nixpkgs/nixos/doc/manual/from_md/release-notes/rl-2009.section.xml
David Arnold 1f6969dd5e
docs: nixos release notes (w/o 2105 - separate PR)
docs: nixos release notes (revise code blocks)

docs: nixos release notes (fix opt links outside of code blocks)

docs: nixos release notes (fix opt links inside of code blocks)

went fishing with:

```console
rg -A1 \
   --multiline \
   --multiline-dotall \
   '<programlisting>[^</programlisting>]+' \
| rg linkend
```

docs: nixos release notes (prettier)

docs: nixos release notes (fix zonefile codeblocks)

docs: nixos release notes (restore admonition from prettier destruction)

docs: nixos release notes (recreate xml files)

docs: nixos release notes (fix translation error md -> xml)

admonition with a title seem not to work

docs: nixos release notes (fix code block indentation)

docs: nixos release notes (diff after converting with https://github.com/NixOS/nixpkgs/pull/127270)

docs: nixos release notes (fix remaining '???')

Those were not caught in a previous iteration since they didn't satisfy
the then presumed search regex `#opt-.*`

doc: nixos release notes make docbook/md conversion consistent
2021-06-22 09:52:13 -05:00


<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-20.09">
<title>Release 20.09 (<quote>Nightingale</quote>, 2020.10/27)</title>
<para>
Support is planned until the end of June 2021, handing over to
21.05. (Plans
<link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0080-nixos-release-schedule.md#core-changes">
have shifted</link> by two months since release of 20.09.)
</para>
<section xml:id="sec-release-20.09-highlights">
<title>Highlights</title>
<para>
In addition to 7349 new, 14442 updated, and 8181 removed packages,
this release has the following highlights:
</para>
<itemizedlist>
<listitem>
<para>
Core version changes:
</para>
<itemizedlist>
<listitem>
<para>
gcc: 9.2.0 -&gt; 9.3.0
</para>
</listitem>
<listitem>
<para>
glibc: 2.30 -&gt; 2.31
</para>
</listitem>
<listitem>
<para>
linux: still defaults to 5.4.x, all supported kernels
available
</para>
</listitem>
<listitem>
<para>
mesa: 19.3.5 -&gt; 20.1.7
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Desktop Environments:
</para>
<itemizedlist>
<listitem>
<para>
plasma5: 5.17.5 -&gt; 5.18.5
</para>
</listitem>
<listitem>
<para>
kdeApplications: 19.12.3 -&gt; 20.08.1
</para>
</listitem>
<listitem>
<para>
gnome3: 3.34 -&gt; 3.36, see its
<link xlink:href="https://help.gnome.org/misc/release-notes/3.36/">release
notes</link>
</para>
</listitem>
<listitem>
<para>
cinnamon: added at 4.6
</para>
</listitem>
<listitem>
<para>
NixOS now distributes an official
<link xlink:href="https://nixos.org/download.html#nixos-iso">GNOME
ISO</link>
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Programming Languages and Frameworks:
</para>
<itemizedlist>
<listitem>
<para>
Agda ecosystem was heavily reworked (see more details
below)
</para>
</listitem>
<listitem>
<para>
PHP now defaults to PHP 7.4, updated from 7.3
</para>
</listitem>
<listitem>
<para>
PHP 7.2 is no longer supported due to upstream not
supporting this version for the entire lifecycle of the
20.09 release
</para>
</listitem>
<listitem>
<para>
Python 3 now defaults to Python 3.8 instead of 3.7
</para>
</listitem>
<listitem>
<para>
Python 3.5 reached its upstream EOL at the end of
September 2020: it has been removed from the list of
available packages
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Databases and Service Monitoring:
</para>
<itemizedlist>
<listitem>
<para>
MariaDB has been updated to 10.4, MariaDB Galera to 26.4.
Please read the related upgrade instructions under
<link linkend="sec-release-20.09-incompatibilities">backwards
incompatibilities</link> before upgrading.
</para>
</listitem>
<listitem>
<para>
Zabbix now defaults to 5.0, updated from 4.4. Please read the
related sections under
<link linkend="sec-release-20.09-incompatibilities">backwards
incompatibilities</link> before upgrading.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Major module changes:
</para>
<itemizedlist>
<listitem>
<para>
Quickly configure a complete, private, self-hosted video
conferencing solution with the new Jitsi Meet module.
</para>
</listitem>
<listitem>
<para>
Two new options,
<link xlink:href="options.html#opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link>
and
<link xlink:href="options.html#opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>,
have been added to the <literal>openssh</literal> module.
If you have <literal>AuthorizedKeysCommand</literal> in
your
<link xlink:href="options.html#opt-services.openssh.extraConfig">services.openssh.extraConfig</link>
you should make use of these new options instead.
</para>
</listitem>
<listitem>
<para>
There is a new module for Podman
(<literal>virtualisation.podman</literal>), a drop-in
replacement for the Docker command line.
</para>
</listitem>
<listitem>
<para>
The new <literal>virtualisation.containers</literal>
module manages configuration shared by the CRI-O and
Podman modules.
</para>
</listitem>
<listitem>
<para>
Declarative Docker containers are renamed from
<literal>docker-containers</literal> to
<literal>virtualisation.oci-containers.containers</literal>.
This is to make it possible to use
<literal>podman</literal> instead of
<literal>docker</literal>.
</para>
</listitem>
<listitem>
<para>
The new option
<link xlink:href="options.html#opt-documentation.man.generateCaches">documentation.man.generateCaches</link>
has been added to automatically generate the
<literal>man-db</literal> caches, which are needed by
utilities like <literal>whatis</literal> and
<literal>apropos</literal>. The caches are generated
during the build of the NixOS configuration: since this
can be expensive when a large number of packages are
installed, the feature is disabled by default.
</para>
</listitem>
<listitem>
<para>
<literal>services.postfix.sslCACert</literal> was replaced
by
<literal>services.postfix.tlsTrustedAuthorities</literal>
which now defaults to system certificate authorities.
</para>
</listitem>
<listitem>
<para>
The various documented workarounds to use steam have been
converted to a module.
<literal>programs.steam.enable</literal> enables steam,
controller support and the workarounds.
</para>
</listitem>
<listitem>
<para>
Support for built-in LCDs in various pieces of Logitech
hardware (keyboards and USB speakers).
<literal>hardware.logitech.lcd.enable</literal> enables
support for all hardware supported by the
<link xlink:href="https://sourceforge.net/projects/g15daemon/">g15daemon
project</link>.
</para>
</listitem>
<listitem>
<para>
The GRUB module gained support for basic password
protection, which allows restricting non-default entries
in the boot menu to one or more users. The users and
passwords are defined via the option
<literal>boot.loader.grub.users</literal>. Note: Password
support is only available in GRUB version 2.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
NixOS module changes:
</para>
<itemizedlist>
<listitem>
<para>
The NixOS module system now supports freeform modules as a
mix between <literal>types.attrsOf</literal> and
<literal>types.submodule</literal>. These allow you to
explicitly declare a subset of options while still
permitting definitions without an associated option. See
<xref linkend="sec-freeform-modules" /> for how to use
them.
</para>
</listitem>
<listitem>
<para>
Following its deprecation in 20.03, the Perl NixOS test
driver has been removed. All remaining tests have been
ported to the Python test framework. Code outside nixpkgs
using <literal>make-test.nix</literal> or
<literal>testing.nix</literal> needs to be ported to
<literal>make-test-python.nix</literal> and
<literal>testing-python.nix</literal> respectively.
</para>
</listitem>
<listitem>
<para>
Subordinate GID and UID mappings are now set up
automatically for all normal users. This will make
container tools like Podman work as non-root users out of
the box.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Starting with this release, the hydra-build-result
<literal>nixos-YY.MM</literal> branches no longer exist in the
<link xlink:href="https://github.com/nixos/nixpkgs-channels">deprecated
nixpkgs-channels repository</link>. These branches are now in
<link xlink:href="https://github.com/nixos/nixpkgs">the main
nixpkgs repository</link>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-20.09-new-services">
<title>New Services</title>
<para>
In addition to 1119 new, 118 updated, and 476 removed options, 61
new modules were added since the last release:
</para>
<itemizedlist>
<listitem>
<para>
Hardware:
</para>
<itemizedlist>
<listitem>
<para>
<link xlink:href="options.html#opt-hardware.system76.firmware-daemon.enable">hardware.system76.firmware-daemon.enable</link>
adds easy support for System76 firmware
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-hardware.uinput.enable">hardware.uinput.enable</link>
loads the uinput kernel module
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-hardware.video.hidpi.enable">hardware.video.hidpi.enable</link>
enables good defaults for HiDPI displays
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-hardware.wooting.enable">hardware.wooting.enable</link>
support for Wooting keyboards
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-hardware.xpadneo.enable">hardware.xpadneo.enable</link>
xpadneo driver for Xbox One wireless controllers
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Programs:
</para>
<itemizedlist>
<listitem>
<para>
<link xlink:href="options.html#opt-programs.hamster.enable">programs.hamster.enable</link>
enable hamster time tracking
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-programs.steam.enable">programs.steam.enable</link>
adds easy enablement of steam and related system
configuration
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Security:
</para>
<itemizedlist>
<listitem>
<para>
<link xlink:href="options.html#opt-security.doas.enable">security.doas.enable</link>
alternative to sudo, allows non-root users to execute
commands as root
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-security.tpm2.enable">security.tpm2.enable</link>
adds Trusted Platform Module 2 support
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
System:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
<link xlink:href="options.html#opt-boot.initrd.network.openvpn.enable">boot.initrd.network.openvpn.enable</link>
start an OpenVPN client during initrd boot
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Virtualization:
</para>
<itemizedlist>
<listitem>
<para>
<link xlink:href="options.html#opt-boot.enableContainers">boot.enableContainers</link>
use nixos-containers
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-virtualisation.oci-containers.containers">virtualisation.oci-containers.containers</link>
run OCI (Docker) containers
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-virtualisation.podman.enable">virtualisation.podman.enable</link>
daemonless container engine
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Services:
</para>
<itemizedlist>
<listitem>
<para>
<link xlink:href="options.html#opt-services.ankisyncd.enable">services.ankisyncd.enable</link>
Anki sync server
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.bazarr.enable">services.bazarr.enable</link>
Subtitle manager for Sonarr and Radarr
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.biboumi.enable">services.biboumi.enable</link>
Biboumi XMPP gateway to IRC
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.blockbook-frontend">services.blockbook-frontend</link>
Blockbook-frontend, a service for the Trezor wallet
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.cage.enable">services.cage.enable</link>
Wayland cage service
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.convos.enable">services.convos.enable</link>
IRC daemon, which can be accessed through the browser
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.engelsystem.enable">services.engelsystem.enable</link>
Tool for coordinating volunteers and shifts on large
events
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.espanso.enable">services.espanso.enable</link>
text expander written in Rust
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.foldingathome.enable">services.foldingathome.enable</link>
Folding@home client
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.gerrit.enable">services.gerrit.enable</link>
Web-based team code collaboration tool
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.go-neb.enable">services.go-neb.enable</link>
Matrix bot
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.hardware.xow.enable">services.hardware.xow.enable</link>
xow as a systemd service
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.hercules-ci-agent.enable">services.hercules-ci-agent.enable</link>
Hercules CI build agent
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.jicofo.enable">services.jicofo.enable</link>
Jitsi Conference Focus, component of Jitsi Meet
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.jirafeau.enable">services.jirafeau.enable</link>
A web file repository
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.jitsi-meet.enable">services.jitsi-meet.enable</link>
Secure, simple and scalable video conferences
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.jitsi-videobridge.enable">services.jitsi-videobridge.enable</link>
Jitsi Videobridge, a WebRTC compatible router
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.jupyterhub.enable">services.jupyterhub.enable</link>
Jupyterhub development server
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.k3s.enable">services.k3s.enable</link>
Lightweight Kubernetes distribution
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.magic-wormhole-mailbox-server.enable">services.magic-wormhole-mailbox-server.enable</link>
Magic Wormhole Mailbox Server
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.malcontent.enable">services.malcontent.enable</link>
Parental Control support
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.matrix-appservice-discord.enable">services.matrix-appservice-discord.enable</link>
Matrix and Discord bridge
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.mautrix-telegram.enable">services.mautrix-telegram.enable</link>
Matrix-Telegram puppeting/relaybot bridge
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.mirakurun.enable">services.mirakurun.enable</link>
Japanese DTV Tuner Server Service
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.molly-brown.enable">services.molly-brown.enable</link>
Molly-Brown Gemini server
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.mullvad-vpn.enable">services.mullvad-vpn.enable</link>
Mullvad VPN daemon
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.ncdns.enable">services.ncdns.enable</link>
Namecoin to DNS bridge
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.nextdns.enable">services.nextdns.enable</link>
NextDNS to DoH Proxy service
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.nix-store-gcs-proxy">services.nix-store-gcs-proxy</link>
Google storage bucket to be used as a nix store
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.onedrive.enable">services.onedrive.enable</link>
OneDrive sync service
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.pinnwand.enable">services.pinnwand.enable</link>
Pastebin-like service
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.pixiecore.enable">services.pixiecore.enable</link>
Manage network booting of machines
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.privacyidea.enable">services.privacyidea.enable</link>
Privacy authentication server
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.quorum.enable">services.quorum.enable</link>
Quorum blockchain daemon
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.robustirc-bridge.enable">services.robustirc-bridge.enable</link>
RobustIRC bridge
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.rss-bridge.enable">services.rss-bridge.enable</link>
Generate RSS and Atom feeds
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.rtorrent.enable">services.rtorrent.enable</link>
rTorrent service
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.smartdns.enable">services.smartdns.enable</link>
SmartDNS DNS server
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.sogo.enable">services.sogo.enable</link>
SOGo groupware
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.teeworlds.enable">services.teeworlds.enable</link>
Teeworlds game server
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.torque.mom.enable">services.torque.mom.enable</link>
torque computing node
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.torque.server.enable">services.torque.server.enable</link>
torque server
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.tuptime.enable">services.tuptime.enable</link>
A total uptime service
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.urserver.enable">services.urserver.enable</link>
X11 remote server
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.wasabibackend.enable">services.wasabibackend.enable</link>
Wasabi backend service
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.yubikey-agent.enable">services.yubikey-agent.enable</link>
Yubikey agent
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.zigbee2mqtt.enable">services.zigbee2mqtt.enable</link>
Zigbee to MQTT bridge
</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-20.09-incompatibilities">
<title>Backward Incompatibilities</title>
<para>
When upgrading from a previous release, please be aware of the
following incompatible changes:
</para>
<itemizedlist>
<listitem>
<para>
MariaDB has been updated to 10.4, MariaDB Galera to 26.4.
Before you upgrade, it would be best to take a backup of your
database. For MariaDB Galera Cluster, see
<link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104-with-galera-cluster/">Upgrading
from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster</link>
instead. Before doing the upgrade read
<link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104">Incompatible
Changes Between 10.3 and 10.4</link>. After the upgrade you
will need to run <literal>mysql_upgrade</literal>. MariaDB
10.4 introduces a number of changes to the authentication
process, intended to make things easier and more intuitive.
See
<link xlink:href="https://mariadb.com/kb/en/authentication-from-mariadb-104/">Authentication
from MariaDB 10.4</link>. The unix_socket auth plugin does not
use a password, but the connecting user's UID instead. When a
new MariaDB data directory is initialized, two MariaDB users
are created that can be used with the new unix_socket auth
plugin as well as the traditional mysql_native_password plugin:
root@localhost and mysql@localhost. To actually use the
traditional mysql_native_password plugin method, one must run
the following:
</para>
<programlisting language="bash">
{
  services.mysql.initialScript = pkgs.writeText &quot;mariadb-init.sql&quot; ''
    ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD(&quot;verysecret&quot;);
  '';
}
</programlisting>
<para>
When the MariaDB data directory is only upgraded (not
initialized), the users are neither created nor modified.
</para>
</listitem>
<listitem>
<para>
MySQL server is now started with additional systemd
sandbox/hardening options for better security. The PrivateTmp,
ProtectHome, and ProtectSystem options may be problematic when
MySQL is attempting to read from or write to your filesystem
anywhere outside of its own state directory, for example when
calling
<literal>LOAD DATA INFILE</literal> or
<literal>SELECT * INTO OUTFILE</literal>. In this scenario a
variant of the following may be required. To allow MySQL to
read from the <literal>/home</literal> and
<literal>/tmp</literal> directories when using
<literal>LOAD DATA INFILE</literal>:
</para>
<programlisting language="bash">
{
  systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce &quot;read-only&quot;;
}
</programlisting>
<para>
To allow MySQL to write to the custom folder
<literal>/var/data</literal> when using
<literal>SELECT * INTO OUTFILE</literal>, assuming the mysql
user has write access to <literal>/var/data</literal>:
</para>
<programlisting language="bash">
{
  systemd.services.mysql.serviceConfig.ReadWritePaths = [ &quot;/var/data&quot; ];
}
</programlisting>
<para>
The MySQL service no longer runs its
<literal>systemd</literal> service startup script as
<literal>root</literal>. A dedicated non-<literal>root</literal>
super user account is required for operation. This means
users with an existing MySQL or MariaDB database server are
required to run the following SQL statements as a super admin
user before upgrading:
</para>
<programlisting language="SQL">
CREATE USER IF NOT EXISTS 'mysql'@'localhost' identified with unix_socket;
GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
</programlisting>
<para>
If you use MySQL instead of MariaDB please replace
<literal>unix_socket</literal> with
<literal>auth_socket</literal>. If you have changed the value
of
<link xlink:href="options.html#opt-services.mysql.user">services.mysql.user</link>
from the default of <literal>mysql</literal> to a different
user please change <literal>'mysql'@'localhost'</literal> to
the corresponding user instead.
</para>
</listitem>
<listitem>
<para>
Zabbix now defaults to 5.0, updated from 4.4. Please carefully
read through
<link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade/sources">the
upgrade guide</link> and apply any changes required. Be sure
to take special note of the section on
<link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade_notes_500#enabling_extended_range_of_numeric_float_values">enabling
extended range of numeric (float) values</link> as you will
need to apply this database migration manually.
</para>
<para>
If you are using Zabbix Server with a MySQL or MariaDB
database you should note that using a character set of
<literal>utf8</literal> and a collate of
<literal>utf8_bin</literal> has become mandatory with this
release. See the upstream
<link xlink:href="https://support.zabbix.com/browse/ZBX-17357">issue</link>
for further discussion. Before upgrading you should check the
character set and collation used by your database and ensure
they are correct:
</para>
<programlisting language="SQL">
SELECT
default_character_set_name,
default_collation_name
FROM
information_schema.schemata
WHERE
schema_name = 'zabbix';
</programlisting>
<para>
If these values are not correct you should take a backup of
your database and convert the character set and collation as
required. Here is an
<link xlink:href="https://www.zabbix.com/forum/zabbix-help/396573-reinstall-after-upgrade?p=396891#post396891">example</link>
of how to do so, taken from the Zabbix forums:
</para>
<programlisting language="SQL">
ALTER DATABASE `zabbix` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin;
-- the following will produce a list of SQL commands you should subsequently execute
SELECT CONCAT(&quot;ALTER TABLE &quot;, TABLE_NAME,&quot; CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;&quot;) AS ExecuteTheString
FROM information_schema.`COLUMNS`
WHERE table_schema = &quot;zabbix&quot; AND COLLATION_NAME = &quot;utf8_general_ci&quot;;
</programlisting>
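<para>
The conversion query above prints one ALTER TABLE line per column and
only matches <literal>utf8_general_ci</literal>. The following added
example (not part of the release notes or of Zabbix) derives the same
statements from constructed <literal>information_schema.COLUMNS</literal>
rows, emitting each table once and catching any collation other than
<literal>utf8_bin</literal>; the table and collation names in the sample
rows are made up for illustration.
</para>

```python
"""Derive the Zabbix 5.0 charset/collation conversion statements from
information_schema rows, one ALTER TABLE per table. The query in the
release notes emits one line per column and only matches utf8_general_ci;
this also catches other collations (for example latin1_swedish_ci, the
MariaDB default) and never repeats a table."""
from typing import List, Optional, Tuple

TARGET_CHARSET = "utf8"
TARGET_COLLATION = "utf8_bin"

# Constructed rows in the shape of
#   SELECT table_schema, table_name, collation_name FROM information_schema.COLUMNS
# collation_name is NULL (None) for non-text columns.
SAMPLE_COLUMNS: List[Tuple[str, str, Optional[str]]] = [
    ("zabbix", "hosts", "utf8_general_ci"),
    ("zabbix", "hosts", "utf8_general_ci"),
    ("zabbix", "hosts", None),
    ("zabbix", "items", "utf8_bin"),
    ("zabbix", "items", None),
    ("zabbix", "events", "latin1_swedish_ci"),
    ("mysql", "user", "utf8_general_ci"),
]


def schema_is_correct(charset: Optional[str], collation: Optional[str]) -> bool:
    """Check the pair returned by the information_schema.schemata query."""
    return charset == TARGET_CHARSET and collation == TARGET_COLLATION


def tables_needing_conversion(rows, schema: str = "zabbix") -> List[str]:
    """Tables in schema with at least one text column not collated utf8_bin."""
    bad = set()
    for table_schema, table_name, collation in rows:
        if table_schema != schema or collation is None:
            continue
        if collation != TARGET_COLLATION:
            bad.add(table_name)
    return sorted(bad)


def conversion_statements(rows, schema: str = "zabbix") -> List[str]:
    """ALTER DATABASE followed by one ALTER TABLE per affected table."""
    stmts = [
        "ALTER DATABASE `%s` DEFAULT CHARACTER SET %s COLLATE %s;"
        % (schema, TARGET_CHARSET, TARGET_COLLATION)
    ]
    for table in tables_needing_conversion(rows, schema):
        stmts.append(
            "ALTER TABLE `%s`.`%s` CONVERT TO CHARACTER SET %s COLLATE %s;"
            % (schema, table, TARGET_CHARSET, TARGET_COLLATION)
        )
    return stmts
```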
</listitem>
<listitem>
<para>
The maxx package has been removed along with the
<literal>services.xserver.desktopManager.maxx</literal>
module. Please migrate to cdesktopenv and the
<literal>services.xserver.desktopManager.cde</literal> module.
</para>
</listitem>
<listitem>
<para>
The
<link xlink:href="options.html#opt-services.matrix-synapse.enable">matrix-synapse</link>
module no longer includes optional dependencies by default,
they have to be added through the
<link xlink:href="options.html#opt-services.matrix-synapse.plugins">plugins</link>
option.
</para>
</listitem>
<listitem>
<para>
<literal>buildGoModule</literal> now internally creates a
vendor directory in the source tree for downloaded modules
instead of using go's
<link xlink:href="https://golang.org/cmd/go/#hdr-Module_proxy_protocol">module
proxy protocol</link>. This storage format is simpler and
therefore less likely to break with future versions of go. As
a result <literal>buildGoModule</literal> switched from
<literal>modSha256</literal> to the
<literal>vendorSha256</literal> attribute to pin fetched
version data.
</para>
</listitem>
<listitem>
<para>
Grafana is now built without support for phantomjs by default.
Phantomjs support has been
<link xlink:href="https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-4/">deprecated
in Grafana</link> and the phantomjs project is
<link xlink:href="https://github.com/ariya/phantomjs/issues/15344#issue-302015362">currently
unmaintained</link>. It can still be enabled by providing
<literal>phantomJsSupport = true</literal> to the package
instantiation:
</para>
<programlisting language="bash">
{
  services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec {
    phantomJsSupport = true;
  });
}
</programlisting>
</listitem>
<listitem>
<para>
The
<link xlink:href="options.html#opt-services.supybot.enable">supybot</link>
module now uses <literal>/var/lib/supybot</literal> as its
default
<link xlink:href="options.html#opt-services.supybot.stateDir">stateDir</link>
path if <literal>stateVersion</literal> is 20.09 or higher. It
also enables a number of
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd
sandboxing options</link> which may interfere with some
plugins. If this is the case you can disable the options
through attributes in
<literal>systemd.services.supybot.serviceConfig</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>security.duosec.skey</literal> option, which
stored a secret in the nix store, has been replaced by a new
<link xlink:href="options.html#opt-security.duosec.secretKeyFile">security.duosec.secretKeyFile</link>
option for better security.
</para>
<para>
<literal>security.duosec.ikey</literal> has been renamed to
<link xlink:href="options.html#opt-security.duosec.integrationKey">security.duosec.integrationKey</link>.
</para>
</listitem>
<listitem>
<para>
<literal>vmware</literal> has been removed from the
<literal>services.x11.videoDrivers</literal> defaults. For
VMWare guests set
<literal>virtualisation.vmware.guest.enable</literal> to
<literal>true</literal> which will include the appropriate
drivers.
</para>
</listitem>
<listitem>
<para>
The initrd SSH support now uses OpenSSH rather than Dropbear
to allow the use of Ed25519 keys and other OpenSSH-specific
functionality. Host keys must now be in the OpenSSH format,
and at least one pre-generated key must be specified.
</para>
<para>
If you used the
<literal>boot.initrd.network.ssh.host*Key</literal> options,
you'll get an error explaining how to convert your host keys
and migrate to the new
<literal>boot.initrd.network.ssh.hostKeys</literal> option.
Otherwise, if you don't have any host keys set, you'll need to
generate some; see the <literal>hostKeys</literal> option
documentation for instructions.
</para>
</listitem>
<listitem>
<para>
Since this release there's an easy way to customize your PHP
install to get a much smaller base PHP with only wanted
extensions enabled. See the following snippet installing a
smaller PHP with the extensions <literal>imagick</literal>,
<literal>opcache</literal>, <literal>pdo</literal> and
<literal>pdo_mysql</literal> loaded:
</para>
<programlisting language="bash">
{
  environment.systemPackages = [
    (pkgs.php.withExtensions
      ({ all, ... }: with all; [
        imagick
        opcache
        pdo
        pdo_mysql
      ])
    )
  ];
}
</programlisting>
<para>
The default <literal>php</literal> attribute hasn't lost any
extensions. The <literal>opcache</literal> extension has been
added. All upstream PHP extensions are available under
<literal>php.extensions.&lt;name&gt;</literal>.
</para>
<para>
All PHP <literal>config</literal> flags have been removed for
the following reasons:
</para>
<itemizedlist>
<listitem>
<para>
The updated <literal>php</literal> attribute is now easily
customizable to your liking by using
<literal>php.withExtensions</literal> or
<literal>php.buildEnv</literal> instead of writing config
files or changing configure flags.
</para>
</listitem>
<listitem>
<para>
The remaining configuration flags can now be set directly on
the <literal>php</literal> attribute. For example, instead of
</para>
<programlisting language="bash">
php.override {
  config.php.embed = true;
  config.php.apxs2 = false;
}
</programlisting>
<para>
you should now write
</para>
<programlisting language="bash">
php.override {
  embedSupport = true;
  apxs2Support = false;
}
</programlisting>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The ACME module has been overhauled for simplicity and
maintainability. Cert generation now implicitly uses the
<literal>acme</literal> user, and the
<literal>security.acme.certs._name_.user</literal> option has
been removed. Instead, certificate access from other services
is now managed through group permissions. The module no longer
runs lego twice under certain conditions, and will correctly
renew certificates if their configuration is changed. Services
which reload nginx and httpd after certificate renewal are now
properly configured too so you no longer have to do this
manually if you are using HTTPS enabled virtual hosts. A
mechanism for regenerating certs on demand has also been added
and documented.
</para>
</listitem>
<listitem>
<para>
Gollum received a major update to version 5.x and you may have
to change some links in your wiki when migrating from gollum
4.x. More information can be found
<link xlink:href="https://github.com/gollum/gollum/wiki/5.0-release-notes#migrating-your-wiki">here</link>.
</para>
</listitem>
<listitem>
<para>
Deluge 2.x was added and is used as the default for new NixOS
installations where stateVersion is &gt;= 20.09. If you are
upgrading from a previous NixOS version, you can set
<literal>services.deluge.package = pkgs.deluge-2_x</literal> to
upgrade to Deluge 2.x and migrate the state to the new format.
Be aware that backwards state migrations are not supported by
Deluge.
</para>
</listitem>
<listitem>
<para>
The Nginx web server is now started with additional
sandbox/hardening options. By default, write access to
<literal>/var/log/nginx</literal> and
<literal>/var/cache/nginx</literal> is allowed. To allow
writing to other folders, use
<literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal>:
</para>
<programlisting language="bash">
{
systemd.services.nginx.serviceConfig.ReadWritePaths = [ &quot;/var/www&quot; ];
}
</programlisting>
<para>
Nginx is also started with the systemd option
<literal>ProtectHome = mkDefault true;</literal>, which forbids
it from reading anything under <literal>/home</literal>,
<literal>/root</literal> and <literal>/run/user</literal> (see the
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=">ProtectHome
docs</link> for details). If you need to serve files from
home directories, you may choose to set e.g.
</para>
<programlisting language="bash">
{
systemd.services.nginx.serviceConfig.ProtectHome = &quot;read-only&quot;;
}
</programlisting>
</listitem>
<listitem>
<para>
The NixOS options <literal>nesting.clone</literal> and
<literal>nesting.children</literal> have been deleted, and
replaced with named
<link xlink:href="options.html#opt-specialisation">specialisation</link>
configurations.
</para>
<para>
Replace a <literal>nesting.clone</literal> entry with:
</para>
<programlisting language="bash">
{
specialisation.example-sub-configuration = {
configuration = {
...
};
};
</programlisting>
<para>
Replace a <literal>nesting.children</literal> entry with:
</para>
<programlisting language="bash">
{
specialisation.example-sub-configuration = {
inheritParentConfig = false;
configuration = {
...
};
};
</programlisting>
<para>
To switch to a specialised configuration at runtime you need
to run:
</para>
<programlisting>
$ sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test
</programlisting>
<para>
Before you would have used:
</para>
<programlisting>
$ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
</programlisting>
</listitem>
<listitem>
<para>
The Nginx log directory has been moved to
<literal>/var/log/nginx</literal>, the cache directory to
<literal>/var/cache/nginx</literal>. The option
<literal>services.nginx.stateDir</literal> has been removed.
</para>
</listitem>
<listitem>
<para>
The httpd web server previously started its main process as
root and then ran worker processes as a less privileged
user. It has been changed to start all of httpd as a less
privileged user (defined by
<link xlink:href="options.html#opt-services.httpd.user">services.httpd.user</link>
and
<link xlink:href="options.html#opt-services.httpd.group">services.httpd.group</link>).
As a consequence, all files that httpd needs at runtime
(including configuration fragments, SSL certificates and keys,
etc.) must now be readable by this less privileged user/group.
</para>
<para>
The default value for
<link xlink:href="options.html#opt-services.httpd.mpm">services.httpd.mpm</link>
has been changed from <literal>prefork</literal> to
<literal>event</literal>. Along with this change the default
value for
<link xlink:href="options.html#opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.http2</link>
has been set to <literal>true</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>systemd-networkd</literal> option
<literal>systemd.network.networks.&lt;name&gt;.dhcp.CriticalConnection</literal>
has been removed following upstream systemd's deprecation of
that setting. Use
<literal>systemd.network.networks.&lt;name&gt;.networkConfig.KeepConfiguration</literal>
instead. See systemd.network(5) for details.
</para>
</listitem>
<listitem>
<para>
The <literal>systemd-networkd</literal> option
<literal>systemd.network.networks._name_.dhcpConfig</literal>
has been renamed to
<link xlink:href="options.html#opt-systemd.network.networks._name_.dhcpV4Config">systemd.network.networks.<emphasis>name</emphasis>.dhcpV4Config</link>
following upstream systemd's documentation change. See
systemd.network(5) for details.
</para>
</listitem>
<listitem>
<para>
In the <literal>picom</literal> module, several options that
accepted floating point numbers encoded as strings (for
example
<link xlink:href="options.html#opt-services.picom.activeOpacity">services.picom.activeOpacity</link>)
have been changed to the (relatively) new native
<literal>float</literal> type. To migrate your configuration
simply remove the quotes around the numbers.
</para>
</listitem>
<listitem>
<para>
When using <literal>buildBazelPackage</literal> from Nixpkgs,
<literal>flat</literal> hash mode is now used for dependencies
instead of <literal>recursive</literal>. This is to better
allow using hashed mirrors where needed. As a result, these
hashes will have changed.
</para>
</listitem>
<listitem>
<para>
The syntax of the PostgreSQL configuration file is now checked
at build time. If your configuration includes a file
inaccessible inside the build sandbox, set
<literal>services.postgresql.checkConfig</literal> to
<literal>false</literal>.
</para>
</listitem>
<listitem>
<para>
The rkt module has been removed, as the project was archived upstream.
</para>
</listitem>
<listitem>
<para>
The
<link xlink:href="https://bazaar.canonical.com">Bazaar</link>
VCS is unmaintained and, as a consequence of the Python 2 EOL,
the packages <literal>bazaar</literal> and
<literal>bazaarTools</literal> were removed. Breezy, the
backward compatible fork of Bazaar (see the
<link xlink:href="https://www.jelmer.uk/breezy-intro.html">announcement</link>),
was packaged as <literal>breezy</literal> and can be used
instead.
</para>
<para>
Regarding Nixpkgs, <literal>fetchbzr</literal>,
<literal>nix-prefetch-bzr</literal> and Bazaar support in
Hydra will continue to work through Breezy.
</para>
</listitem>
<listitem>
<para>
In addition to the hostname, the fully qualified domain name
(FQDN), which consists of
<literal>${networking.hostName}</literal> and
<literal>${networking.domain}</literal> is now added to
<literal>/etc/hosts</literal>, to allow local FQDN resolution,
as used by the <literal>hostname --fqdn</literal> command and
other applications that try to determine the FQDN. These new
entries take precedence over entries from DNS, which could
cause regressions in some very specific setups. Additionally
the hostname is now resolved to <literal>127.0.0.2</literal>
instead of <literal>127.0.1.1</literal> to be consistent with
what <literal>nss-myhostname</literal> (from systemd) returns.
The old behaviour can e.g. be restored by using
<literal>networking.hosts = lib.mkForce { &quot;127.0.1.1&quot; = [ config.networking.hostName ]; };</literal>.
</para>
</listitem>
<listitem>
<para>
The hostname (<literal>networking.hostName</literal>) must now
be a valid DNS label (see RFC 1035, RFC 1123) and as such must
not contain the domain part. This means that the hostname must
start with a letter or digit, end with a letter or digit, and
have as interior characters only letters, digits, and hyphen.
The maximum length is 63 characters. Additionally it is
recommended to only use lower-case characters. If (e.g. for
legacy reasons) an FQDN is required as the Linux kernel network
node hostname (<literal>uname --nodename</literal>) the option
<literal>boot.kernel.sysctl.&quot;kernel.hostname&quot;</literal>
can be used as a workaround (but be aware of the 64 character
limit).
</para>
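<para>
The label rules above (first and last character alphanumeric, hyphens
only in the interior, at most 63 characters, no domain part) can be
checked before a rebuild fails on them. The following added example
(not NixOS's own validation code) implements that check, separates the
hard errors from the lower-case recommendation, derives the FQDN from
<literal>networking.hostName</literal> and
<literal>networking.domain</literal>, and checks the 64-character limit
that applies when an FQDN is pushed into
<literal>kernel.hostname</literal>. The layout produced by
<literal>hosts_line()</literal> (address, FQDN, then short name) is an
assumption modelled on the text; compare it with the
<literal>/etc/hosts</literal> NixOS generates.
</para>
```python
"""Validate networking.hostName as an RFC 1123 DNS label and derive the FQDN
and the kernel node name limit the release note mentions.

Added example for this release note, not NixOS's own validation code. The
hosts_line() layout (address, FQDN, then the short name) is an assumption
modelled on the text; compare it with the /etc/hosts NixOS generates.
"""
import string

MAX_LABEL_LEN = 63          # RFC 1035/1123 label limit
MAX_KERNEL_NODENAME = 64    # limit for kernel.hostname noted above
_ALNUM = set(string.ascii_letters + string.digits)


def hostname_problems(name):
    """Hard errors that make name unusable as networking.hostName.
    Returns an empty list when the name is a valid DNS label."""
    problems = []
    if len(name) not in range(1, MAX_LABEL_LEN + 1):
        problems.append("length must be between 1 and %d characters" % MAX_LABEL_LEN)
        if name == "":
            return problems
    if "." in name:
        problems.append("must not contain the domain part; put it in networking.domain")
    if name[0] not in _ALNUM:
        problems.append("must start with a letter or digit")
    if name[-1] not in _ALNUM:
        problems.append("must end with a letter or digit")
    # dots are reported above, so only flag other disallowed characters here
    bad = sorted(set(name) - _ALNUM - {"-", "."})
    if bad:
        problems.append("invalid characters: " + "".join(bad))
    return problems


def hostname_warnings(name):
    """Soft recommendations: the note advises lower-case letters only."""
    if name != name.lower():
        return ["upper-case letters are allowed but not recommended"]
    return []


def fqdn(host_name, domain=None):
    """networking.hostName joined with networking.domain, if one is set."""
    if domain:
        return host_name + "." + domain
    return host_name


def hosts_line(host_name, domain=None):
    """/etc/hosts entry for local FQDN resolution (assumed layout; the
    note states the address 127.0.0.2 and that the FQDN is added)."""
    if not domain:
        return "127.0.0.2 " + host_name
    return "127.0.0.2 " + fqdn(host_name, domain) + " " + host_name


def fits_kernel_nodename(name):
    """True if name fits the 64-character kernel.hostname limit."""
    return len(name) in range(1, MAX_KERNEL_NODENAME + 1)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    for candidate in ["nixos", "My-Host", "host.example.org", "-bad", "a" * 64]:
        print(candidate, hostname_problems(candidate), hostname_warnings(candidate))
    print(hosts_line("nixos", "example.org"))
    print(fits_kernel_nodename(fqdn("nixos", "example.org")))
```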
</listitem>
<listitem>
<para>
The GRUB specific option
<literal>boot.loader.grub.extraInitrd</literal> has been
replaced with the generic option
<literal>boot.initrd.secrets</literal>. This option creates a
secondary initrd from the specified files, rather than using a
manually created initrd file. Due to an existing bug with
<literal>boot.loader.grub.extraInitrd</literal>, it is not
possible to directly boot an older generation that used that
option. It is still possible to roll back to that generation if
the required initrd file has not been deleted.
</para>
</listitem>
<listitem>
<para>
The
<link xlink:href="https://github.com/okTurtles/dnschain">DNSChain</link>
package and NixOS module have been removed from Nixpkgs as the
software is unmaintained and can't be built. For more
information see issue
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/89205">#89205</link>.
</para>
</listitem>
<listitem>
<para>
In the <literal>resilio</literal> module,
<link xlink:href="options.html#opt-services.resilio.httpListenAddr">services.resilio.httpListenAddr</link>
has been changed to listen to <literal>[::1]</literal> instead
of <literal>0.0.0.0</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>sslh</literal> has been updated to version
<literal>1.21</literal>. The <literal>ssl</literal> probe must
be renamed to <literal>tls</literal> in
<link xlink:href="options.html#opt-services.sslh.appendConfig">services.sslh.appendConfig</link>.
</para>
</listitem>
<listitem>
<para>
Users of <link xlink:href="http://openafs.org">OpenAFS
1.6</link> must upgrade their services to OpenAFS 1.8! In this
release, the OpenAFS package version 1.6.24 is marked broken
but can be used during transition to OpenAFS 1.8.x. Use the
options
<literal>services.openafsClient.packages.module</literal>,
<literal>services.openafsClient.packages.programs</literal>
and <literal>services.openafsServer.package</literal> to
select a different OpenAFS package. OpenAFS 1.6 will be
removed in the next release. The package
<literal>openafs</literal> and the service options will then
silently point to the OpenAFS 1.8 release.
</para>
<para>
See also the OpenAFS
<link xlink:href="http://docs.openafs.org/AdminGuide/index.html">Administrator
Guide</link> for instructions. Beware of the following when
updating servers:
</para>
<itemizedlist>
<listitem>
<para>
The storage format of the server key has changed and the
key must be converted before running the new release.
</para>
</listitem>
<listitem>
<para>
When updating multiple database servers, turn off the
database servers from the highest IP down to the lowest
with resting periods in between. Start up in reverse
order. Do not concurrently run database servers working
with different OpenAFS releases!
</para>
</listitem>
<listitem>
<para>
Update servers first, then clients.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Radicale's default package has changed from 2.x to 3.x. An
upgrade checklist can be found
<link xlink:href="https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist">here</link>.
You can use the newer version in the NixOS service by setting
the <literal>package</literal> to
<literal>radicale3</literal>, which is done automatically if
<literal>stateVersion</literal> is 20.09 or higher.
</para>
</listitem>
<listitem>
<para>
<literal>udpt</literal> experienced a complete rewrite from
C++ to Rust. The configuration format changed from INI to
TOML. The new configuration documentation can be found at
<link xlink:href="https://naim94a.github.io/udpt/config.html">the
official website</link> and example configuration is packaged
in <literal>${udpt}/share/udpt/udpt.toml</literal>.
</para>
</listitem>
<listitem>
<para>
We now have a unified
<link xlink:href="options.html#opt-services.xserver.displayManager.autoLogin">services.xserver.displayManager.autoLogin</link>
option interface to be used for every display-manager in
NixOS.
</para>
</listitem>
<listitem>
<para>
The <literal>bitcoind</literal> module has changed to
multi-instance, using submodules. Therefore, it is now
mandatory to name each instance. To use this new
multi-instance config with an existing bitcoind data directory
and user, you have to adjust the original config, e.g.:
</para>
<programlisting language="bash">
{
services.bitcoind = {
enable = true;
extraConfig = &quot;...&quot;;
...
};
}
</programlisting>
<para>
To something similar:
</para>
<programlisting language="bash">
{
services.bitcoind.mainnet = {
enable = true;
dataDir = &quot;/var/lib/bitcoind&quot;;
user = &quot;bitcoin&quot;;
extraConfig = &quot;...&quot;;
...
};
}
</programlisting>
<para>
The key settings are:
</para>
<itemizedlist>
<listitem>
<para>
<literal>dataDir</literal> - to continue using the same
data directory.
</para>
</listitem>
<listitem>
<para>
<literal>user</literal> - to continue using the same user
so that bitcoind maintains access to its files.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Graylog introduced a change in the LDAP server certificate
validation behaviour for version 3.3.3 which might break
existing setups. When updating Graylog from a version before
3.3.3 make sure to check the Graylog
<link xlink:href="https://www.graylog.org/post/announcing-graylog-v3-3-3">release
info</link> for information on how to avoid the issue.
</para>
</listitem>
<listitem>
<para>
The <literal>dokuwiki</literal> module has changed to
multi-instance, using submodules. Therefore, it is now
mandatory to name each instance. Moreover, forcing SSL by
default has been dropped, so <literal>nginx.forceSSL</literal>
and <literal>nginx.enableACME</literal> are no longer set to
<literal>true</literal>. To continue using your service with
the original SSL settings, you have to adjust the original
config, e.g.:
</para>
<programlisting language="bash">
{
services.dokuwiki = {
enable = true;
...
};
}
</programlisting>
<para>
To something similar:
</para>
<programlisting language="bash">
{
services.dokuwiki.&quot;mywiki&quot; = {
enable = true;
nginx = {
forceSSL = true;
enableACME = true;
};
...
};
}
</programlisting>
<para>
The base package has also been upgraded to the 2020-07-29
&quot;Hogfather&quot; release. Plugins might be incompatible
or require upgrading.
</para>
</listitem>
<listitem>
<para>
The
<link xlink:href="options.html#opt-services.postgresql.dataDir">services.postgresql.dataDir</link>
option is now set to
<literal>&quot;/var/lib/postgresql/${cfg.package.psqlSchema}&quot;</literal>
regardless of your
<link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>.
Users with an existing postgresql install that have a
<link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>
of <literal>17.03</literal> or below should double check what
the value of their
<link xlink:href="options.html#opt-services.postgresql.dataDir">services.postgresql.dataDir</link>
option is (<literal>/var/db/postgresql</literal>) and then
explicitly set this value to maintain compatibility:
</para>
<programlisting language="bash">
{
services.postgresql.dataDir = &quot;/var/db/postgresql&quot;;
}
</programlisting>
<para>
The postgresql module now expects there to be a database super
user account called <literal>postgres</literal> regardless of
your
<link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>.
Users with an existing postgresql install that have a
<link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>
of <literal>17.03</literal> or below should run the following
SQL statements as a database super admin user before
upgrading:
</para>
<programlisting language="SQL">
CREATE ROLE postgres LOGIN SUPERUSER;
</programlisting>
</listitem>
<listitem>
<para>
The USBGuard module now removes options and instead hardcodes
values for <literal>IPCAccessControlFiles</literal>,
<literal>ruleFiles</literal>, and
<literal>auditFilePath</literal>. Audit logs can be found in
the journal.
</para>
</listitem>
<listitem>
<para>
The NixOS module system now evaluates option definitions more
strictly, allowing it to detect a larger set of problems. As a
result, what previously evaluated may not do so anymore. See
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/82743#issuecomment-674520472">the
PR that changed this</link> for more info.
</para>
</listitem>
<listitem>
<para>
For NixOS configuration options, the type
<literal>loaOf</literal>, after its initial deprecation in
release 20.03, has been removed. In NixOS and Nixpkgs options
using this type have been converted to
<literal>attrsOf</literal>. For more information on this
change have a look at these links:
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/1800">issue
#1800</link>,
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/63103">PR
#63103</link>.
</para>
</listitem>
<listitem>
<para>
<literal>config.systemd.services.${name}.path</literal> now
returns a list of paths instead of a colon-separated string.
</para>
</listitem>
<listitem>
<para>
The Caddy module now uses Caddy v2 by default. Caddy v1 can still
be used by setting
<link xlink:href="options.html#opt-services.caddy.package">services.caddy.package</link>
to <literal>pkgs.caddy1</literal>.
</para>
<para>
New option
<link xlink:href="options.html#opt-services.caddy.adapter">services.caddy.adapter</link>
has been added.
</para>
</listitem>
<listitem>
<para>
The
<link xlink:href="options.html#opt-services.jellyfin.enable">jellyfin</link>
module will use and stay on the Jellyfin version
<literal>10.5.5</literal> if <literal>stateVersion</literal>
is lower than <literal>20.09</literal>. This is because
significant changes were made to the database schema, and it
is highly recommended to backup your instance before
upgrading. After making your backup, you can upgrade to the
latest version either by setting your
<literal>stateVersion</literal> to <literal>20.09</literal> or
higher, or by setting
<literal>services.jellyfin.package</literal> to
<literal>pkgs.jellyfin</literal>. If you do not wish to
upgrade Jellyfin, but want to change your
<literal>stateVersion</literal>, you can set the value of
<literal>services.jellyfin.package</literal> to
<literal>pkgs.jellyfin_10_5</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>security.rngd</literal> service is now disabled
by default. This choice was made because krngd in the Linux
kernel makes it functionally redundant for most use cases.
</para>
</listitem>
<listitem>
<para>
The <literal>hardware.nvidia.optimus_prime.enable</literal>
option has been renamed to
<literal>hardware.nvidia.prime.sync.enable</literal> and has
many new enhancements. Related nvidia prime settings may have
also changed.
</para>
</listitem>
<listitem>
<para>
The package nextcloud17 has been removed and nextcloud18 was
marked as insecure since both of them
<link xlink:href="https://docs.nextcloud.com/server/19/admin_manual/release_schedule.html">
will be EOL (end of life) within the lifetime of 20.09</link>.
</para>
<para>
It's necessary to upgrade to nextcloud19:
</para>
<itemizedlist>
<listitem>
<para>
From nextcloud17, you have to upgrade to nextcloud18 first
as Nextcloud doesn't allow going multiple major revisions
forward in a single upgrade. This is possible by setting
<link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link>
to nextcloud18.
</para>
</listitem>
<listitem>
<para>
From nextcloud18, it's possible to directly upgrade to
nextcloud19 by setting
<link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link>
to nextcloud19.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The GNOME desktop manager no longer installs
gnome3.epiphany by default, because it has a
usability-breaking issue (see issue
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link>)
that makes it unsuitable as a default app.
</para>
<note>
<para>
Issue
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link>
is now fixed and gnome3.epiphany is once again installed by
default.
</para>
</note>
</listitem>
<listitem>
<para>
If you want to manage the configuration of wpa_supplicant
outside of NixOS you must ensure that none of
<link xlink:href="options.html#opt-networking.wireless.networks">networking.wireless.networks</link>,
<link xlink:href="options.html#opt-networking.wireless.extraConfig">networking.wireless.extraConfig</link>
or
<link xlink:href="options.html#opt-networking.wireless.userControlled.enable">networking.wireless.userControlled.enable</link>
is being used or <literal>true</literal>. Using any of those
options will cause wpa_supplicant to be started with a NixOS
generated configuration file instead of your own.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-20.09-notable-changes">
<title>Other Notable Changes</title>
<itemizedlist>
<listitem>
<para>
SD images are now compressed by default using
<literal>zstd</literal>. The compression for ISO images has
also been changed to <literal>zstd</literal>, but ISO images
are still not compressed by default.
</para>
</listitem>
<listitem>
<para>
<literal>services.journald.rateLimitBurst</literal> was
updated from <literal>1000</literal> to
<literal>10000</literal> to follow the new upstream systemd
default.
</para>
</listitem>
<listitem>
<para>
The notmuch package moved its emacs-related binaries and emacs
lisp files to a separate output. They're not part of the
default <literal>out</literal> output anymore; if you relied
on the <literal>notmuch-emacs-mua</literal> binary or the
emacs lisp files, access them via the
<literal>notmuch.emacs</literal> output.
</para>
</listitem>
<listitem>
<para>
Device tree overlay support was improved in
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/79370">#79370</link>
and now uses
<link xlink:href="options.html#opt-hardware.deviceTree.kernelPackage">hardware.deviceTree.kernelPackage</link>
instead of <literal>hardware.deviceTree.base</literal>.
<link xlink:href="options.html#opt-hardware.deviceTree.overlays">hardware.deviceTree.overlays</link>
configuration was extended to support <literal>.dts</literal>
files with symbols. Device trees can now be filtered by
setting the
<link xlink:href="options.html#opt-hardware.deviceTree.filter">hardware.deviceTree.filter</link>
option.
</para>
</listitem>
<listitem>
<para>
The default output of <literal>buildGoPackage</literal> is now
<literal>$out</literal> instead of <literal>$bin</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>buildGoModule</literal> <literal>doCheck</literal>
now defaults to <literal>true</literal>.
</para>
</listitem>
<listitem>
<para>
Packages built using <literal>buildRustPackage</literal> now
use <literal>release</literal> mode for the
<literal>checkPhase</literal> by default.
</para>
<para>
Please note that Rust packages utilizing a custom
build/install procedure (e.g. by using a
<literal>Makefile</literal>) or test suites that rely on the
structure of the <literal>target/</literal> directory may
break due to those assumptions. For further information,
please read the Rust section in the Nixpkgs manual.
</para>
</listitem>
<listitem>
<para>
The cc- and binutils-wrapper's &quot;infix salt&quot; and
<literal>_BUILD_</literal> and <literal>_TARGET_</literal>
user infixes have been replaced with a &quot;suffix
salt&quot; and the suffixes <literal>_FOR_BUILD</literal> and
<literal>_FOR_TARGET</literal>. This matches the autotools
convention for these environment variables, making interfacing
with other tools easier.
</para>
</listitem>
<listitem>
<para>
Additional Git documentation (HTML and text files) is now
available via the <literal>git-doc</literal> package.
</para>
</listitem>
<listitem>
<para>
Default algorithm for ZRAM swap was changed to
<literal>zstd</literal>.
</para>
</listitem>
<listitem>
<para>
The installer now enables sshd by default. This improves
installation on headless machines, especially ARM
single-board computers. To log in through ssh, either a password
or an ssh key must be set for the root user or the nixos user.
</para>
</listitem>
<listitem>
<para>
The scripted networking system now uses
<literal>.link</literal> files in
<literal>/etc/systemd/network</literal> to configure the MAC
address and link MTU, instead of the sometimes buggy
<literal>network-link-*</literal> units, which have been
removed. Bringing the interface up has been moved to the
beginning of the <literal>network-addresses-*</literal> unit.
Note that this doesn't require <literal>systemd-networkd</literal>;
it is udev that parses <literal>.link</literal> files. Extra
care needs to be taken in the presence of
<link xlink:href="https://wiki.debian.org/NetworkInterfaceNames#THE_.22PERSISTENT_NAMES.22_SCHEME">legacy
udev rules</link> to rename interfaces, as MAC Address and MTU
defined in these options can only match on the original link
name. In such cases, you most likely want to create a
<literal>10-*.link</literal> file through
<link xlink:href="options.html#opt-systemd.network.links">systemd.network.links</link>
and set both name and MAC Address / MTU there.
</para>
</listitem>
<listitem>
<para>
Grafana received a major update to version 7.x. A plugin is
now needed for image rendering support, and plugins must now
be signed by default. More information can be found
<link xlink:href="https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0">in
the Grafana documentation</link>.
</para>
</listitem>
<listitem>
<para>
The <literal>hardware.u2f</literal> module, which installed
udev rules, was removed, as udev gained native support for
handling FIDO security tokens.
</para>
</listitem>
<listitem>
<para>
The <literal>services.transmission</literal> module was
enhanced with the new options:
<link xlink:href="options.html#opt-services.transmission.credentialsFile">services.transmission.credentialsFile</link>,
<link xlink:href="options.html#opt-services.transmission.openFirewall">services.transmission.openFirewall</link>,
and
<link xlink:href="options.html#opt-services.transmission.performanceNetParameters">services.transmission.performanceNetParameters</link>.
</para>
<para>
<literal>transmission-daemon</literal> is now started with
additional systemd sandbox/hardening options for better
security. Please
<link xlink:href="https://github.com/NixOS/nixpkgs/issues">report</link>
any use case where this is not working well. In particular,
the newly set <literal>RootDirectory</literal> option forbids
uploading or downloading a torrent outside of the default
directory configured at
<link xlink:href="options.html#opt-services.transmission.settings">settings.download-dir</link>.
If you really need Transmission to access other directories,
you must include those directories into the
<literal>BindPaths</literal> of the service:
</para>
<programlisting language="bash">
{
systemd.services.transmission.serviceConfig.BindPaths = [ &quot;/path/to/alternative/download-dir&quot; ];
}
</programlisting>
<para>
Also, connection to the RPC (Remote Procedure Call) of
<literal>transmission-daemon</literal> is now only available
on the local network interface by default. Use:
</para>
<programlisting language="bash">
{
services.transmission.settings.rpc-bind-address = &quot;0.0.0.0&quot;;
}
</programlisting>
<para>
to get the previous behavior of listening on all network
interfaces.
</para>
</listitem>
<listitem>
<para>
With this release <literal>systemd-networkd</literal> (when
enabled through
<link xlink:href="options.html#opt-networking.useNetworkd">networking.useNetworkd</link>)
has its netlink socket created through a
<literal>systemd.socket</literal> unit. This gives us control
over socket buffer sizes and other parameters. For larger
setups where networkd has to create a lot of (virtual) devices
the default buffer size (currently 128MB) is not enough.
</para>
<para>
On a machine with &gt;100 virtual interfaces (e.g., wireguard
tunnels, VLANs, …), that all have to be brought up during
system startup, the receive buffer size will spike for a brief
period. Eventually some of the messages will be dropped since
there is not enough (permitted) buffer space available.
</para>
<para>
By having <literal>systemd-networkd</literal> start with a
netlink socket created by <literal>systemd</literal> we can
configure the <literal>ReceiveBufferSize=</literal> parameter
in the socket options (i.e.
<literal>systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize</literal>)
without recompiling <literal>systemd-networkd</literal>.
</para>
<para>
Since the actual memory requirements depend on hardware,
timing, exact configurations etc. it isn't currently possible
to infer a good default from within the NixOS module system.
Administrators are advised to monitor the logs of
<literal>systemd-networkd</literal> for
<literal>rtnl: kernel receive buffer overrun</literal> spam
and increase the memory limit as they see fit.
</para>
<para>
Note: Increasing the <literal>ReceiveBufferSize=</literal>
doesn't allocate any memory. It just increases the upper bound
on the kernel side. The memory allocation depends on the
amount of messages that are queued on the kernel side of the
netlink socket.
</para>
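<para>
Since the right value has to be found by watching the logs, the
following added example (not part of NixOS) turns that advice into a
check: it scans <literal>journalctl -u systemd-networkd -o short-iso</literal>
output for the <literal>rtnl: kernel receive buffer overrun</literal>
message, reports how many occurred and over what time window, and
applies a simple doubling rule to the current
<literal>ReceiveBufferSize=</literal> value. The journal lines in
<literal>SAMPLE_JOURNAL</literal> are constructed for the demo, and the
doubling rule is a starting heuristic of this example, not a NixOS
default.
</para>
```python
"""Detect 'rtnl: kernel receive buffer overrun' in systemd-networkd logs.

Added example for this release note, not part of NixOS. SAMPLE_JOURNAL is
constructed for the demo; in practice feed it the output of
'journalctl -u systemd-networkd -o short-iso'. The doubling rule in
suggest_receive_buffer() is a starting heuristic, not a NixOS default.
"""
import re
from datetime import datetime

OVERRUN_TEXT = "rtnl: kernel receive buffer overrun"
# short-iso journal lines: ISO-8601 timestamp, host, unit[pid]: message
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+systemd-networkd\[\d+\]:\s*(.*)$")

# Constructed sample journal (not captured from a real system).
SAMPLE_JOURNAL = """\
2020-10-27T08:00:01+0000 router systemd-networkd[612]: wg0: Link UP
2020-10-27T08:00:01+0000 router systemd-networkd[612]: rtnl: kernel receive buffer overrun
2020-10-27T08:00:02+0000 router systemd-networkd[612]: vlan42: Gained carrier
2020-10-27T08:00:02+0000 router systemd-networkd[612]: rtnl: kernel receive buffer overrun
2020-10-27T08:00:02+0000 router systemd-networkd[612]: rtnl: kernel receive buffer overrun
2020-10-27T08:05:10+0000 router systemd-networkd[612]: wg1: Link UP
"""


def _parse_ts(ts):
    """Parse the short-iso timestamp, including its numeric UTC offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z")


def overrun_report(lines):
    """Count overrun messages and report the time window they span."""
    stamps = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and OVERRUN_TEXT in m.group(2):
            stamps.append(m.group(1))
    if not stamps:
        return {"overruns": 0, "first": None, "last": None, "window_seconds": 0.0}
    window = (_parse_ts(stamps[-1]) - _parse_ts(stamps[0])).total_seconds()
    return {
        "overruns": len(stamps),
        "first": stamps[0],
        "last": stamps[-1],
        "window_seconds": window,
    }


def suggest_receive_buffer(current_bytes, report):
    """Assumed heuristic: double ReceiveBufferSize while overruns are seen.
    The value is only an upper bound on kernel-side queueing; raising it
    does not allocate memory by itself."""
    if report["overruns"] == 0:
        return current_bytes
    return current_bytes * 2


if __name__ == "__main__":
    rep = overrun_report(SAMPLE_JOURNAL.splitlines())
    print(rep)
    # 128 MB is the default buffer size the release note mentions.
    print("suggested ReceiveBufferSize:", suggest_receive_buffer(128 * 1024 * 1024, rep))
```
<para>
The resulting number goes into
<literal>systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize</literal>;
re-run the check after the next boot that brings all interfaces up and
stop raising it once the overrun count stays at zero.
</para>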
</listitem>
<listitem>
<para>
Specifying
<link xlink:href="options.html#opt-services.dovecot2.mailboxes">mailboxes</link>
in the dovecot2 module as a list is deprecated and will break
eval in 21.05. Instead, an attribute-set should be specified
where the <literal>name</literal> should be the key of the
attribute.
</para>
<para>
This means that a configuration like this
</para>
<programlisting language="bash">
{
services.dovecot2.mailboxes = [
{ name = &quot;Junk&quot;;
auto = &quot;create&quot;;
}
];
}
</programlisting>
<para>
should now look like this:
</para>
<programlisting language="bash">
{
services.dovecot2.mailboxes = {
Junk.auto = &quot;create&quot;;
};
}
</programlisting>
</listitem>
<listitem>
<para>
netbeans was upgraded to 12.0 and now defaults to OpenJDK 11.
This might cause problems if your projects depend on packages
that were removed in Java 11.
</para>
</listitem>
<listitem>
<para>
nextcloud has been updated to
<link xlink:href="https://nextcloud.com/blog/nextcloud-hub-brings-productivity-to-home-office/">v19</link>.
</para>
<para>
If you have an existing installation, please make sure that
you're on nextcloud18 before upgrading to nextcloud19 since
Nextcloud doesn't support upgrades across multiple major
versions.
</para>
</listitem>
<listitem>
<para>
The <literal>nixos-run-vms</literal> script now deletes the
machine state of previous runs on test startup. You can use the
<literal>--keep-vm-state</literal> flag to match the previous
behaviour and keep the same VM state between different test
runs.
</para>
</listitem>
<listitem>
<para>
The
<link xlink:href="options.html#opt-nix.buildMachines">nix.buildMachines</link>
option is now type-checked. There are no functional changes,
however this may require updating some configurations to use
correct types for all attributes.
</para>
</listitem>
<listitem>
<para>
The <literal>fontconfig</literal> module stopped generating
config and cache files for fontconfig 2.10.x, the
<literal>/etc/fonts/fonts.conf</literal> now belongs to the
latest fontconfig, just like on other Linux distributions, and
we will
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/95358">no
longer</link> be versioning the config directories.
</para>
<para>
Fontconfig 2.10.x was removed from Nixpkgs since it hasn't
been used in any Nixpkgs package for years now.
</para>
</listitem>
<listitem>
<para>
The Nginx module
<literal>nginxModules.fastcgi-cache-purge</literal> has been renamed to
its official name <literal>nginxModules.cache-purge</literal>.
The Nginx module <literal>nginxModules.ngx_aws_auth</literal>
has been renamed to its official name
<literal>nginxModules.aws-auth</literal>.
</para>
</listitem>
<listitem>
<para>
The option <literal>defaultPackages</literal> was added. It
installs the packages perl, rsync and strace for now. They
were added unconditionally to
<literal>systemPackages</literal> before, but are not strictly
necessary for a minimal NixOS install. You can set it to an
empty list to have a more minimal system. Be aware that some
functionality might still have an impure dependency on those
packages, so things might break.
</para>
</listitem>
<listitem>
<para>
The <literal>undervolt</literal> option no longer needs to
apply its settings every 30s. If they still become undone,
open an issue and restore the previous behaviour using
<literal>undervolt.useTimer</literal>.
</para>
</listitem>
<listitem>
<para>
Agda has been heavily reworked.
</para>
<itemizedlist>
<listitem>
<para>
<literal>agda.mkDerivation</literal> has been heavily
changed and is now located at
<literal>agdaPackages.mkDerivation</literal>.
</para>
</listitem>
<listitem>
<para>
New top-level packages <literal>agda</literal> and
<literal>agda.withPackages</literal> have been added, the
second of which sets up agda with access to chosen
libraries.
</para>
</listitem>
<listitem>
<para>
All agda libraries now live under
<literal>agdaPackages</literal>.
</para>
</listitem>
<listitem>
<para>
Many broken libraries have been removed.
</para>
</listitem>
</itemizedlist>
<para>
See the
<link xlink:href="https://nixos.org/nixpkgs/manual/#agda">new
documentation</link> for more information.
</para>
</listitem>
<listitem>
<para>
The <literal>deepin</literal> package set has been removed
from nixpkgs. It was a work in progress to package the
<link xlink:href="https://www.deepin.org/en/dde/">Deepin
Desktop Environment (DDE)</link>, including libraries, tools
and applications, and it was still missing a service to launch
the desktop environment. It has proven to no longer be a
feasible goal, for the reasons discussed in
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/94870">issue
#94870</link>. The package
<literal>netease-cloud-music</literal> has also been removed,
as it depends on libraries from deepin.
</para>
</listitem>
<listitem>
<para>
The <literal>opendkim</literal> module now uses systemd
sandboxing features to limit the opendkim service's access to
the rest of the system, reducing the impact of a compromise of
that service.
</para>
</listitem>
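<listitem>
<para>
As an added illustration (not the settings of the opendkim
module itself), the fragment below shows the general NixOS
pattern for confining a service with systemd sandboxing
directives: a transient unprivileged user, a read-only view of
the system with one writable state directory, and a reduced
kernel and system-call surface. The unit name
<literal>example-daemon</literal>, its state directory and the
<literal>hello</literal> binary standing in for a real daemon are
placeholders.
</para>
<programlisting language="nix">
```nix
# Added example of systemd sandboxing in a NixOS module; it is not the
# opendkim module's own configuration. The unit name, state directory
# and ExecStart binary are placeholders.
{ config, lib, pkgs, ... }:

{
  systemd.services.example-daemon = {
    description = "Example daemon confined with systemd sandboxing";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    serviceConfig = {
      ExecStart = "${pkgs.hello}/bin/hello";

      # Run as a transient, unprivileged user created by systemd.
      DynamicUser = true;
      # The only writable persistent location: /var/lib/example-daemon
      StateDirectory = "example-daemon";

      # Filesystem view: read-only system, no home directories,
      # private /tmp and a minimal /dev.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;

      # Privilege and kernel surface.
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;

      # Network and syscall restrictions; the list forms are rendered
      # by NixOS as repeated directives, which systemd merges.
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
    };
  };
}
```
</programlisting>
<para>
After switching to the configuration,
<literal>systemd-analyze security example-daemon.service</literal>
reports which directives are in effect and scores the remaining
exposure, which is a convenient way to compare a service before
and after hardening. Services that must bind privileged ports or
write outside their state directory need the corresponding
directives relaxed, so the set above is a starting point rather
than a drop-in for every daemon.
</para>
</listitem>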
<listitem>
<para>
Kubernetes has been upgraded to 1.19.1, which also means that
the Go version used to build it has been bumped to 1.15. This
may have consequences for your existing clusters and their
certificates. Please read
<link xlink:href="https://relnotes.k8s.io/?markdown=93264">the
release notes for Kubernetes 1.19</link> carefully before
upgrading.
</para>
</listitem>
<listitem>
<para>
For AMD GPUs, Vulkan can now be used by adding
<literal>amdvlk</literal> to
<literal>hardware.opengl.extraPackages</literal>.
</para>
</listitem>
<listitem>
<para>
Similarly, still for AMD GPUs, the ROCm OpenCL stack can now
be used by adding <literal>rocm-opencl-icd</literal> to
<literal>hardware.opengl.extraPackages</literal>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-20.09-contributions">
<title>Contributions</title>
<para>
I, Jonathan Ringer, would like to thank the following individuals
for their work on nixpkgs. This release could not be done without
the hard work of the NixOS community. There were 31282
contributions across 1313 contributors.
</para>
<orderedlist numeration="arabic">
<listitem>
<para>
2288 Mario Rodas
</para>
</listitem>
<listitem>
<para>
1837 Frederik Rietdijk
</para>
</listitem>
<listitem>
<para>
946 Jörg Thalheim
</para>
</listitem>
<listitem>
<para>
925 Maximilian Bosch
</para>
</listitem>
<listitem>
<para>
687 Jonathan Ringer
</para>
</listitem>
<listitem>
<para>
651 Jan Tojnar
</para>
</listitem>
<listitem>
<para>
622 Daniël de Kok
</para>
</listitem>
<listitem>
<para>
605 WORLDofPEACE
</para>
</listitem>
<listitem>
<para>
597 Florian Klink
</para>
</listitem>
<listitem>
<para>
528 José Romildo Malaquias
</para>
</listitem>
<listitem>
<para>
281 volth
</para>
</listitem>
<listitem>
<para>
101 Robert Scott
</para>
</listitem>
<listitem>
<para>
86 Tim Steinbach
</para>
</listitem>
<listitem>
<para>
76 WORLDofPEACE
</para>
</listitem>
<listitem>
<para>
49 Maximilian Bosch
</para>
</listitem>
<listitem>
<para>
42 Thomas Tuegel
</para>
</listitem>
<listitem>
<para>
37 Doron Behar
</para>
</listitem>
<listitem>
<para>
36 Vladimír Čunát
</para>
</listitem>
<listitem>
<para>
27 Jonathan Ringer
</para>
</listitem>
<listitem>
<para>
27 Maciej Krüger
</para>
</listitem>
</orderedlist>
<para>
I, Jonathan Ringer, would also like to personally thank
@WORLDofPEACE for their help in mentoring me on the release
process. Special thanks also goes to Thomas Tuegel for helping
immensely with stabilizing Qt, KDE, and Plasma5; I would also like
to thank Robert Scott for his numerous fixes and pull request
reviews.
</para>
</section>
</section>