mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-07-02 22:10:08 +03:00
1197 lines
48 KiB
XML
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-19.09">
<title>Release 19.09 (<quote>Loris</quote>, 2019/10/09)</title>
<section xml:id="sec-release-19.09-highlights">
<title>Highlights</title>
<para>
In addition to numerous new and upgraded packages, this release
has the following highlights:
</para>
<itemizedlist>
<listitem>
<para>
End of support is planned for end of April 2020, handing over
to 20.03.
</para>
</listitem>
<listitem>
<para>
Nix has been updated to 2.3; see its
<link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.3">release
notes</link>.
</para>
</listitem>
<listitem>
<para>
Core version changes:
</para>
<para>
systemd: 239 -> 243
</para>
<para>
gcc: 7 -> 8
</para>
<para>
glibc: 2.27 (unchanged)
</para>
<para>
linux: 4.19 LTS (unchanged)
</para>
<para>
openssl: 1.0 -> 1.1
</para>
</listitem>
<listitem>
<para>
Desktop version changes:
</para>
<para>
plasma5: 5.14 -> 5.16
</para>
<para>
gnome3: 3.30 -> 3.32
</para>
</listitem>
<listitem>
<para>
PHP now defaults to PHP 7.3, updated from 7.2.
</para>
</listitem>
<listitem>
<para>
PHP 7.1 is no longer supported due to upstream not supporting
this version for the entire lifecycle of the 19.09 release.
</para>
</listitem>
<listitem>
<para>
The binfmt module is now easier to use. Additional systems can
be added through
<literal>boot.binfmt.emulatedSystems</literal>. For instance,
<literal>boot.binfmt.emulatedSystems = [ "wasm32-wasi" "x86_64-windows" "aarch64-linux" ];</literal>
will set up binfmt interpreters for each of those listed
systems.
</para>
</listitem>
<listitem>
<para>
The installer now uses a less privileged
<literal>nixos</literal> user whereas before we logged in as
root. To gain root privileges use <literal>sudo -i</literal>
without a password.
</para>
</listitem>
<listitem>
<para>
We’ve updated to Xfce 4.14, which brings a new module
<literal>services.xserver.desktopManager.xfce4-14</literal>.
If you’d like to upgrade, please switch from the
<literal>services.xserver.desktopManager.xfce</literal> module
as it will be deprecated in a future release. There are
incompatibilities with the current Xfce module: it doesn’t
support <literal>thunarPlugins</literal>, and it isn’t
recommended to use
<literal>services.xserver.desktopManager.xfce</literal> and
<literal>services.xserver.desktopManager.xfce4-14</literal>
simultaneously or to downgrade from Xfce 4.14 after upgrading.
</para>
</listitem>
<listitem>
<para>
The GNOME 3 desktop manager module sports an interface to
enable/disable core services, applications, and optional GNOME
packages like games.
</para>
<itemizedlist>
<listitem>
<para>
<literal>services.gnome3.core-os-services.enable</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.gnome3.core-shell.enable</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.gnome3.core-utilities.enable</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.gnome3.games.enable</literal>
</para>
</listitem>
</itemizedlist>
<para>
With these options we hope to give users finer-grained control
over their systems. Prior to this change you’d either have to
manually disable options or use
<literal>environment.gnome3.excludePackages</literal>, which
only excluded the optional applications.
<literal>environment.gnome3.excludePackages</literal> is now
unguarded; it can exclude any package installed with
<literal>environment.systemPackages</literal> in the GNOME 3
module.
</para>
</listitem>
<listitem>
<para>
Orthogonal to the previous changes to the GNOME 3 desktop
manager module, we’ve updated all default services and
applications to match as closely as possible a default
reference GNOME 3 experience.
</para>
<para>
<emphasis role="strong">The following changes were enacted in
<literal>services.gnome3.core-utilities.enable</literal></emphasis>
</para>
<itemizedlist>
<listitem>
<para>
<literal>accerciser</literal>
</para>
</listitem>
<listitem>
<para>
<literal>dconf-editor</literal>
</para>
</listitem>
<listitem>
<para>
<literal>evolution</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gnome-documents</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gnome-nettool</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gnome-power-manager</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gnome-todo</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gnome-tweaks</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gnome-usage</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gucharmap</literal>
</para>
</listitem>
<listitem>
<para>
<literal>nautilus-sendto</literal>
</para>
</listitem>
<listitem>
<para>
<literal>vinagre</literal>
</para>
</listitem>
<listitem>
<para>
<literal>cheese</literal>
</para>
</listitem>
<listitem>
<para>
<literal>geary</literal>
</para>
</listitem>
</itemizedlist>
<para>
<emphasis role="strong">The following changes were enacted in
<literal>services.gnome3.core-shell.enable</literal></emphasis>
</para>
<itemizedlist>
<listitem>
<para>
<literal>gnome-color-manager</literal>
</para>
</listitem>
<listitem>
<para>
<literal>orca</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.avahi.enable</literal>
</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-19.09-new-services">
<title>New Services</title>
<para>
The following new services were added since the last release:
</para>
<itemizedlist>
<listitem>
<para>
<literal>./programs/dwm-status.nix</literal>
</para>
</listitem>
<listitem>
<para>
The new <literal>hardware.printers</literal> module allows
declarative configuration of CUPS printers via the
<literal>ensurePrinters</literal> and
<literal>ensureDefaultPrinter</literal> options.
<literal>ensurePrinters</literal> will never delete existing
printers, but will make sure that the given printers are
configured as declared.
</para>
</listitem>
<listitem>
<para>
There is a new
<link xlink:href="options.html#opt-services.system-config-printer.enable">services.system-config-printer.enable</link>
and
<link xlink:href="options.html#opt-programs.system-config-printer.enable">programs.system-config-printer.enable</link>
module for the program of the same name. If you previously had
<literal>system-config-printer</literal> enabled through some
other means, you should migrate to using one of these modules.
</para>
<itemizedlist>
<listitem>
<para>
<literal>services.xserver.desktopManager.plasma5</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.xserver.desktopManager.gnome3</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.xserver.desktopManager.pantheon</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.xserver.desktopManager.mate</literal>
Note that Mate uses
<literal>programs.system-config-printer</literal>, as it
doesn’t use it as a service, but uses its graphical interface
directly.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.blueman.enable">services.blueman.enable</link>
has been added. If you previously had blueman installed via
<literal>environment.systemPackages</literal>, please migrate
to using the NixOS module, as installing it via
<literal>environment.systemPackages</literal> results in an
insufficiently configured blueman.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-19.09-incompatibilities">
<title>Backward Incompatibilities</title>
<para>
When upgrading from a previous release, please be aware of the
following incompatible changes:
</para>
<itemizedlist>
<listitem>
<para>
Buildbot no longer supports Python 2, as support was dropped
upstream in version 2.0.0. Configurations may need to be
modified to make them compatible with Python 3.
</para>
</listitem>
<listitem>
<para>
PostgreSQL now uses <literal>/run/postgresql</literal> as its
socket directory instead of <literal>/tmp</literal>. So if you
run an application such as Nextcloud, where you need to use
the Unix socket path as the database host name, you need to
change it accordingly.
</para>
</listitem>
<listitem>
<para>
PostgreSQL 9.4 is scheduled EOL during the 19.09 life cycle
and has been removed.
</para>
</listitem>
<listitem>
<para>
The options
<literal>services.prometheus.alertmanager.user</literal> and
<literal>services.prometheus.alertmanager.group</literal> have
been removed because the alertmanager service is now using
systemd’s
<link xlink:href="http://0pointer.net/blog/dynamic-users-with-systemd.html">
DynamicUser mechanism</link> which obviates these options.
</para>
</listitem>
<listitem>
<para>
The NetworkManager systemd unit was renamed back from
network-manager.service to NetworkManager.service for better
compatibility with other applications expecting this name. The
same applies to ModemManager where modem-manager.service is
now called ModemManager.service again.
</para>
</listitem>
<listitem>
<para>
The <literal>services.nzbget.configFile</literal> and
<literal>services.nzbget.openFirewall</literal> options were
removed as they are managed internally by nzbget. The
<literal>services.nzbget.dataDir</literal> option hadn’t
actually been used by the module for some time and so was
removed as cleanup.
</para>
</listitem>
<listitem>
<para>
The <literal>services.mysql.pidDir</literal> option was
removed, as it was only used by the wordpress apache-httpd
service to wait for mysql to have started up. This can be
accomplished by either describing a dependency on
mysql.service (preferred) or waiting for the (hardcoded)
<literal>/run/mysqld/mysql.sock</literal> file to appear.
</para>
</listitem>
<listitem>
<para>
The <literal>services.emby.enable</literal> module has been
removed; see <literal>services.jellyfin.enable</literal>
instead for a free software fork of Emby. See the Jellyfin
documentation:
<link xlink:href="https://jellyfin.readthedocs.io/en/latest/administrator-docs/migrate-from-emby/">
Migrating from Emby to Jellyfin</link>.
</para>
</listitem>
<listitem>
<para>
IPv6 Privacy Extensions are now enabled by default for
undeclared interfaces. The previous behaviour was quite
misleading — even though the default value for
<literal>networking.interfaces.*.preferTempAddress</literal>
was <literal>true</literal>, undeclared interfaces would not
prefer temporary addresses. Now, interfaces not mentioned in
the config will prefer temporary addresses. EUI64 addresses
can still be set as preferred by explicitly setting the option
to <literal>false</literal> for the interface in question.
</para>
</listitem>
<listitem>
<para>
Since Bittorrent Sync was superseded by Resilio Sync in 2016,
the <literal>bittorrentSync</literal>,
<literal>bittorrentSync14</literal>, and
<literal>bittorrentSync16</literal> packages have been removed
in favor of <literal>resilio-sync</literal>.
</para>
<para>
The corresponding module, <literal>services.btsync</literal>,
has been replaced by the <literal>services.resilio</literal>
module.
</para>
</listitem>
<listitem>
<para>
The httpd service no longer attempts to start the postgresql
service. If you have come to depend on this behaviour then you
can preserve the behavior with the following configuration:
<literal>systemd.services.httpd.after = [ "postgresql.service" ];</literal>
</para>
<para>
The option <literal>services.httpd.extraSubservices</literal>
has been marked as deprecated. You may still use this feature,
but it will be removed in a future release of NixOS. You are
encouraged to convert any httpd subservices you may have
written to a full NixOS module.
</para>
<para>
Most of the httpd subservices packaged with NixOS have been
replaced with full NixOS modules including LimeSurvey,
WordPress, and Zabbix. These modules can be enabled using the
<literal>services.limesurvey.enable</literal>,
<literal>services.mediawiki.enable</literal>,
<literal>services.wordpress.enable</literal>, and
<literal>services.zabbixWeb.enable</literal> options.
</para>
</listitem>
<listitem>
<para>
The option
<literal>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnlink</literal>
was renamed to
<literal>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnLink</literal>
(capital <literal>L</literal>). This follows
<link xlink:href="https://github.com/systemd/systemd/commit/9cb8c5593443d24c19e40bfd4fc06d672f8c554c">
upstream’s renaming</link> of the setting.
</para>
</listitem>
<listitem>
<para>
As of this release the NixOps feature
<literal>autoLuks</literal> is deprecated. It no longer works
with our systemd version without manual intervention.
</para>
<para>
Whenever the usage of the module is detected the evaluation
will fail with a message explaining why and how to deal with
the situation.
</para>
<para>
A new knob named
<literal>nixops.enableDeprecatedAutoLuks</literal> has been
introduced to disable the eval failure and to acknowledge the
notice was received and read. If you plan on using the feature
please note that it might break with subsequent updates.
</para>
<para>
Make sure you set the <literal>_netdev</literal> option for
each of the file systems referring to block devices provided
by the autoLuks module. Not doing this might render the system
in a state where it doesn’t boot anymore.
</para>
<para>
If you are actively using the <literal>autoLuks</literal>
module please let us know in
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/62211">issue
#62211</link>.
</para>
</listitem>
<listitem>
<para>
The setopt declarations will be evaluated at the end of
<literal>/etc/zshrc</literal>, so any code in
<link xlink:href="options.html#opt-programs.zsh.interactiveShellInit">programs.zsh.interactiveShellInit</link>,
<link xlink:href="options.html#opt-programs.zsh.loginShellInit">programs.zsh.loginShellInit</link>
and
<link xlink:href="options.html#opt-programs.zsh.promptInit">programs.zsh.promptInit</link>
may break if it relies on those options being set.
</para>
</listitem>
<listitem>
<para>
The <literal>prometheus-nginx-exporter</literal> package now
uses the official exporter provided by NGINX Inc. Its metrics
are structured differently and are incompatible with the old
ones. For information about the metrics, have a look at the
<link xlink:href="https://github.com/nginxinc/nginx-prometheus-exporter">official
repo</link>.
</para>
</listitem>
<listitem>
<para>
The <literal>shibboleth-sp</literal> package has been updated
to version 3. It is largely backward compatible; for further
information refer to the
<link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes">release
notes</link> and
<link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2">upgrade
guide</link>.
</para>
<para>
Nodejs 8 is scheduled to reach EOL during the lifetime of 19.09
and has been dropped.
</para>
</listitem>
<listitem>
<para>
By default, prometheus exporters are now run with
<literal>DynamicUser</literal> enabled. Exporters that need a
real user now run under a separate user and group which
follow the pattern
<literal>&lt;exporter-name&gt;-exporter</literal>, instead of
the previous default <literal>nobody</literal> and
<literal>nogroup</literal>. Only some exporters are affected
by the latter, namely the exporters
<literal>dovecot</literal>, <literal>node</literal>,
<literal>postfix</literal> and <literal>varnish</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>ibus-qt</literal> package is not installed by
default anymore when
<link xlink:href="options.html#opt-i18n.inputMethod.enabled">i18n.inputMethod.enabled</link>
is set to <literal>ibus</literal>. If IBus support in Qt 4.x
applications is required, add the <literal>ibus-qt</literal>
package to your
<link xlink:href="options.html#opt-environment.systemPackages">environment.systemPackages</link>
manually.
</para>
</listitem>
<listitem>
<para>
The CUPS Printing service now uses socket-based activation by
default, only starting when needed. The previous behavior can
be restored by setting
<literal>services.cups.startWhenNeeded</literal> to
<literal>false</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>services.systemhealth</literal> module has been
removed from nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <literal>services.mantisbt</literal> module has been
removed from nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
Squid 3 has been removed and the <literal>squid</literal>
derivation now refers to Squid 4.
</para>
</listitem>
<listitem>
<para>
The <literal>services.pdns-recursor.extraConfig</literal>
option has been replaced by
<literal>services.pdns-recursor.settings</literal>. The new
option allows setting extra configuration while being better
type-checked and mergeable.
</para>
</listitem>
<listitem>
<para>
No service depends on <literal>keys.target</literal> anymore.
This systemd target indicates whether all
<link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps
keys</link> were successfully uploaded. Instead,
<literal>&lt;key-name&gt;-key.service</literal> should be used
to define a service’s dependency on a key. The full issue
behind the <literal>keys.target</literal> dependency is
described at
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>.
</para>
<para>
The following services are affected by this:
</para>
<itemizedlist>
<listitem>
<para>
<link xlink:href="options.html#opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.nsd.enable"><literal>services.nsd</literal></link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.softether.enable"><literal>services.softether</literal></link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.strongswan.enable"><literal>services.strongswan</literal></link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="options.html#opt-services.httpd.enable"><literal>services.httpd</literal></link>
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>security.acme.directory</literal> option has been
replaced by a read-only
<literal>security.acme.certs.&lt;cert&gt;.directory</literal>
option for each certificate you define. This will be a
subdirectory of <literal>/var/lib/acme</literal>. You can use
this read-only option to figure out where the certificates are
stored for a specific certificate. For example, the
<literal>services.nginx.virtualhosts.&lt;name&gt;.enableACME</literal>
option will use this directory option to find the certs for
the virtual host.
</para>
<para>
The <literal>security.acme.preDelay</literal> and
<literal>security.acme.activationDelay</literal> options have
been removed. To execute a service before certificates are
provisioned or renewed, add a
<literal>RequiredBy=acme-${cert}.service</literal> to any
service.
</para>
<para>
Furthermore, the acme module will not automatically add a
dependency on <literal>lighttpd.service</literal> anymore. If
you are using certificates provided by letsencrypt for
lighttpd, then you should depend on the certificate service
<literal>acme-${cert}.service</literal> manually.
</para>
<para>
For nginx, the dependencies are still automatically managed
when
<literal>services.nginx.virtualhosts.&lt;name&gt;.enableACME</literal>
is enabled, just like before. What changed is that nginx now
directly depends on the specific certificates that it needs,
instead of depending on the catch-all
<literal>acme-certificates.target</literal>. This target unit
was also removed from the codebase. This means nginx will
no longer depend on certificates it isn’t explicitly managing,
and it fixes a bug where certificate renewal ordering raced with
nginx restarting, which could lead to nginx getting into a broken
state as described at
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/60180">NixOS/nixpkgs#60180</link>.
</para>
</listitem>
<listitem>
<para>
The old deprecated <literal>emacs</literal> package sets have
been dropped. What used to be called
<literal>emacsPackagesNg</literal> is now simply called
<literal>emacsPackages</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>services.xserver.desktopManager.xterm</literal> is
now disabled by default if <literal>stateVersion</literal> is
19.09 or higher. Previously the xterm desktopManager was
enabled when xserver was enabled, but it isn’t useful for all
people so it didn’t make sense to have any desktopManager
enabled by default.
</para>
</listitem>
<listitem>
<para>
The WeeChat plugin
<literal>pkgs.weechatScripts.weechat-xmpp</literal> has been
removed as it doesn’t receive any updates from upstream and
depends on outdated Python2-based modules.
</para>
</listitem>
<listitem>
<para>
Old unsupported versions (<literal>logstash5</literal>,
<literal>kibana5</literal>, <literal>filebeat5</literal>,
<literal>heartbeat5</literal>, <literal>metricbeat5</literal>,
<literal>packetbeat5</literal>) of the ELK-stack and Elastic
beats have been removed.
</para>
</listitem>
<listitem>
<para>
For NixOS 19.03, both Prometheus 1 and 2 were available to
allow for a seamless transition from version 1 to 2 with
existing setups. Because Prometheus 1 is no longer developed,
it was removed. Prometheus 2 is now configured with
<literal>services.prometheus</literal>.
</para>
</listitem>
<listitem>
<para>
Citrix Receiver (<literal>citrix_receiver</literal>) has been
dropped in favor of Citrix Workspace
(<literal>citrix_workspace</literal>).
</para>
</listitem>
<listitem>
<para>
The <literal>services.gitlab</literal> module has had its
literal secret options
(<literal>services.gitlab.smtp.password</literal>,
<literal>services.gitlab.databasePassword</literal>,
<literal>services.gitlab.initialRootPassword</literal>,
<literal>services.gitlab.secrets.secret</literal>,
<literal>services.gitlab.secrets.db</literal>,
<literal>services.gitlab.secrets.otp</literal> and
<literal>services.gitlab.secrets.jws</literal>) replaced by
file-based versions
(<literal>services.gitlab.smtp.passwordFile</literal>,
<literal>services.gitlab.databasePasswordFile</literal>,
<literal>services.gitlab.initialRootPasswordFile</literal>,
<literal>services.gitlab.secrets.secretFile</literal>,
<literal>services.gitlab.secrets.dbFile</literal>,
<literal>services.gitlab.secrets.otpFile</literal> and
<literal>services.gitlab.secrets.jwsFile</literal>). This was
done so that secrets aren’t stored in the world-readable nix
store, but means that for each option you’ll have to create a
file with the same exact string, add <quote>File</quote> to
the end of the option name, and change the definition to a
string pointing to the corresponding file; e.g.
<literal>services.gitlab.databasePassword = "supersecurepassword"</literal>
becomes
<literal>services.gitlab.databasePasswordFile = "/path/to/secret_file"</literal>
where the file <literal>secret_file</literal> contains the
string <literal>supersecurepassword</literal>.
</para>
<para>
The state path (<literal>services.gitlab.statePath</literal>)
now has the following restriction: no parent directory can be
owned by any other user than <literal>root</literal> or the
user specified in <literal>services.gitlab.user</literal>;
i.e. if <literal>services.gitlab.statePath</literal> is set to
<literal>/var/lib/gitlab/state</literal>,
<literal>gitlab</literal> and all parent directories must be
owned by either <literal>root</literal> or the user specified
in <literal>services.gitlab.user</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>networking.useDHCP</literal> option is
unsupported in combination with
<literal>networking.useNetworkd</literal> in anticipation of
defaulting to it. It has to be set to <literal>false</literal>
and enabled per interface with
<literal>networking.interfaces.&lt;name&gt;.useDHCP = true;</literal>
</para>
</listitem>
<listitem>
<para>
The Twitter client <literal>corebird</literal> has been
dropped as
<link xlink:href="https://www.patreon.com/posts/corebirds-future-18921328">it
is discontinued and does not work against the new Twitter
API</link>. Please use the fork <literal>cawbird</literal>
instead which has been adapted to the API changes and is still
maintained.
</para>
</listitem>
<listitem>
<para>
The <literal>nodejs-11_x</literal> package has been removed as
it’s EOLed by upstream.
</para>
</listitem>
<listitem>
<para>
Because of the systemd upgrade, systemd-timesyncd will no
longer work if <literal>system.stateVersion</literal> is not
set correctly. When upgrading from NixOS 19.03, please make
sure that <literal>system.stateVersion</literal> is set to
<literal>"19.03"</literal>, or lower if the
installation dates back to an earlier version of NixOS.
</para>
</listitem>
<listitem>
<para>
Due to the short lifetime of non-LTS kernel releases, package
attributes like <literal>linux_5_1</literal>,
<literal>linux_5_2</literal> and <literal>linux_5_3</literal>
have been removed to discourage dependence on specific non-LTS
kernel versions in stable NixOS releases. Going forward,
versioned attributes like <literal>linux_4_9</literal> will
exist for LTS versions only. Please use
<literal>linux_latest</literal> or
<literal>linux_testing</literal> if you depend on non-LTS
releases. Keep in mind that <literal>linux_latest</literal>
and <literal>linux_testing</literal> will change versions
under the hood during the lifetime of a stable release and
might include breaking changes.
</para>
</listitem>
<listitem>
<para>
Because of the systemd upgrade, some network interfaces might
change their name. For details see
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html#History">
upstream docs</link> or
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/71086">
our ticket</link>.
</para>
</listitem>
</itemizedlist>
</section>
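The GitLab item in the list above imposes two constraints that can be checked on a host before deploying: secret files must stay out of the world-readable Nix store, and every parent directory of `services.gitlab.statePath` must be owned by root or the GitLab user. The script below is an added example, not part of nixpkgs or of these release notes. Its function names, the optional stop directory, the rejection of permission bits for "other", and the use of GNU `stat` and `readlink` are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not nixpkgs code. Requires GNU coreutils (stat -c, readlink -f).

# check_secret_file PATH
# Returns 0 if PATH is suitable as the target of a services.gitlab.*File
# option: it must not live in (or resolve into) the world-readable Nix store,
# must be a regular file, and must grant no permission bits to "other"
# (the last check is an assumption of this example, not a NixOS rule).
check_secret_file() {
    local path=$1 real mode p
    # Resolve symlinks so a link pointing into the store is caught as well.
    real=$(readlink -f -- "$path") || real=$path
    for p in "$path" "$real"; do
        case $p in
            /nix/store/*) echo "FAIL in Nix store: $p"; return 1 ;;
        esac
    done
    if [ ! -f "$real" ]; then
        echo "FAIL not a regular file: $path"
        return 1
    fi
    mode=$(stat -c %a -- "$real") || return 2
    case $mode in
        # Octal mode whose last digit is non-zero: readable, writable or
        # executable by every local user.
        *[1-7]) echo "FAIL mode $mode allows access by other: $path"; return 1 ;;
    esac
    echo "ok $path"
}

# check_state_path_parents STATE_PATH SERVICE_UID [TOP]
# Returns 0 if every parent directory of STATE_PATH, up to and including TOP
# (default /), is owned by uid 0 or by SERVICE_UID. STATE_PATH itself is not
# checked, matching the wording of the release note. TOP is a hypothetical
# convenience for checking a tree that is mounted somewhere other than /.
check_state_path_parents() {
    local dir top owner service_uid=$2
    dir=$(readlink -f -- "$(dirname -- "$1")") || return 2
    top=$(readlink -f -- "${3:-/}") || return 2
    while :; do
        owner=$(stat -c %u -- "$dir") || return 2
        case $owner in
            0|"$service_uid") ;;
            *) echo "FAIL $dir is owned by uid $owner"; return 1 ;;
        esac
        case $dir in
            "$top"|/) echo "ok parents of $1"; return 0 ;;
        esac
        dir=$(dirname -- "$dir")
    done
}

# Usage (SERVICE_USER stands for the value of services.gitlab.user):
#   check_secret_file /path/to/secret_file
#   check_state_path_parents /var/lib/gitlab/state "$(id -u SERVICE_USER)"
```

Both functions print one line per finding and signal the result through their exit status, so they can gate a deployment script.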
<section xml:id="sec-release-19.09-notable-changes">
<title>Other Notable Changes</title>
<itemizedlist>
<listitem>
<para>
The <literal>documentation</literal> module gained an option
named <literal>documentation.nixos.includeAllModules</literal>
which makes the generated configuration.nix(5) manual page
include all options from all NixOS modules included in a given
<literal>configuration.nix</literal> configuration file.
Currently, it is set to <literal>false</literal> by default as
enabling it frequently prevents evaluation. But the plan is to
eventually have it set to <literal>true</literal> by default.
Please set it to <literal>true</literal> now in your
<literal>configuration.nix</literal> and fix all the bugs it
uncovers.
</para>
</listitem>
<listitem>
|
||
<para>
|
||
The <literal>vlc</literal> package gained support for
|
||
Chromecast streaming, enabled by default. TCP port 8010 must
|
||
be open for it to work, so something like
|
||
<literal>networking.firewall.allowedTCPPorts = [ 8010 ];</literal>
|
||
may be required in your configuration. Also consider enabling
|
||
<link xlink:href="https://nixos.wiki/wiki/Accelerated_Video_Playback">
|
||
Accelerated Video Playback</link> for better transcoding
|
||
performance.
|
||
</para>
|
||
</listitem>
|
||
<listitem>
<para>
The following changes apply if the
<literal>stateVersion</literal> is changed to 19.09 or higher.
For <literal>stateVersion = "19.03"</literal> or
lower the old behavior is preserved.
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
<literal>solr.package</literal> defaults to
<literal>pkgs.solr_8</literal>.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>hunspellDicts.fr-any</literal> dictionary now
ships with <literal>fr_FR.{aff,dic}</literal> which is linked
to <literal>fr-toutesvariantes.{aff,dic}</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>mysql</literal> service now runs as the
<literal>mysql</literal> user. Previously, systemd executed
it as root, and mysql dropped privileges itself. This includes
the <literal>ExecStartPre=</literal> and
<literal>ExecStartPost=</literal> phases. To accomplish that,
runtime and data directory setup was delegated to
RuntimeDirectory and tmpfiles.
</para>
</listitem>
<listitem>
<para>
With the upgrade to systemd version 242 the
<literal>systemd-timesyncd</literal> service is no longer
using <literal>DynamicUser=yes</literal>. In order for the
upgrade to work we rely on an activation script to move the
state from the old to the new directory. The older directory
(prior to <literal>19.09</literal>) was
<literal>/var/lib/private/systemd/timesync</literal>.
</para>
<para>
As long as the <literal>system.config.stateVersion</literal>
is below <literal>19.09</literal> the state folder will be
migrated to its proper location
(<literal>/var/lib/systemd/timesync</literal>), if required.
</para>
</listitem>
<listitem>
<para>
The package <literal>avahi</literal> is now built to look up
service definitions from
<literal>/etc/avahi/services</literal> instead of its output
directory in the nix store. Accordingly the module
<literal>avahi</literal> now supports custom service
definitions via
<literal>services.avahi.extraServiceFiles</literal>, which are
then placed in the aforementioned directory. See
avahi.service(5) for more information on custom service
definitions.
</para>
</listitem>
<listitem>
<para>
Since version 0.1.19, <literal>cargo-vendor</literal> honors
package includes that are specified in the
<literal>Cargo.toml</literal> file of Rust crates.
<literal>rustPlatform.buildRustPackage</literal> uses
<literal>cargo-vendor</literal> to collect and build dependent
crates. Since this change in <literal>cargo-vendor</literal>
changes the set of vendored files for most Rust packages, the
hash that is used to verify the dependencies,
<literal>cargoSha256</literal>, also changes.
</para>
<para>
The <literal>cargoSha256</literal> hashes of all in-tree
derivations that use <literal>buildRustPackage</literal> have
been updated to reflect this change. However, third-party
derivations that use <literal>buildRustPackage</literal> may
have to be updated as well.
</para>
</listitem>
<listitem>
<para>
The <literal>consul</literal> package was upgraded past
version <literal>1.5</literal>, so its deprecated legacy UI is
no longer available.
</para>
</listitem>
<listitem>
<para>
The default resample-method for PulseAudio has been changed
from the upstream default <literal>speex-float-1</literal> to
<literal>speex-float-5</literal>. Be aware that low-powered
ARM-based and MIPS-based boards will struggle with this so
you’ll need to set
<literal>hardware.pulseaudio.daemon.config.resample-method</literal>
back to <literal>speex-float-1</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>phabricator</literal> package and associated
<literal>httpd.extraSubservice</literal>, as well as the
<literal>phd</literal> service have been removed from nixpkgs
due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <literal>mercurial</literal>
<literal>httpd.extraSubservice</literal> has been removed from
nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <literal>trac</literal>
<literal>httpd.extraSubservice</literal> has been removed from
nixpkgs because it was unmaintained.
</para>
</listitem>
<listitem>
<para>
The <literal>foswiki</literal> package and associated
<literal>httpd.extraSubservice</literal> have been removed
from nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <literal>tomcat-connector</literal>
<literal>httpd.extraSubservice</literal> has been removed from
nixpkgs.
</para>
</listitem>
<listitem>
<para>
It’s now possible to change configuration in
<link xlink:href="options.html#opt-services.nextcloud.enable">services.nextcloud</link>
after the initial deploy since all config parameters are
persisted in an additional config file generated by the
module. Previously core configuration like database parameters
were set using their imperative installer after creating
<literal>/var/lib/nextcloud</literal>.
</para>
</listitem>
<listitem>
<para>
There is now <literal>lib.forEach</literal>, which is like
<literal>map</literal>, but with arguments flipped. When the
mapping function body spans many lines (or has nested
<literal>map</literal>s), it is often hard to follow which
list is modified.
</para>
<para>
The previous solution to this problem was either to use the
<literal>lib.flip map</literal> idiom or to extract that
anonymous mapping function to a named one. Both can still be
used but <literal>lib.forEach</literal> is preferred over
<literal>lib.flip map</literal>.
</para>
<para>
The <literal>/etc/sysctl.d/nixos.conf</literal> file
containing all the options set via
<link xlink:href="options.html#opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
was moved to <literal>/etc/sysctl.d/60-nixos.conf</literal>,
as sysctl.d(5) recommends prefixing all filenames in
<literal>/etc/sysctl.d</literal> with a two-digit number and a
dash to simplify the ordering of the files.
</para>
</listitem>
<listitem>
<para>
We now install the sysctl snippets shipped with systemd.
</para>
<itemizedlist>
<listitem>
<para>
Loose reverse path filtering
</para>
</listitem>
<listitem>
<para>
Source route filtering
</para>
</listitem>
<listitem>
<para>
<literal>fq_codel</literal> as a packet scheduler (this
helps to fight bufferbloat)
</para>
</listitem>
</itemizedlist>
<para>
This also configures the kernel to pass core dumps to
<literal>systemd-coredump</literal>, and restricts the SysRq
key combinations to the sync command only. These sysctl
snippets can be found in
<literal>/etc/sysctl.d/50-*.conf</literal>, and overridden via
<link xlink:href="options.html#opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
(which will place the parameters in
<literal>/etc/sysctl.d/60-nixos.conf</literal>).
</para>
</listitem>
<listitem>
<para>
Core dumps are now processed by
<literal>systemd-coredump</literal> by default.
<literal>systemd-coredump</literal> behaviour can still be
modified via <literal>systemd.coredump.extraConfig</literal>.
To stick to the old behaviour (having the kernel dump to a
file called <literal>core</literal> in the working directory),
without piping it through <literal>systemd-coredump</literal>,
set <literal>systemd.coredump.enable</literal> to
<literal>false</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>systemd.packages</literal> option now also supports
generators and shutdown scripts. The old
<literal>systemd.generator-packages</literal> option has been
removed.
</para>
</listitem>
<listitem>
<para>
The <literal>rmilter</literal> package was removed with
associated module and options due to deprecation by the upstream
developer. Use <literal>rspamd</literal> in proxy mode
instead.
</para>
</listitem>
<listitem>
<para>
systemd cgroup accounting via the
<link xlink:href="options.html#opt-systemd.enableCgroupAccounting">systemd.enableCgroupAccounting</link>
option is now enabled by default. It now also enables the more
recent Block IO and IP accounting features.
</para>
</listitem>
<listitem>
<para>
We no longer enable custom font rendering settings with
<literal>fonts.fontconfig.penultimate.enable</literal> by
default. The defaults from fontconfig are sufficient.
</para>
</listitem>
<listitem>
<para>
The <literal>crashplan</literal> package and the
<literal>crashplan</literal> service have been removed from
nixpkgs due to crashplan shutting down the service, while the
<literal>crashplansb</literal> package and
<literal>crashplan-small-business</literal> service have been
removed from nixpkgs due to lack of maintainer.
</para>
<para>
The
<link xlink:href="options.html#opt-services.redis.enable">redis
module</link> was hardcoded to use the
<literal>redis</literal> user, <literal>/run/redis</literal>
as runtime directory and <literal>/var/lib/redis</literal> as
state directory. Note that the NixOS module for Redis now
disables kernel support for Transparent Huge Pages (THP),
because this feature causes major performance problems for
Redis (see e.g. https://redis.io/topics/latency).
</para>
</listitem>
<listitem>
<para>
Using <literal>fonts.enableDefaultFonts</literal> adds a
default emoji font <literal>noto-fonts-emoji</literal>.
</para>
<itemizedlist>
<listitem>
<para>
<literal>services.xserver.enable</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs.sway.enable</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs.way-cooler.enable</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.xrdp.enable</literal>
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>altcoins</literal> categorization of packages has
been removed. You now access these packages at the top level,
i.e. <literal>nix-shell -p dogecoin</literal> instead of
<literal>nix-shell -p altcoins.dogecoin</literal>, etc.
</para>
</listitem>
<listitem>
<para>
Ceph has been upgraded to v14.2.1. See the
<link xlink:href="https://ceph.com/releases/v14-2-0-nautilus-released/">release
notes</link> for details. The mgr dashboard as well as osds
backed by loop-devices are no longer explicitly supported by
the package and module. Note: There have been some issues with
python-cherrypy, which is used by the dashboard and prometheus
mgr modules (and possibly others), hence
0000-dont-check-cherrypy-version.patch.
</para>
</listitem>
<listitem>
<para>
<literal>pkgs.weechat</literal> is now compiled against
<literal>pkgs.python3</literal>. Weechat also
<link xlink:href="https://weechat.org/scripts/python3/">recommends
using Python3 in their docs</link>.
</para>
</listitem>
</itemizedlist>
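<para>
Added example (not part of the NixOS release notes or of nixpkgs): the
override of <literal>/etc/sysctl.d/50-*.conf</literal> by
<literal>/etc/sysctl.d/60-nixos.conf</literal> described above works
because sysctl.d(5) snippets are applied in lexicographic file name order
and the latest file setting a key wins. The Python code below resolves
that order; the snippet contents, the <literal>core_pattern</literal>
path and all function names are constructed assumptions, and only a
single directory is modelled.
</para>

```python
# Added example: resolve effective sysctl values the way sysctl.d(5) orders files.
# All snippet contents below are constructed samples, not copied from a real system.
SAMPLE_SNIPPETS = {
    "50-default.conf": """
# constructed stand-in for a snippet shipped with systemd
kernel.sysrq = 16
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.all.accept_source_route = 0
net.core.default_qdisc = fq_codel
""",
    "50-coredump.conf": """
kernel.core_pattern = |/constructed/path/systemd-coredump %P
""",
    "60-nixos.conf": """
; constructed stand-in for what boot.kernel.sysctl would generate
kernel.sysrq = 0
net.ipv4.conf.all.rp_filter = 1
""",
}


def parse_snippet(text):
    """Yield (key, value) pairs; blank lines and '#' or ';' comments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            yield key.strip(), value.strip()


def effective_settings(snippets):
    """Apply snippets in lexicographic file name order; the latest name wins."""
    result = {}
    for name in sorted(snippets):
        for key, value in parse_snippet(snippets[name]):
            old = result.get(key)
            shadowed = (old["source"], old["value"]) if old else None
            result[key] = {"value": value, "source": name, "shadowed": shadowed}
    return result


def overridden_defaults(snippets, admin_file="60-nixos.conf"):
    """Keys whose earlier value was replaced by admin_file."""
    settings = effective_settings(snippets)
    return sorted(k for k, v in settings.items()
                  if v["source"] == admin_file and v["shadowed"])


if __name__ == "__main__":
    for key, info in sorted(effective_settings(SAMPLE_SNIPPETS).items()):
        print(key, "=", info["value"], "from", info["source"], "shadowed:", info["shadowed"])
```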
</section>
</section>