nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md

Release 23.11 (“Tapir”, 2023.11/??)

Highlights

• FoundationDB now defaults to major version 7.

• Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the hostapd package, along with a significant rework of the hostapd module.

• LXD now supports virtual machine instances to complement the existing container support

• The nixos-rebuild command has been given a list-generations subcommand. See man nixos-rebuild for more details.

New Services

• MCHPRS, a multithreaded Minecraft server built for redstone. Available as services.mchprs.

• acme-dns, a limited DNS server to handle ACME DNS challenges easily and securely. Available as services.acme-dns.

• river, A dynamic tiling wayland compositor. Available as programs.river.

• wayfire, A modular and extensible wayland compositor. Available as programs.wayfire.

• mautrix-whatsapp A Matrix-WhatsApp puppeting bridge

• hddfancontrol, a service to regulate fan speeds based on hard drive temperature. Available as services.hddfancontrol.

• GoToSocial, an ActivityPub social network server, written in Golang. Available as services.gotosocial.

• Typesense, a fast, typo-tolerant search engine for building delightful search experiences. Available as services.typesense.

• NS-USBLoader, an all-in-one tool for managing Nintendo Switch homebrew. Available as programs.ns-usbloader.

• Mobilizon, a Fediverse platform for publishing events.

• Anuko Time Tracker, a simple, easy to use, open source time tracking system. Available as services.anuko-time-tracker.

• Prometheus MySQL exporter, a MySQL server exporter for Prometheus. Available as services.prometheus.exporters.mysqld.

• sitespeed-io, a tool that can generate metrics (timings, diagnostics) for websites. Available as services.sitespeed-io.

• stalwart-mail, an all-in-one email server (SMTP, IMAP, JMAP). Available as services.stalwart-mail.

• Jool, a kernelspace NAT64 and SIIT implementation, providing translation between IPv4 and IPv6. Available as networking.jool.enable.

• Apache Guacamole, a cross-platform, clientless remote desktop gateway. Available as services.guacamole-server and services.guacamole-client services.

• pgBouncer, a PostgreSQL connection pooler. Available as services.pgbouncer.

• trust-dns, a Rust based DNS server built to be safe and secure from the ground up. Available as services.trust-dns.

• osquery, a SQL powered operating system instrumentation, monitoring, and analytics.

• ebusd, a daemon for handling communication with eBUS devices connected to a 2-wire bus system (“energy bus” used by numerous heating systems). Available as services.ebusd.

• systemd-sysupdate, atomically updates the host OS, container images, portable service images or other sources. Available as systemd.sysupdate.

• eris-server. ERIS is an encoding for immutable storage and this server provides block exchange as well as content decoding over HTTP and through a FUSE file-system. Available as services.eris-server.

• hardware/infiniband.nix adds infiniband subnet manager support using an opensm systemd-template service, instantiated on card guids. The module also adds kernel modules and cli tooling to help administrators debug and measure performance. Available as hardware.infiniband.enable.

• Honk, a complete ActivityPub server with minimal setup and support costs. Available as services.honk.

• NNCP. Added nncp-daemon and nncp-caller services. Configuration is set with programs.nncp.settings and the daemons are enabled at services.nncp.

Backward Incompatibilities

• The boot.loader.raspberryPi options have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs (before mid-2019) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices.

• python3.pkgs.sequoia was removed in favor of python3.pkgs.pysequoia. The latter package is based on upstream's dedicated repository for sequoia's Python bindings, where the Python bindings from gitlab:sequoia-pgp/sequoia were removed long ago.

• writeTextFile now requires executable to be boolean, values like null or "" will now fail to evaluate.

• The latest version of clonehero now stores custom content in ~/.clonehero. See the migration instructions. Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in ~/.config/unity3d/srylain Inc_/Clone Hero.

• The services.hostapd module was rewritten to support passwordFile like options, WPA3-SAE, and management of multiple interfaces. This breaks compatibility with older configurations.

  • hostapd is now started with additional systemd sandbox/hardening options for better security.
  • services.hostapd.interface was replaced with a per-radio and per-bss configuration scheme using services.hostapd.radios.
  • services.hostapd.wpa has been replaced by services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword and services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords which configure WPA2-PSK and WP3-SAE respectively.
  • The default authentication has been changed to WPA3-SAE. Options for other (legacy) schemes are still available.

• python3.pkgs.fetchPypi (and python3Packages.fetchPypi) has been deprecated in favor of top-level fetchPypi.

• pass now does not contain password-store.el. Users should get password-store.el from Emacs lisp package set emacs.pkgs.password-store.

• mu now does not install mu4e files by default. Users should get mu4e from Emacs lisp package set emacs.pkgs.mu4e.

• mariadb now defaults to mariadb_1011 instead of mariadb_106, meaning the default version was upgraded from 10.6.x to 10.11.x. See the upgrade notes for potential issues.

• getent has been moved from glibc's bin output to its own dedicated output, reducing closure size for many dependents. Dependents using the getent alias should not be affected; others should move from using glibc.bin or getBin glibc to getent (which also improves compatibility with non-glibc platforms).

• The users.users.<name>.passwordFile has been renamed to users.users.<name>.hashedPasswordFile to avoid possible confusions. The option is in fact the file-based version of hashedPassword, not password, and expects a file containing the {manpage}crypt(3) hash of the user password.

• The services.ananicy.extraRules option now has the type of listOf attrs instead of string.

• JACK tools (jack_* except jack_control) have moved from the jack2 package to jack-example-tools

• The matrix-synapse package & module have undergone some significant internal changes, for most setups no intervention is needed, though:

  • The option services.matrix-synapse.package is now read-only. For modifying the package, use an overlay which modifies matrix-synapse-unwrapped instead. More on that below.
  • The enableSystemd & enableRedis arguments have been removed and matrix-synapse has been renamed to matrix-synapse-unwrapped. Also, several optional dependencies (such as psycopg2 or authlib) have been removed.
  • These optional dependencies are automatically added via a wrapper (pkgs.matrix-synapse.override { extras = ["redis"]; } for hiredis & txredisapi for instance) if the relevant config section is declared in services.matrix-synapse.settings. For instance, if services.matrix-synapse.settings.redis.enabled is set to true, "redis" will be automatically added to the extras list of pkgs.matrix-synapse.
  • A list of all extras (and the extras enabled by default) can be found at the option's reference for services.matrix-synapse.extras.
  • In some cases (e.g. for running synapse workers) it was necessary to re-use the PYTHONPATH of matrix-synapse.service's environment to have all plugins available. This isn't necessary anymore, instead config.services.matrix-synapse.package can be used as it points to the wrapper with properly configured extras and also all plugins defined via services.matrix-synapse.plugins available. This is also the reason for why the option is read-only now, it's supposed to be set by the module only.

• etcd has been updated to 3.5, you will want to read the 3.3 to 3.4 and 3.4 to 3.5 upgrade guides

• gitlab installations created or updated between versions [15.11.0, 15.11.2] have an incorrect database schema. This will become a problem when upgrading to gitlab >=16.2.0. A workaround for affected users can be found in the GitLab docs.

• consul has been updated to 1.16.0. See the release note for more details. Once a new Consul version has started and upgraded its data directory, it generally cannot be downgraded to the previous version.

• himalaya has been updated to 0.8.0, which drops the native TLS support (in favor of Rustls) and add OAuth 2.0 support. See the release note for more details.

• The services.caddy.acmeCA option now defaults to null instead of "https://acme-v02.api.letsencrypt.org/directory", to use all of Caddy's default ACME CAs and enable Caddy's automatic issuer fallback feature by default, as recommended by upstream.

• The default priorities of services.nextcloud.phpOptions have changed. This means that e.g. services.nextcloud.phpOptions."opcache.interned_strings_buffer" = "23"; doesn't discard all of the other defaults from this option anymore. The attribute values of phpOptions are still defaults, these can be overridden as shown here.

  To override all of the options (including including upload_max_filesize, post_max_size and memory_limit which all point to services.nextcloud.maxUploadSize by default) can be done like this:

  {
    services.nextcloud.phpOptions = lib.mkForce {
      /* ... */
    };
  }
  

• php80 is no longer supported due to upstream not supporting this version anymore.

• PHP now defaults to PHP 8.2, updated from 8.1.

• The ISC DHCP package and corresponding module have been removed, because they are end of life upstream. See https://www.isc.org/blogs/isc-dhcp-eol/ for details and switch to a different DHCP implementation like kea or dnsmasq.

• prometheus-unbound-exporter has been replaced by the Let's Encrypt maintained version, since the previous version was archived. This requires some changes to the module configuration, most notable controlInterface needs migration towards unbound.host and requires either the tcp:// or unix:// URI scheme.

• odoo now defaults to 16, updated from 15.

• util-linux is now supported on Darwin and is no longer an alias to unixtools. Use the unixtools.util-linux package for access to the Apple variants of the utilities.

• services.keyd changed API. Now you can create multiple configuration files.

• baloo, the file indexer/search engine used by KDE now has a patch to prevent files from constantly being reindexed when the device ids of the their underlying storage changes. This happens frequently when using btrfs or LVM. The patch has not yet been accepted upstream but it provides a significantly improved experience. When upgrading, reset baloo to get a clean index: balooctl disable ; balooctl purge ; balooctl enable.

• services.ddclient has been removed on the request of the upstream maintainer because it is unmaintained and has bugs. Please switch to a different software like inadyn or knsupdate.

• The vlock program from the kbd package has been moved into its own package output and should now be referenced explicitly as kbd.vlock or replaced with an alternative such as the standalone vlock package or physlock.

• fileSystems.<name>.autoFormat now uses systemd-makefs, which does not accept formatting options. Therefore, fileSystems.<name>.formatOptions has been removed.

• fileSystems.<name>.autoResize now uses systemd-growfs to resize the file system online in stage 2. This means that f2fs and ext2 can no longer be auto resized, while xfs and btrfs now can be.

• The services.vaultwarden.config option default value was changed to make Vaultwarden only listen on localhost, following the secure defaults for most NixOS services.

• services.lemmy.settings.federation was removed in 0.17.0 and no longer has any effect. To enable federation, the hostname must be set in the configuration file and then federation must be enabled in the admin web UI. See the release notes for more details.

• pict-rs was upgraded from 0.3 to 0.4 and contains an incompatible database & configuration change. To upgrade on systems with stateVersion = "23.05"; or older follow the migration steps from https://git.asonix.dog/asonix/pict-rs#user-content-0-3-to-0-4-migration-guide and set services.pict-rs.package = pkgs.pict-rs;.

• The following packages in haskellPackages have now a separate bin output: cabal-fmt, calligraphy, eventlog2html, ghc-debug-brick, hindent, nixfmt, releaser. This means you need to replace e.g. "${pkgs.haskellPackages.nixfmt}/bin/nixfmt" with "${lib.getBin pkgs.haskellPackages.nixfmt}/bin/nixfmt" or "${lib.getExe pkgs.haskellPackages.nixfmt}". The binaries also won’t be in scope if you rely on them being installed e.g. via ghcWithPackages. environment.packages picks the bin output automatically, so for normal installation no intervention is required. Also, toplevel attributes like pkgs.nixfmt are not impacted negatively by this change.

• spamassassin no longer supports the Hashcash module. The module needs to be removed from the loadplugin list if it was copied over from the default initPreConf option.

• services.outline.sequelizeArguments has been removed, as outline no longer executes database migrations via the sequelize cli.

• The binary of the package cloud-sql-proxy has changed from cloud_sql_proxy to cloud-sql-proxy.

• The woodpecker-* CI packages have been updated to 1.0.0. This release is wildly incompatible with the 0.15.X versions that were previously packaged. Please read upstream's documentation to learn how to update your CI configurations.

• The Caddy module gained a new option named services.caddy.enableReload which is enabled by default. It allows reloading the service instead of restarting it, if only a config file has changed. This option must be disabled if you have turned off the Caddy admin API. If you keep this option enabled, you should consider setting grace_period to a non-infinite value to prevent Caddy from delaying the reload indefinitely.

• mdraid support is now optional. This reduces initramfs size and prevents the potentially undesired automatic detection and activation of software RAID pools. It is disabled by default in new configurations (determined by stateVersion), but the appropriate settings will be generated by nixos-generate-config when installing to a software RAID device, so the standard installation procedure should be unaffected. If you have custom configs relying on mdraid, ensure that you use stateVersion correctly or set boot.swraid.enable manually. On systems with an updated stateVersion we now also emit warnings if mdadm.conf does not contain the minimum required configuration necessary to run the dynamically enabled monitoring daemons.

• The go-ethereum package has been updated to v1.12.0. This drops support for proof-of-work. Its GraphQL API now encodes all numeric values as hex strings and the GraphQL UI is updated to version 2.0. The default database has changed from leveldb to pebble but leveldb can be forced with the --db.engine=leveldb flag. The checkpoint-admin command was removed along with trusted checkpoints.

• The aseprite-unfree package has been upgraded from 1.2.16.3 to 1.2.40. The free version of aseprite has been dropped because it is EOL and the package attribute now points to the unfree version. A maintained fork of the last free version of Aseprite, named 'LibreSprite', is available in the libresprite package.

• The default kops version is now 1.27.0 and support for 1.24 and older has been dropped.

• pharo has been updated to latest stable (PharoVM 10.0.5), which is compatible with the latest stable and oldstable images (Pharo 10 and 11). The VM in question is the 64bit Spur. The 32bit version has been dropped due to lack of maintenance. The Cog VM has been deleted because it is severily outdated. Finally, the pharo-launcher package has been deleted because it was not compatible with the newer VM, and due to lack of maintenance.

• Emacs mainline version 29 was introduced. This new version includes many major additions, most notably tree-sitter support (enabled by default) and the pgtk variant (useful for Wayland users), which is available under the attribute emacs29-pgtk.

• Emacs macport version 29 was introduced.

• The option services.networking.networkmanager.enableFccUnlock was removed in favor of networking.networkmanager.fccUnlockScripts, which allows specifying unlock scripts explicitly. The previous option simply did enable all unlock scripts bundled with ModemManager, which is risky, and didn't allow using vendor-provided unlock scripts at all.

• The html-proofer package has been updated from major version 3 to major version 5, which includes breaking changes.

• kratos has been updated from 0.10.1 to the first stable version 1.0.0, please read the 0.10.1 to 0.11.0, 0.11.0 to 0.11.1, 0.11.1 to 0.13.0 and 0.13.0 to 1.0.0 upgrade guides. The most notable breaking change is the introduction of one-time passwords (code) and update of the default recovery strategy from link to code.

• The hail NixOS module was removed, as hail was unmaintained since 2017.

• Package noto-fonts-emoji was renamed to noto-fonts-color-emoji; see #221181.

• Package pash was removed due to being archived upstream. Use powershell as an alternative.

Other Notable Changes

• The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ]; from your NixOS configuration.

• GNOME, Pantheon, Cinnamon module no longer forces Qt applications to use Adwaita style since it was buggy and is no longer maintained upstream (specifically, Cinnamon now defaults to the gtk2 style instead, following the default in Linux Mint). If you still want it, you can add the following options to your configuration but it will probably be eventually removed:

  qt = {
    enable = true;
    platformTheme = "gnome";
    style = "adwaita";
  };
  

• fontconfig now defaults to using greyscale antialiasing instead of subpixel antialiasing because of a recommendation from one of the downstreams. You can change this value by configuring accordingly.

• The latest available version of Nextcloud is v27 (available as pkgs.nextcloud27). The installation logic is as follows:

  • If services.nextcloud.package is specified explicitly, this package will be installed (recommended)
  • If system.stateVersion is >=23.11, pkgs.nextcloud27 will be installed by default.
  • If system.stateVersion is >=23.05, pkgs.nextcloud26 will be installed by default.
  • Please note that an upgrade from v25 (or older) to v27 directly is not possible. Please upgrade to nextcloud26 (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring services.nextcloud.package = pkgs.nextcloud26;.

• New options were added to services.searx for better SearXNG support, including options for the built-in rate limiter and bot protection and automatically configuring a local redis server.

• A new option was added to the virtualisation module that enables specifying explicitly named network interfaces in QEMU VMs. The existing virtualisation.vlans is still supported for cases where the name of the network interface is irrelevant.

• DocBook option documentation is no longer supported, all module documentation now uses markdown.

• buildGoModule go-modules attrs have been renamed to goModules.

• The fonts.fonts and fonts.enableDefaultFonts options have been renamed to fonts.packages and fonts.enableDefaultPackages respectively.

• services.fail2ban.jails can now be configured with attribute sets defining settings and filters instead of lines. The stringed options daemonConfig and extraSettings have respectively been replaced by daemonSettings and jails.DEFAULT.settings which use attribute sets.

• The application firewall opensnitch now uses the process monitor method eBPF as default as recommended by upstream. The method can be changed with the setting services.opensnitch.settings.ProcMonitorMethod.

• The module services.ankisyncd has been switched to anki-sync-server-rs from the old python version, which was difficult to update, had not been updated in a while, and did not support recent versions of anki. Unfortunately all servers supporting new clients (newer version of anki-sync-server, anki's built in sync server and this new rust package) do not support the older sync protocol that was used in the old server, so such old clients will also need updating and in particular the anki package in nixpkgs is also being updated in this release. The module update takes care of the new config syntax and the data itself (user login and cards) are compatible, so users of the module will be able to just log in again after updating both client and server without any extra action.

• services.nginx gained a defaultListen option at server-level with support for PROXY protocol listeners, also proxyProtocol is now exposed in services.nginx.virtualHosts.<name>.listen option. It is now possible to run PROXY listeners and non-PROXY listeners at a server-level, see #213510 for more details.

• services.restic.backups now adds wrapper scripts to your system path, which set the same environment variables as the service, so restic operations can easly be run from the command line. This behavior can be disabled by setting createWrapper to false, per backup configuration.

• services.prometheus.exporters has a new exporter to monitor electrical power consumption based on PowercapRAPL sensor called Scaphandre, see #239803 for more details.

• The MariaDB C client library was upgraded from 3.2.x to 3.3.x. It is recomended to review the upstream release notes.

• The module services.calibre-server has new options to configure the host, port, auth.enable, auth.mode and auth.userDb path, see #216497 for more details.

• services.prometheus.exporters has a new exporter to monitor PHP-FPM processes, see #240394 for more details.

• services.github-runner / services.github-runners.<name> gained the option nodeRuntimes. The option defaults to [ "node20" ], i.e., the service supports Node.js 20 GitHub Actions only. The list of Node.js versions accepted by nodeRuntimes tracks the versions the upstream GitHub Actions runner supports. See #249103 for details.

• programs.gnupg.agent.pinentryFlavor is now set in /etc/gnupg/gpg-agent.conf, and will no longer take precedence over a pinentry-program set in ~/.gnupg/gpg-agent.conf.

• dockerTools.buildImage, dockerTools.buildLayeredImage and dockerTools.streamLayeredImage now use lib.makeOverridable to allow dockerTools-based images to be customized more efficiently at the nix-level.

• services.influxdb2 now supports doing an automatic initial setup and provisioning of users, organizations, buckets and authentication tokens, see #249502 for more details.

• wrapHelm now exposes passthru.pluginsDir which can be passed to helmfile. For convenience, a top-level package helmfile-wrapped has been added, which inherits passthru.pluginsDir from kubernetes-helm-wrapped. See #217768 for details.

• boot.initrd.network.udhcp.enable allows control over dhcp during stage 1 regardless of what networking.useDHCP is set to.

• Suricata was upgraded from 6.0 to 7.0 and no longer considers HTTP/2 support as experimental, see upstream release notes for more details.

• networking.nftables now has the option networking.nftables.table.<table> to create tables and have them be updated atomically, instead of flushing the ruleset.

• networking.nftables is no longer flushing all rulesets on every reload. Use networking.nftables.flushRuleset = true; to get back the old behaviour.

• The cawbird package is dropped from nixpkgs, as it got broken by the Twitter API closing down and has been abandoned upstream.

• hardware.nvidia gained datacenter options for enabling NVIDIA Data Center drivers and configuration of NVLink/NVSwitch topologies through nv-fabricmanager.

• Certificate generation via the security.acme now limits the concurrent number of running certificate renewals and generation jobs, to avoid spiking resource usage when processing many certificates at once. The limit defaults to 5 and can be adjusted via maxConcurrentRenewals. Setting it to 0 disables the limits altogether.

• New boot.bcache.enable (default enabled) allows completely removing bcache mount support.

Nixpkgs internals

• The use of sourceRoot = "source";, sourceRoot = "source/subdir";, and similar lines in package derivations using the default unpackPhase is deprecated as it requires unpackPhase to always produce a directory named "source". Use sourceRoot = src.name, sourceRoot = "${src.name}/subdir";, or setSourceRoot = "sourceRoot=$(echo */subdir)"; or similar instead.

• The django alias in the python package set was upgraded to Django 4.x. Applications that consume Django should always pin their python environment to a compatible major version, so they can move at their own pace.

  python = python3.override {
    packageOverrides = self: super: {
      django = super.django_3;
    };
  };
  

• The qemu-vm.nix module by default now identifies block devices via persistent names available in /dev/disk/by-*. Because the rootDevice is identfied by its filesystem label, it needs to be formatted before the VM is started. The functionality of automatically formatting the rootDevice in the initrd is removed from the QEMU module. However, for tests that depend on this functionality, a test utility for the scripted initrd is added (nixos/tests/common/auto-format-root-device.nix). To use this in a NixOS test, import the module, e.g. imports = [ ./common/auto-format-root-device.nix ]; When you use the systemd initrd, you can automatically format the root device by setting virtualisation.fileSystems."/".autoFormat = true;.

• The electron packages now places its application files in $out/libexec/electron instead of $out/lib/electron. Packages using electron-builder will fail to build and need to be adjusted by changing lib to libexec.