07cb3bf3cc
Update the pinned channel in `md-to-db`, which bumps the Pandoc version, which fixes https://github.com/NixOS/nixpkgs/issues/125511 maybe.
1569 lines
66 KiB
XML
1569 lines
66 KiB
XML
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-21.05">
|
||
<title>Release 21.05 (<quote>Okapi</quote>, 2021.05/31)</title>
|
||
<para>
|
||
Support is planned until the end of December 2021, handing over to
|
||
21.11.
|
||
</para>
|
||
<section xml:id="sec-release-21.05-highlights">
|
||
<title>Highlights</title>
|
||
<para>
|
||
In addition to numerous new and upgraded packages, this release
|
||
has the following highlights:
|
||
</para>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
Core version changes:
|
||
</para>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
gcc: 9.3.0 -> 10.3.0
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
glibc: 2.30 -> 2.32
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
default linux: 5.4 -> 5.10, all supported kernels
|
||
available
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
mesa: 20.1.7 -> 21.0.1
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Desktop Environments:
|
||
</para>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
GNOME: 3.36 -> 40, see its
|
||
<link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">release
|
||
notes</link>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Plasma5: 5.18.5 -> 5.21.3
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
kdeApplications: 20.08.1 -> 20.12.3
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
cinnamon: 4.6 -> 4.8.1
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Programming Languages and Frameworks:
|
||
</para>
|
||
<itemizedlist spacing="compact">
|
||
<listitem>
|
||
<para>
|
||
Python optimizations were disabled again. Builds with
|
||
optimizations enabled are not reproducible. Optimizations
|
||
can now be enabled with an option.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The linux_latest kernel was updated to the 5.13 series. It
|
||
currently is not officially supported for use with the zfs
|
||
filesystem. If you use zfs, you should use a different kernel
|
||
version (either the LTS kernel, or track a specific one).
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
<section xml:id="sec-release-21.05-new-services">
|
||
<title>New Services</title>
|
||
<para>
|
||
The following new services were added since the last release:
|
||
</para>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="https://www.gnuradio.org/">GNURadio</link>
|
||
3.8 and 3.9 were
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/82263">finally</link>
|
||
packaged, along with a rewrite to the Nix expressions,
|
||
allowing users to override the features upstream supports
|
||
selecting to compile or not to. Additionally, the attribute
|
||
<literal>gnuradio</literal> (3.9),
|
||
<literal>gnuradio3_8</literal> and
|
||
<literal>gnuradio3_7</literal> now point to an externally
|
||
wrapped by default derivations, that allow you to also add
|
||
`extraPythonPackages` to the Python interpreter used by
|
||
GNURadio. Missing environmental variables needed for
|
||
operational GUI were also added
|
||
(<link xlink:href="https://github.com/NixOS/nixpkgs/issues/75478">#75478</link>).
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="https://www.keycloak.org/">Keycloak</link>,
|
||
an open source identity and access management server with
|
||
support for
|
||
<link xlink:href="https://openid.net/connect/">OpenID
|
||
Connect</link>, <link xlink:href="https://oauth.net/2/">OAUTH
|
||
2.0</link> and
|
||
<link xlink:href="https://en.wikipedia.org/wiki/SAML_2.0">SAML
|
||
2.0</link>.
|
||
</para>
|
||
<para>
|
||
See the <link linkend="module-services-keycloak">Keycloak
|
||
section of the NixOS manual</link> for more information.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="options.html#opt-services.samba-wsdd.enable">services.samba-wsdd.enable</link>
|
||
Web Services Dynamic Discovery host daemon
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="https://www.discourse.org/">Discourse</link>,
|
||
a modern and open source discussion platform.
|
||
</para>
|
||
<para>
|
||
See the <link linkend="module-services-discourse">Discourse
|
||
section of the NixOS manual</link> for more information.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="options.html#opt-services.nebula.networks">services.nebula.networks</link>
|
||
<link xlink:href="https://github.com/slackhq/nebula">Nebula
|
||
VPN</link>
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
<section xml:id="sec-release-21.05-incompatibilities">
|
||
<title>Backward Incompatibilities</title>
|
||
<para>
|
||
When upgrading from a previous release, please be aware of the
|
||
following incompatible changes:
|
||
</para>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
GNOME desktop environment was upgraded to 40, see the release
|
||
notes for
|
||
<link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">40.0</link>
|
||
and
|
||
<link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">3.38</link>.
|
||
The <literal>gnome3</literal> attribute set has been renamed
|
||
to <literal>gnome</literal> and so have been the NixOS
|
||
options.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
If you are using <literal>services.udev.extraRules</literal>
|
||
to assign custom names to network interfaces, this may stop
|
||
working due to a change in the initialisation of dhcpcd and
|
||
systemd networkd. To avoid this, either move them to
|
||
<literal>services.udev.initrdRules</literal> or see the new
|
||
<link linkend="sec-custom-ifnames">Assigning custom
|
||
names</link> section of the NixOS manual for an example using
|
||
networkd links.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>security.hideProcessInformation</literal> module
|
||
has been removed. It was broken since the switch to
|
||
cgroups-v2.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>linuxPackages.ati_drivers_x11</literal> kernel
|
||
modules have been removed. The drivers only supported kernels
|
||
prior to 4.2, and thus have become obsolete.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>systemConfig</literal> kernel parameter is no
|
||
longer added to boot loader entries. It has been unused since
|
||
September 2010, but if do have a system generation from that
|
||
era, you will now be unable to boot into them.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>systemd-journal2gelf</literal> no longer parses json
|
||
and expects the receiving system to handle it. How to achieve
|
||
this with Graylog is described in this
|
||
<link xlink:href="https://github.com/parse-nl/SystemdJournal2Gelf/issues/10">GitHub
|
||
issue</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
If the <literal>services.dbus</literal> module is enabled,
|
||
then the user D-Bus session is now always socket activated.
|
||
The associated options
|
||
<literal>services.dbus.socketActivated</literal> and
|
||
<literal>services.xserver.startDbusSession</literal> have
|
||
therefore been removed and you will receive a warning if they
|
||
are present in your configuration. This change makes the user
|
||
D-Bus session available also for non-graphical logins.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>networking.wireless.iwd</literal> module now
|
||
installs the upstream-provided 80-iwd.link file, which sets
|
||
the NamePolicy= for all wlan devices to <quote>keep
|
||
kernel</quote>, to avoid race conditions between iwd and
|
||
networkd. If you don’t want this, you can set
|
||
<literal>systemd.network.links."80-iwd" = lib.mkForce {}</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>rubyMinimal</literal> was removed due to being unused
|
||
and unusable. The default ruby interpreter includes JIT
|
||
support, which makes it reference it’s compiler. Since JIT
|
||
support is probably needed by some Gems, it was decided to
|
||
enable this feature with all cc references by default, and
|
||
allow to build a Ruby derivation without references to cc, by
|
||
setting <literal>jitSupport = false;</literal> in an overlay.
|
||
See
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/90151">#90151</link>
|
||
for more info.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Setting
|
||
<literal>services.openssh.authorizedKeysFiles</literal> now
|
||
also affects which keys
|
||
<literal>security.pam.enableSSHAgentAuth</literal> will use.
|
||
WARNING: If you are using these options in combination do make
|
||
sure that any key paths you use are present in
|
||
<literal>services.openssh.authorizedKeysFiles</literal>!
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The option <literal>fonts.enableFontDir</literal> has been
|
||
renamed to
|
||
<link xlink:href="options.html#opt-fonts.fontDir.enable">fonts.fontDir.enable</link>.
|
||
The path of font directory has also been changed to
|
||
<literal>/run/current-system/sw/share/X11/fonts</literal>, for
|
||
consistency with other X11 resources.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
A number of options have been renamed in the kicad interface.
|
||
<literal>oceSupport</literal> has been renamed to
|
||
<literal>withOCE</literal>, <literal>withOCCT</literal> has
|
||
been renamed to <literal>withOCC</literal>,
|
||
<literal>ngspiceSupport</literal> has been renamed to
|
||
<literal>withNgspice</literal>, and
|
||
<literal>scriptingSupport</literal> has been renamed to
|
||
<literal>withScripting</literal>. Additionally,
|
||
<literal>kicad/base.nix</literal> no longer provides default
|
||
argument values since these are provided by
|
||
<literal>kicad/default.nix</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The socket for the <literal>pdns-recursor</literal> module was
|
||
moved from <literal>/var/lib/pdns-recursor</literal> to
|
||
<literal>/run/pdns-recursor</literal> to match upstream.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Paperwork was updated to version 2. The on-disk format
|
||
slightly changed, and it is not possible to downgrade from
|
||
Paperwork 2 back to Paperwork 1.3. Back your documents up
|
||
before upgrading. See
|
||
<link xlink:href="https://forum.openpaper.work/t/paperwork-2-0/112/5">this
|
||
thread</link> for more details.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
PowerDNS has been updated from <literal>4.2.x</literal> to
|
||
<literal>4.3.x</literal>. Please be sure to review the
|
||
<link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#x-to-4-3-0">Upgrade
|
||
Notes</link> provided by upstream before upgrading. Worth
|
||
specifically noting is that the service now runs entirely as a
|
||
dedicated <literal>pdns</literal> user, instead of starting as
|
||
<literal>root</literal> and dropping privileges, as well as
|
||
the default <literal>socket-dir</literal> location changing
|
||
from <literal>/var/lib/powerdns</literal> to
|
||
<literal>/run/pdns</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>mediatomb</literal> service is now using by
|
||
default the new and maintained fork <literal>gerbera</literal>
|
||
package instead of the unmaintained
|
||
<literal>mediatomb</literal> package. If you want to keep the
|
||
old behavior, you must declare it with:
|
||
</para>
|
||
<programlisting language="nix">
|
||
{
|
||
services.mediatomb.package = pkgs.mediatomb;
|
||
}
|
||
</programlisting>
|
||
<para>
|
||
One new option <literal>openFirewall</literal> has been
|
||
introduced which defaults to false. If you relied on the
|
||
service declaration to add the firewall rules itself before,
|
||
you should now declare it with:
|
||
</para>
|
||
<programlisting language="nix">
|
||
{
|
||
services.mediatomb.openFirewall = true;
|
||
}
|
||
</programlisting>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
xfsprogs was update from 4.19 to 5.11. It now enables reflink
|
||
support by default on filesystem creation. Support for
|
||
reflinks was added with an experimental status to kernel 4.9
|
||
and deemed stable in kernel 4.16. If you want to be able to
|
||
mount XFS filesystems created with this release of xfsprogs on
|
||
kernel releases older than those, you need to format them with
|
||
<literal>mkfs.xfs -m reflink=0</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The uWSGI server is now built with POSIX capabilities. As a
|
||
consequence, root is no longer required in emperor mode and
|
||
the service defaults to running as the unprivileged
|
||
<literal>uwsgi</literal> user. Any additional capability can
|
||
be added via the new option
|
||
<link xlink:href="options.html#opt-services.uwsgi.capabilities">services.uwsgi.capabilities</link>.
|
||
The previous behaviour can be restored by setting:
|
||
</para>
|
||
<programlisting language="nix">
|
||
{
|
||
services.uwsgi.user = "root";
|
||
services.uwsgi.group = "root";
|
||
services.uwsgi.instance =
|
||
{
|
||
uid = "uwsgi";
|
||
gid = "uwsgi";
|
||
};
|
||
}
|
||
</programlisting>
|
||
<para>
|
||
Another incompatibility from the previous release is that
|
||
vassals running under a different user or group need to use
|
||
<literal>immediate-{uid,gid}</literal> instead of the usual
|
||
<literal>uid,gid</literal> options.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
btc1 has been abandoned upstream, and removed.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
cpp_ethereum (aleth) has been abandoned upstream, and removed.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
riak-cs package removed along with
|
||
<literal>services.riak-cs</literal> module.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
stanchion package removed along with
|
||
<literal>services.stanchion</literal> module.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
mutt has been updated to a new major version (2.x), which
|
||
comes with some backward incompatible changes that are
|
||
described in the
|
||
<link xlink:href="http://www.mutt.org/relnotes/2.0/">release
|
||
notes for Mutt 2.0</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>vim</literal> and <literal>neovim</literal> switched
|
||
to Python 3, dropping all Python 2 support.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="options.html#opt-networking.wireguard.interfaces">networking.wireguard.interfaces.<name>.generatePrivateKeyFile</link>,
|
||
which is off by default, had a <literal>chmod</literal> race
|
||
condition fixed. As an aside, the parent directory’s
|
||
permissions were widened, and the key files were made
|
||
owner-writable. This only affects newly created keys. However,
|
||
if the exact permissions are important for your setup, read
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/121294">#121294</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="options.html#opt-boot.zfs.forceImportAll">boot.zfs.forceImportAll</link>
|
||
previously did nothing, but has been fixed. However its
|
||
default has been changed to <literal>false</literal> to
|
||
preserve the existing default behaviour. If you have this
|
||
explicitly set to <literal>true</literal>, please note that
|
||
your non-root pools will now be forcibly imported.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
openafs now points to openafs_1_8, which is the new stable
|
||
release. OpenAFS 1.6 was removed.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The WireGuard module gained a new option
|
||
<literal>networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshSeconds</literal>
|
||
that implements refreshing the IP of DNS-based endpoints
|
||
periodically (which WireGuard itself
|
||
<link xlink:href="https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html">cannot
|
||
do</link>).
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
MariaDB has been updated to 10.5. Before you upgrade, it would
|
||
be best to take a backup of your database and read
|
||
<link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/#incompatible-changes-between-104-and-105">
|
||
Incompatible Changes Between 10.4 and 10.5</link>. After the
|
||
upgrade you will need to run <literal>mysql_upgrade</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The TokuDB storage engine dropped in mariadb 10.5 and removed
|
||
in mariadb 10.6. It is recommended to switch to RocksDB. See
|
||
also
|
||
<link xlink:href="https://mariadb.com/kb/en/tokudb/">TokuDB</link>
|
||
and
|
||
<link xlink:href="https://jira.mariadb.org/browse/MDEV-19780">MDEV-19780:
|
||
Remove the TokuDB storage engine</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>openldap</literal> module now has support for
|
||
OLC-style configuration, users of the
|
||
<literal>configDir</literal> option may wish to migrate. If
|
||
you continue to use <literal>configDir</literal>, ensure that
|
||
<literal>olcPidFile</literal> is set to
|
||
<literal>/run/slapd/slapd.pid</literal>.
|
||
</para>
|
||
<para>
|
||
As a result, <literal>extraConfig</literal> and
|
||
<literal>extraDatabaseConfig</literal> are removed. To help
|
||
with migration, you can convert your
|
||
<literal>slapd.conf</literal> file to OLC configuration with
|
||
the following script (find the location of this configuration
|
||
file by running <literal>systemctl status openldap</literal>,
|
||
it is the <literal>-f</literal> option.
|
||
</para>
|
||
<programlisting>
|
||
$ TMPDIR=$(mktemp -d)
|
||
$ slaptest -f /path/to/slapd.conf -F $TMPDIR
|
||
$ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
|
||
</programlisting>
|
||
<para>
|
||
This will dump your current configuration in LDIF format,
|
||
which should be straightforward to convert into Nix settings.
|
||
This does not show your schema configuration, as this is
|
||
unnecessarily verbose for users of the default schemas and
|
||
<literal>slaptest</literal> is buggy with schemas directly in
|
||
the config file.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Amazon EC2 and OpenStack Compute (nova) images now re-fetch
|
||
instance meta data and user data from the instance metadata
|
||
service (IMDS) on each boot. For example: stopping an EC2
|
||
instance, changing its user data, and restarting the instance
|
||
will now cause it to fetch and apply the new user data.
|
||
</para>
|
||
<warning>
|
||
<para>
|
||
Specifically, <literal>/etc/ec2-metadata</literal> is
|
||
re-populated on each boot. Some NixOS scripts that read from
|
||
this directory are guarded to only run if the files they
|
||
want to manipulate do not already exist, and so will not
|
||
re-apply their changes if the IMDS response changes.
|
||
Examples: <literal>root</literal>’s SSH key is only added if
|
||
<literal>/root/.ssh/authorized_keys</literal> does not
|
||
exist, and SSH host keys are only set from user data if they
|
||
do not exist in <literal>/etc/ssh</literal>.
|
||
</para>
|
||
</warning>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>rspamd</literal> services is now sandboxed. It is
|
||
run as a dynamic user instead of root, so secrets and other
|
||
files may have to be moved or their permissions may have to be
|
||
fixed. The sockets are now located in
|
||
<literal>/run/rspamd</literal> instead of
|
||
<literal>/run</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Enabling the Tor client no longer silently also enables and
|
||
configures Privoxy, and the
|
||
<literal>services.tor.client.privoxy.enable</literal> option
|
||
has been removed. To enable Privoxy, and to configure it to
|
||
use Tor’s faster port, use the following configuration:
|
||
</para>
|
||
<programlisting language="nix">
|
||
{
|
||
opt-services.privoxy.enable = true;
|
||
opt-services.privoxy.enableTor = true;
|
||
}
|
||
</programlisting>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>services.tor</literal> module has a new
|
||
exhaustively typed
|
||
<link xlink:href="options.html#opt-services.tor.settings">services.tor.settings</link>
|
||
option following RFC 0042; backward compatibility with old
|
||
options has been preserved when aliasing was possible. The
|
||
corresponding systemd service has been hardened, but there is
|
||
a chance that the service still requires more permissions, so
|
||
please report any related trouble on the bugtracker. Onion
|
||
services v3 are now supported in
|
||
<link xlink:href="options.html#opt-services.tor.relay.onionServices">services.tor.relay.onionServices</link>.
|
||
A new
|
||
<link xlink:href="options.html#opt-services.tor.openFirewall">services.tor.openFirewall</link>
|
||
option as been introduced for allowing connections on all the
|
||
TCP ports configured.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The options
|
||
<literal>services.slurm.dbdserver.storagePass</literal> and
|
||
<literal>services.slurm.dbdserver.configFile</literal> have
|
||
been removed. Use
|
||
<literal>services.slurm.dbdserver.storagePassFile</literal>
|
||
instead to provide the database password. Extra config options
|
||
can be given via the option
|
||
<literal>services.slurm.dbdserver.extraConfig</literal>. The
|
||
actual configuration file is created on the fly on startup of
|
||
the service. This avoids that the password gets exposed in the
|
||
nix store.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>wafHook</literal> hook does not wrap Python
|
||
anymore. Packages depending on <literal>wafHook</literal> need
|
||
to include any Python into their
|
||
<literal>nativeBuildInputs</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Starting with version 1.7.0, the project formerly named
|
||
<literal>CodiMD</literal> is now named
|
||
<literal>HedgeDoc</literal>. New installations will no longer
|
||
use the old name for users, state directories and such, this
|
||
needs to be considered when moving state to a more recent
|
||
NixOS installation. Based on
|
||
<link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>,
|
||
existing installations will continue to work.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The fish-foreign-env package has been replaced with
|
||
fishPlugins.foreign-env, in which the fish functions have been
|
||
relocated to the <literal>vendor_functions.d</literal>
|
||
directory to be loaded automatically.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The prometheus json exporter is now managed by the prometheus
|
||
community. Together with additional features some backwards
|
||
incompatibilities were introduced. Most importantly the
|
||
exporter no longer accepts a fixed command-line parameter to
|
||
specify the URL of the endpoint serving JSON. It now expects
|
||
this URL to be passed as an URL parameter, when scraping the
|
||
exporter’s <literal>/probe</literal> endpoint. In the
|
||
prometheus scrape configuration the scrape target might look
|
||
like this:
|
||
</para>
|
||
<programlisting>
|
||
http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint
|
||
</programlisting>
|
||
<para>
|
||
Existing configuration for the exporter needs to be updated,
|
||
but can partially be re-used. Documentation is available in
|
||
the upstream repository and a small example for NixOS is
|
||
available in the corresponding NixOS test.
|
||
</para>
|
||
<para>
|
||
These changes also affect
|
||
<link xlink:href="options.html#opt-services.prometheus.exporters.rspamd.enable">services.prometheus.exporters.rspamd.enable</link>,
|
||
which is just a preconfigured instance of the json exporter.
|
||
</para>
|
||
<para>
|
||
For more information, take a look at the
|
||
<link xlink:href="https://github.com/prometheus-community/json_exporter">
|
||
official documentation</link> of the json_exporter.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Androidenv was updated, removing the
|
||
<literal>includeDocs</literal> and
|
||
<literal>lldbVersions</literal> arguments. Docs only covered a
|
||
single version of the Android SDK, LLDB is now bundled with
|
||
the NDK, and both are no longer available to download from the
|
||
Android package repositories. Additionally, since the package
|
||
lists have been updated, some older versions of Android
|
||
packages may not be bundled. If you depend on older versions
|
||
of Android packages, we recommend overriding the repo.
|
||
</para>
|
||
<para>
|
||
Android packages are now loaded from a repo.json file created
|
||
by parsing Android repo XML files. The arguments
|
||
<literal>repoJson</literal> and <literal>repoXmls</literal>
|
||
have been added to allow overriding the built-in androidenv
|
||
repo.json with your own. Additionally, license files are now
|
||
written to allow compatibility with Gradle-based tools, and
|
||
the <literal>extraLicenses</literal> argument has been added
|
||
to accept more SDK licenses if your project requires it. See
|
||
the androidenv documentation for more details.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The attribute <literal>mpi</literal> is now consistently used
|
||
to provide a default, system-wide MPI implementation. The
|
||
default implementation is openmpi, which has been used before
|
||
by all derivations affects by this change. Note that all
|
||
packages that have used <literal>mpi ? null</literal> in the
|
||
input for optional MPI builds, have been changed to the
|
||
boolean input paramater <literal>useMpi</literal> to enable
|
||
building with MPI. Building all packages with
|
||
<literal>mpich</literal> instead of the default
|
||
<literal>openmpi</literal> can now be achived like this:
|
||
</para>
|
||
<programlisting language="nix">
|
||
self: super:
|
||
{
|
||
mpi = super.mpich;
|
||
}
|
||
</programlisting>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The Searx module has been updated with the ability to
|
||
configure the service declaratively and uWSGI integration. The
|
||
option <literal>services.searx.configFile</literal> has been
|
||
renamed to
|
||
<link xlink:href="options.html#opt-services.searx.settingsFile">services.searx.settingsFile</link>
|
||
for consistency with the new
|
||
<link xlink:href="options.html#opt-services.searx.settings">services.searx.settings</link>.
|
||
In addition, the <literal>searx</literal> uid and gid
|
||
reservations have been removed since they were not necessary:
|
||
the service is now running with a dynamically allocated uid.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The libinput module has been updated with the ability to
|
||
configure mouse and touchpad settings separately. The options
|
||
in <literal>services.xserver.libinput</literal> have been
|
||
renamed to
|
||
<literal>services.xserver.libinput.touchpad</literal>, while
|
||
there is a new
|
||
<literal>services.xserver.libinput.mouse</literal> for mouse
|
||
related configuration.
|
||
</para>
|
||
<para>
|
||
Since touchpad options no longer apply to all devices, you may
|
||
want to replicate your touchpad configuration in mouse
|
||
section.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
ALSA OSS emulation
|
||
(<literal>sound.enableOSSEmulation</literal>) is now disabled
|
||
by default.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Thinkfan as been updated to <literal>1.2.x</literal>, which
|
||
comes with a new YAML based configuration format. For this
|
||
reason, several NixOS options of the thinkfan module have been
|
||
changed to non-backward compatible types. In addition, a new
|
||
<link xlink:href="options.html#opt-services.thinkfan.settings">services.thinkfan.settings</link>
|
||
option has been added.
|
||
</para>
|
||
<para>
|
||
Please read the
|
||
<link xlink:href="https://github.com/vmatare/thinkfan#readme">
|
||
thinkfan documentation</link> before updating.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Adobe Flash Player support has been dropped from the tree. In
|
||
particular, the following packages no longer support it:
|
||
</para>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
chromium
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
firefox
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
qt48
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
qt5.qtwebkit
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
<para>
|
||
Additionally, packages flashplayer and hal-flash were removed
|
||
along with the <literal>services.flashpolicyd</literal>
|
||
module.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>security.rngd</literal> module has been removed.
|
||
It was disabled by default in 20.09 as it was functionally
|
||
redundant with krngd in the linux kernel. It is not necessary
|
||
for any device that the kernel recognises as an hardware RNG,
|
||
as it will automatically run the krngd task to periodically
|
||
collect random data from the device and mix it into the
|
||
kernel’s RNG.
|
||
</para>
|
||
<para>
|
||
The default SMTP port for GitLab has been changed to
|
||
<literal>25</literal> from its previous default of
|
||
<literal>465</literal>. If you depended on this default, you
|
||
should now set the
|
||
<link xlink:href="options.html#opt-services.gitlab.smtp.port">services.gitlab.smtp.port</link>
|
||
option.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The default version of ImageMagick has been updated from 6 to
|
||
7. You can use imagemagick6, imagemagick6_light, and
|
||
imagemagick6Big if you need the older version.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="options.html#opt-services.xserver.videoDrivers">services.xserver.videoDrivers</link>
|
||
no longer uses the deprecated <literal>cirrus</literal> and
|
||
<literal>vesa</literal> device dependent X drivers by default.
|
||
It also enables both <literal>amdgpu</literal> and
|
||
<literal>nouveau</literal> drivers by default now.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>kindlegen</literal> package is gone, because it
|
||
is no longer supported or hosted by Amazon. Sadly, its
|
||
replacement, Kindle Previewer, has no Linux support. However,
|
||
there are other ways to generate MOBI files. See
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/96439">the
|
||
discussion</link> for more info.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The apacheKafka packages are now built with version-matched
|
||
JREs. Versions 2.6 and above, the ones that recommend it, use
|
||
jdk11, while versions below remain on jdk8. The NixOS service
|
||
has been adjusted to start the service using the same version
|
||
as the package, adjustable with the new
|
||
<link xlink:href="options.html#opt-services.apache-kafka.jre">services.apache-kafka.jre</link>
|
||
option. Furthermore, the default list of
|
||
<link xlink:href="options.html#opt-services.apache-kafka.jvmOptions">services.apache-kafka.jvmOptions</link>
|
||
have been removed. You should set your own according to the
|
||
<link xlink:href="https://kafka.apache.org/documentation/#java">upstream
|
||
documentation</link> for your Kafka version.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The kodi package has been modified to allow concise addon
|
||
management. Consider the following configuration from previous
|
||
releases of NixOS to install kodi, including the
|
||
kodiPackages.inputstream-adaptive and kodiPackages.vfs-sftp
|
||
addons:
|
||
</para>
|
||
<programlisting language="nix">
|
||
{
|
||
environment.systemPackages = [
|
||
pkgs.kodi
|
||
];
|
||
|
||
nixpkgs.config.kodi = {
|
||
enableInputStreamAdaptive = true;
|
||
enableVFSSFTP = true;
|
||
};
|
||
}
|
||
</programlisting>
|
||
<para>
|
||
All Kodi <literal>config</literal> flags have been removed,
|
||
and as a result the above configuration should now be written
|
||
as:
|
||
</para>
|
||
<programlisting language="nix">
|
||
{
|
||
environment.systemPackages = [
|
||
(pkgs.kodi.withPackages (p: with p; [
|
||
inputstream-adaptive
|
||
vfs-sftp
|
||
]))
|
||
];
|
||
}
|
||
</programlisting>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>environment.defaultPackages</literal> now includes
|
||
the nano package. If pkgs.nano is not added to the list, make
|
||
sure another editor is installed and the
|
||
<literal>EDITOR</literal> environment variable is set to it.
|
||
Environment variables can be set using
|
||
<literal>environment.variables</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>services.minio.dataDir</literal> changed type to a
|
||
list of paths, required for specifiyng multiple data
|
||
directories for using with erasure coding. Currently, the
|
||
service doesn’t enforce nor checks the correct number of paths
|
||
to correspond to minio requirements.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
All CUDA toolkit versions prior to CUDA 10 have been removed.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The kbdKeymaps package was removed since dvp and neo are now
|
||
included in kbd. If you want to use the Programmer Dvorak
|
||
Keyboard Layout, you have to use
|
||
<literal>dvorak-programmer</literal> in
|
||
<literal>console.keyMap</literal> now instead of
|
||
<literal>dvp</literal>. In
|
||
<literal>services.xserver.xkbVariant</literal> it’s still
|
||
<literal>dvp</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The babeld service is now being run as an unprivileged user.
|
||
To achieve that the module configures
|
||
<literal>skip-kernel-setup true</literal> and takes care of
|
||
setting forwarding and rp_filter sysctls by itself as well as
|
||
for each interface in
|
||
<literal>services.babeld.interfaces</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>services.zigbee2mqtt.config</literal> option has
|
||
been renamed to
|
||
<literal>services.zigbee2mqtt.settings</literal> and now
|
||
follows
|
||
<link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
|
||
0042</link>.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
<para>
|
||
The yadm dotfile manager has been updated from 2.x to 3.x, which
|
||
has new (XDG) default locations for some data/state files. Most
|
||
yadm commands will fail and print a legacy path warning (which
|
||
describes how to upgrade/migrate your repository). If you have
|
||
scripts, daemons, scheduled jobs, shell profiles, etc. that invoke
|
||
yadm, expect them to fail or misbehave until you perform this
|
||
migration and prepare accordingly.
|
||
</para>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
Instead of determining
|
||
<literal>services.radicale.package</literal> automatically
|
||
based on <literal>system.stateVersion</literal>, the latest
|
||
version is always used because old versions are not officially
|
||
supported.
|
||
</para>
|
||
<para>
|
||
Furthermore, Radicale’s systemd unit was hardened which might
|
||
break some deployments. In particular, a non-default
|
||
<literal>filesystem_folder</literal> has to be added to
|
||
<literal>systemd.services.radicale.serviceConfig.ReadWritePaths</literal>
|
||
if the deprecated <literal>services.radicale.config</literal>
|
||
is used.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
In the <literal>security.acme</literal> module, use of
|
||
<literal>--reuse-key</literal> parameter for Lego has been
|
||
removed. It was introduced for HKPK, but this security feature
|
||
is now deprecated. It is a better security practice to rotate
|
||
key pairs instead of always keeping the same. If you need to
|
||
keep this parameter, you can add it back using
|
||
<literal>extraLegoRenewFlags</literal> as an option for the
|
||
appropriate certificate.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
<section xml:id="sec-release-21.05-notable-changes">
|
||
<title>Other Notable Changes</title>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
<literal>stdenv.lib</literal> has been deprecated and will
|
||
break eval in 21.11. Please use <literal>pkgs.lib</literal>
|
||
instead. See
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/108938">#108938</link>
|
||
for details.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="https://www.gnuradio.org/">GNURadio</link>
|
||
has a <literal>pkgs</literal> attribute set, and there’s a
|
||
<literal>gnuradio.callPackage</literal> function that extends
|
||
<literal>pkgs</literal> with a
|
||
<literal>mkDerivation</literal>, and a
|
||
<literal>mkDerivationWith</literal>, like Qt5. Now all
|
||
<literal>gnuradio.pkgs</literal> are defined with
|
||
<literal>gnuradio.callPackage</literal> and some packages that
|
||
depend on gnuradio are defined with this as well.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="https://www.privoxy.org/">Privoxy</link> has
|
||
been updated to version 3.0.32 (See
|
||
<link xlink:href="https://lists.privoxy.org/pipermail/privoxy-announce/2021-February/000007.html">announcement</link>).
|
||
Compared to the previous release, Privoxy has gained support
|
||
for HTTPS inspection (still experimental), Brotli
|
||
decompression, several new filters and lots of bug fixes,
|
||
including security ones. In addition, the package is now built
|
||
with compression and external filters support, which were
|
||
previously disabled.
|
||
</para>
|
||
<para>
|
||
Regarding the NixOS module, new options for HTTPS inspection
|
||
have been added and
|
||
<literal>services.privoxy.extraConfig</literal> has been
|
||
replaced by the new
|
||
<link xlink:href="options.html#opt-services.privoxy.settings">services.privoxy.settings</link>
|
||
(See
|
||
<link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
|
||
0042</link> for the motivation).
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="https://kodi.tv/">Kodi</link> has been
|
||
updated to version 19.1 <quote>Matrix</quote>. See the
|
||
<link xlink:href="https://kodi.tv/article/kodi-19-0-matrix-release">announcement</link>
|
||
for further details.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>services.packagekit.backend</literal> option has
|
||
been removed as it only supported a single setting which would
|
||
always be the default. Instead new
|
||
<link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
|
||
0042</link> compliant
|
||
<link xlink:href="options.html#opt-services.packagekit.settings">services.packagekit.settings</link>
|
||
and
|
||
<link xlink:href="options.html#opt-services.packagekit.vendorSettings">services.packagekit.vendorSettings</link>
|
||
options have been introduced.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="https://nginx.org">Nginx</link> has been
|
||
updated to stable version 1.20.0. Now nginx uses the zlib-ng
|
||
library by default.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
KDE Gear (formerly KDE Applications) is upgraded to 21.04, see
|
||
its
|
||
<link xlink:href="https://kde.org/announcements/gear/21.04/">release
|
||
notes</link> for details.
|
||
</para>
|
||
<para>
|
||
The <literal>kdeApplications</literal> package set is now
|
||
<literal>kdeGear</literal>, in keeping with the new name. The
|
||
old name remains for compatibility, but it is deprecated.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="https://libreswan.org/">Libreswan</link> has
|
||
been updated to version 4.4. The package now includes example
|
||
configurations and manual pages by default. The NixOS module
|
||
has been changed to use the upstream systemd units and write
|
||
the configuration in the <literal>/etc/ipsec.d/ </literal>
|
||
directory. In addition, two new options have been added to
|
||
specify connection policies
|
||
(<link xlink:href="options.html#opt-services.libreswan.policies">services.libreswan.policies</link>)
|
||
and disable send/receive redirects
|
||
(<link xlink:href="options.html#opt-services.libreswan.disableRedirects">services.libreswan.disableRedirects</link>).
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The Mailman NixOS module (<literal>services.mailman</literal>)
|
||
has a new option
|
||
<link xlink:href="options.html#opt-services.mailman.enablePostfix">services.mailman.enablePostfix</link>,
|
||
defaulting to true, that controls integration with Postfix.
|
||
</para>
|
||
<para>
|
||
If this option is disabled, default MTA config becomes not set
|
||
and you should set the options in
|
||
<literal>services.mailman.settings.mta</literal> according to
|
||
the desired configuration as described in
|
||
<link xlink:href="https://mailman.readthedocs.io/en/latest/src/mailman/docs/mta.html">Mailman
|
||
documentation</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The default-version of <literal>nextcloud</literal> is
|
||
nextcloud21. Please note that it’s <emphasis>not</emphasis>
|
||
possible to upgrade <literal>nextcloud</literal> across
|
||
multiple major versions! This means that it’s e.g. not
|
||
possible to upgrade from nextcloud18 to nextcloud20 in a
|
||
single deploy and most <literal>20.09</literal> users will
|
||
have to upgrade to nextcloud20 first.
|
||
</para>
|
||
<para>
|
||
The package can be manually upgraded by setting
|
||
<link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link>
|
||
to nextcloud21.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The setting
|
||
<link xlink:href="options.html#opt-services.redis.bind">services.redis.bind</link>
|
||
defaults to <literal>127.0.0.1</literal> now, making Redis
|
||
listen on the loopback interface only, and not all public
|
||
network interfaces.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
NixOS now emits a deprecation warning if systemd’s
|
||
<literal>StartLimitInterval</literal> setting is used in a
|
||
<literal>serviceConfig</literal> section instead of in a
|
||
<literal>unitConfig</literal>; that setting is deprecated and
|
||
now undocumented for the service section by systemd upstream,
|
||
but still effective and somewhat buggy there, which can be
|
||
confusing. See
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/45785">#45785</link>
|
||
for details.
|
||
</para>
|
||
<para>
|
||
All services should use
|
||
<link xlink:href="options.html#opt-systemd.services._name_.startLimitIntervalSec">systemd.services.<emphasis>name</emphasis>.startLimitIntervalSec</link>
|
||
or <literal>StartLimitIntervalSec</literal> in
|
||
<link xlink:href="options.html#opt-systemd.services._name_.unitConfig">systemd.services.<emphasis>name</emphasis>.unitConfig</link>
|
||
instead.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>mediatomb</literal> service declares new options.
|
||
It also adapts existing options so the configuration
|
||
generation is now lazy. The existing option
|
||
<literal>customCfg</literal> (defaults to false), when
|
||
enabled, stops the service configuration generation
|
||
completely. It then expects the users to provide their own
|
||
correct configuration at the right location (whereas the
|
||
configuration was generated and not used at all before). The
|
||
new option <literal>transcodingOption</literal> (defaults to
|
||
no) allows a generated configuration. It makes the mediatomb
|
||
service pulls the necessary runtime dependencies in the nix
|
||
store (whereas it was generated with hardcoded values before).
|
||
The new option <literal>mediaDirectories</literal> allows the
|
||
users to declare autoscan media directories from their nixos
|
||
configuration:
|
||
</para>
|
||
<programlisting language="nix">
|
||
{
|
||
services.mediatomb.mediaDirectories = [
|
||
{ path = "/var/lib/mediatomb/pictures"; recursive = false; hidden-files = false; }
|
||
{ path = "/var/lib/mediatomb/audio"; recursive = true; hidden-files = false; }
|
||
];
|
||
}
|
||
</programlisting>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The Unbound DNS resolver service
|
||
(<literal>services.unbound</literal>) has been refactored to
|
||
allow reloading, control sockets and to fix startup ordering
|
||
issues.
|
||
</para>
|
||
<para>
|
||
It is now possible to enable a local UNIX control socket for
|
||
unbound by setting the
|
||
<link xlink:href="options.html#opt-services.unbound.localControlSocketPath">services.unbound.localControlSocketPath</link>
|
||
option.
|
||
</para>
|
||
<para>
|
||
Previously we just applied a very minimal set of restrictions
|
||
and trusted unbound to properly drop root privs and
|
||
capabilities.
|
||
</para>
|
||
<para>
|
||
As of this we are (for the most part) just using the upstream
|
||
example unit file for unbound. The main difference is that we
|
||
start unbound as <literal>unbound</literal> user with the
|
||
required capabilities instead of letting unbound do the chroot
|
||
& uid/gid changes.
|
||
</para>
|
||
<para>
|
||
The upstream unit configuration this is based on is a lot
|
||
stricter with all kinds of permissions then our previous
|
||
variant. It also came with the default of having the
|
||
<literal>Type</literal> set to <literal>notify</literal>,
|
||
therefore we are now also using the
|
||
<literal>unbound-with-systemd</literal> package here. Unbound
|
||
will start up, read the configuration files and start
|
||
listening on the configured ports before systemd will declare
|
||
the unit <literal>active (running)</literal>. This will likely
|
||
help with startup order and the occasional race condition
|
||
during system activation where the DNS service is started but
|
||
not yet ready to answer queries. Services depending on
|
||
<literal>nss-lookup.target</literal> or
|
||
<literal>unbound.service</literal> are now be able to use
|
||
unbound when those targets have been reached.
|
||
</para>
|
||
<para>
|
||
Additionally to the much stricter runtime environment the
|
||
<literal>/dev/urandom</literal> mount lines we previously had
|
||
in the code (that randomly failed during the stop-phase) have
|
||
been removed as systemd will take care of those for us.
|
||
</para>
|
||
<para>
|
||
The <literal>preStart</literal> script is now only required if
|
||
we enabled the trust anchor updates (which are still enabled
|
||
by default).
|
||
</para>
|
||
<para>
|
||
Another benefit of the refactoring is that we can now issue
|
||
reloads via either <literal>pkill -HUP unbound</literal> and
|
||
<literal>systemctl reload unbound</literal> to reload the
|
||
running configuration without taking the daemon offline. A
|
||
prerequisite of this was that unbound configuration is
|
||
available on a well known path on the file system. We are
|
||
using the path <literal>/etc/unbound/unbound.conf</literal> as
|
||
that is the default in the CLI tooling which in turn enables
|
||
us to use <literal>unbound-control</literal> without passing a
|
||
custom configuration location.
|
||
</para>
|
||
<para>
|
||
The module has also been reworked to be
|
||
<link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
|
||
0042</link> compliant. As such,
|
||
<literal>sevices.unbound.extraConfig</literal> has been
|
||
removed and replaced by
|
||
<link xlink:href="options.html#opt-services.unbound.settings">services.unbound.settings</link>.
|
||
<literal>services.unbound.interfaces</literal> has been
|
||
renamed to
|
||
<literal>services.unbound.settings.server.interface</literal>.
|
||
</para>
|
||
<para>
|
||
<literal>services.unbound.forwardAddresses</literal> and
|
||
<literal>services.unbound.allowedAccess</literal> have also
|
||
been changed to use the new settings interface. You can follow
|
||
the instructions when executing
|
||
<literal>nixos-rebuild</literal> to upgrade your configuration
|
||
to use the new interface.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>services.dnscrypt-proxy2</literal> module now
|
||
takes the upstream’s example configuration and updates it with
|
||
the user’s settings. An option has been added to restore the
|
||
old behaviour if you prefer to declare the configuration from
|
||
scratch.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
NixOS now defaults to the unified cgroup hierarchy
|
||
(cgroupsv2). See the
|
||
<link xlink:href="https://www.redhat.com/sysadmin/fedora-31-control-group-v2">Fedora
|
||
Article for 31</link> for details on why this is desirable,
|
||
and how it impacts containers.
|
||
</para>
|
||
<para>
|
||
If you want to run containers with a runtime that does not yet
|
||
support cgroupsv2, you can switch back to the old behaviour by
|
||
setting
|
||
<link xlink:href="options.html#opt-systemd.enableUnifiedCgroupHierarchy">systemd.enableUnifiedCgroupHierarchy</link>
|
||
= <literal>false</literal>; and rebooting.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
PulseAudio was upgraded to 14.0, with changes to the handling
|
||
of default sinks. See its
|
||
<link xlink:href="https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/14.0/">release
|
||
notes</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
GNOME users may wish to delete their
|
||
<literal>~/.config/pulse</literal> due to the changes to
|
||
stream routing logic. See
|
||
<link xlink:href="https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/issues/832">PulseAudio
|
||
bug 832</link> for more information.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The zookeeper package does not provide
|
||
<literal>zooInspector.sh</literal> anymore, as that
|
||
<quote>contrib</quote> has been dropped from upstream
|
||
releases.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
In the ACME module, the data used to build the hash for the
|
||
account directory has changed to accommodate new features to
|
||
reduce account rate limit issues. This will trigger new
|
||
account creation on the first rebuild following this update.
|
||
No issues are expected to arise from this, thanks to the new
|
||
account creation handling.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="options.html#opt-users.users._name_.createHome">users.users.<emphasis>name</emphasis>.createHome</link>
|
||
now always ensures home directory permissions to be
|
||
<literal>0700</literal>. Permissions had previously been
|
||
ignored for already existing home directories, possibly
|
||
leaving them readable by others. The option’s description was
|
||
incorrect regarding ownership management and has been
|
||
simplified greatly.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
When defining a new user, one of
|
||
<link xlink:href="options.html#opt-users.users._name_.isNormalUser">users.users.<emphasis>name</emphasis>.isNormalUser</link>
|
||
and
|
||
<link xlink:href="options.html#opt-users.users._name_.isSystemUser">users.users.<emphasis>name</emphasis>.isSystemUser</link>
|
||
is now required. This is to prevent accidentally giving a UID
|
||
above 1000 to system users, which could have unexpected
|
||
consequences, like running user activation scripts for system
|
||
users. Note that users defined with an explicit UID below 500
|
||
are exempted from this check, as
|
||
<link xlink:href="options.html#opt-users.users._name_.isSystemUser">users.users.<emphasis>name</emphasis>.isSystemUser</link>
|
||
has no effect for those.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>security.apparmor</literal> module, for the
|
||
<link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link>
|
||
Mandatory Access Control system, has been substantialy
|
||
improved along with related tools, so that module maintainers
|
||
can now more easily write AppArmor profiles for NixOS. The
|
||
most notable change on the user-side is the new option
|
||
<link xlink:href="options.html#opt-security.apparmor.policies">security.apparmor.policies</link>,
|
||
replacing the previous <literal>profiles</literal> option to
|
||
provide a way to disable a profile and to select whether to
|
||
confine in enforce mode (default) or in complain mode (see
|
||
<literal>journalctl -b --grep apparmor</literal>).
|
||
Security-minded users may also want to enable
|
||
<link xlink:href="options.html#opt-security.apparmor.killUnconfinedConfinables">security.apparmor.killUnconfinedConfinables</link>,
|
||
at the cost of having some of their processes killed when
|
||
updating to a NixOS version introducing new AppArmor profiles.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The GNOME desktop manager once again installs gnome.epiphany
|
||
by default.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
NixOS now generates empty <literal>/etc/netgroup</literal>.
|
||
<literal>/etc/netgroup</literal> defines network-wide groups
|
||
and may affect to setups using NIS.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Platforms, like <literal>stdenv.hostPlatform</literal>, no
|
||
longer have a <literal>platform</literal> attribute. It has
|
||
been (mostly) flattened away:
|
||
</para>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
<literal>platform.gcc</literal> is now
|
||
<literal>gcc</literal>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>platform.kernel*</literal> is now
|
||
<literal>linux-kernel.*</literal>
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
<para>
|
||
Additionally, <literal>platform.kernelArch</literal> moved to
|
||
the top level as <literal>linuxArch</literal> to match the
|
||
other <literal>*Arch</literal> variables.
|
||
</para>
|
||
<para>
|
||
The <literal>platform</literal> grouping of these things never
|
||
meant anything, and was just a historial/implementation
|
||
artifact that was overdue removal.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>services.restic</literal> now uses a dedicated cache
|
||
directory for every backup defined in
|
||
<literal>services.restic.backups</literal>. The old global
|
||
cache directory, <literal>/root/.cache/restic</literal>, is
|
||
now unused and can be removed to free up disk space.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>isync</literal>: The <literal>isync</literal>
|
||
compatibility wrapper was removed and the Master/Slave
|
||
terminology has been deprecated and should be replaced with
|
||
Far/Near in the configuration file.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The nix-gc service now accepts randomizedDelaySec (default: 0)
|
||
and persistent (default: true) parameters. By default nix-gc
|
||
will now run immediately if it would have been triggered at
|
||
least once during the time when the timer was inactive.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>rustPlatform.buildRustPackage</literal> function
|
||
is split into several hooks: cargoSetupHook to set up
|
||
vendoring for Cargo-based projects, cargoBuildHook to build a
|
||
project using Cargo, cargoInstallHook to install a project
|
||
using Cargo, and cargoCheckHook to run tests in Cargo-based
|
||
projects. With this change, mixed-language projects can use
|
||
the relevant hooks within builders other than
|
||
<literal>buildRustPackage</literal>. However, these changes
|
||
also required several API changes to
|
||
<literal>buildRustPackage</literal> itself:
|
||
</para>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
The <literal>target</literal> argument was removed.
|
||
Instead, <literal>buildRustPackage</literal> will always
|
||
use the same target as the C/C++ compiler that is used.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>cargoParallelTestThreads</literal> argument
|
||
was removed. Parallel tests are now disabled through
|
||
<literal>dontUseCargoParallelTests</literal>.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>rustPlatform.maturinBuildHook</literal> hook was
|
||
added. This hook can be used with
|
||
<literal>buildPythonPackage</literal> to build Python packages
|
||
that are written in Rust and use Maturin as their build tool.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Kubernetes has
|
||
<link xlink:href="https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/">deprecated
|
||
docker</link> as container runtime. As a consequence, the
|
||
Kubernetes module now has support for configuration of custom
|
||
remote container runtimes and enables containerd by default.
|
||
Note that containerd is more strict regarding container image
|
||
OCI-compliance. As an example, images with CMD or ENTRYPOINT
|
||
defined as strings (not lists) will fail on containerd, while
|
||
working fine on docker. Please test your setup and container
|
||
images with containerd prior to upgrading.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The GitLab module now has support for automatic backups. A
|
||
schedule can be set with the
|
||
<link xlink:href="options.html#opt-services.gitlab.backup.startAt">services.gitlab.backup.startAt</link>
|
||
option.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Prior to this release, systemd would also read system units
|
||
from an undocumented
|
||
<literal>/etc/systemd-mutable/system</literal> path. This path
|
||
has been dropped from the defaults. That path (or others) can
|
||
be re-enabled by adding it to the
|
||
<link xlink:href="options.html#opt-boot.extraSystemdUnitPaths">boot.extraSystemdUnitPaths</link>
|
||
list.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
PostgreSQL 9.5 is scheduled EOL during the 21.05 life cycle
|
||
and has been removed.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link xlink:href="https://www.xfce.org/">Xfce4</link> relies
|
||
on GIO/GVfs for userspace virtual filesystem access in
|
||
applications like
|
||
<link xlink:href="https://docs.xfce.org/xfce/thunar/">thunar</link>
|
||
and
|
||
<link xlink:href="https://docs.xfce.org/apps/gigolo/">gigolo</link>.
|
||
For that to work, the gvfs nixos service is enabled by
|
||
default, and it can be configured with the specific package
|
||
that provides GVfs. Until now Xfce4 was setting it to use a
|
||
lighter version of GVfs (without support for samba). To avoid
|
||
conflicts with other desktop environments this setting has
|
||
been dropped. Users that still want it should add the
|
||
following to their system configuration:
|
||
</para>
|
||
<programlisting language="nix">
|
||
{
|
||
services.gvfs.package = pkgs.gvfs.override { samba = null; };
|
||
}
|
||
</programlisting>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The newly enabled <literal>systemd-pstore.service</literal>
|
||
now automatically evacuates crashdumps and panic logs from the
|
||
persistent storage to
|
||
<literal>/var/lib/systemd/pstore</literal>. This prevents
|
||
NVRAM from filling up, which ensures the latest diagnostic
|
||
data is always stored and alleviates problems with writing new
|
||
boot configurations.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Nixpkgs now contains
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/118232">automatically
|
||
packaged GNOME Shell extensions</link> from the
|
||
<link xlink:href="https://extensions.gnome.org/">GNOME
|
||
Extensions</link> portal. You can find them, filed by their
|
||
UUID, under <literal>gnome38Extensions</literal> attribute for
|
||
GNOME 3.38 and under <literal>gnome40Extensions</literal> for
|
||
GNOME 40. Finally, the <literal>gnomeExtensions</literal>
|
||
attribute contains extensions for the latest GNOME Shell
|
||
version in Nixpkgs, listed under a more human-friendly name.
|
||
The unqualified attribute scope also contains manually
|
||
packaged extensions. Note that the automatically packaged
|
||
extensions are provided for convenience and are not checked or
|
||
guaranteed to work.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Erlang/OTP versions older than R21 got dropped. We also
|
||
dropped the cuter package, as it was purely an example of how
|
||
to build a package. We also dropped <literal>lfe_1_2</literal>
|
||
as it could not build with R21+. Moving forward, we expect to
|
||
only support 3 yearly releases of OTP.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
</section>
|