nixpkgs/nixos/doc/manual/release-notes/rl-2105.xml
2021-03-13 10:10:20 -05:00

879 lines
40 KiB
XML

<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-21.05">
<title>Release 21.05 (“Okapi”, 2021.05/??)</title>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-21.05-highlights">
<title>Highlights</title>
<para>
In addition to numerous new and upgraded packages, this release has the
following highlights:
</para>
<itemizedlist>
<listitem>
<para>
Support is planned until the end of December 2021, handing over to 21.11.
</para>
</listitem>
<listitem>
<para>GNOME desktop environment was upgraded to 3.38, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">release notes</link>.</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://www.gnuradio.org/">GNURadio</link> 3.8 was
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/82263">finally</link>
packaged, along with a rewrite to the Nix expressions, allowing users to
override the features upstream supports selecting to compile or not to.
Additionally, the attribute <code>gnuradio</code> and <code>gnuradio3_7</code>
now point to an externally wrapped by default derivations, that allow you to
also add `extraPythonPackages` to the Python interpreter used by GNURadio.
Missing environmental variables needed for operational GUI were also added
(<link xlink:href="https://github.com/NixOS/nixpkgs/issues/75478">#7547</link>).
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://www.privoxy.org/">Privoxy</link> has been updated
to version 3.0.32 (See <link xlink:href="https://lists.privoxy.org/pipermail/privoxy-announce/2021-February/000007.html">announcement</link>).
Compared to the previous release, Privoxy has gained support for HTTPS
inspection (still experimental), Brotli decompression, several new filters
and lots of bug fixes, including security ones. In addition, the package
is now built with compression and external filters support, which were
previously disabled.
</para>
<para>
Regarding the NixOS module, new options for HTTPS inspection have been added
and <option>services.privoxy.extraConfig</option> has been replaced by the new
<xref linkend="opt-services.privoxy.settings"/>
(See <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC 0042</link>
for the motivation).
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://kodi.tv/">Kodi</link> has been updated to version 19.0 "Matrix". See
the <link xlink:href="https://kodi.tv/article/kodi-190-matrix-release">announcement</link> for
further details.
</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-21.05-new-services">
<title>New Services</title>
<para>
The following new services were added since the last release:
</para>
<itemizedlist>
<listitem>
<para>
<link xlink:href="https://www.keycloak.org/">Keycloak</link>,
an open source identity and access management server with
support for <link
xlink:href="https://openid.net/connect/">OpenID Connect</link>,
<link xlink:href="https://oauth.net/2/">OAUTH 2.0</link> and
<link xlink:href="https://en.wikipedia.org/wiki/SAML_2.0">SAML
2.0</link>.
</para>
<para>
See the <link linkend="module-services-keycloak">Keycloak
section of the NixOS manual</link> for more information.
</para>
</listitem>
<listitem>
<para>
<xref linkend="opt-services.samba-wsdd.enable" /> Web Services Dynamic Discovery host daemon
</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-21.05-incompatibilities">
<title>Backward Incompatibilities</title>
<para>
When upgrading from a previous release, please be aware of the following
incompatible changes:
</para>
<itemizedlist>
<listitem>
<para>
If you are using <option>services.udev.extraRules</option> to assign
custom names to network interfaces, this may stop working due to a change
in the initialisation of dhcpcd and systemd networkd. To avoid this, either
move them to <option>services.udev.initrdRules</option> or see the new
<link linkend="sec-custom-ifnames">Assigning custom names</link> section
of the NixOS manual for an example using networkd links.
</para>
</listitem>
<listitem>
<para>
The <option>security.hideProcessInformation</option> module has been removed.
It was broken since the switch to cgroups-v2.
</para>
</listitem>
<listitem>
<para>
The <literal>systemConfig</literal> kernel parameter is no longer added to boot loader entries. It has been unused since September 2010, but if do have a system generation from that era, you will now be unable to boot into them.
</para>
</listitem>
<listitem>
<para>
<literal>systemd-journal2gelf</literal> no longer parses json and expects the receiving system to handle it. How to achieve this with Graylog is described in this <link xlink:href="https://github.com/parse-nl/SystemdJournal2Gelf/issues/10">GitHub issue</link>.
</para>
</listitem>
<listitem>
<para>
If the <varname>services.dbus</varname> module is enabled, then
the user D-Bus session is now always socket activated. The
associated options <varname>services.dbus.socketActivated</varname>
and <varname>services.xserver.startDbusSession</varname> have
therefore been removed and you will receive a warning if
they are present in your configuration. This change makes the
user D-Bus session available also for non-graphical logins.
</para>
</listitem>
<listitem>
<para>
The <varname>networking.wireless.iwd</varname> module now installs
the upstream-provided 80-iwd.link file, which sets the NamePolicy=
for all wlan devices to "keep kernel", to avoid race conditions
between iwd and networkd. If you don't want this, you can set
<literal>systemd.network.links."80-iwd" = lib.mkForce {}</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>rubyMinimal</literal> was removed due to being unused and
unusable. The default ruby interpreter includes JIT support, which makes
it reference it's compiler. Since JIT support is probably needed by some
Gems, it was decided to enable this feature with all cc references by
default, and allow to build a Ruby derivation without references to cc,
by setting <literal>jitSupport = false;</literal> in an overlay. See
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/90151">#90151</link>
for more info.
</para>
</listitem>
<listitem>
<para>
Setting <option>services.openssh.authorizedKeysFiles</option> now also affects which keys <option>security.pam.enableSSHAgentAuth</option> will use.
WARNING: If you are using these options in combination do make sure that any key paths you use are present in <option>services.openssh.authorizedKeysFiles</option>!
</para>
</listitem>
<listitem>
<para>
The option <option>fonts.enableFontDir</option> has been renamed to
<xref linkend="opt-fonts.fontDir.enable"/>. The path of font directory
has also been changed to <literal>/run/current-system/sw/share/X11/fonts</literal>,
for consistency with other X11 resources.
</para>
</listitem>
<listitem>
<para>
A number of options have been renamed in the kicad interface. <literal>oceSupport</literal>
has been renamed to <literal>withOCE</literal>, <literal>withOCCT</literal> has been renamed
to <literal>withOCC</literal>, <literal>ngspiceSupport</literal> has been renamed to
<literal>withNgspice</literal>, and <literal>scriptingSupport</literal> has been renamed to
<literal>withScripting</literal>. Additionally, <literal>kicad/base.nix</literal> no longer
provides default argument values since these are provided by
<literal>kicad/default.nix</literal>.
</para>
</listitem>
<listitem>
<para>
The socket for the <literal>pdns-recursor</literal> module was moved from <literal>/var/lib/pdns-recursor</literal>
to <literal>/run/pdns-recursor</literal> to match upstream.
</para>
</listitem>
<listitem>
<para>
Paperwork was updated to version 2. The on-disk format slightly changed,
and it is not possible to downgrade from Paperwork 2 back to Paperwork
1.3. Back your documents up before upgrading. See <link xlink:href="https://forum.openpaper.work/t/paperwork-2-0/112/5">this thread</link> for more details.
</para>
</listitem>
<listitem>
<para>
PowerDNS has been updated from <literal>4.2.x</literal> to <literal>4.3.x</literal>. Please
be sure to review the <link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#x-to-4-3-0">Upgrade Notes</link>
provided by upstream before upgrading. Worth specifically noting is that the service now runs
entirely as a dedicated <literal>pdns</literal> user, instead of starting as <literal>root</literal>
and dropping privileges, as well as the default <literal>socket-dir</literal> location changing from
<literal>/var/lib/powerdns</literal> to <literal>/run/pdns</literal>.
</para>
</listitem>
<listitem>
<para>
xfsprogs was update from 4.19 to 5.10. It now enables reflink support by default on filesystem creation.
Support for reflinks was added with an experimental status to kernel 4.9 and deemed stable in kernel 4.16.
If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than those, you need to format them
with <literal>mkfs.xfs -m reflink=0</literal>.
</para>
</listitem>
<listitem>
<para>
The uWSGI server is now built with POSIX capabilities. As a consequence,
root is no longer required in emperor mode and the service defaults to
running as the unprivileged <literal>uwsgi</literal> user. Any additional
capability can be added via the new option
<xref linkend="opt-services.uwsgi.capabilities"/>.
The previous behaviour can be restored by setting:
<programlisting>
<xref linkend="opt-services.uwsgi.user"/> = "root";
<xref linkend="opt-services.uwsgi.group"/> = "root";
<xref linkend="opt-services.uwsgi.instance"/> =
{
uid = "uwsgi";
gid = "uwsgi";
};
</programlisting>
</para>
<para>
Another incompatibility from the previous release is that vassals running under a
different user or group need to use <literal>immediate-{uid,gid}</literal>
instead of the usual <literal>uid,gid</literal> options.
</para>
</listitem>
<listitem>
<para>
<package>btc1</package> has been abandoned upstream, and removed.
</para>
</listitem>
<listitem>
<para>
<package>cpp_ethereum</package> (aleth) has been abandoned upstream, and removed.
</para>
</listitem>
<listitem>
<para>
<package>riak-cs</package> package removed along with <varname>services.riak-cs</varname> module.
</para>
</listitem>
<listitem>
<para>
<package>stanchion</package> package removed along with <varname>services.stanchion</varname> module.
</para>
</listitem>
<listitem>
<para>
<package>mutt</package> has been updated to a new major version (2.x), which comes with
some backward incompatible changes that are described in the
<link xlink:href="http://www.mutt.org/relnotes/2.0/">release notes for Mutt 2.0</link>.
</para>
</listitem>
<listitem>
<para>
<literal>vim</literal> switched to Python 3, dropping all Python 2 support.
</para>
</listitem>
<listitem>
<para>
<link linkend="opt-boot.zfs.forceImportAll">boot.zfs.forceImportAll</link>
previously did nothing, but has been fixed. However its default has been
changed to <literal>false</literal> to preserve the existing default
behaviour. If you have this explicitly set to <literal>true</literal>,
please note that your non-root pools will now be forcibly imported.
</para>
</listitem>
<listitem>
<para>
<package>openafs</package> now points to <package>openafs_1_8</package>,
which is the new stable release. OpenAFS 1.6 was removed.
</para>
</listitem>
<listitem>
<para>
MariaDB has been updated to 10.5.
Before you upgrade, it would be best to take a backup of your database and read
<link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/#incompatible-changes-between-104-and-105">
Incompatible Changes Between 10.4 and 10.5</link>.
After the upgrade you will need to run <literal>mysql_upgrade</literal>.
</para>
</listitem>
<listitem>
<para>
The TokuDB storage engine dropped in <package>mariadb</package> 10.5 and removed in <package>mariadb</package> 10.6.
It is recommended to switch to RocksDB. See also <link xlink:href="https://mariadb.com/kb/en/tokudb/">TokuDB</link> and
<link xlink:href="https://jira.mariadb.org/browse/MDEV-19780">MDEV-19780: Remove the TokuDB storage engine</link>.
</para>
</listitem>
<listitem>
<para>
The <literal>openldap</literal> module now has support for OLC-style
configuration, users of the <literal>configDir</literal> option may wish
to migrate. If you continue to use <literal>configDir</literal>, ensure that
<literal>olcPidFile</literal> is set to <literal>/run/slapd/slapd.pid</literal>.
</para>
<para>
As a result, <literal>extraConfig</literal> and <literal>extraDatabaseConfig</literal>
are removed. To help with migration, you can convert your <literal>slapd.conf</literal>
file to OLC configuration with the following script (find the location of this
configuration file by running <literal>systemctl status openldap</literal>, it is the
<literal>-f</literal> option.
</para>
<programlisting>
TMPDIR=$(mktemp -d)
slaptest -f /path/to/slapd.conf $TMPDIR
slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
</programlisting>
<para>
This will dump your current configuration in LDIF format, which should be
straightforward to convert into Nix settings. This does not show your schema
configuration, as this is unnecessarily verbose for users of the default schemas
and <literal>slaptest</literal> is buggy with schemas directly in the config file.
</para>
</listitem>
<listitem>
<para>
Amazon EC2 and OpenStack Compute (nova) images now re-fetch instance meta data and user data from the instance
metadata service (IMDS) on each boot. For example: stopping an EC2 instance, changing its user data, and
restarting the instance will now cause it to fetch and apply the new user data.
</para>
<warning>
<para>
Specifically, <literal>/etc/ec2-metadata</literal> is re-populated on each boot. Some NixOS scripts that read
from this directory are guarded to only run if the files they want to manipulate do not already exist, and so
will not re-apply their changes if the IMDS response changes. Examples: <literal>root</literal>'s SSH key is
only added if <literal>/root/.ssh/authorized_keys</literal> does not exist, and SSH host keys are only set from
user data if they do not exist in <literal>/etc/ssh</literal>.
</para>
</warning>
</listitem>
<listitem>
<para>
The <literal>rspamd</literal> services is now sandboxed. It is run as
a dynamic user instead of root, so secrets and other files may have to
be moved or their permissions may have to be fixed. The sockets are now
located in <literal>/run/rspamd</literal> instead of <literal>/run</literal>.
</para>
</listitem>
<listitem>
<para>
Enabling the Tor client no longer silently also enables and
configures Privoxy, and the
<varname>services.tor.client.privoxy.enable</varname> option has
been removed. To enable Privoxy, and to configure it to use
Tor's faster port, use the following configuration:
</para>
<programlisting>
<xref linkend="opt-services.privoxy.enable" /> = true;
<xref linkend="opt-services.privoxy.enableTor" /> = true;
</programlisting>
</listitem>
<listitem>
<para>
The <literal>services.tor</literal> module has a new exhaustively typed <xref linkend="opt-services.tor.settings" /> option following RFC 0042; backward compatibility with old options has been preserved when aliasing was possible.
The corresponding systemd service has been hardened,
but there is a chance that the service still requires more permissions,
so please report any related trouble on the bugtracker.
Onion services v3 are now supported in <xref linkend="opt-services.tor.relay.onionServices" />.
A new <xref linkend="opt-services.tor.openFirewall" /> option as been introduced for allowing connections on all the TCP ports configured.
</para>
</listitem>
<listitem>
<para>
The options <literal>services.slurm.dbdserver.storagePass</literal>
and <literal>services.slurm.dbdserver.configFile</literal> have been removed.
Use <literal>services.slurm.dbdserver.storagePassFile</literal> instead to provide the database password.
Extra config options can be given via the option <literal>services.slurm.dbdserver.extraConfig</literal>. The actual configuration file is created on the fly on startup of the service.
This avoids that the password gets exposed in the nix store.
</para>
</listitem>
<listitem>
<para>
The <literal>wafHook</literal> hook does not wrap Python anymore.
Packages depending on <literal>wafHook</literal> need to include any Python into their <literal>nativeBuildInputs</literal>.
</para>
</listitem>
<listitem>
<para>
Starting with version 1.7.0, the project formerly named <literal>CodiMD</literal>
is now named <literal>HedgeDoc</literal>.
New installations will no longer use the old name for users, state directories and such, this needs to be considered when moving state to a more recent NixOS installation.
Based on <xref linkend="opt-system.stateVersion" />, existing installations will continue to work.
</para>
</listitem>
<listitem>
<para>
The <package>fish-foreign-env</package> package has been replaced with
<package>fishPlugins.foreign-env</package>, in which the fish
functions have been relocated to the
<literal>vendor_functions.d</literal> directory to be loaded automatically.
</para>
</listitem>
<listitem>
<para>
The prometheus json exporter is now managed by the prometheus community. Together with additional features
some backwards incompatibilities were introduced.
Most importantly the exporter no longer accepts a fixed command-line parameter to specify the URL of the
endpoint serving JSON. It now expects this URL to be passed as an URL parameter, when scraping the exporter's
<literal>/probe</literal> endpoint.
In the prometheus scrape configuration the scrape target might look like this:
<programlisting>
http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint
</programlisting>
</para>
<para>
Existing configuration for the exporter needs to be updated, but can partially be re-used.
Documentation is available in the upstream repository and a small example for NixOS is available
in the corresponding NixOS test.
</para>
<para>
These changes also affect <xref linkend="opt-services.prometheus.exporters.rspamd.enable" />, which is
just a preconfigured instance of the json exporter.
</para>
<para>
For more information, take a look at the <link xlink:href="https://github.com/prometheus-community/json_exporter">
official documentation</link> of the json_exporter.
</para>
</listitem>
<listitem>
<para>
Androidenv was updated, removing the <literal>includeDocs</literal> and <literal>lldbVersions</literal>
arguments. Docs only covered a single version of the Android SDK, LLDB is now bundled with the NDK,
and both are no longer available to download from the Android package repositories. Additionally, since
the package lists have been updated, some older versions of Android packages may not be bundled. If you
depend on older versions of Android packages, we recommend overriding the repo.
</para>
<para>
Android packages are now loaded from a repo.json file created by parsing Android repo XML files. The arguments
<literal>repoJson</literal> and <literal>repoXmls</literal> have been added to allow overriding the built-in
androidenv repo.json with your own. Additionally, license files are now written to allow compatibility
with Gradle-based tools, and the <literal>extraLicenses</literal> argument has been added to accept more
SDK licenses if your project requires it. See the androidenv documentation for more details.
</para>
</listitem>
<listitem>
<para>
The attribute <varname>mpi</varname> is now consistently used to
provide a default, system-wide MPI implementation.
The default implementation is openmpi, which has been used before by
all derivations affects by this change.
Note that all packages that have used <varname>mpi ? null</varname> in the input
for optional MPI builds, have been changed to the boolean input paramater
<varname>useMpi</varname> to enable building with MPI.
Building all packages with <varname>mpich</varname> instead
of the default <varname>openmpi</varname> can now be achived like this:
<programlisting>
self: super:
{
mpi = super.mpich;
}
</programlisting>
</para>
</listitem>
<listitem>
<para>
The Searx module has been updated with the ability to configure the
service declaratively and uWSGI integration.
The option <literal>services.searx.configFile</literal> has been renamed
to <xref linkend="opt-services.searx.settingsFile"/> for consistency with
the new <xref linkend="opt-services.searx.settings"/>. In addition, the
<literal>searx</literal> uid and gid reservations have been removed
since they were not necessary: the service is now running with a
dynamically allocated uid.
</para>
</listitem>
<listitem>
<para>
The libinput module has been updated with the ability to configure mouse and touchpad settings separately.
The options in <literal>services.xserver.libinput</literal> have been renamed to <literal>services.xserver.libinput.touchpad</literal>,
while there is a new <literal>services.xserver.libinput.mouse</literal> for mouse related configuration.
</para>
<para>
Since touchpad options no longer apply to all devices, you may want to replicate your touchpad configuration in
mouse section.
</para>
</listitem>
<listitem>
<para>
ALSA OSS emulation (<varname>sound.enableOSSEmulation</varname>) is now disabled by default.
</para>
</listitem>
<listitem>
<para>
Thinkfan as been updated to <literal>1.2.x</literal>, which comes with a
new YAML based configuration format. For this reason, several NixOS options
of the thinkfan module have been changed to non-backward compatible types.
In addition, a new <xref linkend="opt-services.thinkfan.settings"/> option has
been added.
</para>
<para>
Please read the <link xlink:href="https://github.com/vmatare/thinkfan#readme">
thinkfan documentation</link> before updating.
</para>
</listitem>
<listitem>
<para>
Adobe Flash Player support has been dropped from the tree. In particular,
the following packages no longer support it:
<itemizedlist>
<listitem><simpara><package>chromium</package></simpara></listitem>
<listitem><simpara><package>firefox</package></simpara></listitem>
<listitem><simpara><package>qt48</package></simpara></listitem>
<listitem><simpara><package>qt5.qtwebkit</package></simpara></listitem>
</itemizedlist>
Additionally, packages <package>flashplayer</package> and
<package>hal-flash</package> were removed along with the
<varname>services.flashpolicyd</varname> module.
</para>
</listitem>
<listitem>
<para>
The <literal>security.rngd</literal> module has been removed.
It was disabled by default in 20.09 as it was functionally redundant
with krngd in the linux kernel. It is not necessary for any device that the kernel recognises
as an hardware RNG, as it will automatically run the krngd task to periodically collect random
data from the device and mix it into the kernel's RNG.
</para>
<para>
The default SMTP port for GitLab has been changed to
<literal>25</literal> from its previous default of
<literal>465</literal>. If you depended on this default, you
should now set the <xref linkend="opt-services.gitlab.smtp.port" />
option.
</para>
</listitem>
<listitem>
<para>
The default version of ImageMagick has been updated from 6 to 7.
You can use <package>imagemagick6</package>,
<package>imagemagick6_light</package>, and
<package>imagemagick6Big</package> if you need the older version.
</para>
</listitem>
<listitem>
<para>
<xref linkend="opt-services.xserver.videoDrivers" /> no longer uses the deprecated <literal>cirrus</literal> and <literal>vesa</literal> device dependent X drivers by default. It also enables both <literal>amdgpu</literal> and <literal>nouveau</literal> drivers by default now.
</para>
</listitem>
<listitem>
<para>
The <package>apacheKafka</package> packages are now built with
version-matched JREs. Versions 2.6 and above, the ones that recommend it,
use jdk11, while versions below remain on jdk8. The NixOS service has
been adjusted to start the service using the same version as the package,
adjustable with the new
<link linkend="opt-services.apache-kafka.jre">services.apache-kafka.jre</link>
option. Furthermore, the default list of
<link linkend="opt-services.apache-kafka.jvmOptions">services.apache-kafka.jvmOptions</link>
have been removed. You should set your own according to the
<link xlink:href="https://kafka.apache.org/documentation/#java">upstream documentation</link>
for your Kafka version.
</para>
</listitem>
<listitem>
<para>
The <package>kodi</package> package has been modified to allow concise addon management. Consider
the following configuration from previous releases of NixOS to install <package>kodi</package>,
including the <package>kodiPackages.inputstream-adaptive</package> and <package>kodiPackages.vfs-sftp</package>
addons:
<programlisting>
environment.systemPackages = [
pkgs.kodi
];
nixpkgs.config.kodi = {
enableInputStreamAdaptive = true;
enableVFSSFTP = true;
};
</programlisting>
All Kodi <literal>config</literal> flags have been removed, and as a result the above configuration
should now be written as:
<programlisting>
environment.systemPackages = [
(pkgs.kodi.withPackages (p: with p; [
inputstream-adaptive
vfs-sftp
]))
];
</programlisting>
</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-21.05-notable-changes">
<title>Other Notable Changes</title>
<itemizedlist>
<listitem>
<para>
<literal>stdenv.lib</literal> has been deprecated and will break
eval in 21.11. Please use <literal>pkgs.lib</literal> instead.
See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/108938">#108938</link>
for details.
</para>
</listitem>
<listitem>
<para>
The Mailman NixOS module (<literal>services.mailman</literal>) has a new
option <xref linkend="opt-services.mailman.enablePostfix" />, defaulting
to true, that controls integration with Postfix.
</para>
<para>
If this option is disabled, default MTA config becomes not set and you
should set the options in <literal>services.mailman.settings.mta</literal>
according to the desired configuration as described in
<link xlink:href="https://mailman.readthedocs.io/en/latest/src/mailman/docs/mta.html">Mailman documentation</link>.
</para>
</listitem>
<listitem>
<para>
The default-version of <literal>nextcloud</literal> is <package>nextcloud21</package>.
Please note that it's <emphasis>not</emphasis> possible to upgrade <literal>nextcloud</literal>
across multiple major versions! This means that it's e.g. not possible to upgrade
from <package>nextcloud18</package> to <package>nextcloud20</package> in a single deploy and
most <literal>20.09</literal> users will have to upgrade to <package>nextcloud20</package>
first.
</para>
<para>
The package can be manually upgraded by setting <xref linkend="opt-services.nextcloud.package" />
to <package>nextcloud21</package>.
</para>
</listitem>
<listitem>
<para>
The setting <xref linkend="opt-services.redis.bind" /> defaults to <literal>127.0.0.1</literal> now, making Redis listen on the loopback interface only, and not all public network interfaces.
</para>
</listitem>
<listitem>
<para>
NixOS now emits a deprecation warning if systemd's <literal>StartLimitInterval</literal> setting is used in a <literal>serviceConfig</literal> section instead of in a <literal>unitConfig</literal>; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/45785">#45785</link> for details.
</para>
<para>
All services should use <xref linkend="opt-systemd.services._name_.startLimitIntervalSec" /> or <literal>StartLimitIntervalSec</literal> in <xref linkend="opt-systemd.services._name_.unitConfig" /> instead.
</para>
</listitem>
<listitem>
<para>
The Unbound DNS resolver service (<literal>services.unbound</literal>) has been refactored to allow reloading, control sockets and to fix startup ordering issues.
</para>
<para>
It is now possible to enable a local UNIX control socket for unbound by setting the <xref linkend="opt-services.unbound.localControlSocketPath" />
option.
</para>
<para>
Previously we just applied a very minimal set of restrictions and
trusted unbound to properly drop root privs and capabilities.
</para>
<para>
As of this we are (for the most part) just using the upstream
example unit file for unbound. The main difference is that we start
unbound as <literal>unbound</literal> user with the required capabilities instead of
letting unbound do the chroot &amp; uid/gid changes.
</para>
<para>
The upstream unit configuration this is based on is a lot stricter with
all kinds of permissions then our previous variant. It also came with
the default of having the <literal>Type</literal> set to <literal>notify</literal>, therefore we are now also
using the <literal>unbound-with-systemd</literal> package here. Unbound will start up,
read the configuration files and start listening on the configured ports
before systemd will declare the unit <literal>active (running)</literal>.
This will likely help with startup order and the occasional race condition during system
activation where the DNS service is started but not yet ready to answer
queries. Services depending on <literal>nss-lookup.target</literal> or <literal>unbound.service</literal>
are now be able to use unbound when those targets have been reached.
</para>
<para>
Aditionally to the much stricter runtime environmet the
<literal>/dev/urandom</literal> mount lines we previously had in the code (that would
randomly failed during the stop-phase) have been removed as systemd will take care of those for us.
</para>
<para>
The <literal>preStart</literal> script is now only required if we enabled the trust
anchor updates (which are still enabled by default).
</para>
<para>
Another benefit of the refactoring is that we can now issue reloads via
either <literal>pkill -HUP unbound</literal> and <literal>systemctl reload unbound</literal> to reload the
running configuration without taking the daemon offline. A prerequisite
of this was that unbound configuration is available on a well known path
on the file system. We are using the path <literal>/etc/unbound/unbound.conf</literal> as that is the
default in the CLI tooling which in turn enables us to use
<literal>unbound-control</literal> without passing a custom configuration location.
</para>
</listitem>
<listitem>
<para>
The <literal>services.dnscrypt-proxy2</literal> module now takes the upstream's example configuration and updates it with the user's settings.
An option has been added to restore the old behaviour if you prefer to declare the configuration from scratch.
</para>
</listitem>
<listitem>
<para>
NixOS now defaults to the unified cgroup hierarchy (cgroupsv2).
See the <link xlink:href="https://www.redhat.com/sysadmin/fedora-31-control-group-v2">Fedora Article for 31</link>
for details on why this is desirable, and how it impacts containers.
</para>
<para>
If you want to run containers with a runtime that does not yet support cgroupsv2,
you can switch back to the old behaviour by setting
<xref linkend="opt-systemd.enableUnifiedCgroupHierarchy"/> = <literal>false</literal>;
and rebooting.
</para>
</listitem>
<listitem>
<para>
PulseAudio was upgraded to 14.0, with changes to the handling of default sinks.
See its <link xlink:href="https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/14.0/">release notes</link>.
</para>
<para>
GNOME users may wish to delete their <literal>~/.config/pulse</literal> due to the changes to stream routing
logic. See <link xlink:href="https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/issues/832">PulseAudio bug 832</link>
for more information.
</para>
</listitem>
<listitem>
<para>
The <package>zookeeper</package> package does not provide
<literal>zooInspector.sh</literal> anymore, as that "contrib" has
been dropped from upstream releases.
</para>
</listitem>
<listitem>
<para>
In the ACME module, the data used to build the hash for the account
directory has changed to accomodate new features to reduce account
rate limit issues. This will trigger new account creation on the first
rebuild following this update. No issues are expected to arise from this,
thanks to the new account creation handling.
</para>
</listitem>
<listitem>
<para>
<xref linkend="opt-users.users._name_.createHome" /> now always ensures home directory permissions to be <literal>0700</literal>.
Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others.
The option's description was incorrect regarding ownership management and has been simplified greatly.
</para>
</listitem>
<listitem>
<para>
The GNOME desktop manager once again installs <package>gnome3.epiphany</package> by default.
</para>
</listitem>
<listitem>
<para>
NixOS now generates empty <literal>/etc/netgroup</literal>.
<literal>/etc/netgroup</literal> defines network-wide groups and may affect to setups using NIS.
</para>
</listitem>
<listitem>
<para>
Platforms, like <varname>stdenv.hostPlatform</varname>, no longer have a <varname>platform</varname> attribute.
It has been (mostly) flattoned away:
</para>
<itemizedlist>
<listitem><para><varname>platform.gcc</varname> is now <varname>gcc</varname></para></listitem>
<listitem><para><literal>platform.kernel*</literal> is now <literal>linux-kernel.*</literal></para></listitem>
</itemizedlist>
<para>
Additionally, <varname>platform.kernelArch</varname> moved to the top level as <varname>linuxArch</varname> to match the other <literal>*Arch</literal> variables.
</para>
<para>
The <varname>platform</varname> grouping of these things never meant anything, and was just a historial/implementation artifact that was overdue removal.
</para>
</listitem>
<listitem>
<para>
<varname>services.restic</varname> now uses a dedicated cache directory for every backup defined in <varname>services.restic.backups</varname>. The old global cache directory, <literal>/root/.cache/restic</literal>, is now unused and can be removed to free up disk space.
</para>
</listitem>
<listitem>
<para>
<literal>isync</literal>: The <literal>isync</literal> compatibility wrapper was removed and the Master/Slave
terminology has been deprecated and should be replaced with Far/Near in the configuration file.
</para>
</listitem>
<listitem>
<para>
The nix-gc service now accepts randomizedDelaySec (default: 0) and persistent (default: true) parameters.
By default nix-gc will now run immediately if it would have been triggered at least
once during the time when the timer was inactive.
</para>
</listitem>
<listitem>
<para>
The <literal>rustPlatform.buildRustPackage</literal> function is split into several hooks:
<package>cargoSetupHook</package> to set up vendoring for Cargo-based projects,
<package>cargoBuildHook</package> to build a project using Cargo,
<package>cargoInstallHook</package> to install a project using Cargo, and
<package>cargoCheckHook</package> to run tests in Cargo-based projects. With this change,
mixed-language projects can use the relevant hooks within builders other than
<literal>buildRustPackage</literal>. However, these changes also required several API changes to
<literal>buildRustPackage</literal> itself:
<itemizedlist>
<listitem>
<para>
The <literal>target</literal> argument was removed. Instead, <literal>buildRustPackage</literal>
will always use the same target as the C/C++ compiler that is used.
</para>
</listitem>
<listitem>
<para>
The <literal>cargoParallelTestThreads</literal> argument was removed. Parallel tests are
now disabled through <literal>dontUseCargoParallelTests</literal>.
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
<listitem>
<para>
The <literal>rustPlatform.maturinBuildHook</literal> hook was added. This hook can be used
with <literal>buildPythonPackage</literal> to build Python packages that are written in Rust
and use Maturin as their build tool.
</para>
</listitem>
<listitem>
<para>
Kubernetes has <link xlink:href="https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/">deprecated docker</link> as container runtime.
As a consequence, the Kubernetes module now has support for configuration of custom remote container runtimes and enables containerd by default.
Note that containerd is more strict regarding container image OCI-compliance.
As an example, images with CMD or ENTRYPOINT defined as strings (not lists) will fail on containerd, while working fine on docker.
Please test your setup and container images with containerd prior to upgrading.
</para>
</listitem>
</itemizedlist>
</section>
</section>