nixpkgs-suyu/nixos/doc/manual/release-notes/rl-2111.section.md
Florian Klink c1536f5c78 nixos/systemd: fix NSS database ordering
- The order of NSS (host) modules has been brought in line with upstream
  recommendations:

  - The `myhostname` module is placed before the `resolve` (optional) and `dns`
    entries, but after `file` (to allow overriding via `/etc/hosts` /
    `networking.extraHosts`, and prevent ISPs with catchall-DNS resolvers from
    hijacking `.localhost` domains)
  - The `mymachines` module, which provides hostname resolution for local
    containers (registered with `systemd-machined`) is placed to the front, to
    make sure its mappings are preferred over other resolvers.
  - If systemd-networkd is enabled, the `resolve` module is placed before
    `files` and `myhostname`, as it provides the same logic internally, with
    caching.
  - The `mdns(_minimal)` module has been updated to the new priorities.

  If you use your own NSS host modules, make sure to update your priorities
  according to these rules:

  - NSS modules which should be queried before `resolved` DNS resolution should
    use mkBefore.
  - NSS modules which should be queried after `resolved`, `files` and
    `myhostname`, but before `dns` should use the default priority
  - NSS modules which should come after `dns` should use mkAfter.
2021-07-17 23:55:35 +02:00


Release 21.11 (“?”, 2021.11/??)

In addition to numerous new and upgraded packages, this release has the following highlights:

  • Support is planned until the end of April 2022, handing over to 22.05.

Highlights

  • PHP now defaults to PHP 8.0, updated from 7.4.
  • kOps now defaults to 1.21.0, which uses containerd as the default runtime.

New Services

Backward Incompatibilities

  • The staticjinja package has been upgraded from 1.0.4 to 3.0.1

  • services.geoip-updater was broken and has been replaced by services.geoipupdate.

  • PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release.

  • Those making use of buildBazelPackage will need to regenerate the fetch hashes (preferred), or set fetchConfigured = false;.

  • consul was upgraded to a new major release with breaking changes, see upstream changelog.

  • fsharp41 has been removed in favour of the latest dotnet-sdk.

  • The following F#-related packages have been removed for being unmaintained. Please use fetchNuGet for specific packages.

    • ExtCore
    • Fake
    • Fantomas
    • FsCheck
    • FsCheck262
    • FsCheckNunit
    • FSharpAutoComplete
    • FSharpCompilerCodeDom
    • FSharpCompilerService
    • FSharpCompilerTools
    • FSharpCore302
    • FSharpCore3125
    • FSharpCore4001
    • FSharpCore4117
    • FSharpData
    • FSharpData225
    • FSharpDataSQLProvider
    • FSharpFormatting
    • FsLexYacc
    • FsLexYacc706
    • FsLexYaccRuntime
    • FsPickler
    • FsUnit
    • Projekt
    • Suave
    • UnionArgParser
    • ExcelDnaRegistration
    • MathNetNumerics

  • programs.x2goserver is now services.x2goserver

  • The following dotnet-related packages have been removed for being unmaintained. Please use fetchNuGet for specific packages.

    • Autofac
    • SystemValueTuple
    • MicrosoftDiaSymReader
    • MicrosoftDiaSymReaderPortablePdb
    • SystemCollectionsImmutable
    • SystemCollectionsImmutable131
    • SystemReflectionMetadata
    • NUnit350
    • Deedle
    • ExcelDna
    • GitVersionTree
    • NDeskOptions

  • The antlr package now defaults to the 4.x release instead of the old 2.7.7 version.

  • The pulseeffects package was updated to version 4.x and renamed to easyeffects.

  • The libwnck package now defaults to the 3.x release instead of the old 2.31.0 version.

  • The bitwarden_rs packages and modules were renamed to vaultwarden following upstream. More specifically,

    • pkgs.bitwarden_rs, pkgs.bitwarden_rs-sqlite, pkgs.bitwarden_rs-mysql and pkgs.bitwarden_rs-postgresql were renamed to pkgs.vaultwarden, pkgs.vaultwarden-sqlite, pkgs.vaultwarden-mysql and pkgs.vaultwarden-postgresql, respectively.

      • Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
      • The bitwarden_rs executable was also renamed to vaultwarden in all packages.
    • pkgs.bitwarden_rs-vault was renamed to pkgs.vaultwarden-vault.

      • pkgs.bitwarden_rs-vault is preserved as an alias for backwards compatibility, but may be removed in the future.
      • The static files were moved from /usr/share/bitwarden_rs to /usr/share/vaultwarden.
    • The services.bitwarden_rs config module was renamed to services.vaultwarden.

      • services.bitwarden_rs is preserved as an alias for backwards compatibility, but may be removed in the future.
    • systemd.services.bitwarden_rs, systemd.services.backup-bitwarden_rs and systemd.timers.backup-bitwarden_rs were renamed to systemd.services.vaultwarden, systemd.services.backup-vaultwarden and systemd.timers.backup-vaultwarden, respectively.

      • Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
    • users.users.bitwarden_rs and users.groups.bitwarden_rs were renamed to users.users.vaultwarden and users.groups.vaultwarden, respectively.

    • The data directory remains located at /var/lib/bitwarden_rs, for backwards compatibility.

  • yggdrasil was upgraded to a new major release with breaking changes, see upstream changelog.

  • icingaweb2 was upgraded to a new release which requires a manual database upgrade, see upstream changelog.

Other Notable Changes

  • The setting services.openssh.logLevel now defaults to "INFO" instead of "VERBOSE". This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers caused by brute-forcing botnets.

    However, if services.fail2ban.enable is true, the fail2ban module overrides the verbosity to "VERBOSE", so that fail2ban can observe the failed login attempts in the SSH logs.

  • Sway: The terminal emulator rxvt-unicode is no longer installed by default via programs.sway.extraPackages. The current default configuration uses alacritty (and soon foot) so this is only an issue when using a customized configuration and not installing rxvt-unicode explicitly.

  • The claws-mail package now references the new GTK+ 3 release branch, major version 4. To use the GTK+ 2 releases, one can install the claws-mail-gtk2 package.

  • The wordpress module provides a new interface which allows different web servers to be used via the new option services.wordpress.webserver. Currently httpd and nginx are supported. WordPress site definitions should now be set in services.wordpress.sites.

    Site definitions that use the old interface are automatically migrated to the new option. This backward compatibility will be removed in 22.05.

  • The order of NSS (host) modules has been brought in line with upstream recommendations:

    • The myhostname module is placed before the resolve (optional) and dns entries, but after files (to allow overriding via /etc/hosts / networking.extraHosts, and to prevent ISPs with catch-all DNS resolvers from hijacking .localhost domains).
    • The mymachines module, which provides hostname resolution for local containers (registered with systemd-machined) is placed to the front, to make sure its mappings are preferred over other resolvers.
    • If systemd-networkd is enabled, the resolve module is placed before files and myhostname, as it provides the same logic internally, with caching.
    • The mdns(_minimal) module has been updated to the new priorities.

    If you use your own NSS host modules, make sure to update your priorities according to these rules:

    • NSS modules which should be queried before resolved DNS resolution should use mkBefore.
    • NSS modules which should be queried after resolved, files and myhostname, but before dns should use the default priority.
    • NSS modules which should come after dns should use mkAfter.
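To make the three priority rules concrete, here is an added example (not part of the release notes or of the nixpkgs commit) of a NixOS module that registers a hypothetical third-party NSS host module at each priority. It assumes a hypothetical package pkgs.nss-example that ships libnss_example*.so.2 for the three source names used below; system.nssModules and system.nssDatabases.hosts are the real NixOS options, and mkBefore/mkAfter are lib.mkOrder 500 and 1500 around the default of 1000.

```nix
# Added example, not from the nixpkgs commit. pkgs.nss-example and the three
# source names are hypothetical; the options and lib helpers are real.
{ config, lib, pkgs, ... }:
{
  # Make the module's shared objects discoverable by glibc's NSS loader.
  system.nssModules = [ pkgs.nss-example ];

  # system.nssDatabases.hosts is an ordered list; mkMerge lets one module
  # contribute entries at several priorities.
  system.nssDatabases.hosts = lib.mkMerge [
    # Rule 1: queried before systemd-resolved DNS resolution.
    # Whatever is here can shadow names that DNS would otherwise answer, so
    # reserve it for sources you trust more than your resolver (for example
    # mappings for local containers, as mymachines does).
    (lib.mkBefore [ "example_trusted" ])

    # Rule 2: default priority, i.e. after resolve, files and myhostname but
    # before dns. /etc/hosts and the machine's own hostname still win here, so
    # this module cannot redirect localhost or the host's own name.
    [ "example" ]

    # Rule 3: queried after dns, only when every earlier source, DNS included,
    # returned nothing; suitable for last-resort fallbacks.
    (lib.mkAfter [ "example_fallback" ])
  ];
}
```

After a rebuild, the effective order is visible on the hosts: line of /etc/nsswitch.conf, which is the place to check that a local-override module really sits before dns and that files and myhostname still precede anything that could redirect .localhost names.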