Diffstat (limited to 'nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml')
-rw-r--r--  nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml  664
1 files changed, 655 insertions, 9 deletions
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml index e17e8ac24d1..0f5df907d88 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml @@ -28,6 +28,12 @@ </listitem> <listitem> <para> + Quickly configure a complete, private, self-hosted video + conferencing solution with the new Jitsi Meet module. + </para> + </listitem> + <listitem> + <para> <package>maxx</package> package removed along with <varname>services.xserver.desktopManager.maxx</varname> module. Please migrate to <package>cdesktopenv</package> and <varname>services.xserver.desktopManager.cde</varname> module. </para> @@ -44,6 +50,16 @@ </listitem> <listitem> <para> + PHP 7.2 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 20.09 release. + </para> + </listitem> + <listitem> + <para> + Python 3 now defaults to Python 3.8 instead of 3.7. + </para> + </listitem> + <listitem> + <para> Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link> and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have been added to the <literal>openssh</literal> module. If you have <literal>AuthorizedKeysCommand</literal> 
@@ -89,6 +105,121 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' When MariaDB data directory is just upgraded (not initialized), the users are not created or modified. </para> </listitem> + <listitem> + <para> + MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options + may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when + calling <literal>LOAD DATA INFILE or SELECT * INTO OUTFILE</literal>. In this scenario a variant of the following may be required: + - allow MySQL to read from /home and /tmp directories when using <literal>LOAD DATA INFILE</literal> +<programlisting> +systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only"; +</programlisting> + - allow MySQL to write to custom folder <literal>/var/data</literal> when using <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql user has write + access to <literal>/var/data</literal> +<programlisting> +systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ]; +</programlisting> + </para> + <para> + The MySQL service no longer runs its <literal>systemd</literal> service startup script as <literal>root</literal> anymore. A dedicated non <literal>root</literal> + super user account is required for operation. This means users with an existing MySQL or MariaDB database server are required to run the following SQL statements + as a super admin user before upgrading: +<programlisting> +CREATE USER IF NOT EXISTS 'mysql'@'localhost' identified with unix_socket; +GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION; +</programlisting> + If you use MySQL instead of MariaDB please replace <literal>unix_socket</literal> with <literal>auth_socket</literal>. 
If you have changed the value of <xref linkend="opt-services.mysql.user"/> + from the default of <literal>mysql</literal> to a different user please change <literal>'mysql'@'localhost'</literal> to the corresponding user instead. + </para> + </listitem> + <listitem> + <para> + The new option <link linkend="opt-documentation.man.generateCaches">documentation.man.generateCaches</link> + has been added to automatically generate the <literal>man-db</literal> caches, which are needed by utilities + like <command>whatis</command> and <command>apropos</command>. The caches are generated during the build of + the NixOS configuration: since this can be expensive when a large number of packages are installed, the + feature is disabled by default. + </para> + </listitem> + <listitem> + <para> + <varname>services.postfix.sslCACert</varname> was replaced by <varname>services.postfix.tlsTrustedAuthorities</varname> which now defaults to system certificate authorities. + </para> + </listitem> + <listitem> + <para> + Subordinate GID and UID mappings are now set up automatically for all normal users. + This will make container tools like Podman work as non-root users out of the box. + </para> + </listitem> + <listitem> + <para> + The various documented workarounds to use steam have been converted to a module. <varname>programs.steam.enable</varname> enables steam, controller support and the workarounds. + </para> + </listitem> + <listitem> + <para> + Support for built-in LCDs in various pieces of Logitech hardware (keyboards and USB speakers). <varname>hardware.logitech.lcd.enable</varname> enables support for all hardware supported by the g15daemon project. + </para> + </listitem> + <listitem> + <para> + Zabbix now defaults to 5.0, updated from 4.4. Please carefully read through + <link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade/sources">the upgrade guide</link> + and apply any changes required. 
Be sure to take special note of the section on + <link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade_notes_500#enabling_extended_range_of_numeric_float_values">enabling extended range of numeric (float) values</link> + as you will need to apply this database migration manually. + </para> + <para> + If you are using Zabbix Server with a MySQL or MariaDB database you should note that using a character set of <literal>utf8</literal> and a collate of <literal>utf8_bin</literal> has become mandatory with + this release. See the upstream <link xlink:href="https://support.zabbix.com/browse/ZBX-17357">issue</link> for further discussion. Before upgrading you should check the character set and collation used by + your database and ensure they are correct: +<programlisting> + SELECT + default_character_set_name, + default_collation_name + FROM + information_schema.schemata + WHERE + schema_name = 'zabbix'; +</programlisting> + If these values are not correct you should take a backup of your database and convert the character set and collation as required. Here is an + <link xlink:href="https://www.zabbix.com/forum/zabbix-help/396573-reinstall-after-upgrade?p=396891#post396891">example</link> of how to do so, taken from + the Zabbix forums: +<programlisting> + ALTER DATABASE `zabbix` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin; + + -- the following will produce a list of SQL commands you should subsequently execute + SELECT CONCAT("ALTER TABLE ", TABLE_NAME," CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;") AS ExecuteTheString + FROM information_schema.`COLUMNS` + WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ci"; +</programlisting> + </para> + </listitem> + <listitem> + <para> + The NixOS module system now supports freeform modules as a mix between <literal>types.attrsOf</literal> and <literal>types.submodule</literal>. 
These allow you to explicitly declare a subset of options while still permitting definitions without an associated option. See <xref linkend='sec-freeform-modules'/> for how to use them. + </para> + </listitem> + <listitem> + <para> + The GRUB module gained support for basic password protection, which + allows to restrict non-default entries in the boot menu to one or more + users. The users and passwords are defined via the option + <option>boot.loader.grub.users</option>. + Note: Password support is only avaiable in GRUB version 2. + </para> + </listitem> + <listitem> + <para> + Following its deprecation in 20.03, the Perl NixOS test driver has been removed. + All remaining tests have been ported to the Python test framework. + Code outside nixpkgs using <filename>make-test.nix</filename> or + <filename>testing.nix</filename> needs to be ported to + <filename>make-test-python.nix</filename> and + <filename>testing-python.nix</filename> respectively. + </para> + </listitem> </itemizedlist> </section> @@ -108,6 +239,11 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' <para> There is a new <xref linkend="opt-security.doas.enable"/> module that provides <command>doas</command>, a lighter alternative to <command>sudo</command> with many of the same features. </para> + </listitem> + <listitem> + <para> + <link xlink:href="https://hercules-ci.com">Hercules CI</link> Agent is a specialized build agent for projects built with Nix. See the <link xlink:href="https://nixos.org/nixos/options.html#services.hercules-ci-agent">options</link> and <link xlink:href="https://docs.hercules-ci.com/hercules-ci/getting-started/#deploy-agent">setup</link>. + </para> </listitem> </itemizedlist> 
@@ -132,12 +268,10 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' in the source tree for downloaded modules instead of using go's <link xlink:href="https://golang.org/cmd/go/#hdr-Module_proxy_protocol">module proxy protocol</link>. This storage format is simpler and therefore less - likekly to break with future versions of go. As a result + likely to break with future versions of go. As a result <literal>buildGoModule</literal> switched from <literal>modSha256</literal> to the <literal>vendorSha256</literal> - attribute to pin fetched version data. <literal>buildGoModule</literal> - still accepts <literal>modSha256</literal> with a warning, but support will - be removed in the next release. + attribute to pin fetched version data. </para> </listitem> <listitem> @@ -146,7 +280,7 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' <link xlink:href="https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-4/">deprecated in Grafana</link> and the <package>phantomjs</package> project is <link xlink:href="https://github.com/ariya/phantomjs/issues/15344#issue-302015362">currently unmaintained</link>. - It can still be enabled by providing <literal>phantomJsSupport = true</literal> to the package instanciation: + It can still be enabled by providing <literal>phantomJsSupport = true</literal> to the package instantiation: <programlisting>{ services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec { phantomJsSupport = false; 
@@ -158,7 +292,7 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' <para> The <link linkend="opt-services.supybot.enable">supybot</link> module now uses <literal>/var/lib/supybot</literal> as its default <link linkend="opt-services.supybot.stateDir">stateDir</link> path if <literal>stateVersion</literal> - is 20.09 or higher. It also enables number of + is 20.09 or higher. It also enables a number of <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd sandboxing options</link> which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in <option>systemd.services.supybot.serviceConfig</option>. @@ -178,6 +312,12 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' </listitem> <listitem> <para> + <literal>vmware</literal> has been removed from the <literal>services.x11.videoDrivers</literal> defaults. + For VMWare guests set <literal>virtualisation.vmware.guest.enable</literal> to <literal>true</literal> which will include the appropriate drivers. + </para> + </listitem> + <listitem> + <para> The initrd SSH support now uses OpenSSH rather than Dropbear to allow the use of Ed25519 keys and other OpenSSH-specific functionality. Host keys must now be in the OpenSSH format, and at 
@@ -261,6 +401,20 @@ php.override { </para> </listitem> <listitem> + <para> + The ACME module has been overhauled for simplicity and maintainability. + Cert generation now implicitly uses the <literal>acme</literal> + user, and the <literal>security.acme.certs._name_.user</literal> option + has been removed. Instead, certificate access from other services is now + managed through group permissions. The module no longer runs lego + twice under certain conditions, and will correctly renew certificates if + their configuration is changed. Services which reload nginx and httpd after + certificate renewal are now properly configured too so you no longer have + to do this manually if you are using HTTPS enabled virtual hosts. A mechanism + for regenerating certs on demand has also been added and documented. + </para> + </listitem> + <listitem> <para> Gollum received a major update to version 5.x and you may have to change some links in your wiki when migrating from gollum 4.x. More information @@ -279,8 +433,8 @@ php.override { </listitem> <listitem> <para> - Add option <literal>services.nginx.enableSandbox</literal> to starting Nginx web server with additional sandbox/hardening options. - By default, write access to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders, + Nginx web server now starting with additional sandbox/hardening options. By default, write access + to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders, use <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal> <programlisting> systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; 
@@ -441,6 +595,239 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; recommended to only use lower-case characters. </para> </listitem> + <listitem> + <para> + The GRUB specific option <option>boot.loader.grub.extraInitrd</option> + has been replaced with the generic option + <option>boot.initrd.secrets</option>. This option creates a secondary + initrd from the specified files, rather than using a manually created + initrd file. + + Due to an existing bug with <option>boot.loader.grub.extraInitrd</option>, + it is not possible to directly boot an older generation that used that + option. It is still possible to rollback to that generation if the required + initrd file has not been deleted. + </para> + </listitem> + <listitem> + <para> + The <link xlink:href="https://github.com/okTurtles/dnschain">DNSChain</link> + package and NixOS module have been removed from Nixpkgs as the software is + unmaintained and can't be built. For more information see issue + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/89205">#89205</link>. + </para> + </listitem> + <listitem> + <para> + In the <literal>resilio</literal> module, <xref linkend="opt-services.resilio.httpListenAddr"/> has been changed to listen to <literal>[::1]</literal> instead of <literal>0.0.0.0</literal>. + </para> + </listitem> + <listitem> + <para> + Users of <link xlink:href="http://openafs.org">OpenAFS 1.6</link> must + upgrade their services to OpenAFS 1.8! In this release, the OpenAFS package + version 1.6.24 is marked broken but can be used during transition to + OpenAFS 1.8.x. Use the options + <option>services.openafsClient.packages.module</option>, + <option>services.openafsClient.packages.programs</option> and + <option>services.openafsServer.package</option> to select a different + OpenAFS package. OpenAFS 1.6 will be removed in the next release. The + package <literal>openafs</literal> and the service options will then + silently point to the OpenAFS 1.8 release. 
+ </para> + <para> + See also the OpenAFS <link + xlink:href="http://docs.openafs.org/AdminGuide/index.html">Administrator + Guide</link> for instructions. Beware of the following when updating + servers: + <itemizedlist> + <listitem> + <para> + The storage format of the server key has changed and the key must be converted before running the new release. + </para> + </listitem> + <listitem> + <para> + When updating multiple database servers, turn off the database servers + from the highest IP down to the lowest with resting periods in + between. Start up in reverse order. Do not concurrently run database + servers working with different OpenAFS releases! + </para> + </listitem> + <listitem> + <para> + Update servers first, then clients. + </para> + </listitem> + </itemizedlist> + </para> + </listitem> + <listitem> + <para> + Radicale's default package has changed from 2.x to 3.x. An upgrade + checklist can be found + <link xlink:href="https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist">here</link>. + You can use the newer version in the NixOS service by setting the + <literal>package</literal> to <literal>radicale3</literal>, which is done + automatically if <literal>stateVersion</literal> is 20.09 or higher. + </para> + </listitem> + <listitem> + <para> + <literal>udpt</literal> experienced a complete rewrite from C++ to rust. The configuration format changed from ini to toml. + The new configuration documentation can be found at + <link xlink:href="https://naim94a.github.io/udpt/config.html">the official website</link> and example + configuration is packaged in <literal>${udpt}/share/udpt/udpt.toml</literal>. + </para> + </listitem> + <listitem> + <para> + We now have a unified <xref linkend="opt-services.xserver.displayManager.autoLogin"/> option interface + to be used for every display-manager in NixOS. + </para> + </listitem> + <listitem> + <para> + The <literal>bitcoind</literal> module has changed to multi-instance, using submodules. 
+ Therefore, it is now mandatory to name each instance. + To use this new multi-instance config with an existing bitcoind data directory and user, + you have to adjust the original config, e.g.: +<programlisting> + services.bitcoind = { + enable = true; + extraConfig = "..."; + ... + }; +</programlisting> + To something similar: +<programlisting> + services.bitcoind.mainnet = { + enable = true; + dataDir = "/var/lib/bitcoind"; + user = "bitcoin"; + extraConfig = "..."; + ... + }; +</programlisting> + The key settings are: + <itemizedlist> + <listitem> + <para> + <literal>dataDir</literal> - to continue using the same data directory. + </para> + </listitem> + <listitem> + <para> + <literal>user</literal> - to continue using the same user so that bitcoind maintains access to its files. + </para> + </listitem> + </itemizedlist> + </para> + </listitem> + <listitem> + <para> + Graylog introduced a change in the LDAP server certificate validation behaviour for version 3.3.3 which might break existing setups. + When updating Graylog from a version before 3.3.3 make sure to check the Graylog <link xlink:href="https://www.graylog.org/post/announcing-graylog-v3-3-3">release info</link> for information on how to avoid the issue. + </para> + </listitem> + <listitem> + <para> + The <literal>dokuwiki</literal> module has changed to multi-instance, using submodules. + Therefore, it is now mandatory to name each instance. Moreover, forcing SSL by default has been dropped, so + <literal>nginx.forceSSL</literal> and <literal>nginx.enableACME</literal> are no longer set to <literal>true</literal>. + To continue using your service with the original SSL settings, you have to adjust the original config, e.g.: +<programlisting> +services.dokuwiki = { + enable = true; + ... +}; +</programlisting> + To something similar: +<programlisting> +services.dokuwiki."mywiki" = { + enable = true; + nginx = { + forceSSL = true; + enableACME = true; + }; + ... 
+}; +</programlisting> + The base package has also been upgraded to the 2020-07-29 "Hogfather" release. Plugins might be incompatible or require upgrading. + </para> + </listitem> + <listitem> + <para> + The <xref linkend="opt-services.postgresql.dataDir"/> option is now set to <literal>"/var/lib/postgresql/${cfg.package.psqlSchema}"</literal> regardless of your + <xref linkend="opt-system.stateVersion"/>. Users with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below + should double check what the value of their <xref linkend="opt-services.postgresql.dataDir"/> option is (<literal>/var/db/postgresql</literal>) and then explicitly + set this value to maintain compatibility: +<programlisting> +services.postgresql.dataDir = "/var/db/postgresql"; +</programlisting> + </para> + <para> + The postgresql module now expects there to be a database super user account called <literal>postgres</literal> regardless of your <xref linkend="opt-system.stateVersion"/>. Users + with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below should run the following SQL statements as a + database super admin user before upgrading: +<programlisting> +CREATE ROLE postgres LOGIN SUPERUSER; +</programlisting> + </para> + </listitem> + <listitem> + <para> + The USBGuard module now removes options and instead hardcodes values for <literal>IPCAccessControlFiles</literal>, <literal>ruleFiles</literal>, and <literal>auditFilePath</literal>. Audit logs can be found in the journal. + </para> + </listitem> + <listitem> + <para> + The NixOS module system now evaluates option definitions more strictly, allowing it to detect a larger set of problems. + As a result, what previously evaluated may not do so anymore. + See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/82743#issuecomment-674520472">the PR that changed this</link> for more info. 
+ </para> + </listitem> + <listitem> + <para> + For NixOS configuration options, the type <literal>loaOf</literal>, after + its initial deprecation in release 20.03, has been removed. In NixOS and + Nixpkgs options using this type have been converted to <literal>attrsOf</literal>. + For more information on this change have look at these links: + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/1800">issue #1800</link>, + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/63103">PR #63103</link>. + </para> + </listitem> + <listitem> + <para> + <literal>config.systemd.services.${name}.path</literal> now returns a list of paths instead of a colon-separated string. + </para> + </listitem> + <listitem> + <para> + Caddy module now uses Caddy v2 by default. Caddy v1 can still be used by setting + <xref linkend="opt-services.caddy.package"/> to <literal>pkgs.caddy1</literal>. + </para> + <para> + New option <xref linkend="opt-services.caddy.adapter"/> has been added. + </para> + </listitem> + <listitem> + <para> + The <link linkend="opt-services.jellyfin.enable">jellyfin</link> module will use and stay on the Jellyfin version <literal>10.5.5</literal> + if <literal>stateVersion</literal> is lower than <literal>20.09</literal>. This is because significant changes were made to the database schema, + and it is highly recommended to backup your instance before upgrading. After making your backup, you can upgrade to the latest version either by + setting your <literal>stateVersion</literal> to <literal>20.09</literal> or higher, or set the <option>services.jellyfin.package</option> to + <literal>pkgs.jellyfin</literal>. If you do not wish to upgrade Jellyfin, but want to change your <literal>stateVersion</literal>, you can set + the value of <option>services.jellyfin.package</option> to <literal>pkgs.jellyfin_10_5</literal>. + </para> + </listitem> + <listitem> + <para> + The <literal>security.rngd</literal> service is now disabled by default. 
+ This choice was made because there's krngd in the linux kernel space making it (for most usecases) + functionally redundent. + </para> + </listitem> </itemizedlist> </section> @@ -453,6 +840,9 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; <itemizedlist> <listitem> + <para>SD images are now compressed by default using <literal>zstd</literal>. The compression for ISO images has also been changed to <literal>zstd</literal>, but ISO images are still not compressed by default.</para> + </listitem> + <listitem> <para> <option>services.journald.rateLimitBurst</option> was updated from <literal>1000</literal> to <literal>10000</literal> to follow the new 
@@ -466,11 +856,50 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; of the default <literal>out</literal> output anymore - if you relied on the <literal>notmuch-emacs-mua</literal> binary or the emacs lisp files, access them via the <literal>notmuch.emacs</literal> output. + + Device tree overlay support was improved in + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/79370">#79370</link> + and now uses <xref linkend="opt-hardware.deviceTree.kernelPackage"/> + instead of <option>hardware.deviceTree.base</option>. + + <xref linkend="opt-hardware.deviceTree.overlays"/> configuration was + extended to support <literal>.dts</literal> files with symbols. + + Device trees can now be filtered by setting + <xref linkend="opt-hardware.deviceTree.filter"/> option. + </para> + </listitem> + <listitem> + <para> + The default output of <literal>buildGoPackage</literal> is now <literal>$out</literal> instead of <literal>$bin</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>buildGoModule</literal> <literal>doCheck</literal> now defaults to <literal>true</literal>. + </para> + </listitem> + <listitem> + <para> + Packages built using <literal>buildRustPackage</literal> now use <literal>release</literal> + mode for the <literal>checkPhase</literal> by default. + </para> + <para> + Please note that Rust packages utilizing a custom build/install procedure + (e.g. by using a <filename>Makefile</filename>) or test suites that rely on the + structure of the <filename>target/</filename> directory may break due to those assumptions. + For further information, please read the Rust section in the Nixpkgs manual. </para> </listitem> <listitem> <para> - The default output of <literal>buildGoPackage</literal> is now <literal>$out</literal> instead of <literal>$bin</literal>. 
+ The cc- and binutils-wrapper's "infix salt" and <literal>_BUILD_</literal> and <literal>_TARGET_</literal> user infixes have been replaced with with a "suffix salt" and suffixes and <literal>_FOR_BUILD</literal> and <literal>_FOR_TARGET</literal>. + This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier. + </para> + </listitem> + <listitem> + <para> + Additional Git documentation (HTML and text files) is now available via the <literal>git-doc</literal> package. </para> </listitem> <listitem> @@ -480,6 +909,12 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; </listitem> <listitem> <para> + The installer now enables sshd by default. This improves installation on headless machines especially ARM single-board-computer. + To login through ssh, either a password or an ssh key must be set for the root user or the nixos user. + </para> + </listitem> + <listitem> + <para> The scripted networking system now uses <literal>.link</literal> files in <literal>/etc/systemd/network</literal> to configure mac address and link MTU, instead of the sometimes buggy <literal>network-link-*</literal> units, which 
@@ -501,6 +936,217 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; <link xlink:href="https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0">in the Grafana documentation</link>. </para> </listitem> + <listitem> + <para> + The <literal>hardware.u2f</literal> module, which was installing udev rules + was removed, as udev gained native support to handle FIDO security tokens. + </para> + </listitem> + <listitem> + <para> + The <literal>services.transmission</literal> module + was enhanced with the new options: + <xref linkend="opt-services.transmission.credentialsFile"/>, + <xref linkend="opt-services.transmission.openFirewall"/>, + and <xref linkend="opt-services.transmission.performanceNetParameters"/>. + </para> + <para> + <literal>transmission-daemon</literal> is now started with additional systemd sandbox/hardening options for better security. + Please <link xlink:href="https://github.com/NixOS/nixpkgs/issues">report</link> + any use case where this is not working well. + In particular, the <literal>RootDirectory</literal> option newly set + forbids uploading or downloading a torrent outside of the default directory + configured at <link linkend="opt-services.transmission.settings">settings.download-dir</link>. + If you really need Transmission to access other directories, + you must include those directories into the <literal>BindPaths</literal> of the service: +<programlisting> +systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ]; +</programlisting> + </para> + <para> + Also, connection to the RPC (Remote Procedure Call) of <literal>transmission-daemon</literal> + is now only available on the local network interface by default. + Use: +<programlisting> +services.transmission.settings.rpc-bind-address = "0.0.0.0"; +</programlisting> + to get the previous behavior of listening on all network interfaces. 
+ </para> + </listitem> + <listitem> + <para> + With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>) + has it's netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over + socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) + devices the default buffer size (currently 128MB) is not enough. + </para> + <para> + On a machine with >100 virtual interfaces (e.g., wireguard tunnels, VLANs, …), that all have to + be brought up during system startup, the receive buffer size will spike for a brief period. + Eventually some of the message will be dropped since there is not enough (permitted) buffer + space available. + </para> + <para> + By having <literal>systemd-networkd</literal> start with a netlink socket created by + <literal>systemd</literal> we can configure the <literal>ReceiveBufferSize=</literal> parameter + in the socket options (i.e. <literal>systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize</literal>) + without recompiling <literal>systemd-networkd</literal>. + </para> + <para> + Since the actual memory requirements depend on hardware, timing, exact + configurations etc. it isn't currently possible to infer a good default + from within the NixOS module system. Administrators are advised to + monitor the logs of <literal>systemd-networkd</literal> for <literal>rtnl: kernel receive buffer + overrun</literal> spam and increase the memory limit as they see fit. + </para> + <para> + Note: Increasing the <literal>ReceiveBufferSize=</literal> doesn't allocate any memory. It just increases + the upper bound on the kernel side. The memory allocation depends on the amount of messages that are + queued on the kernel side of the netlink socket. 
+ </para> + </listitem> + <listitem> + <para> + Specifying <link linkend="opt-services.dovecot2.mailboxes">mailboxes</link> in the <package>dovecot2</package> module + as a list is deprecated and will break eval in 21.03. Instead, an attribute-set should be specified where the <literal>name</literal> + should be the key of the attribute. + </para> + <para> + This means that a configuration like this +<programlisting>{ + <link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = [ + { name = "Junk"; + auto = "create"; + } + ]; +}</programlisting> + should now look like this: +<programlisting>{ + <link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = { + Junk.auto = "create"; + }; +}</programlisting> + </para> + </listitem> + <listitem> + <para> + <package>netbeans</package> was upgraded to 12.0 and now defaults to OpenJDK 11. This might cause problems if your projects depend on packages that were removed in Java 11. + </para> + </listitem> + <listitem> + <para> + <package>nextcloud</package> has been updated to <link xlink:href="https://nextcloud.com/blog/nextcloud-hub-brings-productivity-to-home-office/">v19</link>. + </para> + <para> + If you have an existing installation, please make sure that you're on + <package>nextcloud18</package> before upgrading to <package>nextcloud19</package> + since Nextcloud doesn't support upgrades across multiple major versions. + </para> + <para> + The <literal>nixos-run-vms</literal> script now deletes the + previous run machines states on test startup. You can use the + <literal>--keep-vm-state</literal> flag to match the previous + behaviour and keep the same VM state between different test runs. + </para> + </listitem> + <listitem> + <para> + The <link linkend="opt-nix.buildMachines">nix.buildMachines</link> option is now type-checked. + There are no functional changes, however this may require updating some configurations to use correct types for all attributes. 
+ </para> + </listitem> + <listitem> + <para> + The <literal>fontconfig</literal> module stopped generating fontconfig 2.10.x config and cache. + Fontconfig 2.10.x was removed from Nixpkgs - it hasn't been used in any nixpkgs package anymore. + </para> + </listitem> + <listitem> + <para> + Nginx module <literal>nginxModules.fastcgi-cache-purge</literal> renamed to official name <literal>nginxModules.cache-purge</literal>. + Nginx module <literal>nginxModules.ngx_aws_auth</literal> renamed to official name <literal>nginxModules.aws-auth</literal>. + </para> + </listitem> + <listitem> + <para> + The option <option>defaultPackages</option> was added. It installs the packages <package>perl</package>, <package>rsync</package> and <package>strace</package> for now. They were added unconditionally to <option>systemPackages</option> before, but are not strictly necessary for a minimal NixOS install. You can set it to an empty list to have a more minimal system. Be aware that some functionality might still have an impure dependency on those packages, so things might break. + </para> + </listitem> + <listitem> + <para> + The <literal>undervolt</literal> option no longer needs to apply its + settings every 30s. If they still become undone, open an issue and restore + the previous behaviour using <literal>undervolt.useTimer</literal>. + </para> + </listitem> + <listitem> + <para> + Agda has been heavily reworked. + <itemizedlist> + <listitem> + <para> + <literal>agda.mkDerivation</literal> has been heavily changed and + is now located at <package>agdaPackages.mkDerivation</package>. + </para> + </listitem> + <listitem> + <para> + New top-level packages <package>agda</package> and + <literal>agda.withPackages</literal> have been added, the second + of which sets up agda with access to chosen libraries. + </para> + </listitem> + <listitem> + <para> + All agda libraries now live under + <literal>agdaPackages</literal>. 
+ </para> + </listitem> + <listitem> + <para> + Many broken libraries have been removed. + </para> + </listitem> + </itemizedlist> + See the <link + xlink:href="https://nixos.org/nixpkgs/manual/#agda">new + documentation</link> for more information. + </para> + </listitem> + <listitem> + <para> + The <literal>deepin</literal> package set has been removed from + nixpkgs. It was a work in progress to package the + <link xlink:href="https://www.deepin.org/en/dde/">Deepin Desktop Environment (DDE)</link>, + including libraries, tools and applications, and it was still + missing a service to lauch the desktop environment. It has shown + to no longer be a feasible goal due to reasons discussed in + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/94870">issue #94870</link>. + The package <literal>netease-cloud-music</literal> has also been + removed, as it depends on libraries from deepin. + </para> + </listitem> + <listitem> + <para> + The <literal>opendkim</literal> module now uses systemd sandboxing features + to limit the exposure of the system towards the opendkim service. + </para> + </listitem> + </itemizedlist> + <itemizedlist> + <listitem> + <para /> + <para> + Kubernetes has been upgraded to 1.19.1, which also means that the + golang version to build it has been bumped to 1.15. This may have + consequences for your existing clusters and their certificates. Please + consider + <link xlink:href="https://relnotes.k8s.io/?markdown=93264"> + the release notes for Kubernetes 1.19 carefully + </link> + before upgrading. + </para> + </listitem> </itemizedlist> </section> </section> |
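Review bot: the option names in the systemd-networkd entry do not resolve as written. systemd.socket(5) spells the directive `ReceiveBuffer=` (K/M/G suffixes accepted), and the NixOS attribute for socket-unit directives is `systemd.sockets.<name>.socketConfig`, so `ReceiveBufferSize=` and `systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize` will fail for anyone who copies them; suggest giving the working form, e.g. `systemd.sockets.systemd-networkd.socketConfig.ReceiveBuffer = "256M";`. The monitoring advice also needs a caveat: in the sd-netlink source I know, "rtnl: kernel receive buffer overrun" is emitted at debug level, so administrators must raise the unit's log level (for example `systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";`) before the message becomes visible; otherwise dropped netlink messages and interfaces that silently fail to come up go unnoticed. Two wording fixes in the same paragraphs: "has it's netlink socket" should be "has its netlink socket", and "some of the message will be dropped" should be "messages".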
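Review bot: in the nextcloud entry, the third `<para>` ("The nixos-run-vms script now deletes the previous run machines states on test startup ...") has nothing to do with Nextcloud and will render as part of the Nextcloud upgrade advice; move it into its own `<listitem>`. While moving it, "deletes the previous run machines states" reads better as "deletes the state of the machines from the previous run".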
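Review bot: the defaultPackages entry refers to the options by leaf name only (`<option>defaultPackages</option>`, `<option>systemPackages</option>`), which is ambiguous and inconsistent with the rest of the file, where options are cited with their full path via `<link linkend="opt-...">`; suggest `<xref linkend="opt-environment.defaultPackages"/>` and `<xref linkend="opt-environment.systemPackages"/>`. The same applies to the undervolt entry, where `undervolt.useTimer` should read `services.undervolt.useTimer`. Since the point of setting `environment.defaultPackages = [ ]` is a smaller footprint on minimal or hardened hosts, it would also help to say that the breakage to expect is in tooling that shells out to `perl`, `rsync` or `strace` rather than the vague "some functionality".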
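Review bot: the opendkim entry announces systemd sandboxing but names neither the directives applied nor the escape hatch, so an operator whose signing keys or UNIX socket live outside the service's state directory cannot tell from the note whether the new restrictions will break signing; suggest listing the directives and the override to use (for example a `systemd.services.opendkim.serviceConfig.ReadWritePaths` entry for key or socket paths outside the state directory), in the same shape as the other sandboxing entries in this file. Typo in the deepin entry just above it: "lauch" should be "launch".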
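Review bot: the Kubernetes item is wrapped in a spurious `</itemizedlist>` / `<itemizedlist>` pair and opens with an empty `<para />`; drop both so it is simply the next `<listitem>` of the existing list. The entry should also say what "consequences for your existing clusters and their certificates" means, since the reader has to act on it before upgrading: Go 1.15 stops treating the X.509 CommonName as a hostname when a certificate has no Subject Alternative Names, so cluster certificates issued that way are rejected after the upgrade until they are reissued with SANs (the `GODEBUG=x509ignoreCN=0` setting only buys time). One sentence to that effect next to the link to the 1.19 release notes would turn a vague warning into a checklist item.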
