nixpkgs/nixos/doc/manual/release-notes/rl-2411.section.md

4.3 KiB

Release 24.11 (“Vicuña”, 2024.11/??)

Highlights

  • Create the first release note entry in this section!

New Services

Backward Incompatibilities

  • nginx package no longer includes gd and geoip dependencies. For enabling it, override nginx package with the optionals withImageFilter and withGeoIP.

  • openssh and openssh_hpn are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can use the new opensshWithKerberos and openssh_hpnWithKerberos flavors (e.g. programs.ssh.package = pkgs.openssh_gssapi).

  • nvimpager was updated to version 0.13.0, which changes the order of user and nvimpager settings: user commands in -c and --cmd now override the respective default settings because they are executed later.

  • services.forgejo.mailerPasswordFile has been deprecated by the drop-in replacement services.forgejo.secrets.mailer.PASSWD, which is part of the new free-form services.forgejo.secrets option. services.forgejo.secrets is a small wrapper over systemd's LoadCredential=. It has the same structure (sections/keys) as services.forgejo.settings but takes file paths that will be read before service startup instead of some plaintext value.

  • The Invoiceplane module now only accepts the structured settings option. extraConfig is now removed.

  • Legacy package stalwart-mail_0_6 was dropped, please note the manual upgrade process before changing the package to pkgs.stalwart-mail in services.stalwart-mail.package.

  • The stalwart-mail module now uses RocksDB as the default storage backend for stateVersion ≥ 24.11. (It was previously using SQLite for structured data and the filesystem for blobs).

  • zx was updated to v8, which introduces several breaking changes. See the v8 changelog for more information.

  • system.stateVersion is now validated. If you never changed this yourself, you don't need to do anything. If your stateVersion is not a valid NixOS release version (e.g. "24.11" is valid), your system was already at risk of experiencing silent incompatible state updates. If your previous value is a well-formed version but not a valid release (e.g. "23.12"), round down to the nearest actual release. If it wasn't a well-formed version (e.g. "nixos-unstable"), set it to the version of NixOS that you originally installed.

  • The portunus package and service do not support weak password hashes anymore. If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing. Then, follow the instructions on the upstream release notes to upgrade all existing user accounts to strong password hashes. If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration:

    services.portunus.package      = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; };
    services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
    

Other Notable Changes

  • To facilitate dependency injection, the imgui package now builds a static archive using vcpkg' CMake rules. The derivation now installs "impl" headers selectively instead of by a wildcard. Use imgui.src if you just want to access the unpacked sources.