nixpkgs/nixos/doc/manual/release-notes/rl-2305.section.md
2023-01-04 06:01:44 +00:00

12 KiB

Release 23.05 (“Stoat”, 2023.05/??)

Support is planned until the end of December 2023, handing over to 23.11.

Highlights

In addition to numerous new and upgraded packages, this release has the following highlights:

New Services

Backward Incompatibilities

  • carnix and cratesIO has been removed due to being unmaintained, use alternatives such as naersk and crate2nix instead.

  • borgbackup module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as services.borgbackup.jobs.<name>.inhibitsSleep.

  • podman now uses the netavark network stack. Users will need to delete all of their local containers, images, volumes, etc, by running podman system reset --force once before upgrading their systems.

  • The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services. This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from /etc/ec2-metadata should now have an after dependency on fetch-ec2-metadata.service

  • minio removed support for its legacy filesystem backend in RELEASE.2022-10-29T06-21-33Z. This means if your storage was created with the old format, minio will no longer start. Unfortunately minio doesn't provide a an automatic migration, they only provide instructions how to manually convert the node. To facilitate this migration we keep around the last version that still supports the old filesystem backend as minio_legacy_fs. Use it via services.minio.package = minio_legacy_fs; to export your data before switching to the new version. See the corresponding issue for more details.

  • services.sourcehut.dispatch and the corresponding package (sourcehut.dispatchsrht) have been removed due to upstream deprecation.

  • The services.snapserver.openFirewall module option default value has been changed from true to false. You will need to explicitly set this option to true, or configure your firewall.

  • The services.tmate-ssh-server.openFirewall module option default value has been changed from true to false. You will need to explicitly set this option to true, or configure your firewall.

  • The services.unifi-video.openFirewall module option default value has been changed from true to false. You will need to explicitly set this option to true, or configure your firewall.

  • llvmPackages_rocm.llvm will not contain clang or compiler-rt. llvmPackages_rocm.clang will not contain llvm. llvmPackages_rocm.clangNoCompilerRt has been removed in favor of using llvmPackages_rocm.clang-unwrapped.

  • The Nginx module now validates the syntax of config files at build time. For more complex configurations (using include with out-of-store files notably) you may need to disable this check by setting services.nginx.validateConfig to false.

  • The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing /tmp on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.

  • The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.

  • Qt 5.12 and 5.14 have been removed, as the corresponding branches have been EOL upstream for a long time. This affected under 10 packages in nixpkgs, largely unmaintained upstream as well, however, out-of-tree package expressions may need to be updated manually.

  • In mastodon it is now necessary to specify location of file with PostgreSQL database password. In services.mastodon.database.passwordFile parameter default value /var/lib/mastodon/secrets/db-password has been changed to null.

  • The nix.readOnlyStore option has been renamed to boot.readOnlyNixStore to clarify that it configures the NixOS boot process, not the Nix daemon.

  • Deprecated xlibsWrapper transitional package has been removed in favour of direct use of its constitutents: xorg.libX11, freetype and others.

Other Notable Changes

  • vim_configurable has been renamed to vim-full to avoid confusion: vim-full's build-time features are configurable, but both vim and vim-full are customizable (in the sense of user configuration, like vimrc).

  • The module for the application firewall opensnitch got the ability to configure rules. Available as services.opensnitch.rules

  • The module usbmuxd now has the ability to change the package used by the daemon. In case you're experiencing issues with usbmuxd you can try an alternative program like usbmuxd2. Available as services.usbmuxd.package

  • services.mastodon gained a tootctl wrapped named mastodon-tootctl similar to nextcloud-occ which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.

  • The dnsmasq service now takes configuration via the services.dnsmasq.settings attribute set. The option services.dnsmasq.extraConfig will be deprecated when NixOS 22.11 reaches end of life.

  • To reduce closure size in nixos/modules/profiles/minimal.nix profile disabled installation documentations and manuals. Also disabled logrotate and udisks2 services.

  • The minimal ISO image now uses the nixos/modules/profiles/minimal.nix profile.

  • mastodon now supports connection to a remote PostgreSQL database.

  • services.peertube now requires you to specify the secret file secrets.secretsFile. It can be generated by running openssl rand -hex 32. Before upgrading, read the release notes for PeerTube:

    And backup your data.

  • services.chronyd is now started with additional systemd sandbox/hardening options for better security.

  • The module services.headscale was refactored to be compliant with RFC 0042. To be precise, this means that the following things have changed:

  • nixos/lib/make-disk-image.nix can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual.

  • services.grafana listens only on localhost by default again. This was changed to upstreams default of 0.0.0.0 by accident in the freeform setting conversion.

  • A new virtualisation.rosetta module was added to allow running x86_64 binaries through Rosetta inside virtualised NixOS guests on Apple silicon. This feature works by default with the UTM virtualisation package.

  • The new option users.motdFile allows configuring a Message Of The Day that can be updated dynamically.

  • Enabling global redirect in services.nginx.virtualHosts now allows one to add exceptions with the locations option.

  • A new option recommendedBrotliSettings has been added to services.nginx. Learn more about compression in Brotli format here.

  • Garage version is based on system.stateVersion, existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow upstream instructions and force services.garage.package or upgrade accordingly system.stateVersion.

  • hip has been separated into hip, hip-common and hipcc.

  • Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.

  • The firewall and nat module now has a nftables based implementation. Enable networking.nftables to use it.

  • The services.fwupd module now allows arbitrary daemon settings to be configured in a structured manner (services.fwupd.daemonSettings).

  • The unifi-poller package and corresponding NixOS module have been renamed to unpoller to match upstream.

  • The new option services.tailscale.useRoutingFeatures controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to server, otherwise if you wish to use an exit node you can set this setting to client. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.

  • Xastir can now access AX.25 interfaces via the libax25 package.