depot/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md
Default email 60f07311b9 Project import generated by Copybara.
GitOrigin-RevId: f8e2ebd66d097614d51a56a755450d4ae1632df1
2024-02-06 17:22:34 -08:00

26 KiB

Release 24.05 (“Uakari”, 2024.05/??)

Support is planned until the end of December 2024, handing over to 24.11.

Highlights

In addition to numerous new and upgraded packages, this release has the following highlights:

  • screen's module has been cleaned, and will now require you to set programs.screen.enable in order to populate screenrc and add the program to the environment.

  • linuxPackages_testing_bcachefs is now fully deprecated by linuxPackages_latest, and is therefore no longer available.

  • NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS.

    • This can be disabled through the environment.stub-ld.enable option.
    • If you use programs.nix-ld.enable, no changes are needed. The stub will be disabled automatically.
  • Julia environments can now be built with arbitrary packages from the ecosystem using the .withPackages function. For example: julia.withPackages ["Plots"].

  • A new option systemd.sysusers.enable was added. If enabled, users and groups are created with systemd-sysusers instead of with a custom perl script.

  • A new option system.etc.overlay.enable was added. If enabled, /etc is mounted via an overlayfs instead of being created by a custom perl script.

  • It is now possible to have a completely perlless system (i.e. a system without perl). Previously, the NixOS activation depended on two perl scripts which can now be replaced via an opt-in mechanism. To make your system perlless, you can use the new perlless profile:

    { modulesPath, ... }: {
      imports = [ "${modulesPath}/profiles/perlless.nix" ];
    }
    

New Services

Backward Incompatibilities

  • himalaya was updated to v1.0.0-beta, which introduces breaking changes. Check out the release note for details.

  • The power.ups module now generates upsd.conf, upsd.users and upsmon.conf automatically from a set of new configuration options. This breaks compatibility with existing power.ups setups where these files were created manually. Back up these files before upgrading NixOS.

  • k9s was updated to v0.31. There have been various breaking changes in the config file format, check out the changelog of v0.29, v0.30 and v0.31 for details. It is recommended to back up your current configuration and let k9s recreate the new base configuration.

  • idris2 was updated to v0.7.0. This version introduces breaking changes. Check out the changelog for details.

  • neo4j has been updated to 5, you may want to read the release notes for Neo4j 5

  • services.neo4j.allowUpgrade was removed and no longer has any effect. Neo4j 5 supports automatic rolling upgrades.

  • nitter requires a guest_accounts.jsonl to be provided as a path or loaded into the default location at /var/lib/nitter/guest_accounts.jsonl. See Guest Account Branch Deployment for details.

  • services.aria2.rpcSecret has been replaced with services.aria2.rpcSecretFile. This was done so that secrets aren't stored in the world-readable nix store. To migrate, you will have create a file with the same exact string, and change your module options to point to that file. For example, services.aria2.rpcSecret = "mysecret" becomes services.aria2.rpcSecretFile = "/path/to/secret_file" where the file secret_file contains the string mysecret.

  • Invidious has changed its default database username from kemal to invidious. Setups involving an externally provisioned database (i.e. services.invidious.database.createLocally == false) should adjust their configuration accordingly. The old kemal user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)

  • inetutils now has a lower priority to avoid shadowing the commonly used util-linux. If one wishes to restore the default priority, simply use lib.setPrio 5 inetutils or override with meta.priority = 5.

  • paperless' services.paperless.extraConfig setting has been removed and converted to the freeform type and option named services.paperless.settings.

  • The legacy and long deprecated systemd target network-interfaces.target has been removed. Use network.target instead.

  • services.frp.settings now generates the frp configuration file in TOML format as recommended by upstream, instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options.

    • The settings.common section in the configuration is no longer valid and all the options form inside it now goes directly under settings.
    • The _ separating words in the configuration options is removed so the options are now in camel case. For example: server_addr becomes serverAddr, server_port becomes serverPort etc.
    • Proxies are now defined with a new option settings.proxies which takes a list of proxies.
    • Consult the upstream documentation for more details on the changes.
  • mkosi was updated to v20. Parts of the user interface have changed. Consult the release notes of v19 and v20 for a list of changes.

  • The woodpecker-* packages have been updated to v2 which includes breaking changes.

  • services.nginx will no longer advertise HTTP/3 availability automatically. This must now be manually added, preferably to each location block. Example:

      locations."/".extraConfig = ''
        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
      '';
      locations."^~ /assets/".extraConfig = ''
        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
      '';
    
    
  • The package optparse-bash is now dropped due to upstream inactivity. Alternatives available in Nixpkgs include argc, argbash, bashly and gum, to name a few.

  • The kanata package has been updated to v1.5.0, which includes breaking changes.

  • The craftos-pc package has been updated to v2.8, which includes breaking changes.

    • Files are now handled in binary mode; this could break programs with embedded UTF-8 characters.
    • The ROM was updated to match ComputerCraft version v1.109.2.
    • The bundled Lua was updated to Lua v5.2, which includes breaking changes. See the Lua manual for more information.
    • The WebSocket API was rewritten, which introduced breaking changes.
  • The latest available version of Nextcloud is v28 (available as pkgs.nextcloud28). The installation logic is as follows:

  • The vendored third party libraries have been mostly removed from cudaPackages.nsight_systems, which we now only ship for cudaPackages_11_8 and later due to outdated dependencies. Users comfortable with the vendored dependencies may use overrideAttrs to amend the postPatch phase and the meta.broken correspondingly. Alternatively, one could package the deprecated boost170 locally, as required for cudaPackages_11_4.nsight_systems.

  • The cudaPackages package scope has been updated to cudaPackages_12.

  • services.resolved.fallbackDns can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead.

  • xxd has been moved from vim default output to its own output to reduce closure size. The canonical way to reference it across all platforms is unixtools.xxd.

  • services.avahi.nssmdns got split into services.avahi.nssmdns4 and services.avahi.nssmdns6 which enable the mDNS NSS switch for IPv4 and IPv6 respectively. Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts.

  • A warning has been added for services that are after = [ "network-online.target" ] but do not depend on it (e.g. using wants), because the dependency that multi-user.target has on network-online.target is planned for removal.

  • services.archisteamfarm no longer uses the abbreviation asf for its state directory (/var/lib/asf), user and group (both asf). Instead the long name archisteamfarm is used. Configurations with system.stateVersion 23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory.

  • networking.iproute2.enable now does not set environment.etc."iproute2/rt_tables".text.

    Setting environment.etc."iproute2/{CONFIG_FILE_NAME}".text will override the whole configuration file instead of appending it to the upstream configuration file.

    CONFIG_FILE_NAME includes bpf_pinning, ematch_map, group, nl_protos, rt_dsfield, rt_protos, rt_realms, rt_scopes, and rt_tables.

  • netbox was updated to v3.7. services.netbox.package still defaults to v3.6 if stateVersion is earlier than 24.05. Refer to upstream's breaking changes for v3.7.0 and upgrade NetBox by changing services.netbox.package. Database migrations will be run automatically.

  • The executable file names for firefox-devedition, firefox-beta, firefox-esr now matches their package names, which is consistent with the firefox-*-bin packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher.

  • switch-to-configuration does not directly call systemd-tmpfiles anymore. Instead, the new artificial sysinit-reactivation.target is introduced which allows to restart multiple services that are ordered before sysinit.target and respect the ordering between the services.

  • The systemd.oomd module behavior is changed as:

    • Raise ManagedOOMMemoryPressureLimit from 50% to 80%. This should make systemd-oomd kill things less often, and fix issues like this. Reference: commit

    • Remove swap policy. This helps prevent killing processes when user's swap is small.

    • Expand the memory pressure policy to system.slice, user-.slice, and all user owned slices. Reference: commit

    • systemd.oomd.enableUserServices is renamed to systemd.oomd.enableUserSlices.

  • security.pam.enableSSHAgentAuth now requires services.openssh.authorizedKeysFiles to be non-empty, which is the case when services.openssh.enable is true. Previously, pam_ssh_agent_auth silently failed to work.

  • The configuration format for services.prometheus.exporters.snmp changed with release 0.23.0. The module now includes an optional config check, that is enabled by default, to make the change obvious before any deployment. More information about the configuration syntax change is available in the upstream repository.

  • watchdogd, a system and process supervisor using watchdog timers. Available as services.watchdogd.

  • The jdt-language-server package now uses upstream's provided python wrapper instead of our own custom wrapper. This results in the following breaking and notable changes:

    • The main binary for the package is now named jdtls instead of jdt-language-server, equivalent to what most editors expect the binary to be named.

    • JVM arguments should now be provided with the --jvm-arg flag instead of setting JAVA_OPTS.

    • The -data path is no longer required to run the package, and will be set to point to a folder in $TMP if missing.

  • nomad has been updated - note that HashiCorp recommends updating one minor version at a time. Please check their upgrade guide for information on safely updating clusters and potential breaking changes.

    • nomad is now Nomad 1.7.x.

    • nomad_1_4 has been removed, as it is now unsupported upstream.

  • The livebook package is now built as a mix release instead of an escript. This means that configuration now has to be done using environment variables instead of command line arguments. This has the further implication that the livebook service configuration has changed:

    • The erlang_node_short_name, erlang_node_name, port and options configuration parameters are gone, and have been replaced with an environment parameter. Use the appropriate environment variables inside environment to configure the service instead.

Other Notable Changes

  • addDriverRunpath has been added to facilitate the deprecation of the old addOpenGLRunpath setuphook. This change is motivated by the evolution of the setuphook to include all hardware acceleration.

  • Cinnamon has been updated to 6.0. Please beware that the Wayland session is still experimental in this release.

  • services.postgresql.extraPlugins changed its type from just a list of packages to also a function that returns such a list. For example a config line like services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ]; is recommended to be changed to services.postgresql.extraPlugins = ps: with ps; [ postgis ];;

  • Programs written in Nim are built with libraries selected by lockfiles. The nimPackages and nim2Packages sets have been removed. See https://nixos.org/manual/nixpkgs/unstable#nim for more information.

  • Portunus has been updated to major version 2. This version of Portunus supports strong password hashes, but the legacy hash SHA-256 is also still supported to ensure a smooth migration of existing user accounts. After upgrading, follow the instructions on the upstream release notes to upgrade all user accounts to strong password hashes. Support for weak password hashes will be removed in NixOS 24.11.

  • libass now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with mpv, ffmpeg, etc.

  • Lilypond and Denemo are now compiled with Guile 3.0.

  • The following options of the Nextcloud module were moved into services.nextcloud.settings and renamed to match the name from Nextcloud's config.php:

  • The option [services.nextcloud.config.dbport] of the Nextcloud module was removed to match upstream. The port can be specified in services.nextcloud.config.dbhost.

  • stdenv: The --replace flag in substitute, substituteInPlace, substituteAll, substituteAllStream, and substituteStream is now deprecated if favor of the new --replace-fail, --replace-warn and --replace-quiet. The deprecated --replace equates to --replace-warn.

  • New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see services.dnsdist.dnscrypt.enable, etc.). The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.

  • With a bump to sonarr v4, existing config database files will be upgraded automatically, but note that some old apparently-working configs might actually be corrupt and fail to upgrade cleanly.

  • The Yama LSM is now enabled by default in the kernel, which prevents ptracing non-child processes. This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child). Or you can set boot.kernel.sysctl."kernel.yama.ptrace_scope" to 0.

  • The netbird module now allows running multiple tunnels in parallel through services.netbird.tunnels.

  • Nginx virtual hosts using forceSSL or globalRedirect can now have redirect codes other than 301 through redirectCode.

  • The source of the mockgen package has changed to the go.uber.org/mock fork because the original repository is no longer maintained.

  • security.pam.enableSSHAgentAuth was renamed to security.pam.sshAgentAuth.enable and an authorizedKeysFiles option was added, to control which authorized_keys files are trusted. It defaults to the previous behaviour, which is insecure: see #31611.

  • changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as since 22.11.

  • services.zfs.zed.enableMail now uses the global sendmail wrapper defined by an email module (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.

  • nextcloud-setup.service no longer changes the group of each file & directory inside /var/lib/nextcloud/{config,data,store-apps} if one of these directories has the wrong owner group. This was part of transitioning the group used for /var/lib/nextcloud, but isn't necessary anymore.

  • The krb5 module has been rewritten and moved to security.krb5, moving all options but security.krb5.enable and security.krb5.package into security.krb5.settings.

  • Gitea 1.21 upgrade has several breaking changes, including:

    • Custom themes and other assets that were previously stored in custom/public/* now belong in custom/public/assets/*
    • New instances of Gitea using MySQL now ignore the [database].CHARSET config option and always use the utf8mb4 charset, existing instances should migrate via the gitea doctor convert CLI command.
  • The services.paperless module no longer uses the previously downloaded NLTK data stored in /var/cache/paperless/nltk. This directory can be removed.

  • The hardware.pulseaudio module now sets permission of pulse user home directory to 755 when running in "systemWide" mode. It fixes issue 114399.

  • The btrbk module now automatically selects and provides required compression program depending on the configured stream_compress option. Since this replaces the need for the extraPackages option, this option will be deprecated in future releases.

  • The mpich package expression now requires withPm to be a list, e.g. "hydra:gforker" becomes [ "hydra" "gforker" ].

  • YouTrack is bumped to 2023.3. The update is not performed automatically, it requires manual interaction. See the YouTrack section in the manual for details.

  • QtMultimedia has changed its default backend to QT_MEDIA_BACKEND=ffmpeg (previously gstreamer on Linux or darwin on MacOS). The previous native backends remain available but are now minimally maintained. Refer to upstream documentation for further details about each platform.