Merge commit '8d1510abfb592339e13ce8f6db6f29c1f8b72924'

1 files changed, 113 insertions, 0 deletions

diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml
index b780cba357e8..36bea28530be 100644
--- a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml
@@ -48,6 +48,15 @@
      To gain root privileges use <literal>sudo -i</literal> without a password.
     </para>
    </listitem>
+   <listitem>
+    <para>
+      We've updated to Xfce 4.14, which brings a new module <option>services.xserver.desktopManager.xfce4-14</option>.
+      If you'd like to upgrade, please switch from the <option>services.xserver.desktopManager.xfce</option> module as it
+      will be deprecated in a future release. They're incompatibilities with the current Xfce module; it doesn't support
+      <option>thunarPlugins</option> and it isn't recommended to use <option>services.xserver.desktopManager.xfce</option>
+      and <option>services.xserver.desktopManager.xfce4-14</option> simultaneously or to downgrade from Xfce 4.14 after upgrading.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
@@ -237,6 +246,12 @@
     </para>
    </listitem>
    <listitem>
+    <para>
+     The <literal>shibboleth-sp</literal> package has been updated to version 3.
+     It is largely backward compatible, for further information refer to the
+     <link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes">release notes</link>
+     and <link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2">upgrade guide</link>.
+    </para>
      <para>
        Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.
      </para>
@@ -263,6 +278,48 @@
        <literal>false</literal>.
      </para>
    </listitem>
+   <listitem>
+     <para>
+       The <option>services.systemhealth</option> module has been removed from nixpkgs due to lack of maintainer.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       The <option>services.mantisbt</option> module has been removed from nixpkgs due to lack of maintainer.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       Squid 3 has been removed and the <option>squid</option> derivation now refers to Squid 4.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       The <option>services.pdns-recursor.extraConfig</option> option has been replaced by
+       <option>services.pdns-recursor.settings</option>. The new option allows setting extra
+       configuration while being better type-checked and mergeable.
+     </para>
+   </listitem>
+   <listitem>
+    <para>
+     No service depends on <literal>keys.target</literal> anymore which is a systemd
+     target that indicates if all <link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps keys</link> were successfully uploaded.
+     Instead, <literal>&lt;key-name&gt;-key.service</literal> should be used to define
+     a dependency of a key in a service. The full issue behind the <literal>keys.target</literal>
+     dependency is described at <link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>.
+    </para>
+    <para>
+     The following services are affected by this:
+     <itemizedlist>
+      <listitem><para><link linkend="opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.nsd.enable"><literal>services.nsd</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.softether.enable"><literal>services.softether</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.strongswan.enable"><literal>services.strongswan</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.httpd.enable"><literal>services.httpd</literal></link></para></listitem>
+     </itemizedlist>
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
@@ -435,6 +492,48 @@
      idiom or extract that anonymous mapping function to a named one. Both can still be used
      but <literal>lib.forEach</literal> is preferred over <literal>lib.flip map</literal>.
     </para>
+    <para>
+      The <literal>/etc/sysctl.d/nixos.conf</literal> file containing all the options set via
+      <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link> was moved to
+      <literal>/etc/sysctl.d/60-nixos.conf</literal>, as
+      <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+      recommends prefixing all filenames in <literal>/etc/sysctl.d</literal> with a
+      two-digit number and a dash to simplify the ordering of the files.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      We now install the sysctl snippets shipped with systemd.
+    <itemizedlist>
+     <para>This enables:</para>
+     <listitem>
+      <para>Loose reverse path filtering</para>
+     </listitem>
+     <listitem>
+      <para>Source route filtering</para>
+     </listitem>
+     <listitem>
+      <para>
+       <literal>fq_codel</literal> as a packet scheduler (this helps to fight bufferbloat)
+      </para>
+     </listitem>
+    </itemizedlist>
+
+     This also configures the kernel to pass coredumps to <literal>systemd-coredump</literal>.
+     These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>,
+     and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
+     (which will place the parameters in <literal>/etc/sysctl.d/60-nixos.conf</literal>).
+     </para>
+   </listitem>
+   <listitem>
+    <para>
+      Coredumps are now acquired by <literal>systemd-coredump</literal> by default.
+      <literal>systemd-coredump</literal> behaviour can still be modified via
+      <option>systemd.coredump.extraConfig</option>.
+      To stick to the old behaviour (having the kernel dump to a file called <literal>core</literal>
+      in the working directory), without piping it through <literal>systemd-coredump</literal>, set
+      <option>boot.kernel.sysctl."kernel.core_pattern"</option> to <literal>"core"</literal>.
+    </para>
    </listitem>
   <listitem>
    <para>
@@ -443,6 +542,20 @@
     been removed.
    </para>
   </listitem>
+  <listitem>
+   <para>
+    The <literal>rmilter</literal> package was removed with associated module and options due deprecation by upstream developer.
+    Use <literal>rspamd</literal> in proxy mode instead.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+     systemd cgroup accounting via the
+     <link linkend="opt-systemd.enableCgroupAccounting">systemd.enableCgroupAccounting</link>
+     option is now enabled by default. It now also enables the more recent Block IO and IP accounting
+     features.
+   </para>
+  </listitem>
   </itemizedlist>
  </section>
 </section>