Diffstat (limited to 'nixpkgs/nixos/doc/manual/release-notes')
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/release-notes.xml23
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1310.xml11
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1404.xml179
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1412.xml467
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1509.xml750
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1603.xml671
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1609.xml277
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1703.xml817
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1709.xml899
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1803.xml855
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1809.xml933
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1903.xml768
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml561
13 files changed, 7211 insertions, 0 deletions
diff --git a/nixpkgs/nixos/doc/manual/release-notes/release-notes.xml b/nixpkgs/nixos/doc/manual/release-notes/release-notes.xml
new file mode 100644
index 000000000000..02b591477214
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/release-notes/release-notes.xml
@@ -0,0 +1,23 @@
+<appendix xmlns="http://docbook.org/ns/docbook"
+          xmlns:xlink="http://www.w3.org/1999/xlink"
+          xmlns:xi="http://www.w3.org/2001/XInclude"
+          version="5.0"
+          xml:id="ch-release-notes">
+ <title>Release Notes</title>
+ <para>
+  This section lists the release notes for each stable version of NixOS and
+  current unstable revision.
+ </para>
+ <xi:include href="rl-1909.xml" />
+ <xi:include href="rl-1903.xml" />
+ <xi:include href="rl-1809.xml" />
+ <xi:include href="rl-1803.xml" />
+ <xi:include href="rl-1709.xml" />
+ <xi:include href="rl-1703.xml" />
+ <xi:include href="rl-1609.xml" />
+ <xi:include href="rl-1603.xml" />
+ <xi:include href="rl-1509.xml" />
+ <xi:include href="rl-1412.xml" />
+ <xi:include href="rl-1404.xml" />
+ <xi:include href="rl-1310.xml" />
+</appendix>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1310.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1310.xml
new file mode 100644
index 000000000000..248bab70c36b
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1310.xml
@@ -0,0 +1,11 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-13.10">
+ <title>Release 13.10 (“Aardvark”, 2013/10/31)</title>
+
+ <para>
+  This is the first stable release branch of NixOS.
+ </para>
+</section>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1404.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1404.xml
new file mode 100644
index 000000000000..8d8cea4303a3
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1404.xml
@@ -0,0 +1,179 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-14.04">
+ <title>Release 14.04 (“Baboon”, 2014/04/30)</title>
+
+ <para>
+  This is the second stable release branch of NixOS. In addition to numerous
+  new and upgraded packages and modules, this release has the following
+  highlights:
+  <itemizedlist>
+   <listitem>
+    <para>
+     Installation on UEFI systems is now supported. See
+     <xref linkend="sec-installation"/> for details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Systemd has been updated to version 212, which has
+     <link xlink:href="http://cgit.freedesktop.org/systemd/systemd/plain/NEWS?id=v212">numerous
+     improvements</link>. NixOS now automatically starts systemd user instances
+     when you log in. You can define global user units through the
+     <option>systemd.unit.*</option> options.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     NixOS is now based on Glibc 2.19 and GCC 4.8.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The default Linux kernel has been updated to 3.12.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     KDE has been updated to 4.12.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     GNOME 3.10 experimental support has been added.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Nix has been updated to 1.7
+     (<link
+  xlink:href="http://nixos.org/nix/manual/#ssec-relnotes-1.7">details</link>).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     NixOS now supports fully declarative management of users and groups. If
+     you set <option>users.mutableUsers</option> to <literal>false</literal>,
+     then the contents of <filename>/etc/passwd</filename> and
+     <filename>/etc/group</filename> will be
+     <link
+  xlink:href="https://www.usenix.org/legacy/event/lisa02/tech/full_papers/traugott/traugott_html/">congruent</link>
+     to your NixOS configuration. For instance, if you remove a user from
+     <option>users.extraUsers</option> and run
+     <command>nixos-rebuild</command>, the user account will cease to exist.
+     Also, imperative commands for managing users and groups, such as
+     <command>useradd</command>, are no longer available. If
+     <option>users.mutableUsers</option> is <literal>true</literal> (the
+     default), then behaviour is unchanged from NixOS 13.10.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     NixOS now has basic container support, meaning you can easily run a NixOS
+     instance as a container in a NixOS host system. These containers are
+     suitable for testing and experimentation but not production use, since
+     they’re not fully isolated from the host. See
+     <xref linkend="ch-containers"/> for details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Systemd units provided by packages can now be overridden from the NixOS
+     configuration. For instance, if a package <literal>foo</literal> provides
+     systemd units, you can say:
+<programlisting>
+systemd.packages = [ pkgs.foo ];
+</programlisting>
+     to enable those units. You can then set or override unit options in the
+     usual way, e.g.
+<programlisting>
+systemd.services.foo.wantedBy = [ "multi-user.target" ];
+systemd.services.foo.serviceConfig.MemoryLimit = "512M";
+</programlisting>
+    </para>
+   </listitem>
+  </itemizedlist>
+ </para>
+
+ <para>
+  When upgrading from a previous release, please be aware of the following
+  incompatible changes:
+  <itemizedlist>
+   <listitem>
+    <para>
+     Nixpkgs no longer exposes unfree packages by default. If your NixOS
+     configuration requires unfree packages from Nixpkgs, you need to enable
+     support for them explicitly by setting:
+<programlisting>
+nixpkgs.config.allowUnfree = true;
+</programlisting>
+     Otherwise, you get an error message such as:
+<screen>
+error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:56’
+  has an unfree license, refusing to evaluate
+</screen>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Adobe Flash player is no longer enabled by default in the Firefox and
+     Chromium wrappers. To enable it, you must set:
+<programlisting>
+nixpkgs.config.allowUnfree = true;
+nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox
+nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium
+</programlisting>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The firewall is now enabled by default. If you don’t want this, you need
+     to disable it explicitly:
+<programlisting>
+networking.firewall.enable = false;
+</programlisting>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option <option>boot.loader.grub.memtest86</option> has been renamed to
+     <option>boot.loader.grub.memtest86.enable</option>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>mysql55</literal> service has been merged into the
+     <literal>mysql</literal> service, which no longer sets a default for the
+     option <option>services.mysql.package</option>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Package variants are now differentiated by suffixing the name, rather than
+     the version. For instance, <filename>sqlite-3.8.4.3-interactive</filename>
+     is now called <filename>sqlite-interactive-3.8.4.3</filename>. This
+     ensures that <literal>nix-env -i sqlite</literal> is unambiguous, and that
+     <literal>nix-env -u</literal> won’t “upgrade”
+     <literal>sqlite</literal> to <literal>sqlite-interactive</literal> or vice
+     versa. Notably, this change affects the Firefox wrapper (which provides
+     plugins), as it is now called <literal>firefox-wrapper</literal>. So when
+     using <command>nix-env</command>, you should do <literal>nix-env -e
+     firefox; nix-env -i firefox-wrapper</literal> if you want to keep using
+     the wrapper. This change does not affect declarative package management,
+     since attribute names like <literal>pkgs.firefoxWrapper</literal> were
+     already unambiguous.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The symlink <filename>/etc/ca-bundle.crt</filename> is gone. Programs
+     should instead use the environment variable
+     <envar>OPENSSL_X509_CERT_FILE</envar> (which points to
+     <filename>/etc/ssl/certs/ca-bundle.crt</filename>).
+    </para>
+   </listitem>
+  </itemizedlist>
+ </para>
+</section>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1412.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1412.xml
new file mode 100644
index 000000000000..139f61c2a550
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1412.xml
@@ -0,0 +1,467 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-14.12">
+ <title>Release 14.12 (“Caterpillar”, 2014/12/30)</title>
+
+ <para>
+  In addition to numerous new and upgraded packages, this release has the
+  following highlights:
+  <itemizedlist>
+   <listitem>
+    <para>
+     Systemd has been updated to version 217, which has numerous
+     <link xlink:href="http://lists.freedesktop.org/archives/systemd-devel/2014-October/024662.html">improvements.</link>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <link xlink:href="https://www.mail-archive.com/nix-dev@lists.science.uu.nl/msg13957.html">
+     Nix has been updated to 1.8.</link>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     NixOS is now based on Glibc 2.20.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     KDE has been updated to 4.14.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The default Linux kernel has been updated to 3.14.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     If <option>users.mutableUsers</option> is enabled (the default), changes
+     made to the declaration of a user or group will be correctly realised when
+     running <command>nixos-rebuild</command>. For instance, removing a user
+     specification from <filename>configuration.nix</filename> will cause the
+     actual user account to be deleted. If <option>users.mutableUsers</option>
+     is disabled, it is no longer necessary to specify UIDs or GIDs; if
+     omitted, they are allocated dynamically.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </para>
+
+ <para>
+  Following new services were added since the last release:
+  <itemizedlist>
+   <listitem>
+    <para>
+     <literal>atftpd</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>bosun</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>bspwm</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>chronos</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>collectd</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>consul</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>cpuminer-cryptonight</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>crashplan</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>dnscrypt-proxy</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>docker-registry</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>docker</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>etcd</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>fail2ban</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>fcgiwrap</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>fleet</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>fluxbox</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>gdm</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>geoclue2</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>gitlab</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>gitolite</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>gnome3.gnome-documents</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>gnome3.gnome-online-miners</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>gnome3.gvfs</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>gnome3.seahorse</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>hbase</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>i2pd</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>influxdb</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>kubernetes</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>liquidsoap</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>lxc</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>mailpile</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>mesos</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>mlmmj</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>monetdb</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>mopidy</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>neo4j</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>nsd</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>openntpd</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>opentsdb</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>openvswitch</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>parallels-guest</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>peerflix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>phd</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>polipo</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>prosody</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>radicale</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>redmine</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>riemann</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>scollector</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>seeks</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>siproxd</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>strongswan</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>tcsd</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>teamspeak3</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>thermald</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>torque/mrom</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>torque/server</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>uhub</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>unifi</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>znc</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>zookeeper</literal>
+    </para>
+   </listitem>
+  </itemizedlist>
+ </para>
+
+ <para>
+  When upgrading from a previous release, please be aware of the following
+  incompatible changes:
+  <itemizedlist>
+   <listitem>
+    <para>
+     The default version of Apache httpd is now 2.4. If you use the
+     <option>extraConfig</option> option to pass literal Apache configuration
+     text, you may need to update it — see
+     <link
+xlink:href="http://httpd.apache.org/docs/2.4/upgrading.html">Apache’s
+     documentation</link> for details. If you wish to continue to use httpd
+     2.2, add the following line to your NixOS configuration:
+<programlisting>
+services.httpd.package = pkgs.apacheHttpd_2_2;
+</programlisting>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     PHP 5.3 has been removed because it is no longer supported by the PHP
+     project. A <link
+xlink:href="http://php.net/migration54">migration
+     guide</link> is available.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The host side of a container virtual Ethernet pair is now called
+     <literal>ve-<replaceable>container-name</replaceable></literal> rather
+     than <literal>c-<replaceable>container-name</replaceable></literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     GNOME 3.10 support has been dropped. The default GNOME version is now
+     3.12.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     VirtualBox has been upgraded to 4.3.20 release. Users may be required to
+     run <command>rm -rf /tmp/.vbox*</command>. The line <literal>imports = [
+     &lt;nixpkgs/nixos/modules/programs/virtualbox.nix&gt; ]</literal> is no
+     longer necessary, use <literal>services.virtualboxHost.enable =
+     true</literal> instead.
+    </para>
+    <para>
+     Also, hardening mode is now enabled by default, which means that unless
+     you want to use USB support, you no longer need to be a member of the
+     <literal>vboxusers</literal> group.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Chromium has been updated to 39.0.2171.65.
+     <option>enablePepperPDF</option> is now enabled by default.
+     <literal>chromium*Wrapper</literal> packages no longer exist, because
+     upstream removed NSAPI support. <literal>chromium-stable</literal> has
+     been renamed to <literal>chromium</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Python packaging documentation is now part of nixpkgs manual. To override
+     the python packages available to a custom python you now use
+     <literal>pkgs.pythonFull.buildEnv.override</literal> instead of
+     <literal>pkgs.pythonFull.override</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>boot.resumeDevice = "8:6"</literal> is no longer supported. Most
+     users will want to leave it undefined, which takes the swap partitions
+     automatically. There is an evaluation assertion to ensure that the string
+     starts with a slash.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The system-wide default timezone for NixOS installations changed from
+     <literal>CET</literal> to <literal>UTC</literal>. To choose a different
+     timezone for your system, configure <literal>time.timeZone</literal> in
+     <literal>configuration.nix</literal>. A fairly complete list of possible
+     values for that setting is available at
+     <link
+xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     GNU screen has been updated to 4.2.1, which breaks the ability to connect
+     to sessions created by older versions of screen.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Intel GPU driver was updated to the 3.x prerelease version (used by
+     most distributions) and supports DRI3 now.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </para>
+</section>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1509.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1509.xml
new file mode 100644
index 000000000000..5c4d99701785
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1509.xml
@@ -0,0 +1,750 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-15.09">
+ <title>Release 15.09 (“Dingo”, 2015/09/30)</title>
+
+ <para>
+  In addition to numerous new and upgraded packages, this release has the
+  following highlights:
+ </para>
+
+ <itemizedlist>
+  <listitem>
+   <para>
+    The <link xlink:href="http://haskell.org/">Haskell</link> packages
+    infrastructure has been re-designed from the ground up (&quot;Haskell
+    NG&quot;). NixOS now distributes the latest version of every single package
+    registered on
+    <link
+    xlink:href="http://hackage.haskell.org/">Hackage</link> -- well
+    in excess of 8,000 Haskell packages. Detailed instructions on how to use
+    that infrastructure can be found in the
+    <link
+    xlink:href="http://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
+    Guide to the Haskell Infrastructure</link>. Users migrating from an earlier
+    release may find helpful information below, in the list of
+    backwards-incompatible changes. Furthermore, we distribute 51(!) additional
+    Haskell package sets that provide every single
+    <link
+    xlink:href="http://www.stackage.org/">LTS Haskell</link> release
+    since version 0.0 as well as the most recent
+    <link
+    xlink:href="http://www.stackage.org/">Stackage Nightly</link>
+    snapshot. The announcement
+    <link
+    xlink:href="https://nixos.org/nix-dev/2015-September/018138.html">&quot;Full
+    Stackage Support in Nixpkgs&quot;</link> gives additional details.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Nix has been updated to version 1.10, which among other improvements
+    enables cryptographic signatures on binary caches for improved security.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    You can now keep your NixOS system up to date automatically by setting
+<programlisting>
+system.autoUpgrade.enable = true;
+</programlisting>
+    This will cause the system to periodically check for updates in your
+    current channel and run <command>nixos-rebuild</command>.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    This release is based on Glibc 2.21, GCC 4.9 and Linux 3.18.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    GNOME has been upgraded to 3.16.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Xfce has been upgraded to 4.12.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    KDE 5 has been upgraded to KDE Frameworks 5.10, Plasma 5.3.2 and
+    Applications 15.04.3. KDE 4 has been updated to kdelibs-4.14.10.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    E19 has been upgraded to 0.16.8.15.
+   </para>
+  </listitem>
+ </itemizedlist>
+
+ <para>
+  The following new services were added since the last release:
+  <itemizedlist>
+   <listitem>
+    <para>
+     <literal>services/mail/exim.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/apache-kafka.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/canto-daemon.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/confd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/devmon.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/gitit.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/ihaskell.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/mbpfan.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/mediatomb.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/mwlib.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/parsoid.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/plex.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/ripple-rest.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/ripple-data-api.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/subsonic.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/sundtek.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/cadvisor.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/das_watchdog.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/grafana.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/riemann-tools.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/teamviewer.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/network-filesystems/u9fs.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/aiccu.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/asterisk.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/bird.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/charybdis.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/docker-registry-server.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/fan.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/firefox/sync-server.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/gateone.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/heyefi.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/i2p.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/lambdabot.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/mstpd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/nix-serve.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/nylon.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/racoon.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/skydns.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/shout.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/softether.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/sslh.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/tinc.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/tlsdated.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/tox-bootstrapd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/tvheadend.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/zerotierone.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/scheduling/marathon.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/security/fprintd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/security/hologram.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/security/munge.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/system/cloud-init.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-servers/shellinabox.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-servers/uwsgi.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/x11/unclutter.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/x11/display-managers/sddm.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>system/boot/coredump.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>system/boot/loader/loader.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>system/boot/loader/generic-extlinux-compatible</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>system/boot/networkd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>system/boot/resolved.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>system/boot/timesyncd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>tasks/filesystems/exfat.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>tasks/filesystems/ntfs.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>tasks/filesystems/vboxsf.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>virtualisation/virtualbox-host.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>virtualisation/vmware-guest.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>virtualisation/xen-dom0.nix</literal>
+    </para>
+   </listitem>
+  </itemizedlist>
+ </para>
+
+ <para>
+  When upgrading from a previous release, please be aware of the following
+  incompatible changes:
+  <itemizedlist>
+   <listitem>
+    <para>
+     <command>sshd</command> no longer supports DSA and ECDSA host keys by
+     default. If you have existing systems with such host keys and want to
+     continue to use them, please set
+<programlisting>
+system.stateVersion = "14.12";
+</programlisting>
+     The new option <option>system.stateVersion</option> ensures that certain
+     configuration changes that could break existing systems (such as the
+     <command>sshd</command> host key setting) will maintain compatibility with
+     the specified NixOS release. NixOps sets the state version of existing
+     deployments automatically.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <command>cron</command> is no longer enabled by default, unless you have a
+     non-empty <option>services.cron.systemCronJobs</option>. To force
+     <command>cron</command> to be enabled, set <option>services.cron.enable =
+     true</option>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Nix now requires binary caches to be cryptographically signed. If you have
+     unsigned binary caches that you want to continue to use, you should set
+     <option>nix.requireSignedBinaryCaches = false</option>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Steam now doesn't need root rights to work. Instead of using
+     <literal>*-steam-chrootenv</literal>, you should now just run
+     <literal>steam</literal>. <literal>steamChrootEnv</literal> package was
+     renamed to <literal>steam</literal>, and old <literal>steam</literal>
+     package -- to <literal>steamOriginal</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     CMPlayer has been renamed to bomi upstream. Package
+     <literal>cmplayer</literal> was accordingly renamed to
+     <literal>bomi</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Atom Shell has been renamed to Electron upstream. Package
+     <literal>atom-shell</literal> was accordingly renamed to
+     <literal>electron</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Elm is not released on Hackage anymore. You should now use
+     <literal>elmPackages.elm</literal> which contains the latest Elm platform.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The CUPS printing service has been updated to version
+     <literal>2.0.2</literal>. Furthermore its systemd service has been renamed
+     to <literal>cups.service</literal>.
+    </para>
+    <para>
+     Local printers are no longer shared or advertised by default. This
+     behavior can be changed by enabling
+     <option>services.printing.defaultShared</option> or
+     <option>services.printing.browsing</option> respectively.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The VirtualBox host and guest options have been named more consistently.
+     They can now found in <option>virtualisation.virtualbox.host.*</option>
+     instead of <option>services.virtualboxHost.*</option> and
+     <option>virtualisation.virtualbox.guest.*</option> instead of
+     <option>services.virtualboxGuest.*</option>.
+    </para>
+    <para>
+     Also, there now is support for the <literal>vboxsf</literal> file system
+     using the <option>fileSystems</option> configuration attribute. An example
+     of how this can be used in a configuration:
+<programlisting>
+fileSystems."/shiny" = {
+  device = "myshinysharedfolder";
+  fsType = "vboxsf";
+};
+</programlisting>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     &quot;<literal>nix-env -qa</literal>&quot; no longer discovers Haskell
+     packages by name. The only packages visible in the global scope are
+     <literal>ghc</literal>, <literal>cabal-install</literal>, and
+     <literal>stack</literal>, but all other packages are hidden. The reason
+     for this inconvenience is the sheer size of the Haskell package set.
+     Name-based lookups are expensive, and most <literal>nix-env -qa</literal>
+     operations would become much slower if we'd add the entire Hackage
+     database into the top level attribute set. Instead, the list of Haskell
+     packages can be displayed by running:
+    </para>
+<programlisting>
+nix-env -f &quot;&lt;nixpkgs&gt;&quot; -qaP -A haskellPackages
+</programlisting>
+    <para>
+     Executable programs written in Haskell can be installed with:
+    </para>
+<programlisting>
+nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.pandoc
+</programlisting>
+    <para>
+     Installing Haskell <emphasis>libraries</emphasis> this way, however, is no
+     longer supported. See the next item for more details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Previous versions of NixOS came with a feature called
+     <literal>ghc-wrapper</literal>, a small script that allowed GHC to
+     transparently pick up on libraries installed in the user's profile. This
+     feature has been deprecated; <literal>ghc-wrapper</literal> was removed
+     from the distribution. The proper way to register Haskell libraries with
+     the compiler now is the <literal>haskellPackages.ghcWithPackages</literal>
+     function. The
+     <link
+    xlink:href="http://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
+     Guide to the Haskell Infrastructure</link> provides more information about
+     this subject.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     All Haskell builds that have been generated with version 1.x of the
+     <literal>cabal2nix</literal> utility are now invalid and need to be
+     re-generated with a current version of <literal>cabal2nix</literal> to
+     function. The most recent version of this tool can be installed by running
+     <literal>nix-env -i cabal2nix</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>haskellPackages</literal> set in Nixpkgs used to have a
+     function attribute called <literal>extension</literal> that users could
+     override in their <literal>~/.nixpkgs/config.nix</literal> files to
+     configure additional attributes, etc. That function still exists, but it's
+     now called <literal>overrides</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The OpenBLAS library has been updated to version
+     <literal>0.2.14</literal>. Support for the
+     <literal>x86_64-darwin</literal> platform was added. Dynamic architecture
+     detection was enabled; OpenBLAS now selects microarchitecture-optimized
+     routines at runtime, so optimal performance is achieved without the need
+     to rebuild OpenBLAS locally. OpenBLAS has replaced ATLAS in most packages
+     which use an optimized BLAS or LAPACK implementation.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>phpfpm</literal> is now using the default PHP version
+     (<literal>pkgs.php</literal>) instead of PHP 5.4
+     (<literal>pkgs.php54</literal>).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>locate</literal> service no longer indexes the Nix store by
+     default, preventing packages with potentially numerous versions from
+     cluttering the output. Indexing the store can be activated by setting
+     <option>services.locate.includeStore = true</option>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Nix expression search path (<envar>NIX_PATH</envar>) no longer
+     contains <filename>/etc/nixos/nixpkgs</filename> by default. You can
+     override <envar>NIX_PATH</envar> by setting <option>nix.nixPath</option>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Python 2.6 has been marked as broken (as it no longer receives security
+     updates from upstream).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Any use of module arguments such as <varname>pkgs</varname> to access
+     library functions, or to define <literal>imports</literal> attributes will
+     now lead to an infinite loop at the time of the evaluation.
+    </para>
+    <para>
+     In case of an infinite loop, use the <command>--show-trace</command>
+     command line argument and read the line just above the error message.
+<screen>
+<prompt>$ </prompt>nixos-rebuild build --show-trace
+…
+while evaluating the module argument `pkgs' in "/etc/nixos/my-module.nix":
+infinite recursion encountered
+</screen>
+    </para>
+    <para>
+     Any use of <literal>pkgs.lib</literal>, should be replaced by
+     <varname>lib</varname>, after adding it as argument of the module. The
+     following module
+<programlisting>
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+{
+  options = {
+    foo = mkOption { … };
+  };
+  config = mkIf config.foo { … };
+}
+</programlisting>
+     should be modified to look like:
+<programlisting>
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+{
+  options = {
+    foo = mkOption { <replaceable>option declaration</replaceable> };
+  };
+  config = mkIf config.foo { <replaceable>option definition</replaceable> };
+}
+</programlisting>
+    </para>
+    <para>
+     When <varname>pkgs</varname> is used to download other projects to import
+     their modules, and only in such cases, it should be replaced by
+     <literal>(import &lt;nixpkgs&gt; {})</literal>. The following module
+<programlisting>
+{ config, pkgs, ... }:
+
+let
+  myProject = pkgs.fetchurl {
+    src = <replaceable>url</replaceable>;
+    sha256 = <replaceable>hash</replaceable>;
+  };
+in
+
+{
+  imports = [ "${myProject}/module.nix" ];
+}
+</programlisting>
+     should be modified to look like:
+<programlisting>
+{ config, pkgs, ... }:
+
+let
+  myProject = (import &lt;nixpkgs&gt; {}).fetchurl {
+    src = <replaceable>url</replaceable>;
+    sha256 = <replaceable>hash</replaceable>;
+  };
+in
+
+{
+  imports = [ "${myProject}/module.nix" ];
+}
+</programlisting>
+    </para>
+   </listitem>
+  </itemizedlist>
+ </para>
+
+ <para>
+  Other notable improvements:
+  <itemizedlist>
+   <listitem>
+    <para>
+     The nixos and nixpkgs channels were unified, so one
+     <emphasis>can</emphasis> use <literal>nix-env -iA nixos.bash</literal>
+     instead of <literal>nix-env -iA nixos.pkgs.bash</literal>. See
+     <link xlink:href="https://github.com/NixOS/nixpkgs/commit/2cd7c1f198">the
+     commit</link> for details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Users running an SSH server who worry about the quality of their
+     <literal>/etc/ssh/moduli</literal> file with respect to the
+     <link
+      xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html">vulnerabilities
+     discovered in the Diffie-Hellman key exchange</link> can now replace
+     OpenSSH's default version with one they generated themselves using the new
+     <option>services.openssh.moduliFile</option> option.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     A newly packaged TeX Live 2015 is provided in
+     <literal>pkgs.texlive</literal>, split into 6500 nix packages. For basic
+     user documentation see
+     <link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive/default.nix#L1"
+      >the
+     source</link>. Beware of
+     <link xlink:href="https://github.com/NixOS/nixpkgs/issues/9757"
+      >an
+     issue</link> when installing a too large package set. The plan is to
+     deprecate and maybe delete the original TeX packages until the next
+     release.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <option>buildEnv.env</option> on all Python interpreters is now available
+     for nix-shell interoperability.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </para>
+</section>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1603.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1603.xml
new file mode 100644
index 000000000000..9b512c4b1e58
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1603.xml
@@ -0,0 +1,671 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-16.03">
+ <title>Release 16.03 (“Emu”, 2016/03/31)</title>
+
+ <para>
+  In addition to numerous new and upgraded packages, this release has the
+  following highlights:
+ </para>
+
+ <itemizedlist>
+  <listitem>
+   <para>
+    Systemd 229, bringing
+    <link
+    xlink:href="https://github.com/systemd/systemd/blob/v229/NEWS">numerous
+    improvements</link> over 217.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Linux 4.4 (was 3.18).
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    GCC 5.3 (was 4.9). Note that GCC 5
+    <link
+    xlink:href="https://gcc.gnu.org/onlinedocs/libstdc++/manual/using_dual_abi.html">changes
+    the C++ ABI in an incompatible way</link>; this may cause problems if you
+    try to link objects compiled with different versions of GCC.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Glibc 2.23 (was 2.21).
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Binutils 2.26 (was 2.23.1). See #909
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Improved support for ensuring
+    <link
+    xlink:href="https://reproducible-builds.org/">bitwise
+    reproducible builds</link>. For example, <literal>stdenv</literal> now sets
+    the environment variable
+    <envar
+    xlink:href="https://reproducible-builds.org/specs/source-date-epoch/">SOURCE_DATE_EPOCH</envar>
+    to a deterministic value, and Nix has
+    <link
+    xlink:href="http://nixos.org/nix/manual/#ssec-relnotes-1.11">gained
+    an option</link> to repeat a build a number of times to test determinism.
+    An ongoing project, the goal of exact reproducibility is to allow binaries
+    to be verified independently (e.g., a user might only trust binaries that
+    appear in three independent binary caches).
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Perl 5.22.
+   </para>
+  </listitem>
+ </itemizedlist>
+
+ <para>
+  The following new services were added since the last release:
+  <itemizedlist>
+   <listitem>
+    <para>
+     <literal>services/monitoring/longview.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>hardware/video/webcam/facetimehd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>i18n/input-method/default.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>i18n/input-method/fcitx.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>i18n/input-method/ibus.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>i18n/input-method/nabi.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>i18n/input-method/uim.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/fish.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>security/acme.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>security/audit.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>security/oath.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/hardware/irqbalance.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/mail/dspam.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/mail/opendkim.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/mail/postsrsd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/mail/rspamd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/mail/rmilter.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/autofs.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/bepasty.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/calibre-server.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/cfdyndns.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/gammu-smsd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/mathics.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/matrix-synapse.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/octoprint.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/hdaps.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/heapster.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/longview.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/network-filesystems/netatalk.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/network-filesystems/xtreemfs.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/autossh.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/dnschain.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/gale.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/miniupnpd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/namecoind.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/ostinato.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/pdnsd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/shairport-sync.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/supplicant.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/search/kibana.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/security/haka.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/security/physlock.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-apps/pump.io.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/x11/hardware/libinput.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/x11/window-managers/windowlab.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>system/boot/initrd-network.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>system/boot/initrd-ssh.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>system/boot/loader/loader.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>system/boot/networkd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>system/boot/resolved.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>virtualisation/lxd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>virtualisation/rkt.nix</literal>
+    </para>
+   </listitem>
+  </itemizedlist>
+ </para>
+
+ <para>
+  When upgrading from a previous release, please be aware of the following
+  incompatible changes:
+ </para>
+
+ <itemizedlist>
+  <listitem>
+   <para>
+    We no longer produce graphical ISO images and VirtualBox images for
+    <literal>i686-linux</literal>. A minimal ISO image is still provided.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Firefox and similar browsers are now <emphasis>wrapped by
+    default</emphasis>. The package and attribute names are plain
+    <literal>firefox</literal> or <literal>midori</literal>, etc.
+    Backward-compatibility attributes were set up, but note that
+    <command>nix-env -u</command> will <emphasis>not</emphasis> update your
+    current <literal>firefox-with-plugins</literal>; you have to uninstall it
+    and install <literal>firefox</literal> instead.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <command>wmiiSnap</command> has been replaced with
+    <command>wmii_hg</command>, but
+    <command>services.xserver.windowManager.wmii.enable</command> has been
+    updated respectively so this only affects you if you have explicitly
+    installed <command>wmiiSnap</command>.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>jobs</literal> NixOS option has been removed. It served as
+    compatibility layer between Upstart jobs and SystemD services. All services
+    have been rewritten to use <literal>systemd.services</literal>
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <command>wmiimenu</command> is removed, as it has been removed by the
+    developers upstream. Use <command>wimenu</command> from the
+    <command>wmii-hg</command> package.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Gitit is no longer automatically added to the module list in NixOS and as
+    such there will not be any manual entries for it. You will need to add an
+    import statement to your NixOS configuration in order to use it, e.g.
+<programlisting><![CDATA[
+{
+  imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ];
+}
+]]></programlisting>
+    will include the Gitit service configuration options.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <command>nginx</command> does not accept flags for enabling and disabling
+    modules anymore. Instead it accepts <literal>modules</literal> argument,
+    which is a list of modules to be built in. All modules now reside in
+    <literal>nginxModules</literal> set. Example configuration:
+<programlisting><![CDATA[
+nginx.override {
+  modules = [ nginxModules.rtmp nginxModules.dav nginxModules.moreheaders ];
+}
+]]></programlisting>
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <command>s3sync</command> is removed, as it hasn't been developed by
+    upstream for 4 years and only runs with ruby 1.8. For an actively-developer
+    alternative look at <command>tarsnap</command> and others.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <command>ruby_1_8</command> has been removed as it's not supported from
+    upstream anymore and probably contains security issues.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>tidy-html5</literal> package is removed. Upstream only provided
+    <literal>(lib)tidy5</literal> during development, and now they went back to
+    <literal>(lib)tidy</literal> to work as a drop-in replacement of the
+    original package that has been unmaintained for years. You can (still) use
+    the <literal>html-tidy</literal> package, which got updated to a stable
+    release from this new upstream.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>extraDeviceOptions</literal> argument is removed from
+    <literal>bumblebee</literal> package. Instead there are now two separate
+    arguments: <literal>extraNvidiaDeviceOptions</literal> and
+    <literal>extraNouveauDeviceOptions</literal> for setting extra X11 options
+    for nvidia and nouveau drivers, respectively.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    The <literal>Ctrl+Alt+Backspace</literal> key combination no longer kills
+    the X server by default. There's a new option
+    <option>services.xserver.enableCtrlAltBackspace</option> allowing to enable
+    the combination again.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>emacsPackagesNg</literal> now contains all packages from the ELPA,
+    MELPA, and MELPA Stable repositories.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Data directory for Postfix MTA server is moved from
+    <filename>/var/postfix</filename> to <filename>/var/lib/postfix</filename>.
+    Old configurations are migrated automatically.
+    <literal>service.postfix</literal> module has also received many
+    improvements, such as correct directories' access rights, new
+    <literal>aliasFiles</literal> and <literal>mapFiles</literal> options and
+    more.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Filesystem options should now be configured as a list of strings, not a
+    comma-separated string. The old style will continue to work, but print a
+    warning, until the 16.09 release. An example of the new style:
+<programlisting>
+fileSystems."/example" = {
+  device = "/dev/sdc";
+  fsType = "btrfs";
+  options = [ "noatime" "compress=lzo" "space_cache" "autodefrag" ];
+};
+</programlisting>
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    CUPS, installed by <literal>services.printing</literal> module, now has its
+    data directory in <filename>/var/lib/cups</filename>. Old configurations
+    from <filename>/etc/cups</filename> are moved there automatically, but
+    there might be problems. Also configuration options
+    <literal>services.printing.cupsdConf</literal> and
+    <literal>services.printing.cupsdFilesConf</literal> were removed because
+    they had been allowing one to override configuration variables required for
+    CUPS to work at all on NixOS. For most use cases,
+    <literal>services.printing.extraConf</literal> and new option
+    <literal>services.printing.extraFilesConf</literal> should be enough; if
+    you encounter a situation when they are not, please file a bug.
+   </para>
+   <para>
+    There are also Gutenprint improvements; in particular, a new option
+    <literal>services.printing.gutenprint</literal> is added to enable
+    automatic updating of Gutenprint PPMs; it's greatly recommended to enable
+    it instead of adding <literal>gutenprint</literal> to the
+    <literal>drivers</literal> list.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>services.xserver.vaapiDrivers</literal> has been removed. Use
+    <literal>hardware.opengl.extraPackages{,32}</literal> instead. You can also
+    specify VDPAU drivers there.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>programs.ibus</literal> moved to
+    <literal>i18n.inputMethod.ibus</literal>. The option
+    <literal>programs.ibus.plugins</literal> changed to
+    <literal>i18n.inputMethod.ibus.engines</literal> and the option to enable
+    ibus changed from <literal>programs.ibus.enable</literal> to
+    <literal>i18n.inputMethod.enabled</literal>.
+    <literal>i18n.inputMethod.enabled</literal> should be set to the used input
+    method name, <literal>"ibus"</literal> for ibus. An example of the new
+    style:
+<programlisting>
+i18n.inputMethod.enabled = "ibus";
+i18n.inputMethod.ibus.engines = with pkgs.ibus-engines; [ anthy mozc ];
+</programlisting>
+    That is equivalent to the old version:
+<programlisting>
+programs.ibus.enable = true;
+programs.ibus.plugins = with pkgs; [ ibus-anthy mozc ];
+</programlisting>
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>services.udev.extraRules</literal> option now writes rules to
+    <filename>99-local.rules</filename> instead of
+    <filename>10-local.rules</filename>. This makes all the user rules apply
+    after others, so their results wouldn't be overriden by anything else.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Large parts of the <literal>services.gitlab</literal> module has been been
+    rewritten. There are new configuration options available. The
+    <literal>stateDir</literal> option was renamned to
+    <literal>statePath</literal> and the <literal>satellitesDir</literal>
+    option was removed. Please review the currently available options.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    The option <option>services.nsd.zones.&lt;name&gt;.data</option> no longer
+    interpret the dollar sign ($) as a shell variable, as such it should not be
+    escaped anymore. Thus the following zone data:
+   </para>
+<programlisting>
+\$ORIGIN example.com.
+\$TTL 1800
+@       IN      SOA     ns1.vpn.nbp.name.      admin.example.com. (
+    </programlisting>
+   <para>
+    Should modified to look like the actual file expected by nsd:
+   </para>
+<programlisting>
+$ORIGIN example.com.
+$TTL 1800
+@       IN      SOA     ns1.vpn.nbp.name.      admin.example.com. (
+    </programlisting>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>service.syncthing.dataDir</literal> options now has to point to
+    exact folder where syncthing is writing to. Example configuration should
+    look something like:
+   </para>
+<programlisting>
+services.syncthing = {
+    enable = true;
+    dataDir = "/home/somebody/.syncthing";
+    user = "somebody";
+};
+    </programlisting>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>networking.firewall.allowPing</literal> is now enabled by default.
+    Users are encouraged to configure an appropriate rate limit for their
+    machines using the Kernel interface at
+    <filename>/proc/sys/net/ipv4/icmp_ratelimit</filename> and
+    <filename>/proc/sys/net/ipv6/icmp/ratelimit</filename> or using the
+    firewall itself, i.e. by setting the NixOS option
+    <literal>networking.firewall.pingLimit</literal>.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Systems with some broadcom cards used to result into a generated config
+    that is no longer accepted. If you get errors like
+<screen>error: path ‘/nix/store/*-broadcom-sta-*’ does not exist and cannot be created</screen>
+    you should either re-run <command>nixos-generate-config</command> or
+    manually replace
+    <literal>"${config.boot.kernelPackages.broadcom_sta}"</literal> by
+    <literal>config.boot.kernelPackages.broadcom_sta</literal> in your
+    <filename>/etc/nixos/hardware-configuration.nix</filename>. More discussion
+    is on <link xlink:href="https://github.com/NixOS/nixpkgs/pull/12595"> the
+    github issue</link>.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    The <literal>services.xserver.startGnuPGAgent</literal> option has been
+    removed. GnuPG 2.1.x changed the way the gpg-agent works, and that new
+    approach no longer requires (or even supports) the "start everything as a
+    child of the agent" scheme we've implemented in NixOS for older versions.
+    To configure the gpg-agent for your X session, add the following code to
+    <filename>~/.bashrc</filename> or some file that’s sourced when your
+    shell is started:
+<programlisting>
+GPG_TTY=$(tty)
+export GPG_TTY
+    </programlisting>
+    If you want to use gpg-agent for SSH, too, add the following to your
+    session initialization (e.g.
+    <literal>displayManager.sessionCommands</literal>)
+<programlisting>
+gpg-connect-agent /bye
+unset SSH_AGENT_PID
+export SSH_AUTH_SOCK="''${HOME}/.gnupg/S.gpg-agent.ssh"
+    </programlisting>
+    and make sure that
+<programlisting>
+enable-ssh-support
+    </programlisting>
+    is included in your <filename>~/.gnupg/gpg-agent.conf</filename>. You will
+    need to use <command>ssh-add</command> to re-add your ssh keys. If gpg’s
+    automatic transformation of the private keys to the new format fails, you
+    will need to re-import your private keyring as well:
+<programlisting>
+gpg --import ~/.gnupg/secring.gpg
+    </programlisting>
+    The <command>gpg-agent(1)</command> man page has more details about this
+    subject, i.e. in the "EXAMPLES" section.
+   </para>
+  </listitem>
+ </itemizedlist>
+
+ <para>
+  Other notable improvements:
+  <itemizedlist>
+<!--
+  <listitem>
+    <para>The <command>command-not-found</command> hook was extended.
+    Apart from <literal>$NIX_AUTO_INSTALL</literal> variable,
+    it newly also checks for <literal>$NIX_AUTO_RUN</literal>
+    which causes it to directly run the missing commands via
+    <command>nix-shell</command> (without installing anything).</para>
+  </listitem>
+  -->
+   <listitem>
+    <para>
+     <literal>ejabberd</literal> module is brought back and now works on NixOS.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Input method support was improved. New NixOS modules (fcitx, nabi and
+     uim), fcitx engines (chewing, hangul, m17n, mozc and table-other) and ibus
+     engines (hangul and m17n) have been added.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </para>
+</section>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1609.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1609.xml
new file mode 100644
index 000000000000..4a2343edc970
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1609.xml
@@ -0,0 +1,277 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-16.09">
+ <title>Release 16.09 (“Flounder”, 2016/09/30)</title>
+
+ <para>
+  In addition to numerous new and upgraded packages, this release has the
+  following highlights:
+ </para>
+
+ <itemizedlist>
+  <listitem>
+   <para>
+    Many NixOS configurations and Nix packages now use significantly less disk
+    space, thanks to the
+    <link
+    xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive
+    work on closure size reduction</link>. For example, the closure size of a
+    minimal NixOS container went down from ~424 MiB in 16.03 to ~212 MiB in
+    16.09, while the closure size of Firefox went from ~651 MiB to ~259 MiB.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    To improve security, packages are now
+    <link
+    xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built
+    using various hardening features</link>. See the Nixpkgs manual for more
+    information.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Support for PXE netboot. See <xref
+    linkend="sec-booting-from-pxe" />
+    for documentation.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    X.org server 1.18. If you use the <literal>ati_unfree</literal> driver,
+    1.17 is still used due to an ABI incompatibility.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. The default
+    Linux kernel remains 4.4.
+   </para>
+  </listitem>
+ </itemizedlist>
+
+ <para>
+  The following new services were added since the last release:
+ </para>
+
+ <itemizedlist>
+  <listitem>
+   <para>
+    <literal>(this will get automatically generated at release time)</literal>
+   </para>
+  </listitem>
+ </itemizedlist>
+
+ <para>
+  When upgrading from a previous release, please be aware of the following
+  incompatible changes:
+ </para>
+
+ <itemizedlist>
+  <listitem>
+   <para>
+    A large number of packages have been converted to use the multiple outputs
+    feature of Nix to greatly reduce the amount of required disk space, as
+    mentioned above. This may require changes to any custom packages to make
+    them build again; see the relevant chapter in the Nixpkgs manual for more
+    information. (Additional caveat to packagers: some packaging conventions
+    related to multiple-output packages
+    <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were
+    changed</link> late (August 2016) in the release cycle and differ from the
+    initial introduction of multiple outputs.)
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Previous versions of Nixpkgs had support for all versions of the LTS
+    Haskell package set. That support has been dropped. The previously provided
+    <literal>haskell.packages.lts-x_y</literal> package sets still exist in
+    name to aviod breaking user code, but these package sets don't actually
+    contain the versions mandated by the corresponding LTS release. Instead,
+    our package set it loosely based on the latest available LTS release, i.e.
+    LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will
+    drop those old names entirely.
+    <link
+    xlink:href="https://nixos.org/nix-dev/2016-June/020585.html">The
+    motivation for this change</link> has been discussed at length on the
+    <literal>nix-dev</literal> mailing list and in
+    <link
+    xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github
+    issue #14897</link>. Development strategies for Haskell hackers who want to
+    rely on Nix and NixOS have been described in
+    <link
+    xlink:href="https://nixos.org/nix-dev/2016-June/020642.html">another
+    nix-dev article</link>.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Shell aliases for systemd sub-commands
+    <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were
+    dropped</link>: <command>start</command>, <command>stop</command>,
+    <command>restart</command>, <command>status</command>.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Redis now binds to 127.0.0.1 only instead of listening to all network
+    interfaces. This is the default behavior of Redis 3.2
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>/var/empty</literal> is now immutable. Activation script runs
+    <command>chattr +i</command> to forbid any modifications inside the folder.
+    See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365"> the
+    pull request</link> for what bugs this caused.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Gitlab's maintainance script <command>gitlab-runner</command> was removed
+    and split up into the more clearer <command>gitlab-run</command> and
+    <command>gitlab-rake</command> scripts, because
+    <command>gitlab-runner</command> is a component of Gitlab CI.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>services.xserver.libinput.accelProfile</literal> default changed
+    from <literal>flat</literal> to <literal>adaptive</literal>, as per
+    <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">
+    official documentation</link>.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>fonts.fontconfig.ultimate.rendering</literal> was removed because
+    our presets were obsolete for some time. New presets are hardcoded into
+    FreeType; you can select a preset via
+    <literal>fonts.fontconfig.ultimate.preset</literal>. You can customize
+    those presets via ordinary environment variables, using
+    <literal>environment.variables</literal>.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    The <literal>audit</literal> service is no longer enabled by default. Use
+    <literal>security.audit.enable = true</literal> to explicitly enable it.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>pkgs.linuxPackages.virtualbox</literal> now contains only the
+    kernel modules instead of the VirtualBox user space binaries. If you want
+    to reference the user space binaries, you have to use the new
+    <literal>pkgs.virtualbox</literal> instead.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>goPackages</literal> was replaced with separated Go applications
+    in appropriate <literal>nixpkgs</literal> categories. Each Go package uses
+    its own dependency set. There's also a new <literal>go2nix</literal> tool
+    introduced to generate a Go package definition from its Go source
+    automatically.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>services.mongodb.extraConfig</literal> configuration format was
+    changed to YAML.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    PHP has been upgraded to 7.0
+   </para>
+  </listitem>
+ </itemizedlist>
+
+ <para>
+  Other notable improvements:
+ </para>
+
+ <itemizedlist>
+  <listitem>
+   <para>
+    Revamped grsecurity/PaX support. There is now only a single general-purpose
+    distribution kernel and the configuration interface has been streamlined.
+    Desktop users should be able to simply set
+<programlisting>security.grsecurity.enable = true</programlisting>
+    to get a reasonably secure system without having to sacrifice too much
+    functionality.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Special filesystems, like <literal>/proc</literal>, <literal>/run</literal>
+    and others, now have the same mount options as recommended by systemd and
+    are unified across different places in NixOS. Mount options are updated
+    during <command>nixos-rebuild switch</command> if possible. One benefit
+    from this is improved security — most such filesystems are now mounted
+    with <literal>noexec</literal>, <literal>nodev</literal> and/or
+    <literal>nosuid</literal> options.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    The reverse path filter was interfering with DHCPv4 server operation in the
+    past. An exception for DHCPv4 and a new option to log packets that were
+    dropped due to the reverse path filter was added
+    (<literal>networking.firewall.logReversePathDrops</literal>) for easier
+    debugging.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Containers configuration within
+    <literal>containers.&lt;name&gt;.config</literal> is
+    <link
+  xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now
+    properly typed and checked</link>. In particular, partial configurations
+    are merged correctly.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    The directory container setuid wrapper programs,
+    <filename>/var/setuid-wrappers</filename>,
+    <link
+    xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
+    updated atomically to prevent failures if the switch to a new configuration
+    is interrupted.</link>
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <literal>services.xserver.startGnuPGAgent</literal> has been removed due to
+    GnuPG 2.1.x bump. See
+    <link
+        xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c">
+    how to achieve similar behavior</link>. You might need to <literal>pkill
+    gpg-agent</literal> after the upgrade to prevent a stale agent being in the
+    way.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    <link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147">
+    Declarative users could share the uid due to the bug in the script handling
+    conflict resolution. </link>
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Gummi boot has been replaced using systemd-boot.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    Hydra package and NixOS module were added for convenience.
+   </para>
+  </listitem>
+ </itemizedlist>
+</section>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1703.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1703.xml
new file mode 100644
index 000000000000..86f4a1ccfb78
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1703.xml
@@ -0,0 +1,817 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.03">
+ <title>Release 17.03 (“Gorilla”, 2017/03/31)</title>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.03-highlights">
+  <title>Highlights</title>
+
+  <para>
+   In addition to numerous new and upgraded packages, this release has the
+   following highlights:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     Nixpkgs is now extensible through overlays. See the
+     <link
+    xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">Nixpkgs
+     manual</link> for more information.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     This release is based on Glibc 2.25, GCC 5.4.0 and systemd 232. The
+     default Linux kernel is 4.9 and Nix is at 1.11.8.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The default desktop environment now is KDE's Plasma 5. KDE 4 has been
+     removed
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The setuid wrapper functionality now supports setting capabilities.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     X.org server uses branch 1.19. Due to ABI incompatibilities,
+     <literal>ati_unfree</literal> keeps forcing 1.17 and
+     <literal>amdgpu-pro</literal> starts forcing 1.18.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Cross compilation has been rewritten. See the nixpkgs manual for details.
+     The most obvious breaking change is that in derivations there is no
+     <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> are now
+     cross by default, not native.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>overridePackages</literal> function has been rewritten to be
+     replaced by
+     <link
+    xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
+     overlays</link>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Packages in nixpkgs can be marked as insecure through listed
+     vulnerabilities. See the
+     <link
+    xlink:href="https://nixos.org/nixpkgs/manual/#sec-allow-insecure">Nixpkgs
+     manual</link> for more information.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     PHP now defaults to PHP 7.1
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.03-new-services">
+  <title>New Services</title>
+
+  <para>
+   The following new services were added since the last release:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     <literal>hardware/ckb.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>hardware/mcelog.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>hardware/usb-wwan.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>hardware/video/capture/mwprocapture.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/adb.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/chromium.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/gphoto2.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/java.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/mtr.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/oblogout.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/vim.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/wireshark.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>security/dhparams.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/audio/ympd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/computing/boinc/client.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/continuous-integration/buildbot/master.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/continuous-integration/buildbot/worker.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/continuous-integration/gitlab-runner.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/databases/riak-cs.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/databases/stanchion.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/desktops/gnome3/gnome-terminal-server.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/editors/infinoted.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/hardware/illum.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/hardware/trezord.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/logging/journalbeat.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/mail/offlineimap.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/mail/postgrey.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/couchpotato.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/docker-registry.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/errbot.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/geoip-updater.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/gogs.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/leaps.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/nix-optimise.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/ssm-agent.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/sssd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/arbtt.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/netdata.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/prometheus/default.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/prometheus/alertmanager.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/prometheus/blackbox-exporter.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/prometheus/json-exporter.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/prometheus/nginx-exporter.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/prometheus/node-exporter.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/prometheus/snmp-exporter.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/prometheus/unifi-exporter.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/prometheus/varnish-exporter.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/sysstat.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/telegraf.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/vnstat.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/network-filesystems/cachefilesd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/network-filesystems/glusterfs.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/network-filesystems/ipfs.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/dante.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/dnscrypt-wrapper.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/fakeroute.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/flannel.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/htpdate.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/miredo.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/nftables.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/powerdns.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/pdns-recursor.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/quagga.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/redsocks.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/wireguard.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/system/cgmanager.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/torrent/opentracker.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-apps/atlassian/confluence.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-apps/atlassian/crowd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-apps/atlassian/jira.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-apps/frab.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-apps/nixbot.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-apps/selfoss.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-apps/quassel-webserver.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/x11/unclutter-xfixes.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/x11/urxvtd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>system/boot/systemd-nspawn.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>virtualisation/ecs-agent.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>virtualisation/lxcfs.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>virtualisation/openstack/keystone.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>virtualisation/openstack/glance.nix</literal>
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.03-incompatibilities">
+  <title>Backward Incompatibilities</title>
+
+  <para>
+   When upgrading from a previous release, please be aware of the following
+   incompatible changes:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     Derivations have no <literal>.nativeDrv</literal> nor
+     <literal>.crossDrv</literal> and are now cross by default, not native.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>stdenv.overrides</literal> is now expected to take
+     <literal>self</literal> and <literal>super</literal> arguments. See
+     <literal>lib.trivial.extends</literal> for what those parameters
+     represent.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>ansible</literal> now defaults to ansible version 2 as version 1
+     has been removed due to a serious
+     <link
+      xlink:href="https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt">
+     vulnerability</link> unpatched by upstream.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>gnome</literal> alias has been removed along with
+     <literal>gtk</literal>, <literal>gtkmm</literal> and several others. Now
+     you need to use versioned attributes, like <literal>gnome3</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The attribute name of the Radicale daemon has been changed from
+     <literal>pythonPackages.radicale</literal> to <literal>radicale</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>stripHash</literal> bash function in
+     <literal>stdenv</literal> changed according to its documentation; it now
+     outputs the stripped name to <literal>stdout</literal> instead of putting
+     it in the variable <literal>strippedName</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     PHP now scans for extra configuration .ini files in /etc/php.d instead of
+     /etc. This prevents accidentally loading non-PHP .ini files that may be in
+     /etc.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Two lone top-level dict dbs moved into <literal>dictdDBs</literal>. This
+     affects: <literal>dictdWordnet</literal> which is now at
+     <literal>dictdDBs.wordnet</literal> and <literal>dictdWiktionary</literal>
+     which is now at <literal>dictdDBs.wiktionary</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Parsoid service now uses YAML configuration format.
+     <literal>service.parsoid.interwikis</literal> is now called
+     <literal>service.parsoid.wikis</literal> and is a list of either API URLs
+     or attribute sets as specified in parsoid's documentation.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>Ntpd</literal> was replaced by
+     <literal>systemd-timesyncd</literal> as the default service to synchronize
+     system time with a remote NTP server. The old behavior can be restored by
+     setting <literal>services.ntp.enable</literal> to <literal>true</literal>.
+     Upstream time servers for all NTP implementations are now configured using
+     <literal>networking.timeServers</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>service.nylon</literal> is now declared using named instances. As
+     an example:
+<programlisting>
+  services.nylon = {
+    enable = true;
+    acceptInterface = "br0";
+    bindInterface = "tun1";
+    port = 5912;
+  };
+</programlisting>
+     should be replaced with:
+<programlisting>
+  services.nylon.myvpn = {
+    enable = true;
+    acceptInterface = "br0";
+    bindInterface = "tun1";
+    port = 5912;
+  };
+</programlisting>
+     this enables you to declare a SOCKS proxy for each uplink.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>overridePackages</literal> function no longer exists. It is
+     replaced by
+     <link
+    xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
+     overlays</link>. For example, the following code:
+<programlisting>
+let
+  pkgs = import &lt;nixpkgs&gt; {};
+in
+  pkgs.overridePackages (self: super: ...)
+</programlisting>
+     should be replaced by:
+<programlisting>
+let
+  pkgs = import &lt;nixpkgs&gt; {};
+in
+  import pkgs.path { overlays = [(self: super: ...)]; }
+</programlisting>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Autoloading connection tracking helpers is now disabled by default. This
+     default was also changed in the Linux kernel and is considered insecure if
+     not configured properly in your firewall. If you need connection tracking
+     helpers (i.e. for active FTP) please enable
+     <literal>networking.firewall.autoLoadConntrackHelpers</literal> and tune
+     <literal>networking.firewall.connectionTrackingModules</literal> to suit
+     your needs.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>local_recipient_maps</literal> is not set to empty value by
+     Postfix service. It's an insecure default as stated by Postfix
+     documentation. Those who want to retain this setting need to set it via
+     <literal>services.postfix.extraConfig</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Iputils no longer provide ping6 and traceroute6. The functionality of
+     these tools has been integrated into ping and traceroute respectively. To
+     enforce an address family the new flags <literal>-4</literal> and
+     <literal>-6</literal> have been added. One notable incompatibility is that
+     specifying an interface (for link-local IPv6 for instance) is no longer
+     done with the <literal>-I</literal> flag, but by encoding the interface
+     into the address (<literal>ping fe80::1%eth0</literal>).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The socket handling of the <literal>services.rmilter</literal> module has
+     been fixed and refactored. As rmilter doesn't support binding to more than
+     one socket, the options <literal>bindUnixSockets</literal> and
+     <literal>bindInetSockets</literal> have been replaced by
+     <literal>services.rmilter.bindSocket.*</literal>. The default is still a
+     unix socket in <literal>/run/rmilter/rmilter.sock</literal>. Refer to the
+     options documentation for more information.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>fetch*</literal> functions no longer support md5, please use
+     sha256 instead.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The dnscrypt-proxy module interface has been streamlined around the
+     <option>extraArgs</option> option. Where possible, legacy option
+     declarations are mapped to <option>extraArgs</option> but will emit
+     warnings. The <option>resolverList</option> has been outright removed: to
+     use an unlisted resolver, use the <option>customResolver</option> option.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     torbrowser now stores local state under
+     <filename>~/.local/share/tor-browser</filename> by default. Any browser
+     profile data from the old location, <filename>~/.torbrowser4</filename>,
+     must be migrated manually.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The ihaskell, monetdb, offlineimap and sitecopy services have been
+     removed.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.03-notable-changes">
+  <title>Other Notable Changes</title>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     Module type system have a new extensible option types feature that allow
+     to extend certain types, such as enum, through multiple option
+     declarations of the same option across multiple modules.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>jre</literal> now defaults to GTK+ UI by default. This improves
+     visual consistency and makes Java follow system font style, improving the
+     situation on HighDPI displays. This has a cost of increased closure size;
+     for server and other headless workloads it's recommended to use
+     <literal>jre_headless</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Python 2.6 interpreter and package set have been removed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Python 2.7 interpreter does not use modules anymore. Instead, all
+     CPython interpreters now include the whole standard library except for
+     `tkinter`, which is available in the Python package set.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
+     Minor modifications had to be made to the interpreters in order to
+     generate deterministic bytecode. This has security implications and is
+     relevant for those using Python in a <literal>nix-shell</literal>. See the
+     Nixpkgs manual for details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Python package sets now use a fixed-point combinator and the sets are
+     available as attributes of the interpreters.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Python function <literal>buildPythonPackage</literal> has been
+     improved and can be used to build from Setuptools source, Flit source, and
+     precompiled Wheels.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     When adding new or updating current Python libraries, the expressions
+     should be put in separate files in
+     <literal>pkgs/development/python-modules</literal> and called from
+     <literal>python-packages.nix</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The dnscrypt-proxy service supports synchronizing the list of public
+     resolvers without working DNS resolution. This fixes issues caused by the
+     resolver list becoming outdated. It also improves the viability of
+     DNSCrypt only configurations.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Containers using bridged networking no longer lose their connection after
+     changes to the host networking.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     ZFS supports pool auto scrubbing.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The bind DNS utilities (e.g. dig) have been split into their own output
+     and are now also available in <literal>pkgs.dnsutils</literal> and it is
+     no longer necessary to pull in all of <literal>bind</literal> to use them.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Per-user configuration was moved from <filename>~/.nixpkgs</filename> to
+     <filename>~/.config/nixpkgs</filename>. The former is still valid for
+     <filename>config.nix</filename> for backwards compatibility.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+</section>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1709.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1709.xml
new file mode 100644
index 000000000000..795c51d2923d
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1709.xml
@@ -0,0 +1,899 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.09">
+ <title>Release 17.09 (“Hummingbird”, 2017/09/??)</title>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.09-highlights">
+  <title>Highlights</title>
+
+  <para>
+   In addition to numerous new and upgraded packages, this release has the
+   following highlights:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10, KDE
+     Applications to 17.08.1 and KDE Frameworks to 5.37.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The user handling now keeps track of deallocated UIDs/GIDs. When a user or
+     group is revived, this allows it to be allocated the UID/GID it had
+     before. A consequence is that UIDs and GIDs are no longer reused.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The module option <option>services.xserver.xrandrHeads</option> now causes
+     the first head specified in this list to be set as the primary head. Apart
+     from that, it's now possible to also set additional options by using an
+     attribute set, for example:
+<programlisting>
+{ services.xserver.xrandrHeads = [
+    "HDMI-0"
+    {
+      output = &quot;DVI-0&quot;;
+      primary = true;
+      monitorConfig = ''
+        Option &quot;Rotate&quot; &quot;right&quot;
+      '';
+    }
+  ];
+}
+</programlisting>
+     This will set the <literal>DVI-0</literal> output to be the primary head,
+     even though <literal>HDMI-0</literal> is the first head in the list.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The handling of SSL in the <literal>services.nginx</literal> module has
+     been cleaned up, renaming the misnamed <literal>enableSSL</literal> to
+     <literal>onlySSL</literal> which reflects its original intention. This is
+     not to be used with the already existing <literal>forceSSL</literal> which
+     creates a second non-SSL virtual host redirecting to the SSL virtual host.
+     This by chance had worked earlier due to specific implementation details.
+     In case you had specified both please remove the
+     <literal>enableSSL</literal> option to keep the previous behaviour.
+    </para>
+    <para>
+     Another <literal>addSSL</literal> option has been introduced to configure
+     both a non-SSL virtual host and an SSL virtual host with the same
+     configuration.
+    </para>
+    <para>
+     Options to configure <literal>resolver</literal> options and
+     <literal>upstream</literal> blocks have been introduced. See their
+     information for further details.
+    </para>
+    <para>
+     The <literal>port</literal> option has been replaced by a more generic
+     <literal>listen</literal> option which makes it possible to specify
+     multiple addresses, ports and SSL configs dependant on the new SSL
+     handling mentioned above.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.09-new-services">
+  <title>New Services</title>
+
+  <para>
+   The following new services were added since the last release:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     <literal>config/fonts/fontconfig-penultimate.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>config/fonts/fontconfig-ultimate.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>config/terminfo.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>hardware/sensor/iio.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>hardware/nitrokey.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>hardware/raid/hpsa.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/browserpass.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/gnupg.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/qt5ct.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/slock.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>programs/thefuck.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>security/auditd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>security/lock-kernel-modules.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>service-managers/docker.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>service-managers/trivial.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/admin/salt/master.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/admin/salt/minion.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/audio/slimserver.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/cluster/kubernetes/default.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/cluster/kubernetes/dns.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/cluster/kubernetes/dashboard.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/continuous-integration/hail.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/databases/clickhouse.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/databases/postage.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/desktops/gnome3/gnome-disks.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/desktops/gnome3/gpaste.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/logging/SystemdJournal2Gelf.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/logging/heartbeat.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/logging/journalwatch.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/logging/syslogd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/mail/mailhog.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/mail/nullmailer.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/airsonic.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/autorandr.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/exhibitor.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/fstrim.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/gollum.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/irkerd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/jackett.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/radarr.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/misc/snapper.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/osquery.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/prometheus/collectd-exporter.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/monitoring/prometheus/fritzbox-exporter.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/network-filesystems/kbfs.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/dnscache.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/fireqos.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/iwd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/keepalived/default.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/keybase.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/lldpd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/matterbridge.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/squid.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/tinydns.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/networking/xrdp.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/security/shibboleth-sp.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/security/sks.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/security/sshguard.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/security/torify.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/security/usbguard.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/security/vault.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/system/earlyoom.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/system/saslauthd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-apps/nexus.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-apps/pgpkeyserver-lite.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-apps/piwik.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-servers/lighttpd/collectd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/web-servers/minio.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/x11/display-managers/xpra.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services/x11/xautolock.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>tasks/filesystems/bcachefs.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>tasks/powertop.nix</literal>
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.09-incompatibilities">
+  <title>Backward Incompatibilities</title>
+
+  <para>
+   When upgrading from a previous release, please be aware of the following
+   incompatible changes:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     <emphasis role="strong"> In an Qemu-based virtualization environment, the
+     network interface names changed from i.e. <literal>enp0s3</literal> to
+     <literal>ens3</literal>. </emphasis>
+    </para>
+    <para>
+     This is due to a kernel configuration change. The new naming is consistent
+     with those of other Linux distributions with systemd. See
+     <link xlink:href="https://github.com/NixOS/nixpkgs/issues/29197">#29197</link>
+     for more information.
+    </para>
+    <para>
+     A machine is affected if the <literal>virt-what</literal> tool either
+     returns <literal>qemu</literal> or <literal>kvm</literal>
+     <emphasis>and</emphasis> has interface names used in any part of its NixOS
+     configuration, in particular if a static network configuration with
+     <literal>networking.interfaces</literal> is used.
+    </para>
+    <para>
+     Before rebooting affected machines, please ensure:
+     <itemizedlist>
+      <listitem>
+       <para>
+        Change the interface names in your NixOS configuration. The first
+        interface will be called <literal>ens3</literal>, the second one
+        <literal>ens8</literal> and starting from there incremented by 1.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        After changing the interface names, rebuild your system with
+        <literal>nixos-rebuild boot</literal> to activate the new configuration
+        after a reboot. If you switch to the new configuration right away you
+        might lose network connectivity! If using <literal>nixops</literal>,
+        deploy with <literal>nixops deploy --force-reboot</literal>.
+       </para>
+      </listitem>
+     </itemizedlist>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The following changes apply if the <literal>stateVersion</literal> is
+     changed to 17.09 or higher. For <literal>stateVersion = "17.03"</literal>
+     or lower the old behavior is preserved.
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       The <literal>postgres</literal> default version was changed from 9.5 to
+       9.6.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       The <literal>postgres</literal> superuser name has changed from
+       <literal>root</literal> to <literal>postgres</literal> to more closely
+       follow what other Linux distributions are doing.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       The <literal>postgres</literal> default <literal>dataDir</literal> has
+       changed from <literal>/var/db/postgres</literal> to
+       <literal>/var/lib/postgresql/$psqlSchema</literal> where $psqlSchema is
+       9.6 for example.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       The <literal>mysql</literal> default <literal>dataDir</literal> has
+       changed from <literal>/var/mysql</literal> to
+       <literal>/var/lib/mysql</literal>.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       Radicale's default package has changed from 1.x to 2.x. Instructions to
+       migrate can be found <link xlink:href="http://radicale.org/1to2/"> here
+       </link>. It is also possible to use the newer version by setting the
+       <literal>package</literal> to <literal>radicale2</literal>, which is
+       done automatically when <literal>stateVersion</literal> is 17.09 or
+       higher. The <literal>extraArgs</literal> option has been added to allow
+       passing the data migration arguments specified in the instructions; see
+       the
+       <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/radicale.nix">radicale.nix</filename>
+       NixOS test for an example migration.
+      </para>
+     </listitem>
+    </itemizedlist>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>aiccu</literal> package was removed. This is due to SixXS
+     <link xlink:href="https://www.sixxs.net/main/"> sunsetting</link> its IPv6
+     tunnel.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>fanctl</literal> package and <literal>fan</literal> module
+     have been removed due to the developers not upstreaming their iproute2
+     patches and lagging with compatibility to recent iproute2 versions.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Top-level <literal>idea</literal> package collection was renamed. All
+     JetBrains IDEs are now at <literal>jetbrains</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>flexget</literal>'s state database cannot be upgraded to its new
+     internal format, requiring removal of any existing
+     <literal>db-config.sqlite</literal> which will be automatically recreated.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>ipfs</literal> service now doesn't ignore the
+     <literal>dataDir</literal> option anymore. If you've ever set this option
+     to anything other than the default you'll have to either unset it (so the
+     default gets used) or migrate the old data manually with
+<programlisting>
+dataDir=&lt;valueOfDataDir&gt;
+mv /var/lib/ipfs/.ipfs/* $dataDir
+rmdir /var/lib/ipfs/.ipfs
+</programlisting>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>caddy</literal> service was previously using an extra
+     <literal>.caddy</literal> directory in the data directory specified with
+     the <literal>dataDir</literal> option. The contents of the
+     <literal>.caddy</literal> directory are now expected to be in the
+     <literal>dataDir</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>ssh-agent</literal> user service is not started by default
+     anymore. Use <literal>programs.ssh.startAgent</literal> to enable it if
+     needed. There is also a new <literal>programs.gnupg.agent</literal> module
+     that creates a <literal>gpg-agent</literal> user service. It can also
+     serve as a SSH agent if <literal>enableSSHSupport</literal> is set.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>services.tinc.networks.&lt;name&gt;.listenAddress</literal>
+     option had a misleading name that did not correspond to its behavior. It
+     now correctly defines the ip to listen for incoming connections on. To
+     keep the previous behaviour, use
+     <literal>services.tinc.networks.&lt;name&gt;.bindToAddress</literal>
+     instead. Refer to the description of the options for more details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>tlsdate</literal> package and module were removed. This is due to
+     the project being dead and not building with openssl 1.1.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>wvdial</literal> package and module were removed. This is due to
+     the project being dead and not building with openssl 1.1.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>cc-wrapper</literal>'s setup-hook now exports a number of
+     environment variables corresponding to binutils binaries, (e.g.
+     <envar>LD</envar>, <envar>STRIP</envar>, <envar>RANLIB</envar>, etc). This
+     is done to prevent packages' build systems guessing, which is harder to
+     predict, especially when cross-compiling. However, some packages have
+     broken due to this—their build systems either not supporting, or
+     claiming to support without adequate testing, taking such environment
+     variables as parameters.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services.firefox.syncserver</literal> now runs by default as a
+     non-root user. To accomodate this change, the default sqlite database
+     location has also been changed. Migration should work automatically. Refer
+     to the description of the options for more details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>compiz</literal> window manager and package was removed. The
+     system support had been broken for several years.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Touchpad support should now be enabled through <literal>libinput</literal>
+     as <literal>synaptics</literal> is now deprecated. See the option
+     <literal>services.xserver.libinput.enable</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     grsecurity/PaX support has been dropped, following upstream's decision to
+     cease free support. See
+     <link xlink:href="https://grsecurity.net/passing_the_baton.php">
+     upstream's announcement</link> for more information. No complete
+     replacement for grsecurity/PaX is available presently.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services.mysql</literal> now has declarative configuration of
+     databases and users with the <literal>ensureDatabases</literal> and
+     <literal>ensureUsers</literal> options.
+    </para>
+    <para>
+     These options will never delete existing databases and users, especially
+     not when the value of the options are changed.
+    </para>
+    <para>
+     The MySQL users will be identified using
+     <link xlink:href="https://mariadb.com/kb/en/library/authentication-plugin-unix-socket/">
+     Unix socket authentication</link>. This authenticates the Unix user with
+     the same name only, and that without the need for a password.
+    </para>
+    <para>
+     If you have previously created a MySQL <literal>root</literal> user
+     <emphasis>with a password</emphasis>, you will need to add
+     <literal>root</literal> user for unix socket authentication before using
+     the new options. This can be done by running the following SQL script:
+<programlisting language="sql">
+CREATE USER 'root'@'%' IDENTIFIED BY '';
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
+FLUSH PRIVILEGES;
+
+-- Optionally, delete the password-authenticated user:
+-- DROP USER 'root'@'localhost';
+</programlisting>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services.mysqlBackup</literal> now works by default without any
+     user setup, including for users other than <literal>mysql</literal>.
+    </para>
+    <para>
+     By default, the <literal>mysql</literal> user is no longer the user which
+     performs the backup. Instead a system account
+     <literal>mysqlbackup</literal> is used.
+    </para>
+    <para>
+     The <literal>mysqlBackup</literal> service is also now using systemd
+     timers instead of <literal>cron</literal>.
+    </para>
+    <para>
+     Therefore, the <literal>services.mysqlBackup.period</literal> option no
+     longer exists, and has been replaced with
+     <literal>services.mysqlBackup.calendar</literal>, which is in the format
+     of
+     <link
+      xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events">systemd.time(7)</link>.
+    </para>
+    <para>
+     If you expect to be sent an e-mail when the backup fails, consider using a
+     script which monitors the systemd journal for errors. Regretfully, at
+     present there is no built-in functionality for this.
+    </para>
+    <para>
+     You can check that backups still work by running <command>systemctl start
+     mysql-backup</command> then <command>systemctl status
+     mysql-backup</command>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Templated systemd services e.g <literal>container@name</literal> are now
+     handled currectly when switching to a new configuration, resulting in them
+     being reloaded.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Steam: the <literal>newStdcpp</literal> parameter was removed and should
+     not be needed anymore.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Redis has been updated to version 4 which mandates a cluster mass-restart,
+     due to changes in the network handling, in order to ensure compatibility
+     with networks NATing traffic.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.09-notable-changes">
+  <title>Other Notable Changes</title>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     Modules can now be disabled by using
+     <link
+      xlink:href="https://nixos.org/nixpkgs/manual/#sec-replace-modules">
+     disabledModules</link>, allowing another to take it's place. This can be
+     used to import a set of modules from another channel while keeping the
+     rest of the system on a stable release.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Updated to FreeType 2.7.1, including a new TrueType engine. The new engine
+     replaces the Infinality engine which was the default in NixOS. The default
+     font rendering settings are now provided by fontconfig-penultimate,
+     replacing fontconfig-ultimate; the new defaults are less invasive and
+     provide rendering that is more consistent with other systems and hopefully
+     with each font designer's intent. Some system-wide configuration has been
+     removed from the Fontconfig NixOS module where user Fontconfig settings
+     are available.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     ZFS/SPL have been updated to 0.7.0, <literal>zfsUnstable,
+     splUnstable</literal> have therefore been removed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <option>time.timeZone</option> option now allows the value
+     <literal>null</literal> in addition to timezone strings. This value allows
+     changing the timezone of a system imperatively using <command>timedatectl
+     set-timezone</command>. The default timezone is still UTC.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Nixpkgs overlays may now be specified with a file as well as a directory.
+     The value of <literal>&lt;nixpkgs-overlays></literal> may be a file, and
+     <filename>~/.config/nixpkgs/overlays.nix</filename> can be used instead of
+     the <filename>~/.config/nixpkgs/overlays</filename> directory.
+    </para>
+    <para>
+     See the overlays chapter of the Nixpkgs manual for more details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Definitions for <filename>/etc/hosts</filename> can now be specified
+     declaratively with <literal>networking.hosts</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Two new options have been added to the installer loader, in addition to
+     the default having changed. The kernel log verbosity has been lowered to
+     the upstream default for the default options, in order to not spam the
+     console when e.g. joining a network.
+    </para>
+    <para>
+     This therefore leads to adding a new <literal>debug</literal> option to
+     set the log level to the previous verbose mode, to make debugging easier,
+     but still accessible easily.
+    </para>
+    <para>
+     Additionally a <literal>copytoram</literal> option has been added, which
+     makes it possible to remove the install medium after booting. This allows
+     tethering from your phone after booting from it.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services.gitlab-runner.configOptions</literal> has been added to
+     specify the configuration of gitlab-runners declaratively.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services.jenkins.plugins</literal> has been added to install
+     plugins easily, this can be generated with jenkinsPlugins2nix.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services.postfix.config</literal> has been added to specify the
+     main.cf with NixOS options. Additionally other options have been added to
+     the postfix module and has been improved further.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The GitLab package and module have been updated to the latest 10.0
+     release.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>systemd-boot</literal> boot loader now lists the NixOS
+     version, kernel version and build date of all bootable generations.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The dnscrypt-proxy service now defaults to using a random upstream
+     resolver, selected from the list of public non-logging resolvers with
+     DNSSEC support. Existing configurations can be migrated to this mode of
+     operation by omitting the
+     <option>services.dnscrypt-proxy.resolverName</option> option or setting it
+     to <literal>"random"</literal>.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+</section>
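Review bot: The SQL listing under the `services.mysql` item in the 17.09 "Backward Incompatibilities" section creates `'root'@'%'` with `IDENTIFIED BY ''`, which is an account with an empty password that matches any client host, not one bound to Unix socket authentication as the paragraph above it describes. Together with `GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION`, any local user, and any remote client if the server listens on TCP, would presumably get full administrative access without credentials. I would restrict the account to the local host and tie it to the plugin, e.g. `CREATE USER 'root'@'localhost' IDENTIFIED VIA unix_socket;` with the grant changed to `'root'@'localhost'`, and state how the existing password-authenticated `'root'@'localhost'` entry has to be handled first. The exact statement should be checked against the MariaDB version this release ships, since plugin availability is not visible from this page.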
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1803.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1803.xml
new file mode 100644
index 000000000000..c14679eea071
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1803.xml
@@ -0,0 +1,855 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03">
+ <title>Release 18.03 (“Impala”, 2018/04/04)</title>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-highlights">
+  <title>Highlights</title>
+
+  <para>
+   In addition to numerous new and upgraded packages, this release has the
+   following highlights:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     End of support is planned for end of October 2018, handing over to 18.09.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Platform support: x86_64-linux and x86_64-darwin since release time (the
+     latter isn't NixOS, really). Binaries for aarch64-linux are available, but
+     no channel exists yet, as it's waiting for some test fixes, etc.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Nix now defaults to 2.0; see its
+     <link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.0">release
+     notes</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Core version changes: linux: 4.9 -> 4.14, glibc: 2.25 -> 2.26, gcc: 6 ->
+     7, systemd: 234 -> 237.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Desktop version changes: gnome: 3.24 -> 3.26, (KDE) plasma-desktop: 5.10
+     -> 5.12.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     MariaDB 10.2, updated from 10.1, is now the default MySQL implementation.
+     While upgrading a few changes have been made to the infrastructure
+     involved:
+     <itemizedlist>
+      <listitem>
+       <para>
+        <literal>libmysql</literal> has been deprecated, please use
+        <literal>mysql.connector-c</literal> instead, a compatibility passthru
+        has been added to the MySQL packages.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        The <literal>mysql57</literal> package has a new
+        <literal>static</literal> output containing the static libraries
+        including <literal>libmysqld.a</literal>
+       </para>
+      </listitem>
+     </itemizedlist>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     PHP now defaults to PHP 7.2, updated from 7.1.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-new-services">
+  <title>New Services</title>
+
+  <para>
+   The following new services were added since the last release:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     <literal>./config/krb5/default.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./hardware/digitalbitbox.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./misc/label.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/ccache.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/criu.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/digitalbitbox/default.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/less.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/npm.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/plotinus.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/rootston.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/systemtap.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/sway.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/udevil.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/way-cooler.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/yabar.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/zsh/zsh-autoenv.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/backup/borgbackup.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/backup/crashplan-small-business.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/desktops/dleyna-renderer.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/desktops/dleyna-server.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/desktops/pipewire.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/desktops/gnome3/chrome-gnome-shell.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/desktops/gnome3/tracker-miners.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/hardware/fwupd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/hardware/interception-tools.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/hardware/u2f.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/hardware/usbmuxd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/mail/clamsmtp.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/mail/dkimproxy-out.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/mail/pfix-srsd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/gitea.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/home-assistant.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/ihaskell.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/logkeys.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/novacomd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/osrm.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/plexpy.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/pykms.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/tzupdate.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/monitoring/fusion-inventory.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/monitoring/prometheus/exporters.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/network-filesystems/beegfs.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/network-filesystems/davfs2.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/network-filesystems/openafs/client.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/network-filesystems/openafs/server.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/network-filesystems/ceph.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/aria2.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/monero.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/nghttpx/default.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/nixops-dns.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/rxe.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/stunnel.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/web-apps/matomo.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/web-apps/restya-board.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/web-servers/mighttpd2.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/x11/fractalart.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./system/boot/binfmt.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./system/boot/grow-partition.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./tasks/filesystems/ecryptfs.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./virtualisation/hyperv-guest.nix</literal>
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-incompatibilities">
+  <title>Backward Incompatibilities</title>
+
+  <para>
+   When upgrading from a previous release, please be aware of the following
+   incompatible changes:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     <literal>sound.enable</literal> now defaults to false.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Dollar signs in options under <option>services.postfix</option> are passed
+     verbatim to Postfix, which will interpret them as the beginning of a
+     parameter expression. This was already true for string-valued options in
+     the previous release, but not for list-valued options. If you need to pass
+     literal dollar signs through Postfix, double them.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>postage</literal> package (for web-based PostgreSQL
+     administration) has been renamed to <literal>pgmanage</literal>. The
+     corresponding module has also been renamed. To migrate please rename all
+     <option>services.postage</option> options to
+     <option>services.pgmanage</option>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Package attributes starting with a digit have been prefixed with an
+     underscore sign. This is to avoid quoting in the configuration and other
+     issues with command-line tools like <literal>nix-env</literal>. The change
+     affects the following packages:
+     <itemizedlist>
+      <listitem>
+       <para>
+        <literal>2048-in-terminal</literal> →
+        <literal>_2048-in-terminal</literal>
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        <literal>90secondportraits</literal> →
+        <literal>_90secondportraits</literal>
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        <literal>2bwm</literal> → <literal>_2bwm</literal>
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        <literal>389-ds-base</literal> → <literal>_389-ds-base</literal>
+       </para>
+      </listitem>
+     </itemizedlist>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <emphasis role="strong"> The OpenSSH service no longer enables support for
+     DSA keys by default, which could cause a system lock out. Update your keys
+     or, unfavorably, re-enable DSA support manually. </emphasis>
+    </para>
+    <para>
+     DSA support was
+     <link xlink:href="https://www.openssh.com/legacy.html">deprecated in
+     OpenSSH 7.0</link>, due to it being too weak. To re-enable support, add
+     <literal>PubkeyAcceptedKeyTypes +ssh-dss</literal> to the end of your
+     <option>services.openssh.extraConfig</option>.
+    </para>
+    <para>
+     After updating the keys to be stronger, anyone still on a pre-17.03
+     version is safe to jump to 17.03, as vetted
+     <link xlink:href="https://search.nix.gsc.io/?q=stateVersion">here</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>openssh</literal> package now includes Kerberos support by
+     default; the <literal>openssh_with_kerberos</literal> package is now a
+     deprecated alias. If you do not want Kerberos support, you can do
+     <literal>openssh.override { withKerberos = false; }</literal>. Note, this
+     also applies to the <literal>openssh_hpn</literal> package.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>cc-wrapper</literal> has been split in two; there is now also a
+     <literal>bintools-wrapper</literal>. The most commonly used files in
+     <filename>nix-support</filename> are now split between the two wrappers.
+     Some commonly used ones, like
+     <filename>nix-support/dynamic-linker</filename>, are duplicated for
+     backwards compatability, even though they rightly belong only in
+     <literal>bintools-wrapper</literal>. Other more obscure ones are just
+     moved.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The propagation logic has been changed. The new logic, along with new
+     types of dependencies that go with, is thoroughly documented in the
+     "Specifying dependencies" section of the "Standard Environment" chapter of
+     the nixpkgs manual.
+<!-- That's <xref linkend="ssec-stdenv-attributes"> were we to merge the manuals. -->
+     The old logic isn't but is easy to describe: dependencies were propagated
+     as the same type of dependency no matter what. In practice, that means
+     that many <function>propagatedNativeBuildInputs</function> should instead
+     be <function>propagatedBuildInputs</function>. Thankfully, that was and is
+     the least used type of dependency. Also, it means that some
+     <function>propagatedBuildInputs</function> should instead be
+     <function>depsTargetTargetPropagated</function>. Other types dependencies
+     should be unaffected.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>lib.addPassthru drv passthru</literal> is removed. Use
+     <literal>lib.extendDerivation true passthru drv</literal> instead.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>memcached</literal> service no longer accept dynamic socket
+     paths via <option>services.memcached.socket</option>. Unix sockets can be
+     still enabled by <option>services.memcached.enableUnixSocket</option> and
+     will be accessible at <literal>/run/memcached/memcached.sock</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <varname>hardware.amdHybridGraphics.disable</varname> option was
+     removed for lack of a maintainer. If you still need this module, you may
+     wish to include a copy of it from an older version of nixos in your
+     imports.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The merging of config options for
+     <varname>services.postfix.config</varname> was buggy. Previously, if other
+     options in the Postfix module like
+     <varname>services.postfix.useSrs</varname> were set and the user set
+     config options that were also set by such options, the resulting config
+     wouldn't include all options that were needed. They are now merged
+     correctly. If config options need to be overridden,
+     <literal>lib.mkForce</literal> or <literal>lib.mkOverride</literal> can be
+     used.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The following changes apply if the <literal>stateVersion</literal> is
+     changed to 18.03 or higher. For <literal>stateVersion = "17.09"</literal>
+     or lower the old behavior is preserved.
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       <literal>matrix-synapse</literal> uses postgresql by default instead of
+       sqlite. Migration instructions can be found
+       <link xlink:href="https://github.com/matrix-org/synapse/blob/master/docs/postgres.rst#porting-from-sqlite">
+       here </link>.
+      </para>
+     </listitem>
+    </itemizedlist>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>jid</literal> package has been removed, due to maintenance
+     overhead of a go package having non-versioned dependencies.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     When using <option>services.xserver.libinput</option> (enabled by default
+     in GNOME), it now handles all input devices, not just touchpads. As a
+     result, you might need to re-evaluate any custom Xorg configuration. In
+     particular, <literal>Option "XkbRules" "base"</literal> may result in
+     broken keyboard layout.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>attic</literal> package was removed. A maintained fork called
+     <link xlink:href="https://www.borgbackup.org/">Borg</link> should be used
+     instead. Migration instructions can be found
+     <link xlink:href="http://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#attic-and-borg-0-xx-to-borg-1-x">here</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Piwik analytics software was renamed to Matomo:
+     <itemizedlist>
+      <listitem>
+       <para>
+        The package <literal>pkgs.piwik</literal> was renamed to
+        <literal>pkgs.matomo</literal>.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        The service <literal>services.piwik</literal> was renamed to
+        <literal>services.matomo</literal>.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        The data directory <filename>/var/lib/piwik</filename> was renamed to
+        <filename>/var/lib/matomo</filename>. All files will be moved
+        automatically on first startup, but you might need to adjust your
+        backup scripts.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        The default <option>serverName</option> for the nginx configuration
+        changed from <literal>piwik.${config.networking.hostName}</literal> to
+        <literal>matomo.${config.networking.hostName}.${config.networking.domain}</literal>
+        if <option>config.networking.domain</option> is set,
+        <literal>matomo.${config.networking.hostName}</literal> if it is not
+        set. If you change your <option>serverName</option>, remember you'll
+        need to update the <literal>trustedHosts[]</literal> array in
+        <filename>/var/lib/matomo/config/config.ini.php</filename> as well.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        The <literal>piwik</literal> user was renamed to
+        <literal>matomo</literal>. The service will adjust ownership
+        automatically for files in the data directory. If you use unix socket
+        authentication, remember to give the new <literal>matomo</literal> user
+        access to the database and to change the <literal>username</literal> to
+        <literal>matomo</literal> in the <literal>[database]</literal> section
+        of <filename>/var/lib/matomo/config/config.ini.php</filename>.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        If you named your database `piwik`, you might want to rename it to
+        `matomo` to keep things clean, but this is neither enforced nor
+        required.
+       </para>
+      </listitem>
+     </itemizedlist>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>nodejs-4_x</literal> is end-of-life.
+     <literal>nodejs-4_x</literal>, <literal>nodejs-slim-4_x</literal> and
+     <literal>nodePackages_4_x</literal> are removed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>pump.io</literal> NixOS module was removed. It is now
+     maintained as an
+     <link xlink:href="https://github.com/rvl/pump.io-nixos">external
+     module</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Prosody XMPP server has received a major update. The following modules
+     were renamed:
+     <itemizedlist>
+      <listitem>
+       <para>
+        <option>services.prosody.modules.httpserver</option> is now
+        <option>services.prosody.modules.http_files</option>
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        <option>services.prosody.modules.console</option> is now
+        <option>services.prosody.modules.admin_telnet</option>
+       </para>
+      </listitem>
+     </itemizedlist>
+    </para>
+    <para>
+     Many new modules are now core modules, most notably
+     <option>services.prosody.modules.carbons</option> and
+     <option>services.prosody.modules.mam</option>.
+    </para>
+    <para>
+     The better-performing <literal>libevent</literal> backend is now enabled
+     by default.
+    </para>
+    <para>
+     <literal>withCommunityModules</literal> now passes through the modules to
+     <option>services.prosody.extraModules</option>. Use
+     <literal>withOnlyInstalledCommunityModules</literal> for modules that
+     should not be enabled directly, e.g <literal>lib_ldap</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     All prometheus exporter modules are now defined as submodules. The
+     exporters are configured using
+     <literal>services.prometheus.exporters</literal>.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-notable-changes">
+  <title>Other Notable Changes</title>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     ZNC option <option>services.znc.mutable</option> now defaults to
+     <literal>true</literal>. That means that old configuration is not
+     overwritten by default when update to the znc options are made.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option <option>networking.wireless.networks.&lt;name&gt;.auth</option>
+     has been added for wireless networks with WPA-Enterprise authentication.
+     There is also a new <option>extraConfig</option> option to directly
+     configure <literal>wpa_supplicant</literal> and <option>hidden</option> to
+     connect to hidden networks.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     In the module <option>networking.interfaces.&lt;name&gt;</option> the
+     following options have been removed:
+     <itemizedlist>
+      <listitem>
+       <para>
+        <option>ipAddress</option>
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        <option>ipv6Address</option>
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        <option>prefixLength</option>
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        <option>ipv6PrefixLength</option>
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        <option>subnetMask</option>
+       </para>
+      </listitem>
+     </itemizedlist>
+     To assign static addresses to an interface the options
+     <option>ipv4.addresses</option> and <option>ipv6.addresses</option> should
+     be used instead. The options <option>ip4</option> and <option>ip6</option>
+     have been renamed to <option>ipv4.addresses</option>
+     <option>ipv6.addresses</option> respectively. The new options
+     <option>ipv4.routes</option> and <option>ipv6.routes</option> have been
+     added to set up static routing.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option <option>services.logstash.listenAddress</option> is now
+     <literal>127.0.0.1</literal> by default. Previously the default behaviour
+     was to listen on all interfaces.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>services.btrfs.autoScrub</literal> has been added, to
+     periodically check btrfs filesystems for data corruption. If there's a
+     correct copy available, it will automatically repair corrupted blocks.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>displayManager.lightdm.greeters.gtk.clock-format.</literal> has
+     been added, the clock format string (as expected by strftime, e.g.
+     <literal>%H:%M</literal>) to use with the lightdm gtk greeter panel.
+    </para>
+    <para>
+     If set to null the default clock format is used.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>displayManager.lightdm.greeters.gtk.indicators</literal> has been
+     added, a list of allowed indicator modules to use with the lightdm gtk
+     greeter panel.
+    </para>
+    <para>
+     Built-in indicators include <literal>~a11y</literal>,
+     <literal>~language</literal>, <literal>~session</literal>,
+     <literal>~power</literal>, <literal>~clock</literal>,
+     <literal>~host</literal>, <literal>~spacer</literal>. Unity indicators can
+     be represented by short name (e.g. <literal>sound</literal>,
+     <literal>power</literal>), service file name, or absolute path.
+    </para>
+    <para>
+     If set to <literal>null</literal> the default indicators are used.
+    </para>
+    <para>
+     In order to have the previous default configuration add
+<programlisting>
+  services.xserver.displayManager.lightdm.greeters.gtk.indicators = [
+    "~host" "~spacer"
+    "~clock" "~spacer"
+    "~session"
+    "~language"
+    "~a11y"
+    "~power"
+  ];
+</programlisting>
+     to your <literal>configuration.nix</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The NixOS test driver supports user services declared by
+     <literal>systemd.user.services</literal>. The methods
+     <literal>waitForUnit</literal>, <literal>getUnitInfo</literal>,
+     <literal>startJob</literal> and <literal>stopJob</literal> provide an
+     optional <literal>$user</literal> argument for that purpose.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Enabling bash completion on NixOS,
+     <literal>programs.bash.enableCompletion</literal>, will now also enable
+     completion for the Nix command line tools by installing the
+     <link xlink:href="https://github.com/hedning/nix-bash-completions">nix-bash-completions</link>
+     package.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+</section>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1809.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1809.xml
new file mode 100644
index 000000000000..3f10b26223dd
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1809.xml
@@ -0,0 +1,933 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.09">
+ <title>Release 18.09 (“Jellyfish”, 2018/10/05)</title>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.09-highlights">
+  <title>Highlights</title>
+
+  <para>
+   In addition to numerous new and upgraded packages, this release has the
+   following notable updates:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     End of support is planned for end of April 2019, handing over to 19.03.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Platform support: x86_64-linux and x86_64-darwin as always. Support for
+     aarch64-linux is as with the previous releases, not equivalent to the
+     x86-64-linux release, but with efforts to reach parity.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Nix has been updated to 2.1; see its
+     <link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.1">release
+     notes</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Core versions: linux: 4.14 LTS (unchanged), glibc: 2.26 → 2.27, gcc: 7
+     (unchanged), systemd: 237 → 239.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Desktop version changes: gnome: 3.26 → 3.28, (KDE) plasma-desktop: 5.12
+     → 5.13.
+    </para>
+   </listitem>
+  </itemizedlist>
+
+  <para>
+   Notable changes and additions for 18.09 include:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     Support for wrapping binaries using <literal>firejail</literal> has been
+     added through <varname>programs.firejail.wrappedBinaries</varname>.
+    </para>
+    <para>
+     For example
+    </para>
+<programlisting>
+programs.firejail = {
+  enable = true;
+  wrappedBinaries = {
+    firefox = "${lib.getBin pkgs.firefox}/bin/firefox";
+    mpv = "${lib.getBin pkgs.mpv}/bin/mpv";
+  };
+};
+</programlisting>
+    <para>
+     This will place <literal>firefox</literal> and <literal>mpv</literal>
+     binaries in the global path wrapped by firejail.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     User channels are now in the default <literal>NIX_PATH</literal>, allowing
+     users to use their personal <command>nix-channel</command> defined
+     channels in <command>nix-build</command> and <command>nix-shell</command>
+     commands, as well as in imports like <code>import
+     &lt;mychannel&gt;</code>.
+    </para>
+    <para>
+     For example
+    </para>
+<programlisting>
+$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgsunstable
+$ nix-channel --update
+$ nix-build '&lt;nixpkgsunstable&gt;' -A gitFull
+$ nix run -f '&lt;nixpkgsunstable&gt;' gitFull
+$ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
+</programlisting>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.09-new-services">
+  <title>New Services</title>
+
+  <para>
+   A curated selection of new services that were added since the last release:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     The <varname>services.cassandra</varname> module has been reworked and was
+     rewritten from scratch. The service has succeeding tests for the versions
+     2.1, 2.2, 3.0 and 3.11 of
+     <link
+     xlink:href="https://cassandra.apache.org/">Apache
+     Cassandra</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     There is a new <varname>services.foundationdb</varname> module for
+     deploying
+     <link xlink:href="https://www.foundationdb.org">FoundationDB</link>
+     clusters.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     When enabled the <literal>iproute2</literal> will copy the files expected
+     by ip route (e.g., <filename>rt_tables</filename>) in
+     <filename>/etc/iproute2</filename>. This allows to write aliases for
+     routing tables for instance.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <varname>services.strongswan-swanctl</varname> is a modern replacement for
+     <varname>services.strongswan</varname>. You can use either one of them to
+     setup IPsec VPNs but not both at the same time.
+    </para>
+    <para>
+     <varname>services.strongswan-swanctl</varname> uses the
+     <link xlink:href="https://wiki.strongswan.org/projects/strongswan/wiki/swanctl">swanctl</link>
+     command which uses the modern
+     <link xlink:href="https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md">vici</link>
+     <emphasis>Versatile IKE Configuration Interface</emphasis>. The deprecated
+     <literal>ipsec</literal> command used in
+     <varname>services.strongswan</varname> is using the legacy
+     <link xlink:href="https://github.com/strongswan/strongswan/blob/master/README_LEGACY.md">stroke
+     configuration interface</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The new <varname>services.elasticsearch-curator</varname> service
+     periodically curates or manages, your Elasticsearch indices and snapshots.
+    </para>
+   </listitem>
+  </itemizedlist>
+
+  <para>
+   Every new services:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     <literal>./config/xdg/autostart.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./config/xdg/icons.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./config/xdg/menus.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./config/xdg/mime.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./hardware/brightnessctl.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./hardware/onlykey.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./hardware/video/uvcvideo/default.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./misc/documentation.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/firejail.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/iftop.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/sedutil.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/singularity.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/xss-lock.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./programs/zsh/zsh-autosuggestions.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/admin/oxidized.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/backup/duplicati.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/backup/restic.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/backup/restic-rest-server.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/cluster/hadoop/default.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/databases/aerospike.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/databases/monetdb.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/desktops/bamf.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/desktops/flatpak.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/desktops/zeitgeist.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/development/bloop.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/development/jupyter/default.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/hardware/lcd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/hardware/undervolt.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/clipmenu.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/gitweb.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/serviio.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/safeeyes.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/sysprof.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/weechat.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/monitoring/datadog-agent.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/monitoring/incron.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/dnsdist.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/freeradius.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/hans.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/morty.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/ndppd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/ocserv.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/owamp.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/quagga.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/shadowsocks.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/stubby.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/networking/zeronet.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/security/certmgr.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/security/cfssl.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/security/oauth2_proxy_nginx.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/web-apps/virtlyst.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/web-apps/youtrack.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/web-servers/hitch/default.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/web-servers/hydron.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/web-servers/meguca.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/web-servers/nginx/gitweb.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./virtualisation/kvmgt.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./virtualisation/qemu-guest-agent.nix</literal>
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.09-incompatibilities">
+  <title>Backward Incompatibilities</title>
+
+  <para>
+   When upgrading from a previous release, please be aware of the following
+   incompatible changes:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     Some licenses that were incorrectly not marked as unfree now are. This is
+     the case for:
+     <itemizedlist>
+      <listitem>
+       <para>
+        cc-by-nc-sa-20: Creative Commons Attribution Non Commercial Share Alike
+        2.0
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        cc-by-nc-sa-25: Creative Commons Attribution Non Commercial Share Alike
+        2.5
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        cc-by-nc-sa-30: Creative Commons Attribution Non Commercial Share Alike
+        3.0
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        cc-by-nc-sa-40: Creative Commons Attribution Non Commercial Share Alike
+        4.0
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        cc-by-nd-30: Creative Commons Attribution-No Derivative Works v3.00
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        msrla: Microsoft Research License Agreement
+       </para>
+      </listitem>
+     </itemizedlist>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The deprecated <varname>services.cassandra</varname> module has seen a
+     complete rewrite. (See above.)
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>lib.strict</literal> is removed. Use
+     <literal>builtins.seq</literal> instead.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>clementine</literal> package points now to the free
+     derivation. <literal>clementineFree</literal> is removed now and
+     <literal>clementineUnfree</literal> points to the package which is bundled
+     with the unfree <literal>libspotify</literal> package.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>netcat</literal> package is now taken directly from OpenBSD's
+     <literal>libressl</literal>, instead of relying on Debian's fork. The new
+     version should be very close to the old version, but there are some minor
+     differences. Importantly, flags like -b, -q, -C, and -Z are no longer
+     accepted by the nc command.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <varname>services.docker-registry.extraConfig</varname> object doesn't
+     contain environment variables anymore. Instead it needs to provide an
+     object structure that can be mapped onto the YAML configuration defined in
+     <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the
+     <varname>docker/distribution</varname> docs</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>gnucash</literal> has changed from version 2.4 to 3.x. If you've
+     been using <literal>gnucash</literal> (version 2.4) instead of
+     <literal>gnucash26</literal> (version 2.6) you must open your Gnucash data
+     file(s) with <literal>gnucash26</literal> and then save them to upgrade
+     the file format. Then you may use your data file(s) with Gnucash 3.x. See
+     the upgrade
+     <link xlink:href="https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade">documentation</link>.
+     Gnucash 2.4 is still available under the attribute
+     <literal>gnucash24</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <varname>services.munge</varname> now runs as user (and group)
+     <literal>munge</literal> instead of root. Make sure the key file is
+     accessible to the daemon.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <varname>dockerTools.buildImage</varname> now uses <literal>null</literal>
+     as default value for <varname>tag</varname>, which indicates that the nix
+     output hash will be used as tag.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The ELK stack: <varname>elasticsearch</varname>,
+     <varname>logstash</varname> and <varname>kibana</varname> has been
+     upgraded from 2.* to 6.3.*. The 2.* versions have been
+     <link xlink:href="https://www.elastic.co/support/eol">unsupported since
+     last year</link> so they have been removed. You can still use the 5.*
+     versions under the names <varname>elasticsearch5</varname>,
+     <varname>logstash5</varname> and <varname>kibana5</varname>.
+    </para>
+    <para>
+     The elastic beats: <varname>filebeat</varname>,
+     <varname>heartbeat</varname>, <varname>metricbeat</varname> and
+     <varname>packetbeat</varname> have had the same treatment: they now target
+     6.3.* as well. The 5.* versions are available under the names:
+     <varname>filebeat5</varname>, <varname>heartbeat5</varname>,
+     <varname>metricbeat5</varname> and <varname>packetbeat5</varname>
+    </para>
+    <para>
+     The ELK-6.3 stack now comes with
+     <link xlink:href="https://www.elastic.co/products/x-pack/open">X-Pack by
+     default</link>. Since X-Pack is licensed under the
+     <link xlink:href="https://github.com/elastic/elasticsearch/blob/master/licenses/ELASTIC-LICENSE.txt">Elastic
+     License</link> the ELK packages now have an unfree license. To use them
+     you need to specify <literal>allowUnfree = true;</literal> in your nixpkgs
+     configuration.
+    </para>
+    <para>
+     Fortunately there is also a free variant of the ELK stack without X-Pack.
+     The packages are available under the names:
+     <varname>elasticsearch-oss</varname>, <varname>logstash-oss</varname> and
+     <varname>kibana-oss</varname>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Options
+     <literal>boot.initrd.luks.devices.<replaceable>name</replaceable>.yubikey.ramfsMountPoint</literal>
+     <literal>boot.initrd.luks.devices.<replaceable>name</replaceable>.yubikey.storage.mountPoint</literal>
+     were removed. <literal>luksroot.nix</literal> module never supported more
+     than one YubiKey at a time anyway, hence those options never had any
+     effect. You should be able to remove them from your config without any
+     issues.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>stdenv.system</literal> and <literal>system</literal> in nixpkgs
+     now refer to the host platform instead of the build platform. For native
+     builds this is not change, let alone a breaking one. For cross builds, it
+     is a breaking change, and <literal>stdenv.buildPlatform.system</literal>
+     can be used instead for the old behavior. They should be using that
+     anyways for clarity.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Groups <literal>kvm</literal> and <literal>render</literal> are introduced
+     now, as systemd requires them.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.09-notable-changes">
+  <title>Other Notable Changes</title>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     <literal>dockerTools.pullImage</literal> relies on image digest instead of
+     image tag to download the image. The <literal>sha256</literal> of a pulled
+     image has to be updated.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>lib.attrNamesToStr</literal> has been deprecated. Use more
+     specific concatenation (<literal>lib.concat(Map)StringsSep</literal>)
+     instead.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>lib.addErrorContextToAttrs</literal> has been deprecated. Use
+     <literal>builtins.addErrorContext</literal> directly.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>lib.showVal</literal> has been deprecated. Use
+     <literal>lib.traceSeqN</literal> instead.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>lib.traceXMLVal</literal> has been deprecated. Use
+     <literal>lib.traceValFn builtins.toXml</literal> instead.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>lib.traceXMLValMarked</literal> has been deprecated. Use
+     <literal>lib.traceValFn (x: str + builtins.toXML x)</literal> instead.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>pkgs</literal> argument to NixOS modules can now be set
+     directly using <literal>nixpkgs.pkgs</literal>. Previously, only the
+     <literal>system</literal>, <literal>config</literal> and
+     <literal>overlays</literal> arguments could be used to influence
+     <literal>pkgs</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     A NixOS system can now be constructed more easily based on a preexisting
+     invocation of Nixpkgs. For example:
+<programlisting>
+inherit (pkgs.nixos {
+  boot.loader.grub.enable = false;
+  fileSystems."/".device = "/dev/xvda1";
+}) toplevel kernel initialRamdisk manual;
+      </programlisting>
+     This benefits evaluation performance, lets you write Nixpkgs packages that
+     depend on NixOS images and is consistent with a deployment architecture
+     that would be centered around Nixpkgs overlays.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>lib.traceValIfNot</literal> has been deprecated. Use
+     <literal>if/then/else</literal> and <literal>lib.traceValSeq</literal>
+     instead.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>lib.traceCallXml</literal> has been deprecated. Please complain
+     if you use the function regularly.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The attribute <literal>lib.nixpkgsVersion</literal> has been deprecated in
+     favor of <literal>lib.version</literal>. Please refer to the discussion in
+     <link xlink:href="https://github.com/NixOS/nixpkgs/pull/39416#discussion_r183845745">NixOS/nixpkgs#39416</link>
+     for further reference.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>lib.recursiveUpdateUntil</literal> was not acting according to
+     its specification. It has been fixed to act according to the docstring,
+     and a test has been added.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The module for <option>security.dhparams</option> has two new options now:
+    </para>
+    <variablelist>
+     <varlistentry>
+      <term>
+       <option>security.dhparams.stateless</option>
+      </term>
+      <listitem>
+       <para>
+        Puts the generated Diffie-Hellman parameters into the Nix store instead
+        of managing them in a stateful manner in
+        <filename class="directory">/var/lib/dhparams</filename>.
+       </para>
+      </listitem>
+     </varlistentry>
+     <varlistentry>
+      <term>
+       <option>security.dhparams.defaultBitSize</option>
+      </term>
+      <listitem>
+       <para>
+        The default bit size to use for the generated Diffie-Hellman
+        parameters.
+       </para>
+      </listitem>
+     </varlistentry>
+    </variablelist>
+    <note>
+     <para>
+      The path to the actual generated parameter files should now be queried
+      using
+      <literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>
+      because it might be either in the Nix store or in a directory configured
+      by <option>security.dhparams.path</option>.
+     </para>
+    </note>
+    <note>
+     <title>For developers:</title>
+     <para>
+      Module implementers should not set a specific bit size in order to let
+      users configure it by themselves if they want to have a different bit
+      size than the default (2048).
+     </para>
+     <para>
+      An example usage of this would be:
+<programlisting>
+{ config, ... }:
+
+{
+  security.dhparams.params.myservice = {};
+  environment.etc."myservice.conf".text = ''
+    dhparams = ${config.security.dhparams.params.myservice.path}
+  '';
+}
+</programlisting>
+     </para>
+    </note>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>networking.networkmanager.useDnsmasq</literal> has been
+     deprecated. Use <literal>networking.networkmanager.dns</literal> instead.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Kubernetes package has been bumped to major version 1.11. Please
+     consult the
+     <link xlink:href="https://github.com/kubernetes/kubernetes/blob/release-1.11/CHANGELOG-1.11.md">release
+     notes</link> for details on new features and api changes.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option
+     <varname>services.kubernetes.apiserver.admissionControl</varname> was
+     renamed to
+     <varname>services.kubernetes.apiserver.enableAdmissionPlugins</varname>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Recommended way to access the Kubernetes Dashboard is via HTTPS (TLS)
+     Therefore; public service port for the dashboard has changed to 443
+     (container port 8443) and scheme to https.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option <varname>services.kubernetes.apiserver.address</varname> was
+     renamed to <varname>services.kubernetes.apiserver.bindAddress</varname>.
+     Note that the default value has changed from 127.0.0.1 to 0.0.0.0.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option <varname>services.kubernetes.apiserver.publicAddress</varname>
+     was not used and thus has been removed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option
+     <varname>services.kubernetes.addons.dashboard.enableRBAC</varname> was
+     renamed to
+     <varname>services.kubernetes.addons.dashboard.rbac.enable</varname>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Kubernetes Dashboard now has only minimal RBAC permissions by default.
+     If dashboard cluster-admin rights are desired, set
+     <varname>services.kubernetes.addons.dashboard.rbac.clusterAdmin</varname>
+     to true. On existing clusters, in order for the revocation of privileges
+     to take effect, the current ClusterRoleBinding for kubernetes-dashboard
+     must be manually removed: <literal>kubectl delete clusterrolebinding
+     kubernetes-dashboard</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <varname>programs.screen</varname> module provides allows to configure
+     <literal>/etc/screenrc</literal>, however the module behaved fairly
+     counterintuitive as the config exists, but the package wasn't available.
+     Since 18.09 <literal>pkgs.screen</literal> will be added to
+     <literal>environment.systemPackages</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The module <option>services.networking.hostapd</option> now uses WPA2 by
+     default.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <varname>s6Dns</varname>, <varname>s6Networking</varname>,
+     <varname>s6LinuxUtils</varname> and <varname>s6PortableUtils</varname>
+     renamed to <varname>s6-dns</varname>, <varname>s6-networking</varname>,
+     <varname>s6-linux-utils</varname> and <varname>s6-portable-utils</varname>
+     respectively.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The module option <option>nix.useSandbox</option> is now defaulted to
+     <literal>true</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The config activation script of <literal>nixos-rebuild</literal> now
+     <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemctl.html#Manager%20Lifecycle%20Commands">reloads</link>
+     all user units for each authenticated user.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The default display manager is now LightDM. To use SLiM set
+     <literal>services.xserver.displayManager.slim.enable</literal> to
+     <literal>true</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     NixOS option descriptions are now automatically broken up into individual
+     paragraphs if the text contains two consecutive newlines, so it's no
+     longer necessary to use <code>&lt;/para&gt;&lt;para&gt;</code> to start a
+     new paragraph.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Top-level <literal>buildPlatform</literal>,
+     <literal>hostPlatform</literal>, and <literal>targetPlatform</literal> in
+     Nixpkgs are deprecated. Please use their equivalents in
+     <literal>stdenv</literal> instead:
+     <literal>stdenv.buildPlatform</literal>,
+     <literal>stdenv.hostPlatform</literal>, and
+     <literal>stdenv.targetPlatform</literal>.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+</section>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1903.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1903.xml
new file mode 100644
index 000000000000..8ff1681d3b4a
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1903.xml
@@ -0,0 +1,768 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-19.03">
+ <title>Release 19.03 (“Koi”, 2019/04/11)</title>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-19.03-highlights">
+  <title>Highlights</title>
+
+  <para>
+   In addition to numerous new and upgraded packages, this release has the
+   following highlights:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     End of support is planned for end of October 2019, handing over to 19.09.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The default Python 3 interpreter is now CPython 3.7 instead of CPython
+     3.6.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Added the Pantheon desktop environment. It can be enabled through
+     <varname>services.xserver.desktopManager.pantheon.enable</varname>.
+    </para>
+    <note>
+     <para>
+      By default, <varname>services.xserver.desktopManager.pantheon</varname>
+      enables LightDM as a display manager, as pantheon's screen locking
+      implementation relies on it.
+     </para>
+     <para>
+      Because of that it is recommended to leave LightDM enabled. If you'd like
+      to disable it anyway, set
+      <option>services.xserver.displayManager.lightdm.enable</option> to
+      <literal>false</literal> and enable your preferred display manager.
+     </para>
+    </note>
+    <para>
+     Also note that Pantheon's LightDM greeter is not enabled by default,
+     because it has numerous issues in NixOS and isn't optimal for use here
+     yet.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     A major refactoring of the Kubernetes module has been completed.
+     Refactorings primarily focus on decoupling components and enhancing
+     security. Two-way TLS and RBAC has been enabled by default for all
+     components, which slightly changes the way the module is configured. See:
+     <xref linkend="sec-kubernetes"/> for details.
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+       There is now a set of <option>confinement</option> options for
+       <option>systemd.services</option>, which allows to restrict services
+       into a <citerefentry>
+        <refentrytitle>chroot</refentrytitle>
+        <manvolnum>2</manvolnum>
+      </citerefentry>ed environment that only contains the store paths from
+      the runtime closure of the service.
+     </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-19.03-new-services">
+  <title>New Services</title>
+
+  <para>
+   The following new services were added since the last release:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     <literal>./programs/nm-applet.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     There is a new <varname>security.googleOsLogin</varname> module for using
+     <link xlink:href="https://cloud.google.com/compute/docs/instances/managing-instance-access">OS
+     Login</link> to manage SSH access to Google Compute Engine instances,
+     which supersedes the imperative and broken
+     <literal>google-accounts-daemon</literal> used in
+     <literal>nixos/modules/virtualisation/google-compute-config.nix</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>./services/misc/beanstalkd.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     There is a new <varname>services.cockroachdb</varname> module for running
+     CockroachDB databases. NixOS now ships with CockroachDB 2.1.x as well,
+     available on <literal>x86_64-linux</literal> and
+     <literal>aarch64-linux</literal>.
+    </para>
+   </listitem>
+  </itemizedlist>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     <literal>./security/duosec.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <link xlink:href="https://duo.com/docs/duounix">PAM module for Duo
+     Security</link> has been enabled for use. One can configure it using the
+     <option>security.duosec</option> options along with the corresponding PAM
+     option in
+     <option>security.pam.services.&lt;name?&gt;.duoSecurity.enable</option>.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-19.03-incompatibilities">
+  <title>Backward Incompatibilities</title>
+
+  <para>
+   When upgrading from a previous release, please be aware of the following
+   incompatible changes:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     The minimum version of Nix required to evaluate Nixpkgs is now 2.0.
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       For users of NixOS 18.03 and 19.03, NixOS defaults to Nix 2.0, but
+       supports using Nix 1.11 by setting <literal>nix.package =
+       pkgs.nix1;</literal>. If this option is set to a Nix 1.11 package, you
+       will need to either unset the option or upgrade it to Nix 2.0.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       For users of NixOS 17.09, you will first need to upgrade Nix by setting
+       <literal>nix.package = pkgs.nixStable2;</literal> and run
+       <command>nixos-rebuild switch</command> as the <literal>root</literal>
+       user.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       For users of a daemon-less Nix installation on Linux or macOS, you can
+       upgrade Nix by running <command>curl https://nixos.org/nix/install |
+       sh</command>, or prior to doing a channel update, running
+       <command>nix-env -iA nix</command>.
+      </para>
+      <para>
+       If you have already run a channel update and Nix is no longer able to
+       evaluate Nixpkgs, the error message printed should provide adequate
+       directions for upgrading Nix.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       For users of the Nix daemon on macOS, you can upgrade Nix by running
+       <command>sudo -i sh -c 'nix-channel --update &amp;&amp; nix-env -iA
+       nixpkgs.nix'; sudo launchctl stop org.nixos.nix-daemon; sudo launchctl
+       start org.nixos.nix-daemon</command>.
+      </para>
+     </listitem>
+    </itemizedlist>
+   </listitem>
+   <listitem>
+    <para>
+     The <varname>buildPythonPackage</varname> function now sets
+     <varname>strictDeps = true</varname> to help distinguish between native
+     and non-native dependencies in order to improve cross-compilation
+     compatibility. Note however that this may break user expressions.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <varname>buildPythonPackage</varname> function now sets <varname>LANG
+     = C.UTF-8</varname> to enable Unicode support. The
+     <varname>glibcLocales</varname> package is no longer needed as a build
+     input.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Syncthing state and configuration data has been moved from
+     <varname>services.syncthing.dataDir</varname> to the newly defined
+     <varname>services.syncthing.configDir</varname>, which default to
+     <literal>/var/lib/syncthing/.config/syncthing</literal>. This change makes
+     possible to share synced directories using ACLs without Syncthing
+     resetting the permission on every start.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>ntp</literal> module now has sane default restrictions. If
+     you're relying on the previous defaults, which permitted all queries and
+     commands from all firewall-permitted sources, you can set
+     <varname>services.ntp.restrictDefault</varname> and
+     <varname>services.ntp.restrictSource</varname> to <literal>[]</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Package <varname>rabbitmq_server</varname> is renamed to
+     <varname>rabbitmq-server</varname>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>light</literal> module no longer uses setuid binaries, but
+     udev rules. As a consequence users of that module have to belong to the
+     <literal>video</literal> group in order to use the executable (i.e.
+     <literal>users.users.yourusername.extraGroups = ["video"];</literal>).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Buildbot now supports Python 3 and its packages have been moved to
+     <literal>pythonPackages</literal>. The options
+     <option>services.buildbot-master.package</option> and
+     <option>services.buildbot-worker.package</option> can be used to select
+     the Python 2 or 3 version of the package.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Options
+     <literal>services.znc.confOptions.networks.<replaceable>name</replaceable>.userName</literal>
+     and
+     <literal>services.znc.confOptions.networks.<replaceable>name</replaceable>.modulePackages</literal>
+     were removed. They were never used for anything and can therefore safely
+     be removed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Package <literal>wasm</literal> has been renamed
+     <literal>proglodyte-wasm</literal>. The package <literal>wasm</literal>
+     will be pointed to <literal>ocamlPackages.wasm</literal> in 19.09, so make
+     sure to update your configuration if you want to keep
+     <literal>proglodyte-wasm</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     When the <literal>nixpkgs.pkgs</literal> option is set, NixOS will no
+     longer ignore the <literal>nixpkgs.overlays</literal> option. The old
+     behavior can be recovered by setting <literal>nixpkgs.overlays =
+     lib.mkForce [];</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     OpenSMTPD has been upgraded to version 6.4.0p1. This release makes
+     backwards-incompatible changes to the configuration file format. See
+     <command>man smtpd.conf</command> for more information on the new file
+     format.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The versioned <varname>postgresql</varname> have been renamed to use
+     underscore number seperators. For example, <varname>postgresql96</varname>
+     has been renamed to <varname>postgresql_9_6</varname>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Package <literal>consul-ui</literal> and passthrough
+     <literal>consul.ui</literal> have been removed. The package
+     <literal>consul</literal> now uses upstream releases that vendor the UI
+     into the binary. See
+     <link xlink:href="https://github.com/NixOS/nixpkgs/pull/48714#issuecomment-433454834">#48714</link>
+     for details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Slurm introduces the new option
+     <literal>services.slurm.stateSaveLocation</literal>, which is now set to
+     <literal>/var/spool/slurm</literal> by default (instead of
+     <literal>/var/spool</literal>). Make sure to move all files to the new
+     directory or to set the option accordingly.
+    </para>
+    <para>
+     The slurmctld now runs as user <literal>slurm</literal> instead of
+     <literal>root</literal>. If you want to keep slurmctld running as
+     <literal>root</literal>, set <literal>services.slurm.user =
+     root</literal>.
+    </para>
+    <para>
+     The options <literal>services.slurm.nodeName</literal> and
+     <literal>services.slurm.partitionName</literal> are now sets of strings to
+     correctly reflect that fact that each of these options can occour more
+     than once in the configuration.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>solr</literal> package has been upgraded from 4.10.3 to 7.5.0
+     and has undergone some major changes. The <literal>services.solr</literal>
+     module has been updated to reflect these changes. Please review
+     http://lucene.apache.org/solr/ carefully before upgrading.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Package <literal>ckb</literal> is renamed to <literal>ckb-next</literal>,
+     and options <literal>hardware.ckb.*</literal> are renamed to
+     <literal>hardware.ckb-next.*</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option
+     <literal>services.xserver.displayManager.job.logToFile</literal> which was
+     previously set to <literal>true</literal> when using the display managers
+     <literal>lightdm</literal>, <literal>sddm</literal> or
+     <literal>xpra</literal> has been reset to the default value
+     (<literal>false</literal>).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Network interface indiscriminate NixOS firewall options
+     (<literal>networking.firewall.allow*</literal>) are now preserved when
+     also setting interface specific rules such as
+     <literal>networking.firewall.interfaces.en0.allow*</literal>. These rules
+     continue to use the pseudo device "default"
+     (<literal>networking.firewall.interfaces.default.*</literal>), and
+     assigning to this pseudo device will override the
+     (<literal>networking.firewall.allow*</literal>) options.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>nscd</literal> service now disables all caching of
+     <literal>passwd</literal> and <literal>group</literal> databases by
+     default. This was interferring with the correct functioning of the
+     <literal>libnss_systemd.so</literal> module which is used by
+     <literal>systemd</literal> to manage uids and usernames in the presence of
+     <literal>DynamicUser=</literal> in systemd services. This was already the
+     default behaviour in presence of <literal>services.sssd.enable =
+     true</literal> because nscd caching would interfere with
+     <literal>sssd</literal> in unpredictable ways as well. Because we're using
+     nscd not for caching, but for convincing glibc to find NSS modules in the
+     nix store instead of an absolute path, we have decided to disable caching
+     globally now, as it's usually not the behaviour the user wants and can
+     lead to surprising behaviour. Furthermore, negative caching of host
+     lookups is also disabled now by default. This should fix the issue of dns
+     lookups failing in the presence of an unreliable network.
+    </para>
+    <para>
+     If the old behaviour is desired, this can be restored by setting the
+     <literal>services.nscd.config</literal> option with the desired caching
+     parameters.
+<programlisting>
+     services.nscd.config =
+     ''
+     server-user             nscd
+     threads                 1
+     paranoia                no
+     debug-level             0
+
+     enable-cache            passwd          yes
+     positive-time-to-live   passwd          600
+     negative-time-to-live   passwd          20
+     suggested-size          passwd          211
+     check-files             passwd          yes
+     persistent              passwd          no
+     shared                  passwd          yes
+
+     enable-cache            group           yes
+     positive-time-to-live   group           3600
+     negative-time-to-live   group           60
+     suggested-size          group           211
+     check-files             group           yes
+     persistent              group           no
+     shared                  group           yes
+
+     enable-cache            hosts           yes
+     positive-time-to-live   hosts           600
+     negative-time-to-live   hosts           5
+     suggested-size          hosts           211
+     check-files             hosts           yes
+     persistent              hosts           no
+     shared                  hosts           yes
+     '';
+     </programlisting>
+     See
+     <link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link>
+     for details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     GitLab Shell previously used the nix store paths for the
+     <literal>gitlab-shell</literal> command in its
+     <literal>authorized_keys</literal> file, which might stop working after
+     garbage collection. To circumvent that, we regenerated that file on each
+     startup. As <literal>gitlab-shell</literal> has now been changed to use
+     <literal>/var/run/current-system/sw/bin/gitlab-shell</literal>, this is
+     not necessary anymore, but there might be leftover lines with a nix store
+     path. Regenerate the <literal>authorized_keys</literal> file via
+     <command>sudo -u git -H gitlab-rake gitlab:shell:setup</command> in that
+     case.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>pam_unix</literal> account module is now loaded with its
+     control field set to <literal>required</literal> instead of
+     <literal>sufficient</literal>, so that later PAM account modules that
+     might do more extensive checks are being executed. Previously, the whole
+     account module verification was exited prematurely in case a nss module
+     provided the account name to <literal>pam_unix</literal>. The LDAP and
+     SSSD NixOS modules already add their NSS modules when enabled. In case
+     your setup breaks due to some later PAM account module previosuly
+     shadowed, or failing NSS lookups, please file a bug. You can get back the
+     old behaviour by manually setting <literal>
+<![CDATA[security.pam.services.<name?>.text]]>
+     </literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>pam_unix</literal> password module is now loaded with its
+     control field set to <literal>sufficient</literal> instead of
+     <literal>required</literal>, so that password managed only by later PAM
+     password modules are being executed. Previously, for example, changing an
+     LDAP account's password through PAM was not possible: the whole password
+     module verification was exited prematurely by <literal>pam_unix</literal>,
+     preventing <literal>pam_ldap</literal> to manage the password as it
+     should.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>fish</literal> has been upgraded to 3.0. It comes with a number
+     of improvements and backwards incompatible changes. See the
+     <literal>fish</literal>
+     <link xlink:href="https://github.com/fish-shell/fish-shell/releases/tag/3.0.0">release
+     notes</link> for more information.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The ibus-table input method has had a change in config format, which
+     causes all previous settings to be lost. See
+     <link xlink:href="https://github.com/mike-fabian/ibus-table/commit/f9195f877c5212fef0dfa446acb328c45ba5852b">this
+     commit message</link> for details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     NixOS module system type <literal>types.optionSet</literal> and
+     <literal>lib.mkOption</literal> argument <literal>options</literal> are
+     deprecated. Use <literal>types.submodule</literal> instead.
+     (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/54637">#54637</link>)
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>matrix-synapse</literal> has been updated to version 0.99. It
+     will <link xlink:href="https://github.com/matrix-org/synapse/pull/4509">no
+     longer generate a self-signed certificate on first launch</link> and will
+     be
+     <link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the
+     last version to accept self-signed certificates</link>. As such, it is now
+     recommended to use a proper certificate verified by a root CA (for example
+     Let's Encrypt). The new <link linkend="module-services-matrix">manual
+     chapter on Matrix</link> contains a working example of using nginx as a
+     reverse proxy in front of <literal>matrix-synapse</literal>, using Let's
+     Encrypt certificates.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>mailutils</literal> now works by default when
+     <literal>sendmail</literal> is not in a setuid wrapper. As a consequence,
+     the <literal>sendmailPath</literal> argument, having lost its main use,
+     has been removed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>graylog</literal> has been upgraded from version 2.* to 3.*. Some
+     setups making use of extraConfig (especially those exposing Graylog via
+     reverse proxies) need to be updated as upstream removed/replaced some
+     settings. See
+     <link xlink:href="http://docs.graylog.org/en/3.0/pages/upgrade/graylog-3.0.html#simplified-http-interface-configuration">Upgrading
+     Graylog</link> for details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      The option <literal>users.ldap.bind.password</literal> was renamed to <literal>users.ldap.bind.passwordFile</literal>,
+      and needs to be readable by the <literal>nslcd</literal> user.
+      Same applies to the new <literal>users.ldap.daemon.rootpwmodpwFile</literal> option.
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+       <literal>nodejs-6_x</literal> is end-of-life.
+       <literal>nodejs-6_x</literal>, <literal>nodejs-slim-6_x</literal> and
+       <literal>nodePackages_6_x</literal> are removed.
+     </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-19.03-notable-changes">
+  <title>Other Notable Changes</title>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     The <option>services.matomo</option> module gained the option
+     <option>services.matomo.package</option> which determines the used Matomo
+     version.
+    </para>
+    <para>
+     The Matomo module now also comes with the systemd service
+     <literal>matomo-archive-processing.service</literal> and a timer that
+     automatically triggers archive processing every hour. This means that you
+     can safely
+     <link xlink:href="https://matomo.org/docs/setup-auto-archiving/#disable-browser-triggers-for-matomo-archiving-and-limit-matomo-reports-to-updating-every-hour">
+     disable browser triggers for Matomo archiving </link> at
+     <literal>Administration > System > General Settings</literal>.
+    </para>
+    <para>
+     Additionally, you can enable to
+     <link xlink:href="https://matomo.org/docs/privacy/#step-2-delete-old-visitors-logs">
+     delete old visitor logs </link> at <literal>Administration > System >
+     Privacy</literal>, but make sure that you run <literal>systemctl start
+     matomo-archive-processing.service</literal> at least once without errors
+     if you have already collected data before, so that the reports get
+     archived before the source data gets deleted.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>composableDerivation</literal> along with supporting library
+     functions has been removed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The deprecated <literal>truecrypt</literal> package has been removed and
+     <literal>truecrypt</literal> attribute is now an alias for
+     <literal>veracrypt</literal>. VeraCrypt is backward-compatible with
+     TrueCrypt volumes. Note that <literal>cryptsetup</literal> also supports
+     loading TrueCrypt volumes.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Kubernetes DNS addons, kube-dns, has been replaced with CoreDNS. This
+     change is made in accordance with Kubernetes making CoreDNS the official
+     default starting from
+     <link xlink:href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.11.md#sig-cluster-lifecycle">Kubernetes
+     v1.11</link>. Please beware that upgrading DNS-addon on existing clusters
+     might induce minor downtime while the DNS-addon terminates and
+     re-initializes. Also note that the DNS-service now runs with 2 pod
+     replicas by default. The desired number of replicas can be configured
+     using: <option>services.kubernetes.addons.dns.replicas</option>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The quassel-webserver package and module was removed from nixpkgs due to
+     the lack of maintainers.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The manual gained a <link linkend="module-services-matrix"> new chapter on
+     self-hosting <literal>matrix-synapse</literal> and
+     <literal>riot-web</literal> </link>, the most prevalent server and client
+     implementations for the
+     <link xlink:href="https://matrix.org/">Matrix</link> federated
+     communication network.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The astah-community package was removed from nixpkgs due to it being
+     discontinued and the downloads not being available anymore.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The httpd service now saves log files with a .log file extension by
+     default for easier integration with the logrotate service.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The owncloud server packages and httpd subservice module were removed from
+     nixpkgs due to the lack of maintainers.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     It is possible now to uze ZRAM devices as general purpose ephemeral block
+     devices, not only as swap. Using more than 1 device as ZRAM swap is no
+     longer recommended, but is still possible by setting
+     <literal>zramSwap.swapDevices</literal> explicitly.
+    </para>
+    <para>
+     ZRAM algorithm can be changed now.
+    </para>
+    <para>
+     Changes to ZRAM algorithm are applied during <literal>nixos-rebuild
+     switch</literal>, so make sure you have enough swap space on disk to
+     survive ZRAM device rebuild. Alternatively, use <literal>nixos-rebuild
+     boot; reboot</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Flat volumes are now disabled by default in
+     <literal>hardware.pulseaudio</literal>. This has been done to prevent
+     applications, which are unaware of this feature, setting their volumes to
+     100% on startup causing harm to your audio hardware and potentially your
+     ears.
+    </para>
+    <note>
+     <para>
+      With this change application specific volumes are relative to the master
+      volume which can be adjusted independently, whereas before they were
+      absolute; meaning that in effect, it scaled the device-volume with the
+      volume of the loudest application.
+     </para>
+    </note>
+   </listitem>
+   <listitem>
+    <para>
+     The
+     <link xlink:href="https://github.com/DanielAdolfsson/ndppd"><literal>ndppd</literal></link>
+     module now supports <link linkend="opt-services.ndppd.enable">all config
+     options</link> provided by the current upstream version as service
+     options. Additionally the <literal>ndppd</literal> package doesn't contain
+     the systemd unit configuration from upstream anymore, the unit is
+     completely configured by the NixOS module now.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     New installs of NixOS will default to the Redmine 4.x series unless
+     otherwise specified in <literal>services.redmine.package</literal> while
+     existing installs of NixOS will default to the Redmine 3.x series.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <link linkend="opt-services.grafana.enable">Grafana module</link> now
+     supports declarative
+     <link xlink:href="http://docs.grafana.org/administration/provisioning/">datasource
+     and dashboard</link> provisioning.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The use of insecure ports on kubernetes has been deprecated. Thus options:
+     <varname>services.kubernetes.apiserver.port</varname> and
+     <varname>services.kubernetes.controllerManager.port</varname> has been
+     renamed to <varname>.insecurePort</varname>, and default of both options
+     has changed to 0 (disabled).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Note that the default value of
+     <varname>services.kubernetes.apiserver.bindAddress</varname> has changed
+     from 127.0.0.1 to 0.0.0.0, allowing the apiserver to be accessible from
+     outside the master node itself. If the apiserver insecurePort is enabled,
+     it is strongly recommended to only bind on the loopback interface. See:
+     <varname>services.kubernetes.apiserver.insecurebindAddress</varname>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option
+     <varname>services.kubernetes.apiserver.allowPrivileged</varname> and
+     <varname>services.kubernetes.kubelet.allowPrivileged</varname> now
+     defaults to false. Disallowing privileged containers on the cluster.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The kubernetes module does no longer add the kubernetes package to
+     <varname>environment.systemPackages</varname> implicitly.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>intel</literal> driver has been removed from the default list
+     of <link linkend="opt-services.xserver.videoDrivers">X.org video
+     drivers</link>. The <literal>modesetting</literal> driver should take over
+     automatically, it is better maintained upstream and has less problems with
+     advanced X11 features. This can lead to a change in the output names used
+     by <literal>xrandr</literal>. Some performance regressions on some GPU
+     models might happen. Some OpenCL and VA-API applications might also break
+     (Beignet seems to provide OpenCL support with
+     <literal>modesetting</literal> driver, too). Kernel mode setting API does
+     not support backlight control, so <literal>xbacklight</literal> tool will
+     not work; backlight level can be controlled directly via
+     <literal>/sys/</literal> or with <literal>brightnessctl</literal>. Users
+     who need this functionality more than multi-output XRandR are advised to
+     add `intel` to `videoDrivers` and report an issue (or provide additional
+     details in an existing one)
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Openmpi has been updated to version 4.0.0, which removes some deprecated
+     MPI-1 symbols. This may break some older applications that still rely on
+     those symbols. An upgrade guide can be found
+     <link xlink:href="https://www.open-mpi.org/faq/?category=mpi-removed">here</link>.
+    </para>
+    <para>
+     The nginx package now relies on OpenSSL 1.1 and supports TLS 1.3 by
+     default. You can set the protocols used by the nginx service using
+     <xref linkend="opt-services.nginx.sslProtocols"/>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     A new subcommand <command>nixos-rebuild edit</command> was added.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+</section>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml
new file mode 100644
index 000000000000..36bea28530be
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-1909.xml
@@ -0,0 +1,561 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-19.09">
+ <title>Release 19.09 (“Loris”, 2019/09/??)</title>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-19.09-highlights">
+  <title>Highlights</title>
+
+  <para>
+   In addition to numerous new and upgraded packages, this release has the
+   following highlights:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     End of support is planned for end of April 2020, handing over to 20.03.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     PHP now defaults to PHP 7.3, updated from 7.2.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release.
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+       The binfmt module is now easier to use. Additional systems can
+       be added through <option>boot.binfmt.emulatedSystems</option>.
+       For instance, <literal>boot.binfmt.emulatedSystems = [
+       "wasm32-wasi" "x86_64-windows" "aarch64-linux" ];</literal> will
+       set up binfmt interpreters for each of those listed systems.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+     The installer now uses a less privileged <literal>nixos</literal> user whereas before we logged in as root.
+     To gain root privileges use <literal>sudo -i</literal> without a password.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      We've updated to Xfce 4.14, which brings a new module <option>services.xserver.desktopManager.xfce4-14</option>.
+      If you'd like to upgrade, please switch from the <option>services.xserver.desktopManager.xfce</option> module as it
+      will be deprecated in a future release. They're incompatibilities with the current Xfce module; it doesn't support
+      <option>thunarPlugins</option> and it isn't recommended to use <option>services.xserver.desktopManager.xfce</option>
+      and <option>services.xserver.desktopManager.xfce4-14</option> simultaneously or to downgrade from Xfce 4.14 after upgrading.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-19.09-new-services">
+  <title>New Services</title>
+
+  <para>
+   The following new services were added since the last release:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     <literal>./programs/dwm-status.nix</literal>
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-19.09-incompatibilities">
+  <title>Backward Incompatibilities</title>
+
+  <para>
+   When upgrading from a previous release, please be aware of the following
+   incompatible changes:
+  </para>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     Buildbot no longer supports Python 2, as support was dropped upstream in
+     version 2.0.0. Configurations may need to be modified to make them
+     compatible with Python 3.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     PostgreSQL now uses
+     <filename class="directory">/run/postgresql</filename> as its socket
+     directory instead of <filename class="directory">/tmp</filename>. So
+     if you run an application like eg. Nextcloud, where you need to use
+     the Unix socket path as the database host name, you need to change it
+     accordingly.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The options <option>services.prometheus.alertmanager.user</option> and
+     <option>services.prometheus.alertmanager.group</option> have been removed
+     because the alertmanager service is now using systemd's <link
+     xlink:href="http://0pointer.net/blog/dynamic-users-with-systemd.html">
+     DynamicUser mechanism</link> which obviates these options.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The NetworkManager systemd unit was renamed back from network-manager.service to
+     NetworkManager.service for better compatibility with other applications expecting this name.
+     The same applies to ModemManager where modem-manager.service is now called ModemManager.service again.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <option>services.nzbget.configFile</option> and <option>services.nzbget.openFirewall</option>
+     options were removed as they are managed internally by the nzbget. The
+     <option>services.nzbget.dataDir</option> option hadn't actually been used by
+     the module for some time and so was removed as cleanup.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <option>services.mysql.pidDir</option> option was removed, as it was only used by the wordpress
+     apache-httpd service to wait for mysql to have started up.
+     This can be accomplished by either describing a dependency on mysql.service (preferred)
+     or waiting for the (hardcoded) <filename>/run/mysqld/mysql.sock</filename> file to appear.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <option>services.emby.enable</option> module has been removed, see
+     <option>services.jellyfin.enable</option> instead for a free software fork of Emby.
+
+     See the Jellyfin documentation:
+     <link xlink:href="https://jellyfin.readthedocs.io/en/latest/administrator-docs/migrate-from-emby/">
+       Migrating from Emby to Jellyfin
+     </link>
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+     IPv6 Privacy Extensions are now enabled by default for undeclared
+     interfaces. The previous behaviour was quite misleading — even though
+     the default value for
+     <option>networking.interfaces.*.preferTempAddress</option> was
+     <literal>true</literal>, undeclared interfaces would not prefer temporary
+     addresses. Now, interfaces not mentioned in the config will prefer
+     temporary addresses. EUI64 addresses can still be set as preferred by
+     explicitly setting the option to <literal>false</literal> for the
+     interface in question.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Since Bittorrent Sync was superseded by Resilio Sync in 2016, the
+     <literal>bittorrentSync</literal>, <literal>bittorrentSync14</literal>,
+     and <literal>bittorrentSync16</literal> packages have been removed in
+     favor of <literal>resilio-sync</literal>.
+    </para>
+    <para>
+     The corresponding module, <option>services.btsync</option> has been
+     replaced by the <option>services.resilio</option> module.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The httpd service no longer attempts to start the postgresql service. If you have come to depend
+     on this behaviour then you can preserve the behavior with the following configuration:
+     <literal>systemd.services.httpd.after = [ "postgresql.service" ];</literal>
+    </para>
+    <para>
+     The option <option>services.httpd.extraSubservices</option> has been
+     marked as deprecated. You may still use this feature, but it will be
+     removed in a future release of NixOS. You are encouraged to convert any
+     httpd subservices you may have written to a full NixOS module.
+    </para>
+    <para>
+     Most of the httpd subservices packaged with NixOS have been replaced with
+     full NixOS modules including LimeSurvey, WordPress, and Zabbix. These
+     modules can be enabled using the <option>services.limesurvey.enable</option>,
+     <option>services.mediawiki.enable</option>, <option>services.wordpress.enable</option>,
+     and <option>services.zabbixWeb.enable</option> options.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option <option>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnlink</option>
+     was renamed to <option>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnLink</option>
+     (capital <literal>L</literal>). This follows
+     <link xlink:href="https://github.com/systemd/systemd/commit/9cb8c5593443d24c19e40bfd4fc06d672f8c554c">
+      upstreams renaming
+     </link> of the setting.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     As of this release the NixOps feature <literal>autoLuks</literal> is deprecated. It no longer works
+     with our systemd version without manual intervention.
+    </para>
+    <para>
+     Whenever the usage of the module is detected the evaluation will fail with a message
+     explaining why and how to deal with the situation.
+    </para>
+    <para>
+     A new knob named <literal>nixops.enableDeprecatedAutoLuks</literal>
+     has been introduced to disable the eval failure and to acknowledge the notice was received and read.
+     If you plan on using the feature please note that it might break with subsequent updates.
+    </para>
+    <para>
+     Make sure you set the <literal>_netdev</literal> option for each of the file systems referring to block
+     devices provided by the autoLuks module. Not doing this might render the system in a
+     state where it doesn't boot anymore.
+    </para>
+    <para>
+     If you are actively using the <literal>autoLuks</literal> module please let us know in
+     <link xlink:href="https://github.com/NixOS/nixpkgs/issues/62211">issue #62211</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The setopt declarations will be evaluated at the end of <literal>/etc/zshrc</literal>, so any code in <xref linkend="opt-programs.zsh.interactiveShellInit" />,
+     <xref linkend="opt-programs.zsh.loginShellInit" /> and <xref linkend="opt-programs.zsh.promptInit" /> may break if it relies on those options being set.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      The <literal>prometheus-nginx-exporter</literal> package now uses the offical exporter provided by NGINX Inc.
+      Its metrics are differently structured and are incompatible to the old ones. For information about the metrics,
+      have a look at the <link xlink:href="https://github.com/nginxinc/nginx-prometheus-exporter">official repo</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>shibboleth-sp</literal> package has been updated to version 3.
+     It is largely backward compatible, for further information refer to the
+     <link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes">release notes</link>
+     and <link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2">upgrade guide</link>.
+    </para>
+     <para>
+       Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       By default, prometheus exporters are now run with <literal>DynamicUser</literal> enabled.
+       Exporters that need a real user, now run under a seperate user and group which follow the pattern <literal>&lt;exporter-name&gt;-exporter</literal>, instead of the previous default <literal>nobody</literal> and <literal>nogroup</literal>.
+       Only some exporters are affected by the latter, namely the exporters <literal>dovecot</literal>, <literal>node</literal>, <literal>postfix</literal> and <literal>varnish</literal>.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       The <literal>ibus-qt</literal> package is not installed by default anymore when <xref linkend="opt-i18n.inputMethod.enabled" /> is set to <literal>ibus</literal>.
+       If IBus support in Qt 4.x applications is required, add the <literal>ibus-qt</literal> package to your <xref linkend="opt-environment.systemPackages" /> manually.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       The CUPS Printing service now uses socket-based activation by
+       default, only starting when needed. The previous behavior can
+       be restored by setting
+       <option>services.cups.startWhenNeeded</option> to
+       <literal>false</literal>.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       The <option>services.systemhealth</option> module has been removed from nixpkgs due to lack of maintainer.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       The <option>services.mantisbt</option> module has been removed from nixpkgs due to lack of maintainer.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       Squid 3 has been removed and the <option>squid</option> derivation now refers to Squid 4.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       The <option>services.pdns-recursor.extraConfig</option> option has been replaced by
+       <option>services.pdns-recursor.settings</option>. The new option allows setting extra
+       configuration while being better type-checked and mergeable.
+     </para>
+   </listitem>
+   <listitem>
+    <para>
+     No service depends on <literal>keys.target</literal> anymore which is a systemd
+     target that indicates if all <link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps keys</link> were successfully uploaded.
+     Instead, <literal>&lt;key-name&gt;-key.service</literal> should be used to define
+     a dependency of a key in a service. The full issue behind the <literal>keys.target</literal>
+     dependency is described at <link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>.
+    </para>
+    <para>
+     The following services are affected by this:
+     <itemizedlist>
+      <listitem><para><link linkend="opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.nsd.enable"><literal>services.nsd</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.softether.enable"><literal>services.softether</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.strongswan.enable"><literal>services.strongswan</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.httpd.enable"><literal>services.httpd</literal></link></para></listitem>
+     </itemizedlist>
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-19.09-notable-changes">
+  <title>Other Notable Changes</title>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+     The <option>documentation</option> module gained an option named
+     <option>documentation.nixos.includeAllModules</option> which makes the
+     generated <citerefentry>
+     <refentrytitle>configuration.nix</refentrytitle>
+     <manvolnum>5</manvolnum></citerefentry> manual page include all options
+     from all NixOS modules included in a given
+     <literal>configuration.nix</literal> configuration file. Currently, it is
+     set to <literal>false</literal> by default as enabling it frequently
+     prevents evaluation. But the plan is to eventually have it set to
+     <literal>true</literal> by default. Please set it to
+     <literal>true</literal> now in your <literal>configuration.nix</literal>
+     and fix all the bugs it uncovers.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>vlc</literal> package gained support for Chromecast
+     streaming, enabled by default. TCP port 8010 must be open for it to work,
+     so something like <literal>networking.firewall.allowedTCPPorts = [ 8010
+     ];</literal> may be required in your configuration. Also consider enabling
+     <link xlink:href="https://nixos.wiki/wiki/Accelerated_Video_Playback">
+     Accelerated Video Playback</link> for better transcoding performance.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The following changes apply if the <literal>stateVersion</literal> is
+     changed to 19.09 or higher. For <literal>stateVersion = "19.03"</literal>
+     or lower the old behavior is preserved.
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       <literal>solr.package</literal> defaults to
+       <literal>pkgs.solr_8</literal>.
+      </para>
+     </listitem>
+    </itemizedlist>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>hunspellDicts.fr-any</literal> dictionary now ships with <literal>fr_FR.{aff,dic}</literal>
+     which is linked to <literal>fr-toutesvariantes.{aff,dic}</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>mysql</literal> service now runs as <literal>mysql</literal>
+     user. Previously, systemd did execute it as root, and mysql dropped privileges
+     itself.
+     This includes <literal>ExecStartPre=</literal> and
+     <literal>ExecStartPost=</literal> phases.
+     To accomplish that, runtime and data directory setup was delegated to
+     RuntimeDirectory and tmpfiles.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     With the upgrade to systemd version 242 the <literal>systemd-timesyncd</literal>
+     service is no longer using <literal>DynamicUser=yes</literal>. In order for the
+     upgrade to work we rely on an activation script to move the state from the old
+     to the new directory. The older directory (prior <literal>19.09</literal>) was
+     <literal>/var/lib/private/systemd/timesync</literal>.
+    </para>
+    <para>
+     As long as the <literal>system.config.stateVersion</literal> is below
+     <literal>19.09</literal> the state folder will migrated to its proper location
+     (<literal>/var/lib/systemd/timesync</literal>), if required.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The package <literal>avahi</literal> is now built to look up service
+     definitions from <literal>/etc/avahi/services</literal> instead of its
+     output directory in the nix store. Accordingly the module
+     <option>avahi</option> now supports custom service definitions via
+     <option>services.avahi.extraServiceFiles</option>, which are then placed
+     in the aforementioned directory. See <citerefentry>
+     <refentrytitle>avahi.service</refentrytitle><manvolnum>5</manvolnum>
+     </citerefentry> for more information on custom service definitions.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Since version 0.1.19, <literal>cargo-vendor</literal> honors package
+     includes that are specified in the <filename>Cargo.toml</filename>
+     file of Rust crates. <literal>rustPlatform.buildRustPackage</literal> uses
+     <literal>cargo-vendor</literal> to collect and build dependent crates.
+     Since this change in <literal>cargo-vendor</literal> changes the set of
+     vendored files for most Rust packages, the hash that use used to verify
+     the dependencies, <literal>cargoSha256</literal>, also changes.
+    </para>
+    <para>
+     The <literal>cargoSha256</literal> hashes of all in-tree derivations that
+     use <literal>buildRustPackage</literal> have been updated to reflect this
+     change. However, third-party derivations that use
+     <literal>buildRustPackage</literal> may have to be updated as well.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>consul</literal> package was upgraded past version <literal>1.5</literal>,
+     so its deprecated legacy UI is no longer available.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The default resample-method for PulseAudio has been changed from the upstream default <literal>speex-float-1</literal>
+     to <literal>speex-float-5</literal>. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this
+     so you'll need to set <option>hardware.pulseaudio.daemon.config.resample-method</option> back to <literal>speex-float-1</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>phabricator</literal> package and associated <literal>httpd.extraSubservice</literal>, as well as the
+     <literal>phd</literal> service have been removed from nixpkgs due to lack of maintainer.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>mercurial</literal> <literal>httpd.extraSubservice</literal> has been removed from nixpkgs due to lack of maintainer.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>trac</literal> <literal>httpd.extraSubservice</literal> has been removed from nixpkgs because it was unmaintained.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>foswiki</literal> package and associated <literal>httpd.extraSubservice</literal> have been removed
+     from nixpkgs due to lack of maintainer.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>tomcat-connector</literal> <literal>httpd.extraSubservice</literal> has been removed from nixpkgs.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     It's now possible to change configuration in
+     <link linkend="opt-services.nextcloud.enable">services.nextcloud</link> after the initial deploy
+     since all config parameters are persisted in an additional config file generated by the module.
+     Previously core configuration like database parameters were set using their imperative
+     installer after creating <literal>/var/lib/nextcloud</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     There exists now <literal>lib.forEach</literal>, which is like <literal>map</literal>, but with
+     arguments flipped. When mapping function body spans many lines (or has nested
+     <literal>map</literal>s), it is often hard to follow which list is modified.
+    </para>
+    <para>
+     Previous solution to this problem was either to use <literal>lib.flip map</literal>
+     idiom or extract that anonymous mapping function to a named one. Both can still be used
+     but <literal>lib.forEach</literal> is preferred over <literal>lib.flip map</literal>.
+    </para>
+    <para>
+      The <literal>/etc/sysctl.d/nixos.conf</literal> file containing all the options set via
+      <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link> was moved to
+      <literal>/etc/sysctl.d/60-nixos.conf</literal>, as
+      <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+      recommends prefixing all filenames in <literal>/etc/sysctl.d</literal> with a
+      two-digit number and a dash to simplify the ordering of the files.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      We now install the sysctl snippets shipped with systemd.
+    <itemizedlist>
+     <para>This enables:</para>
+     <listitem>
+      <para>Loose reverse path filtering</para>
+     </listitem>
+     <listitem>
+      <para>Source route filtering</para>
+     </listitem>
+     <listitem>
+      <para>
+       <literal>fq_codel</literal> as a packet scheduler (this helps to fight bufferbloat)
+      </para>
+     </listitem>
+    </itemizedlist>
+
+     This also configures the kernel to pass coredumps to <literal>systemd-coredump</literal>.
+     These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>,
+     and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
+     (which will place the parameters in <literal>/etc/sysctl.d/60-nixos.conf</literal>).
+     </para>
+   </listitem>
+   <listitem>
+    <para>
+      Coredumps are now acquired by <literal>systemd-coredump</literal> by default.
+      <literal>systemd-coredump</literal> behaviour can still be modified via
+      <option>systemd.coredump.extraConfig</option>.
+      To stick to the old behaviour (having the kernel dump to a file called <literal>core</literal>
+      in the working directory), without piping it through <literal>systemd-coredump</literal>, set
+      <option>boot.kernel.sysctl."kernel.core_pattern"</option> to <literal>"core"</literal>.
+    </para>
+   </listitem>
+  <listitem>
+   <para>
+    <literal>systemd.packages</literal> option now also supports generators and
+    shutdown scripts. Old <literal>systemd.generator-packages</literal> option has
+    been removed.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+    The <literal>rmilter</literal> package was removed with associated module and options due deprecation by upstream developer.
+    Use <literal>rspamd</literal> in proxy mode instead.
+   </para>
+  </listitem>
+  <listitem>
+   <para>
+     systemd cgroup accounting via the
+     <link linkend="opt-systemd.enableCgroupAccounting">systemd.enableCgroupAccounting</link>
+     option is now enabled by default. It now also enables the more recent Block IO and IP accounting
+     features.
+   </para>
+  </listitem>
+  </itemizedlist>
+ </section>
+</section>