1f6969dd5e
docs: nixos release notes (revise code blocks)
docs: nixos release notes (fix opt links outside of code blocks)
docs: nixos release notes (fix opt links inside of code blocks)

went fishing with:
```console
rg -A1 \
  --multiline \
  --multiline-dotall \
  '<programlisting>[^</programlisting>]+' \
  | rg linkend
```

docs: nixos release notes (prettier)
docs: nixos release notes (fix zonefile codeblocks)
docs: nixos release notes (restore admonition from prettier destruction)
docs: nixos release notes (recreate xml files)
docs: nixos release notes (fix translation error md -> xml)

admonition with a title seems not to work

docs: nixos release notes (fix code block indentation)
docs: nixos release notes (diff after converting with https://github.com/NixOS/nixpkgs/pull/127270)
docs: nixos release notes (fix remaining '???')

Those were not caught in a previous iteration since they didn't satisfy the then presumed search regex `#opt-.*`

doc: nixos release notes make docbook/md conversion consistent
1197 lines
48 KiB
XML
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-19.09">
|
|
<title>Release 19.09 (<quote>Loris</quote>, 2019/10/09)</title>
|
|
<section xml:id="sec-release-19.09-highlights">
|
|
<title>Highlights</title>
|
|
<para>
|
|
In addition to numerous new and upgraded packages, this release
|
|
has the following highlights:
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
End of support is planned for end of April 2020, handing over
|
|
to 20.03.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Nix has been updated to 2.3; see its
|
|
<link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.3">release
|
|
notes</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Core version changes:
|
|
</para>
|
|
<para>
|
|
systemd: 239 -> 243
|
|
</para>
|
|
<para>
|
|
gcc: 7 -> 8
|
|
</para>
|
|
<para>
|
|
glibc: 2.27 (unchanged)
|
|
</para>
|
|
<para>
|
|
linux: 4.19 LTS (unchanged)
|
|
</para>
|
|
<para>
|
|
openssl: 1.0 -> 1.1
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Desktop version changes:
|
|
</para>
|
|
<para>
|
|
plasma5: 5.14 -> 5.16
|
|
</para>
|
|
<para>
|
|
gnome3: 3.30 -> 3.32
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
PHP now defaults to PHP 7.3, updated from 7.2.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
PHP 7.1 is no longer supported due to upstream not supporting
|
|
this version for the entire lifecycle of the 19.09 release.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The binfmt module is now easier to use. Additional systems can
|
|
be added through
|
|
<literal>boot.binfmt.emulatedSystems</literal>. For instance,
|
|
<literal>boot.binfmt.emulatedSystems = [ "wasm32-wasi" "x86_64-windows" "aarch64-linux" ];</literal>
|
|
will set up binfmt interpreters for each of those listed
|
|
systems.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The installer now uses a less privileged
|
|
<literal>nixos</literal> user whereas before we logged in as
|
|
root. To gain root privileges use <literal>sudo -i</literal>
|
|
without a password.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
We've updated to Xfce 4.14, which brings a new module
|
|
<literal>services.xserver.desktopManager.xfce4-14</literal>.
|
|
If you'd like to upgrade, please switch from the
|
|
<literal>services.xserver.desktopManager.xfce</literal> module
|
|
as it will be deprecated in a future release. There are
|
|
incompatibilities with the current Xfce module; it doesn't
|
|
support <literal>thunarPlugins</literal> and it isn't
|
|
recommended to use
|
|
<literal>services.xserver.desktopManager.xfce</literal> and
|
|
<literal>services.xserver.desktopManager.xfce4-14</literal>
|
|
simultaneously or to downgrade from Xfce 4.14 after upgrading.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The GNOME 3 desktop manager module sports an interface to
|
|
enable/disable core services, applications, and optional GNOME
|
|
packages like games.
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>services.gnome3.core-os-services.enable</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>services.gnome3.core-shell.enable</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>services.gnome3.core-utilities.enable</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>services.gnome3.games.enable</literal>
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>
|
|
With these options we hope to give users finer grained control
|
|
over their systems. Prior to this change you'd either have to
|
|
manually disable options or use
|
|
<literal>environment.gnome3.excludePackages</literal> which
|
|
only excluded the optional applications.
|
|
<literal>environment.gnome3.excludePackages</literal> is now
|
|
unguarded; it can exclude any package installed with
|
|
<literal>environment.systemPackages</literal> in the GNOME 3
|
|
module.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Orthogonal to the previous changes to the GNOME 3 desktop
|
|
manager module, we've updated all default services and
|
|
applications to match as close as possible to a default
|
|
reference GNOME 3 experience.
|
|
</para>
|
|
<para>
|
|
<emphasis role="strong">The following changes were enacted in
|
|
<literal>services.gnome3.core-utilities.enable</literal></emphasis>
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>accerciser</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>dconf-editor</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>evolution</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>gnome-documents</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>gnome-nettool</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>gnome-power-manager</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>gnome-todo</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>gnome-tweaks</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>gnome-usage</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>gucharmap</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>nautilus-sendto</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>vinagre</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>cheese</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>geary</literal>
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>
|
|
<emphasis role="strong">The following changes were enacted in
|
|
<literal>services.gnome3.core-shell.enable</literal></emphasis>
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>gnome-color-manager</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>orca</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>services.avahi.enable</literal>
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
<section xml:id="sec-release-19.09-new-services">
|
|
<title>New Services</title>
|
|
<para>
|
|
The following new services were added since the last release:
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>./programs/dwm-status.nix</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The new <literal>hardware.printers</literal> module allows you to
|
|
declaratively configure CUPS printers via the
|
|
<literal>ensurePrinters</literal> and
|
|
<literal>ensureDefaultPrinter</literal> options.
|
|
<literal>ensurePrinters</literal> will never delete existing
|
|
printers, but will make sure that the given printers are
|
|
configured as declared.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
There is a new
|
|
<link xlink:href="options.html#opt-services.system-config-printer.enable">services.system-config-printer.enable</link>
|
|
and
|
|
<link xlink:href="options.html#opt-programs.system-config-printer.enable">programs.system-config-printer.enable</link>
|
|
module for the program of the same name. If you previously had
|
|
<literal>system-config-printer</literal> enabled through some
|
|
other means you should migrate to using one of these modules.
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>services.xserver.desktopManager.plasma5</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>services.xserver.desktopManager.gnome3</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>services.xserver.desktopManager.pantheon</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>services.xserver.desktopManager.mate</literal>
|
|
Note that Mate uses
|
|
<literal>programs.system-config-printer</literal> as it
|
|
doesn't use it as a service, but its graphical interface
|
|
directly.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<link xlink:href="options.html#opt-services.blueman.enable">services.blueman.enable</link>
|
|
has been added. If you previously had blueman installed via
|
|
<literal>environment.systemPackages</literal> please migrate
|
|
to using the NixOS module, as installing it that way would result in an
|
|
insufficiently configured blueman.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
<section xml:id="sec-release-19.09-incompatibilities">
|
|
<title>Backward Incompatibilities</title>
|
|
<para>
|
|
When upgrading from a previous release, please be aware of the
|
|
following incompatible changes:
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Buildbot no longer supports Python 2, as support was dropped
|
|
upstream in version 2.0.0. Configurations may need to be
|
|
modified to make them compatible with Python 3.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
PostgreSQL now uses <literal>/run/postgresql</literal> as its
|
|
socket directory instead of <literal>/tmp</literal>. So if you
|
|
run an application such as Nextcloud, where you need to use
|
|
the Unix socket path as the database host name, you need to
|
|
change it accordingly.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
PostgreSQL 9.4 is scheduled to reach EOL during the 19.09 life cycle
|
|
and has been removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The options
|
|
<literal>services.prometheus.alertmanager.user</literal> and
|
|
<literal>services.prometheus.alertmanager.group</literal> have
|
|
been removed because the alertmanager service is now using
|
|
systemd's
|
|
<link xlink:href="http://0pointer.net/blog/dynamic-users-with-systemd.html">
|
|
DynamicUser mechanism</link> which obviates these options.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The NetworkManager systemd unit was renamed back from
|
|
network-manager.service to NetworkManager.service for better
|
|
compatibility with other applications expecting this name. The
|
|
same applies to ModemManager where modem-manager.service is
|
|
now called ModemManager.service again.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>services.nzbget.configFile</literal> and
|
|
<literal>services.nzbget.openFirewall</literal> options were
|
|
removed as they are managed internally by nzbget. The
|
|
<literal>services.nzbget.dataDir</literal> option hadn't
|
|
actually been used by the module for some time and so was
|
|
removed as cleanup.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>services.mysql.pidDir</literal> option was
|
|
removed, as it was only used by the wordpress apache-httpd
|
|
service to wait for mysql to have started up. This can be
|
|
accomplished by either describing a dependency on
|
|
mysql.service (preferred) or waiting for the (hardcoded)
|
|
<literal>/run/mysqld/mysql.sock</literal> file to appear.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>services.emby.enable</literal> module has been
|
|
removed, see <literal>services.jellyfin.enable</literal>
|
|
instead for a free software fork of Emby. See the Jellyfin
|
|
documentation:
|
|
<link xlink:href="https://jellyfin.readthedocs.io/en/latest/administrator-docs/migrate-from-emby/">
|
|
Migrating from Emby to Jellyfin </link>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
IPv6 Privacy Extensions are now enabled by default for
|
|
undeclared interfaces. The previous behaviour was quite
|
|
misleading — even though the default value for
|
|
<literal>networking.interfaces.*.preferTempAddress</literal>
|
|
was <literal>true</literal>, undeclared interfaces would not
|
|
prefer temporary addresses. Now, interfaces not mentioned in
|
|
the config will prefer temporary addresses. EUI64 addresses
|
|
can still be set as preferred by explicitly setting the option
|
|
to <literal>false</literal> for the interface in question.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Since Bittorrent Sync was superseded by Resilio Sync in 2016,
|
|
the <literal>bittorrentSync</literal>,
|
|
<literal>bittorrentSync14</literal>, and
|
|
<literal>bittorrentSync16</literal> packages have been removed
|
|
in favor of <literal>resilio-sync</literal>.
|
|
</para>
|
|
<para>
|
|
The corresponding module, <literal>services.btsync</literal>
|
|
has been replaced by the <literal>services.resilio</literal>
|
|
module.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The httpd service no longer attempts to start the postgresql
|
|
service. If you have come to depend on this behaviour then you
|
|
can preserve the behavior with the following configuration:
|
|
<literal>systemd.services.httpd.after = [ "postgresql.service" ];</literal>
|
|
</para>
|
|
<para>
|
|
The option <literal>services.httpd.extraSubservices</literal>
|
|
has been marked as deprecated. You may still use this feature,
|
|
but it will be removed in a future release of NixOS. You are
|
|
encouraged to convert any httpd subservices you may have
|
|
written to a full NixOS module.
|
|
</para>
|
|
<para>
|
|
Most of the httpd subservices packaged with NixOS have been
|
|
replaced with full NixOS modules including LimeSurvey,
|
|
WordPress, and Zabbix. These modules can be enabled using the
|
|
<literal>services.limesurvey.enable</literal>,
|
|
<literal>services.mediawiki.enable</literal>,
|
|
<literal>services.wordpress.enable</literal>, and
|
|
<literal>services.zabbixWeb.enable</literal> options.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The option
|
|
<literal>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnlink</literal>
|
|
was renamed to
|
|
<literal>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnLink</literal>
|
|
(capital <literal>L</literal>). This follows
|
|
<link xlink:href="https://github.com/systemd/systemd/commit/9cb8c5593443d24c19e40bfd4fc06d672f8c554c">
|
|
upstream's renaming</link> of the setting.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
As of this release the NixOps feature
|
|
<literal>autoLuks</literal> is deprecated. It no longer works
|
|
with our systemd version without manual intervention.
|
|
</para>
|
|
<para>
|
|
Whenever the usage of the module is detected the evaluation
|
|
will fail with a message explaining why and how to deal with
|
|
the situation.
|
|
</para>
|
|
<para>
|
|
A new knob named
|
|
<literal>nixops.enableDeprecatedAutoLuks</literal> has been
|
|
introduced to disable the eval failure and to acknowledge the
|
|
notice was received and read. If you plan on using the feature
|
|
please note that it might break with subsequent updates.
|
|
</para>
|
|
<para>
|
|
Make sure you set the <literal>_netdev</literal> option for
|
|
each of the file systems referring to block devices provided
|
|
by the autoLuks module. Not doing this might render the system
|
|
in a state where it doesn't boot anymore.
|
|
</para>
|
|
<para>
|
|
If you are actively using the <literal>autoLuks</literal>
|
|
module please let us know in
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/62211">issue
|
|
#62211</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The setopt declarations will be evaluated at the end of
|
|
<literal>/etc/zshrc</literal>, so any code in
|
|
<link xlink:href="options.html#opt-programs.zsh.interactiveShellInit">programs.zsh.interactiveShellInit</link>,
|
|
<link xlink:href="options.html#opt-programs.zsh.loginShellInit">programs.zsh.loginShellInit</link>
|
|
and
|
|
<link xlink:href="options.html#opt-programs.zsh.promptInit">programs.zsh.promptInit</link>
|
|
may break if it relies on those options being set.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>prometheus-nginx-exporter</literal> package now
|
|
uses the official exporter provided by NGINX Inc. Its metrics
|
|
are differently structured and are incompatible to the old
|
|
ones. For information about the metrics, have a look at the
|
|
<link xlink:href="https://github.com/nginxinc/nginx-prometheus-exporter">official
|
|
repo</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>shibboleth-sp</literal> package has been updated
|
|
to version 3. It is largely backward compatible; for further
|
|
information refer to the
|
|
<link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes">release
|
|
notes</link> and
|
|
<link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2">upgrade
|
|
guide</link>.
|
|
</para>
|
|
<para>
|
|
Node.js 8 is scheduled to reach EOL during the lifetime of 19.09 and has
|
|
been dropped.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
By default, prometheus exporters are now run with
|
|
<literal>DynamicUser</literal> enabled. Exporters that need a
|
|
real user now run under a separate user and group which
|
|
follow the pattern
|
|
<literal>&lt;exporter-name&gt;-exporter</literal>, instead of
|
|
the previous default <literal>nobody</literal> and
|
|
<literal>nogroup</literal>. Only some exporters are affected
|
|
by the latter, namely the exporters
|
|
<literal>dovecot</literal>, <literal>node</literal>,
|
|
<literal>postfix</literal> and <literal>varnish</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>ibus-qt</literal> package is not installed by
|
|
default anymore when
|
|
<link xlink:href="options.html#opt-i18n.inputMethod.enabled">i18n.inputMethod.enabled</link>
|
|
is set to <literal>ibus</literal>. If IBus support in Qt 4.x
|
|
applications is required, add the <literal>ibus-qt</literal>
|
|
package to your
|
|
<link xlink:href="options.html#opt-environment.systemPackages">environment.systemPackages</link>
|
|
manually.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The CUPS Printing service now uses socket-based activation by
|
|
default, only starting when needed. The previous behavior can
|
|
be restored by setting
|
|
<literal>services.cups.startWhenNeeded</literal> to
|
|
<literal>false</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>services.systemhealth</literal> module has been
|
|
removed from nixpkgs due to lack of maintainer.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>services.mantisbt</literal> module has been
|
|
removed from nixpkgs due to lack of maintainer.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Squid 3 has been removed and the <literal>squid</literal>
|
|
derivation now refers to Squid 4.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>services.pdns-recursor.extraConfig</literal>
|
|
option has been replaced by
|
|
<literal>services.pdns-recursor.settings</literal>. The new
|
|
option allows setting extra configuration while being better
|
|
type-checked and mergeable.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
No service depends on <literal>keys.target</literal> anymore
|
|
which is a systemd target that indicates if all
|
|
<link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps
|
|
keys</link> were successfully uploaded. Instead,
|
|
<literal>&lt;key-name&gt;-key.service</literal> should be used
|
|
to define a dependency of a key in a service. The full issue
|
|
behind the <literal>keys.target</literal> dependency is
|
|
described at
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>.
|
|
</para>
|
|
<para>
|
|
The following services are affected by this:
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<link xlink:href="options.html#opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<link xlink:href="options.html#opt-services.nsd.enable"><literal>services.nsd</literal></link>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<link xlink:href="options.html#opt-services.softether.enable"><literal>services.softether</literal></link>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<link xlink:href="options.html#opt-services.strongswan.enable"><literal>services.strongswan</literal></link>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<link xlink:href="options.html#opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<link xlink:href="options.html#opt-services.httpd.enable"><literal>services.httpd</literal></link>
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>security.acme.directory</literal> option has been
|
|
replaced by a read-only
|
|
<literal>security.acme.certs.&lt;cert&gt;.directory</literal>
|
|
option for each certificate you define. This will be a
|
|
subdirectory of <literal>/var/lib/acme</literal>. You can use
|
|
this read-only option to figure out where the certificates are
|
|
stored for a specific certificate. For example, the
|
|
<literal>services.nginx.virtualhosts.&lt;name&gt;.enableACME</literal>
|
|
option will use this directory option to find the certs for
|
|
the virtual host.
|
|
</para>
|
|
<para>
|
|
<literal>security.acme.preDelay</literal> and
|
|
<literal>security.acme.activationDelay</literal> options have
|
|
been removed. To execute a service before certificates are
|
|
provisioned or renewed add a
|
|
<literal>RequiredBy=acme-${cert}.service</literal> to any
|
|
service.
|
|
</para>
|
|
<para>
|
|
Furthermore, the acme module will not automatically add a
|
|
dependency on <literal>lighttpd.service</literal> anymore. If
|
|
you are using certificates provided by letsencrypt for
|
|
lighttpd, then you should depend on the certificate service
|
|
<literal>acme-${cert}.service</literal> manually.
|
|
</para>
|
|
<para>
|
|
For nginx, the dependencies are still automatically managed
|
|
when
|
|
<literal>services.nginx.virtualhosts.&lt;name&gt;.enableACME</literal>
|
|
is enabled just like before. What changed is that nginx now
|
|
directly depends on the specific certificates that it needs,
|
|
instead of depending on the catch-all
|
|
<literal>acme-certificates.target</literal>. This target unit
|
|
was also removed from the codebase. This will mean nginx will
|
|
no longer depend on certificates it isn't explicitly managing
|
|
and fixes a bug with certificate renewal ordering racing with
|
|
nginx restarting which could lead to nginx getting in a broken
|
|
state as described at
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/60180">NixOS/nixpkgs#60180</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The old deprecated <literal>emacs</literal> package sets have
|
|
been dropped. What used to be called
|
|
<literal>emacsPackagesNg</literal> is now simply called
|
|
<literal>emacsPackages</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>services.xserver.desktopManager.xterm</literal> is
|
|
now disabled by default if <literal>stateVersion</literal> is
|
|
19.09 or higher. Previously the xterm desktopManager was
|
|
enabled when xserver was enabled, but it isn't useful for all
|
|
people so it didn't make sense to have any desktopManager
|
|
enabled by default.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The WeeChat plugin
|
|
<literal>pkgs.weechatScripts.weechat-xmpp</literal> has been
|
|
removed as it doesn't receive any updates from upstream and
|
|
depends on outdated Python2-based modules.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Old unsupported versions (<literal>logstash5</literal>,
|
|
<literal>kibana5</literal>, <literal>filebeat5</literal>,
|
|
<literal>heartbeat5</literal>, <literal>metricbeat5</literal>,
|
|
<literal>packetbeat5</literal>) of the ELK-stack and Elastic
|
|
beats have been removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
For NixOS 19.03, both Prometheus 1 and 2 were available to
|
|
allow for a seamless transition from version 1 to 2 with
|
|
existing setups. Because Prometheus 1 is no longer developed,
|
|
it was removed. Prometheus 2 is now configured with
|
|
<literal>services.prometheus</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Citrix Receiver (<literal>citrix_receiver</literal>) has been
|
|
dropped in favor of Citrix Workspace
|
|
(<literal>citrix_workspace</literal>).
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>services.gitlab</literal> module has had its
|
|
literal secret options
|
|
(<literal>services.gitlab.smtp.password</literal>,
|
|
<literal>services.gitlab.databasePassword</literal>,
|
|
<literal>services.gitlab.initialRootPassword</literal>,
|
|
<literal>services.gitlab.secrets.secret</literal>,
|
|
<literal>services.gitlab.secrets.db</literal>,
|
|
<literal>services.gitlab.secrets.otp</literal> and
|
|
<literal>services.gitlab.secrets.jws</literal>) replaced by
|
|
file-based versions
|
|
(<literal>services.gitlab.smtp.passwordFile</literal>,
|
|
<literal>services.gitlab.databasePasswordFile</literal>,
|
|
<literal>services.gitlab.initialRootPasswordFile</literal>,
|
|
<literal>services.gitlab.secrets.secretFile</literal>,
|
|
<literal>services.gitlab.secrets.dbFile</literal>,
|
|
<literal>services.gitlab.secrets.otpFile</literal> and
|
|
<literal>services.gitlab.secrets.jwsFile</literal>). This was
|
|
done so that secrets aren't stored in the world-readable nix
|
|
store, but means that for each option you'll have to create a
|
|
file with the same exact string, add "File" to the
|
|
end of the option name, and change the definition to a string
|
|
pointing to the corresponding file; e.g.
|
|
<literal>services.gitlab.databasePassword = "supersecurepassword"</literal>
|
|
becomes
|
|
<literal>services.gitlab.databasePasswordFile = "/path/to/secret_file"</literal>
|
|
where the file <literal>secret_file</literal> contains the
|
|
string <literal>supersecurepassword</literal>.
|
|
</para>
|
|
<para>
|
|
The state path (<literal>services.gitlab.statePath</literal>)
|
|
now has the following restriction: no parent directory can be
|
|
owned by any other user than <literal>root</literal> or the
|
|
user specified in <literal>services.gitlab.user</literal>;
|
|
i.e. if <literal>services.gitlab.statePath</literal> is set to
|
|
<literal>/var/lib/gitlab/state</literal>,
|
|
<literal>gitlab</literal> and all parent directories must be
|
|
owned by either <literal>root</literal> or the user specified
|
|
in <literal>services.gitlab.user</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>networking.useDHCP</literal> option is
|
|
unsupported in combination with
|
|
<literal>networking.useNetworkd</literal> in anticipation of
|
|
defaulting to it. It has to be set to <literal>false</literal>
|
|
and enabled per interface with
|
|
<literal>networking.interfaces.&lt;name&gt;.useDHCP = true;</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The Twitter client <literal>corebird</literal> has been
|
|
dropped as
|
|
<link xlink:href="https://www.patreon.com/posts/corebirds-future-18921328">it
|
|
is discontinued and does not work against the new Twitter
|
|
API</link>. Please use the fork <literal>cawbird</literal>
|
|
instead which has been adapted to the API changes and is still
|
|
maintained.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>nodejs-11_x</literal> package has been removed as
|
|
it's EOLed by upstream.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Because of the systemd upgrade, systemd-timesyncd will no
|
|
longer work if <literal>system.stateVersion</literal> is not
|
|
set correctly. When upgrading from NixOS 19.03, please make
|
|
sure that <literal>system.stateVersion</literal> is set to
|
|
<literal>"19.03"</literal>, or lower if the
|
|
installation dates back to an earlier version of NixOS.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Due to the short lifetime of non-LTS kernel releases, package
|
|
attributes like <literal>linux_5_1</literal>,
|
|
<literal>linux_5_2</literal> and <literal>linux_5_3</literal>
|
|
have been removed to discourage dependence on specific non-LTS
|
|
kernel versions in stable NixOS releases. Going forward,
|
|
versioned attributes like <literal>linux_4_9</literal> will
|
|
exist for LTS versions only. Please use
|
|
<literal>linux_latest</literal> or
|
|
<literal>linux_testing</literal> if you depend on non-LTS
|
|
releases. Keep in mind that <literal>linux_latest</literal>
|
|
and <literal>linux_testing</literal> will change versions
|
|
under the hood during the lifetime of a stable release and
|
|
might include breaking changes.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Because of the systemd upgrade, some network interfaces might
|
|
change their name. For details see
|
|
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html#History">
|
|
upstream docs</link> or
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/71086">
|
|
our ticket</link>.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
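The ownership rule for services.gitlab.statePath described in the GitLab item above can be checked before upgrading. The following is an added example, not code from NixOS or the GitLab module: it walks every parent directory of the state path and reports those owned by someone other than root or the GitLab user. The function names, the constructed owner table and the default user name gitlab are assumptions made for the illustration.

```python
"""Added example: check the services.gitlab.statePath parent-ownership rule."""
import os
import pwd
import sys
from pathlib import PurePosixPath

# Constructed sample (not from a real host): directory -> owner name.
SAMPLE_OWNERS = {
    "/": "root",
    "/srv": "root",
    "/srv/data": "alice",          # violates the rule
    "/srv/data/gitlab": "gitlab",
}


def parent_dirs(state_path):
    """Return every parent directory of state_path, nearest first, ending at '/'."""
    path = PurePosixPath(os.path.normpath(state_path))
    if not path.is_absolute():
        raise ValueError("statePath must be an absolute path: %r" % (state_path,))
    return [str(parent) for parent in path.parents]


def owner_on_disk(directory):
    """Owner name of a directory on this machine, or None if it does not exist."""
    try:
        uid = os.stat(directory).st_uid
    except FileNotFoundError:
        return None                 # not created yet, nothing to check
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)             # uid without a passwd entry


def offending_parents(state_path, gitlab_user, owner_of=owner_on_disk):
    """List (directory, owner) for parents not owned by root or gitlab_user.

    owner_of is injectable so the check can be exercised against a table
    such as SAMPLE_OWNERS instead of the live file system.
    """
    allowed = {"root", gitlab_user}
    offenders = []
    for directory in parent_dirs(state_path):
        owner = owner_of(directory)
        if owner is not None and owner not in allowed:
            offenders.append((directory, owner))
    return offenders


if __name__ == "__main__":
    # Usage: script.py [statePath] [gitlab user]; both defaults are assumptions.
    state_path = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/gitlab/state"
    gitlab_user = sys.argv[2] if len(sys.argv) > 2 else "gitlab"
    bad = offending_parents(state_path, gitlab_user)
    for directory, owner in bad:
        print("%s is owned by %s" % (directory, owner))
    sys.exit(1 if bad else 0)
```

Run it with the values of services.gitlab.statePath and services.gitlab.user as arguments; a non-zero exit status means at least one parent directory has to be re-owned first.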
|
|
</section>
|
|
<section xml:id="sec-release-19.09-notable-changes">
|
|
<title>Other Notable Changes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The <literal>documentation</literal> module gained an option
|
|
named <literal>documentation.nixos.includeAllModules</literal>
|
|
which makes the generated configuration.nix(5) manual page
|
|
include all options from all NixOS modules included in a given
|
|
<literal>configuration.nix</literal> configuration file.
|
|
Currently, it is set to <literal>false</literal> by default as
|
|
enabling it frequently prevents evaluation. But the plan is to
|
|
eventually have it set to <literal>true</literal> by default.
|
|
Please set it to <literal>true</literal> now in your
|
|
<literal>configuration.nix</literal> and fix all the bugs it
|
|
uncovers.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>vlc</literal> package gained support for
|
|
Chromecast streaming, enabled by default. TCP port 8010 must
|
|
be open for it to work, so something like
|
|
<literal>networking.firewall.allowedTCPPorts = [ 8010 ];</literal>
|
|
may be required in your configuration. Also consider enabling
|
|
<link xlink:href="https://nixos.wiki/wiki/Accelerated_Video_Playback">
|
|
Accelerated Video Playback</link> for better transcoding
|
|
performance.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
<para>
The following changes apply if the
<literal>stateVersion</literal> is changed to 19.09 or higher.
For <literal>stateVersion = "19.03"</literal> or
lower the old behavior is preserved.
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
<literal>solr.package</literal> defaults to
<literal>pkgs.solr_8</literal>.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>hunspellDicts.fr-any</literal> dictionary now
ships with <literal>fr_FR.{aff,dic}</literal> which is linked
to <literal>fr-toutesvariantes.{aff,dic}</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>mysql</literal> service now runs as the
<literal>mysql</literal> user. Previously, systemd executed
it as root, and mysql dropped privileges itself. This includes
the <literal>ExecStartPre=</literal> and
<literal>ExecStartPost=</literal> phases. To accomplish that,
runtime and data directory setup was delegated to
RuntimeDirectory and tmpfiles.
</para>
</listitem>
<listitem>
<para>
With the upgrade to systemd version 242 the
<literal>systemd-timesyncd</literal> service is no longer
using <literal>DynamicUser=yes</literal>. In order for the
upgrade to work we rely on an activation script to move the
state from the old to the new directory. The older directory
(prior to <literal>19.09</literal>) was
<literal>/var/lib/private/systemd/timesync</literal>.
</para>
<para>
As long as the <literal>system.config.stateVersion</literal>
is below <literal>19.09</literal> the state folder will be
migrated to its proper location
(<literal>/var/lib/systemd/timesync</literal>), if required.
</para>
</listitem>
<listitem>
<para>
The package <literal>avahi</literal> is now built to look up
service definitions from
<literal>/etc/avahi/services</literal> instead of its output
directory in the nix store. Accordingly the module
<literal>avahi</literal> now supports custom service
definitions via
<literal>services.avahi.extraServiceFiles</literal>, which are
then placed in the aforementioned directory. See
avahi.service(5) for more information on custom service
definitions.
</para>
</listitem>
<listitem>
<para>
Since version 0.1.19, <literal>cargo-vendor</literal> honors
package includes that are specified in the
<literal>Cargo.toml</literal> file of Rust crates.
<literal>rustPlatform.buildRustPackage</literal> uses
<literal>cargo-vendor</literal> to collect and build dependent
crates. Since this change in <literal>cargo-vendor</literal>
changes the set of vendored files for most Rust packages, the
hash that is used to verify the dependencies,
<literal>cargoSha256</literal>, also changes.
</para>
<para>
The <literal>cargoSha256</literal> hashes of all in-tree
derivations that use <literal>buildRustPackage</literal> have
been updated to reflect this change. However, third-party
derivations that use <literal>buildRustPackage</literal> may
have to be updated as well.
</para>
</listitem>
<listitem>
<para>
The <literal>consul</literal> package was upgraded past
version <literal>1.5</literal>, so its deprecated legacy UI is
no longer available.
</para>
</listitem>
<listitem>
<para>
The default resample-method for PulseAudio has been changed
from the upstream default <literal>speex-float-1</literal> to
<literal>speex-float-5</literal>. Be aware that low-powered
ARM-based and MIPS-based boards will struggle with this so
you'll need to set
<literal>hardware.pulseaudio.daemon.config.resample-method</literal>
back to <literal>speex-float-1</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>phabricator</literal> package and associated
<literal>httpd.extraSubservice</literal>, as well as the
<literal>phd</literal> service have been removed from nixpkgs
due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <literal>mercurial</literal>
<literal>httpd.extraSubservice</literal> has been removed from
nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <literal>trac</literal>
<literal>httpd.extraSubservice</literal> has been removed from
nixpkgs because it was unmaintained.
</para>
</listitem>
<listitem>
<para>
The <literal>foswiki</literal> package and associated
<literal>httpd.extraSubservice</literal> have been removed
from nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <literal>tomcat-connector</literal>
<literal>httpd.extraSubservice</literal> has been removed from
nixpkgs.
</para>
</listitem>
<listitem>
<para>
It's now possible to change configuration in
<link xlink:href="options.html#opt-services.nextcloud.enable">services.nextcloud</link>
after the initial deploy since all config parameters are
persisted in an additional config file generated by the
module. Previously core configuration like database parameters
were set using their imperative installer after creating
<literal>/var/lib/nextcloud</literal>.
</para>
</listitem>
<listitem>
<para>
There is now <literal>lib.forEach</literal>, which is like
<literal>map</literal>, but with arguments flipped. When
the body of a mapping function spans many lines (or has nested
<literal>map</literal>s), it is often hard to follow which
list is modified.
</para>
<para>
The previous solution to this problem was either to use the
<literal>lib.flip map</literal> idiom or to extract that
anonymous mapping function to a named one. Both can still be
used but <literal>lib.forEach</literal> is preferred over
<literal>lib.flip map</literal>.
</para>
<para>
The <literal>/etc/sysctl.d/nixos.conf</literal> file
containing all the options set via
<link xlink:href="options.html#opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
was moved to <literal>/etc/sysctl.d/60-nixos.conf</literal>,
as sysctl.d(5) recommends prefixing all filenames in
<literal>/etc/sysctl.d</literal> with a two-digit number and a
dash to simplify the ordering of the files.
</para>
</listitem>
<listitem>
<para>
We now install the sysctl snippets shipped with systemd.
</para>
<itemizedlist>
<listitem>
<para>
Loose reverse path filtering
</para>
</listitem>
<listitem>
<para>
Source route filtering
</para>
</listitem>
<listitem>
<para>
<literal>fq_codel</literal> as a packet scheduler (this
helps to fight bufferbloat)
</para>
</listitem>
</itemizedlist>
<para>
This also configures the kernel to pass core dumps to
<literal>systemd-coredump</literal>, and restricts the SysRq
key combinations to the sync command only. These sysctl
snippets can be found in
<literal>/etc/sysctl.d/50-*.conf</literal>, and overridden via
<link xlink:href="options.html#opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
(which will place the parameters in
<literal>/etc/sysctl.d/60-nixos.conf</literal>).
</para>
</listitem>
<listitem>
<para>
Core dumps are now processed by
<literal>systemd-coredump</literal> by default.
<literal>systemd-coredump</literal> behaviour can still be
modified via <literal>systemd.coredump.extraConfig</literal>.
To stick to the old behaviour (having the kernel dump to a
file called <literal>core</literal> in the working directory),
without piping it through <literal>systemd-coredump</literal>,
set <literal>systemd.coredump.enable</literal> to
<literal>false</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>systemd.packages</literal> option now also supports
generators and shutdown scripts. The old
<literal>systemd.generator-packages</literal> option has been
removed.
</para>
</listitem>
<listitem>
<para>
The <literal>rmilter</literal> package was removed with its
associated module and options due to deprecation by the upstream
developer. Use <literal>rspamd</literal> in proxy mode
instead.
</para>
</listitem>
<listitem>
<para>
systemd cgroup accounting via the
<link xlink:href="options.html#opt-systemd.enableCgroupAccounting">systemd.enableCgroupAccounting</link>
option is now enabled by default. It now also enables the more
recent Block IO and IP accounting features.
</para>
</listitem>
<listitem>
<para>
We no longer enable custom font rendering settings with
<literal>fonts.fontconfig.penultimate.enable</literal> by
default. The defaults from fontconfig are sufficient.
</para>
</listitem>
<listitem>
<para>
The <literal>crashplan</literal> package and the
<literal>crashplan</literal> service have been removed from
nixpkgs due to crashplan shutting down the service, while the
<literal>crashplansb</literal> package and
<literal>crashplan-small-business</literal> service have been
removed from nixpkgs due to lack of maintainer.
</para>
<para>
The
<link xlink:href="options.html#opt-services.redis.enable">redis
module</link> was hardcoded to use the
<literal>redis</literal> user, <literal>/run/redis</literal>
as runtime directory and <literal>/var/lib/redis</literal> as
state directory. Note that the NixOS module for Redis now
disables kernel support for Transparent Huge Pages (THP),
because this feature causes major performance problems for
Redis; see e.g. https://redis.io/topics/latency.
</para>
</listitem>
<listitem>
<para>
Using <literal>fonts.enableDefaultFonts</literal> adds a
default emoji font <literal>noto-fonts-emoji</literal>.
</para>
<itemizedlist>
<listitem>
<para>
<literal>services.xserver.enable</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs.sway.enable</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs.way-cooler.enable</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.xrdp.enable</literal>
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>altcoins</literal> categorization of packages has
been removed. You now access these packages at the top level,
i.e. <literal>nix-shell -p dogecoin</literal> instead of
<literal>nix-shell -p altcoins.dogecoin</literal>, etc.
</para>
</listitem>
<listitem>
<para>
Ceph has been upgraded to v14.2.1. See the
<link xlink:href="https://ceph.com/releases/v14-2-0-nautilus-released/">release
notes</link> for details. The mgr dashboard as well as osds
backed by loop-devices are no longer explicitly supported by
the package and module. Note: There have been some issues with
python-cherrypy, which is used by the dashboard and prometheus
mgr modules (and possibly others), hence
<literal>0000-dont-check-cherrypy-version.patch</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>pkgs.weechat</literal> is now compiled against
<literal>pkgs.python3</literal>. Weechat also
<link xlink:href="https://weechat.org/scripts/python3/">recommends
using Python 3 in their docs</link>.
</para>
</listitem>
</itemizedlist>
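The ordering described above for /etc/sysctl.d (the systemd snippets in 50-*.conf, then the boot.kernel.sysctl values in 60-nixos.conf) can be checked with a small resolver. This is an added example, not part of the NixOS release notes or of nixpkgs; the snippet contents are constructed, and it assumes a single directory whose files are applied in lexical order with the last assignment winning.

```python
# Added example: resolve effective sysctl values from sysctl.d-style snippets.
# The snippet contents are constructed to mirror the settings named in the notes.
SNIPPETS = {
    "50-default.conf": """
# constructed stand-in for the snippets shipped with systemd
kernel.sysrq = 16
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.all.accept_source_route = 0
net.core.default_qdisc = fq_codel
""",
    "50-coredump.conf": """
kernel.core_pattern=|/path/to/systemd-coredump %P %u %g %s %t %c %h
""",
    "60-nixos.conf": """
; constructed stand-in for values set through boot.kernel.sysctl
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 0
""",
}


def parse_snippet(text):
    """Yield (key, value) pairs; lines starting with '#' or ';' are comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:  # skip anything that is not an assignment
            yield key.strip(), value.strip()


def effective(snippets):
    """Apply files in lexical filename order; a later file overrides an earlier one."""
    result = {}
    for name in sorted(snippets):
        for key, value in parse_snippet(snippets[name]):
            result[key] = (value, name)
    return result


def overridden(snippets, baseline_prefix="50-"):
    """Map key -> (baseline value, final value, final file) for overridden keys."""
    base = {}
    for name in sorted(snippets):
        if name.startswith(baseline_prefix):
            base.update(parse_snippet(snippets[name]))
    return {key: (base[key], value, src)
            for key, (value, src) in effective(snippets).items()
            if key in base and not src.startswith(baseline_prefix)}
```

In the constructed 60-nixos.conf, reverse path filtering is tightened from loose (2) to strict (1) and SysRq is disabled entirely (0 instead of 16, which allows only sync); overridden() reports exactly those two keys.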
</section>
</section>