libfuse/libfuse/blob/fuse-3.16.2/ChangeLog.rst#libfuse-3162-2023-10-10)
|
||
for an overview of the changes.
|
||
|
||
Unsupported mount options are no longer silently accepted [(since
|
||
3.15.0)](https://github.com/libfuse/libfuse/blob/fuse-3.16.2/ChangeLog.rst#libfuse-3150-2023-06-09).
|
||
The [affected mount
|
||
options](https://github.com/libfuse/libfuse/commit/dba6b3983af34f30de01cf532dff0b66f0ed6045)
|
||
are: `atime`, `diratime`, `lazytime`, `nolazytime`, `relatime`, `norelatime`,
|
||
`strictatime`.
|
||
|
||
For example,
|
||
|
||
```bash
|
||
$ sshfs 127.0.0.1:/home/test/testdir /home/test/sshfs_mnt -o atime
|
||
```
|
||
|
||
would previously terminate successfully with the mount point established, now
|
||
it outputs the error message ``fuse: unknown option(s): `-o atime'`` and
|
||
terminates with exit status 1.
|
||
|
||
- `nixos-rebuild {switch,boot,test,dry-activate}` runs the system
|
||
activation inside `systemd-run` now, creating an ephemeral systemd service
|
||
and protecting the system switch against issues like network disconnections
|
||
during remote (e.g. SSH) sessions. This has the side effect of running the
|
||
switch in an isolated environment, that could possible break post-switch
|
||
scripts that depends on things like environment variables being set. If you
|
||
want to opt-out from this behavior for now, you may set the
|
||
`NIXOS_SWITCH_USE_DIRTY_ENV` environment variable before running
|
||
`nixos-rebuild`. However, keep in mind that this option will be removed in
|
||
the future.
|
||
|
||
- The `services.vaultwarden.config` option default value was changed to make
|
||
Vaultwarden only listen on localhost, following the [secure defaults for most
|
||
NixOS services](https://github.com/NixOS/nixpkgs/issues/100192).
|
||
|
||
- `services.lemmy.settings.federation` was removed in v0.17.0 and no longer has
|
||
any effect. To enable federation, the hostname must be set in the
|
||
configuration file and then federation must be enabled in the admin web UI.
|
||
Refer to the [release
|
||
notes](https://github.com/LemmyNet/lemmy/blob/c32585b03429f0f76d1e4ff738786321a0a9df98/RELEASES.md#upgrade-instructions)
|
||
for more details.
|
||
|
||
- `pict-rs` was upgraded from v0.3 to v0.4 and contains an incompatible database
|
||
& configuration change. To upgrade on systems with `stateVersion = "23.05";`
|
||
or older follow the migration steps from
|
||
https://git.asonix.dog/asonix/pict-rs#user-content-0-3-to-0-4-migration-guide
|
||
and set `services.pict-rs.package = pkgs.pict-rs;`.
|
||
|
||
- The following packages in `haskellPackages` have a separate bin output now:
|
||
`cabal-fmt`, `calligraphy`, `eventlog2html`, `ghc-debug-brick`, `hindent`,
|
||
`nixfmt`, `releaser`. This means you need to replace e.g.
|
||
`"${pkgs.haskellPackages.nixfmt}/bin/nixfmt"` with `"${lib.getBin
|
||
pkgs.haskellPackages.nixfmt}/bin/nixfmt"` or `"${lib.getExe
|
||
pkgs.haskellPackages.nixfmt}"`. The binaries also won’t be in scope if you
|
||
rely on them being installed e.g. via `ghcWithPackages`.
|
||
`environment.packages` picks the `bin` output automatically, so for normal
|
||
installation no intervention is required. Also, toplevel attributes like
|
||
`pkgs.nixfmt` are not impacted negatively by this change.
|
||
|
||
- `spamassassin` no longer supports the `Hashcash` module. The module needs to
|
||
be removed from the `loadplugin` list if it was copied over from the default
|
||
`initPreConf` option.
|
||
|
||
- `nano` was removed from `environment.defaultPackages`. To not leave systems
|
||
without a editor, now `programs.nano.enable` is enabled by default.
|
||
|
||
- `programs.nano.nanorc` and `programs.nano.syntaxHighlight` no longer have an
|
||
effect unless `programs.nano.enable` is set to true which is the default.
|
||
|
||
- `services.outline.sequelizeArguments` has been removed, as `outline` no
|
||
longer executes database migrations via the `sequelize` cli.
|
||
|
||
- The binary of the package `cloud-sql-proxy` has changed from
|
||
`cloud_sql_proxy` to `cloud-sql-proxy`.
|
||
|
||
- The module `services.apache-kafka` was largely rewritten and has certain
|
||
breaking changes. To be precise, this means that the following things have
|
||
changed:
|
||
- Most settings have been migrated to
|
||
[services.apache-kafka.settings](#opt-services.apache-kafka.settings).
|
||
- Care must be taken when adapting an existing cluster to these changes,
|
||
see [](#module-services-apache-kafka-migrating-to-settings).
|
||
- By virtue of being less opinionated, it is now possible to use the module
|
||
to run Apache Kafka in KRaft mode instead of Zookeeper mode.
|
||
- [A few options](#module-services-apache-kafka-kraft) have been added to
|
||
assist in this mode.
|
||
|
||
- Garage has been upgraded to v0.9.x. `services.garage.package` needs to be
|
||
explicitly set now, so version upgrades can be done in a controlled fashion.
|
||
For this, we expose `garage_x_y` attributes which can be set here.
|
||
|
||
- `voms` and `xrootd` now moves the `$out/etc` content to the `$etc` output
|
||
instead of `$out/etc.orig`, when input argument `externalEtc` is not `null`.
|
||
|
||
- The `woodpecker-*` CI packages have been updated to v1.0.0. This release is
|
||
wildly incompatible with the v0.15.x versions that were previously packaged.
|
||
Refer to [upstream's
|
||
documentation](https://woodpecker-ci.org/docs/next/migrations#100) to learn
|
||
how to update your CI configurations.
|
||
|
||
- Meilisearch was updated from v1.3.1 to v1.5.0. The update has breaking
|
||
changes about backslashes and filtering. Refer to the [release
|
||
announcement](https://blog.meilisearch.com/v1-4-release/) for more
|
||
details.
|
||
|
||
- The Caddy module gained a new option named `services.caddy.enableReload`
|
||
which is enabled by default. It allows reloading the service instead of
|
||
restarting it, if only a config file has changed. This option must be
|
||
disabled if you have turned off the [Caddy admin
|
||
API](https://caddyserver.com/docs/caddyfile/options#admin). If you keep this
|
||
option enabled, you should consider setting
|
||
[`grace_period`](https://caddyserver.com/docs/caddyfile/options#grace-period)
|
||
to a non-infinite value to prevent Caddy from delaying the reload
|
||
indefinitely.
|
||
|
||
- mdraid support is optional now. This reduces initramfs size and prevents the
|
||
potentially undesired automatic detection and activation of software RAID
|
||
pools. It is disabled by default in new configurations (determined by
|
||
`stateVersion`), but the appropriate settings will be generated by
|
||
`nixos-generate-config` when installing to a software RAID device, so the
|
||
standard installation procedure should be unaffected. If you have custom
|
||
configs relying on mdraid, ensure that you use `stateVersion` correctly or
|
||
set `boot.swraid.enable` manually. On systems with an updated `stateVersion`
|
||
we now also emit warnings if `mdadm.conf` does not contain the minimum
|
||
required configuration necessary to run the dynamically enabled monitoring
|
||
daemons.
|
||
|
||
- The `go-ethereum` package has been updated to v1.12.0. This drops support for
|
||
proof-of-work. Its GraphQL API now encodes all numeric values as hex strings
|
||
and the GraphQL UI is updated to v2.0. The default database has changed from
|
||
`leveldb` to `pebble` but `leveldb` can be forced with the
|
||
--db.engine=leveldb flag. The `checkpoint-admin` command was [removed along
|
||
with trusted
|
||
checkpoints](https://github.com/ethereum/go-ethereum/pull/27147).
|
||
|
||
- The `aseprite-unfree` package has been upgraded from v1.2.16.3 to v1.2.40.
|
||
The free version of aseprite has been dropped because it is EOL and the
|
||
package attribute now points to the unfree version. A maintained fork of the
|
||
last free version of Aseprite, named 'LibreSprite', is available in the
|
||
`libresprite` package.
|
||
|
||
- The default `kops` version is v1.28.0 now and support for v1.25 and older have
|
||
been dropped.
|
||
|
||
- `pharo` has been updated to latest stable v10.0.8, which is compatible with
|
||
the latest stable and oldstable images (Pharo 10 and 11). The VM in question
|
||
is the 64bit Spur. The 32bit version has been dropped due to lack of
|
||
maintenance. The Cog VM has been deleted because it is severily outdated.
|
||
Finally, the `pharo-launcher` package has been deleted because it was not
|
||
compatible with the newer VM, and due to lack of maintenance.
|
||
|
||
- Emacs mainline v29 was introduced. This new version includes many major
|
||
additions, most notably `tree-sitter` support (enabled by default) and
|
||
the pgtk variant (useful for Wayland users), which is available under the
|
||
attribute `emacs29-pgtk`.
|
||
|
||
- Emacs macport version 29 was introduced.
|
||
|
||
- The option `services.networking.networkmanager.enableFccUnlock` was removed
|
||
in favor of `networking.networkmanager.fccUnlockScripts`, which allows
|
||
specifying unlock scripts explicitly. The previous option enabled all unlock
|
||
scripts bundled with ModemManager, which is risky, and didn't allow using
|
||
vendor-provided unlock scripts at all.
|
||
|
||
- The `html-proofer` package has been updated from major version 3 to major
|
||
version 5, which includes [breaking
|
||
changes](https://github.com/gjtorikian/html-proofer/blob/v5.0.8/UPGRADING.md).
|
||
|
||
- `kratos` has been updated from v0.10.1 to the first stable v1.0.0, please
|
||
read the [v0.10.1 to
|
||
v0.11.0](https://github.com/ory/kratos/releases/tag/v0.11.0), [v0.11.0 to
|
||
v0.11.1](https://github.com/ory/kratos/releases/tag/v0.11.1), [v0.11.1 to
|
||
v0.13.0](https://github.com/ory/kratos/releases/tag/v0.13.0) and [v0.13.0 to
|
||
v1.0.0](https://github.com/ory/kratos/releases/tag/v1.0.0) upgrade guides.
|
||
The most notable breaking change is the introduction of one-time passwords
|
||
(`code`) and update of the default recovery strategy from `link` to `code`.
|
||
|
||
- The `hail` module was removed, as `hail` was unmaintained since 2017.
|
||
|
||
- Package `noto-fonts-emoji` was renamed to `noto-fonts-color-emoji`. Refer to
|
||
[PR #221181](https://github.com/NixOS/nixpkgs/issues/221181) for more
|
||
details.
|
||
|
||
- Package `cloud-sql-proxy` was renamed to `google-cloud-sql-proxy` as it
|
||
cannot be used with other cloud providers.
|
||
|
||
- Package `pash` was removed due to being archived upstream. Use `powershell`
|
||
as an alternative.
|
||
|
||
- The option `services.plausible.releaseCookiePath` has been removed. Plausible
|
||
does not use any distributed Erlang features, and does not plan to (refer to
|
||
[discussion](https://github.com/NixOS/nixpkgs/pull/130297#issuecomment-1805851333)),
|
||
Thus NixOS disables them now , and the Erlang cookie becomes unnecessary. You
|
||
may delete the file that `releaseCookiePath` was set to.
|
||
|
||
- `security.sudo.extraRules` includes `root`'s default rule now, with ordering
|
||
priority 400. This is functionally identical for users not specifying rule
|
||
order, or relying on `mkBefore` and `mkAfter`, but may impact users calling
|
||
`mkOrder n` with n ≤ 400.
|
||
|
||
- X keyboard extension (XKB) options have been reorganized into a single
|
||
attribute set, `services.xserver.xkb`. Specifically,
|
||
`services.xserver.layout` is `services.xserver.xkb.layout` now,
|
||
`services.xserver.extraLayouts` is `services.xserver.xkb.extraLayouts` now,
|
||
`services.xserver.xkbModel` is `services.xserver.xkb.model` now,
|
||
`services.xserver.xkbOptions` is `services.xserver.xkb.options` now ,
|
||
`services.xserver.xkbVariant` is `services.xserver.xkb.variant` now, and
|
||
`services.xserver.xkbDir` is `services.xserver.xkb.dir` now.
|
||
|
||
- `networking.networkmanager.firewallBackend` was removed as NixOS is now using
|
||
iptables-nftables-compat even when using iptables, therefore Networkmanager
|
||
uses the nftables backend unconditionally now.
|
||
|
||
- `rome` was removed because it is no longer maintained and is succeeded by
|
||
`biome`.
|
||
|
||
- The `prometheus-knot-exporter` was migrated to a version maintained by
|
||
CZ.NIC. Various metric names have changed, so checking existing rules is
|
||
recommended.
|
||
|
||
- The `services.mtr-exporter.target` has been removed in favor of
|
||
`services.mtr-exporter.jobs` which allows specifying multiple targets.
|
||
|
||
- `blender-with-packages` has been deprecated in favor of
|
||
`blender.withPackages`, for example `blender.withPackages (ps: [ps.bpycv])`.
|
||
It behaves similarly to `python3.withPackages`.
|
||
|
||
- Setting `nixpkgs.config` options while providing an external `pkgs` instance
|
||
will now raise an error instead of silently ignoring the options. NixOS
|
||
modules no longer set `nixpkgs.config` to accommodate this. This specifically
|
||
affects `services.locate`,
|
||
`services.xserver.displayManager.lightdm.greeters.tiny` and
|
||
`programs.firefox` NixOS modules. No manual intervention should be required
|
||
in most cases, however, configurations relying on those modules affecting
|
||
packages outside the system environment should switch to explicit overlays.
|
||
|
||
- `privacyidea` (and the corresponding `privacyidea-ldap-proxy`) has been
|
||
removed from nixpkgs because it has severely outdated dependencies that
|
||
became unmaintainable with nixpkgs' python package-set.
|
||
|
||
- `dagger` was removed because using a package called `dagger` and packaging it
|
||
from source violates their trademark policy.
|
||
|
||
- `win-virtio` package was renamed to `virtio-win` to be consistent with the upstream package name.
|
||
|
||
- `ps3netsrv` has been replaced with the webman-mod fork, the executable has
|
||
been renamed from `ps3netsrv++` to `ps3netsrv` and cli parameters have
|
||
changed.
|
||
|
||
- `ssm-agent` package and module were renamed to `amazon-ssm-agent` to be
|
||
consistent with the upstream package name.
|
||
|
||
- `services.kea.{ctrl-agent,dhcp-ddns,dhcp,dhcp6}` now use separate runtime
|
||
directories instead of `/run/kea` to work around the runtime directory being
|
||
cleared on service start.
|
||
|
||
- `mkDerivation` rejects MD5 hashes now.
|
||
|
||
- The `junicode` font package has been updated to [major
|
||
v2](https://github.com/psb1558/Junicode-font/releases/tag/v2.001), which is
|
||
a font family now. In particular, plain `Junicode.ttf` no longer exists. In
|
||
addition, TrueType font files are now placed in `font/truetype` instead of
|
||
`font/junicode-ttf`; this change does not affect use via `fonts.packages`
|
||
option.
|
||
|
||
- The `prayer` package as well as `services.prayer` have been removed because
|
||
it's been unmaintained for several years and the author's website has
|
||
vanished.
|
||
|
||
- The `chrony` NixOS module now tracks the real-time clock drift from the
|
||
system clock with `rtcfile` and automatically adjusts it with `rtcautotrim`
|
||
when it exceeds the maximum error specified in
|
||
`services.chrony.autotrimThreshold` (defaults to 30 seconds). If you enabled
|
||
`rtcsync` in `extraConfig`, you should remove RTC related options from
|
||
`extraConfig`. If you do not want chrony configured to keep the RTC in check,
|
||
you can set `services.chrony.enableRTCTrimming = false;`.
|
||
|
||
- `trilium-desktop` and `trilium-server` have been updated to
|
||
[v0.61](https://github.com/zadam/trilium/releases/tag/v0.61.12). For existing
|
||
installations, upgrading to this version is supported only after running
|
||
v0.60.x at least once. If you are still on an older version, make sure to
|
||
update to v0.60 (available in NixOS 23.05) first and only then to v0.61
|
||
(available in NixOS 23.11).
|
||
|
||
- Cassandra now defaults to v4.x, updated from v3.11.x.
|
||
|
||
|
||
- FoundationDB now defaults to major version 7.
|
||
|
||
- [glibc](https://www.gnu.org/software/libc/) has been updated from v2.37 to
|
||
v2.38. Refer to the [the release
|
||
notes](https://sourceware.org/glibc/wiki/Release/2.38) for more details.
|
||
|
||
- `linuxPackages_testing_bcachefs` is now soft-deprecated by
|
||
`linuxPackages_testing`.
|
||
- Please consider changing your NixOS configuration's `boot.kernelPackages`
|
||
to `linuxPackages_testing` until a stable kernel with bcachefs support is
|
||
released.
|
||
|
||
- PostgreSQL now defaults to major version 15.
|
||
|
||
- All [ROCm](https://rocm.docs.amd.com/en/latest/) packages have been updated
|
||
to v5.7.0.
|
||
- [ROCm](https://rocm.docs.amd.com/en/latest/) package attribute sets are
|
||
versioned: `rocmPackages` -> `rocmPackages_5`.
|
||
|
||
- [systemd](https://systemd.io) has been updated from v253 to v254, refer to
|
||
[the release
|
||
notes](https://github.com/systemd/systemd/blob/v254/NEWS#L3-L659) for more
|
||
details.
|
||
- `boot.resumeDevice` **must be specified** when hibernating if not in EFI
|
||
mode.
|
||
- systemd may warn your system about the permissions of your ESP partition
|
||
(often `/boot`), this warning can be ignored for now, we are looking into
|
||
a satisfying solution regarding this problem.
|
||
- Updating with `nixos-rebuild boot` and rebooting is recommended, since in
|
||
some rare cases the `nixos-rebuild switch` into the new generation on a
|
||
live system might fail due to missing mount units.
|
||
|
||
- If the user has a custom shell enabled via `users.users.${USERNAME}.shell =
|
||
${CUSTOMSHELL}`, the assertion will require them to also set
|
||
`programs.${CUSTOMSHELL}.enable = true`. This is generally safe behavior, but
|
||
for anyone needing to opt out from the check
|
||
`users.users.${USERNAME}.ignoreShellProgramCheck = true` will do the job.
|
||
|
||
- `yarn-berry` has been updated to v4.0.1. This means that NodeJS versions less
|
||
v18.12 are no longer supported by it. Refer to the [upstream
|
||
changelog](https://github.com/yarnpkg/berry/blob/master/CHANGELOG.md) for
|
||
more details.
|
||
|
||
- GNOME has been updated to v45. Refer to the [release
|
||
notes](https://release.gnome.org/45/) for more details. Notably, Loupe has
|
||
replaced Eye of GNOME as the default image viewer, Snapshot has replaced
|
||
Cheese as the default camera application, and Photos will no longer be
|
||
installed.
|
||
|
||
- The module `services.ankisyncd` has been switched to
|
||
[anki-sync-server-rs](https://github.com/ankicommunity/anki-sync-server-rs).
|
||
The former version written in Python was difficult to update, did not receive
|
||
updates in a while, and did not support recent versions of Anki.
|
||
|
||
Unfortunately all servers supporting new clients do not support the older
|
||
sync protocol that was used in the old server. This includes newer version of
|
||
anki-sync-server, Anki's built in sync server and this new Rust package. Thus
|
||
old clients will also need updating. In particular nixpkgs's Anki package is
|
||
also being updated in this release.
|
||
|
||
The module update takes care of the new config syntax. The data itself (i.e.
|
||
user login and card information) is compatible. Thus users of the module will
|
||
be able to simply log in again after updating both client and server without
|
||
any extra action needed to be taken.
|
||
|
||
- The argument `vendorSha256` of `buildGoModule` is deprecated. Use
|
||
`vendorHash` instead. Refer to [PR
|
||
\#259999](https://github.com/NixOS/nixpkgs/pull/259999)) for more details.
|
||
|
||
- `go-modules` in `buildGoModule` attrs has been renamed to `goModules`.
|
||
|
||
- The package `cawbird` is dropped from nixpkgs. It broke by the Twitter API
|
||
closing down and has been abandoned upstream.
|
||
|
||
- The Cinnamon module now enables XDG desktop integration by default. If you
|
||
are experiencing collisions related to xdg-desktop-portal-gtk you can safely
|
||
remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your
|
||
NixOS configuration.
|
||
|
||
- GNOME, Pantheon, Cinnamon modules no longer force Qt applications to use
|
||
Adwaita style. This implemantion was buggy and is no longer maintained
|
||
upstream. Specifically, Cinnamon defaults to the gtk2 style instead now,
|
||
following the default in Linux Mint). If you still want Adwaita used, you may
|
||
add the following options to your configuration. Please be aware, that it
|
||
will probably be removed eventually.
|
||
|
||
```nix
|
||
{
|
||
qt = {
|
||
enable = true;
|
||
platformTheme = "gnome";
|
||
style = "adwaita";
|
||
};
|
||
}
|
||
```
|
||
|
||
- DocBook option documentation is no longer supported, all module documentation
|
||
now uses Markdown.
|
||
|
||
- Docker defaults to v24 now, as 20.10 is stopping to receive security updates
|
||
and bug fixes after [December 10,
|
||
2023](https://github.com/moby/moby/discussions/45104).
|
||
|
||
- Elixir defaults to v1.15 now. Refer to their
|
||
[changelog](https://elixir-lang.org/blog/2023/06/19/elixir-v1-15-0-released/)
|
||
for more details.
|
||
|
||
- The `extend` function of `llvmPackages` has been removed due it coming from
|
||
the `tools` attrset thus only extending the `tool` attrset. A possible
|
||
replacement is to construct the set from `libraries` and `tools`, or patch
|
||
nixpkgs.
|
||
|
||
- `ffmpeg` defaults to `ffmpeg_6` now, upgrading from `ffmpeg_5`.
|
||
|
||
- `fontconfig` defaults to using greyscale antialiasing now. Previously
|
||
subpixel antialiasing was used because of a [recommendation from one of the
|
||
downstreams](https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/337).
|
||
You can change this value by configuring
|
||
[](#opt-fonts.fontconfig.subpixel.rgba) accordingly.
|
||
|
||
- The `fonts.fonts` and `fonts.enableDefaultFonts` options have been renamed to
|
||
`fonts.packages` and `fonts.enableDefaultPackages` respectively.
|
||
|
||
- `services.hedgedoc` has been heavily refactored, reducing the amount of
|
||
declared options in the module. Most of the options should still work without
|
||
any changes to the configuration. Some options have been deprecated, as they
|
||
no longer have any effect. Refer to [PR
|
||
#244941](https://github.com/NixOS/nixpkgs/pull/244941) for more details.
|
||
|
||
- `jq` was updated to v1.7. This is its [first release in 5
|
||
years](https://github.com/jqlang/jq/releases/tag/jq-1.7).
|
||
|
||
- [`lib.attrsets.foldlAttrs`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.attrsets.foldlAttrs)
|
||
now always evaluates the initial accumulator argument first.
|
||
|
||
- [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl-prime)
|
||
now always evaluates the initial accumulator argument first. If you depend on
|
||
the lazier behavior, consider using
|
||
[`lib.lists.foldl`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl)
|
||
or
|
||
[`builtins.foldl'`](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-foldl')
|
||
instead.
|
||
|
||
- Now `magma` defaults to `magma-hip` instead of `magma-cuda`. It also
|
||
respects the `config.cudaSupport` and `config.rocmSupport` options.
|
||
|
||
- The MariaDB C client library was upgraded from v3.2.x to v3.3.x. Refer to the
|
||
[upstream release
|
||
notes](https://mariadb.com/kb/en/mariadb-connector-c-33-release-notes/) for
|
||
more details.
|
||
|
||
- Mattermost has been upgraded to extended support version 8.1 as the previously
|
||
packaged extended support version 7.8 is [reaching end-of-life](https://docs.mattermost.com/upgrade/extended-support-release.html).
|
||
Migration may take some time, refer to the [changelog](https://docs.mattermost.com/install/self-managed-changelog.html#release-v8-1-extended-support-release)
|
||
and [important upgrade notes](https://docs.mattermost.com/upgrade/important-upgrade-notes.html).
|
||
|
||
- The `netdata` package disables cloud support by default now. To enable it use the `netdataCloud` package.
|
||
|
||
- `networking.nftables` is no longer flushing all rulesets on every reload.
|
||
Use `networking.nftables.flushRuleset = true;` to enable the previous behaviour.
|
||
|
||
- Node.js v14, v16 has been removed as they were end of life. Any dependent packages that contributors were not able to reasonably upgrade were dropped after a month of notice to their maintainers, were **removed**.
|
||
- This includes VSCode Server.
|
||
- This includes Kibana 7 as the ELK stack is unmaintained in nixpkgs and is marked for slow removal.
|
||
|
||
- The application firewall `opensnitch` uses the process monitor method eBPF as
|
||
default now. This is recommended by upstream. The method may be changed with
|
||
the setting
|
||
[services.opensnitch.settings.ProcMonitorMethod](#opt-services.opensnitch.settings.ProcMonitorMethod).
|
||
|
||
- `paperwork` is updated to v2.2. Documents scanned with this version will not
|
||
be visible to previous versions if you downgrade. Refer to the [upstream
|
||
announcement](https://forum.openpaper.work/t/paperwork-2-2-testing-phase/316#important-switch-from-jpeg-to-png-for-new-pages-2)
|
||
for details and workarounds.
|
||
|
||
- The latest available version of Nextcloud is v27 (available as
|
||
`pkgs.nextcloud27`). The installation logic is as follows:
|
||
- If [`services.nextcloud.package`](#opt-services.nextcloud.package) is
|
||
specified explicitly, this package will be installed (**recommended**)
|
||
- If [`system.stateVersion`](#opt-system.stateVersion) is >=23.11,
|
||
`pkgs.nextcloud27` will be installed by default.
|
||
- If [`system.stateVersion`](#opt-system.stateVersion) is >=23.05,
|
||
`pkgs.nextcloud26` will be installed by default.
|
||
- Please note that an upgrade from v25 (or older) to v27 is not possible
|
||
directly. Please upgrade to `nextcloud26` (or earlier) first. Nextcloud
|
||
prohibits skipping major versions while upgrading. You may upgrade by
|
||
declaring [`services.nextcloud.package =
|
||
pkgs.nextcloud26;`](options.html#opt-services.nextcloud.package) inbetween.
|
||
|
||
- `postgresql_11` has been removed since it'll stop receiving fixes on November
|
||
9th 2023.
|
||
|
||
- `programs.gnupg.agent.pinentryFlavor` is set in `/etc/gnupg/gpg-agent.conf`
|
||
now. It will no longer take precedence over a `pinentry-program` set in
|
||
`~/.gnupg/gpg-agent.conf`.
|
||
|
||
- `python3.pkgs.flitBuildHook` has been removed. Use `flit-core` and `format =
|
||
"pyproject"` instead.
|
||
|
||
- Certificate generation via the `security.acme` limits the concurrent number
|
||
of running certificate renewals and generation jobs now. This is to avoid
|
||
spiking resource usage when processing many certificates at once. The limit
|
||
defaults to *5* and can be adjusted via `maxConcurrentRenewals`. Setting the
|
||
value to *0* disables the limits altogether.
|
||
|
||
- `services.borgmatic.settings.location` and
|
||
`services.borgmatic.configurations.<name>.location` are deprecated, please
|
||
move your options out of sections to the global scope.
|
||
|
||
- `services.fail2ban.jails` can be configured with attribute sets now, defining
|
||
settings and filters instead of lines. The stringed options `daemonConfig`
|
||
and `extraSettings` have respectively been replaced by `daemonSettings` and
|
||
`jails.DEFAULT.settings`. Those use attribute sets.
|
||
|
||
- The `services.mbpfan` module has the option `aggressive` enabled by default
|
||
now. This is for better heat moderation. To get the upstream defaults you may
|
||
disable this.
|
||
|
||
- Apptainer/Singularity defaults to using `"$out/var/lib"` for the
|
||
`LOCALSTATEDIR` configuration option instead of the top-level `"/var/lib"`
|
||
now. This change impacts the `SESSIONDIR` (container-run-time mount point)
|
||
configuration, which is set to `$LOCALSTATEDIR/<apptainer or
|
||
singularity>/mnt/session`. This detaches the packages from the top-level
|
||
directory, rendering the NixOS module optional.
|
||
|
||
The default behavior of the NixOS module `programs.singularity` stays
|
||
unchanged. We add a new option
|
||
`programs.singularity.enableExternalSysConfDir` (default to `true`) to
|
||
specify whether to set the top-level `"/var/lib"` as `LOCALSTATEDIR` or not.
|
||
|
||
- The `services.sslh` module has been updated to follow [RFC
|
||
0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md).
|
||
As such, several options have been moved to the freeform attribute set
|
||
[services.sslh.settings](#opt-services.sslh.settings), which allows to change
|
||
any of the settings in {manpage}`sslh(8)`.
|
||
|
||
In addition, the newly added option
|
||
[services.sslh.method](#opt-services.sslh.method) allows to switch between
|
||
the {manpage}`fork(2)`, {manpage}`select(2)` and `libev`-based connection
|
||
handling method. Refer to the [sslh
|
||
docs](https://github.com/yrutschle/sslh/blob/master/doc/INSTALL.md#binaries)
|
||
for a comparison.
|
||
|
||
- Suricata was upgraded from v6.0 to v7.0 and no longer considers HTTP/2
|
||
support as experimental. Refer to [upstream release
|
||
notes](https://forum.suricata.io/t/suricata-7-0-0-released/3715) for more
|
||
details.
|
||
|
||
- `teleport` has been upgraded from major version 12 to major version 14.
|
||
Refer to upstream [upgrade
|
||
instructions](https://goteleport.com/docs/management/operations/upgrading/)
|
||
and release notes for
|
||
[v13](https://goteleport.com/docs/changelog/#1300-050823) and
|
||
[v14](https://goteleport.com/docs/changelog/#1400-092023). Note that Teleport
|
||
does not officially support upgrades across more than one major version at a
|
||
time. If you're running Teleport server components, it is recommended to
|
||
first upgrade to an intermediate v13.x version by setting
|
||
`services.teleport.package = pkgs.teleport_13`. Afterwards, this option can
|
||
be removed to upgrade to the default version (14).
|
||
|
||
- `zfs` was updated from v2.1.x to v2.2.0, [enabling newer kernel support and
|
||
adding new features](https://github.com/openzfs/zfs/releases/tag/zfs-2.2.0).
|
||
|
||
- The use of `sourceRoot = "source";`, `sourceRoot = "source/subdir";`, and
|
||
similar lines in package derivations using the default `unpackPhase` is
|
||
deprecated as it requires `unpackPhase` to always produce a directory named
|
||
"source". Use `sourceRoot = src.name`, `sourceRoot = "${src.name}/subdir";`,
|
||
or `setSourceRoot = "sourceRoot=$(echo */subdir)";` or similar instead.
|
||
|
||
- The `django` alias in the python package set was upgraded to Django v4.x.
|
||
Applications that consume Django should always pin their python environment
|
||
to a compatible major version, so they can move at their own pace.
|
||
|
||
```nix
|
||
{
|
||
python = python3.override {
|
||
packageOverrides = self: super: {
|
||
django = super.django_3;
|
||
};
|
||
};
|
||
}
|
||
```
|
||
|
||
- The `qemu-vm.nix` module by default now identifies block devices via
|
||
persistent names available in `/dev/disk/by-*`. Because the rootDevice is
|
||
identified by its filesystem label, it needs to be formatted before the VM is
|
||
started. The functionality of automatically formatting the rootDevice in the
|
||
initrd is removed from the QEMU module. However, for tests that depend on
|
||
this functionality, a test utility for the scripted initrd is added
|
||
(`nixos/tests/common/auto-format-root-device.nix`). To use this in a NixOS
|
||
test, import the module, e.g. `imports = [
|
||
./common/auto-format-root-device.nix ];` When you use the systemd initrd, you
|
||
can automatically format the root device by setting
|
||
`virtualisation.fileSystems."/".autoFormat = true;`.
|
||
|
||
- The `electron` packages places its application files in
|
||
`$out/libexec/electron` instead of `$out/lib/electron` now. Packages using
|
||
electron-builder will fail to build and need to be adjusted by changing `lib`
|
||
to `libexec`.
|
||
|
||
### New Services {#sec-release-23.11-nixos-new-services}
|
||
|
||
- [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server
|
||
built for redstone. Available as
|
||
[services.mchprs](#opt-services.mchprs.enable).
|
||
|
||
- [acme-dns](https://github.com/joohoi/acme-dns), a limited DNS server to
|
||
handle ACME DNS challenges easily and securely. Available as
|
||
[services.acme-dns](#opt-services.acme-dns.enable).
|
||
|
||
- [frp](https://github.com/fatedier/frp), a fast reverse proxy to help you
|
||
expose a local server behind a NAT or firewall to the Internet. Available as
|
||
[services.frp](#opt-services.frp.enable).
|
||
|
||
- [river](https://github.com/riverwm/river), A dynamic tiling wayland
|
||
compositor. Available as [programs.river](#opt-programs.river.enable).
|
||
|
||
- [wayfire](https://wayfire.org), a modular and extensible wayland compositor.
|
||
Available as [programs.wayfire](#opt-programs.wayfire.enable).
|
||
|
||
- [mautrix-whatsapp](https://docs.mau.fi/bridges/go/whatsapp/index.html), a
|
||
Matrix-WhatsApp puppeting bridge. Available as
|
||
[services.mautrix-whatsapp](#opt-services.mautrix-whatsapp.enable).
|
||
|
||
- [hddfancontrol](https://github.com/desbma/hddfancontrol), a service to
|
||
regulate fan speeds based on hard drive temperature. Available as
|
||
[services.hddfancontrol](#opt-services.hddfancontrol.enable).
|
||
|
||
- [seatd](https://sr.ht/~kennylevinsen/seatd/), A minimal seat management
|
||
daemon. Available as [services.seatd](#opt-services.seatd.enable).
|
||
|
||
- [GoToSocial](https://gotosocial.org/), an ActivityPub social network server
|
||
written in Golang. Available as
|
||
[services.gotosocial](#opt-services.gotosocial.enable).
|
||
|
||
- [Castopod](https://castopod.org/), an open-source hosting platform made for
|
||
podcasters who want to engage and interact with their audience. Available as
|
||
[services.castopod](#opt-services.castopod.enable).
|
||
|
||
- [Typesense](https://github.com/typesense/typesense), a fast, typo-tolerant
|
||
search engine for building delightful search experiences. Available as
|
||
[services.typesense](#opt-services.typesense.enable).
|
||
|
||
* [NS-USBLoader](https://github.com/developersu/ns-usbloader/), an all-in-one
|
||
tool for managing Nintendo Switch homebrew. Available as
|
||
[programs.ns-usbloader](#opt-programs.ns-usbloader.enable).
|
||
|
||
- [athens](https://github.com/gomods/athens), a Go module datastore and proxy. Available as [services.athens](#opt-services.athens.enable).
|
||
|
||
- [Mobilizon](https://joinmobilizon.org/), a Fediverse platform for publishing
|
||
events. Available as [services.mobilizon](#opt-services.mobilizon.enable).
|
||
|
||
- [Anuko Time Tracker](https://github.com/anuko/timetracker), a simple, easy to
|
||
use, open source time tracking system. Available as
|
||
[services.anuko-time-tracker](#opt-services.anuko-time-tracker.enable).
|
||
|
||
- [Prometheus MySQL exporter](https://github.com/prometheus/mysqld_exporter), a
|
||
MySQL server exporter for Prometheus. Available as
|
||
[services.prometheus.exporters.mysqld](#opt-services.prometheus.exporters.mysqld.enable).
|
||
|
||
- [LibreNMS](https://www.librenms.org), a auto-discovering PHP/MySQL/SNMP based
|
||
network monitoring. Available as
|
||
[services.librenms](#opt-services.librenms.enable).
|
||
|
||
- [Livebook](https://livebook.dev/), an interactive notebook with support for
|
||
Elixir, graphs, machine learning, and more. Available as
|
||
[services.livebook](#opt-services.livebook.enableUserService).
|
||
|
||
- [sitespeed-io](https://sitespeed.io), a tool that can generate metrics such
|
||
as timings and diagnostics for websites. Available as
|
||
[services.sitespeed-io](#opt-services.sitespeed-io.enable).
|
||
|
||
- [stalwart-mail](https://stalw.art), an all-in-one email server (SMTP, IMAP,
|
||
JMAP). Available as
|
||
[services.stalwart-mail](#opt-services.stalwart-mail.enable).
|
||
|
||
|
||
- [tang](https://github.com/latchset/tang), a server for binding data to
|
||
network presence. Available as [services.tang](#opt-services.tang.enable).
|
||
|
||
- [Jool](https://nicmx.github.io/Jool/en/index.html), a kernelspace NAT64 and
|
||
SIIT implementation providing translation between IPv4 and IPv6. Available as
|
||
[networking.jool.enable](#opt-networking.jool.enable).
|
||
|
||
- [Home Assistant
|
||
Satellite](https://github.com/synesthesiam/homeassistant-satellite), a
|
||
streaming audio satellite for Home Assistant voice pipelines, where you can
|
||
reuse existing mic and speaker hardware. Available as
|
||
`services.homeassistant-satellite`.
|
||
|
||
- [Apache Guacamole](https://guacamole.apache.org/), a cross-platform,
|
||
clientless remote desktop gateway. Available as
|
||
[services.guacamole-server](#opt-services.guacamole-server.enable) and
|
||
[services.guacamole-client](#opt-services.guacamole-client.enable) services.
|
||
|
||
- [pgBouncer](https://www.pgbouncer.org), a PostgreSQL connection pooler.
|
||
Available as [services.pgbouncer](#opt-services.pgbouncer.enable).
|
||
|
||
- [Goss](https://goss.rocks/), a YAML based serverspec alternative tool for
|
||
validating a server's configuration. Available as
|
||
[services.goss](#opt-services.goss.enable).
|
||
|
||
- [trust-dns](https://trust-dns.org/), a Rust based DNS server built to be safe
|
||
and secure from the ground up. Available as
|
||
`services.trust-dns`.
|
||
|
||
- [osquery](https://www.osquery.io/), a SQL powered operating system
|
||
instrumentation, monitoring, and analytics. Available as
|
||
[services.osquery](#opt-services.osquery.enable).
|
||
|
||
- [ebusd](https://ebusd.eu), a daemon for handling communication with eBUS
|
||
devices connected to a 2-wire bus system ("energy bus" used by numerous
|
||
heating systems). Available as [services.ebusd](#opt-services.ebusd.enable).
|
||
|
||
- [systemd-sysupdate](https://www.freedesktop.org/software/systemd/man/systemd-sysupdate.html),
|
||
atomically updates the host OS, container images, portable service images or
|
||
other sources. Available as [systemd.sysupdate](opt-systemd.sysupdate).
|
||
|
||
- [eris-server](https://codeberg.org/eris/eris-go), an implementation of the
|
||
Encoding for Robust Immutable Storage (ERIS). Available as
|
||
[services.eris-server](#opt-services.eris-server.enable).
|
||
|
||
- [forgejo](https://forgejo.org/), a git forge and drop-in replacement for
|
||
Gitea. Available as [services.forgejo](#opt-services.forgejo.enable).
|
||
|
||
- `hardware/infiniband.nix` adds infiniband subnet manager support using an
|
||
[opensm](https://github.com/linux-rdma/opensm) systemd-template service,
|
||
instantiated on card guids. The module also adds kernel modules and cli
|
||
tooling to help administrators debug and measure performance. Available as
|
||
[hardware.infiniband.enable](#opt-hardware.infiniband.enable).
|
||
|
||
- [zwave-js](https://github.com/zwave-js/zwave-js-server), a small server
|
||
wrapper around Z-Wave JS to access it via a WebSocket. Available as
|
||
[services.zwave-js](#opt-services.zwave-js.enable).
|
||
|
||
- [Honk](https://humungus.tedunangst.com/r/honk), a complete ActivityPub server
|
||
with minimal setup and support costs. Available as
|
||
[services.honk](#opt-services.honk.enable).
|
||
|
||
- [ferretdb](https://www.ferretdb.io/), an open-source proxy, converting the
|
||
MongoDB 6.0+ wire protocol queries to PostgreSQL or SQLite. Available as
|
||
[services.ferretdb](options.html#opt-services.ferretdb.enable).
|
||
|
||
- [MicroBin](https://microbin.eu/), a feature rich, performant and secure text
|
||
and file sharing web application, a "paste bin". Available as
|
||
[services.microbin](#opt-services.microbin.enable).
|
||
|
||
- [NNCP](http://www.nncpgo.org/), nncp-daemon and nncp-caller services.
|
||
Available as [programs.nncp.settings](#opt-programs.nncp.settings) and
|
||
[services.nncp](#opt-services.nncp.caller.enable).
|
||
|
||
- [FastNetMon Advanced](https://fastnetmon.com/product-overview/), a commercial
|
||
high performance DDoS detector and sensor. Available as
|
||
[services.fastnetmon-advanced](#opt-services.fastnetmon-advanced.enable).
|
||
|
||
- [tuxedo-rs](https://github.com/AaronErhardt/tuxedo-rs), Rust utilities for
|
||
interacting with hardware from TUXEDO Computers. Available as
|
||
[hardware.tuxedo-rs](#opt-hardware.tuxedo-rs.enable).
|
||
|
||
- [certspotter](https://github.com/SSLMate/certspotter), a certificate
|
||
transparency log monitor. Available as
|
||
[services.certspotter](#opt-services.certspotter.enable).
|
||
|
||
- [audiobookshelf](https://github.com/advplyr/audiobookshelf/), a self-hosted
|
||
audiobook and podcast server. Available as
|
||
[services.audiobookshelf](#opt-services.audiobookshelf.enable).
|
||
|
||
- [ZITADEL](https://zitadel.com), a turnkey identity and access management
|
||
platform. Available as [services.zitadel](#opt-services.zitadel.enable).
|
||
|
||
- [exportarr](https://github.com/onedr0p/exportarr), Prometheus Exporters for
|
||
Bazarr, Lidarr, Prowlarr, Radarr, Readarr, and Sonarr. Available as
|
||
[services.prometheus.exporters.exportarr-bazarr](#opt-services.prometheus.exporters.exportarr-bazarr.enable)/[services.prometheus.exporters.exportarr-lidarr](#opt-services.prometheus.exporters.exportarr-lidarr.enable)/[services.prometheus.exporters.exportarr-prowlarr](#opt-services.prometheus.exporters.exportarr-prowlarr.enable)/[services.prometheus.exporters.exportarr-radarr](#opt-services.prometheus.exporters.exportarr-radarr.enable)/[services.prometheus.exporters.exportarr-readarr](#opt-services.prometheus.exporters.exportarr-readarr.enable)/[services.prometheus.exporters.exportarr-sonarr](#opt-services.prometheus.exporters.exportarr-sonarr.enable).
|
||
|
||
- [netclient](https://github.com/gravitl/netclient), an automated WireGuard
|
||
Management Client. Available as
|
||
[services.netclient](#opt-services.netclient.enable).
|
||
|
||
- [trunk-ng](https://github.com/ctron/trunk), A fork of `trunk`: Build, bundle
|
||
& ship your Rust WASM application to the web
|
||
|
||
- [virt-manager](https://virt-manager.org/), an UI for managing virtual
|
||
machines in libvirt. Available as
|
||
[programs.virt-manager](#opt-programs.virt-manager.enable).
|
||
|
||
- [Soft Serve](https://github.com/charmbracelet/soft-serve), a tasty,
|
||
self-hostable Git server for the command line. Available as
|
||
[services.soft-serve](#opt-services.soft-serve.enable).
|
||
|
||
- [Rosenpass](https://rosenpass.eu/), a service for post-quantum-secure VPNs
|
||
with WireGuard. Available as
|
||
[services.rosenpass](#opt-services.rosenpass.enable).
|
||
|
||
- [c2FmZQ](https://github.com/c2FmZQ/c2FmZQ/), an application that can securely
|
||
encrypt, store, and share files, including but not limited to pictures and
|
||
videos. Available as
|
||
[services.c2fmzq-server](#opt-services.c2fmzq-server.enable).
|
||
|
||
- [preload](http://sourceforge.net/projects/preload), a service that makes
|
||
applications run faster by prefetching binaries and shared objects.
|
||
Available as [services.preload](#opt-services.preload.enable).
|
||
|
||
### Other Notable Changes {#sec-release-23.11-nixos-notable-changes}
|
||
|
||
- The new option `system.switch.enable` was added. It is enabled by default.
|
||
Disabling it makes the system unable to be reconfigured via `nixos-rebuild`.
|
||
This is of advantage for image based appliances where updates are handled
|
||
outside the image.
|
||
|
||
- `services.searx` receives new options for better SearXNG support. This
|
||
includes options for the built-in rate limiter, bot protection and
|
||
automatically configuring a local Redis server.
|
||
|
||
- The iptables firewall module installs the `nixos-firewall-tool` now which
|
||
allows the user to easily temporarily open ports through the firewall.
|
||
|
||
- A new option was added to the virtualisation module that enables specifying
|
||
explicitly named network interfaces in QEMU VMs. The existing
|
||
`virtualisation.vlans` is still supported for cases where the name of the
|
||
network interface is irrelevant.
|
||
|
||
- `services.outline` can be configured to use local filesystem storage now.
|
||
Previously ony S3 storage was possible. This may be set using
|
||
[services.outline.storage.storageType](#opt-services.outline.storage.storageType).
|
||
|
||
- `pkgs.openvpn3` optionally supports systemd-resolved now. `programs.openvpn3`
|
||
will automatically enable systemd-resolved support if
|
||
[services.resolved.enable](#opt-services.resolved.enable) is set to true.
|
||
|
||
- The
|
||
[services.woodpecker-server.environmentFile](#opt-services.woodpecker-server.environmentFile)
|
||
type was changed to list of paths to be more consistent to the
|
||
woodpecker-agent module
|
||
|
||
- `services.matrix-synapse` has new options to configure worker processes for
|
||
matrix-synapse using
|
||
[`services.matrix-synapse.workers`](#opt-services.matrix-synapse.workers).
|
||
Configuring a local redis server using
|
||
[`services.matrix-synapse.configureRedisLocally`](#opt-services.matrix-synapse.configureRedisLocally)
|
||
is also possible now.
|
||
|
||
- The `services.nginx` module gained a `defaultListen` option at server-level
|
||
with support for PROXY protocol listeners. Also `proxyProtocol` is exposed in
|
||
the `services.nginx.virtualHosts.<name>.listen` option now. This it is
|
||
possible to run PROXY listeners and non-PROXY listeners at a server-level.
|
||
Refer to [PR #213510](https://github.com/NixOS/nixpkgs/pull/213510/) for more
|
||
details.
|
||
|
||
- `services.restic.backups` adds wrapper scripts to your system path now. This
|
||
wrapper script sets the same environment variables as the service, so restic
|
||
operations can easily be run from the command line. This behavior can be
|
||
disabled by setting `createWrapper` to `false`, for each backup
|
||
configuration.
|
||
|
||
- `services.prometheus.exporters` has a new exporter to monitor electrical
|
||
power consumption based on PowercapRAPL sensor called
|
||
[Scaphandre](https://github.com/hubblo-org/scaphandre). Refer to [PR
|
||
#239803](https://github.com/NixOS/nixpkgs/pull/239803) for more details.
|
||
|
||
- The `services.calibre-server` module has new options to configure the `host`,
|
||
`port`, `auth.enable`, `auth.mode` and `auth.userDb` path. Refer to [PR
|
||
#216497](https://github.com/NixOS/nixpkgs/pull/216497/) for more details.
|
||
|
||
- `services.prometheus.exporters` has a new
|
||
[exporter](https://github.com/hipages/php-fpm_exporter) to monitor PHP-FPM
|
||
processes. Refer to [PR
|
||
#240394](https://github.com/NixOS/nixpkgs/pull/240394) for more details.
|
||
|
||
- `services.github-runner` and `services.github-runners.<name>` gained the
|
||
option `nodeRuntimes`. This option defaults to `[ "node20" ]`. I.e., the
|
||
service supports Node.js 20 GitHub Actions only. The list of Node.js versions
|
||
accepted by `nodeRuntimes` tracks the versions the upstream GitHub Actions
|
||
runner supports. Refer to [PR
|
||
#249103](https://github.com/NixOS/nixpkgs/pull/249103) for details.
|
||
|
||
- `programs.gnupg` has the option `agent.settings` now. This allows setting
|
||
verbatim config values in `/etc/gnupg/gpg-agent.conf`.
|
||
|
||
- `dockerTools.buildImage`, `dockerTools.buildLayeredImage` and
|
||
`dockerTools.streamLayeredImage` use `lib.makeOverridable` now . This allows
|
||
`dockerTools`-based images to be customized more efficiently at the Nix
|
||
level.
|
||
|
||
- `services.influxdb2` supports doing an automatic initial setup and
|
||
provisioning of users, organizations, buckets and authentication tokens now.
|
||
Refer to [PR #249502](https://github.com/NixOS/nixpkgs/pull/249502) for more
|
||
details.
|
||
|
||
- `wrapHelm` exposes `passthru.pluginsDir` now which can be passed to
|
||
`helmfile`. For convenience, a top-level package `helmfile-wrapped` has been
|
||
added, which inherits `passthru.pluginsDir` from `kubernetes-helm-wrapped`.
|
||
Refer to [PR #217768](https://github.com/NixOS/nixpkgs/issues/217768) for
|
||
more details.
|
||
|
||
- The `boot.initrd.network.udhcp.enable` option allows control over DHCP during
|
||
Stage 1 regardless of what `networking.useDHCP` is set to.
|
||
|
||
- `networking.nftables` has the option `networking.nftables.table.<table>` now. This creates tables
|
||
and have them be updated atomically, instead of flushing the ruleset.
|
||
|
||
- `hardware.nvidia` gained `datacenter` options for enabling NVIDIA Data Center
|
||
drivers and configuration of NVLink/NVSwitch topologies through
|
||
`nv-fabricmanager`.
|
||
|
||
- The new `boot.bcache.enable` option allows completely removing `bcache`
|
||
mount support. It is enabled by default.
|
||
|
||
- `security.sudo` provides two extra options now, while not changing the
|
||
module's default behaviour:
|
||
- `defaultOptions` controls the options used for the default rules;
|
||
- `keepTerminfo` controls whether `TERMINFO` and `TERMINFO_DIRS` are preserved
|
||
for `root` and the `wheel` group.
|
||
|
||
- `virtualisation.googleComputeImage` provides a `efi` option to support UEFI
|
||
booting now.
|
||
|
||
- CoreDNS may be built with external plugins now. This may be done by
|
||
overriding `externalPlugins` and `vendorHash` arguments like this:
|
||
|
||
```nix
|
||
{
|
||
services.coredns = {
|
||
enable = true;
|
||
package = pkgs.coredns.override {
|
||
externalPlugins = [
|
||
{name = "fanout"; repo = "github.com/networkservicemesh/fanout"; version = "v1.9.1";}
|
||
];
|
||
vendorHash = "<SRI hash>";
|
||
};
|
||
};
|
||
}
|
||
```
|
||
|
||
To get the necessary SRI hash, set `vendorHash = "";`. The build will fail
|
||
and produce the correct `vendorHash` in the error message.
|
||
|
||
If you use this feature, updates to CoreDNS may require updating `vendorHash`
|
||
by following these steps again.
|
||
|
||
- Using `fusuma` enables the following plugins now:
|
||
[appmatcher](https://github.com/iberianpig/fusuma-plugin-appmatcher),
|
||
[keypress](https://github.com/iberianpig/fusuma-plugin-keypress),
|
||
[sendkey](https://github.com/iberianpig/fusuma-plugin-sendkey),
|
||
[tap](https://github.com/iberianpig/fusuma-plugin-tap) and
|
||
[wmctrl](https://github.com/iberianpig/fusuma-plugin-wmctrl).
|
||
|
||
- The Home Assistant module offers support for installing custom components and
|
||
lovelace modules now. Available at
|
||
[`services.home-assistant.customComponents`](#opt-services.home-assistant.customComponents)
|
||
and
|
||
[`services.home-assistant.customLovelaceModules`](#opt-services.home-assistant.customLovelaceModules).
|
||
|
||
- TeX Live environments can now be built with the new `texlive.withPackages`.
|
||
The procedure for creating custom TeX packages has been changed. Refer to the
|
||
[Nixpkgs
|
||
manual](https://nixos.org/manual/nixpkgs/stable/#sec-language-texlive-custom-packages)
|
||
for more details.
|
||
|
||
- In `wxGTK32`, the webkit module `wxWebView` has been enabled on all builds.
|
||
Prior releases only enabled this on Darwin.
|
||
|
||
- Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the
|
||
`hostapd` package, along with a significant rework of the hostapd module.
|
||
|
||
- LXD supports virtual machine instances now to complement the existing
|
||
container support.
|
||
|
||
- The `nixos-rebuild` command has been given a `list-generations` subcommand.
|
||
Refer to `man nixos-rebuild` for more details.
|
||
|
||
- [`sudo-rs`], a reimplementation of `sudo` in Rust, is now supported.
|
||
An experimental new module `security.sudo-rs` was added.
|
||
Switching to it (via ` security.sudo-rs.enable = true;`) introduces
|
||
slight changes in sudo behaviour, due to `sudo-rs`' current limitations:
|
||
- terminfo-related environment variables aren't preserved for `root` and `wheel`;
|
||
- `root` and `wheel` are not given the ability to set (or preserve)
|
||
arbitrary environment variables.
|
||
|
||
**Note:** The `sudo-rs` module only takes configuration through `security.sudo-rs`,
|
||
and in particular does not automatically use previously-set rules; this could be
|
||
achieved with `security.sudo-rs.extraRules = security.sudo.extraRules;` for instance.
|
||
|
||
[`sudo-rs`]: https://github.com/memorysafety/sudo-rs/
|
||
|
||
- There is a new NixOS option when writing NixOS tests
|
||
`testing.initrdBackdoor`, that enables `backdoor.service` in initrd. Requires
|
||
`boot.initrd.systemd.enable` to be enabled. Boot will pause in Stage 1 at
|
||
`initrd.target`, and will listen for commands from the `Machine` python
|
||
interface, just like Stage 2 normally does. This enables commands to be sent
|
||
to test and debug Stage 1. Use `machine.switch_root()` to leave Stage 1 and
|
||
proceed to Stage 2.
|
||
|
||
- The Linux kernel module `msr` (refer to
|
||
[`msr(4)`](https://man7.org/linux/man-pages/man4/msr.4.html)), which provides
|
||
an interface to read and write the model-specific registers (MSRs) of an x86
|
||
CPU, can now be configured via `hardware.cpu.x86.msr`.
|
||
|
||
- The `qemu-vm.nix` module now supports disabling overriding `fileSystems` with
|
||
`virtualisation.fileSystems`. This enables the user to boot VMs from
|
||
"external" disk images not created by the qemu-vm module. You can stop the
|
||
qemu-vm module from overriding `fileSystems` by setting
|
||
`virtualisation.fileSystems = lib.mkForce { };`.
|
||
|
||
- When using [split parity files](https://www.snapraid.it/manual#7.1) in `snapraid`,
|
||
the snapraid-sync systemd service will no longer fail to run.
|
||
|
||
- `wpa_supplicant`'s configuration file cannot be read by non-root users, and
|
||
secrets (such as Pre-Shared Keys) can safely be passed via
|
||
`networking.wireless.environmentFile`.
|
||
|
||
The configuration file could previously be read, when `userControlled.enable` (non-default),
|
||
by users who are in both `wheel` and `userControlled.group` (defaults to `wheel`)
|
||
|
||
|
||
## Nixpkgs Library {#sec-release-23.11-nixpkgs-lib}
|
||
|
||
### Breaking Changes {#sec-release-23.11-lib-breaking}
|
||
|
||
- [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl-prime)
|
||
now always evaluates the initial accumulator argument first. If you depend on
|
||
the lazier behavior, consider using
|
||
[`lib.lists.foldl`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl)
|
||
or
|
||
[`builtins.foldl'`](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-foldl')
|
||
instead.
|
||
- [`lib.attrsets.foldlAttrs`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.attrsets.foldlAttrs)
|
||
now always evaluates the initial accumulator argument first.
|
||
- Now that the internal NixOS transition to Markdown documentation is complete,
|
||
`lib.options.literalDocBook` has been removed after deprecation in 22.11.
|
||
- `lib.types.string` is now fully deprecated and gives a warning when used.
|
||
|
||
### Additions and Improvements {#sec-release-23.11-lib-additions-improvements}
|
||
|
||
- [`lib.fileset`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-fileset):
|
||
A new sub-library to select local files to use for sources, designed to be
|
||
easy and safe to use.
|
||
|
||
This aims to be a replacement for `lib.sources`-based filtering. To learn
|
||
more about it, see [the blog
|
||
post](https://www.tweag.io/blog/2023-11-28-file-sets/) or [the
|
||
tutorial](https://nix.dev/tutorials/file-sets).
|
||
|
||
- [`lib.gvariant`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-gvariant):
|
||
A partial and basic implementation of GVariant formatted strings. See
|
||
[GVariant Format
|
||
Strings](https://docs.gtk.org/glib/gvariant-format-strings.html) for details.
|
||
|
||
:::{.warning}
|
||
This API is not considered fully stable and it might therefore
|
||
change in backwards incompatible ways without prior notice.
|
||
:::
|
||
|
||
- [`lib.asserts`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-asserts):
|
||
New function:
|
||
[`assertEachOneOf`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.asserts.assertEachOneOf).
|
||
- [`lib.attrsets`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-attrsets):
|
||
New function:
|
||
[`attrsToList`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.attrsets.attrsToList).
|
||
- [`lib.customisation`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-customisation):
|
||
New function:
|
||
[`makeScopeWithSplicing'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.customisation.makeScopeWithSplicing-prime).
|
||
- [`lib.fixedPoints`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-fixedPoints):
|
||
Documentation improvements for
|
||
[`lib.fixedPoints.fix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.fixedPoints.fix).
|
||
- `lib.generators`: New functions:
|
||
[`mkDconfKeyValue`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.generators.mkDconfKeyValue),
|
||
[`toDconfINI`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.generators.toDconfINI).
|
||
|
||
`lib.generators.toKeyValue` now supports the `indent` attribute in its first
|
||
argument.
|
||
- [`lib.lists`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-lists):
|
||
New functions:
|
||
[`findFirstIndex`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.findFirstIndex),
|
||
[`hasPrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.hasPrefix),
|
||
[`removePrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.removePrefix),
|
||
[`commonPrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.commonPrefix),
|
||
[`allUnique`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.allUnique).
|
||
|
||
Documentation improvements for
|
||
[`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl-prime).
|
||
- [`lib.meta`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-meta):
|
||
Documentation of functions now gets rendered
|
||
- [`lib.path`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-path):
|
||
New functions:
|
||
[`hasPrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.hasPrefix),
|
||
[`removePrefix`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.removePrefix),
|
||
[`splitRoot`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.splitRoot),
|
||
[`subpath.components`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.path.subpath.components).
|
||
- [`lib.strings`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-strings):
|
||
New functions:
|
||
[`replicate`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.replicate),
|
||
[`cmakeOptionType`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.cmakeOptionType),
|
||
[`cmakeBool`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.cmakeBool),
|
||
[`cmakeFeature`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.strings.cmakeFeature).
|
||
- [`lib.trivial`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-trivial):
|
||
New function:
|
||
[`mirrorFunctionArgs`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.trivial.mirrorFunctionArgs).
|
||
- `lib.systems`: New function:
|
||
[`equals`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.systems.equals).
|
||
- [`lib.options`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-options):
|
||
Improved documentation for
|
||
[`mkPackageOption`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.options.mkPackageOption).
|
||
|
||
[`mkPackageOption`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.options.mkPackageOption).
|
||
now also supports the `pkgsText` attribute.
|
||
|
||
Module system:
|
||
- Options in the `options` module argument now have the `declarationPositions`
|
||
attribute containing the position where the option was declared:
|
||
```
|
||
$ nix-repl -f '<nixpkgs/nixos>' [...]
|
||
nix-repl> :p options.environment.systemPackages.declarationPositions
|
||
[ {
|
||
column = 7;
|
||
file = "/nix/store/vm9zf9wvfd628cchj0hdij1g4hzjrcz9-source/nixos/modules/config/system-path.nix";
|
||
line = 62;
|
||
} ]
|
||
```
|
||
|
||
Not to be confused with `definitionsWithLocations`, which is the same but for option _definitions_.
|
||
- Improved error message for option declarations missing `mkOption`
|
||
|
||
### Deprecations {#sec-release-23.11-lib-deprecations}
|
||
|
||
- `lib.meta.getExe pkg` (also available as `lib.getExe`) now gives a warning if
|
||
`pkg.meta.mainProgram` is not set, but it continues to default to the
|
||
derivation name. Nixpkgs accepts PRs that set `meta.mainProgram` on packages
|
||
where it makes sense. Use `lib.getExe' pkg "some-command"` to avoid the
|
||
warning and/or select a different executable.
|