9c6d255489
GitOrigin-RevId: 8133b9cb5f7c00d4fe31c8c2c4b525bc2650bfc0
1229 lines
55 KiB
XML
1229 lines
55 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
|
||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
version="5.0"
|
||
xml:id="sec-release-20.09">
|
||
<title>Release 20.09 (“Nightingale”, 2020.09/??)</title>
|
||
|
||
<section xmlns="http://docbook.org/ns/docbook"
|
||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
version="5.0"
|
||
xml:id="sec-release-20.09-highlights">
|
||
<title>Highlights</title>
|
||
|
||
<para>
|
||
In addition to numerous new and upgraded packages, this release has the
|
||
following highlights:
|
||
</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
Support is planned until the end of April 2021, handing over to 21.03.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>GNOME desktop environment was upgraded to 3.36, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.36/">release notes</link>.</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The Cinnamon desktop environment (v4.6) has been added. <varname>services.xserver.desktopManager.cinnamon.enable = true;</varname> to try it out!
|
||
Remember that, with any new feature it's possible you could run into issues, so please send all support requests to <link xlink:href="https://github.com/NixOS/nixpkgs/issues">github.com/NixOS/nixpkgs</link> to notify the maintainers.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Quickly configure a complete, private, self-hosted video
|
||
conferencing solution with the new Jitsi Meet module.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<package>maxx</package> package removed along with <varname>services.xserver.desktopManager.maxx</varname> module.
|
||
Please migrate to <package>cdesktopenv</package> and <varname>services.xserver.desktopManager.cde</varname> module.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
We now distribute a GNOME ISO.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
PHP now defaults to PHP 7.4, updated from 7.3.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
PHP 7.2 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 20.09 release.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Python 3 now defaults to Python 3.8 instead of 3.7.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Python 3.5 has reached its upstream EOL at the end of September 2020: it
|
||
has been removed from the list of available packages.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link>
|
||
and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have
|
||
been added to the <literal>openssh</literal> module. If you have <literal>AuthorizedKeysCommand</literal>
|
||
in your <link linkend="opt-services.openssh.extraConfig">services.openssh.extraConfig</link> you should
|
||
make use of these new options instead.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
There is a new module for Podman(<varname>virtualisation.podman</varname>), a drop-in replacement for the Docker command line.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The new <varname>virtualisation.containers</varname> module manages configuration shared by the CRI-O and Podman modules.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Declarative Docker containers are renamed from <varname>docker-containers</varname> to <varname>virtualisation.oci-containers.containers</varname>.
|
||
This is to make it possible to use <literal>podman</literal> instead of <literal>docker</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
MariaDB has been updated to 10.4, MariaDB Galera to 26.4.
|
||
Before you upgrade, it would be best to take a backup of your database.
|
||
For MariaDB Galera Cluster, see <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104-with-galera-cluster/">Upgrading
|
||
from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster</link> instead.
|
||
Before doing the upgrade read <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104">Incompatible
|
||
Changes Between 10.3 and 10.4</link>.
|
||
After the upgrade you will need to run <literal>mysql_upgrade</literal>.
|
||
MariaDB 10.4 introduces a number of changes to the authentication process, intended to make things easier and more
|
||
intuitive. See <link xlink:href="https://mariadb.com/kb/en/authentication-from-mariadb-104/">Authentication from MariaDB 10.4</link>.
|
||
unix_socket auth plugin does not use a password, and uses the connecting user's UID instead. When a new MariaDB data directory is initialized, two MariaDB users are
|
||
created and can be used with new unix_socket auth plugin, as well as traditional mysql_native_password plugin: root@localhost and mysql@localhost. To actually use
|
||
the traditional mysql_native_password plugin method, one must run the following:
|
||
<programlisting>
|
||
services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
|
||
ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("verysecret");
|
||
'';
|
||
</programlisting>
|
||
When MariaDB data directory is just upgraded (not initialized), the users are not created or modified.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options
|
||
may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when
|
||
calling <literal>LOAD DATA INFILE or SELECT * INTO OUTFILE</literal>. In this scenario a variant of the following may be required:
|
||
- allow MySQL to read from /home and /tmp directories when using <literal>LOAD DATA INFILE</literal>
|
||
<programlisting>
|
||
systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only";
|
||
</programlisting>
|
||
- allow MySQL to write to custom folder <literal>/var/data</literal> when using <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql user has write
|
||
access to <literal>/var/data</literal>
|
||
<programlisting>
|
||
systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
|
||
</programlisting>
|
||
</para>
|
||
<para>
|
||
The MySQL service no longer runs its <literal>systemd</literal> service startup script as <literal>root</literal> anymore. A dedicated non <literal>root</literal>
|
||
super user account is required for operation. This means users with an existing MySQL or MariaDB database server are required to run the following SQL statements
|
||
as a super admin user before upgrading:
|
||
<programlisting>
|
||
CREATE USER IF NOT EXISTS 'mysql'@'localhost' identified with unix_socket;
|
||
GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
|
||
</programlisting>
|
||
If you use MySQL instead of MariaDB please replace <literal>unix_socket</literal> with <literal>auth_socket</literal>. If you have changed the value of <xref linkend="opt-services.mysql.user"/>
|
||
from the default of <literal>mysql</literal> to a different user please change <literal>'mysql'@'localhost'</literal> to the corresponding user instead.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The new option <link linkend="opt-documentation.man.generateCaches">documentation.man.generateCaches</link>
|
||
has been added to automatically generate the <literal>man-db</literal> caches, which are needed by utilities
|
||
like <command>whatis</command> and <command>apropos</command>. The caches are generated during the build of
|
||
the NixOS configuration: since this can be expensive when a large number of packages are installed, the
|
||
feature is disabled by default.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<varname>services.postfix.sslCACert</varname> was replaced by <varname>services.postfix.tlsTrustedAuthorities</varname> which now defaults to system certificate authorities.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Subordinate GID and UID mappings are now set up automatically for all normal users.
|
||
This will make container tools like Podman work as non-root users out of the box.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The various documented workarounds to use steam have been converted to a module. <varname>programs.steam.enable</varname> enables steam, controller support and the workarounds.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Support for built-in LCDs in various pieces of Logitech hardware (keyboards and USB speakers). <varname>hardware.logitech.lcd.enable</varname> enables support for all hardware supported by the g15daemon project.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Zabbix now defaults to 5.0, updated from 4.4. Please carefully read through
|
||
<link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade/sources">the upgrade guide</link>
|
||
and apply any changes required. Be sure to take special note of the section on
|
||
<link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade_notes_500#enabling_extended_range_of_numeric_float_values">enabling extended range of numeric (float) values</link>
|
||
as you will need to apply this database migration manually.
|
||
</para>
|
||
<para>
|
||
If you are using Zabbix Server with a MySQL or MariaDB database you should note that using a character set of <literal>utf8</literal> and a collate of <literal>utf8_bin</literal> has become mandatory with
|
||
this release. See the upstream <link xlink:href="https://support.zabbix.com/browse/ZBX-17357">issue</link> for further discussion. Before upgrading you should check the character set and collation used by
|
||
your database and ensure they are correct:
|
||
<programlisting>
|
||
SELECT
|
||
default_character_set_name,
|
||
default_collation_name
|
||
FROM
|
||
information_schema.schemata
|
||
WHERE
|
||
schema_name = 'zabbix';
|
||
</programlisting>
|
||
If these values are not correct you should take a backup of your database and convert the character set and collation as required. Here is an
|
||
<link xlink:href="https://www.zabbix.com/forum/zabbix-help/396573-reinstall-after-upgrade?p=396891#post396891">example</link> of how to do so, taken from
|
||
the Zabbix forums:
|
||
<programlisting>
|
||
ALTER DATABASE `zabbix` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin;
|
||
|
||
-- the following will produce a list of SQL commands you should subsequently execute
|
||
SELECT CONCAT("ALTER TABLE ", TABLE_NAME," CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;") AS ExecuteTheString
|
||
FROM information_schema.`COLUMNS`
|
||
WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ci";
|
||
</programlisting>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The NixOS module system now supports freeform modules as a mix between <literal>types.attrsOf</literal> and <literal>types.submodule</literal>. These allow you to explicitly declare a subset of options while still permitting definitions without an associated option. See <xref linkend='sec-freeform-modules'/> for how to use them.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The GRUB module gained support for basic password protection, which
|
||
allows to restrict non-default entries in the boot menu to one or more
|
||
users. The users and passwords are defined via the option
|
||
<option>boot.loader.grub.users</option>.
|
||
Note: Password support is only avaiable in GRUB version 2.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Following its deprecation in 20.03, the Perl NixOS test driver has been removed.
|
||
All remaining tests have been ported to the Python test framework.
|
||
Code outside nixpkgs using <filename>make-test.nix</filename> or
|
||
<filename>testing.nix</filename> needs to be ported to
|
||
<filename>make-test-python.nix</filename> and
|
||
<filename>testing-python.nix</filename> respectively.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
|
||
<section xmlns="http://docbook.org/ns/docbook"
|
||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
version="5.0"
|
||
xml:id="sec-release-20.09-new-services">
|
||
<title>New Services</title>
|
||
|
||
<para>
|
||
The following new services were added since the last release:
|
||
</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
There is a new <xref linkend="opt-security.doas.enable"/> module that provides <command>doas</command>, a lighter alternative to <command>sudo</command> with many of the same features.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="https://hercules-ci.com">Hercules CI</link> Agent is a specialized build agent for projects built with Nix. See the <link xlink:href="https://nixos.org/nixos/options.html#services.hercules-ci-agent">options</link> and <link xlink:href="https://docs.hercules-ci.com/hercules-ci/getting-started/#deploy-agent">setup</link>.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
</section>
|
||
|
||
<section xmlns="http://docbook.org/ns/docbook"
|
||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
version="5.0"
|
||
xml:id="sec-release-20.09-incompatibilities">
|
||
<title>Backward Incompatibilities</title>
|
||
|
||
<para>
|
||
When upgrading from a previous release, please be aware of the following
|
||
incompatible changes:
|
||
</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
The <link linkend="opt-services.matrix-synapse.enable">matrix-synapse</link> module no longer includes optional dependencies by default, they have to be added through the <link linkend="opt-services.matrix-synapse.plugins">plugins</link> option.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>buildGoModule</literal> now internally creates a vendor directory
|
||
in the source tree for downloaded modules instead of using go's <link
|
||
xlink:href="https://golang.org/cmd/go/#hdr-Module_proxy_protocol">module
|
||
proxy protocol</link>. This storage format is simpler and therefore less
|
||
likely to break with future versions of go. As a result
|
||
<literal>buildGoModule</literal> switched from
|
||
<literal>modSha256</literal> to the <literal>vendorSha256</literal>
|
||
attribute to pin fetched version data.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Grafana is now built without support for phantomjs by default. Phantomjs support has been
|
||
<link xlink:href="https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-4/">deprecated in Grafana</link>
|
||
and the <package>phantomjs</package> project is
|
||
<link xlink:href="https://github.com/ariya/phantomjs/issues/15344#issue-302015362">currently unmaintained</link>.
|
||
It can still be enabled by providing <literal>phantomJsSupport = true</literal> to the package instantiation:
|
||
<programlisting>{
|
||
services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec {
|
||
phantomJsSupport = false;
|
||
});
|
||
}</programlisting>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <link linkend="opt-services.supybot.enable">supybot</link> module now uses <literal>/var/lib/supybot</literal>
|
||
as its default <link linkend="opt-services.supybot.stateDir">stateDir</link> path if <literal>stateVersion</literal>
|
||
is 20.09 or higher. It also enables a number of
|
||
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd sandboxing options</link>
|
||
which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in
|
||
<option>systemd.services.supybot.serviceConfig</option>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>security.duosec.skey</literal> option, which stored a secret in the
|
||
nix store, has been replaced by a new
|
||
<link linkend="opt-security.duosec.secretKeyFile">security.duosec.secretKeyFile</link>
|
||
option for better security.
|
||
</para>
|
||
<para>
|
||
<literal>security.duosec.ikey</literal> has been renamed to
|
||
<link linkend="opt-security.duosec.integrationKey">security.duosec.integrationKey</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>vmware</literal> has been removed from the <literal>services.x11.videoDrivers</literal> defaults.
|
||
For VMWare guests set <literal>virtualisation.vmware.guest.enable</literal> to <literal>true</literal> which will include the appropriate drivers.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The initrd SSH support now uses OpenSSH rather than Dropbear to
|
||
allow the use of Ed25519 keys and other OpenSSH-specific
|
||
functionality. Host keys must now be in the OpenSSH format, and at
|
||
least one pre-generated key must be specified.
|
||
</para>
|
||
<para>
|
||
If you used the <option>boot.initrd.network.ssh.host*Key</option>
|
||
options, you'll get an error explaining how to convert your host
|
||
keys and migrate to the new
|
||
<option>boot.initrd.network.ssh.hostKeys</option> option.
|
||
Otherwise, if you don't have any host keys set, you'll need to
|
||
generate some; see the <option>hostKeys</option> option
|
||
documentation for instructions.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Since this release there's an easy way to customize your PHP
|
||
install to get a much smaller base PHP with only wanted
|
||
extensions enabled. See the following snippet installing a
|
||
smaller PHP with the extensions <literal>imagick</literal>,
|
||
<literal>opcache</literal>, <literal>pdo</literal> and
|
||
<literal>pdo_mysql</literal> loaded:
|
||
|
||
<programlisting>
|
||
environment.systemPackages = [
|
||
(pkgs.php.withExtensions
|
||
({ all, ... }: with all; [
|
||
imagick
|
||
opcache
|
||
pdo
|
||
pdo_mysql
|
||
])
|
||
)
|
||
];</programlisting>
|
||
|
||
The default <literal>php</literal> attribute hasn't lost any
|
||
extensions. The <literal>opcache</literal> extension has been
|
||
added.
|
||
|
||
All upstream PHP extensions are available under <package><![CDATA[php.extensions.<name?>]]></package>.
|
||
</para>
|
||
<para>
|
||
All PHP <literal>config</literal> flags have been removed for
|
||
the following reasons:
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
The updated <literal>php</literal> attribute is now easily
|
||
customizable to your liking by using
|
||
<literal>php.withExtensions</literal> or
|
||
<literal>php.buildEnv</literal> instead of writing config files
|
||
or changing configure flags.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The remaining configuration flags can now be set directly on
|
||
the <literal>php</literal> attribute. For example, instead of
|
||
|
||
<programlisting>
|
||
php.override {
|
||
config.php.embed = true;
|
||
config.php.apxs2 = false;
|
||
}
|
||
</programlisting>
|
||
|
||
you should now write
|
||
|
||
<programlisting>
|
||
php.override {
|
||
embedSupport = true;
|
||
apxs2Support = false;
|
||
}
|
||
</programlisting>
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The ACME module has been overhauled for simplicity and maintainability.
|
||
Cert generation now implicitly uses the <literal>acme</literal>
|
||
user, and the <literal>security.acme.certs._name_.user</literal> option
|
||
has been removed. Instead, certificate access from other services is now
|
||
managed through group permissions. The module no longer runs lego
|
||
twice under certain conditions, and will correctly renew certificates if
|
||
their configuration is changed. Services which reload nginx and httpd after
|
||
certificate renewal are now properly configured too so you no longer have
|
||
to do this manually if you are using HTTPS enabled virtual hosts. A mechanism
|
||
for regenerating certs on demand has also been added and documented.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Gollum received a major update to version 5.x and you may have to change
|
||
some links in your wiki when migrating from gollum 4.x. More information
|
||
can be found
|
||
<link xlink:href="https://github.com/gollum/gollum/wiki/5.0-release-notes#migrating-your-wiki">here</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Deluge 2.x was added and is used as default for new NixOS
|
||
installations where stateVersion is >= 20.09. If you are upgrading from a previous
|
||
NixOS version, you can set <literal>service.deluge.package = pkgs.deluge-2_x</literal>
|
||
to upgrade to Deluge 2.x and migrate the state to the new format.
|
||
Be aware that backwards state migrations are not supported by Deluge.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Nginx web server now starting with additional sandbox/hardening options. By default, write access
|
||
to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders,
|
||
use <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal>
|
||
<programlisting>
|
||
systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
|
||
</programlisting>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The NixOS options <literal>nesting.clone</literal> and
|
||
<literal>nesting.children</literal> have been deleted, and
|
||
replaced with named <xref linkend="opt-specialisation"/>
|
||
configurations.
|
||
</para>
|
||
|
||
<para>
|
||
Replace a <literal>nesting.clone</literal> entry with:
|
||
|
||
<programlisting>{
|
||
<link xlink:href="#opt-specialisation">specialisation.example-sub-configuration</link> = {
|
||
<link xlink:href="#opt-specialisation._name_.configuration">configuration</link> = {
|
||
...
|
||
};
|
||
};</programlisting>
|
||
|
||
</para>
|
||
<para>
|
||
Replace a <literal>nesting.children</literal> entry with:
|
||
|
||
<programlisting>{
|
||
<link xlink:href="#opt-specialisation">specialisation.example-sub-configuration</link> = {
|
||
<link xlink:href="#opt-specialisation._name_.inheritParentConfig">inheritParentConfig</link> = false;
|
||
<link xlink:href="#opt-specialisation._name_.configuration">configuration</link> = {
|
||
...
|
||
};
|
||
};</programlisting>
|
||
</para>
|
||
|
||
<para>
|
||
To switch to a specialised configuration at runtime you need to
|
||
run:
|
||
<programlisting>
|
||
# sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test
|
||
</programlisting>
|
||
Before you would have used:
|
||
<programlisting>
|
||
# sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
|
||
</programlisting>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The Nginx log directory has been moved to <literal>/var/log/nginx</literal>, the cache directory
|
||
to <literal>/var/cache/nginx</literal>. The option <literal>services.nginx.stateDir</literal> has
|
||
been removed.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The httpd web server previously started its main process as root
|
||
privileged, then ran worker processes as a less privileged identity user.
|
||
This was changed to start all of httpd as a less privileged user (defined by
|
||
<xref linkend="opt-services.httpd.user"/> and
|
||
<xref linkend="opt-services.httpd.group"/>). As a consequence, all files that
|
||
are needed for httpd to run (included configuration fragments, SSL
|
||
certificates and keys, etc.) must now be readable by this less privileged
|
||
user/group.
|
||
</para>
|
||
<para>
|
||
The default value for <xref linkend="opt-services.httpd.mpm"/>
|
||
has been changed from <literal>prefork</literal> to <literal>event</literal>. Along with
|
||
this change the default value for
|
||
<link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.http2</link>
|
||
has been set to <literal>true</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>systemd-networkd</literal> option
|
||
<literal>systemd.network.networks.<name>.dhcp.CriticalConnection</literal>
|
||
has been removed following upstream systemd's deprecation of the same. It is recommended to use
|
||
<literal>systemd.network.networks.<name>.networkConfig.KeepConfiguration</literal> instead.
|
||
See <citerefentry><refentrytitle>systemd.network</refentrytitle>
|
||
<manvolnum>5</manvolnum></citerefentry> for details.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>systemd-networkd</literal> option
|
||
<literal>systemd.network.networks._name_.dhcpConfig</literal>
|
||
has been renamed to
|
||
<xref linkend="opt-systemd.network.networks._name_.dhcpV4Config"/>
|
||
following upstream systemd's documentation change.
|
||
See <citerefentry><refentrytitle>systemd.network</refentrytitle>
|
||
<manvolnum>5</manvolnum></citerefentry> for details.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
In the <literal>picom</literal> module, several options that accepted
|
||
floating point numbers encoded as strings (for example
|
||
<xref linkend="opt-services.picom.activeOpacity"/>) have been changed
|
||
to the (relatively) new native <literal>float</literal> type. To migrate
|
||
your configuration simply remove the quotes around the numbers.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
When using <literal>buildBazelPackage</literal> from Nixpkgs,
|
||
<literal>flat</literal> hash mode is now used for dependencies
|
||
instead of <literal>recursive</literal>. This is to better allow
|
||
using hashed mirrors where needed. As a result, these hashes
|
||
will have changed.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The rkt module has been removed, it was archived by upstream.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <link xlink:href="https://bazaar.canonical.com">Bazaar</link> VCS is
|
||
unmaintained and, as consequence of the Python 2 EOL, the packages
|
||
<literal>bazaar</literal> and <literal>bazaarTools</literal> were
|
||
removed. Breezy, the backward compatible fork of Bazaar (see the
|
||
<link xlink:href="https://www.jelmer.uk/breezy-intro.html">announcement</link>),
|
||
was packaged as <literal>breezy</literal> and can be used instead.
|
||
</para>
|
||
<para>
|
||
Regarding Nixpkgs, <literal>fetchbzr</literal>,
|
||
<literal>nix-prefetch-bzr</literal> and Bazaar support in Hydra will
|
||
continue to work through Breezy.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
In addition to the hostname, the fully qualified domain name (FQDN),
|
||
which consists of <literal>${networking.hostName}</literal> and
|
||
<literal>${networking.domain}</literal> is now added to
|
||
<literal>/etc/hosts</literal>, to allow local FQDN resolution, as used by the
|
||
<literal>hostname --fqdn</literal> command and other applications that
|
||
try to determine the FQDN. These new entries take precedence over entries
|
||
from the DNS which could cause regressions in some very specific setups.
|
||
Additionally the hostname is now resolved to <literal>127.0.0.2</literal>
|
||
instead of <literal>127.0.1.1</literal> to be consistent with what
|
||
<literal>nss-myhostname</literal> (from systemd) returns.
|
||
The old behaviour can e.g. be restored by using
|
||
<literal>networking.hosts = lib.mkForce { "127.0.1.1" = [ config.networking.hostName ]; };</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The hostname (<literal>networking.hostName</literal>) must now be a valid
|
||
DNS label (see RFC 1035, RFC 1123) and as such must not contain the domain part.
|
||
This means that the hostname must start with a letter or digit, end with a letter
|
||
or digit, and have as interior characters only letters, digits, and
|
||
hyphen. The maximum length is 63 characters. Additionally it is
|
||
recommended to only use lower-case characters.
|
||
If (e.g. for legacy reasons) a FQDN is required as the Linux kernel network node hostname
|
||
(<literal>uname --nodename</literal>) the option
|
||
<literal>boot.kernel.sysctl."kernel.hostname"</literal>
|
||
can be used as a workaround (but be aware of the 64 character limit).
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The GRUB specific option <option>boot.loader.grub.extraInitrd</option>
|
||
has been replaced with the generic option
|
||
<option>boot.initrd.secrets</option>. This option creates a secondary
|
||
initrd from the specified files, rather than using a manually created
|
||
initrd file.
|
||
|
||
Due to an existing bug with <option>boot.loader.grub.extraInitrd</option>,
|
||
it is not possible to directly boot an older generation that used that
|
||
option. It is still possible to rollback to that generation if the required
|
||
initrd file has not been deleted.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <link xlink:href="https://github.com/okTurtles/dnschain">DNSChain</link>
|
||
package and NixOS module have been removed from Nixpkgs as the software is
|
||
unmaintained and can't be built. For more information see issue
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/89205">#89205</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
In the <literal>resilio</literal> module, <xref linkend="opt-services.resilio.httpListenAddr"/> has been changed to listen to <literal>[::1]</literal> instead of <literal>0.0.0.0</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Users of <link xlink:href="http://openafs.org">OpenAFS 1.6</link> must
|
||
upgrade their services to OpenAFS 1.8! In this release, the OpenAFS package
|
||
version 1.6.24 is marked broken but can be used during transition to
|
||
OpenAFS 1.8.x. Use the options
|
||
<option>services.openafsClient.packages.module</option>,
|
||
<option>services.openafsClient.packages.programs</option> and
|
||
<option>services.openafsServer.package</option> to select a different
|
||
OpenAFS package. OpenAFS 1.6 will be removed in the next release. The
|
||
package <literal>openafs</literal> and the service options will then
|
||
silently point to the OpenAFS 1.8 release.
|
||
</para>
|
||
<para>
|
||
See also the OpenAFS <link
|
||
xlink:href="http://docs.openafs.org/AdminGuide/index.html">Administrator
|
||
Guide</link> for instructions. Beware of the following when updating
|
||
servers:
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
The storage format of the server key has changed and the key must be converted before running the new release.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
When updating multiple database servers, turn off the database servers
|
||
from the highest IP down to the lowest with resting periods in
|
||
between. Start up in reverse order. Do not concurrently run database
|
||
servers working with different OpenAFS releases!
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Update servers first, then clients.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Radicale's default package has changed from 2.x to 3.x. An upgrade
|
||
checklist can be found
|
||
<link xlink:href="https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist">here</link>.
|
||
You can use the newer version in the NixOS service by setting the
|
||
<literal>package</literal> to <literal>radicale3</literal>, which is done
|
||
automatically if <literal>stateVersion</literal> is 20.09 or higher.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>udpt</literal> experienced a complete rewrite from C++ to rust. The configuration format changed from ini to toml.
|
||
The new configuration documentation can be found at
|
||
<link xlink:href="https://naim94a.github.io/udpt/config.html">the official website</link> and example
|
||
configuration is packaged in <literal>${udpt}/share/udpt/udpt.toml</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
We now have a unified <xref linkend="opt-services.xserver.displayManager.autoLogin"/> option interface
|
||
to be used for every display-manager in NixOS.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>bitcoind</literal> module has changed to multi-instance, using submodules.
|
||
Therefore, it is now mandatory to name each instance.
|
||
To use this new multi-instance config with an existing bitcoind data directory and user,
|
||
you have to adjust the original config, e.g.:
|
||
<programlisting>
|
||
services.bitcoind = {
|
||
enable = true;
|
||
extraConfig = "...";
|
||
...
|
||
};
|
||
</programlisting>
|
||
To something similar:
|
||
<programlisting>
|
||
services.bitcoind.mainnet = {
|
||
enable = true;
|
||
dataDir = "/var/lib/bitcoind";
|
||
user = "bitcoin";
|
||
extraConfig = "...";
|
||
...
|
||
};
|
||
</programlisting>
|
||
The key settings are:
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
<literal>dataDir</literal> - to continue using the same data directory.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>user</literal> - to continue using the same user so that bitcoind maintains access to its files.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Graylog introduced a change in the LDAP server certificate validation behaviour for version 3.3.3 which might break existing setups.
|
||
When updating Graylog from a version before 3.3.3 make sure to check the Graylog <link xlink:href="https://www.graylog.org/post/announcing-graylog-v3-3-3">release info</link> for information on how to avoid the issue.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>dokuwiki</literal> module has changed to multi-instance, using submodules.
|
||
Therefore, it is now mandatory to name each instance. Moreover, forcing SSL by default has been dropped, so
|
||
<literal>nginx.forceSSL</literal> and <literal>nginx.enableACME</literal> are no longer set to <literal>true</literal>.
|
||
To continue using your service with the original SSL settings, you have to adjust the original config, e.g.:
|
||
<programlisting>
|
||
services.dokuwiki = {
|
||
enable = true;
|
||
...
|
||
};
|
||
</programlisting>
|
||
To something similar:
|
||
<programlisting>
|
||
services.dokuwiki."mywiki" = {
|
||
enable = true;
|
||
nginx = {
|
||
forceSSL = true;
|
||
enableACME = true;
|
||
};
|
||
...
|
||
};
|
||
</programlisting>
|
||
The base package has also been upgraded to the 2020-07-29 "Hogfather" release. Plugins might be incompatible or require upgrading.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <xref linkend="opt-services.postgresql.dataDir"/> option is now set to <literal>"/var/lib/postgresql/${cfg.package.psqlSchema}"</literal> regardless of your
|
||
<xref linkend="opt-system.stateVersion"/>. Users with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below
|
||
should double check what the value of their <xref linkend="opt-services.postgresql.dataDir"/> option is (<literal>/var/db/postgresql</literal>) and then explicitly
|
||
set this value to maintain compatibility:
|
||
<programlisting>
|
||
services.postgresql.dataDir = "/var/db/postgresql";
|
||
</programlisting>
|
||
</para>
|
||
<para>
|
||
The postgresql module now expects there to be a database super user account called <literal>postgres</literal> regardless of your <xref linkend="opt-system.stateVersion"/>. Users
|
||
with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below should run the following SQL statements as a
|
||
database super admin user before upgrading:
|
||
<programlisting>
|
||
CREATE ROLE postgres LOGIN SUPERUSER;
|
||
</programlisting>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The USBGuard module now removes options and instead hardcodes values for <literal>IPCAccessControlFiles</literal>, <literal>ruleFiles</literal>, and <literal>auditFilePath</literal>. Audit logs can be found in the journal.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The NixOS module system now evaluates option definitions more strictly, allowing it to detect a larger set of problems.
|
||
As a result, what previously evaluated may not do so anymore.
|
||
See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/82743#issuecomment-674520472">the PR that changed this</link> for more info.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
For NixOS configuration options, the type <literal>loaOf</literal>, after
|
||
its initial deprecation in release 20.03, has been removed. In NixOS and
|
||
Nixpkgs options using this type have been converted to <literal>attrsOf</literal>.
|
||
For more information on this change have look at these links:
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/1800">issue #1800</link>,
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/63103">PR #63103</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>config.systemd.services.${name}.path</literal> now returns a list of paths instead of a colon-separated string.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Caddy module now uses Caddy v2 by default. Caddy v1 can still be used by setting
|
||
<xref linkend="opt-services.caddy.package"/> to <literal>pkgs.caddy1</literal>.
|
||
</para>
|
||
<para>
|
||
New option <xref linkend="opt-services.caddy.adapter"/> has been added.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <link linkend="opt-services.jellyfin.enable">jellyfin</link> module will use and stay on the Jellyfin version <literal>10.5.5</literal>
|
||
if <literal>stateVersion</literal> is lower than <literal>20.09</literal>. This is because significant changes were made to the database schema,
|
||
and it is highly recommended to backup your instance before upgrading. After making your backup, you can upgrade to the latest version either by
|
||
setting your <literal>stateVersion</literal> to <literal>20.09</literal> or higher, or set the <option>services.jellyfin.package</option> to
|
||
<literal>pkgs.jellyfin</literal>. If you do not wish to upgrade Jellyfin, but want to change your <literal>stateVersion</literal>, you can set
|
||
the value of <option>services.jellyfin.package</option> to <literal>pkgs.jellyfin_10_5</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>security.rngd</literal> service is now disabled by default.
|
||
This choice was made because there's krngd in the linux kernel space making it (for most usecases)
|
||
functionally redundent.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>hardware.nvidia.optimus_prime.enable</literal> service has been renamed to
|
||
<literal>hardware.nvidia.prime.sync.enable</literal> and has many new enhancements.
|
||
Related nvidia prime settings may have also changed.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The package <package>nextcloud17</package> has been removed and <package>nextcloud18</package> was marked as insecure
|
||
since both of them will <link xlink:href="https://docs.nextcloud.com/server/19/admin_manual/release_schedule.html">
|
||
will be EOL (end of life) within the lifetime of 20.09</link>.
|
||
</para>
|
||
<para>
|
||
It's necessary to upgrade to <package>nextcloud19</package>:
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
From <package>nextcloud17</package>, you have to upgrade to <package>nextcloud18</package> first as
|
||
Nextcloud doesn't allow going multiple major revisions forward in a single upgrade. This is possible
|
||
by setting <xref linkend="opt-services.nextcloud.package" /> to <package>nextcloud18</package>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
From <package>nextcloud18</package>, it's possible to directly upgrade to <package>nextcloud19</package>
|
||
by setting <xref linkend="opt-services.nextcloud.package" /> to <package>nextcloud19</package>.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The GNOME desktop manager no longer default installs <package>gnome3.epiphany</package>.
|
||
It was chosen to do this as it has a usability breaking issue (see issue <link xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link>)
|
||
that makes it unsuitable to be a default app.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
|
||
<section xmlns="http://docbook.org/ns/docbook"
|
||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
version="5.0"
|
||
xml:id="sec-release-20.09-notable-changes">
|
||
<title>Other Notable Changes</title>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>SD images are now compressed by default using <literal>zstd</literal>. The compression for ISO images has also been changed to <literal>zstd</literal>, but ISO images are still not compressed by default.</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<option>services.journald.rateLimitBurst</option> was updated from
|
||
<literal>1000</literal> to <literal>10000</literal> to follow the new
|
||
upstream systemd default.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <package>notmuch</package> package move its emacs-related binaries and
|
||
emacs lisp files to a separate output. They're not part
|
||
of the default <literal>out</literal> output anymore - if you relied on the
|
||
<literal>notmuch-emacs-mua</literal> binary or the emacs lisp files, access them via
|
||
the <literal>notmuch.emacs</literal> output.
|
||
|
||
Device tree overlay support was improved in
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/79370">#79370</link>
|
||
and now uses <xref linkend="opt-hardware.deviceTree.kernelPackage"/>
|
||
instead of <option>hardware.deviceTree.base</option>.
|
||
|
||
<xref linkend="opt-hardware.deviceTree.overlays"/> configuration was
|
||
extended to support <literal>.dts</literal> files with symbols.
|
||
|
||
Device trees can now be filtered by setting
|
||
<xref linkend="opt-hardware.deviceTree.filter"/> option.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The default output of <literal>buildGoPackage</literal> is now <literal>$out</literal> instead of <literal>$bin</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>buildGoModule</literal> <literal>doCheck</literal> now defaults to <literal>true</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Packages built using <literal>buildRustPackage</literal> now use <literal>release</literal>
|
||
mode for the <literal>checkPhase</literal> by default.
|
||
</para>
|
||
<para>
|
||
Please note that Rust packages utilizing a custom build/install procedure
|
||
(e.g. by using a <filename>Makefile</filename>) or test suites that rely on the
|
||
structure of the <filename>target/</filename> directory may break due to those assumptions.
|
||
For further information, please read the Rust section in the Nixpkgs manual.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The cc- and binutils-wrapper's "infix salt" and <literal>_BUILD_</literal> and <literal>_TARGET_</literal> user infixes have been replaced with with a "suffix salt" and suffixes and <literal>_FOR_BUILD</literal> and <literal>_FOR_TARGET</literal>.
|
||
This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Additional Git documentation (HTML and text files) is now available via the <literal>git-doc</literal> package.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Default algorithm for ZRAM swap was changed to <literal>zstd</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The installer now enables sshd by default. This improves installation on headless machines especially ARM single-board-computer.
|
||
To login through ssh, either a password or an ssh key must be set for the root user or the nixos user.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The scripted networking system now uses <literal>.link</literal> files in
|
||
<literal>/etc/systemd/network</literal> to configure mac address and link MTU,
|
||
instead of the sometimes buggy <literal>network-link-*</literal> units, which
|
||
have been removed.
|
||
Bringing the interface up has been moved to the beginning of the
|
||
<literal>network-addresses-*</literal> unit.
|
||
Note this doesn't require <command>systemd-networkd</command> - it's udev that
|
||
parses <literal>.link</literal> files.
|
||
Extra care needs to be taken in the presence of <link xlink:href="https://wiki.debian.org/NetworkInterfaceNames#THE_.22PERSISTENT_NAMES.22_SCHEME">legacy udev rules</link>
|
||
to rename interfaces, as MAC Address and MTU defined in these options can only match on the original link name.
|
||
In such cases, you most likely want to create a <literal>10-*.link</literal> file through <xref linkend="opt-systemd.network.links"/> and set both name and MAC Address / MTU there.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Grafana received a major update to version 7.x. A plugin is now needed for
|
||
image rendering support, and plugins must now be signed by default. More
|
||
information can be found
|
||
<link xlink:href="https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0">in the Grafana documentation</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>hardware.u2f</literal> module, which was installing udev rules
|
||
was removed, as udev gained native support to handle FIDO security tokens.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>services.transmission</literal> module
|
||
was enhanced with the new options:
|
||
<xref linkend="opt-services.transmission.credentialsFile"/>,
|
||
<xref linkend="opt-services.transmission.openFirewall"/>,
|
||
and <xref linkend="opt-services.transmission.performanceNetParameters"/>.
|
||
</para>
|
||
<para>
|
||
<literal>transmission-daemon</literal> is now started with additional systemd sandbox/hardening options for better security.
|
||
Please <link xlink:href="https://github.com/NixOS/nixpkgs/issues">report</link>
|
||
any use case where this is not working well.
|
||
In particular, the <literal>RootDirectory</literal> option newly set
|
||
forbids uploading or downloading a torrent outside of the default directory
|
||
configured at <link linkend="opt-services.transmission.settings">settings.download-dir</link>.
|
||
If you really need Transmission to access other directories,
|
||
you must include those directories into the <literal>BindPaths</literal> of the service:
|
||
<programlisting>
|
||
systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ];
|
||
</programlisting>
|
||
</para>
|
||
<para>
|
||
Also, connection to the RPC (Remote Procedure Call) of <literal>transmission-daemon</literal>
|
||
is now only available on the local network interface by default.
|
||
Use:
|
||
<programlisting>
|
||
services.transmission.settings.rpc-bind-address = "0.0.0.0";
|
||
</programlisting>
|
||
to get the previous behavior of listening on all network interfaces.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>)
|
||
has it's netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over
|
||
socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual)
|
||
devices the default buffer size (currently 128MB) is not enough.
|
||
</para>
|
||
<para>
|
||
On a machine with >100 virtual interfaces (e.g., wireguard tunnels, VLANs, …), that all have to
|
||
be brought up during system startup, the receive buffer size will spike for a brief period.
|
||
Eventually some of the message will be dropped since there is not enough (permitted) buffer
|
||
space available.
|
||
</para>
|
||
<para>
|
||
By having <literal>systemd-networkd</literal> start with a netlink socket created by
|
||
<literal>systemd</literal> we can configure the <literal>ReceiveBufferSize=</literal> parameter
|
||
in the socket options (i.e. <literal>systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize</literal>)
|
||
without recompiling <literal>systemd-networkd</literal>.
|
||
</para>
|
||
<para>
|
||
Since the actual memory requirements depend on hardware, timing, exact
|
||
configurations etc. it isn't currently possible to infer a good default
|
||
from within the NixOS module system. Administrators are advised to
|
||
monitor the logs of <literal>systemd-networkd</literal> for <literal>rtnl: kernel receive buffer
|
||
overrun</literal> spam and increase the memory limit as they see fit.
|
||
</para>
|
||
<para>
|
||
Note: Increasing the <literal>ReceiveBufferSize=</literal> doesn't allocate any memory. It just increases
|
||
the upper bound on the kernel side. The memory allocation depends on the amount of messages that are
|
||
queued on the kernel side of the netlink socket.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Specifying <link linkend="opt-services.dovecot2.mailboxes">mailboxes</link> in the <package>dovecot2</package> module
|
||
as a list is deprecated and will break eval in 21.03. Instead, an attribute-set should be specified where the <literal>name</literal>
|
||
should be the key of the attribute.
|
||
</para>
|
||
<para>
|
||
This means that a configuration like this
|
||
<programlisting>{
|
||
<link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = [
|
||
{ name = "Junk";
|
||
auto = "create";
|
||
}
|
||
];
|
||
}</programlisting>
|
||
should now look like this:
|
||
<programlisting>{
|
||
<link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = {
|
||
Junk.auto = "create";
|
||
};
|
||
}</programlisting>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<package>netbeans</package> was upgraded to 12.0 and now defaults to OpenJDK 11. This might cause problems if your projects depend on packages that were removed in Java 11.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<package>nextcloud</package> has been updated to <link xlink:href="https://nextcloud.com/blog/nextcloud-hub-brings-productivity-to-home-office/">v19</link>.
|
||
</para>
|
||
<para>
|
||
If you have an existing installation, please make sure that you're on
|
||
<package>nextcloud18</package> before upgrading to <package>nextcloud19</package>
|
||
since Nextcloud doesn't support upgrades across multiple major versions.
|
||
</para>
|
||
<para>
|
||
The <literal>nixos-run-vms</literal> script now deletes the
|
||
previous run machines states on test startup. You can use the
|
||
<literal>--keep-vm-state</literal> flag to match the previous
|
||
behaviour and keep the same VM state between different test runs.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <link linkend="opt-nix.buildMachines">nix.buildMachines</link> option is now type-checked.
|
||
There are no functional changes, however this may require updating some configurations to use correct types for all attributes.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>fontconfig</literal> module stopped generating config and cache files for fontconfig 2.10.x, the <filename>/etc/fonts/fonts.conf</filename> now belongs to the latest fontconfig, just like on other Linux distributions, and we will <link xlink:href="https://github.com/NixOS/nixpkgs/pull/95358">no longer</link> be versioning the config directories.
|
||
</para>
|
||
<para>
|
||
Fontconfig 2.10.x was removed from Nixpkgs since it hasn’t been used in any Nixpkgs package for years now.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Nginx module <literal>nginxModules.fastcgi-cache-purge</literal> renamed to official name <literal>nginxModules.cache-purge</literal>.
|
||
Nginx module <literal>nginxModules.ngx_aws_auth</literal> renamed to official name <literal>nginxModules.aws-auth</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The option <option>defaultPackages</option> was added. It installs the packages <package>perl</package>, <package>rsync</package> and <package>strace</package> for now. They were added unconditionally to <option>systemPackages</option> before, but are not strictly necessary for a minimal NixOS install. You can set it to an empty list to have a more minimal system. Be aware that some functionality might still have an impure dependency on those packages, so things might break.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>undervolt</literal> option no longer needs to apply its
|
||
settings every 30s. If they still become undone, open an issue and restore
|
||
the previous behaviour using <literal>undervolt.useTimer</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Agda has been heavily reworked.
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
<literal>agda.mkDerivation</literal> has been heavily changed and
|
||
is now located at <package>agdaPackages.mkDerivation</package>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
New top-level packages <package>agda</package> and
|
||
<literal>agda.withPackages</literal> have been added, the second
|
||
of which sets up agda with access to chosen libraries.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
All agda libraries now live under
|
||
<literal>agdaPackages</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Many broken libraries have been removed.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
See the <link
|
||
xlink:href="https://nixos.org/nixpkgs/manual/#agda">new
|
||
documentation</link> for more information.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>deepin</literal> package set has been removed from
|
||
nixpkgs. It was a work in progress to package the
|
||
<link xlink:href="https://www.deepin.org/en/dde/">Deepin Desktop Environment (DDE)</link>,
|
||
including libraries, tools and applications, and it was still
|
||
missing a service to lauch the desktop environment. It has shown
|
||
to no longer be a feasible goal due to reasons discussed in
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/94870">issue #94870</link>.
|
||
The package <literal>netease-cloud-music</literal> has also been
|
||
removed, as it depends on libraries from deepin.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>opendkim</literal> module now uses systemd sandboxing features
|
||
to limit the exposure of the system towards the opendkim service.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para />
|
||
<para>
|
||
Kubernetes has been upgraded to 1.19.1, which also means that the
|
||
golang version to build it has been bumped to 1.15. This may have
|
||
consequences for your existing clusters and their certificates. Please
|
||
consider
|
||
<link xlink:href="https://relnotes.k8s.io/?markdown=93264">
|
||
the release notes for Kubernetes 1.19 carefully
|
||
</link>
|
||
before upgrading.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
For AMD GPUs, Vulkan can now be used by adding <literal>amdvlk</literal>
|
||
to <literal>hardware.opengl.extraPackages</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Similarly, still for AMD GPUs, the ROCm OpenCL stack can now be used by adding
|
||
<literal>rocm-opencl-icd</literal> to
|
||
<literal>hardware.opengl.extraPackages</literal>.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
</section>
|