8a76f5d811
This is a fixup of 9728907c
1244 lines
51 KiB
XML
1244 lines
51 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
|
||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
version="5.0"
|
||
xml:id="sec-release-20.03">
|
||
<title>Release 20.03 (“Markhor”, 2020.04/20)</title>
|
||
|
||
<section xmlns="http://docbook.org/ns/docbook"
|
||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
version="5.0"
|
||
xml:id="sec-release-20.03-highlights">
|
||
<title>Highlights</title>
|
||
|
||
<para>
|
||
In addition to numerous new and upgraded packages, this release has the
|
||
following highlights:
|
||
</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
Support is planned until the end of October 2020, handing over to 20.09.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>Core version changes:</para>
|
||
<para>gcc: 8.3.0 -> 9.2.0</para>
|
||
<para>glibc: 2.27 -> 2.30</para>
|
||
<para>linux: 4.19 -> 5.4</para>
|
||
<para>mesa: 19.1.5 -> 19.3.3</para>
|
||
<para>openssl: 1.0.2u -> 1.1.1d</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>Desktop version changes:</para>
|
||
<para>plasma5: 5.16.5 -> 5.17.5</para>
|
||
<para>kdeApplications: 19.08.2 -> 19.12.3</para>
|
||
<para>gnome3: 3.32 -> 3.34</para>
|
||
<para>pantheon: 5.0 -> 5.1.3</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Linux kernel is updated to branch 5.4 by default (from 4.19).
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Postgresql for NixOS service now defaults to v11.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The graphical installer image starts the graphical session automatically.
|
||
Before you'd be greeted by a tty and asked to enter <command>systemctl start display-manager</command>.
|
||
It is now possible to disable the display-manager from running by selecting the <literal>Disable display-manager</literal>
|
||
quirk in the boot menu.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
GNOME 3 has been upgraded to 3.34. Please take a look at their
|
||
<link xlink:href="https://help.gnome.org/misc/release-notes/3.34">Release Notes</link>
|
||
for details.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
If you enable the Pantheon Desktop Manager via
|
||
<xref linkend="opt-services.xserver.desktopManager.pantheon.enable" />, we now default to also use
|
||
<link xlink:href="https://blog.elementary.io/say-hello-to-the-new-greeter/">
|
||
Pantheon's newly designed greeter
|
||
</link>.
|
||
Contrary to NixOS's usual update policy, Pantheon will receive updates during the cycle of
|
||
NixOS 20.03 when backwards compatible.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
By default zfs pools will now be trimmed on a weekly basis.
|
||
Trimming is only done on supported devices (i.e. NVME or SSDs)
|
||
and should improve throughput and lifetime of these devices.
|
||
It is controlled by the <varname>services.zfs.trim.enable</varname> varname.
|
||
The zfs scrub service (<varname>services.zfs.autoScrub.enable</varname>)
|
||
and the zfs autosnapshot service (<varname>services.zfs.autoSnapshot.enable</varname>)
|
||
are now only enabled if zfs is set in <varname>config.boot.initrd.supportedFilesystems</varname> or
|
||
<varname>config.boot.supportedFilesystems</varname>. These lists will automatically contain
|
||
zfs as soon as any zfs mountpoint is configured in <varname>fileSystems</varname>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<command>nixos-option</command> has been rewritten in C++, speeding it up, improving correctness,
|
||
and adding a <option>-r</option> option which prints all options and their values recursively.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<option>services.xserver.desktopManager.default</option> and <option>services.xserver.windowManager.default</option> options were replaced by a single <xref linkend="opt-services.xserver.displayManager.defaultSession"/> option to improve support for upstream session files. If you used something like:
|
||
<programlisting>
|
||
services.xserver.desktopManager.default = "xfce";
|
||
services.xserver.windowManager.default = "icewm";
|
||
</programlisting>
|
||
you should change it to:
|
||
<programlisting>
|
||
services.xserver.displayManager.defaultSession = "xfce+icewm";
|
||
</programlisting>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The testing driver implementation in NixOS is now in Python <filename>make-test-python.nix</filename>.
|
||
This was done by Jacek Galowicz (<link xlink:href="https://github.com/tfc">@tfc</link>), and with the
|
||
collaboration of Julian Stecklina (<link xlink:href="https://github.com/blitz">@blitz</link>) and
|
||
Jana Traue (<link xlink:href="https://github.com/jtraue">@jtraue</link>). All documentation has been updated to use this
|
||
testing driver, and a vast majority of the 286 tests in NixOS were ported to python driver. In 20.09 the Perl driver implementation,
|
||
<filename>make-test.nix</filename>, is slated for removal. This should give users of the NixOS integration framework
|
||
a transitory period to rewrite their tests to use the Python implementation. Users of the Perl driver will see
|
||
this warning everytime they use it:
|
||
<screen>
|
||
<prompt>$ </prompt>warning: Perl VM tests are deprecated and will be removed for 20.09.
|
||
Please update your tests to use the python test driver.
|
||
See https://github.com/NixOS/nixpkgs/pull/71684 for details.
|
||
</screen>
|
||
API compatibility is planned to be kept for at least the next release with the perl driver.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
|
||
<section xmlns="http://docbook.org/ns/docbook"
|
||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
version="5.0"
|
||
xml:id="sec-release-20.03-new-services">
|
||
<title>New Services</title>
|
||
|
||
<para>
|
||
The following new services were added since the last release:
|
||
</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
The kubernetes kube-proxy now supports a new hostname configuration
|
||
<literal>services.kubernetes.proxy.hostname</literal> which has to
|
||
be set if the hostname of the node should be non default.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
UPower's configuration is now managed by NixOS and can be customized
|
||
via <option>services.upower</option>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
To use Geary you should enable <xref linkend="opt-programs.geary.enable"/> instead of
|
||
just adding it to <xref linkend="opt-environment.systemPackages"/>.
|
||
It was created so Geary could function properly outside of GNOME.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./config/console.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./hardware/brillo.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./hardware/tuxedo-keyboard.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./programs/bandwhich.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./programs/bash-my-aws.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./programs/liboping.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./programs/traceroute.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/backup/sanoid.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/backup/syncoid.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/backup/zfs-replication.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/continuous-integration/buildkite-agents.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/databases/victoriametrics.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/desktops/gnome3/gnome-initial-setup.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/desktops/neard.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/games/openarena.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/hardware/fancontrol.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/mail/sympa.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/misc/freeswitch.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/misc/mame.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/monitoring/do-agent.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/monitoring/prometheus/xmpp-alerts.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/network-filesystems/orangefs/server.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/network-filesystems/orangefs/client.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/networking/3proxy.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/networking/corerad.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/networking/go-shadowsocks2.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/networking/ntp/openntpd.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/networking/shorewall.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/networking/shorewall6.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/networking/spacecookie.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/networking/trickster.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/networking/v2ray.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/networking/xandikos.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/networking/yggdrasil.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/web-apps/dokuwiki.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/web-apps/gotify-server.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/web-apps/grocy.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/web-apps/ihatemoney</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/web-apps/moinmoin.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/web-apps/trac.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/web-apps/trilium.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/web-apps/shiori.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/web-servers/ttyd.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/x11/picom.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/x11/hardware/digimend.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./services/x11/imwheel.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<filename>./virtualisation/cri-o.nix</filename>
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
|
||
</section>
|
||
|
||
<section xmlns="http://docbook.org/ns/docbook"
|
||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
version="5.0"
|
||
xml:id="sec-release-20.03-incompatibilities">
|
||
<title>Backward Incompatibilities</title>
|
||
|
||
<para>
|
||
When upgrading from a previous release, please be aware of the following
|
||
incompatible changes:
|
||
</para>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
The <package>dhcpcd</package> package <link xlink:href="https://roy.marples.name/archives/dhcpcd-discuss/0002621.html">
|
||
does not request IPv4 addresses for tap and bridge interfaces anymore by default</link>.
|
||
In order to still get an address on a bridge interface, one has to disable
|
||
<literal>networking.useDHCP</literal> and explicitly enable
|
||
<literal>networking.interfaces.<name>.useDHCP</literal> on
|
||
every interface, that should get an address via DHCP. This way, dhcpcd
|
||
is configured in an explicit way about which interface to run on.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
GnuPG is now built without support for a graphical passphrase entry
|
||
by default. Please enable the <literal>gpg-agent</literal> user service
|
||
via the NixOS option <literal>programs.gnupg.agent.enable</literal>.
|
||
Note that upstream recommends using <literal>gpg-agent</literal> and
|
||
will spawn a <literal>gpg-agent</literal> on the first invocation of
|
||
GnuPG anyway.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>dynamicHosts</literal> option has been removed from the
|
||
<link linkend="opt-networking.networkmanager.enable">NetworkManager</link>
|
||
module. Allowing (multiple) regular users to override host entries
|
||
affecting the whole system opens up a huge attack vector.
|
||
There seem to be very rare cases where this might be useful.
|
||
Consider setting system-wide host entries using
|
||
<link linkend="opt-networking.hosts">networking.hosts</link>, provide
|
||
them via the DNS server in your network, or use
|
||
<link linkend="opt-environment.etc">environment.etc</link>
|
||
to add a file into <literal>/etc/NetworkManager/dnsmasq.d</literal>
|
||
reconfiguring <literal>hostsdir</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>99-main.network</literal> file was removed. Matching all
|
||
network interfaces caused many breakages, see
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/18962">#18962</link>
|
||
and <link xlink:href="https://github.com/NixOS/nixpkgs/pull/71106">#71106</link>.
|
||
</para>
|
||
<para>
|
||
We already don't support the global <link linkend="opt-networking.useDHCP">networking.useDHCP</link>,
|
||
<link linkend="opt-networking.defaultGateway">networking.defaultGateway</link> and
|
||
<link linkend="opt-networking.defaultGateway6">networking.defaultGateway6</link> options
|
||
if <link linkend="opt-networking.useNetworkd">networking.useNetworkd</link> is enabled,
|
||
but direct users to configure the per-device
|
||
<link linkend="opt-networking.interfaces">networking.interfaces.<name>.…</link> options.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The stdenv now runs all bash with <literal>set -u</literal>, to catch the use of undefined variables.
|
||
Before, it itself used <literal>set -u</literal> but was careful to unset it so other packages' code ran as before.
|
||
Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The SLIM Display Manager has been removed, as it has been unmaintained since 2013.
|
||
Consider migrating to a different display manager such as LightDM (current default in NixOS),
|
||
SDDM, GDM, or using the startx module which uses Xinitrc.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The Way Cooler wayland compositor has been removed, as the project has been officially canceled.
|
||
There are no more <literal>way-cooler</literal> attribute and <literal>programs.way-cooler</literal> options.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The BEAM package set has been deleted. You will only find there the different interpreters.
|
||
You should now use the different build tools coming with the languages with sandbox mode disabled.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
There is now only one Xfce package-set and module. This means that attributes <literal>xfce4-14</literal>
|
||
and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14
|
||
packages. And in the future NixOS releases will be the latest released version of Xfce available at the
|
||
time of the release's development (if viable).
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <link linkend="opt-services.phpfpm.pools">phpfpm</link> module now sets
|
||
<literal>PrivateTmp=true</literal> in its systemd units for better process isolation.
|
||
If you rely on <literal>/tmp</literal> being shared with other services, explicitly override this by
|
||
setting <literal>serviceConfig.PrivateTmp</literal> to <literal>false</literal> for each phpfpm unit.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
KDE’s old multimedia framework Phonon no longer supports Qt 4. For that reason, Plasma desktop also does not have <option>enableQt4Support</option> option any more.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The BeeGFS module has been removed.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The osquery module has been removed.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Going forward, <literal>~/bin</literal> in the users home directory will no longer be in <literal>PATH</literal> by default.
|
||
If you depend on this you should set the option <literal>environment.homeBinInPath</literal> to <literal>true</literal>.
|
||
The aforementioned option was added this release.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>buildRustCrate</literal> infrastructure now produces <literal>lib</literal> outputs in addition to the <literal>out</literal> output.
|
||
This has led to drastically reduced closure sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Pango was upgraded to 1.44, which no longer uses freetype for font loading. This means that type1
|
||
and bitmap fonts are no longer supported in applications relying on Pango for font rendering
|
||
(notably, GTK application). See <link xlink:href="https://gitlab.gnome.org/GNOME/pango/issues/386">
|
||
upstream issue</link> for more information.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>roundcube</literal> module has been hardened.
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
The password of the database is not written world readable in the store any more. If <literal>database.host</literal> is set to <literal>localhost</literal>, then a unix user of the same name as the database will be created and PostreSQL peer authentication will be used, removing the need for a password. Otherwise, a password is still needed and can be provided with the new option <literal>database.passwordFile</literal>, which should be set to the path of a file containing the password and readable by the user <literal>nginx</literal> only. The <literal>database.password</literal> option is insecure and deprecated. Usage of this option will print a warning.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
A random <literal>des_key</literal> is set by default in the configuration of roundcube, instead of using the hardcoded and insecure default. To ensure a clean migration, all users will be logged out when you upgrade to this release.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The packages <literal>openobex</literal> and <literal>obexftp</literal>
|
||
are no longer installed when enabling Bluetooth via
|
||
<option>hardware.bluetooth.enable</option>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>dump1090</literal> derivation has been changed to use FlightAware's dump1090
|
||
as its upstream. However, this version does not have an internal webserver anymore. The
|
||
assets in the <literal>share/dump1090</literal> directory of the derivation can be used
|
||
in conjunction with an external webserver to replace this functionality.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The fourStore and fourStoreEndpoint modules have been removed.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Polkit no longer has the user of uid 0 (root) as an admin identity.
|
||
We now follow the upstream default of only having every member of the wheel
|
||
group admin privileged. Before it was root and members of wheel.
|
||
The positive outcome of this is pkexec GUI popups or terminal prompts
|
||
will no longer require the user to choose between two essentially equivalent
|
||
choices (whether to perform the action as themselves with wheel permissions, or as the root user).
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
NixOS containers no longer build NixOS manual by default. This saves evaluation time,
|
||
especially if there are many declarative containers defined. Note that this is already done
|
||
when <literal><nixos/modules/profiles/minimal.nix></literal> module is included
|
||
in container config.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>kresd</literal> services deprecates the <literal>interfaces</literal> option
|
||
in favor of the <literal>listenPlain</literal> option which requires full
|
||
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.socket.html#ListenStream=">systemd.socket compatible</link>
|
||
declaration which always include a port.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Virtual console options have been reorganized and can be found under
|
||
a single top-level attribute: <literal>console</literal>.
|
||
The full set of changes is as follows:
|
||
</para>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
<literal>i18n.consoleFont</literal> renamed to
|
||
<link linkend="opt-console.font">console.font</link>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>i18n.consoleKeyMap</literal> renamed to
|
||
<link linkend="opt-console.keyMap">console.keyMap</link>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>i18n.consoleColors</literal> renamed to
|
||
<link linkend="opt-console.colors">console.colors</link>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>i18n.consolePackages</literal> renamed to
|
||
<link linkend="opt-console.packages">console.packages</link>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>i18n.consoleUseXkbConfig</literal> renamed to
|
||
<link linkend="opt-console.useXkbConfig">console.useXkbConfig</link>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>boot.earlyVconsoleSetup</literal> renamed to
|
||
<link linkend="opt-console.earlySetup">console.earlySetup</link>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>boot.extraTTYs</literal> renamed to
|
||
<literal>console.extraTTYs</literal>.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <link linkend="opt-services.awstats.enable">awstats</link> module has been rewritten
|
||
to serve stats via static html pages, updated on a timer, over <link linkend="opt-services.nginx.virtualHosts">nginx</link>,
|
||
instead of dynamic cgi pages over <link linkend="opt-services.httpd.enable">apache</link>.
|
||
</para>
|
||
<para>
|
||
Minor changes will be required to migrate existing configurations. Details of the
|
||
required changes can seen by looking through the <link linkend="opt-services.awstats.enable">awstats</link>
|
||
module.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The httpd module no longer provides options to support serving web content without defining a virtual host. As a
|
||
result of this the <link linkend="opt-services.httpd.logPerVirtualHost">services.httpd.logPerVirtualHost</link>
|
||
option now defaults to <literal>true</literal> instead of <literal>false</literal>. Please update your
|
||
configuration to make use of <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts</link>.
|
||
</para>
|
||
<para>
|
||
The <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name></link>
|
||
option has changed type from a list of submodules to an attribute set of submodules, better matching
|
||
<link linkend="opt-services.nginx.virtualHosts">services.nginx.virtualHosts.<name></link>.
|
||
</para>
|
||
<para>
|
||
This change comes with the addition of the following options which mimic the functionality of their <literal>nginx</literal> counterparts:
|
||
<link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.addSSL</link>,
|
||
<link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.forceSSL</link>,
|
||
<link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.onlySSL</link>,
|
||
<link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.enableACME</link>,
|
||
<link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.acmeRoot</link>, and
|
||
<link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.useACMEHost</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
For NixOS configuration options, the <literal>loaOf</literal> type has
|
||
been deprecated and will be removed in a future release. In nixpkgs,
|
||
options of this type will be changed to <literal>attrsOf</literal>
|
||
instead. If you were using one of these in your configuration, you will
|
||
see a warning suggesting what changes will be required.
|
||
</para>
|
||
<para>
|
||
For example, <link linkend="opt-users.users">users.users</link> is a
|
||
<literal>loaOf</literal> option that is commonly used as follows:
|
||
<programlisting>
|
||
users.users =
|
||
[ { name = "me";
|
||
description = "My personal user.";
|
||
isNormalUser = true;
|
||
}
|
||
];
|
||
</programlisting>
|
||
This should be rewritten by removing the list and using the
|
||
value of <literal>name</literal> as the name of the attribute set:
|
||
<programlisting>
|
||
users.users.me =
|
||
{ description = "My personal user.";
|
||
isNormalUser = true;
|
||
};
|
||
</programlisting>
|
||
</para>
|
||
<para>
|
||
For more information on this change have look at these links:
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/1800">issue #1800</link>,
|
||
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/63103">PR #63103</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
For NixOS modules, the types <literal>types.submodule</literal> and <literal>types.submoduleWith</literal> now support
|
||
paths as allowed values, similar to how <literal>imports</literal> supports paths.
|
||
Because of this, if you have a module that defines an option of type
|
||
<literal>either (submodule ...) path</literal>, it will break since a path
|
||
is now treated as the first type instead of the second. To fix this, change
|
||
the type to <literal>either path (submodule ...)</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <link linkend="opt-services.buildkite-agents">Buildkite
|
||
Agent</link> module and corresponding packages have been updated to
|
||
3.x, and to support multiple instances of the agent running at the
|
||
same time. This means you will have to rename
|
||
<literal>services.buildkite-agent</literal> to
|
||
<literal>services.buildkite-agents.<name></literal>. Furthermore,
|
||
the following options have been changed:
|
||
</para>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
<literal>services.buildkite-agent.meta-data</literal> has been renamed to
|
||
<link linkend="opt-services.buildkite-agents">services.buildkite-agents.<name>.tags</link>,
|
||
to match upstreams naming for 3.x.
|
||
Its type has also changed - it now accepts an attrset of strings.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The<literal>services.buildkite-agent.openssh.publicKeyPath</literal> option
|
||
has been removed, as it's not necessary to deploy public keys to clone private
|
||
repositories.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>services.buildkite-agent.openssh.privateKeyPath</literal>
|
||
has been renamed to
|
||
<link linkend="opt-services.buildkite-agents">buildkite-agents.<name>.privateSshKeyPath</link>,
|
||
as the whole <literal>openssh</literal> now only contained that single option.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<link linkend="opt-services.buildkite-agents">services.buildkite-agents.<name>.shell</link>
|
||
has been introduced, allowing to specify a custom shell to be used.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>citrix_workspace_19_3_0</literal> package has been removed as
|
||
it will be EOLed within the lifespan of 20.03. For further information,
|
||
please refer to the <link xlink:href="https://www.citrix.com/de-de/support/product-lifecycle/milestones/receiver.html">support and maintenance information</link> from upstream.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>gcc5</literal> and <literal>gfortran5</literal> packages have been removed.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <option>services.xserver.displayManager.auto</option> module has been removed.
|
||
It was only intended for use in internal NixOS tests, and gave the false impression
|
||
of it being a special display manager when it's actually LightDM.
|
||
Please use the <option>services.xserver.displayManager.lightdm.autoLogin</option> options instead,
|
||
or any other display manager in NixOS as they all support auto-login. If you used this module specifically
|
||
because it permitted root auto-login you can override the lightdm-autologin pam module like:
|
||
<programlisting>
|
||
<link xlink:href="#opt-security.pam.services._name_.text">security.pam.services.lightdm-autologin.text</link> = lib.mkForce ''
|
||
auth requisite pam_nologin.so
|
||
auth required pam_succeed_if.so quiet
|
||
auth required pam_permit.so
|
||
|
||
account include lightdm
|
||
|
||
password include lightdm
|
||
|
||
session include lightdm
|
||
'';
|
||
</programlisting>
|
||
The difference is the:
|
||
<programlisting>
|
||
auth required pam_succeed_if.so quiet
|
||
</programlisting>
|
||
line, where default it's:
|
||
<programlisting>
|
||
auth required pam_succeed_if.so uid >= 1000 quiet
|
||
</programlisting>
|
||
not permitting users with uid's below 1000 (like root).
|
||
All other display managers in NixOS are configured like this.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
There have been lots of improvements to the Mailman module. As
|
||
a result,
|
||
</para>
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
The <option>services.mailman.hyperkittyBaseUrl</option>
|
||
option has been renamed to <xref
|
||
linkend="opt-services.mailman.hyperkitty.baseUrl"/>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <option>services.mailman.hyperkittyApiKey</option>
|
||
option has been removed. This is because having an option
|
||
for the Hyperkitty API key meant that the API key would be
|
||
stored in the world-readable Nix store, which was a
|
||
security vulnerability. A new Hyperkitty API key will be
|
||
generated the first time the new Hyperkitty service is run,
|
||
and it will then be persisted outside of the Nix store. To
|
||
continue using Hyperkitty, you must set <xref
|
||
linkend="opt-services.mailman.hyperkitty.enable"/> to
|
||
<literal>true</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Additionally, some Postfix configuration must now be set
|
||
manually instead of automatically by the Mailman module:
|
||
<programlisting>
|
||
<xref linkend="opt-services.postfix.relayDomains"/> = [ "hash:/var/lib/mailman/data/postfix_domains" ];
|
||
<xref linkend="opt-services.postfix.config"/>.transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||
<xref linkend="opt-services.postfix.config"/>.local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||
</programlisting>
|
||
This is because some users may want to include other values
|
||
in these lists as well, and this was not possible if they
|
||
were set automatically by the Mailman module. It would not
|
||
have been possible to just concatenate values from multiple
|
||
modules each setting the values they needed, because the
|
||
order of elements in the list is significant.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</listitem>
|
||
<listitem>
|
||
<para>The LLVM versions 3.5, 3.9 and 4 (including the corresponding CLang versions) have been dropped.</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <option>networking.interfaces.*.preferTempAddress</option> option has
|
||
been replaced by <option>networking.interfaces.*.tempAddress</option>.
|
||
The new option allows better control of the IPv6 temporary addresses,
|
||
including completely disabling them for interfaces where they are not
|
||
needed.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Rspamd was updated to version 2.2. Read
|
||
<link xlink:href="https://rspamd.com/doc/migration.html#migration-to-rspamd-20">
|
||
the upstream migration notes</link> carefully. Please be especially
|
||
aware that some modules were removed and the default Bayes backend is
|
||
now Redis.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <literal>*psu</literal> versions of <package>oraclejdk8</package> have been removed
|
||
as they aren't provided by upstream anymore.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <option>services.dnscrypt-proxy</option> module has been removed
|
||
as it used the deprecated version of dnscrypt-proxy. We've added
|
||
<xref linkend="opt-services.dnscrypt-proxy2.enable"/> to use the supported version.
|
||
This module supports configuration via the Nix attribute set
|
||
<xref linkend="opt-services.dnscrypt-proxy2.settings" />, or by passing a TOML configuration file via
|
||
<xref linkend="opt-services.dnscrypt-proxy2.configFile" />.
|
||
<programlisting>
|
||
# Example configuration:
|
||
services.dnscrypt-proxy2.enable = true;
|
||
services.dnscrypt-proxy2.settings = {
|
||
listen_addresses = [ "127.0.0.1:43" ];
|
||
sources.public-resolvers = {
|
||
urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ];
|
||
cache_file = "public-resolvers.md";
|
||
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
|
||
refresh_delay = 72;
|
||
};
|
||
};
|
||
|
||
services.dnsmasq.enable = true;
|
||
services.dnsmasq.servers = [ "127.0.0.1#43" ];
|
||
</programlisting>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>qesteidutil</literal> has been deprecated in favor of <literal>qdigidoc</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<package>sqldeveloper_18</package> has been removed as it's not maintained anymore,
|
||
<package>sqldeveloper</package> has been updated to version <literal>19.4</literal>.
|
||
Please note that this means that this means that the <package>oraclejdk</package> is now
|
||
required. For further information please read the
|
||
<link xlink:href="https://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/sqldev-relnotes-194-5908846.html">release notes</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Haskell <varname>env</varname> and <varname>shellFor</varname> dev shell environments now organize dependencies the same way as regular builds.
|
||
In particular, rather than receiving all the different lists of dependencies mashed together as one big list, and then partitioning into Haskell and non-Hakell dependencies, they work from the original many different dependency parameters and don't need to algorithmically partition anything.
|
||
</para>
|
||
<para>
|
||
This means that if you incorrectly categorize a dependency, e.g. non-Haskell library dependency as a <varname>buildDepends</varname> or run-time Haskell dependency as a <varname>setupDepends</varname>, whereas things would have worked before they may not work now.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <package>gcc-snapshot</package>-package has been removed. It's marked as broken for >2 years and used to point
|
||
to a fairly old snapshot from the <package>gcc7</package>-branch.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <citerefentry><refentrytitle>nixos-build-vms</refentrytitle><manvolnum>8</manvolnum>
|
||
</citerefentry>-script now uses the python test-driver.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <package>riot-web</package> package now accepts configuration overrides as an attribute set instead of a string.
|
||
A formerly used JSON configuration can be converted to an attribute set with <literal>builtins.fromJSON</literal>.
|
||
</para>
|
||
<para>
|
||
The new default configuration also disables automatic guest account registration and analytics to improve privacy.
|
||
The previous behavior can be restored by setting <literal>config.riot-web.conf = { disable_guests = false; piwik = true; }</literal>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Stand-alone usage of <literal>Upower</literal> now requires
|
||
<option>services.upower.enable</option> instead of just installing into
|
||
<xref linkend="opt-environment.systemPackages"/>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<package>nextcloud</package> has been updated to <literal>v18.0.2</literal>. This means
|
||
that users from NixOS 19.09 can't upgrade directly since you can only move one version
|
||
forward and 19.09 uses <literal>v16.0.8</literal>.
|
||
</para>
|
||
<para>
|
||
To provide a safe upgrade-path and to circumvent similar issues in the future, the following
|
||
measures were taken:
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
The <package>pkgs.nextcloud</package>-attribute has been removed and replaced with
|
||
versioned attributes (currently <package>pkgs.nextcloud17</package> and
|
||
<package>pkgs.nextcloud18</package>). With this change major-releases can be backported
|
||
without breaking stuff and to make upgrade-paths easier.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Existing setups will be detected using
|
||
<link linkend="opt-system.stateVersion">system.stateVersion</link>: by default,
|
||
<package>nextcloud17</package> will be used, but will raise a warning which notes
|
||
that after that deploy it's recommended to update to the latest stable version
|
||
(<package>nextcloud18</package>) by declaring the newly introduced setting
|
||
<link linkend="opt-services.nextcloud.package">services.nextcloud.package</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Users with an overlay (e.g. to use <package>nextcloud</package> at version
|
||
<literal>v18</literal> on <literal>19.09</literal>) will get an evaluation error
|
||
by default. This is done to ensure that our
|
||
<link linkend="opt-services.nextcloud.package">package</link>-option doesn't select an
|
||
older version by accident. It's recommended to use <package>pkgs.nextcloud18</package>
|
||
or to set <link linkend="opt-services.nextcloud.package">package</link> to
|
||
<package>pkgs.nextcloud</package> explicitly.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</para>
|
||
<warning>
|
||
<para>
|
||
Please note that if you're coming from <literal>19.03</literal> or older, you have
|
||
to manually upgrade to <literal>19.09</literal> first to upgrade your server
|
||
to Nextcloud v16.
|
||
</para>
|
||
</warning>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<package>Hydra</package> has gained a massive performance improvement due to
|
||
<link xlink:href="https://github.com/NixOS/hydra/pull/710">some database schema
|
||
changes</link> by adding several IDs and better indexing. However, it's necessary
|
||
to upgrade Hydra in multiple steps:
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>
|
||
At first, an older version of Hydra needs to be deployed which adds those
|
||
(nullable) columns. When having set <link linkend="opt-system.stateVersion">stateVersion
|
||
</link> to a value older than <literal>20.03</literal>, this package will be selected
|
||
by default from the module when upgrading. Otherwise, the package can be deployed using
|
||
the following config:
|
||
<programlisting>{ pkgs, ... }: {
|
||
<link linkend="opt-services.hydra.package">services.hydra.package</link> = pkgs.hydra-migration;
|
||
}</programlisting>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Automatically fill the newly added ID columns on the server by running the following
|
||
command:
|
||
<screen>
|
||
<prompt>$ </prompt>hydra-backfill-ids
|
||
</screen>
|
||
<warning>
|
||
<para>Please note that this process can take a while depending on your database-size!</para>
|
||
</warning>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Deploy a newer version of Hydra to activate the DB optimizations. This can be done by
|
||
using <package>hydra-unstable</package>. This package already includes
|
||
<link xlink:href="https://github.com/nixos/rfcs/pull/49">flake-support</link> and is
|
||
therefore compiled against <package>pkgs.nixFlakes</package>.
|
||
<warning>
|
||
<para>
|
||
If your <link linkend="opt-system.stateVersion">stateVersion</link> is set to
|
||
<literal>20.03</literal> or greater, <package>hydra-unstable</package> will be used
|
||
automatically! This will break your setup if you didn't run the migration.
|
||
</para>
|
||
</warning>
|
||
Please note that Hydra is currently not available with <package>nixStable</package>
|
||
as this doesn't compile anymore.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
<warning>
|
||
<para>
|
||
<package>pkgs.hydra</package> has been removed to ensure a graceful database-migration
|
||
using the dedicated package-attributes. If you still have <package>pkgs.hydra</package>
|
||
defined in e.g. an overlay, an assertion error will be thrown. To circumvent this,
|
||
you need to set <xref linkend="opt-services.hydra.package" /> to <package>pkgs.hydra</package>
|
||
explicitly and make sure you know what you're doing!
|
||
</para>
|
||
</warning>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The TokuDB storage engine will be disabled in <package>mariadb</package> 10.5. It is recommended to switch
|
||
to RocksDB. See also <link xlink:href="https://mariadb.com/kb/en/tokudb/">TokuDB</link>.
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
|
||
<section xmlns="http://docbook.org/ns/docbook"
|
||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
version="5.0"
|
||
xml:id="sec-release-20.03-notable-changes">
|
||
<title>Other Notable Changes</title>
|
||
|
||
<itemizedlist>
|
||
<listitem>
|
||
<para>SD images are now compressed by default using <literal>bzip2</literal>.</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The nginx web server previously started its master process as root
|
||
privileged, then ran worker processes as a less privileged identity user
|
||
(the <literal>nginx</literal> user).
|
||
This was changed to start all of nginx as a less privileged user (defined by
|
||
<literal>services.nginx.user</literal> and
|
||
<literal>services.nginx.group</literal>). As a consequence, all files that
|
||
are needed for nginx to run (included configuration fragments, SSL
|
||
certificates and keys, etc.) must now be readable by this less privileged
|
||
user/group.
|
||
</para>
|
||
<para>
|
||
To continue to use the old approach, you can configure:
|
||
<programlisting>
|
||
services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};'';
|
||
systemd.services.nginx.serviceConfig.User = lib.mkForce "root";
|
||
</programlisting>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features
|
||
but with potential incompatibilities. Consult the
|
||
<link xlink:href="https://www.openssh.com/txt/release-8.1">
|
||
release announcement</link> for more information.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<literal>PRETTY_NAME</literal> in <literal>/etc/os-release</literal>
|
||
now uses the short rather than full version string.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The ACME module has switched from simp-le to <link xlink:href="https://github.com/go-acme/lego">lego</link>
|
||
which allows us to support DNS-01 challenges and wildcard certificates. The following options have been added:
|
||
<link linkend="opt-security.acme.acceptTerms">security.acme.acceptTerms</link>,
|
||
<link linkend="opt-security.acme.certs">security.acme.certs.<name>.dnsProvider</link>,
|
||
<link linkend="opt-security.acme.certs">security.acme.certs.<name>.credentialsFile</link>,
|
||
<link linkend="opt-security.acme.certs">security.acme.certs.<name>.dnsPropagationCheck</link>.
|
||
As well as this, the options <literal>security.acme.acceptTerms</literal> and either
|
||
<literal>security.acme.email</literal> or <literal>security.acme.certs.<name>.email</literal>
|
||
must be set in order to use the ACME module.
|
||
Certificates will be regenerated on activation, no account or certificate will be migrated from simp-le.
|
||
In particular private keys will not be preserved. However, the credentials for simp-le are preserved and
|
||
thus it is possible to roll back to previous versions without breaking certificate generation.
|
||
Note also that in contrary to simp-le a new private key is recreated at each renewal by default, which can
|
||
have consequences if you embed your public key in apps.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
It is now possible to unlock LUKS-Encrypted file systems using a FIDO2 token
|
||
via <option>boot.initrd.luks.fido2Support</option>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
Predictably named network interfaces get renamed in stage-1. This means that it is possible
|
||
to use the proper interface name for e.g. Dropbear setups.
|
||
</para>
|
||
<para>
|
||
For further reference, please read <link xlink:href="https://github.com/NixOS/nixpkgs/pull/68953">#68953</link> or the corresponding <link xlink:href="https://discourse.nixos.org/t/predictable-network-interface-names-in-initrd/4055">discourse thread</link>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <package>matrix-synapse</package>-package has been updated to
|
||
<link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.11.1">v1.11.1</link>.
|
||
Due to <link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.10.0rc1">stricter requirements</link>
|
||
for database configuration when using <package>postgresql</package>, the automated database setup
|
||
of the module has been removed to avoid any further edge-cases.
|
||
</para>
|
||
<para>
|
||
<package>matrix-synapse</package> expects <literal>postgresql</literal>-databases to have the options
|
||
<literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> set to
|
||
<link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link> which basically
|
||
instructs <literal>postgresql</literal> to ignore any locale-based preferences.
|
||
</para>
|
||
<para>
|
||
Depending on your setup, you need to incorporate one of the following changes in your setup to
|
||
upgrade to 20.03:
|
||
<itemizedlist>
|
||
<listitem><para>If you use <literal>sqlite3</literal> you don't need to do anything.</para></listitem>
|
||
<listitem><para>If you use <literal>postgresql</literal> on a different server, you don't need
|
||
to change anything as well since this module was never designed to configure remote databases.
|
||
</para></listitem>
|
||
<listitem><para>If you use <literal>postgresql</literal> and configured your synapse initially on
|
||
<literal>19.09</literal> or older, you simply need to enable <package>postgresql</package>-support
|
||
explicitly:
|
||
<programlisting>{ ... }: {
|
||
services.matrix-synapse = {
|
||
<link linkend="opt-services.matrix-synapse.enable">enable</link> = true;
|
||
/* and all the other config you've defined here */
|
||
};
|
||
<link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true;
|
||
}</programlisting>
|
||
</para></listitem>
|
||
<listitem><para>If you deploy a fresh <package>matrix-synapse</package>, you need to configure
|
||
the database yourself (e.g. by using the
|
||
<link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link>
|
||
option). An example for this can be found in the
|
||
<link linkend="module-services-matrix">documentation of the Matrix module</link>.
|
||
</para></listitem>
|
||
<listitem><para>If you initially deployed your <package>matrix-synapse</package> on
|
||
<literal>nixos-unstable</literal> <emphasis>after</emphasis> the <literal>19.09</literal>-release,
|
||
your database is misconfigured due to a regression in NixOS. For now, <package>matrix-synapse</package> will
|
||
startup with a warning, but it's recommended to reconfigure the database to set the values
|
||
<literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> to
|
||
<link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link>.
|
||
</para></listitem>
|
||
</itemizedlist>
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
The <link linkend="opt-systemd.network.links">systemd.network.links</link> option is now respected
|
||
even when <link linkend="opt-systemd.network.enable">systemd-networkd</link> is disabled.
|
||
This mirrors the behaviour of systemd - It's udev that parses <literal>.link</literal> files,
|
||
not <command>systemd-networkd</command>.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
|
||
<para>
|
||
<package>mongodb</package> has been updated to version <literal>3.4.24</literal>.
|
||
<warning>
|
||
<para>
|
||
Please note that <package>mongodb</package> has been relicensed under their own
|
||
<link xlink:href="https://www.mongodb.com/licensing/server-side-public-license/faq"><literal>
|
||
sspl</literal></link>-license. Since it's not entirely free and not OSI-approved,
|
||
it's listed as non-free. This means that Hydra doesn't provide prebuilt
|
||
<package>mongodb</package>-packages and needs to be built locally.
|
||
</para>
|
||
</warning>
|
||
</para>
|
||
</listitem>
|
||
</itemizedlist>
|
||
</section>
|
||
</section>
|