mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-23 14:13:35 +00:00
56a7bc05e1
The `keys.target` is used to indicate whether all NixOps keys were successfully uploaded on an unattended reboot. However this can cause startup issues e.g. with NixOS containers (see #67265) and can block boots even though this might not be needed (e.g. with a dovecot2 instance running that doesn't need any of the NixOps keys). As described in the NixOps manual[1], dependencies to keys should be defined like this now: ``` nix { systemd.services.myservice = { after = [ "secret-key.service" ]; wants = [ "secret-key.service" ]; }; } ``` However I'd leave the issue open until it's discussed whether or not to keep `keys.target` in `nixpkgs`. [1] https://nixos.org/nixops/manual/#idm140737322342384
553 lines
24 KiB
XML
553 lines
24 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-19.09">
|
|
<title>Release 19.09 (“Loris”, 2019/09/??)</title>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-19.09-highlights">
|
|
<title>Highlights</title>
|
|
|
|
<para>
|
|
In addition to numerous new and upgraded packages, this release has the
|
|
following highlights:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
End of support is planned for end of April 2020, handing over to 20.03.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
PHP now defaults to PHP 7.3, updated from 7.2.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The binfmt module is now easier to use. Additional systems can
|
|
be added through <option>boot.binfmt.emulatedSystems</option>.
|
|
For instance, <literal>boot.binfmt.emulatedSystems = [
|
|
"wasm32-wasi" "x86_64-windows" "aarch64-linux" ];</literal> will
|
|
set up binfmt interpreters for each of those listed systems.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The installer now uses a less privileged <literal>nixos</literal> user whereas before we logged in as root.
|
|
To gain root privileges use <literal>sudo -i</literal> without a password.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-19.09-new-services">
|
|
<title>New Services</title>
|
|
|
|
<para>
|
|
The following new services were added since the last release:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>./programs/dwm-status.nix</literal>
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-19.09-incompatibilities">
|
|
<title>Backward Incompatibilities</title>
|
|
|
|
<para>
|
|
When upgrading from a previous release, please be aware of the following
|
|
incompatible changes:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Buildbot no longer supports Python 2, as support was dropped upstream in
|
|
version 2.0.0. Configurations may need to be modified to make them
|
|
compatible with Python 3.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
PostgreSQL now uses
|
|
<filename class="directory">/run/postgresql</filename> as its socket
|
|
directory instead of <filename class="directory">/tmp</filename>. So
|
|
if you run an application like eg. Nextcloud, where you need to use
|
|
the Unix socket path as the database host name, you need to change it
|
|
accordingly.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The options <option>services.prometheus.alertmanager.user</option> and
|
|
<option>services.prometheus.alertmanager.group</option> have been removed
|
|
because the alertmanager service is now using systemd's <link
|
|
xlink:href="http://0pointer.net/blog/dynamic-users-with-systemd.html">
|
|
DynamicUser mechanism</link> which obviates these options.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The NetworkManager systemd unit was renamed back from network-manager.service to
|
|
NetworkManager.service for better compatibility with other applications expecting this name.
|
|
The same applies to ModemManager where modem-manager.service is now called ModemManager.service again.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <option>services.nzbget.configFile</option> and <option>services.nzbget.openFirewall</option>
|
|
options were removed as they are managed internally by the nzbget. The
|
|
<option>services.nzbget.dataDir</option> option hadn't actually been used by
|
|
the module for some time and so was removed as cleanup.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <option>services.mysql.pidDir</option> option was removed, as it was only used by the wordpress
|
|
apache-httpd service to wait for mysql to have started up.
|
|
This can be accomplished by either describing a dependency on mysql.service (preferred)
|
|
or waiting for the (hardcoded) <filename>/run/mysqld/mysql.sock</filename> file to appear.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <option>services.emby.enable</option> module has been removed, see
|
|
<option>services.jellyfin.enable</option> instead for a free software fork of Emby.
|
|
|
|
See the Jellyfin documentation:
|
|
<link xlink:href="https://jellyfin.readthedocs.io/en/latest/administrator-docs/migrate-from-emby/">
|
|
Migrating from Emby to Jellyfin
|
|
</link>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
IPv6 Privacy Extensions are now enabled by default for undeclared
|
|
interfaces. The previous behaviour was quite misleading — even though
|
|
the default value for
|
|
<option>networking.interfaces.*.preferTempAddress</option> was
|
|
<literal>true</literal>, undeclared interfaces would not prefer temporary
|
|
addresses. Now, interfaces not mentioned in the config will prefer
|
|
temporary addresses. EUI64 addresses can still be set as preferred by
|
|
explicitly setting the option to <literal>false</literal> for the
|
|
interface in question.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Since Bittorrent Sync was superseded by Resilio Sync in 2016, the
|
|
<literal>bittorrentSync</literal>, <literal>bittorrentSync14</literal>,
|
|
and <literal>bittorrentSync16</literal> packages have been removed in
|
|
favor of <literal>resilio-sync</literal>.
|
|
</para>
|
|
<para>
|
|
The corresponding module, <option>services.btsync</option> has been
|
|
replaced by the <option>services.resilio</option> module.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The httpd service no longer attempts to start the postgresql service. If you have come to depend
|
|
on this behaviour then you can preserve the behavior with the following configuration:
|
|
<literal>systemd.services.httpd.after = [ "postgresql.service" ];</literal>
|
|
</para>
|
|
<para>
|
|
The option <option>services.httpd.extraSubservices</option> has been
|
|
marked as deprecated. You may still use this feature, but it will be
|
|
removed in a future release of NixOS. You are encouraged to convert any
|
|
httpd subservices you may have written to a full NixOS module.
|
|
</para>
|
|
<para>
|
|
Most of the httpd subservices packaged with NixOS have been replaced with
|
|
full NixOS modules including LimeSurvey, WordPress, and Zabbix. These
|
|
modules can be enabled using the <option>services.limesurvey.enable</option>,
|
|
<option>services.mediawiki.enable</option>, <option>services.wordpress.enable</option>,
|
|
and <option>services.zabbixWeb.enable</option> options.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The option <option>systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnlink</option>
|
|
was renamed to <option>systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnLink</option>
|
|
(capital <literal>L</literal>). This follows
|
|
<link xlink:href="https://github.com/systemd/systemd/commit/9cb8c5593443d24c19e40bfd4fc06d672f8c554c">
|
|
upstreams renaming
|
|
</link> of the setting.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
As of this release the NixOps feature <literal>autoLuks</literal> is deprecated. It no longer works
|
|
with our systemd version without manual intervention.
|
|
</para>
|
|
<para>
|
|
Whenever the usage of the module is detected the evaluation will fail with a message
|
|
explaining why and how to deal with the situation.
|
|
</para>
|
|
<para>
|
|
A new knob named <literal>nixops.enableDeprecatedAutoLuks</literal>
|
|
has been introduced to disable the eval failure and to acknowledge the notice was received and read.
|
|
If you plan on using the feature please note that it might break with subsequent updates.
|
|
</para>
|
|
<para>
|
|
Make sure you set the <literal>_netdev</literal> option for each of the file systems referring to block
|
|
devices provided by the autoLuks module. Not doing this might render the system in a
|
|
state where it doesn't boot anymore.
|
|
</para>
|
|
<para>
|
|
If you are actively using the <literal>autoLuks</literal> module please let us know in
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/62211">issue #62211</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The setopt declarations will be evaluated at the end of <literal>/etc/zshrc</literal>, so any code in <xref linkend="opt-programs.zsh.interactiveShellInit" />,
|
|
<xref linkend="opt-programs.zsh.loginShellInit" /> and <xref linkend="opt-programs.zsh.promptInit" /> may break if it relies on those options being set.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>prometheus-nginx-exporter</literal> package now uses the offical exporter provided by NGINX Inc.
|
|
Its metrics are differently structured and are incompatible to the old ones. For information about the metrics,
|
|
have a look at the <link xlink:href="https://github.com/nginxinc/nginx-prometheus-exporter">official repo</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>shibboleth-sp</literal> package has been updated to version 3.
|
|
It is largely backward compatible, for further information refer to the
|
|
<link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes">release notes</link>
|
|
and <link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2">upgrade guide</link>.
|
|
</para>
|
|
<para>
|
|
Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
By default, prometheus exporters are now run with <literal>DynamicUser</literal> enabled.
|
|
Exporters that need a real user, now run under a seperate user and group which follow the pattern <literal><exporter-name>-exporter</literal>, instead of the previous default <literal>nobody</literal> and <literal>nogroup</literal>.
|
|
Only some exporters are affected by the latter, namely the exporters <literal>dovecot</literal>, <literal>node</literal>, <literal>postfix</literal> and <literal>varnish</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>ibus-qt</literal> package is not installed by default anymore when <xref linkend="opt-i18n.inputMethod.enabled" /> is set to <literal>ibus</literal>.
|
|
If IBus support in Qt 4.x applications is required, add the <literal>ibus-qt</literal> package to your <xref linkend="opt-environment.systemPackages" /> manually.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The CUPS Printing service now uses socket-based activation by
|
|
default, only starting when needed. The previous behavior can
|
|
be restored by setting
|
|
<option>services.cups.startWhenNeeded</option> to
|
|
<literal>false</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <option>services.systemhealth</option> module has been removed from nixpkgs due to lack of maintainer.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <option>services.mantisbt</option> module has been removed from nixpkgs due to lack of maintainer.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Squid 3 has been removed and the <option>squid</option> derivation now refers to Squid 4.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <option>services.pdns-recursor.extraConfig</option> option has been replaced by
|
|
<option>services.pdns-recursor.settings</option>. The new option allows setting extra
|
|
configuration while being better type-checked and mergeable.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
No service depends on <literal>keys.target</literal> anymore which is a systemd
|
|
target that indicates if all <link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps keys</link> were successfully uploaded.
|
|
Instead, <literal><key-name>-key.service</literal> should be used to define
|
|
a dependency of a key in a service. The full issue behind the <literal>keys.target</literal>
|
|
dependency is described at <link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>.
|
|
</para>
|
|
<para>
|
|
The following services are affected by this:
|
|
<itemizedlist>
|
|
<listitem><para><link linkend="opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link></para></listitem>
|
|
<listitem><para><link linkend="opt-services.nsd.enable"><literal>services.nsd</literal></link></para></listitem>
|
|
<listitem><para><link linkend="opt-services.softether.enable"><literal>services.softether</literal></link></para></listitem>
|
|
<listitem><para><link linkend="opt-services.strongswan.enable"><literal>services.strongswan</literal></link></para></listitem>
|
|
<listitem><para><link linkend="opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link></para></listitem>
|
|
<listitem><para><link linkend="opt-services.httpd.enable"><literal>services.httpd</literal></link></para></listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-19.09-notable-changes">
|
|
<title>Other Notable Changes</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The <option>documentation</option> module gained an option named
|
|
<option>documentation.nixos.includeAllModules</option> which makes the
|
|
generated <citerefentry>
|
|
<refentrytitle>configuration.nix</refentrytitle>
|
|
<manvolnum>5</manvolnum></citerefentry> manual page include all options
|
|
from all NixOS modules included in a given
|
|
<literal>configuration.nix</literal> configuration file. Currently, it is
|
|
set to <literal>false</literal> by default as enabling it frequently
|
|
prevents evaluation. But the plan is to eventually have it set to
|
|
<literal>true</literal> by default. Please set it to
|
|
<literal>true</literal> now in your <literal>configuration.nix</literal>
|
|
and fix all the bugs it uncovers.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>vlc</literal> package gained support for Chromecast
|
|
streaming, enabled by default. TCP port 8010 must be open for it to work,
|
|
so something like <literal>networking.firewall.allowedTCPPorts = [ 8010
|
|
];</literal> may be required in your configuration. Also consider enabling
|
|
<link xlink:href="https://nixos.wiki/wiki/Accelerated_Video_Playback">
|
|
Accelerated Video Playback</link> for better transcoding performance.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The following changes apply if the <literal>stateVersion</literal> is
|
|
changed to 19.09 or higher. For <literal>stateVersion = "19.03"</literal>
|
|
or lower the old behavior is preserved.
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>solr.package</literal> defaults to
|
|
<literal>pkgs.solr_8</literal>.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>hunspellDicts.fr-any</literal> dictionary now ships with <literal>fr_FR.{aff,dic}</literal>
|
|
which is linked to <literal>fr-toutesvariantes.{aff,dic}</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>mysql</literal> service now runs as <literal>mysql</literal>
|
|
user. Previously, systemd did execute it as root, and mysql dropped privileges
|
|
itself.
|
|
This includes <literal>ExecStartPre=</literal> and
|
|
<literal>ExecStartPost=</literal> phases.
|
|
To accomplish that, runtime and data directory setup was delegated to
|
|
RuntimeDirectory and tmpfiles.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
With the upgrade to systemd version 242 the <literal>systemd-timesyncd</literal>
|
|
service is no longer using <literal>DynamicUser=yes</literal>. In order for the
|
|
upgrade to work we rely on an activation script to move the state from the old
|
|
to the new directory. The older directory (prior <literal>19.09</literal>) was
|
|
<literal>/var/lib/private/systemd/timesync</literal>.
|
|
</para>
|
|
<para>
|
|
As long as the <literal>system.config.stateVersion</literal> is below
|
|
<literal>19.09</literal> the state folder will migrated to its proper location
|
|
(<literal>/var/lib/systemd/timesync</literal>), if required.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The package <literal>avahi</literal> is now built to look up service
|
|
definitions from <literal>/etc/avahi/services</literal> instead of its
|
|
output directory in the nix store. Accordingly the module
|
|
<option>avahi</option> now supports custom service definitions via
|
|
<option>services.avahi.extraServiceFiles</option>, which are then placed
|
|
in the aforementioned directory. See <citerefentry>
|
|
<refentrytitle>avahi.service</refentrytitle><manvolnum>5</manvolnum>
|
|
</citerefentry> for more information on custom service definitions.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Since version 0.1.19, <literal>cargo-vendor</literal> honors package
|
|
includes that are specified in the <filename>Cargo.toml</filename>
|
|
file of Rust crates. <literal>rustPlatform.buildRustPackage</literal> uses
|
|
<literal>cargo-vendor</literal> to collect and build dependent crates.
|
|
Since this change in <literal>cargo-vendor</literal> changes the set of
|
|
vendored files for most Rust packages, the hash that use used to verify
|
|
the dependencies, <literal>cargoSha256</literal>, also changes.
|
|
</para>
|
|
<para>
|
|
The <literal>cargoSha256</literal> hashes of all in-tree derivations that
|
|
use <literal>buildRustPackage</literal> have been updated to reflect this
|
|
change. However, third-party derivations that use
|
|
<literal>buildRustPackage</literal> may have to be updated as well.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>consul</literal> package was upgraded past version <literal>1.5</literal>,
|
|
so its deprecated legacy UI is no longer available.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The default resample-method for PulseAudio has been changed from the upstream default <literal>speex-float-1</literal>
|
|
to <literal>speex-float-5</literal>. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this
|
|
so you'll need to set <option>hardware.pulseaudio.daemon.config.resample-method</option> back to <literal>speex-float-1</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>phabricator</literal> package and associated <literal>httpd.extraSubservice</literal>, as well as the
|
|
<literal>phd</literal> service have been removed from nixpkgs due to lack of maintainer.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>mercurial</literal> <literal>httpd.extraSubservice</literal> has been removed from nixpkgs due to lack of maintainer.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>trac</literal> <literal>httpd.extraSubservice</literal> has been removed from nixpkgs because it was unmaintained.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>foswiki</literal> package and associated <literal>httpd.extraSubservice</literal> have been removed
|
|
from nixpkgs due to lack of maintainer.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>tomcat-connector</literal> <literal>httpd.extraSubservice</literal> has been removed from nixpkgs.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
It's now possible to change configuration in
|
|
<link linkend="opt-services.nextcloud.enable">services.nextcloud</link> after the initial deploy
|
|
since all config parameters are persisted in an additional config file generated by the module.
|
|
Previously core configuration like database parameters were set using their imperative
|
|
installer after creating <literal>/var/lib/nextcloud</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
There exists now <literal>lib.forEach</literal>, which is like <literal>map</literal>, but with
|
|
arguments flipped. When mapping function body spans many lines (or has nested
|
|
<literal>map</literal>s), it is often hard to follow which list is modified.
|
|
</para>
|
|
<para>
|
|
Previous solution to this problem was either to use <literal>lib.flip map</literal>
|
|
idiom or extract that anonymous mapping function to a named one. Both can still be used
|
|
but <literal>lib.forEach</literal> is preferred over <literal>lib.flip map</literal>.
|
|
</para>
|
|
<para>
|
|
The <literal>/etc/sysctl.d/nixos.conf</literal> file containing all the options set via
|
|
<link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link> was moved to
|
|
<literal>/etc/sysctl.d/60-nixos.conf</literal>, as
|
|
<citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
recommends prefixing all filenames in <literal>/etc/sysctl.d</literal> with a
|
|
two-digit number and a dash to simplify the ordering of the files.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
We now install the sysctl snippets shipped with systemd.
|
|
<itemizedlist>
|
|
<para>This enables:</para>
|
|
<listitem>
|
|
<para>Loose reverse path filtering</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Source route filtering</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>fq_codel</literal> as a packet scheduler (this helps to fight bufferbloat)
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
This also configures the kernel to pass coredumps to <literal>systemd-coredump</literal>.
|
|
These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>,
|
|
and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
|
|
(which will place the parameters in <literal>/etc/sysctl.d/60-nixos.conf</literal>).
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Coredumps are now acquired by <literal>systemd-coredump</literal> by default.
|
|
<literal>systemd-coredump</literal> behaviour can still be modified via
|
|
<option>systemd.coredump.extraConfig</option>.
|
|
To stick to the old behaviour (having the kernel dump to a file called <literal>core</literal>
|
|
in the working directory), without piping it through <literal>systemd-coredump</literal>, set
|
|
<option>boot.kernel.sysctl."kernel.core_pattern"</option> to <literal>"core"</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>systemd.packages</literal> option now also supports generators and
|
|
shutdown scripts. Old <literal>systemd.generator-packages</literal> option has
|
|
been removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>rmilter</literal> package was removed with associated module and options due deprecation by upstream developer.
|
|
Use <literal>rspamd</literal> in proxy mode instead.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
systemd cgroup accounting via the
|
|
<link linkend="opt-systemd.enableCgroupAccounting">systemd.enableCgroupAccounting</link>
|
|
option is now enabled by default. It now also enables the more recent Block IO and IP accounting
|
|
features.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</section>
|