path: root/nixos/doc/manual/release-notes/rl-1809.xml
Diffstat (limited to 'nixos/doc/manual/release-notes/rl-1809.xml')
-rw-r--r--nixos/doc/manual/release-notes/rl-1809.xml205
1 files changed, 163 insertions, 42 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml
index 0ae630945db2..7fd6483bca1a 100644
--- a/nixos/doc/manual/release-notes/rl-1809.xml
+++ b/nixos/doc/manual/release-notes/rl-1809.xml
@@ -19,6 +19,27 @@
 
   <itemizedlist>
    <listitem>
+     <para>
+       Support for wrapping binaries using <literal>firejail</literal> has been
+       added through <varname>programs.firejail.wrappedBinaries</varname>.
+     </para>
+     <para>
+       For example
+     </para>
+<programlisting>
+programs.firejail = {
+  enable = true;
+  wrappedBinaries = {
+    firefox = "${lib.getBin pkgs.firefox}/bin/firefox";
+    mpv = "${lib.getBin pkgs.mpv}/bin/mpv";
+  };
+};
+</programlisting>
+      <para>
+        This will place <literal>firefox</literal> and <literal>mpv</literal> binaries in the global path wrapped by firejail.
+      </para>
+   </listitem>
+   <listitem>
     <para>
      User channels are now in the default <literal>NIX_PATH</literal>, allowing
      users to use their personal <command>nix-channel</command> defined
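Review bot: the "For example" paragraph introducing the listing should end with a colon, and the closing paragraph ("This will place ... wrapped by firejail") should say that the wrapper only takes effect for invocations that resolve through `PATH`; a direct call to the store path of `pkgs.firefox` still runs unsandboxed, which matters when a user is relying on this option as a confinement boundary. Minor: the `<para>` opening at six-space indent after the listing does not match the five-space indent used for the preceding paragraphs in the same `<listitem>`.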
@@ -53,10 +74,12 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
 
   <itemizedlist>
    <listitem>
-     <para>When enabled the <literal>iproute2</literal> will copy the files
-       expected by ip route (e.g., <filename>rt_tables</filename>) in
-       <filename>/run/iproute2</filename>. This allows to write aliases for
-       routing tables for instance.</para>
+    <para>
+     When enabled the <literal>iproute2</literal> will copy the files expected
+     by ip route (e.g., <filename>rt_tables</filename>) in
+     <filename>/run/iproute2</filename>. This allows to write aliases for
+     routing tables for instance.
+    </para>
    </listitem>
   </itemizedlist>
  </section>
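Review bot: since this paragraph is being reflowed anyway, fix the grammar while touching it: "This allows to write aliases for routing tables for instance." reads better as "This allows, for instance, writing aliases for routing tables." Also "When enabled the `iproute2` will copy" is missing the noun; suggest "When enabled, the `iproute2` module will copy".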
@@ -99,20 +122,36 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
    </listitem>
    <listitem>
     <para>
-     The <varname>services.docker-registry.extraConfig</varname> object doesn't contain
-     environment variables anymore. Instead it needs to provide an object structure
-     that can be mapped onto the YAML configuration defined in <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the <varname>docker/distribution</varname> docs</link>.
+     The <varname>services.docker-registry.extraConfig</varname> object doesn't
+     contain environment variables anymore. Instead it needs to provide an
+     object structure that can be mapped onto the YAML configuration defined in
+     <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the
+     <varname>docker/distribution</varname> docs</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>gnucash</literal> has changed from version 2.4 to 3.x. If you've
+     been using <literal>gnucash</literal> (version 2.4) instead of
+     <literal>gnucash26</literal> (version 2.6) you must open your Gnucash data
+     file(s) with <literal>gnucash26</literal> and then save them to upgrade
+     the file format. Then you may use your data file(s) with Gnucash 3.x. See
+     the upgrade
+     <link xlink:href="https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade">documentation</link>.
+     Gnucash 2.4 is still available under the attribute
+     <literal>gnucash24</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <varname>services.munge</varname> now runs as user (and group) <literal>munge</literal> instead of root.
+     Make sure the key file is accessible to the daemon.
     </para>
    </listitem>
    <listitem>
     <para>
-     <literal>gnucash</literal> has changed from version 2.4 to 3.x.
-     If you've been using <literal>gnucash</literal> (version 2.4) instead of
-     <literal>gnucash26</literal> (version 2.6) you must open your Gnucash 
-     data file(s) with <literal>gnucash26</literal> and then save them to
-     upgrade the file format. Then you may use your data file(s) with
-     Gnucash 3.x. See the upgrade <link xlink:href="https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade">documentation</link>.
-     Gnucash 2.4 is still available under the attribute <literal>gnucash24</literal>.
+      <varname>dockerTools.buildImage</varname> now uses <literal>null</literal> as default value for <varname>tag</varname>,
+      which indicates that the nix output hash will be used as tag.
     </para>
    </listitem>
   </itemizedlist>
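Review bot: the `services.munge` entry's "Make sure the key file is accessible to the daemon" is too open-ended for a privilege drop; a reader may respond by making the key world-readable. Suggest stating the intended fix explicitly, i.e. that the key file should be owned by the `munge` user and group with owner-only permissions, rather than merely "accessible". Separately, the `dockerTools.buildImage` paragraph keeps lines well past 80 columns while the rest of this hunk is being reflowed to 80; wrap it for consistency.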
@@ -128,9 +167,9 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
   <itemizedlist>
    <listitem>
     <para>
-     <literal>dockerTools.pullImage</literal> relies on image digest
-     instead of image tag to download the image. The
-     <literal>sha256</literal> of a pulled image has to be updated.
+     <literal>dockerTools.pullImage</literal> relies on image digest instead of
+     image tag to download the image. The <literal>sha256</literal> of a pulled
+     image has to be updated.
     </para>
    </listitem>
    <listitem>
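Review bot: "The `sha256` of a pulled image has to be updated" does not say why; suggest one clause explaining that because the fetch is now keyed on the image digest instead of a mutable tag, the fixed-output hash in existing `pullImage` calls no longer matches and must be recomputed. It is worth adding that this is a deliberate improvement: a tag can be re-pointed upstream, a digest cannot, so the build now pins exactly the content that was hashed.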
@@ -166,9 +205,26 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
    </listitem>
    <listitem>
     <para>
-     <literal>lib.traceValIfNot</literal> has been deprecated. Use
-     <literal>if/then/else</literal> and <literal>lib.traceValSeq</literal>
-     instead.
+      The <literal>pkgs</literal> argument to NixOS modules can now be set directly using <literal>nixpkgs.pkgs</literal>. Previously, only the <literal>system</literal>, <literal>config</literal> and <literal>overlays</literal> arguments could be used to influence <literal>pkgs</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs. For example:
+      <programlisting>
+inherit (pkgs.nixos {
+  boot.loader.grub.enable = false;
+  fileSystems."/".device = "/dev/xvda1";
+}) toplevel kernel initialRamdisk manual;
+      </programlisting>
+
+      This benefits evaluation performance, lets you write Nixpkgs packages that depend on NixOS images and is consistent with a deployment architecture that would be centered around Nixpkgs overlays.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      <literal>lib.traceValIfNot</literal> has been deprecated. Use
+      <literal>if/then/else</literal> and <literal>lib.traceValSeq</literal> instead.
     </para>
    </listitem>
    <listitem>
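Review bot: the `<programlisting>` for `pkgs.nixos` is indented by six spaces inside the `<para>` and its closing tag sits on its own indented line; `programlisting` preserves whitespace, so the rendered example will carry the leading indentation and a trailing blank line. Match the first hunk of this patch, which places `<programlisting>` and its content at column 0. Also, the `nixpkgs.pkgs` paragraph is a single line of well over 200 characters while neighbouring text in this hunk is wrapped at 80.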
@@ -187,32 +243,40 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
     <para>
      The module for <option>security.dhparams</option> has two new options now:
     </para>
-
     <variablelist>
      <varlistentry>
-      <term><option>security.dhparams.stateless</option></term>
-      <listitem><para>
-       Puts the generated Diffie-Hellman parameters into the Nix store instead
-       of managing them in a stateful manner in
-       <filename class="directory">/var/lib/dhparams</filename>.
-      </para></listitem>
+      <term>
+       <option>security.dhparams.stateless</option>
+      </term>
+      <listitem>
+       <para>
+        Puts the generated Diffie-Hellman parameters into the Nix store instead
+        of managing them in a stateful manner in
+        <filename class="directory">/var/lib/dhparams</filename>.
+       </para>
+      </listitem>
      </varlistentry>
      <varlistentry>
-      <term><option>security.dhparams.defaultBitSize</option></term>
-      <listitem><para>
-       The default bit size to use for the generated Diffie-Hellman parameters.
-      </para></listitem>
+      <term>
+       <option>security.dhparams.defaultBitSize</option>
+      </term>
+      <listitem>
+       <para>
+        The default bit size to use for the generated Diffie-Hellman
+        parameters.
+       </para>
+      </listitem>
      </varlistentry>
     </variablelist>
-
-    <note><para>
-     The path to the actual generated parameter files should now be queried
-     using
-     <literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>
-     because it might be either in the Nix store or in a directory configured
-     by <option>security.dhparams.path</option>.
-    </para></note>
-
+    <note>
+     <para>
+      The path to the actual generated parameter files should now be queried
+      using
+      <literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>
+      because it might be either in the Nix store or in a directory configured
+      by <option>security.dhparams.path</option>.
+     </para>
+    </note>
     <note>
      <title>For developers:</title>
      <para>
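Review bot: formatting-only reflow, nothing to object to in the markup. One documentation point on `security.dhparams.stateless`: it may be worth a sentence that placing the generated parameters in the world-readable Nix store is safe, since Diffie-Hellman group parameters are public by design and only the per-session secrets need protection; readers who treat anything under `/var/lib` as sensitive may otherwise hesitate to enable it.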
@@ -237,8 +301,65 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
    </listitem>
    <listitem>
     <para>
-     <literal>networking.networkmanager.useDnsmasq</literal> has been deprecated. Use
-     <literal>networking.networkmanager.dns</literal> instead.
+     <literal>networking.networkmanager.useDnsmasq</literal> has been
+     deprecated. Use <literal>networking.networkmanager.dns</literal> instead.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option
+     <varname>services.kubernetes.apiserver.admissionControl</varname> was
+     renamed to
+     <varname>services.kubernetes.apiserver.enableAdmissionPlugins</varname>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Recommended way to access the Kubernetes Dashboard is via HTTPS (TLS)
+     Therefore; public service port for the dashboard has changed to 443
+     (container port 8443) and scheme to https.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option <varname>services.kubernetes.apiserver.address</varname>
+     was renamed to <varname>services.kubernetes.apiserver.bindAddress</varname>.
+     Note that the default value has changed from 127.0.0.1 to 0.0.0.0.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option <varname>services.kubernetes.apiserver.publicAddress</varname>
+     was not used and thus has been removed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option <varname>services.kubernetes.addons.dashboard.enableRBAC</varname>
+     was renamed to <varname>services.kubernetes.addons.dashboard.rbac.enable</varname>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Kubernetes Dashboard now has only minimal RBAC permissions by default.
+     If dashboard cluster-admin rights are desired,
+     set <varname>services.kubernetes.addons.dashboard.rbac.clusterAdmin</varname> to true.
+     On existing clusters, in order for the revocation of privileges to take effect,
+     the current ClusterRoleBinding for kubernetes-dashboard must be manually removed:
+     <literal>kubectl delete clusterrolebinding kubernetes-dashboard</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <varname>programs.screen</varname> module provides allows to configure
+     <literal>/etc/screenrc</literal>, however the module behaved fairly counterintuitive as
+     the config exists, but the package wasn't available. Since 18.09 <literal>pkgs.screen</literal>
+     will be added to <literal>environment.systemPackages</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      The module <option>services.networking.hostapd</option> now uses WPA2 by default.
     </para>
    </listitem>
   </itemizedlist>
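Review bot: the `services.kubernetes.apiserver.bindAddress` entry buries a security-relevant change in a trailing "Note that": the default moving from 127.0.0.1 to 0.0.0.0 exposes the API server on every interface after upgrade. Lead the paragraph with that consequence and advise users to set `bindAddress` explicitly or confirm their firewall rules before rebuilding. Smaller fixes in the same hunk: the dashboard paragraph is missing a full stop and has a stray semicolon ("via HTTPS (TLS). Therefore, the public service port ..."); "The `programs.screen` module provides allows to configure" should read "allows configuring"; and "behaved fairly counterintuitive" should be "counterintuitively".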