The problem behind this is that the hardened patchset[1]. Quite recently this led to a weird problem when Linux 5.12 was dropped (and thus had to be removed from `nixpkgs`), there were no patches for 5.13, so `linuxPackages_hardened_latest` had to be downgraded to 5.10 as base[2] which may be rather unintuitive and unexpected. To avoid these kind of "silent downgrades" in the future, it makes sense to drop the attribute entirely. If somebody wants to use a hardened kernel, it's better to explicitly pin it using the newly introduced versioned attributes, e.g. `linuxPackages_4_14_hardened`. [1] https://github.com/anthraxx/linux-hardened/ [2] https://github.com/NixOS/nixpkgs/pull/133587
14 KiB
Release 21.11 (“?”, 2021.11/??)
In addition to numerous new and upgraded packages, this release has the following highlights:
- Support is planned until the end of June 2022, handing over to 22.05.
Highlights
-
PHP now defaults to PHP 8.0, updated from 7.4.
-
kOps now defaults to 1.21.0, which uses containerd as the default runtime.
-
python3
now defaults to Python 3.9, updated from Python 3.8. -
PostgreSQL now defaults to major version 13.
New Services
-
btrbk, a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations. Available as services.btrbk.
-
clipcat, an X11 clipboard manager written in Rust. Available at [services.clipcat](options.html#o pt-services.clipcat.enable).
-
geoipupdate, a GeoIP database updater from MaxMind. Available as services.geoipupdate.
-
Kea, ISCs 2nd generation DHCP and DDNS server suite. Available at services.kea.
-
sourcehut, a collection of tools useful for software development. Available as services.sourcehut.
-
ucarp, an userspace implementation of the Common Address Redundancy Protocol (CARP). Available as networking.ucarp.
-
Users of flashrom should migrate to programs.flashrom.enable and add themselves to the
flashrom
group to be able to access programmers supported by flashrom. -
vikunja, a to-do list app. Available as services.vikunja.
-
snapraid, a backup program for disk arrays. Available as snapraid.
-
Hockeypuck, a OpenPGP Key Server. Available as services.hockeypuck.
-
buildkite-agent-metrics, a command-line tool for collecting Buildkite agent metrics, now has a Prometheus exporter available as services.prometheus.exporters.buildkite-agent.
-
influxdb-exporter a Prometheus exporter that exports metrics received on an InfluxDB compatible endpoint is now available as services.prometheus.exporters.influxdb.
-
mx-puppet-discord, a discord puppeting bridge for matrix. Available as services.mx-puppet-discord.
-
MeshCentral, a remote administration service ("TeamViewer but self-hosted and with more features") is now available with a package and a module: services.meshcentral.enable
-
moonraker, an API web server for Klipper. Available as moonraker.
-
influxdb2, a Scalable datastore for metrics, events, and real-time analytics. Available as services.influxdb2.
-
isso, a commenting server similar to Disqus. Available as isso
Backward Incompatibilities
-
The
staticjinja
package has been upgraded from 1.0.4 to 3.0.1 -
The
erigon
ethereum node has moved to a new database format in2021-05-04
, and requires a full resync -
services.geoip-updater
was broken and has been replaced by services.geoipupdate. -
PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release.
-
Those making use of
buildBazelPackage
will need to regenerate the fetch hashes (preferred), or setfetchConfigured = false;
. -
consul
was upgraded to a new major release with breaking changes, see upstream changelog. -
fsharp41 has been removed in preference to use the latest dotnet-sdk
-
The following F#-related packages have been removed for being unmaintaned. Please use
fetchNuGet
for specific packages.- ExtCore
- Fake
- Fantomas
- FsCheck
- FsCheck262
- FsCheckNunit
- FSharpAutoComplete
- FSharpCompilerCodeDom
- FSharpCompilerService
- FSharpCompilerTools
- FSharpCore302
- FSharpCore3125
- FSharpCore4001
- FSharpCore4117
- FSharpData
- FSharpData225
- FSharpDataSQLProvider
- FSharpFormatting
- FsLexYacc
- FsLexYacc706
- FsLexYaccRuntime
- FsPickler
- FsUnit
- Projekt
- Suave
- UnionArgParser
- ExcelDnaRegistration
- MathNetNumerics
-
programs.x2goserver
is nowservices.x2goserver
-
The following dotnet-related packages have been removed for being unmaintaned. Please use
fetchNuGet
for specific packages.- Autofac
- SystemValueTuple
- MicrosoftDiaSymReader
- MicrosoftDiaSymReaderPortablePdb
- SystemCollectionsImmutable
- SystemCollectionsImmutable131
- SystemReflectionMetadata
- NUnit350
- Deedle
- ExcelDna
- GitVersionTree
- NDeskOptions
-
The
antlr
package now defaults to the 4.x release instead of the old 2.7.7 version. -
The
pulseeffects
package updated to version 4.x and renamed toeasyeffects
. -
The
libwnck
package now defaults to the 3.x release instead of the old 2.31.0 version. -
The
bitwarden_rs
packages and modules were renamed tovaultwarden
following upstream. More specifically,-
pkgs.bitwarden_rs
,pkgs.bitwarden_rs-sqlite
,pkgs.bitwarden_rs-mysql
andpkgs.bitwarden_rs-postgresql
were renamed topkgs.vaultwarden
,pkgs.vaultwarden-sqlite
,pkgs.vaultwarden-mysql
andpkgs.vaultwarden-postgresql
, respectively.- Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
- The
bitwarden_rs
executable was also renamed tovaultwarden
in all packages.
-
pkgs.bitwarden_rs-vault
was renamed topkgs.vaultwarden-vault
.pkgs.bitwarden_rs-vault
is preserved as an alias for backwards compatibility, but may be removed in the future.- The static files were moved from
/usr/share/bitwarden_rs
to/usr/share/vaultwarden
.
-
The
services.bitwarden_rs
config module was renamed toservices.vaultwarden
.services.bitwarden_rs
is preserved as an alias for backwards compatibility, but may be removed in the future.
-
systemd.services.bitwarden_rs
,systemd.services.backup-bitwarden_rs
andsystemd.timers.backup-bitwarden_rs
were renamed tosystemd.services.vaultwarden
,systemd.services.backup-vaultwarden
andsystemd.timers.backup-vaultwarden
, respectively.- Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
-
users.users.bitwarden_rs
andusers.groups.bitwarden_rs
were renamed tousers.users.vaultwarden
andusers.groups.vaultwarden
, respectively. -
The data directory remains located at
/var/lib/bitwarden_rs
, for backwards compatibility.
-
-
yggdrasil
was upgraded to a new major release with breaking changes, see upstream changelog. -
icingaweb2
was upgraded to a new release which requires a manual database upgrade, see upstream changelog. -
The
isabelle
package has been upgraded from 2020 to 2021 -
the
mingw-64
package has been upgraded from 6.0.0 to 9.0.0 -
tt-rss
was upgraded to the commit on 2021-06-21, which has breaking changes. If you useservices.tt-rss.extraConfig
you should migrate to theputenv
-style configuration. See this Discourse post in the tt-rss forums for more details. -
The following Visual Studio Code extensions were renamed to keep the naming convention uniform.
bbenoist.Nix
->bbenoist.nix
CoenraadS.bracket-pair-colorizer
->coenraads.bracket-pair-colorizer
golang.Go
->golang.go
-
services.uptimed
now uses/var/lib/uptimed
as its stateDirectory instead of/var/spool/uptimed
. Make sure to move all files to the new directory. -
Deprecated package aliases in
emacs.pkgs.*
have been removed. These aliases were remnants of the old Emacs package infrastructure. We now use exact upstream names wherever possible. -
programs.neovim.runtime
switched to alinkFarm
internally, making it impossible to use wildcards in thesource
argument. -
The
openrazer
andopenrazer-daemon
packages as well as thehardware.openrazer
module now require users to be members of theopenrazer
group instead ofplugdev
. With this change, users no longer need be granted the entire set ofplugdev
group permissions, which can include permissions other than those required byopenrazer
. This is desirable from a security point of view. The settingharware.openrazer.users
can be used to add users to theopenrazer
group. -
The
yambar
package has been split intoyambar
andyambar-wayland
, corresponding to the xorg and wayland backend respectively. Please switch toyambar-wayland
if you are on wayland. -
The
services.minio
module gained an additional optionconsoleAddress
, that configures the address and port the web UI is listening, it defaults to:9001
. To be able to access the web UI this port needs to be opened in the firewall. -
The
varnish
package was upgraded from 6.3.x to 6.5.x.varnish60
for the last LTS release is also still available. -
The
kubernetes
package was upgraded to 1.22. Thekubernetes.apiserver.kubeletHttps
option was removed and HTTPS is always used. -
The attribute
linuxPackages_latest_hardened
was dropped because the hardened patches lag behind the upstream kernel which made version bumps harder. If you want to use a hardened kernel, please pin it explicitly with a versioned attribute such aslinuxPackages_5_10_hardened
.
Other Notable Changes
-
The setting
services.openssh.logLevel
"VERBOSE"
"INFO"
. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.However, if
services.fail2ban.enable
istrue
, thefail2ban
will override the verbosity to"VERBOSE"
, so thatfail2ban
can observe the failed login attempts from the SSH logs. -
Sway: The terminal emulator
rxvt-unicode
is no longer installed by default viaprograms.sway.extraPackages
. The current default configuration usesalacritty
(and soonfoot
) so this is only an issue when using a customized configuration and not installingrxvt-unicode
explicitly. -
python3
now defaults to Python 3.9. Python 3.9 introduces many deprecation warnings, please look at the What's New In Python 3.9 post for more information. -
The
claws-mail
package now references the new GTK+ 3 release branch, major version 4. To use the GTK+ 2 releases, one can install theclaws-mail-gtk2
package. -
The wordpress module provides a new interface which allows to use different webservers with the new option
services.wordpress.webserver
. Currentlyhttpd
andnginx
are supported. The definitions of wordpress sites should now be set inservices.wordpress.sites
.Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.
-
The order of NSS (host) modules has been brought in line with upstream recommendations:
- The
myhostname
module is placed before theresolve
(optional) anddns
entries, but afterfile
(to allow overriding via/etc/hosts
/networking.extraHosts
, and prevent ISPs with catchall-DNS resolvers from hijacking.localhost
domains) - The
mymachines
module, which provides hostname resolution for local containers (registered withsystemd-machined
) is placed to the front, to make sure its mappings are preferred over other resolvers. - If systemd-networkd is enabled, the
resolve
module is placed beforefiles
andmyhostname
, as it provides the same logic internally, with caching. - The
mdns(_minimal)
module has been updated to the new priorities.
If you use your own NSS host modules, make sure to update your priorities according to these rules:
- NSS modules which should be queried before
resolved
DNS resolution should use mkBefore. - NSS modules which should be queried after
resolved
,files
andmyhostname
, but beforedns
should use the default priority - NSS modules which should come after
dns
should use mkAfter.
- The
-
The networking.wireless.iwd module has a new networking.wireless.iwd.settings option.
-
The services.syncoid.enable module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn't clean up after execution. You can manually look this up for your pools by running
zfs allow your-pool-name
and usezfs unallow syncoid your-pool-name
to clean this up. -
Zfs:
latestCompatibleLinuxPackages
is now exported on the zfs package. One can useboot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
to always track the latest compatible kernel with a given version of zfs. -
Nginx will use the value of
sslTrustedCertificate
if provided for a virtual host, even ifenableACME
is set. This is useful for providers not using the same certificate to sign OCSP responses and server certificates.