nifi: init at 1.16.0
43 KiB
Release 22.05 (“Quokka”, 2022.05/??)
In addition to numerous new and upgraded packages, this release has the following highlights:
- Support is planned until the end of December 2022, handing over to 22.11.
Highlights
-
The
firefox
browser onx86_64-linux
is now making use of profile-guided optimization resulting in a much more responsive browsing experience. -
security.acme.defaults
has been added to simplify configuring settings for many certificates at once. This also opens up the the option to use DNS-01 validation when usingenableACME
on web server virtual hosts (e.g.services.nginx.virtualHosts.*.enableACME
). -
GNOME has been upgraded to 42. Please take a look at their Release Notes for details. Notably, it replaces gedit with GNOME Text Editor, GNOME Terminal with GNOME Console (formerly King’s Cross), and GNOME Screenshot with a tool built into the Shell.
-
PHP 8.1 is now available
-
Mattermost has been updated to extended support release 6.3, as the previously packaged extended support release 5.37 is reaching its end of life. Migrations may take a while, see the changelog and important upgrade notes.
-
systemd services can now set systemd.services.<name>.reloadTriggers instead of
reloadIfChanged
for a more granular distinction between reloads and restarts. -
Systemd has been upgraded to the version 250.
-
kops
defaults to 1.22.4, which will enable Instance Metadata Service Version 2 and require tokens on new clusters with Kubernetes 1.22. This will increase security by default, but may break some types of workloads. See the release notes for details. -
Module authors can use
mkRenamedOptionModuleWith
to automate the deprecation cycle without annoying out-of-tree module authors and their users. -
The default GHC version has been updated from 8.10.7 to 9.0.2.
pkgs.haskellPackages
andpkgs.ghc
will now use this version by default.
New Services
-
aesmd, the Intel SGX Architectural Enclave Service Manager. Available as services.aesmd.
-
rootless Docker, a
systemd --user
Docker service which runs without root permissions. Available as virtualisation.docker.rootless.enable. -
matrix-conduit, a simple, fast and reliable chat server powered by matrix. Available as services.matrix-conduit.
-
nethoscope, listen to your network traffic. Available as programs.nethoscope.
-
filebeat, a lightweight shipper for forwarding and centralizing log data. Available as services.filebeat.
-
apfs, a kernel module for mounting the Apple File System (APFS).
-
FRRouting, a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VRRP and others). Available as services.frr
-
heisenbridge, a bouncer-style Matrix IRC bridge. Available as services.heisenbridge.
-
snowflake-proxy, a system to defeat internet censorship. Available as services.snowflake-proxy.
-
ergochat, a modern IRC with IRCv3 features. Available as services.ergochat.
-
PowerDNS-Admin, a web interface for the PowerDNS server. Available at services.powerdns-admin.
-
pgadmin4, an admin interface for the PostgreSQL database. Available at services.pgadmin.
-
input-remapper, an easy to use tool to change the mapping of your input device buttons. Available at services.input-remapper.
-
InvoicePlane, web application for managing and creating invoices. Available at services.invoiceplane.
-
maddy, a composable all-in-one mail server. Available as services.maddy.
-
K40-Whisperer, a program to control cheap Chinese laser cutters. Available as programs.k40-whisperer.enable. Users must add themselves to the
k40
group to be able to access the device. -
mozillavpn, the client for the Mozilla VPN service. Available as services.mozillavpn.
-
mtr-exporter, a Prometheus exporter for mtr metrics. Available as services.mtr-exporter.
-
prometheus-pve-exporter, a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as services.prometheus.exporters.pve.
-
netbox, infrastructure resource modeling (IRM) tool. Available as services.netbox.
-
tetrd, share your internet connection from your device to your PC and vice versa through a USB cable. Available at services.tetrd.
-
agate, a very simple server for the Gemini hypertext protocol. Available as services.agate.
-
ArchiSteamFarm, a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as services.archisteamfarm.
-
teleport, allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at services.teleport.
-
BaGet, a lightweight NuGet and symbol server. Available at services.baget.
-
moosefs, fault tolerant petabyte distributed file system. Available as moosefs.
-
prosody-filer, a server for handling XMPP HTTP Upload requests. Available at services.prosody-filer.
-
systembus-notify, allow system level notifications to reach the users. Available as services.systembus-notify. Please keep in mind that this service should only be enabled on machines with fully trusted users, as any local user is able to DoS user sessions by spamming notifications.
-
ethercalc, an online collaborative spreadsheet. Available as services.ethercalc.
-
nbd, a Network Block Device server. Available as services.nbd.
-
nix-ld, Run unpatched dynamic binaries on NixOS. Available as programs.nix-ld.
-
timetagger, an open source time-tracker with an intuitive user experience and powerful reporting. services.timetagger.
-
rstudio-server, a browser-based version of the RStudio IDE for the R programming language. Available as services.rstudio-server.
-
headscale, an Open Source implementation of the Tailscale Control Server. Available as services.headscale
-
blocky, fast and lightweight DNS proxy as ad-blocker for local network with many features.
-
pacemaker cluster resource manager
-
nifi, an easy to use, powerful, and reliable system to process and distribute data. Available as services.nifi.
Backward Incompatibilities
-
pkgs.ghc
now refers topkgs.targetPackages.haskellPackages.ghc
. This only makes a difference if you are cross-compiling and will ensure thatpkgs.ghc
always runs on the host platform and compiles for the target platform (similar topkgs.gcc
for example).haskellPackages.ghc
still behaves as before, running on the build platform and compiling for the host platform (similar tostdenv.cc
). This means you don't have to adjust your derivations if you usehaskellPackages.callPackage
, but when usingpkgs.callPackage
and takingghc
as an input, you should now usebuildPackages.ghc
instead to ensure cross compilation keeps working (or switch tohaskellPackages.callPackage
). -
pkgs.ghc.withPackages
as well ashaskellPackages.ghcWithPackages
etc. now needs be overridden directly, as opposed to overriding the result of calling it. Additionally, thewithLLVM
parameter has been renamed touseLLVM
. So instead of(ghc.withPackages (p: [])).override { withLLVM = true; }
, one needs to use(ghc.withPackages.override { useLLVM = true; }) (p: [])
. -
The
home-assistant
module now requires users that don't want their configuration to be managed declaratively to setservices.home-assistant.config = null;
. This is required due to the way default settings are handled with the new settings style.Additionally the default list of
extraComponents
now includes the minimal dependencies to successfully complete the onboarding procedure. -
pkgs.emacsPackages.orgPackages
is removed because org elpa is deprecated. The packages in the top level ofpkgs.emacsPackages
, such as org and org-contrib, refer to the ones inpkgs.emacsPackages.elpaPackages
andpkgs.emacsPackages.nongnuPackages
where the new versions will release. -
security.klogd
was removed. Logging of kernel messages is handled by systemd since Linux 3.5. -
services.kubernetes.addons.dashboard
was removed due to it being an outdated version. -
services.kubernetes.scheduler.{port,address}
now set--secure-port
and--bind-address
instead of--port
and--address
, since the former have been deprecated and are no longer functional in kubernetes>=1.23. Ensure that you are not relying on the insecure behaviour before upgrading. -
openssh
has been update to 8.9p1, changing the FIDO security key middleware interface. -
services.k3s.enable
no longer impliessystemd.enableUnifiedCgroupHierarchy = false
, and will default to the 'systemd' cgroup driver when usingservices.k3s.docker = true
. This change may require a reboot to take effect, and k3s may not be able to run if the boot cgroup hierarchy does not match its configuration. The previous behavior may be retained by explicitly settingsystemd.enableUnifiedCgroupHierarchy = false
in your configuration. -
fonts.fonts
no longer includes ancient bitmap fonts when bothconfig.services.xserver.enable
andconfig.nixpkgs.config.allowUnfree
are enabled. If you still want these fonts, use:{ fonts.fonts = [ pkgs.xorg.fontbhlucidatypewriter100dpi pkgs.xorg.fontbhlucidatypewriter75dpi pkgs.xorg.fontbh100dpi ]; }
-
The DHCP server (
services.dhcpd4
,services.dhcpd6
) has been hardened. The service is now using the systemd'sDynamicUser
mechanism to run as an unprivileged dynamically-allocated user with limited capabilities. The dhcpd state files are now always stored in/var/lib/dhcpd{4,6}
and theservices.dhcpd4.stateDir
andservice.dhcpd6.stateDir
options have been removed. If you were depending on root privileges or set{uid,gid,cap} binaries in dhcpd shell hooks, you may give dhcpd more capabilities with e.g.systemd.services.dhcpd6.serviceConfig.AmbientCapabilities
. -
The
mailpile
email webclient (services.mailpile
) has been removed due to its reliance on python2. -
services.ipfs.extraFlags
is now escaped withutils.escapeSystemdExecArgs
. If you rely on systemd interpolatingextraFlags
in the serviceExecStart
, this will no longer work. -
The
matrix-synapse
service (services.matrix-synapse
) has been converted to use thesettings
option defined in RFC42. This means that options that are part of yourhomeserver.yaml
configuration, and that were specified at the top-level of the module (services.matrix-synapse
) now need to be moved intoservices.matrix-synapse.settings
. And while not all options you may use are defined in there, they are still supported, because you can set arbitrary values in this freeform type.The
listeners.*.bind_address
option was renamed tobind_addresses
in order to match the upstreamhomeserver.yaml
option name. It is now also a list of strings instead of a string.An example to make the required migration clearer:
Before:
{ services.matrix-synapse = { enable = true; server_name = "example.com"; public_baseurl = "https://example.com:8448"; enable_registration = false; registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut"; macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l"; tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; listeners = [ { port = 8448; bind_address = ""; type = "http"; tls = true; resources = [ { names = [ "client" ]; compress = true; } { names = [ "federation" ]; compress = false; } ]; } ]; }; }
After:
{ services.matrix-synapse = { enable = true; # this attribute set holds all values that go into your homeserver.yaml configuration # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for # possible values. settings = { server_name = "example.com"; public_baseurl = "https://example.com:8448"; enable_registration = false; # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; listeners = [ { port = 8448; bind_addresses = [ "::" "0.0.0.0" ]; type = "http"; tls = true; resources = [ { names = [ "client" ]; compress = true; } { names = [ "federation" ]; compress = false; } ]; } ]; }; extraConfigFiles = [ /run/keys/matrix-synapse/secrets.yaml ]; }; }
The secrets in your original config should be migrated into a YAML file that is included via
extraConfigFiles
.Additionally a few option defaults have been synced up with upstream default values, for example the
max_upload_size
grew from10M
to50M
. For the same reason, the defaultmedia_store_path
was changed from${dataDir}/media
to${dataDir}/media_store
ifsystem.stateVersion
is at least22.05
. Files will need to be manually moved to the new location if thestateVersion
is updated. -
The MoinMoin wiki engine (
services.moinmoin
) has been removed, because Python 2 is being retired from nixpkgs. -
Services in the
hadoop
module previously setopenFirewall
to true by default. This has now been changed to false. Node definitions for multi-node clusters would needopenFirewall = true;
to be added to to hadoop services when upgrading from NixOS 21.11. -
services.hadoop.yarn.nodemanager
now uses cgroup-based CPU limit enforcement by default. Additionally, the optionuseCGroups
was added to nodemanagers as an easy way to switch back to the old behavior. -
The
wafHook
hook now honorsNIX_BUILD_CORES
whenenableParallelBuilding
is not set explicitly. Packages can restore the old behaviour by settingenableParallelBuilding=false
. -
pkgs.claws-mail-gtk2
, representing Claws Mail's older release version three, was removed in order to get rid of Python 2. Please switch toclaws-mail
, which is Claws Mail's latest release based on GTK+3 and Python 3. -
The
writers.writePython2
and correspondingwriters.writePython2Bin
convenience functions to create executable Python 2 scripts in the store were removed in preparation of removal of the Python 2 interpreter. Scripts have to be converted to Python 3 for use withwriters.writePython3
orwriters.writePyPy2
needs to be used. -
buildGoModule
was updated to usego_1_17
, third party derivations that specify >= go 1.17 in the maingo.mod
will need to regenerate theirvendorSha256
hash. -
The
gnome-passwordsafe
package updated to version 6.x and renamed tognome-secrets
. -
services.gnome.experimental-features.realtime-scheduling
option has been removed, as GNOME Shell now uses rtkit. Usesecurity.rtkit.enable = true;
instead. As before, you will need to have it enabled using GSettings. -
services.telepathy
will no longer be enabled by default for GNOME desktops, one should enable it in their configs if using Empathy or Polari. -
If you previously used
/etc/docker/daemon.json
, you need to incorporate the changes into the new optionvirtualisation.docker.daemon.settings
. -
Ntopng (
services.ntopng
) is updated to 5.2.1 and uses a separate Redis instance ifsystem.stateVersion
is at least22.05
. Existing setups shouldn't be affected. -
The backward compatibility in
services.wordpress
to configure sites with the old interface has been removed. Please useservices.wordpress.sites
instead. -
The backward compatibility in
services.dokuwiki
to configure sites with the old interface has been removed. Please useservices.dokuwiki.sites
instead. -
opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs
-
services.miniflux.adminCredentialFiles
is now required, instead of defaulting toadmin
andpassword
. -
The
autorestic
package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check their migration guide for more details. -
For
pkgs.python3.pkgs.ipython
, its direct dependencypkgs.python3.pkgs.matplotlib-inline
(which is really an adapter to integrate matplotlib in ipython if it is installed) does not depend onpkgs.python3.pkgs.matplotlib
anymore. This is closer to a non-Nix install of ipython. This has the added benefit to reduce the closure size ofipython
from ~400MB to ~160MB (including ~100MB for python itself). -
documentation.man
has been refactored to support choosing a man implementation other than GNU'sman-db
. For this,documentation.man.manualPages
has been renamed todocumentation.man.man-db.manualPages
. If you want to use the new alternative man implementationmandoc
, adddocumentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; }
to your configuration. -
Normal users (with
isNormalUser = true
) which have non-emptysubUidRanges
orsubGidRanges
set no longer have additional implicit ranges allocated. To enable automatic allocation back setautoSubUidGidRange = true
. -
idris2
now requires--package
when using packagescontrib
andnetwork
, while previously these idris2 packages were automatically loaded. -
The iputils package, which is installed by default, no longer provides the legacy tools
tftpd
andtraceroute6
. More tools (ninfod
,rarpd
, andrdisc
) are going to be removed in the next release. See upstream's release notes for more details and available replacements. -
services.thelounge.private
was removed in favor ofservices.thelounge.public
, to follow with upstream changes. -
pkgs.docbookrx
was removed since it's unmaintained -
pkgs._7zz
is now correctly licensed as LGPL3+ and BSD3 with optional unfree unRAR licensed code -
The
vim.customize
function produced byvimUtils.makeCustomizable
now has a slightly different interface:- The wrapper now includes everything in the given Vim derivation if
name
is"vim"
(the default). This makes thewrapManual
argument obsolete, but this behavior can be overriden by setting thestandalone
argument. - All the executables present in the given derivation (or, in
standalone
mode, only the*vim
ones) are wrapped. This makes thewrapGui
argument obsolete. - The
vimExecutableName
andgvimExecutableName
arguments were replaced by a singleexecutableName
argument in which the shell variable$exe
can be used to refer to the wrapped executable's name.
See the comments in
pkgs/applications/editors/vim/plugins/vim-utils.nix
for more details.vimUtils.vimWithRC
was removed. You should instead usecustomize
on a Vim derivation, which now acceptsvimrcFile
andgvimrcFile
arguments. - The wrapper now includes everything in the given Vim derivation if
-
tilp2
was removed together with its module -
The F-PROT antivirus (
fprot
package) and its service module were removed because it reached end-of-life. -
bird1
and its modulesservices.bird
as well asservices.bird6
have been removed. Upgrade toservices.bird2
. -
The options
networking.interfaces.<name>.ipv4.routes
andnetworking.interfaces.<name>.ipv6.routes
are no longer ignored when using networkd instead of the default scripted network backend by settingnetworking.useNetworkd
totrue
. -
The
miller
package has been upgraded from 5.10.3 to 6.2.0. See What's new in Miller 6. -
MultiMC has been replaced with the fork PolyMC due to upstream developers being hostile to 3rd party package maintainers. PolyMC removes all MultiMC branding and is aimed at providing proper 3rd party packages like the one contained in Nixpkgs. This change affects the data folder where game instances and other save and configuration files are stored. Users with existing installations should rename
~/.local/share/multimc
to~/.local/share/polymc
. The main config file's path has also moved from~/.local/share/multimc/multimc.cfg
to~/.local/share/polymc/polymc.cfg
. -
systemd-nspawn@.service
settings have been reverted to the default systemd behaviour. User namespaces are now activated by default. If you want to keep running nspawn containers without user namespaces you need to setsystemd.nspawn.<name>.execConfig.PrivateUsers = false
-
The Tor SOCKS proxy is now actually disabled if
services.tor.client.enable
is set tofalse
(the default). If you are using this functionality but didn't change the setting or set it tofalse
, you now need to set it totrue
. -
The terraform 0.12 compatibility has been removed and the
terraform.withPlugins
andterraform-providers.mkProvider
implementations simplified. Providers now need to be stored under$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>
(which mkProvider does).This breaks back-compat so it's not possible to mix-and-match with previous versions of nixpkgs. In exchange, it now becomes possible to use the providers from nixpkgs-terraform-providers-bin directly.
-
The
dendrite
package has been upgraded from 0.5.1 to 0.6.5. Instances configured with split sqlite databases, which has been the default in NixOS, require merging of the federation sender and signing key databases. See upstream release notes on version 0.6.0 for details on database changes. -
The existing
pkgs.opentelemetry-collector
has been moved topkgs.opentelemetry-collector-contrib
to match the actual source being the "contrib" edition.pkgs.opentelemetry-collector
is now the actual core release of opentelemetry-collector. If you use the community contributions you should change the package you refer to. If you don't need them update your commands fromotelcontribcol
tootelcorecol
and enjoy a 7x smaller binary. -
pkgs.pgadmin
now refers topkgs.pgadmin4
.pgadmin3
has been removed. -
pkgs.noto-fonts-cjk
is now deprecated in favor ofpkgs.noto-fonts-cjk-sans
andpkgs.noto-fonts-cjk-serif
because they each have different release schedules. To maintain compatibility with prior releases of Nixpkgs,pkgs.noto-fonts-cjk
is currently an alias ofpkgs.noto-fonts-cjk-sans
and doesn't include serif fonts. -
pkgs.epgstation
has been upgraded from v1 to v2, resulting in incompatible changes in the database scheme and configuration format. -
Some top-level settings under services.epgstation is now deprecated because it was redudant due to the same options being present in services.epgstation.settings.
-
The option
services.epgstation.basicAuth
was removed because basic authentication support was dropped by upstream. -
The option services.epgstation.database.passwordFile no longer has a default value. Make sure to set this option explicitly before upgrading. Change the database password if necessary.
-
The services.epgstation.settings option now expects options for
config.yml
in EPGStation v2. -
Existing data for the services.epgstation module would have to be backed up prior to the upgrade. To back up exising data to
/tmp/epgstation.bak
, runsudo -u epgstation epgstation run backup /tmp/epgstation.bak
. To import that data after to the upgrade, runsudo -u epgstation epgstation run v1migrate /tmp/epgstation.bak
-
switch-to-configuration
(the script that is run when runningnixos-rebuild switch
for example) has been reworked- The interface that allows activation scripts to restart units has been streamlined. Restarting and reloading is now done by a single file
/run/nixos/activation-restart-list
that honorsrestartIfChanged
andreloadIfChanged
of the units.- Preferring to reload instead of restarting can still be achieved using
/run/nixos/activation-reload-list
.
- Preferring to reload instead of restarting can still be achieved using
- The script now uses a proper ini-file parser to parse systemd units. Some values are now only searched in one section instead of in the entire unit. This is only relevant for units that don't use the NixOS systemd moule.
RefuseManualStop
,X-OnlyManualStart
,X-StopOnRemoval
,X-StopOnReconfiguration
are only searched in the[Unit]
sectionX-ReloadIfChanged
,X-RestartIfChanged
,X-StopIfChanged
are only searched in the[Service]
section
- The interface that allows activation scripts to restart units has been streamlined. Restarting and reloading is now done by a single file
-
The
services.bookstack.cacheDir
option has been removed, since the cache directory is now handled by systemd. -
The
services.bookstack.extraConfig
option has been replaced byservices.bookstack.config
which implements a settings-style configuration. -
lib.assertMsg
andlib.assertOneOf
no longer returnfalse
if the passed condition isfalse
,throw
ing the given error message instead (which makes the resulting error message less cluttered). This will not impact the behaviour of code using these functions as intended, namely as top-level wrapper forassert
conditions. -
The
vpnc
package has been changed to use GnuTLS instead of OpenSSL by default for licensing reasons. -
pkgs.vimPlugins.onedark-nvim
now refers to navarasu/onedark.nvim (formerly refers to olimorris/onedarkpro.nvim). -
services.pipewire.enable
will default to enabling the WirePlumber session manager instead of pipewire-media-session. pipewire-media-session is deprecated by upstream and not recommended, but can still be manually enabled by settingservices.pipewire.media-session.enable
totrue
andservices.pipewire.wireplumber.enable
tofalse
. -
pkgs.makeDesktopItem
has been refactored to provide a more idiomatic API. Specifically:- All valid options as of FDO Desktop Entry specification version 1.4 can now be passed in as explicit arguments
exec
can now be null, for entries that are not of type ApplicationmimeType
argument is renamed tomimeTypes
for consistencymimeTypes
,categories
,implements
,keywords
,onlyShowIn
andnotShowIn
take lists of strings instead of one string with semicolon separatorsextraDesktopEntries
renamed toextraConfig
for consistency- Actions should now be provided as an attrset
actions
, theActions
line will be autogenerated. extraEntries
is removed.- Additional validation is added both at eval time and at build time.
See the
vscode
package for a more detailed example. -
Existing
resholve*
functions have been renamed and nested underpkgs.resholve
. Update uses to:resholvePackage
->resholve.mkDerivation
resholveScript
->resholve.writeScript
resholveScriptBin
->resholve.writeScriptBin
-
pkgs.cosmopolitan
no longer provides thecosmoc
command. It has been moved topkgs.cosmoc
.
Other Notable Changes
-
The option services.redis.servers was added to support per-application
redis-server
which is more secure since Redis databases are only mere key prefixes without any configuration or ACL of their own. Backward-compatibility is preserved by mapping oldservices.redis.settings
toservices.redis.servers."".settings
, but you are strongly encouraged to name eachredis-server
instance after the application using it, instead of keeping that nameless one. Except for the namelessservices.redis.servers.""
still accessible at127.0.0.1:6379
, and to the members of the Unix groupredis
through the Unix socket/run/redis/redis.sock
, all otherservices.redis.servers.${serverName}
are only accessible by default to the members of the Unix groupredis-${serverName}
through the Unix socket/run/redis-${serverName}/redis.sock
. -
The option virtualisation.vmVariant was added to allow users to make changes to the
nixos-rebuild build-vm
configuration that do not apply to their normal system.The
config.system.build.vm
attribute now always exists and defaults to the value fromvmVariant
. Configurations that import thevirtualisation/qemu-vm.nix
module themselves will override this value, such thatvmVariant
is not used.Similarly virtualisation.vmVariantWithBootloader was added.
-
The configuration portion of the
nix-daemon
module has been reworked and exposed as nix.settings:- Legacy options have been mapped to the corresponding options under under nix.settings and will be deprecated when NixOS 21.11 reaches end of life.
- nix.buildMachines.publicHostKey has been added.
-
The
writers.writePyPy2
/writers.writePyPy3
and correspondingwriters.writePyPy2Bin
/writers.writePyPy3Bin
convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added. -
Some improvements have been made to the
hadoop
module:- A
gatewayRole
option has been added, for deploying hadoop cluster configuration files to a node that does not have any active services - Support for older versions of hadoop have been added to the module
- Overriding and extending site XML files has been made easier
- A
-
If you are using Wayland you can choose to use the Ozone Wayland support in Chrome and several Electron apps by setting the environment variable
NIXOS_OZONE_WL=1
(for example viaenvironment.sessionVariables.NIXOS_OZONE_WL = "1"
). This is not enabled by default because Ozone Wayland is still under heavy development and behavior is not always flawless. Furthermore, not all Electron apps use the latest Electron versions. -
A new option group
systemd.network.wait-online
was added, with options to configuresystemd-networkd-wait-online.service
:anyInterface
allows specifying that the network should be considered online when at least one interface is online (useful on laptops)timeout
defines how long to wait for the network to come onlineextraArgs
for everything else
-
The
influxdb2
package was split intoinfluxdb2-server
andinfluxdb2-cli
, matching the split that took place upstream. A combinedinfluxdb2
package is still provided in this release for backwards compatibilty, but will be removed at a later date. -
The
unifi
package was switched fromunifi6
tounifi7
. Direct downgrades from Unifi 7 to Unifi 6 are not possible and require restoring from a backup made by Unifi 6. -
programs.zsh.autosuggestions.strategy
now takes a list of strings instead of a string. -
The
asterisk
andasterisk-stable
packages were switched fromasterisk_18
to the newly-packagedasterisk_19
. Asterisk 13 and 17 have been removed as they have reached their end of life. -
The
services.unifi.openPorts
option default value oftrue
is now deprecated and will be changed tofalse
in 22.11. Configurations using this default will print a warning when rebuilt. -
The
services.unifi-video.openPorts
option default value oftrue
is now deprecated and will be changed tofalse
in 22.11. Configurations using this default will print a warning when rebuilt. -
security.acme
certificates will now correctly check for CA revokation before reaching their minimum age. -
Removing domains from
security.acme.certs._name_.extraDomainNames
will now correctly remove those domains during rebuild/renew. -
MariaDB is now offered in several versions, not just the newest one. So if you have a need for running MariaDB 10.4 for example, you can now just set
services.mysql.package = pkgs.mariadb_104;
. In general, it is recommended to run the newest version, to get the newest features, while sticking with an LTS version will most likely provide a more stable experience. Sometimes software is also incompatible with the newest version of MariaDB. -
The option programs.ssh.enableAskPassword was added, decoupling the setting of
SSH_ASKPASS
fromservices.xserver.enable
. This allows easy usage in non-X11 environments, e.g. Wayland. -
programs.ssh.knownHosts has gained an
extraHostNames
option to augmenthostNames
. It is now possible to use the attribute name of aknownHosts
entry as the primary host name and specify secondary host names usingextraHostNames
without having to duplicate the primary host name. -
The
services.stubby
module was converted to a settings-style configuration. -
A new module was added for the Envoy reverse proxy, providing the options
services.envoy.enable
andservices.envoy.settings
. -
The option
services.duplicati.dataDir
has been added to allow changing the location of duplicati's files. -
The options
boot.extraModprobeConfig
andboot.blacklistedKernelModules
now also take effect in the initrd by copying the file/etc/modprobe.d/nixos.conf
into the initrd. -
nixos-generate-config
now puts the dhcp configuration inhardware-configuration.nix
instead ofconfiguration.nix
. -
ORY Kratos was updated to version 0.8.3-alpha.1.pre.0, which introduces some breaking changes:
- If you are relying on the SQLite images, update your Docker Pull commands as follows:
docker pull oryd/kratos:{version}
- Additionally, all passwords now have to be at least 8 characters long.
- For more details, see:
- If you are relying on the SQLite images, update your Docker Pull commands as follows:
-
fetchFromSourcehut
now allows fetching repositories recursively usingfetchgit
orfetchhg
if the argumentfetchSubmodules
is set totrue
. -
A module for declarative configuration of openconnect VPN profiles was added under
networking.openconnect
. -
The
element-desktop
package now has anuseKeytar
option (defaults totrue
), which allows disablingkeytar
and in turnlibsecret
usage (which binds to native credential managers / keychain libraries). -
The option
services.thelounge.plugins
has been added to allow installing plugins for The Lounge. Plugins can be found inpkgs.theLoungePlugins.plugins
andpkgs.theLoungePlugins.themes
. -
The option
services.xserver.videoDriver = [ "nvidia" ];
will now also install nvidia VA-API drivers by default. -
The
firmwareLinuxNonfree
package has been renamed tolinux-firmware
. -
It is now possible to specify wordlists to include as handy to access environment variables using the
config.environment.wordlist
configuration options. -
The
services.mbpfan
module was converted to a RFC 0042 configuration. -
The default value for
programs.spacefm.settings.graphical_su
got unset. It previously pointed togksu
which has been removed. -
A new module was added for the Starship shell prompt, providing the options
programs.starship.enable
andprograms.starship.settings
. -
The Dino XMPP client was updated to 0.3, adding support for audio and video calls.
-
services.mattermost.plugins
has been added to allow the declarative installation of Mattermost plugins. Plugins are automatically repackaged using autoPatchelf. -
services.logrotate.enable now defaults to true if any rotate path has been defined, and some paths have been added by default.
-
The logrotate module also has been updated to freeform syntax: services.logrotate.paths and services.logrotate.extraConfig will work, but issue deprecation warnings and services.logrotate.settings should now be used instead.
-
security.pam.ussh
has been added, which allows authorizing PAM sessions based on SSH certificates held within an SSH agent, using pam-ussh. -
The
zrepl
package has been updated from 0.4.0 to 0.5:- The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume.
- A bug involving encrypt-on-receive has been fixed. Read the zrepl documentation and check the output of
zfs get -r encryption,zrepl:placeholder PATH_TO_ROOTFS
on the receiver.
-
Renamed option
services.openssh.challengeResponseAuthentication
toservices.openssh.kbdInteractiveAuthentication
. Reason is that the old name has been deprecated upstream. Using the old option name will still work, but produce a warning. -
services.autorandr
now allows for adding hooks and profiles declaratively. -
The
pomerium-cli
command has been moved out of thepomerium
package into thepomerium-cli
package, following upstream's repository split. If you are using thepomerium-cli
command, you should now install thepomerium-cli
package. -
The option services.networking.networkmanager.enableFccUnlock was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer automatically performs the FCC unlock procedure by default. See the docs for more details.
-
programs.tmux
has a new optionplugins
that accepts a list of packages from thetmuxPlugins
group. The specified packages are added to the system and loaded bytmux
. -
The polkit service, available at
security.polkit.enable
, is now disabled by default. It will automatically be enabled through services and desktop environments as needed. -
xfsprogs was update to version 5.15, which enables inobtcount and bigtime by default on filesystem creation. Support for these features was added in kernel 5.10 and deemed stable in kernel 5.15. If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than 5.10, you need to format them with
mkfs.xfs -m bigtime=0 -m inobtcount=0
. -
services.xserver.desktopManager.xfce
now includes Xfce's screen locker,xfce4-screensaver
. -
The
hadoop
package has added support foraarch64-linux
andaarch64-darwin
as of 3.3.1 (#158613). -
The
R
package now builds again onaarch64-darwin
(#158992). -
The
spark3
package has been updated from 3.1.2 to 3.2.1 (#160075): -
The
programs.nncp
options were added for generating host-global NNCP configuration.