diff options
Diffstat (limited to 'nixpkgs/nixos/doc/manual/release-notes/rl-2105.xml')
-rw-r--r-- | nixpkgs/nixos/doc/manual/release-notes/rl-2105.xml | 705 |
1 files changed, 705 insertions, 0 deletions
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2105.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-2105.xml new file mode 100644 index 000000000000..6dd14d6051e4 --- /dev/null +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2105.xml @@ -0,0 +1,705 @@ +<section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-21.05"> + <title>Release 21.05 (“Okapi”, 2021.05/??)</title> + + <section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-21.05-highlights"> + <title>Highlights</title> + + <para> + In addition to numerous new and upgraded packages, this release has the + following highlights: + </para> + + <itemizedlist> + <listitem> + <para> + Support is planned until the end of December 2021, handing over to 21.11. + </para> + </listitem> + <listitem> + <para>GNOME desktop environment was upgraded to 3.38, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">release notes</link>.</para> + </listitem> + <listitem> + <para> + <link xlink:href="https://www.gnuradio.org/">GNURadio</link> 3.8 was + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/82263">finnally</link> + packaged, along with a rewrite to the Nix expressions, allowing users to + override the features upstream supports selecting to compile or not to. + Additionally, the attribute <code>gnuradio</code> and <code>gnuradio3_7</code> + now point to an externally wrapped by default derivations, that allow you to + also add `extraPythonPackages` to the Python interpreter used by GNURadio. + Missing environmental variables needed for operational GUI were also added + (<link xlink:href="https://github.com/NixOS/nixpkgs/issues/75478">#7547</link>). + </para> + </listitem> + </itemizedlist> + </section> + + <section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-21.05-new-services"> + <title>New Services</title> + + <para> + The following new services were added since the last release: + </para> + + <itemizedlist> + <listitem> + <para> + <link xlink:href="https://www.keycloak.org/">Keycloak</link>, + an open source identity and access management server with + support for <link + xlink:href="https://openid.net/connect/">OpenID Connect</link>, + <link xlink:href="https://oauth.net/2/">OAUTH 2.0</link> and + <link xlink:href="https://en.wikipedia.org/wiki/SAML_2.0">SAML + 2.0</link>. + </para> + <para> + See the <link linkend="module-services-keycloak">Keycloak + section of the NixOS manual</link> for more information. + </para> + </listitem> + <listitem> + <para> + <xref linkend="opt-services.samba-wsdd.enable" /> Web Services Dynamic Discovery host daemon + </para> + </listitem> + </itemizedlist> + + </section> + + <section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-21.05-incompatibilities"> + <title>Backward Incompatibilities</title> + + <para> + When upgrading from a previous release, please be aware of the following + incompatible changes: + </para> + + <itemizedlist> + <listitem> + <para> + <literal>systemd-journal2gelf</literal> no longer parses json and expects the receiving system to handle it. How to achieve this with Graylog is described in this <link xlink:href="https://github.com/parse-nl/SystemdJournal2Gelf/issues/10">GitHub issue</link>. + </para> + </listitem> + <listitem> + <para> + If the <varname>services.dbus</varname> module is enabled, then + the user D-Bus session is now always socket activated. The + associated options <varname>services.dbus.socketActivated</varname> + and <varname>services.xserver.startDbusSession</varname> have + therefore been removed and you will receive a warning if + they are present in your configuration. This change makes the + user D-Bus session available also for non-graphical logins. + </para> + </listitem> + <listitem> + <para> + The <varname>networking.wireless.iwd</varname> module now installs + the upstream-provided 80-iwd.link file, which sets the NamePolicy= + for all wlan devices to "keep kernel", to avoid race conditions + between iwd and networkd. If you don't want this, you can set + <literal>systemd.network.links."80-iwd" = lib.mkForce {}</literal>. + </para> + </listitem> + <listitem> + <para> + <literal>rubyMinimal</literal> was removed due to being unused and + unusable. The default ruby interpreter includes JIT support, which makes + it reference it's compiler. Since JIT support is probably needed by some + Gems, it was decided to enable this feature with all cc references by + default, and allow to build a Ruby derivation without references to cc, + by setting <literal>jitSupport = false;</literal> in an overlay. See + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/90151">#90151</link> + for more info. + </para> + </listitem> + <listitem> + <para> + Setting <option>services.openssh.authorizedKeysFiles</option> now also affects which keys <option>security.pam.enableSSHAgentAuth</option> will use. + + WARNING: If you are using these options in combination do make sure that any key paths you use are present in <option>services.openssh.authorizedKeysFiles</option>! + </para> + </listitem> + <listitem> + <para> + The option <option>fonts.enableFontDir</option> has been renamed to + <xref linkend="opt-fonts.fontDir.enable"/>. The path of font directory + has also been changed to <literal>/run/current-system/sw/share/X11/fonts</literal>, + for consistency with other X11 resources. + </para> + </listitem> + <listitem> + <para> + A number of options have been renamed in the kicad interface. <literal>oceSupport</literal> + has been renamed to <literal>withOCE</literal>, <literal>withOCCT</literal> has been renamed + to <literal>withOCC</literal>, <literal>ngspiceSupport</literal> has been renamed to + <literal>withNgspice</literal>, and <literal>scriptingSupport</literal> has been renamed to + <literal>withScripting</literal>. Additionally, <literal>kicad/base.nix</literal> no longer + provides default argument values since these are provided by + <literal>kicad/default.nix</literal>. + </para> + </listitem> + <listitem> + <para> + The socket for the <literal>pdns-recursor</literal> module was moved from <literal>/var/lib/pdns-recursor</literal> + to <literal>/run/pdns-recursor</literal> to match upstream. + </para> + </listitem> + <listitem> + <para> + Paperwork was updated to version 2. The on-disk format slightly changed, + and it is not possible to downgrade from Paperwork 2 back to Paperwork + 1.3. Back your documents up before upgrading. See <link xlink:href="https://forum.openpaper.work/t/paperwork-2-0/112/5">this thread</link> for more details. + </para> + </listitem> + <listitem> + <para> + PowerDNS has been updated from <literal>4.2.x</literal> to <literal>4.3.x</literal>. Please + be sure to review the <link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#x-to-4-3-0">Upgrade Notes</link> + provided by upstream before upgrading. Worth specifically noting is that the service now runs + entirely as a dedicated <literal>pdns</literal> user, instead of starting as <literal>root</literal> + and dropping privileges, as well as the default <literal>socket-dir</literal> location changing from + <literal>/var/lib/powerdns</literal> to <literal>/run/pdns</literal>. + </para> + </listitem> + <listitem> + <para> + xfsprogs was update from 4.19 to 5.10. It now enables reflink support by default on filesystem creation. + Support for reflinks was added with an experimental status to kernel 4.9 and deemed stable in kernel 4.16. + If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than those, you need to format them + with <literal>mkfs.xfs -m reflink=0</literal>. + </para> + </listitem> + <listitem> + <para> + The uWSGI server is now built with POSIX capabilities. As a consequence, + root is no longer required in emperor mode and the service defaults to + running as the unprivileged <literal>uwsgi</literal> user. Any additional + capability can be added via the new option + <xref linkend="opt-services.uwsgi.capabilities"/>. + The previous behaviour can be restored by setting: +<programlisting> + <xref linkend="opt-services.uwsgi.user"/> = "root"; + <xref linkend="opt-services.uwsgi.group"/> = "root"; + <xref linkend="opt-services.uwsgi.instance"/> = + { + uid = "uwsgi"; + gid = "uwsgi"; + }; +</programlisting> + </para> + <para> + Another incompatibility from the previous release is that vassals running under a + different user or group need to use <literal>immediate-{uid,gid}</literal> + instead of the usual <literal>uid,gid</literal> options. + </para> + </listitem> + <listitem> + <para> + <package>btc1</package> has been abandoned upstream, and removed. + </para> + </listitem> + <listitem> + <para> + <package>cpp_ethereum</package> (aleth) has been abandoned upstream, and removed. + </para> + </listitem> + <listitem> + <para> + <package>riak-cs</package> package removed along with <varname>services.riak-cs</varname> module. + </para> + </listitem> + <listitem> + <para> + <package>stanchion</package> package removed along with <varname>services.stanchion</varname> module. + </para> + </listitem> + <listitem> + <para> + <package>mutt</package> has been updated to a new major version (2.x), which comes with + some backward incompatible changes that are described in the + <link xlink:href="http://www.mutt.org/relnotes/2.0/">release notes for Mutt 2.0</link>. + </para> + </listitem> + <listitem> + <para> + <literal>vim</literal> switched to Python 3, dropping all Python 2 support. + </para> + </listitem> + <listitem> + <para> + <link linkend="opt-boot.zfs.forceImportAll">boot.zfs.forceImportAll</link> + previously did nothing, but has been fixed. However its default has been + changed to <literal>false</literal> to preserve the existing default + behaviour. If you have this explicitly set to <literal>true</literal>, + please note that your non-root pools will now be forcibly imported. + </para> + </listitem> + <listitem> + <para> + <package>openafs</package> now points to <package>openafs_1_8</package>, + which is the new stable release. OpenAFS 1.6 was removed. + </para> + </listitem> + <listitem> + <para> + MariaDB has been updated to 10.5. + Before you upgrade, it would be best to take a backup of your database and read + <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/#incompatible-changes-between-104-and-105"> + Incompatible Changes Between 10.4 and 10.5</link>. + After the upgrade you will need to run <literal>mysql_upgrade</literal>. + </para> + </listitem> + <listitem> + <para> + The TokuDB storage engine dropped in <package>mariadb</package> 10.5 and removed in <package>mariadb</package> 10.6. + It is recommended to switch to RocksDB. See also <link xlink:href="https://mariadb.com/kb/en/tokudb/">TokuDB</link> and + <link xlink:href="https://jira.mariadb.org/browse/MDEV-19780">MDEV-19780: Remove the TokuDB storage engine</link>. + </para> + </listitem> + <listitem> + <para> + The <literal>openldap</literal> module now has support for OLC-style + configuration, users of the <literal>configDir</literal> option may wish + to migrate. If you continue to use <literal>configDir</literal>, ensure that + <literal>olcPidFile</literal> is set to <literal>/run/slapd/slapd.pid</literal>. + </para> + <para> + As a result, <literal>extraConfig</literal> and <literal>extraDatabaseConfig</literal> + are removed. To help with migration, you can convert your <literal>slapd.conf</literal> + file to OLC configuration with the following script (find the location of this + configuration file by running <literal>systemctl status openldap</literal>, it is the + <literal>-f</literal> option. + </para> + <programlisting> + TMPDIR=$(mktemp -d) + slaptest -f /path/to/slapd.conf $TMPDIR + slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))' + </programlisting> + <para> + This will dump your current configuration in LDIF format, which should be + straightforward to convert into Nix settings. This does not show your schema + configuration, as this is unnecessarily verbose for users of the default schemas + and <literal>slaptest</literal> is buggy with schemas directly in the config file. + </para> + </listitem> + <listitem> + <para> + Amazon EC2 and OpenStack Compute (nova) images now re-fetch instance meta data and user data from the instance + metadata service (IMDS) on each boot. For example: stopping an EC2 instance, changing its user data, and + restarting the instance will now cause it to fetch and apply the new user data. + </para> + <warning> + <para> + Specifically, <literal>/etc/ec2-metadata</literal> is re-populated on each boot. Some NixOS scripts that read + from this directory are guarded to only run if the files they want to manipulate do not already exist, and so + will not re-apply their changes if the IMDS response changes. Examples: <literal>root</literal>'s SSH key is + only added if <literal>/root/.ssh/authorized_keys</literal> does not exist, and SSH host keys are only set from + user data if they do not exist in <literal>/etc/ssh</literal>. + </para> + </warning> + </listitem> + <listitem> + <para> + The <literal>rspamd</literal> services is now sandboxed. It is run as + a dynamic user instead of root, so secrets and other files may have to + be moved or their permissions may have to be fixed. The sockets are now + located in <literal>/run/rspamd</literal> instead of <literal>/run</literal>. + </para> + </listitem> + <listitem> + <para> + Enabling the Tor client no longer silently also enables and + configures Privoxy, and the + <varname>services.tor.client.privoxy.enable</varname> option has + been removed. To enable Privoxy, and to configure it to use + Tor's faster port, use the following configuration: + </para> + <programlisting> + <xref linkend="opt-services.privoxy.enable" /> = true; + <xref linkend="opt-services.privoxy.enableTor" /> = true; + </programlisting> + </listitem> + <listitem> + <para> + The <literal>services.tor</literal> module has a new exhaustively typed <xref linkend="opt-services.tor.settings" /> option following RFC 0042; backward compatibility with old options has been preserved when aliasing was possible. + The corresponding systemd service has been hardened, + but there is a chance that the service still requires more permissions, + so please report any related trouble on the bugtracker. + Onion services v3 are now supported in <xref linkend="opt-services.tor.relay.onionServices" />. + A new <xref linkend="opt-services.tor.openFirewall" /> option as been introduced for allowing connections on all the TCP ports configured. + </para> + </listitem> + <listitem> + <para> + The options <literal>services.slurm.dbdserver.storagePass</literal> + and <literal>services.slurm.dbdserver.configFile</literal> have been removed. + Use <literal>services.slurm.dbdserver.storagePassFile</literal> instead to provide the database password. + Extra config options can be given via the option <literal>services.slurm.dbdserver.extraConfig</literal>. The actual configuration file is created on the fly on startup of the service. + This avoids that the password gets exposed in the nix store. + </para> + </listitem> + <listitem> + <para> + The <literal>wafHook</literal> hook does not wrap Python anymore. + Packages depending on <literal>wafHook</literal> need to include any Python into their <literal>nativeBuildInputs</literal>. + </para> + </listitem> + <listitem> + <para> + Starting with version 1.7.0, the project formerly named <literal>CodiMD</literal> + is now named <literal>HedgeDoc</literal>. + New installations will no longer use the old name for users, state directories and such, this needs to be considered when moving state to a more recent NixOS installation. + Based on <xref linkend="opt-system.stateVersion" />, existing installations will continue to work. + </para> + </listitem> + <listitem> + <para> + The <package>fish-foreign-env</package> package has been replaced with + <package>fishPlugins.foreign-env</package>, in which the fish + functions have been relocated to the + <literal>vendor_functions.d</literal> directory to be loaded automatically. + </para> + </listitem> + <listitem> + <para> + The prometheus json exporter is now managed by the prometheus community. Together with additional features + some backwards incompatibilities were introduced. + Most importantly the exporter no longer accepts a fixed command-line parameter to specify the URL of the + endpoint serving JSON. It now expects this URL to be passed as an URL parameter, when scraping the exporter's + <literal>/probe</literal> endpoint. + In the prometheus scrape configuration the scrape target might look like this: + <programlisting> +http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint + </programlisting> + </para> + <para> + Existing configuration for the exporter needs to be updated, but can partially be re-used. + Documentation is available in the upstream repository and a small example for NixOS is available + in the corresponding NixOS test. + </para> + <para> + These changes also affect <xref linkend="opt-services.prometheus.exporters.rspamd.enable" />, which is + just a preconfigured instance of the json exporter. + </para> + <para> + For more information, take a look at the <link xlink:href="https://github.com/prometheus-community/json_exporter"> + official documentation</link> of the json_exporter. + </para> + </listitem> + <listitem> + <para> + Androidenv was updated, removing the <literal>includeDocs</literal> and <literal>lldbVersions</literal> + arguments. Docs only covered a single version of the Android SDK, LLDB is now bundled with the NDK, + and both are no longer available to download from the Android package repositories. Additionally, since + the package lists have been updated, some older versions of Android packages may not be bundled. If you + depend on older versions of Android packages, we recommend overriding the repo. + </para> + <para> + Android packages are now loaded from a repo.json file created by parsing Android repo XML files. The arguments + <literal>repoJson</literal> and <literal>repoXmls</literal> have been added to allow overriding the built-in + androidenv repo.json with your own. Additionally, license files are now written to allow compatibility + with Gradle-based tools, and the <literal>extraLicenses</literal> argument has been added to accept more + SDK licenses if your project requires it. See the androidenv documentation for more details. + </para> + </listitem> + <listitem> + <para> + The attribute <varname>mpi</varname> is now consistently used to + provide a default, system-wide MPI implementation. + The default implementation is openmpi, which has been used before by + all derivations affects by this change. + Note that all packages that have used <varname>mpi ? null</varname> in the input + for optional MPI builds, have been changed to the boolean input paramater + <varname>useMpi</varname> to enable building with MPI. + + Building all packages with <varname>mpich</varname> instead + of the default <varname>openmpi</varname> can now be achived like this: + <programlisting> +self: super: +{ + mpi = super.mpich; +} + </programlisting> + </para> + </listitem> + <listitem> + <para> + The Searx module has been updated with the ability to configure the + service declaratively and uWSGI integration. + The option <literal>services.searx.configFile</literal> has been renamed + to <xref linkend="opt-services.searx.settingsFile"/> for consistency with + the new <xref linkend="opt-services.searx.settings"/>. In addition, the + <literal>searx</literal> uid and gid reservations have been removed + since they were not necessary: the service is now running with a + dynamically allocated uid. + </para> + </listitem> + <listitem> + <para> + The libinput module has been updated with the ability to configure mouse and touchpad settings separately. + The options in <literal>services.xserver.libinput</literal> have been renamed to <literal>services.xserver.libinput.touchpad</literal>, + while there is a new <literal>services.xserver.libinput.mouse</literal> for mouse related configuration. + </para> + <para> + Since touchpad options no longer apply to all devices, you may want to replicate your touchpad configuration in + mouse section. + </para> + </listitem> + <listitem> + <para> + ALSA OSS emulation (<varname>sound.enableOSSEmulation</varname>) is now disabled by default. + </para> + </listitem> + <listitem> + <para> + Thinkfan as been updated to <literal>1.2.x</literal>, which comes with a + new YAML based configuration format. For this reason, several NixOS options + of the thinkfan module have been changed to non-backward compatible types. + In addition, a new <xref linkend="opt-services.thinkfan.settings"/> option has + been added. + </para> + <para> + Please read the <link xlink:href="https://github.com/vmatare/thinkfan#readme"> + thinkfan documentation</link> before updating. + </para> + </listitem> + <listitem> + <para> + Adobe Flash Player support has been dropped from the tree. In particular, + the following packages no longer support it: + <itemizedlist> + <listitem><simpara><package>chromium</package></simpara></listitem> + <listitem><simpara><package>firefox</package></simpara></listitem> + <listitem><simpara><package>qt48</package></simpara></listitem> + <listitem><simpara><package>qt5.qtwebkit</package></simpara></listitem> + </itemizedlist> + Additionally, packages <package>flashplayer</package> and + <package>hal-flash</package> were removed along with the + <varname>services.flashpolicyd</varname> module. + </para> + </listitem> + </itemizedlist> + </section> + + <section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-release-21.05-notable-changes"> + <title>Other Notable Changes</title> + + <itemizedlist> + <listitem> + <para> + <literal>stdenv.lib</literal> has been deprecated and will break + eval in 21.11. Please use <literal>pkgs.lib</literal> instead. + See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/108938">#108938</link> + for details. + </para> + </listitem> + <listitem> + <para> + The Mailman NixOS module (<literal>services.mailman</literal>) has a new + option <xref linkend="opt-services.mailman.enablePostfix" />, defaulting + to true, that controls integration with Postfix. + </para> + <para> + If this option is disabled, default MTA config becomes not set and you + should set the options in <literal>services.mailman.settings.mta</literal> + according to the desired configuration as described in + <link xlink:href="https://mailman.readthedocs.io/en/latest/src/mailman/docs/mta.html">Mailman documentation</link>. + </para> + </listitem> + <listitem> + <para> + The default-version of <literal>nextcloud</literal> is <package>nextcloud20</package>. + Please note that it's <emphasis>not</emphasis> possible to upgrade <literal>nextcloud</literal> + across multiple major versions! This means that it's e.g. not possible to upgrade + from <package>nextcloud18</package> to <package>nextcloud20</package> in a single deploy. + </para> + <para> + The package can be manually upgraded by setting <xref linkend="opt-services.nextcloud.package" /> + to <package>nextcloud20</package>. + </para> + </listitem> + <listitem> + <para> + The setting <xref linkend="opt-services.redis.bind" /> defaults to <literal>127.0.0.1</literal> now, making Redis listen on the loopback interface only, and not all public network interfaces. + </para> + </listitem> + <listitem> + <para> + NixOS now emits a deprecation warning if systemd's <literal>StartLimitInterval</literal> setting is used in a <literal>serviceConfig</literal> section instead of in a <literal>unitConfig</literal>; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/45785">#45785</link> for details. + </para> + <para> + All services should use <xref linkend="opt-systemd.services._name_.startLimitIntervalSec" /> or <literal>StartLimitIntervalSec</literal> in <xref linkend="opt-systemd.services._name_.unitConfig" /> instead. + </para> + </listitem> + <listitem> + <para> + The Unbound DNS resolver service (<literal>services.unbound</literal>) has been refactored to allow reloading, control sockets and to fix startup ordering issues. + </para> + + <para> + It is now possible to enable a local UNIX control socket for unbound by setting the <xref linkend="opt-services.unbound.localControlSocketPath" /> + option. + </para> + + <para> + Previously we just applied a very minimal set of restrictions and + trusted unbound to properly drop root privs and capabilities. + </para> + + <para> + As of this we are (for the most part) just using the upstream + example unit file for unbound. The main difference is that we start + unbound as <literal>unbound</literal> user with the required capabilities instead of + letting unbound do the chroot & uid/gid changes. + </para> + + <para> + The upstream unit configuration this is based on is a lot stricter with + all kinds of permissions then our previous variant. It also came with + the default of having the <literal>Type</literal> set to <literal>notify</literal>, therefore we are now also + using the <literal>unbound-with-systemd</literal> package here. Unbound will start up, + read the configuration files and start listening on the configured ports + before systemd will declare the unit <literal>active (running)</literal>. + This will likely help with startup order and the occasional race condition during system + activation where the DNS service is started but not yet ready to answer + queries. Services depending on <literal>nss-lookup.target</literal> or <literal>unbound.service</literal> + are now be able to use unbound when those targets have been reached. + </para> + + <para> + Aditionally to the much stricter runtime environmet the + <literal>/dev/urandom</literal> mount lines we previously had in the code (that would + randomly failed during the stop-phase) have been removed as systemd will take care of those for us. + </para> + + <para> + The <literal>preStart</literal> script is now only required if we enabled the trust + anchor updates (which are still enabled by default). + </para> + + <para> + Another benefit of the refactoring is that we can now issue reloads via + either <literal>pkill -HUP unbound</literal> and <literal>systemctl reload unbound</literal> to reload the + running configuration without taking the daemon offline. A prerequisite + of this was that unbound configuration is available on a well known path + on the file system. We are using the path <literal>/etc/unbound/unbound.conf</literal> as that is the + default in the CLI tooling which in turn enables us to use + <literal>unbound-control</literal> without passing a custom configuration location. + </para> + </listitem> + <listitem> + <para> + The <literal>services.dnscrypt-proxy2</literal> module now takes the upstream's example configuration and updates it with the user's settings. + + An option has been added to restore the old behaviour if you prefer to declare the configuration from scratch. + </para> + </listitem> + <listitem> + <para> + NixOS now defaults to the unified cgroup hierarchy (cgroupsv2). + See the <link xlink:href="https://www.redhat.com/sysadmin/fedora-31-control-group-v2">Fedora Article for 31</link> + for details on why this is desirable, and how it impacts containers. + </para> + <para> + If you want to run containers with a runtime that does not yet support cgroupsv2, + you can switch back to the old behaviour by setting + <xref linkend="opt-systemd.enableUnifiedCgroupHierarchy"/> = <literal>false</literal>; + and rebooting. + </para> + </listitem> + <listitem> + <para> + PulseAudio was upgraded to 14.0, with changes to the handling of default sinks. + See its <link xlink:href="https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/14.0/">release notes</link>. + </para> + + <para> + GNOME users may wish to delete their <literal>~/.config/pulse</literal> due to the changes to stream routing + logic. See <link xlink:href="https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/issues/832">PulseAudio bug 832</link> + for more information. + </para> + </listitem> + <listitem> + <para> + The <package>zookeeper</package> package does not provide + <literal>zooInspector.sh</literal> anymore, as that "contrib" has + been dropped from upstream releases. + </para> + </listitem> + <listitem> + <para> + In the ACME module, the data used to build the hash for the account + directory has changed to accomodate new features to reduce account + rate limit issues. This will trigger new account creation on the first + rebuild following this update. No issues are expected to arise from this, + thanks to the new account creation handling. + </para> + </listitem> + <listitem> + <para> + <xref linkend="opt-users.users._name_.createHome" /> now always ensures home directory permissions to be <literal>0700</literal>. + Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others. + The option's description was incorrect regarding ownership management and has been simplified greatly. + </para> + </listitem> + <listitem> + <para> + The GNOME desktop manager once again installs <package>gnome3.epiphany</package> by default. + </para> + </listitem> + <listitem> + <para> + NixOS now generates empty <literal>/etc/netgroup</literal>. + <literal>/etc/netgroup</literal> defines network-wide groups and may affect to setups using NIS. + </para> + </listitem> + <listitem> + <para> + Platforms, like <varname>stdenv.hostPlatform</varname>, no longer have a <varname>platform</varname> attribute. + It has been (mostly) flattoned away: + </para> + <itemizedlist> + <listitem><para><varname>platform.gcc</varname> is now <varname>gcc</varname></para></listitem> + <listitem><para><literal>platform.kernel*</literal> is now <literal>linux-kernel.*</literal></para></listitem> + </itemizedlist> + <para> + Additionally, <varname>platform.kernelArch</varname> moved to the top level as <varname>linuxArch</varname> to match the other <literal>*Arch</literal> variables. + </para> + <para> + The <varname>platform</varname> grouping of these things never meant anything, and was just a historial/implementation artifact that was overdue removal. + </para> + </listitem> + <listitem> + <para> + <varname>services.restic</varname> now uses a dedicated cache directory for every backup defined in <varname>services.restic.backups</varname>. The old global cache directory, <literal>/root/.cache/restic</literal>, is now unused and can be removed to free up disk space. + </para> + </listitem> + <listitem> + <para> + <literal>isync</literal>: The <literal>isync</literal> compatibility wrapper was removed and the Master/Slave + terminology has been deprecated and should be replaced with Far/Near in the configuration file. + </para> + </listitem> + </itemizedlist> + </section> +</section> |