depot/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2305.section.md
Default email eaf6957cd3 Project import generated by Copybara.
GitOrigin-RevId: 4bb072f0a8b267613c127684e099a70e1f6ff106
2023-03-27 12:17:25 -07:00

37 KiB
Raw Blame History

Release 23.05 (“Stoat”, 2023.05/??)

Support is planned until the end of December 2023, handing over to 23.11.

Highlights

In addition to numerous new and upgraded packages, this release has the following highlights:

  • Core version changes:

    • default linux: 5.15 -> 6.1, all supported kernels available

    • systemd has been updated to v253.1, see the pull request for more info. It's recommended to use nixos-rebuild boot and reboot, rather than nixos-rebuild switch - since in some rare cases the switch of a live system might fail.

  • Cinnamon has been updated to 5.6, see the pull request for what is changed.

  • KDE Plasma has been updated to v5.27, see the release notes for what is changed.

  • nixos-rebuild now supports an extra --specialisation option that can be used to change specialisation for switch and test commands.

  • libxcrypt, the library providing the crypt(3) password hashing function, is now built without support for algorithms not flagged strong. This affects the availability of password hashing algorithms used for system login (login(1), passwd(1)), but also Apache2 Basic-Auth, Samba, OpenLDAP, Dovecot, and many other packages.

New Services

Backward Incompatibilities

  • carnix and cratesIO has been removed due to being unmaintained, use alternatives such as naersk and crate2nix instead.

  • checkInputs have been renamed to nativeCheckInputs, because they behave the same as nativeBuildInputs when doCheck is set. checkInputs now denote a new type of dependencies, added to buildInputs when doCheck is set. As a rule of thumb, nativeCheckInputs are tools on $PATH used during the tests, and checkInputs are libraries which are linked to executables built as part of the tests. Similarly, installCheckInputs are renamed to nativeInstallCheckInputs, corresponding to nativeBuildInputs, and installCheckInputs are a new type of dependencies added to buildInputs when doInstallCheck is set. (Note that this change will not cause breakage to derivations with strictDeps unset, which are most packages except python, rust, ocaml and go packages).

  • buildDunePackage now defaults to strictDeps = true which means that any library should go into buildInputs or checkInputs. Any executable that is run on the building machine should go into nativeBuildInputs or nativeCheckInputs respectively. Example of executables are ocaml, findlib and menhir. PPXs are libraries which are built by dune and should therefore not go into nativeBuildInputs.

  • borgbackup module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as services.borgbackup.jobs.<name>.inhibitsSleep.

  • The ssh client tool now disables the ~C escape sequence by default. This can be re-enabled by setting EnableEscapeCommandline yes

  • podman now uses the netavark network stack. Users will need to delete all of their local containers, images, volumes, etc, by running podman system reset --force once before upgrading their systems.

  • git-bug has been updated to at least version 0.8.0, which includes backwards incompatible changes. The git-bug-migration package can be used to upgrade existing repositories.

  • nushell has been updated to at least version 0.77.0, which includes potential breaking changes in aliases. The old aliases are now available as old-alias but it is recommended you migrate to the new format. See Reworked aliases.

  • keepassx and keepassx2 have been removed, due to upstream stopping development. Consider KeePassXC as a maintained alternative.

  • The services.kubo.settings option is now no longer stateful. If you changed any of the options in services.kubo.settings in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you're unsure, you may want to make a backup of your configuration file (probably /var/lib/ipfs/config) and compare after the update.

  • The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services. This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from /etc/ec2-metadata should now have an after dependency on fetch-ec2-metadata.service

  • minio removed support for its legacy filesystem backend in RELEASE.2022-10-29T06-21-33Z. This means if your storage was created with the old format, minio will no longer start. Unfortunately minio doesn't provide a an automatic migration, they only provide instructions how to manually convert the node. To facilitate this migration we keep around the last version that still supports the old filesystem backend as minio_legacy_fs. Use it via services.minio.package = minio_legacy_fs; to export your data before switching to the new version. See the corresponding issue for more details.

  • services.sourcehut.dispatch and the corresponding package (sourcehut.dispatchsrht) have been removed due to upstream deprecation.

  • The services.snapserver.openFirewall module option default value has been changed from true to false. You will need to explicitly set this option to true, or configure your firewall.

  • The services.tmate-ssh-server.openFirewall module option default value has been changed from true to false. You will need to explicitly set this option to true, or configure your firewall.

  • The services.unifi-video.openFirewall module option default value has been changed from true to false. You will need to explicitly set this option to true, or configure your firewall.

  • Kime has been updated from 2.5.6 to 3.0.2 and the i18n.inputMethod.kime.config option has been removed. Users should use daemonModules, iconColor, and extraConfig options under i18n.inputMethod.kime instead.

  • tut has been updated from 1.0.34 to 2.0.0, and now uses the TOML format for the configuration file instead of INI. Additional information can be found here.

  • i3status-rust has been updated from 0.22.0 to 0.30.5, and this brings many changes to its configuration format. Additional information can be found here.

  • The wordpress derivation no longer contains any builtin plugins or themes. If you need them you have to add them back to prevent your site from breaking. You can find them in wordpressPackages.{plugins,themes}.

  • llvmPackages_rocm.llvm will not contain clang or compiler-rt. llvmPackages_rocm.clang will not contain llvm. llvmPackages_rocm.clangNoCompilerRt has been removed in favor of using llvmPackages_rocm.clang-unwrapped.

  • services.xserver.desktopManager.plasma5.excludePackages has been moved to environment.plasma5.excludePackages, for consistency with other Desktop Environments

  • The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing /tmp on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.

  • teleport has been upgraded from major version 10 to major version 12. Please see upstream upgrade instructions and release notes for versions 11 and 12. Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by setting services.teleport.package = pkgs.teleport_11. Afterwards, this option can be removed to upgrade to the default version (12).

  • The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.

  • fail2ban has been updated to 1.0.2, which has a few breaking changes compared to 0.11.2 (changelog for 1.0.1, changelog for 1.0.2)

  • Calling makeSetupHook without passing a name argument is deprecated.

  • lib.systems.examples.ghcjs and consequently pkgsCross.ghcjs now use the target triplet javascript-unknown-ghcjs instead of js-unknown-ghcjs. This has been done to match an upstream decision to follow Cabal's platform naming more closely. Nixpkgs will also reject js as an architecture name.

  • The cosmoc package has been removed. The upstream scripts in cosmocc should be used instead.

  • Qt 5.12 and 5.14 have been removed, as the corresponding branches have been EOL upstream for a long time. This affected under 10 packages in nixpkgs, largely unmaintained upstream as well, however, out-of-tree package expressions may need to be updated manually.

  • The services.wordpress.sites.<name>.plugins and services.wordpress.sites.<name>.themes options have been converted from sets to attribute sets to allow for consumers to specify explicit install paths via attribute name.

  • protonmail-bridge package has been updated to v3.0 and the CLI executable is now named bridge instead of protonmail-bridge to be more in line with upstream.

  • Nebula now runs as a system user and group created for each nebula network, using the CAP_NET_ADMIN ambient capability on launch rather than starting as root. Ensure that any files each Nebula instance needs to access are owned by the correct user and group, by default nebula-${networkName}.

  • The i18n.inputMethod.fcitx option has been replaced with i18n.inputMethod.fcitx5 because fcitx 4 pkgs.fcitx has been removed.

  • In mastodon it is now necessary to specify location of file with PostgreSQL database password. In services.mastodon.database.passwordFile parameter default value /var/lib/mastodon/secrets/db-password has been changed to null.

  • The --target-host and --build-host options of nixos-rebuild no longer treat the localhost value specially to build on/deploy to local machine, omit the relevant flag.

  • The nix.readOnlyStore option has been renamed to boot.readOnlyNixStore to clarify that it configures the NixOS boot process, not the Nix daemon.

  • Deprecated xlibsWrapper transitional package has been removed in favour of direct use of its constitutents: xorg.libX11, freetype and others.

  • The latest available version of Nextcloud is v26 (available as pkgs.nextcloud26) which uses PHP 8.2 as interpreter by default. The installation logic is as follows:

    • If system.stateVersion is >=23.05, pkgs.nextcloud26 will be installed by default.
    • If system.stateVersion is >=22.11, pkgs.nextcloud25 will be installed by default.
    • Please note that an upgrade from v24 (or older) to v26 directly is not possible. Please upgrade to nextcloud25 (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring services.nextcloud.package = pkgs.nextcloud25;.
    • It's recommended to use the latest version available (i.e. v26) and to specify that using services.nextcloud.package.
  • .NET 5.0 was removed due to being end-of-life, use a newer, supported .NET version - https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core

  • The iputils package, which is installed by default, no longer provides the ninfod, rarpd and rdisc tools. See upstream's release notes for more details and available replacements.

  • services.xserver.videoDrivers now defaults to the modesetting driver over device-specific ones. The radeon, amdgpu and nouveau drivers are still available, but effectively unmaintained and not recommended for use.

  • conntrack helper autodetection has been removed from kernels 6.0 and up upstream, and an assertion was added to ensure things don't silently stop working. Migrate your configuration to assign helpers explicitly or use an older LTS kernel branch as a temporary workaround.

  • The services.pipewire.config options have been removed, as they have basically never worked correctly. All behavior defined by the default configuration can be overridden with drop-in files as necessary - see below for details.

  • The catch-all hardware.video.hidpi.enable option was removed. Users on high density displays may want to:

    • Set services.xserver.upscaleDefaultCursor to upscale the default X11 cursor for higher resolutions
    • Adjust settings under fonts.fontconfig according to preference
    • Adjust console.font according to preference, though the kernel will generally choose a reasonably sized font
  • services.pipewire.media-session and the pipewire-media-session package have been removed, as they are no longer supported upstream. Users are encouraged to use services.pipewire.wireplumber instead.

  • The baget package and module was removed due to being unmaintained.

Other Notable Changes

  • vim_configurable has been renamed to vim-full to avoid confusion: vim-full's build-time features are configurable, but both vim and vim-full are customizable (in the sense of user configuration, like vimrc).

  • Pantheon now defaults to Mutter 42 and GNOME settings daemon 42, all Pantheon packages are now tracking elementary OS 7 updates.

  • The module for the application firewall opensnitch got the ability to configure rules. Available as services.opensnitch.rules

  • The module usbmuxd now has the ability to change the package used by the daemon. In case you're experiencing issues with usbmuxd you can try an alternative program like usbmuxd2. Available as services.usbmuxd.package

  • A few openssh options have been moved from extraConfig to the new freeform option settings and renamed as follows:

    • services.openssh.forwardX11 to services.openssh.settings.X11Forwarding
    • services.openssh.kbdInteractiveAuthentication -> services.openssh.settings.KbdInteractiveAuthentication
    • services.openssh.passwordAuthentication to services.openssh.settings.PasswordAuthentication
    • services.openssh.useDns to services.openssh.settings.UseDns
    • services.openssh.permitRootLogin to services.openssh.settings.PermitRootLogin
    • services.openssh.logLevel to services.openssh.settings.LogLevel
    • services.openssh.kexAlgorithms to services.openssh.settings.KexAlgorithms
    • services.openssh.macs to services.openssh.settings.Macs
    • services.openssh.ciphers to services.openssh.settings.Ciphers
    • services.openssh.gatewayPorts to services.openssh.settings.GatewayPorts
  • services.mastodon gained a tootctl wrapped named mastodon-tootctl similar to nextcloud-occ which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.

  • DocBook option documentation, which has been deprecated since 22.11, will now cause a warning when documentation is built. Out-of-tree modules should migrate to using CommonMark documentation as outlined in to silence this warning.

    DocBook option documentation support will be removed in the next release and CommonMark will become the default. DocBook option documentation that has not been migrated until then will no longer render properly or cause errors.

  • NixOS now defaults to using nsncd (a non-caching reimplementation in Rust) as NSS lookup dispatcher, instead of the buggy and deprecated glibc-provided nscd. If you need to switch back, set services.nscd.enableNsncd = false, but please open an issue in nixpkgs so your issue can be fixed.

  • services.borgmatic now allows for multiple configurations, placed in /etc/borgmatic.d/, you can define them with services.borgmatic.configurations.

  • The dnsmasq service now takes configuration via the services.dnsmasq.settings attribute set. The option services.dnsmasq.extraConfig will be deprecated when NixOS 22.11 reaches end of life.

  • The dokuwiki service now takes configuration via the services.dokuwiki.sites.<name>.settings attribute set, extraConfig is deprecated and will be removed. The {aclUse,superUser,disableActions} attributes have been renamed, pluginsConfig now also accepts an attribute set of booleans, passing plain PHP is deprecated. Same applies to acl which now also accepts structured settings.

  • The zsh package changes the way to set environment variables on NixOS systems where programs.zsh.enable equals false. It now sources /etc/set-environment when reading the system-level zshenv file. Before, it sourced /etc/profile when reading the system-level zprofile file.

  • The wordpress service now takes configuration via the services.wordpress.sites.<name>.settings attribute set, extraConfig is still available to append additional text to wp-config.php.

  • To reduce closure size in nixos/modules/profiles/minimal.nix profile disabled installation documentations and manuals. Also disabled logrotate and udisks2 services.

  • To reduce closure size in nixos/modules/installer/netboot/netboot-minimal.nix profile disabled load linux firmwares, pre-installing the complete stdenv and networking.wireless service.

  • The minimal ISO image now uses the nixos/modules/profiles/minimal.nix profile.

  • The ghcWithPackages and ghcWithHoogle wrappers will now also symlink GHC's and all included libraries' documentation to $out/share/doc for convenience. If undesired, the old behavior can be restored by overriding the builders with { installDocumentation = false; }.

  • The new option networking.nftables.checkRuleset controls whether the ruleset is checked for syntax or not during build. It is true by default. The check might fail because it is in a sandbox environment. To circumvent this, the ruleset file can be edited using the networking.nftables.preCheckRuleset option.

  • mastodon now supports connection to a remote PostgreSQL database.

  • nextcloud has an option to enable SSE-C in S3.

  • services.peertube now requires you to specify the secret file secrets.secretsFile. It can be generated by running openssl rand -hex 32. Before upgrading, read the release notes for PeerTube:

    And backup your data.

  • services.chronyd is now started with additional systemd sandbox/hardening options for better security.

  • services.dhcpcd service now don't solicit or accept IPv6 Router Advertisements on interfaces that use static IPv6 addresses.

  • The module services.headscale was refactored to be compliant with RFC 0042. To be precise, this means that the following things have changed:

  • nixos/lib/make-disk-image.nix can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual.

  • services.grafana listens only on localhost by default again. This was changed to upstreams default of 0.0.0.0 by accident in the freeform setting conversion.

  • Grafana Tempo has been updated to version 2.0. See the upstream upgrade guide for migration instructions.

  • A new virtualisation.rosetta module was added to allow running x86_64 binaries through Rosetta inside virtualised NixOS guests on Apple silicon. This feature works by default with the UTM virtualisation package.

  • The new option users.motdFile allows configuring a Message Of The Day that can be updated dynamically.

  • The root package is now built with the "-Dgnuinstall=ON" CMake flag, making the output conform the bin lib share layout. In this layout, tutorials is under share/doc/ROOT/; cmake, font, icons, js and macro under share/root; Makefile.comp and Makefile.config under etc/root.

  • Enabling global redirect in services.nginx.virtualHosts now allows one to add exceptions with the locations option.

  • A new option recommendedBrotliSettings has been added to services.nginx. Learn more about compression in Brotli format here.

  • Updated recommended settings in services.nginx.recommendedGzipSettings:

    • Enables gzip compression for only certain proxied requests.
    • Allow checking and loading of precompressed files.
    • Updated gzip mime-types.
    • Increased the minimum length of a response that will be gzipped.
  • Garage version is based on system.stateVersion, existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow upstream instructions and force services.garage.package or upgrade accordingly system.stateVersion.

  • Nebula now supports the services.nebula.networks.<name>.isRelay and services.nebula.networks.<name>.relays configuration options for setting up or allowing traffic relaying. See the announcement for more details about relays.

  • hip has been separated into hip, hip-common and hipcc.

  • services.nginx.recommendedProxySettings now removes the Connection header preventing clients from closing backend connections.

  • Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.

  • The firewall and nat module now has a nftables based implementation. Enable networking.nftables to use it.

  • The services.fwupd module now allows arbitrary daemon settings to be configured in a structured manner (services.fwupd.daemonSettings).

  • services.xserver.desktopManager.plasma5.phononBackend now defaults to vlc according to upstrean recommendation

  • The zramSwap is now implemented with zram-generator, and the option zramSwap.numDevices for using ZRAM devices as general purpose ephemeral block devices has been removed.

  • As Singularity has renamed to Apptainer to distinguish from an un-renamed fork by Sylabs Inc., there are now two packages of Singularity/Apptainer:

    • apptainer: From github.com/apptainer/apptainer, which is the new repo after renaming.
    • singularity: From github.com/sylabs/singularity, which is the fork by Sylabs Inc..

    programs.singularity got a new package option to specify which package to use.

    singularity-tools.buildImage got a new input argument singularity to specify which package to use.

  • The new option programs.singularity.enableFakeroot, if set to true, provides --fakeroot support for apptainer and singularity.

  • The unifi-poller package and corresponding NixOS module have been renamed to unpoller to match upstream.

  • protonmail-bridge package has been updated to v3.0 and the CLI executable is now named bridge instead of protonmail-bridge to be more in line with upstream.

  • The new option services.tailscale.useRoutingFeatures controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to server, otherwise if you wish to use an exit node you can set this setting to client. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.

  • openjdk from version 11 and above is not build with openjfx (i.e.: JavaFX) support by default anymore. You can re-enable it by overriding, e.g.: openjdk11.override { enableJavaFX = true; };.

  • Xastir can now access AX.25 interfaces via the libax25 package.

  • nixos-version now accepts --configuration-revision to display more information about the current generation revision

  • The option services.nomad.extraSettingsPlugins has been fixed to allow more than one plugin in the path.

  • The option services.prometheus.exporters.pihole.interval does not exist anymore and has been removed.

  • k3s can now be configured with an EnvironmentFile for its systemd service, allowing secrets to be provided without ending up in the Nix Store.

  • boot.initrd.luks.device.<name> has a new tryEmptyPassphrase option, this is useful for OEM's who need to install an encrypted disk with a future settable passphrase

Detailed migration information

Pipewire configuration overrides

Why this change?

The Pipewire config semantics don't really match the NixOS module semantics, so it's extremely awkward to override the default config, especially when lists are involved. Vendoring the configuration files in nixpkgs also creates unnecessary maintenance overhead.

Also, upstream added a lot of accomodations to allow doing most of the things you'd want to do with a config edit in better ways.

Migrating your configuration

Compare your settings to the defaults and where your configuration differs from them.

Then, create a drop-in JSON file in /etc/pipewire/<config file name>.d/99-custom.conf (the actual filename can be anything) and migrate your changes to it according to the following sections.

Repeat for every file you've modified, changing the directory name accordingly.

Things you can just copy over

If you are:

  • setting properties via *.properties
  • loading a new module to context.modules
  • creating new objects with context.objects
  • declaring SPA libraries with context.spa-libs
  • running custom commands with context.exec
  • adding new rules with *.rules
  • running custom PulseAudio commands with pulse.cmd

Simply move the definitions into the drop-in.

Note that the use of context.exec is not recommended and other methods of running your thing are likely a better option.

{
  "context.properties": {
    "your.property.name": "your.property.value"
  },
  "context.modules": [
    { "name": "libpipewire-module-my-cool-thing" }
  ],
  "context.objects": [
    { "factory": { ... } }
  ],
  "alsa.rules": [
    { "matches: { ... }, "actions": { ... } }
  ]
}

Removing a module from context.modules

Look for an option to disable it via context.properties ("module.x11.bell": "false" is likely the most common use case here). If one is not available, proceed to Nuclear option.

Modifying a module's parameters in context.modules

For most modules (e.g. libpipewire-module-rt) it's enough to load the module again with the new arguments, e.g.:

{
  "context.modules": [
    {
      "name": "libpipewire-module-rt",
      "args": {
        "rt.prio": 90
      }
    }
  ]
}

Note that module-rt specifically will generally use the highest values available by default, so setting limits on the pipewire systemd service is preferable to reloading.

If reloading the module is not an option, proceed to Nuclear option.

Nuclear option

If all else fails, you can still manually copy the contents of the default configuration file from ${pkgs.pipewire.lib}/share/pipewire to /etc/pipewire and edit it to fully override the default. However, this should be done only as a last resort. Please talk to the Pipewire maintainers if you ever need to do this.