Diffstat (limited to 'nixpkgs/nixos/doc')
-rw-r--r--nixpkgs/nixos/doc/manual/README13
-rw-r--r--nixpkgs/nixos/doc/manual/administration/service-mgmt.xml98
-rw-r--r--nixpkgs/nixos/doc/manual/configuration/configuration.xml2
-rw-r--r--nixpkgs/nixos/doc/manual/configuration/gpu-accel.xml76
-rw-r--r--nixpkgs/nixos/doc/manual/configuration/profiles/hardened.xml10
-rw-r--r--nixpkgs/nixos/doc/manual/configuration/subversion.xml140
-rw-r--r--nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml2
-rw-r--r--nixpkgs/nixos/doc/manual/configuration/wayland.xml23
-rw-r--r--nixpkgs/nixos/doc/manual/contributing-to-this-manual.xml22
-rw-r--r--nixpkgs/nixos/doc/manual/default.nix1
-rw-r--r--nixpkgs/nixos/doc/manual/development/building-nixos.xml6
-rw-r--r--nixpkgs/nixos/doc/manual/development/meta-attributes.xml2
-rw-r--r--nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml4
-rw-r--r--nixpkgs/nixos/doc/manual/installation/installing-from-other-distro.xml7
-rw-r--r--nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml2
-rw-r--r--nixpkgs/nixos/doc/manual/installation/installing.xml9
-rw-r--r--nixpkgs/nixos/doc/manual/installation/upgrading.xml16
-rw-r--r--nixpkgs/nixos/doc/manual/man-nixos-install.xml23
-rw-r--r--nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml7
-rw-r--r--nixpkgs/nixos/doc/manual/manual.xml1
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml2
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml996
-rw-r--r--nixpkgs/nixos/doc/manual/release-notes/rl-2103.xml417
-rwxr-xr-xnixpkgs/nixos/doc/varlistentry-fixer.rb74
24 files changed, 1659 insertions, 294 deletions
diff --git a/nixpkgs/nixos/doc/manual/README b/nixpkgs/nixos/doc/manual/README
index 587f6275197a..120c127d7af2 100644
--- a/nixpkgs/nixos/doc/manual/README
+++ b/nixpkgs/nixos/doc/manual/README
@@ -1,12 +1,3 @@
-To build the manual, you need Nix installed on your system (no need
-for NixOS). To install Nix, follow the instructions at
+Moved to: ./contributing-to-this-manual.xml. Link:
 
-    https://nixos.org/nix/download.html
-
-When you have Nix on your system, in the root directory of the project
-(i.e., `nixpkgs`), run:
-
-    nix-build nixos/release.nix -A manual.x86_64-linux
-
-When this command successfully finishes, it will tell you where the
-manual got generated.
+https://nixos.org/manual/nixos/unstable/#chap-contributing
diff --git a/nixpkgs/nixos/doc/manual/administration/service-mgmt.xml b/nixpkgs/nixos/doc/manual/administration/service-mgmt.xml
index 1c5d48a5bcf0..863b0d47f6c7 100644
--- a/nixpkgs/nixos/doc/manual/administration/service-mgmt.xml
+++ b/nixpkgs/nixos/doc/manual/administration/service-mgmt.xml
@@ -6,7 +6,7 @@
  <title>Service Management</title>
  <para>
   In NixOS, all system services are started and monitored using the systemd
-  program. Systemd is the “init” process of the system (i.e. PID 1), the
+  program. systemd is the “init” process of the system (i.e. PID 1), the
   parent of all other processes. It manages a set of so-called “units”,
   which can be things like system services (programs), but also mount points,
   swap files, devices, targets (groups of units) and more. Units can have
@@ -16,10 +16,17 @@
   dependencies of this unit cause all system services to be started, file
   systems to be mounted, swap files to be activated, and so on.
  </para>
- <para>
-  The command <command>systemctl</command> is the main way to interact with
-  <command>systemd</command>. Without any arguments, it shows the status of
-  active units:
+ <section xml:id="sect-nixos-systemd-general">
+  <title>Interacting with a running systemd</title>
+   <para>
+    The command <command>systemctl</command> is the main way to interact with
+    <command>systemd</command>. The following paragraphs demonstrate ways to
+    interact with any OS running systemd as init system. NixOS is of no
+    exception. The <link xlink:href="#sect-nixos-systemd-nixos">next section
+    </link> explains NixOS specific things worth knowing.
+   </para>
+   <para>
+    Without any arguments, <literal>systmctl</literal> the status of active units:
 <screen>
 <prompt>$ </prompt>systemctl
 -.mount          loaded active mounted   /
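Review bot: The added sentence `Without any arguments, <literal>systmctl</literal> the status of active units:` misspells the command and has lost its verb; it should read `Without any arguments, <command>systemctl</command> shows the status of active units:`. In the paragraph just above it, `NixOS is of no exception` should be `NixOS is no exception`. The `<para>` and `<screen>` opened here continue past the end of this hunk.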
@@ -28,10 +35,10 @@ sshd.service     loaded active running   SSH Daemon
 graphical.target loaded active active    Graphical Interface
 <replaceable>...</replaceable>
 </screen>
- </para>
- <para>
-  You can ask for detailed status information about a unit, for instance, the
-  PostgreSQL database service:
+  </para>
+  <para>
+   You can ask for detailed status information about a unit, for instance, the
+   PostgreSQL database service:
 <screen>
 <prompt>$ </prompt>systemctl status postgresql.service
 postgresql.service - PostgreSQL Server
@@ -62,11 +69,72 @@ Jan 07 15:55:57 hagbard systemd[1]: Started PostgreSQL Server.
 <prompt># </prompt>systemctl start postgresql.service
 <prompt># </prompt>systemctl restart postgresql.service
 </screen>
-  These operations are synchronous: they wait until the service has finished
-  starting or stopping (or has failed). Starting a unit will cause the
-  dependencies of that unit to be started as well (if necessary).
- </para>
-<!-- - cgroups: each service and user session is a cgroup
+   These operations are synchronous: they wait until the service has finished
+   starting or stopping (or has failed). Starting a unit will cause the
+   dependencies of that unit to be started as well (if necessary).
+  </para>
+  <!-- TODO: document cgroups, draft:
+   each service and user session is a cgroup
 
-- cgroup resource management -->
+   - cgroup resource management -->
+ </section>
+ <section xml:id="sect-nixos-systemd-nixos">
+  <title>systemd in NixOS</title>
+  <para>
+   Packages in Nixpkgs sometimes provide systemd units with them, usually in
+   e.g <literal>#pkg-out#/lib/systemd/</literal>. Putting such a package in
+   <literal>environment.systemPackages</literal> doesn't make the service
+   available to users or the system.
+  </para>
+  <para>
+   In order to enable a systemd <emphasis>system</emphasis> service with
+   provided upstream package, use (e.g):
+<programlisting>
+<xref linkend="opt-systemd.packages"/> = [ pkgs.packagekit ];
+</programlisting>
+  </para>
+  <para>
+   Usually NixOS modules written by the community do the above, plus take care of
+   other details. If a module was written for a service you are interested in,
+   you'd probably need only to use
+   <literal>services.#name#.enable = true;</literal>. These services are defined
+   in Nixpkgs'
+   <link xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/modules">
+   <literal>nixos/modules/</literal> directory </link>. In case the service is
+   simple enough, the above method should work, and start the service on boot.
+  </para>
+  <para>
+   <emphasis>User</emphasis> systemd services on the other hand, should be
+   treated differently. Given a package that has a systemd unit file at
+   <literal>#pkg-out#/lib/systemd/user/</literal>, using
+   <xref linkend="opt-systemd.packages"/> will make you able to start the service via
+   <literal>systemctl --user start</literal>, but it won't start automatically on login.
+   <!-- TODO: Document why systemd.packages doesn't work for user services or fix this.
+   https://github.com/NixOS/nixpkgs/blob/2cd6594a8710a801038af2b72348658f732ce84a/nixos/modules/system/boot/systemd-lib.nix#L177-L198
+
+   This has been talked over at https://discourse.nixos.org/t/how-to-enable-upstream-systemd-user-services-declaratively/7649/5
+   -->
+   However, You can imperatively enable it by adding the package's attribute to
+   <link linkend="opt-environment.systemPackages">
+   <literal>systemd.packages</literal></link> and then do this (e.g):
+<screen>
+<prompt>$ </prompt>mkdir -p ~/.config/systemd/user/default.target.wants
+<prompt>$ </prompt>ln -s /run/current-system/sw/lib/systemd/user/syncthing.service ~/.config/systemd/user/default.target.wants/
+<prompt>$ </prompt>systemctl --user daemon-reload
+<prompt>$ </prompt>systemctl --user enable syncthing.service
+</screen>
+   If you are interested in a timer file, use <literal>timers.target.wants</literal>
+   instead of <literal>default.target.wants</literal> in the 1st and 2nd command.
+  </para>
+  <para>
+   Using <literal>systemctl --user enable syncthing.service</literal> instead of
+   the above, will work, but it'll use the absolute path of
+   <literal>syncthing.service</literal> for the symlink, and this path is in
+   <literal>/nix/store/.../lib/systemd/user/</literal>. Hence
+   <link xlink:href="#sec-nix-gc">garbage collection</link> will remove that file
+   and you will wind up with a broken symlink in your systemd configuration, which
+   in turn will not make the service / timer start on login.
+  </para>
+ </section>
 </chapter>
+
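Review bot: The new user-service instructions contradict themselves: the `<screen>` listing ends with `systemctl --user enable syncthing.service`, while the following paragraph says that running this command instead of the manual symlink leaves a link into `/nix/store/...` that garbage collection will break. Either drop the last command from the listing or explain what it does once the symlink under `default.target.wants` already exists. The link labelled `systemd.packages` also targets `opt-environment.systemPackages`; since the `ln -s` source lives under `/run/current-system/sw`, the label probably should be `environment.systemPackages`, so please confirm and make label and target agree.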
diff --git a/nixpkgs/nixos/doc/manual/configuration/configuration.xml b/nixpkgs/nixos/doc/manual/configuration/configuration.xml
index 6eb8f50bacac..6949189b8883 100644
--- a/nixpkgs/nixos/doc/manual/configuration/configuration.xml
+++ b/nixpkgs/nixos/doc/manual/configuration/configuration.xml
@@ -18,10 +18,12 @@
  <xi:include href="user-mgmt.xml" />
  <xi:include href="file-systems.xml" />
  <xi:include href="x-windows.xml" />
+ <xi:include href="wayland.xml" />
  <xi:include href="gpu-accel.xml" />
  <xi:include href="xfce.xml" />
  <xi:include href="networking.xml" />
  <xi:include href="linux-kernel.xml" />
+ <xi:include href="subversion.xml" />
  <xi:include href="../generated/modules.xml" xpointer="xpointer(//section[@id='modules']/*)" />
  <xi:include href="profiles.xml" />
  <xi:include href="kubernetes.xml" />
diff --git a/nixpkgs/nixos/doc/manual/configuration/gpu-accel.xml b/nixpkgs/nixos/doc/manual/configuration/gpu-accel.xml
index 95ee13f4796e..3695a5ff445a 100644
--- a/nixpkgs/nixos/doc/manual/configuration/gpu-accel.xml
+++ b/nixpkgs/nixos/doc/manual/configuration/gpu-accel.xml
@@ -65,16 +65,16 @@ Platform Vendor      Advanced Micro Devices, Inc.</screen>
       <title>AMD</title>
 
       <para>
-	Modern AMD <link
-	xlink:href="https://en.wikipedia.org/wiki/Graphics_Core_Next">Graphics
-	Core Next</link> (GCN) GPUs are supported through the
-	<package>rocm-opencl-icd</package> package. Adding this package to
-	<xref linkend="opt-hardware.opengl.extraPackages"/> enables OpenCL
-	support:
-
-	<programlisting><xref linkend="opt-hardware.opengl.extraPackages"/> = [
-  rocm-opencl-icd
-];</programlisting>
+       Modern AMD <link
+       xlink:href="https://en.wikipedia.org/wiki/Graphics_Core_Next">Graphics
+       Core Next</link> (GCN) GPUs are supported through the
+       <package>rocm-opencl-icd</package> package. Adding this package to
+       <xref linkend="opt-hardware.opengl.extraPackages"/> enables OpenCL
+       support:
+
+       <programlisting><xref linkend="opt-hardware.opengl.extraPackages"/> = [
+         rocm-opencl-icd
+       ];</programlisting>
       </para>
     </section>
 
@@ -100,9 +100,9 @@ Platform Vendor      Advanced Micro Devices, Inc.</screen>
        support. For example, for Gen8 and later GPUs, the following
        configuration can be used:
 
-	      <programlisting><xref linkend="opt-hardware.opengl.extraPackages"/> = [
-  intel-compute-runtime
-];</programlisting>
+      <programlisting><xref linkend="opt-hardware.opengl.extraPackages"/> = [
+        intel-compute-runtime
+      ];</programlisting>
 
       </para>
     </section>
@@ -173,31 +173,31 @@ GPU1:
       <title>AMD</title>
 
       <para>
-	Modern AMD <link
-	xlink:href="https://en.wikipedia.org/wiki/Graphics_Core_Next">Graphics
-	Core Next</link> (GCN) GPUs are supported through either radv, which is
-	part of <package>mesa</package>, or the <package>amdvlk</package> package.
-	Adding the <package>amdvlk</package> package to
-	<xref linkend="opt-hardware.opengl.extraPackages"/> makes both drivers
-	available for applications and lets them choose. A specific driver can
-	be forced as follows:
-
-	<programlisting><xref linkend="opt-hardware.opengl.extraPackages"/> = [
-  pkgs.<package>amdvlk</package>
-];
-
-# To enable Vulkan support for 32-bit applications, also add:
-<xref linkend="opt-hardware.opengl.extraPackages32"/> = [
-  pkgs.driversi686Linux.<package>amdvlk</package>
-];
-
-# For amdvlk
-<xref linkend="opt-environment.variables"/>.VK_ICD_FILENAMES =
-   "/run/opengl-driver/share/vulkan/icd.d/amd_icd64.json";
-# For radv
-<xref linkend="opt-environment.variables"/>.VK_ICD_FILENAMES =
-  "/run/opengl-driver/share/vulkan/icd.d/radeon_icd.x86_64.json";
-</programlisting>
+       Modern AMD <link
+       xlink:href="https://en.wikipedia.org/wiki/Graphics_Core_Next">Graphics
+       Core Next</link> (GCN) GPUs are supported through either radv, which is
+       part of <package>mesa</package>, or the <package>amdvlk</package> package.
+       Adding the <package>amdvlk</package> package to
+       <xref linkend="opt-hardware.opengl.extraPackages"/> makes both drivers
+       available for applications and lets them choose. A specific driver can
+       be forced as follows:
+
+       <programlisting><xref linkend="opt-hardware.opengl.extraPackages"/> = [
+         pkgs.<package>amdvlk</package>
+       ];
+
+       # To enable Vulkan support for 32-bit applications, also add:
+       <xref linkend="opt-hardware.opengl.extraPackages32"/> = [
+         pkgs.driversi686Linux.<package>amdvlk</package>
+       ];
+
+       # For amdvlk
+       <xref linkend="opt-environment.variables"/>.VK_ICD_FILENAMES =
+          "/run/opengl-driver/share/vulkan/icd.d/amd_icd64.json";
+       # For radv
+       <xref linkend="opt-environment.variables"/>.VK_ICD_FILENAMES =
+         "/run/opengl-driver/share/vulkan/icd.d/radeon_icd.x86_64.json";
+       </programlisting>
       </para>
     </section>
   </section>
diff --git a/nixpkgs/nixos/doc/manual/configuration/profiles/hardened.xml b/nixpkgs/nixos/doc/manual/configuration/profiles/hardened.xml
index dc83fc837e2a..4a51754cc7ae 100644
--- a/nixpkgs/nixos/doc/manual/configuration/profiles/hardened.xml
+++ b/nixpkgs/nixos/doc/manual/configuration/profiles/hardened.xml
@@ -7,7 +7,7 @@
 
  <para>
   A profile with most (vanilla) hardening options enabled by default,
-  potentially at the cost of features and performance.
+  potentially at the cost of stability, features and performance.
  </para>
 
  <para>
@@ -21,4 +21,12 @@
    xlink:href="https://github.com/nixos/nixpkgs/tree/master/nixos/modules/profiles/hardened.nix">
   profile source</literal> for further detail on which settings are altered.
  </para>
+ <warning>
+   <para>
+     This profile enables options that are known to affect system
+     stability. If you experience any stability issues when using the
+     profile, try disabling it. If you report an issue and use this
+     profile, always mention that you do.
+   </para>
+ </warning>
 </section>
diff --git a/nixpkgs/nixos/doc/manual/configuration/subversion.xml b/nixpkgs/nixos/doc/manual/configuration/subversion.xml
new file mode 100644
index 000000000000..940d63cc4e6d
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/configuration/subversion.xml
@@ -0,0 +1,140 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="module-services-subversion">
+  <title>Subversion</title>
+
+ <para>
+  <link xlink:href="https://subversion.apache.org/">Subversion</link>
+  is a centralized version-control system.  It can use a <link
+  xlink:href="http://svnbook.red-bean.com/en/1.7/svn-book.html#svn.serverconfig.choosing">variety
+  of protocols</link> for communication between client and server.
+ </para>
+ <section xml:id="module-services-subversion-apache-httpd">
+  <title>Subversion inside Apache HTTP</title>
+
+   <para>
+   This section focuses on configuring a web-based server on top of
+   the Apache HTTP server, which uses
+   <link xlink:href="http://www.webdav.org/">WebDAV</link>/<link
+   xlink:href="http://www.webdav.org/deltav/WWW10/deltav-intro.htm">DeltaV</link>
+   for communication.
+   </para>
+
+   <para>For more information on the general setup, please refer to
+   the <link
+   xlink:href="http://svnbook.red-bean.com/en/1.7/svn-book.html#svn.serverconfig.httpd">the
+   appropriate section of the Subversion book</link>.
+   </para>
+
+   <para>To configure, include in
+   <literal>/etc/nixos/configuration.nix</literal> code to activate
+   Apache HTTP, setting <xref linkend="opt-services.httpd.adminAddr" />
+   appropriately:
+   </para>
+
+    <para>
+<programlisting>
+  services.httpd.enable = true;
+  services.httpd.adminAddr = ...;
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+</programlisting>
+    </para>
+
+    <para>For a simple Subversion server with basic authentication,
+    configure the Subversion module for Apache as follows, setting
+    <literal>hostName</literal> and <literal>documentRoot</literal>
+    appropriately, and <literal>SVNParentPath</literal> to the parent
+    directory of the repositories,
+    <literal>AuthzSVNAccessFile</literal> to the location of the
+    <code>.authz</code> file describing access permission, and
+    <literal>AuthUserFile</literal> to the password file.
+    </para>
+    <para>
+<programlisting>
+services.httpd.extraModules = [
+    # note that order is *super* important here
+    { name = "dav_svn"; path = "${pkgs.apacheHttpdPackages.subversion}/modules/mod_dav_svn.so"; }
+    { name = "authz_svn"; path = "${pkgs.apacheHttpdPackages.subversion}/modules/mod_authz_svn.so"; }
+  ];
+  services.httpd.virtualHosts = {
+    "svn" = {
+       hostName = HOSTNAME;
+       documentRoot = DOCUMENTROOT;
+       locations."/svn".extraConfig = ''
+           DAV svn
+           SVNParentPath REPO_PARENT
+           AuthzSVNAccessFile ACCESS_FILE
+           AuthName "SVN Repositories"
+           AuthType Basic
+           AuthUserFile PASSWORD_FILE
+           Require valid-user
+      '';
+    }
+</programlisting>
+    </para>
+
+    <para>
+    The key <code>"svn"</code> is just a symbolic name identifying the
+    virtual host.  The <code>"/svn"</code> in
+    <code>locations."/svn".extraConfig</code> is the path underneath
+    which the repositories will be served.
+    </para>
+
+    <para><link
+              xlink:href="https://wiki.archlinux.org/index.php/Subversion">This
+    page</link> explains how to set up the Subversion configuration
+    itself.  This boils down to the following:
+    </para>
+    <para>
+      Underneath <literal>REPO_PARENT</literal> repositories can be set up
+      as follows:
+    </para>
+    <para>
+<screen>
+<prompt>$ </prompt> svn create REPO_NAME
+</screen>
+    </para>
+    <para>Repository files need to be accessible by
+    <literal>wwwrun</literal>:
+    </para>
+    <para>
+<screen>
+<prompt>$ </prompt> chown -R wwwrun:wwwrun REPO_PARENT
+</screen>
+    </para>
+    <para>
+      The password file <literal>PASSWORD_FILE</literal> can be created as follows:
+    </para>
+    <para>
+<screen>
+<prompt>$ </prompt> htpasswd -cs PASSWORD_FILE USER_NAME
+</screen>
+    </para>
+    <para>
+    Additional users can be set up similarly, omitting the
+    <code>c</code> flag:
+    </para>
+    <para>
+<screen>
+<prompt>$ </prompt> htpasswd -s PASSWORD_FILE USER_NAME
+</screen>
+    </para>
+    <para>
+      The file describing access permissions
+      <literal>ACCESS_FILE</literal> will look something like
+      the following:
+    </para>
+    <para>
+<programlisting>
+[/]
+* = r
+
+[REPO_NAME:/]
+USER_NAME = rw
+</programlisting>
+    </para>
+    <para>The Subversion repositories will be accessible as <code>http://HOSTNAME/svn/REPO_NAME</code>.</para>
+ </section>
+</chapter>
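Review bot: The example configures `AuthType Basic` while opening port 80 and advertising `http://HOSTNAME/svn/REPO_NAME`, so passwords and repository contents would cross the network unencrypted on every request. The text should tell readers to serve the virtual host over TLS (the httpd virtual-host options `forceSSL`/`enableACME`, or their own certificate) and show an `https://` URL. `htpasswd -cs` stores unsalted SHA-1 hashes, which the Apache documentation describes as insecure; `htpasswd -cB PASSWORD_FILE USER_NAME` (bcrypt) is the safer example, with `-B` for additional users. Separately, `svn create REPO_NAME` is not a Subversion command (repositories are created with `svnadmin create`), and the `services.httpd.virtualHosts` listing is never closed with `};`.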
diff --git a/nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml b/nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml
index cbec83814c9a..e83e7b75ef54 100644
--- a/nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml
+++ b/nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml
@@ -38,7 +38,7 @@
   assigned by setting the user's
   <link linkend="opt-users.users._name_.hashedPassword">hashedPassword</link>
   option. A hashed password can be generated using <command>mkpasswd -m
-  sha-512</command> after installing the <literal>mkpasswd</literal> package.
+  sha-512</command>.
  </para>
  <para>
   A user ID (uid) is assigned automatically. You can also specify a uid
diff --git a/nixpkgs/nixos/doc/manual/configuration/wayland.xml b/nixpkgs/nixos/doc/manual/configuration/wayland.xml
new file mode 100644
index 000000000000..231c219cf081
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/configuration/wayland.xml
@@ -0,0 +1,23 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-wayland">
+ <title>Wayland</title>
+
+ <para>
+  While X11 (see <xref linkend="sec-x11"/>) is still the primary display
+  technology on NixOS, Wayland support is steadily improving.
+  Where X11 separates the X Server and the window manager, on Wayland those
+  are combined: a Wayland Compositor is like an X11 window manager, but also
+  embeds the Wayland 'Server' functionality. This means it is sufficient to
+  install a Wayland Compositor such as <package>sway</package> without
+  separately enabling a Wayland server:
+<programlisting>
+<xref linkend="opt-programs.sway.enable"/> = true;
+</programlisting>
+  This installs the <package>sway</package> compositor along with some
+  essential utilities. Now you can start <package>sway</package> from the TTY
+  console.
+ </para>
+</chapter>
diff --git a/nixpkgs/nixos/doc/manual/contributing-to-this-manual.xml b/nixpkgs/nixos/doc/manual/contributing-to-this-manual.xml
new file mode 100644
index 000000000000..935dd66bc141
--- /dev/null
+++ b/nixpkgs/nixos/doc/manual/contributing-to-this-manual.xml
@@ -0,0 +1,22 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xml:id="chap-contributing">
+ <title>Contributing to this documentation</title>
+ <para>
+  The DocBook sources of NixOS' manual are in the <filename
+xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual">
+nixos/doc/manual</filename> subdirectory of the <link
+xlink:href="https://github.com/NixOS/nixpkgs">Nixpkgs</link> repository.
+ </para>
+ <para>
+  You can quickly check your edits with the following:
+ </para>
+<screen>
+<prompt>$ </prompt>cd /path/to/nixpkgs
+<prompt>$ </prompt>nix-build nixos/release.nix -A manual.x86_64-linux
+</screen>
+ <para>
+  If the build succeeds, the manual will be in
+  <filename>./result/share/doc/nixos/index.html</filename>.
+ </para>
+</chapter>
diff --git a/nixpkgs/nixos/doc/manual/default.nix b/nixpkgs/nixos/doc/manual/default.nix
index 6ca75f869f45..af7a2e08220c 100644
--- a/nixpkgs/nixos/doc/manual/default.nix
+++ b/nixpkgs/nixos/doc/manual/default.nix
@@ -63,6 +63,7 @@ let
     "--stringparam html.script './highlightjs/highlight.pack.js ./highlightjs/loader.js'"
     "--param xref.with.number.and.title 1"
     "--param toc.section.depth 0"
+    "--param generate.consistent.ids 1"
     "--stringparam admon.style ''"
     "--stringparam callout.graphics.extension .svg"
     "--stringparam current.docid manual"
diff --git a/nixpkgs/nixos/doc/manual/development/building-nixos.xml b/nixpkgs/nixos/doc/manual/development/building-nixos.xml
index 56a596baed00..d58b6354d1d3 100644
--- a/nixpkgs/nixos/doc/manual/development/building-nixos.xml
+++ b/nixpkgs/nixos/doc/manual/development/building-nixos.xml
@@ -24,4 +24,10 @@
 <screen>
 <prompt># </prompt>mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen>
  </para>
+ <para>
+ If you want to customize your NixOS CD in more detail, or generate other kinds
+ of images, you might want to check out <link
+ xlink:href="https://github.com/nix-community/nixos-generators">nixos-generators</link>. This can also be a good starting point when you want to use Nix to build a
+ 'minimal' image that doesn't include a NixOS installation.
+ </para>
 </chapter>
diff --git a/nixpkgs/nixos/doc/manual/development/meta-attributes.xml b/nixpkgs/nixos/doc/manual/development/meta-attributes.xml
index c626ef30e9d5..c40be0a50c36 100644
--- a/nixpkgs/nixos/doc/manual/development/meta-attributes.xml
+++ b/nixpkgs/nixos/doc/manual/development/meta-attributes.xml
@@ -57,7 +57,7 @@
       linkend="ch-configuration"/>. Changes to a module documentation
     have to be checked to not break building the NixOS manual:
    </para>
-<screen><prompt>$ </prompt>nix-build nixos/release.nix -A manual</screen>
+<screen><prompt>$ </prompt>nix-build nixos/release.nix -A manual.x86_64-linux</screen>
   </callout>
  </calloutlist>
 </section>
diff --git a/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml b/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml
index a11a9382764d..a6044d5f89e8 100644
--- a/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml
+++ b/nixpkgs/nixos/doc/manual/development/running-nixos-tests-interactively.xml
@@ -9,7 +9,7 @@
   The test itself can be run interactively. This is particularly useful when
   developing or debugging a test:
 <screen>
-<prompt>$ </prompt>nix-build nixos/tests/login.nix -A driver
+<prompt>$ </prompt>nix-build nixos/tests/login.nix -A driverInteractive
 <prompt>$ </prompt>./result/bin/nixos-test-driver
 starting VDE switch for network 1
 <prompt>&gt;</prompt>
@@ -30,7 +30,7 @@ starting VDE switch for network 1
  <para>
   To just start and experiment with the VMs, run:
 <screen>
-<prompt>$ </prompt>nix-build nixos/tests/login.nix -A driver
+<prompt>$ </prompt>nix-build nixos/tests/login.nix -A driverInteractive
 <prompt>$ </prompt>./result/bin/nixos-run-vms
 </screen>
   The script <command>nixos-run-vms</command> starts the virtual machines
diff --git a/nixpkgs/nixos/doc/manual/installation/installing-from-other-distro.xml b/nixpkgs/nixos/doc/manual/installation/installing-from-other-distro.xml
index f10a7d658879..43f69b923d14 100644
--- a/nixpkgs/nixos/doc/manual/installation/installing-from-other-distro.xml
+++ b/nixpkgs/nixos/doc/manual/installation/installing-from-other-distro.xml
@@ -161,6 +161,13 @@ nixpkgs https://nixos.org/channels/nixpkgs-unstable</screen>
      existing systems without the help of a rescue USB drive or similar.
     </para>
    </warning>
+   <note>
+    <para>
+     On some distributions there are separate PATHS for programs intended only for root.
+     In order for the installation to succeed, you might have to use <literal>PATH="$PATH:/usr/sbin:/sbin"</literal>
+     in the following command.
+    </para>
+   </note>
 <screen><prompt>$ </prompt>sudo PATH="$PATH" NIX_PATH="$NIX_PATH" `which nixos-install` --root /mnt</screen>
    <para>
     Again, please refer to the <literal>nixos-install</literal> step in
diff --git a/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml b/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml
index 1cffeed48079..4957b700946e 100644
--- a/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml
+++ b/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.xml
@@ -83,7 +83,7 @@
   VirtualBox settings (Machine / Settings / Shared Folders, then click on the
   "Add" icon). Add the following to the
   <literal>/etc/nixos/configuration.nix</literal> to auto-mount them. If you do
-  not add <literal>"nofail"</literal>, the system will no boot properly. The
+  not add <literal>"nofail"</literal>, the system will not boot properly. The
   same goes for disabling <literal>rngd</literal> which is normally used to get
   randomness but this does not work in virtual machines.
  </para>
diff --git a/nixpkgs/nixos/doc/manual/installation/installing.xml b/nixpkgs/nixos/doc/manual/installation/installing.xml
index 6df1d8303483..bedeb7ccfa8e 100644
--- a/nixpkgs/nixos/doc/manual/installation/installing.xml
+++ b/nixpkgs/nixos/doc/manual/installation/installing.xml
@@ -480,13 +480,8 @@ Retype new UNIX password: ***</screen>
 <prompt>$ </prompt>passwd eelco</screen>
     </para>
     <para>
-     You may also want to install some software. For instance,
-<screen>
-<prompt>$ </prompt>nix-env -qaP \*</screen>
-     shows what packages are available, and
-<screen>
-<prompt>$ </prompt>nix-env -f '&lt;nixpkgs&gt;' -iA w3m</screen>
-     installs the <literal>w3m</literal> browser.
+     You may also want to install some software. This will be covered
+     in <xref linkend="sec-package-management" />.
     </para>
    </listitem>
   </orderedlist>
diff --git a/nixpkgs/nixos/doc/manual/installation/upgrading.xml b/nixpkgs/nixos/doc/manual/installation/upgrading.xml
index 08780051d5f6..15ba5db9a37b 100644
--- a/nixpkgs/nixos/doc/manual/installation/upgrading.xml
+++ b/nixpkgs/nixos/doc/manual/installation/upgrading.xml
@@ -14,7 +14,7 @@
     <para>
      <emphasis>Stable channels</emphasis>, such as
      <literal
-    xlink:href="https://nixos.org/channels/nixos-20.03">nixos-20.03</literal>.
+    xlink:href="https://nixos.org/channels/nixos-20.09">nixos-20.09</literal>.
      These only get conservative bug fixes and package upgrades. For instance,
      a channel update may cause the Linux kernel on your system to be upgraded
      from 4.19.34 to 4.19.38 (a minor bug fix), but not from
@@ -38,7 +38,7 @@
     <para>
      <emphasis>Small channels</emphasis>, such as
      <literal
-    xlink:href="https://nixos.org/channels/nixos-20.03-small">nixos-20.03-small</literal>
+    xlink:href="https://nixos.org/channels/nixos-20.09-small">nixos-20.09-small</literal>
      or
      <literal
     xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>.
@@ -63,8 +63,8 @@
  <para>
   When you first install NixOS, you’re automatically subscribed to the NixOS
   channel that corresponds to your installation source. For instance, if you
-  installed from a 20.03 ISO, you will be subscribed to the
-  <literal>nixos-20.03</literal> channel. To see which NixOS channel you’re
+  installed from a 20.09 ISO, you will be subscribed to the
+  <literal>nixos-20.09</literal> channel. To see which NixOS channel you’re
   subscribed to, run the following as root:
 <screen>
 <prompt># </prompt>nix-channel --list | grep nixos
@@ -75,13 +75,13 @@ nixos https://nixos.org/channels/nixos-unstable
 <prompt># </prompt>nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
 </screen>
   (Be sure to include the <literal>nixos</literal> parameter at the end.) For
-  instance, to use the NixOS 20.03 stable channel:
+  instance, to use the NixOS 20.09 stable channel:
 <screen>
-<prompt># </prompt>nix-channel --add https://nixos.org/channels/nixos-20.03 nixos
+<prompt># </prompt>nix-channel --add https://nixos.org/channels/nixos-20.09 nixos
 </screen>
   If you have a server, you may want to use the “small” channel instead:
 <screen>
-<prompt># </prompt>nix-channel --add https://nixos.org/channels/nixos-20.03-small nixos
+<prompt># </prompt>nix-channel --add https://nixos.org/channels/nixos-20.09-small nixos
 </screen>
   And if you want to live on the bleeding edge:
 <screen>
@@ -132,7 +132,7 @@ nixos https://nixos.org/channels/nixos-unstable
    kernel, initrd or kernel modules.
    You can also specify a channel explicitly, e.g.
 <programlisting>
-<xref linkend="opt-system.autoUpgrade.channel"/> = https://nixos.org/channels/nixos-20.03;
+<xref linkend="opt-system.autoUpgrade.channel"/> = https://nixos.org/channels/nixos-20.09;
 </programlisting>
   </para>
  </section>
diff --git a/nixpkgs/nixos/doc/manual/man-nixos-install.xml b/nixpkgs/nixos/doc/manual/man-nixos-install.xml
index b205e2309687..91542d37cbd5 100644
--- a/nixpkgs/nixos/doc/manual/man-nixos-install.xml
+++ b/nixpkgs/nixos/doc/manual/man-nixos-install.xml
@@ -50,6 +50,12 @@
    </arg>
 
    <arg>
+    <group choice='req'>
+     <arg choice='plain'><option>--impure</option></arg>
+    </group>
+   </arg>
+
+   <arg>
      <arg choice='plain'>
        <option>--channel</option>
      </arg>
@@ -102,6 +108,12 @@
 
    <arg>
     <arg choice='plain'>
+     <option>--keep-going</option>
+    </arg>
+   </arg>
+
+   <arg>
+    <arg choice='plain'>
      <option>--help</option>
     </arg>
    </arg>
@@ -297,6 +309,17 @@
    </varlistentry>
    <varlistentry>
     <term>
+     <option>--keep-going</option>
+    </term>
+    <listitem>
+     <para>
+      Causes Nix to continue building derivations as far as possible
+      in the face of failed builds.
+     </para>
+    </listitem>
+   </varlistentry>
+   <varlistentry>
+    <term>
      <option>--help</option>
     </term>
     <listitem>
diff --git a/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml b/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml
index 1fd3a1c56648..d0ff81c1dbb3 100644
--- a/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml
+++ b/nixpkgs/nixos/doc/manual/man-nixos-rebuild.xml
@@ -120,6 +120,11 @@
    </arg>
    <arg>
     <group choice='req'>
+     <arg choice='plain'><option>--impure</option></arg>
+    </group>
+   </arg>
+   <arg>
+    <group choice='req'>
      <arg choice='plain'><option>--max-jobs</option></arg>
      <arg choice='plain'><option>-j</option></arg>
     </group>
@@ -564,7 +569,7 @@
    In addition, <command>nixos-rebuild</command> accepts various Nix-related
    flags, including <option>--max-jobs</option> / <option>-j</option>,
    <option>--show-trace</option>, <option>--keep-failed</option>,
-   <option>--keep-going</option> and <option>--verbose</option> /
+   <option>--keep-going</option>, <option>--impure</option>, and <option>--verbose</option> /
    <option>-v</option>. See the Nix manual for details.
   </para>
  </refsection>
diff --git a/nixpkgs/nixos/doc/manual/manual.xml b/nixpkgs/nixos/doc/manual/manual.xml
index 18a67a2dd941..db9e7313831d 100644
--- a/nixpkgs/nixos/doc/manual/manual.xml
+++ b/nixpkgs/nixos/doc/manual/manual.xml
@@ -19,5 +19,6 @@
   <xi:include href="./generated/options-db.xml"
                 xpointer="configuration-variable-list" />
  </appendix>
+ <xi:include href="contributing-to-this-manual.xml" />
  <xi:include href="release-notes/release-notes.xml" />
 </book>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml
index 87f122856194..2331375c2c22 100644
--- a/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2003.xml
@@ -650,7 +650,7 @@ See https://github.com/NixOS/nixpkgs/pull/71684 for details.
       <listitem>
        <para>
          <literal>boot.extraTTYs</literal> renamed to
-         <link linkend="opt-console.extraTTYs">console.extraTTYs</link>
+         <literal>console.extraTTYs</literal>.
        </para>
       </listitem>
     </itemizedlist>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml
index 511276bcaab3..3da8080958ee 100644
--- a/nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml
@@ -3,8 +3,11 @@
          xmlns:xi="http://www.w3.org/2001/XInclude"
          version="5.0"
          xml:id="sec-release-20.09">
- <title>Release 20.09 (“Nightingale”, 2020.09/??)</title>
+ <title>Release 20.09 (“Nightingale”, 2020.10/27)</title>
 
+  <para>
+   Support is planned until the end of April 2021, handing over to 21.03.
+  </para>
  <section xmlns="http://docbook.org/ns/docbook"
          xmlns:xlink="http://www.w3.org/1999/xlink"
          xmlns:xi="http://www.w3.org/2001/XInclude"
@@ -13,82 +16,611 @@
   <title>Highlights</title>
 
   <para>
-   In addition to numerous new and upgraded packages, this release has the
+   In addition to 7349 new, 14442 updated, and 8181 removed packages, this release has the
    following highlights:
   </para>
 
   <itemizedlist>
    <listitem>
     <para>
-     Support is planned until the end of April 2021, handing over to 21.03.
-    </para>
-   </listitem>
-   <listitem>
-    <para>GNOME desktop environment was upgraded to 3.36, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.36/">release notes</link>.</para>
-   </listitem>
-   <listitem>
-     <para>
-     The Cinnamon desktop environment (v4.6) has been added. <varname>services.xserver.desktopManager.cinnamon.enable = true;</varname> to try it out!
-     Remember that, with any new feature it's possible you could run into issues, so please send all support requests to <link xlink:href="https://github.com/NixOS/nixpkgs/issues">github.com/NixOS/nixpkgs</link> to notify the maintainers.
-     </para>
-   </listitem>
-   <listitem>
-    <para>
-      Quickly configure a complete, private, self-hosted video
-      conferencing solution with the new Jitsi Meet module.
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-    <package>maxx</package> package removed along with <varname>services.xserver.desktopManager.maxx</varname> module.
-    Please migrate to <package>cdesktopenv</package> and <varname>services.xserver.desktopManager.cde</varname> module.
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-     We now distribute a GNOME ISO.
-    </para>
+     Core version changes:
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       gcc: 9.2.0 -> 9.3.0
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       glibc: 2.30 -> 2.31
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       linux: still defaults to 5.4.x, all supported kernels available
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       mesa: 19.3.5 -> 20.1.7
+      </para>
+     </listitem>
+    </itemizedlist>
+   </listitem>
+   <listitem>
+    <para>
+     Desktop Environments:
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       plasma5: 5.17.5 -> 5.18.5
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       kdeApplications: 19.12.3 -> 20.08.1
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       gnome3: 3.34 -> 3.36, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.36/">release notes</link>
+      </para>
+     </listitem>
+      <listitem>
+       <para>
+        cinnamon: added at 4.6
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       NixOS now distributes an official <link xlink:href="https://nixos.org/download.html#nixos-iso">GNOME ISO</link>
+      </para>
+     </listitem>
+    </itemizedlist>
    </listitem>
+
    <listitem>
     <para>
-     PHP now defaults to PHP 7.4, updated from 7.3.
+     Programming Languages and Frameworks:
     </para>
+    <itemizedlist>
+
+     <listitem>
+      <para>
+       Agda ecosystem was heavily reworked (see more details below)
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       PHP now defaults to PHP 7.4, updated from 7.3
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       PHP 7.2 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 20.09 release
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       Python 3 now defaults to Python 3.8 instead of 3.7
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       Python 3.5 reached its upstream EOL at the end of September 2020: it
+       has been removed from the list of available packages
+      </para>
+     </listitem>
+    </itemizedlist>
    </listitem>
+
    <listitem>
     <para>
-     PHP 7.2 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 20.09 release.
+     Databases and Service Monitoring:
     </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       MariaDB has been updated to 10.4, MariaDB Galera to 26.4. Please read the related upgrade instructions under <link linkend="sec-release-20.09-incompatibilities">backwards incompatibilities</link> before upgrading.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+        Zabbix now defaults to 5.0, updated from 4.4. Please read related sections under <link linkend="sec-release-20.09-incompatibilities">backwards compatibilities</link> before upgrading.
+      </para>
+     </listitem>
+    </itemizedlist>
    </listitem>
+
    <listitem>
     <para>
-     Python 3 now defaults to Python 3.8 instead of 3.7.
-    </para>
+     Major module changes:
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       Quickly configure a complete, private, self-hosted video
+       conferencing solution with the new Jitsi Meet module.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link>
+       and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have
+       been added to the <literal>openssh</literal> module. If you have <literal>AuthorizedKeysCommand</literal>
+       in your <link linkend="opt-services.openssh.extraConfig">services.openssh.extraConfig</link> you should
+       make use of these new options instead.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       There is a new module for Podman (<varname>virtualisation.podman</varname>), a drop-in replacement for the Docker command line.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       The new <varname>virtualisation.containers</varname> module manages configuration shared by the CRI-O and Podman modules.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+        Declarative Docker containers are renamed from <varname>docker-containers</varname> to <varname>virtualisation.oci-containers.containers</varname>.
+        This is to make it possible to use <literal>podman</literal> instead of <literal>docker</literal>.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+        The new option <link linkend="opt-documentation.man.generateCaches">documentation.man.generateCaches</link>
+        has been added to automatically generate the <literal>man-db</literal> caches, which are needed by utilities
+        like <command>whatis</command> and <command>apropos</command>. The caches are generated during the build of
+        the NixOS configuration: since this can be expensive when a large number of packages are installed, the
+        feature is disabled by default.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <varname>services.postfix.sslCACert</varname> was replaced by <varname>services.postfix.tlsTrustedAuthorities</varname> which now defaults to system certificate authorities.
+      </para>
+     </listitem>
+     <listitem>
+       <para>
+         The various documented workarounds to use steam have been converted to a module. <varname>programs.steam.enable</varname> enables steam, controller support and the workarounds.
+       </para>
+     </listitem>
+     <listitem>
+       <para>
+         Support for built-in LCDs in various pieces of Logitech hardware (keyboards and USB speakers). <varname>hardware.logitech.lcd.enable</varname> enables support for all hardware supported by the <link xlink:href="https://sourceforge.net/projects/g15daemon/">g15daemon project</link>.
+       </para>
+     </listitem>
+     <listitem>
+       <para>
+         The GRUB module gained support for basic password protection, which
+         allows to restrict non-default entries in the boot menu to one or more
+         users. The users and passwords are defined via the option
+         <option>boot.loader.grub.users</option>.
+         Note: Password support is only available in GRUB version 2.
+       </para>
+     </listitem>
+    </itemizedlist>
    </listitem>
+
    <listitem>
     <para>
-     Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link>
-     and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have
-     been added to the <literal>openssh</literal> module. If you have <literal>AuthorizedKeysCommand</literal>
-     in your <link linkend="opt-services.openssh.extraConfig">services.openssh.extraConfig</link> you should
-     make use of these new options instead.
+     NixOS module changes:
     </para>
+    <itemizedlist>
+     <listitem>
+       <para>
+        The NixOS module system now supports freeform modules as a mix between <literal>types.attrsOf</literal> and <literal>types.submodule</literal>. These allow you to explicitly declare a subset of options while still permitting definitions without an associated option. See <xref linkend='sec-freeform-modules'/> for how to use them.
+       </para>
+     </listitem>
+     <listitem>
+      <para>
+       Following its deprecation in 20.03, the Perl NixOS test driver has been removed.
+       All remaining tests have been ported to the Python test framework.
+       Code outside nixpkgs using <filename>make-test.nix</filename> or
+       <filename>testing.nix</filename> needs to be ported to
+       <filename>make-test-python.nix</filename> and
+       <filename>testing-python.nix</filename> respectively.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+        Subordinate GID and UID mappings are now set up automatically for all normal users.
+        This will make container tools like Podman work as non-root users out of the box.
+      </para>
+     </listitem>
+    </itemizedlist>
    </listitem>
    <listitem>
     <para>
-     There is a new module for Podman(<varname>virtualisation.podman</varname>), a drop-in replacement for the Docker command line.
+     Starting with this release, the hydra-build-result
+     <literal>nixos-<replaceable>YY.MM</replaceable></literal>
+     branches no longer exist in the <link
+     xlink:href="https://github.com/nixos/nixpkgs-channels">deprecated
+     nixpkgs-channels repository</link>.  These branches are now in
+     <link xlink:href="https://github.com/nixos/nixpkgs">the main nixpkgs
+     repository</link>.
     </para>
    </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-20.09-new-services">
+  <title>New Services</title>
+
+  <para>
+   In addition to 1119 new, 118 updated, and 476 removed options; 61 new modules were added since the last release:
+  </para>
+
+  <itemizedlist>
    <listitem>
     <para>
-     The new <varname>virtualisation.containers</varname> module manages configuration shared by the CRI-O and Podman modules.
-    </para>
+       Hardware:
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       <xref linkend="opt-hardware.system76.firmware-daemon.enable" /> adds easy support of system76 firmware
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-hardware.uinput.enable" /> loads uinput kernel module
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-hardware.video.hidpi.enable" /> enable good defaults for HiDPI displays
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-hardware.wooting.enable" /> support for Wooting keyboards
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-hardware.xpadneo.enable" /> xpadneo driver for Xbox One wireless controllers
+      </para>
+     </listitem>
+    </itemizedlist>
+   </listitem>
+   <listitem>
+    <para>
+       Programs:
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       <xref linkend="opt-programs.hamster.enable" /> enable hamster time tracking
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-programs.steam.enable" /> adds easy enablement of steam and related system configuration
+      </para>
+     </listitem>
+    </itemizedlist>
+   </listitem>
+   <listitem>
+    <para>
+       Security:
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       <xref linkend="opt-security.doas.enable" /> alternative to sudo, allows non-root users to execute commands as root
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-security.tpm2.enable" /> add Trusted Platform Module 2 support
+      </para>
+     </listitem>
+    </itemizedlist>
+   </listitem>
+   <listitem>
+    <para>
+       System:
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       <xref linkend="opt-boot.initrd.network.openvpn.enable" /> start an OpenVPN client during initrd boot
+      </para>
+     </listitem>
+    </itemizedlist>
+   </listitem>
+   <listitem>
+    <para>
+       Virtualization:
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       <xref linkend="opt-boot.enableContainers" /> use nixos-containers
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-virtualisation.oci-containers.containers" /> run OCI (Docker) containers
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-virtualisation.podman.enable" /> daemonless container engine
+      </para>
+     </listitem>
+    </itemizedlist>
    </listitem>
+
    <listitem>
     <para>
-      Declarative Docker containers are renamed from <varname>docker-containers</varname> to <varname>virtualisation.oci-containers.containers</varname>.
-      This is to make it possible to use <literal>podman</literal> instead of <literal>docker</literal>.
-    </para>
+       Services:
+    </para>
+    <itemizedlist>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.ankisyncd.enable" /> Anki sync server
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.bazarr.enable" /> Subtitle manager for Sonarr and Radarr
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.biboumi.enable" /> Biboumi XMPP gateway to IRC
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.blockbook-frontend" /> Blockbook-frontend, a service for the Trezor wallet
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.cage.enable" /> Wayland cage service
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.convos.enable" /> IRC daemon, which can be accessed throught the browser
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.engelsystem.enable" /> Tool for coordinating volunteers and shifts on large events
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.espanso.enable" /> text-expander written in rust
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.foldingathome.enable" /> Folding@home client
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.gerrit.enable" /> Web-based team code collaboration tool
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.go-neb.enable" /> Matrix bot
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.hardware.xow.enable" /> xow as a systemd service
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.hercules-ci-agent.enable" /> Hercules CI build agent
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.jicofo.enable" /> Jitsi Conference Focus, component of Jitsi Meet
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.jirafeau.enable" /> A web file repository
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.jitsi-meet.enable" /> Secure, simple and scalable video conferences
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.jitsi-videobridge.enable" /> Jitsi Videobridge, a WebRTC compatible router
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.jupyterhub.enable" /> Jupyterhub development server
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.k3s.enable" /> Lightweight Kubernetes distribution
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.magic-wormhole-mailbox-server.enable" /> Magic Wormhole Mailbox Server
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.malcontent.enable" /> Parental Control support
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.matrix-appservice-discord.enable" /> Matrix and Discord bridge
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.mautrix-telegram.enable" /> Matrix-Telegram puppeting/relaybot bridge
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.mirakurun.enable" /> Japanese DTV Tuner Server Service
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.molly-brown.enable" /> Molly-Brown Gemini server
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.mullvad-vpn.enable" /> Mullvad VPN daemon
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.ncdns.enable" /> Namecoin to DNS bridge
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.nextdns.enable" /> NextDNS to DoH Proxy service
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.nix-store-gcs-proxy" /> Google storage bucket to be used as a nix store
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.onedrive.enable" /> OneDrive sync service
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.pinnwand.enable" /> Pastebin-like service
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.pixiecore.enable" /> Manage network booting of machines
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.privacyidea.enable" /> Privacy authentication server
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.quorum.enable" /> Quorum blockchain daemon
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.robustirc-bridge.enable" /> RobustIRC bridge
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.rss-bridge.enable" /> Generate RSS and Atom feeds
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.rtorrent.enable" /> rTorrent service
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.smartdns.enable" /> SmartDNS DNS server
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.sogo.enable" /> SOGo groupware
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.teeworlds.enable" /> Teeworlds game server
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.torque.mom.enable" /> torque computing node
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.torque.server.enable" /> torque server
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.tuptime.enable" /> A total uptime service
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.urserver.enable" /> X11 remote server
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.wasabibackend.enable" /> Wasabi backend service
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.yubikey-agent.enable" /> Yubikey agent
+      </para>
+     </listitem>
+     <listitem>
+      <para>
+       <xref linkend="opt-services.zigbee2mqtt.enable" /> Zigbee to MQTT bridge
+      </para>
+     </listitem>
+    </itemizedlist>
    </listitem>
+
+  </itemizedlist>
+
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-20.09-incompatibilities">
+  <title>Backward Incompatibilities</title>
+
+  <para>
+   When upgrading from a previous release, please be aware of the following
+   incompatible changes:
+  </para>
+
+  <itemizedlist>
    <listitem>
     <para>
       MariaDB has been updated to 10.4, MariaDB Galera to 26.4.
@@ -138,36 +670,7 @@ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
       from the default of <literal>mysql</literal> to a different user please change <literal>'mysql'@'localhost'</literal> to the corresponding user instead.
     </para>
    </listitem>
-   <listitem>
-    <para>
-      The new option <link linkend="opt-documentation.man.generateCaches">documentation.man.generateCaches</link>
-      has been added to automatically generate the <literal>man-db</literal> caches, which are needed by utilities
-      like <command>whatis</command> and <command>apropos</command>. The caches are generated during the build of
-      the NixOS configuration: since this can be expensive when a large number of packages are installed, the
-      feature is disabled by default.
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-     <varname>services.postfix.sslCACert</varname> was replaced by <varname>services.postfix.tlsTrustedAuthorities</varname> which now defaults to system certificate authorities.
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-      Subordinate GID and UID mappings are now set up automatically for all normal users.
-      This will make container tools like Podman work as non-root users out of the box.
-    </para>
-   </listitem>
-   <listitem>
-     <para>
-       The various documented workarounds to use steam have been converted to a module. <varname>programs.steam.enable</varname> enables steam, controller support and the workarounds.
-     </para>
-   </listitem>
-   <listitem>
-     <para>
-       Support for built-in LCDs in various pieces of Logitech hardware (keyboards and USB speakers). <varname>hardware.logitech.lcd.enable</varname> enables support for all hardware supported by the g15daemon project.
-     </para>
-   </listitem>
+
    <listitem>
     <para>
       Zabbix now defaults to 5.0, updated from 4.4. Please carefully read through
@@ -202,72 +705,18 @@ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
 </programlisting>
     </para>
    </listitem>
-   <listitem>
-     <para>
-      The NixOS module system now supports freeform modules as a mix between <literal>types.attrsOf</literal> and <literal>types.submodule</literal>. These allow you to explicitly declare a subset of options while still permitting definitions without an associated option. See <xref linkend='sec-freeform-modules'/> for how to use them.
-     </para>
-   </listitem>
-   <listitem>
-     <para>
-       The GRUB module gained support for basic password protection, which
-       allows to restrict non-default entries in the boot menu to one or more
-       users. The users and passwords are defined via the option
-       <option>boot.loader.grub.users</option>.
-       Note: Password support is only avaiable in GRUB version 2.
-     </para>
-   </listitem>
-   <listitem>
-     <para>
-       Following its deprecation in 20.03, the Perl NixOS test driver has been removed.
-       All remaining tests have been ported to the Python test framework.
-       Code outside nixpkgs using <filename>make-test.nix</filename> or
-       <filename>testing.nix</filename> needs to be ported to
-       <filename>make-test-python.nix</filename> and
-       <filename>testing-python.nix</filename> respectively.
-     </para>
-   </listitem>
-  </itemizedlist>
- </section>
-
- <section xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xmlns:xi="http://www.w3.org/2001/XInclude"
-         version="5.0"
-         xml:id="sec-release-20.09-new-services">
-  <title>New Services</title>
 
-  <para>
-   The following new services were added since the last release:
-  </para>
-
-  <itemizedlist>
    <listitem>
     <para>
-      There is a new <xref linkend="opt-security.doas.enable"/> module that provides <command>doas</command>, a lighter alternative to <command>sudo</command> with many of the same features.
+    <package>maxx</package> package removed along with <varname>services.xserver.desktopManager.maxx</varname> module.
+    Please migrate to <package>cdesktopenv</package> and <varname>services.xserver.desktopManager.cde</varname> module.
     </para>
-  </listitem>
-  <listitem>
+   </listitem>
+   <listitem>
     <para>
-      <link xlink:href="https://hercules-ci.com">Hercules CI</link> Agent is a specialized build agent for projects built with Nix. See the <link xlink:href="https://nixos.org/nixos/options.html#services.hercules-ci-agent">options</link> and <link xlink:href="https://docs.hercules-ci.com/hercules-ci/getting-started/#deploy-agent">setup</link>.
+     The <link linkend="opt-services.matrix-synapse.enable">matrix-synapse</link> module no longer includes optional dependencies by default, they have to be added through the <link linkend="opt-services.matrix-synapse.plugins">plugins</link> option.
     </para>
    </listitem>
-  </itemizedlist>
-
- </section>
-
- <section xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xmlns:xi="http://www.w3.org/2001/XInclude"
-         version="5.0"
-         xml:id="sec-release-20.09-incompatibilities">
-  <title>Backward Incompatibilities</title>
-
-  <para>
-   When upgrading from a previous release, please be aware of the following
-   incompatible changes:
-  </para>
-
-  <itemizedlist>
    <listitem>
     <para>
      <literal>buildGoModule</literal> now internally creates a vendor directory
@@ -289,7 +738,7 @@ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
      It can still be enabled by providing <literal>phantomJsSupport = true</literal> to the package instantiation:
 <programlisting>{
   services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec {
-    phantomJsSupport = false;
+    phantomJsSupport = true;
   });
 }</programlisting>
     </para>
@@ -440,12 +889,23 @@ php.override {
    <listitem>
      <para>
        Nginx web server now starting with additional sandbox/hardening options. By default, write access
-       to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders,
+       to <literal>/var/log/nginx</literal> and <literal>/var/cache/nginx</literal> is allowed. To allow writing to other folders,
        use <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal>
        <programlisting>
 systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
        </programlisting>
      </para>
+     <para>
+       Nginx is also started with the systemd option <literal>ProtectHome = mkDefault true;</literal>
+       which forbids it to read anything from <literal>/home</literal>, <literal>/root</literal>
+       and <literal>/run/user</literal> (see
+       <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=">ProtectHome docs</link>
+       for details).
+       If you require serving files from home directories, you may choose to set e.g.
+<programlisting>
+systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
+</programlisting>
+     </para>
    </listitem>
    <listitem>
     <para>
@@ -578,8 +1038,8 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
    <listitem>
      <para>
        In addition to the hostname, the fully qualified domain name (FQDN),
-       which consists of <literal>${cfg.hostName}</literal> and
-       <literal>${cfg.domain}</literal> is now added to
+       which consists of <literal>${networking.hostName}</literal> and
+       <literal>${networking.domain}</literal> is now added to
        <literal>/etc/hosts</literal>, to allow local FQDN resolution, as used by the
        <literal>hostname --fqdn</literal> command and other applications that
        try to determine the FQDN. These new entries take precedence over entries
@@ -594,11 +1054,15 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
    <listitem>
      <para>
        The hostname (<literal>networking.hostName</literal>) must now be a valid
-       DNS label (see RFC 1035) and as such must not contain the domain part.
-       This means that the hostname must start with a letter, end with a letter
+       DNS label (see RFC 1035, RFC 1123) and as such must not contain the domain part.
+       This means that the hostname must start with a letter or digit, end with a letter
        or digit, and have as interior characters only letters, digits, and
        hyphen. The maximum length is 63 characters. Additionally it is
        recommended to only use lower-case characters.
+       If (e.g. for legacy reasons) a FQDN is required as the Linux kernel network node hostname
+       (<literal>uname --nodename</literal>) the option
+       <literal>boot.kernel.sysctl."kernel.hostname"</literal>
+       can be used as a workaround (but be aware of the 64 character limit).
      </para>
    </listitem>
    <listitem>
@@ -628,6 +1092,13 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
      In the <literal>resilio</literal> module, <xref linkend="opt-services.resilio.httpListenAddr"/> has been changed to listen to <literal>[::1]</literal> instead of <literal>0.0.0.0</literal>.
      </para>
    </listitem>
+     <listitem>
+       <para>
+         <literal>sslh</literal> has been updated to version
+           <literal>1.21</literal>. The <literal>ssl</literal> probe must be
+             renamed to <literal>tls</literal> in <xref linkend="opt-services.sslh.appendConfig"/>.
+    </para>
+  </listitem>
    <listitem>
     <para>
      Users of <link xlink:href="http://openafs.org">OpenAFS 1.6</link> must
@@ -834,6 +1305,51 @@ CREATE ROLE postgres LOGIN SUPERUSER;
      functionally redundent.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     The <literal>hardware.nvidia.optimus_prime.enable</literal> service has been renamed to
+     <literal>hardware.nvidia.prime.sync.enable</literal> and has many new enhancements.
+     Related nvidia prime settings may have also changed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The package <package>nextcloud17</package> has been removed and <package>nextcloud18</package> was marked as insecure
+     since both of them will <link xlink:href="https://docs.nextcloud.com/server/19/admin_manual/release_schedule.html">
+     will be EOL (end of life) within the lifetime of 20.09</link>.
+    </para>
+    <para>
+     It's necessary to upgrade to <package>nextcloud19</package>:
+     <itemizedlist>
+      <listitem>
+       <para>
+        From <package>nextcloud17</package>, you have to upgrade to <package>nextcloud18</package> first as
+        Nextcloud doesn't allow going multiple major revisions forward in a single upgrade. This is possible
+        by setting <xref linkend="opt-services.nextcloud.package" /> to <package>nextcloud18</package>.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        From <package>nextcloud18</package>, it's possible to directly upgrade to <package>nextcloud19</package>
+        by setting <xref linkend="opt-services.nextcloud.package" /> to <package>nextcloud19</package>.
+       </para>
+      </listitem>
+     </itemizedlist>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      The GNOME desktop manager no longer default installs <package>gnome3.epiphany</package>.
+      It was chosen to do this as it has a usability breaking issue (see issue <link xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link>)
+      that makes it unsuitable to be a default app.
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+       If you want to manage the configuration of <package>wpa_supplicant</package> outside of NixOS you must ensure that none of <xref linkend="opt-networking.wireless.networks" />, <xref linkend="opt-networking.wireless.extraConfig" /> or <xref linkend="opt-networking.wireless.userControlled.enable" /> is being used or <literal>true</literal>.
+       Using any of those options will cause <package>wpa_supplicant</package> to be started with a NixOS generated configuration file instead of your own.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
@@ -1048,6 +1564,8 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0";
      <package>nextcloud18</package> before upgrading to <package>nextcloud19</package>
      since Nextcloud doesn't support upgrades across multiple major versions.
     </para>
+   </listitem>
+   <listitem>
      <para>
        The <literal>nixos-run-vms</literal> script now deletes the
        previous run machines states on test startup. You can use the
@@ -1063,8 +1581,10 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0";
    </listitem>
    <listitem>
     <para>
-     The <literal>fontconfig</literal> module stopped generating fontconfig 2.10.x config and cache.
-     Fontconfig 2.10.x was removed from Nixpkgs - it hasn't been used in any nixpkgs package anymore.
+     The <literal>fontconfig</literal> module stopped generating config and cache files for fontconfig 2.10.x, the <filename>/etc/fonts/fonts.conf</filename> now belongs to the latest fontconfig, just like on other Linux distributions, and we will <link xlink:href="https://github.com/NixOS/nixpkgs/pull/95358">no longer</link> be versioning the config directories.
+    </para>
+    <para>
+     Fontconfig 2.10.x was removed from Nixpkgs since it hasn’t been used in any Nixpkgs package for years now.
     </para>
    </listitem>
    <listitem>
@@ -1089,30 +1609,30 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0";
      <para>
       Agda has been heavily reworked.
       <itemizedlist>
-	<listitem>
-	  <para>
-	    <literal>agda.mkDerivation</literal> has been heavily changed and
-	    is now located at <package>agdaPackages.mkDerivation</package>.
-	  </para>
-	</listitem>
-	<listitem>
-	  <para>
-	    New top-level packages <package>agda</package> and
-	    <literal>agda.withPackages</literal> have been added, the second
-	    of which sets up agda with access to chosen libraries.
-	  </para>
-	</listitem>
-	<listitem>
-	  <para>
-	    All agda libraries now live under
-	    <literal>agdaPackages</literal>.
-	  </para>
-	</listitem>
-	<listitem>
-	  <para>
-	    Many broken libraries have been removed.
-	  </para>
-	</listitem>
+       <listitem>
+         <para>
+           <literal>agda.mkDerivation</literal> has been heavily changed and
+           is now located at <package>agdaPackages.mkDerivation</package>.
+         </para>
+       </listitem>
+       <listitem>
+         <para>
+           New top-level packages <package>agda</package> and
+           <literal>agda.withPackages</literal> have been added, the second
+           of which sets up agda with access to chosen libraries.
+         </para>
+       </listitem>
+       <listitem>
+         <para>
+           All agda libraries now live under
+           <literal>agdaPackages</literal>.
+         </para>
+       </listitem>
+       <listitem>
+         <para>
+           Many broken libraries have been removed.
+         </para>
+       </listitem>
       </itemizedlist>
       See the <link
       xlink:href="https://nixos.org/nixpkgs/manual/#agda">new
@@ -1125,7 +1645,7 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0";
       nixpkgs. It was a work in progress to package the
       <link xlink:href="https://www.deepin.org/en/dde/">Deepin Desktop Environment (DDE)</link>,
       including libraries, tools and applications, and it was still
-      missing a service to lauch the desktop environment. It has shown
+      missing a service to launch the desktop environment. It has shown
       to no longer be a feasible goal due to reasons discussed in
       <link xlink:href="https://github.com/NixOS/nixpkgs/issues/94870">issue #94870</link>.
       The package <literal>netease-cloud-music</literal> has also been
@@ -1154,5 +1674,147 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0";
     </para>
    </listitem>
   </itemizedlist>
+  <itemizedlist>
+    <listitem>
+      <para>
+        For AMD GPUs, Vulkan can now be used by adding <literal>amdvlk</literal>
+        to <literal>hardware.opengl.extraPackages</literal>.
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        Similarly, still for AMD GPUs, the ROCm OpenCL stack can now be used by adding
+        <literal>rocm-opencl-icd</literal> to
+        <literal>hardware.opengl.extraPackages</literal>.
+      </para>
+    </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-20.09-contributions">
+  <title>Contributions</title>
+  <para>
+        I, Jonathan Ringer, would like to thank the following individuals for their work on nixpkgs. This release could not be done without the hard work of the NixOS community. There were 31282 contributions across 1313 contributors.
+  </para>
+  <orderedlist>
+   <para>
+    Top contributors to NixOS/Nixpkgs from the 20.03 release to the 20.09 release:
+   </para>
+   <listitem>
+    <para>
+  2288  Mario Rodas
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+  1837  Frederik Rietdijk
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+   946  Jörg Thalheim
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+   925  Maximilian Bosch
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+   687  Jonathan Ringer
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+   651  Jan Tojnar
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+   622  Daniël de Kok
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+   605  WORLDofPEACE
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+   597  Florian Klink
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+   528  José Romildo Malaquias
+    </para>
+   </listitem>
+  </orderedlist>
+
+  <orderedlist>
+   <para>
+    Top contributors to stabilizing this release (Zero Hydra Failures period):
+   </para>
+   <listitem>
+    <para>
+      281  volth
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+   101  Robert Scott
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+    86  Tim Steinbach
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+    76  WORLDofPEACE
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+    49  Maximilian Bosch
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+    42  Thomas Tuegel
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+    37  Doron Behar
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+    36  Vladimír Čunát
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+    27  Jonathan Ringer
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+    27  Maciej Krüger
+    </para>
+   </listitem>
+  </orderedlist>
+
+  <para>
+   I, Jonathan Ringer, would also like to personally thank @WORLDofPEACE for their help in mentoring me on the release process. Special thanks also goes to Thomas Tuegel for helping immensely with stabilizing Qt, KDE, and Plasma5; I would also like to thank Robert Scott for his numerous fixes and pull request reviews.
+   </para>
+
  </section>
 </section>
diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2103.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-2103.xml
index eccf2b69dad9..432de831cb67 100644
--- a/nixpkgs/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2103.xml
@@ -23,6 +23,22 @@
      Support is planned until the end of October 2021, handing over to 21.09.
     </para>
    </listitem>
+   <listitem>
+    <para>GNOME desktop environment was upgraded to 3.38, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">release notes</link>.</para>
+   </listitem>
+   <listitem>
+    <para>
+     <link xlink:href="https://www.gnuradio.org/">GNURadio</link> 3.8 was
+     <link xlink:href="https://github.com/NixOS/nixpkgs/issues/82263">finnally</link>
+     packaged, along with a rewrite to the Nix expressions, allowing users to
+     override the features upstream supports selecting to compile or not to.
+     Additionally, the attribute <code>gnuradio</code> and <code>gnuradio3_7</code>
+     now point to an externally wrapped by default derivations, that allow you to
+     also add `extraPythonPackages` to the Python interpreter used by GNURadio.
+     Missing environmental variables needed for operational GUI were also added
+     (<link xlink:href="https://github.com/NixOS/nixpkgs/issues/75478">#7547</link>).
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
@@ -39,7 +55,24 @@
 
   <itemizedlist>
    <listitem>
-    <para />
+     <para>
+       <link xlink:href="https://www.keycloak.org/">Keycloak</link>,
+       an open source identity and access management server with
+       support for <link
+       xlink:href="https://openid.net/connect/">OpenID Connect</link>,
+       <link xlink:href="https://oauth.net/2/">OAUTH 2.0</link> and
+       <link xlink:href="https://en.wikipedia.org/wiki/SAML_2.0">SAML
+       2.0</link>.
+     </para>
+     <para>
+       See the <link linkend="module-services-keycloak">Keycloak
+       section of the NixOS manual</link> for more information.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       <xref linkend="opt-services.samba-wsdd.enable" /> Web Services Dynamic Discovery host daemon
+     </para>
    </listitem>
   </itemizedlist>
 
@@ -58,8 +91,249 @@
   </para>
 
   <itemizedlist>
+    <listitem>
+      <para>
+        <literal>systemd-journal2gelf</literal> no longer parses json and expects the receiving system to handle it. How to achieve this with Graylog is described in this <link xlink:href="https://github.com/parse-nl/SystemdJournal2Gelf/issues/10">GitHub issue</link>.
+      </para>
+   </listitem>
+   <listitem>
+    <para>
+     If the <varname>services.dbus</varname> module is enabled, then
+     the user D-Bus session is now always socket activated. The
+     associated options <varname>services.dbus.socketActivated</varname>
+     and <varname>services.xserver.startDbusSession</varname> have
+     therefore been removed and you will receive a warning if
+     they are present in your configuration. This change makes the
+     user D-Bus session available also for non-graphical logins.
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+       <literal>rubyMinimal</literal> was removed due to being unused and
+       unusable. The default ruby interpreter includes JIT support, which makes
+       it reference it's compiler. Since JIT support is probably needed by some
+       Gems, it was decided to enable this feature with all cc references by
+       default, and allow to build a Ruby derivation without references to cc,
+       by setting <literal>jitSupport = false;</literal> in an overlay. See
+       <link xlink:href="https://github.com/NixOS/nixpkgs/pull/90151">#90151</link>
+       for more info.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       Setting <option>services.openssh.authorizedKeysFiles</option> now also affects which keys <option>security.pam.enableSSHAgentAuth</option> will use.
+
+       WARNING: If you are using these options in combination do make sure that any key paths you use are present in <option>services.openssh.authorizedKeysFiles</option>!
+     </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option <option>fonts.enableFontDir</option> has been renamed to
+     <xref linkend="opt-fonts.fontDir.enable"/>. The path of font directory
+     has also been changed to <literal>/run/current-system/sw/share/X11/fonts</literal>,
+     for consistency with other X11 resources.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      A number of options have been renamed in the kicad interface. <literal>oceSupport</literal>
+      has been renamed to <literal>withOCE</literal>, <literal>withOCCT</literal> has been renamed
+      to <literal>withOCC</literal>, <literal>ngspiceSupport</literal> has been renamed to
+      <literal>withNgspice</literal>, and <literal>scriptingSupport</literal> has been renamed to
+      <literal>withScripting</literal>. Additionally, <literal>kicad/base.nix</literal> no longer
+      provides default argument values since these are provided by
+      <literal>kicad/default.nix</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      The socket for the <literal>pdns-recursor</literal> module was moved from <literal>/var/lib/pdns-recursor</literal>
+      to <literal>/run/pdns-recursor</literal> to match upstream.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      Paperwork was updated to version 2. The on-disk format slightly changed,
+      and it is not possible to downgrade from Paperwork 2 back to Paperwork
+      1.3. Back your documents up before upgrading. See <link xlink:href="https://forum.openpaper.work/t/paperwork-2-0/112/5">this thread</link> for more details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      PowerDNS has been updated from <literal>4.2.x</literal> to <literal>4.3.x</literal>. Please
+      be sure to review the <link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#x-to-4-3-0">Upgrade Notes</link>
+      provided by upstream before upgrading. Worth specifically noting is that the service now runs
+      entirely as a dedicated <literal>pdns</literal> user, instead of starting as <literal>root</literal>
+      and dropping privileges, as well as the default <literal>socket-dir</literal> location changing from
+      <literal>/var/lib/powerdns</literal> to <literal>/run/pdns</literal>.
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+       xfsprogs was update from 4.19 to 5.10. It now enables reflink support by default on filesystem creation.
+       Support for reflinks was added with an experimental status to kernel 4.9 and deemed stable in kernel 4.16.
+       If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than those, you need to format them
+       with <literal>mkfs.xfs -m reflink=0</literal>.
+     </para>
+   </listitem>
+   <listitem>
+    <para>
+    <package>btc1</package> has been abandoned upstream, and removed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+    <package>cpp_ethereum</package> (aleth) has been abandoned upstream, and removed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+    <package>riak-cs</package> package removed along with <varname>services.riak-cs</varname> module.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+    <package>stanchion</package> package removed along with <varname>services.stanchion</varname> module.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <package>mutt</package> has been updated to a new major version (2.x), which comes with
+     some backward incompatible changes that are described in the
+     <link xlink:href="http://www.mutt.org/relnotes/2.0/">release notes for Mutt 2.0</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      <literal>vim</literal> switched to Python 3, dropping all Python 2 support.
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+      <link linkend="opt-boot.zfs.forceImportAll">boot.zfs.forceImportAll</link>
+      previously did nothing, but has been fixed. However its default has been
+      changed to <literal>false</literal> to preserve the existing default
+      behaviour. If you have this explicitly set to <literal>true</literal>,
+      please note that your non-root pools will now be forcibly imported.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <package>openafs</package> now points to <package>openafs_1_8</package>,
+     which is the new stable release.  OpenAFS 1.6 was removed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      The <literal>openldap</literal> module now has support for OLC-style
+      configuration, users of the <literal>configDir</literal> option may wish
+      to migrate. If you continue to use <literal>configDir</literal>, ensure that
+      <literal>olcPidFile</literal> is set to <literal>/run/slapd/slapd.pid</literal>.
+    </para>
+    <para>
+      As a result, <literal>extraConfig</literal> and <literal>extraDatabaseConfig</literal>
+      are removed. To help with migration, you can convert your <literal>slapd.conf</literal>
+      file to OLC configuration with the following script (find the location of this
+      configuration file by running <literal>systemctl status openldap</literal>, it is the
+      <literal>-f</literal> option.
+    </para>
+    <programlisting>
+      TMPDIR=$(mktemp -d)
+      slaptest -f /path/to/slapd.conf $TMPDIR
+      slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
+    </programlisting>
+    <para>
+      This will dump your current configuration in LDIF format, which should be
+      straightforward to convert into Nix settings. This does not show your schema
+      configuration, as this is unnecessarily verbose for users of the default schemas
+      and <literal>slaptest</literal> is buggy with schemas directly in the config file.
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+       Amazon EC2 and OpenStack Compute (nova) images now re-fetch instance meta data and user data from the instance
+       metadata service (IMDS) on each boot. For example: stopping an EC2 instance, changing its user data, and
+       restarting the instance will now cause it to fetch and apply the new user data.
+     </para>
+     <warning>
+       <para>
+         Specifically, <literal>/etc/ec2-metadata</literal> is re-populated on each boot. Some NixOS scripts that read
+         from this directory are guarded to only run if the files they want to manipulate do not already exist, and so
+         will not re-apply their changes if the IMDS response changes. Examples: <literal>root</literal>'s SSH key is
+         only added if <literal>/root/.ssh/authorized_keys</literal> does not exist, and SSH host keys are only set from
+         user data if they do not exist in <literal>/etc/ssh</literal>.
+       </para>
+     </warning>
+   </listitem>
+   <listitem>
+    <para>
+      The <literal>rspamd</literal> services is now sandboxed. It is run as
+      a dynamic user instead of root, so secrets and other files may have to
+      be moved or their permissions may have to be fixed. The sockets are now
+      located in <literal>/run/rspamd</literal> instead of <literal>/run</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      Enabling the Tor client no longer silently also enables and
+      configures Privoxy, and the
+      <varname>services.tor.client.privoxy.enable</varname> option has
+      been removed.  To enable Privoxy, and to configure it to use
+      Tor's faster port, use the following configuration:
+    </para>
+    <programlisting>
+      <xref linkend="opt-services.privoxy.enable" /> = true;
+      <xref linkend="opt-services.privoxy.enableTor" /> = true;
+    </programlisting>
+   </listitem>
    <listitem>
-    <para />
+     <para>
+       The options <literal>services.slurm.dbdserver.storagePass</literal>
+       and <literal>services.slurm.dbdserver.configFile</literal> have been removed.
+       Use <literal>services.slurm.dbdserver.storagePassFile</literal> instead to provide the database password.
+       Extra config options can be given via the option <literal>services.slurm.dbdserver.extraConfig</literal>. The actual configuration file is created on the fly on startup of the service.
+       This avoids that the password gets exposed in the nix store.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       The <literal>wafHook</literal> hook does not wrap Python anymore.
+       Packages depending on <literal>wafHook</literal> need to include any Python into their <literal>nativeBuildInputs</literal>.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       Starting with version 1.7.0, the project formerly named <literal>CodiMD</literal>
+       is now named <literal>HedgeDoc</literal>.
+       New installations will no longer use the old name for users, state directories and such, this needs to be considered when moving state to a more recent NixOS installation.
+       Based on <xref linkend="opt-system.stateVersion" />, existing installations will continue to work.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       The prometheus json exporter is now managed by the prometheus community. Together with additional features
+       some backwards incompatibilities were introduced.
+       Most importantly the exporter no longer accepts a fixed command-line parameter to specify the URL of the
+       endpoint serving JSON. It now expects this URL to be passed as an URL parameter, when scraping the exporter's
+       <literal>/probe</literal> endpoint.
+       In the prometheus scrape configuration the scrape target might look like this:
+       <programlisting>
+http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint
+       </programlisting>
+     </para>
+     <para>
+       Existing configuration for the exporter needs to be updated, but can partially be re-used.
+       Documentation is available in the upstream repository and a small example for NixOS is available
+       in the corresponding NixOS test.
+     </para>
+     <para>
+       These changes also affect <xref linkend="opt-services.prometheus.exporters.rspamd.enable" />, which is
+       just a preconfigured instance of the json exporter.
+     </para>
+     <para>
+       For more information, take a look at the <link xlink:href="https://github.com/prometheus-community/json_exporter">
+       official documentation</link> of the json_exporter.
+     </para>
    </listitem>
   </itemizedlist>
  </section>
@@ -73,7 +347,144 @@
 
   <itemizedlist>
    <listitem>
-    <para />
+    <para>
+     The Mailman NixOS module (<literal>services.mailman</literal>) has a new
+     option <xref linkend="opt-services.mailman.enablePostfix" />, defaulting
+     to true, that controls integration with Postfix.
+    </para>
+    <para>
+     If this option is disabled, default MTA config becomes not set and you
+     should set the options in <literal>services.mailman.settings.mta</literal>
+     according to the desired configuration as described in
+     <link xlink:href="https://mailman.readthedocs.io/en/latest/src/mailman/docs/mta.html">Mailman documentation</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The default-version of <literal>nextcloud</literal> is <package>nextcloud20</package>.
+     Please note that it's <emphasis>not</emphasis> possible to upgrade <literal>nextcloud</literal>
+     across multiple major versions! This means that it's e.g. not possible to upgrade
+     from <package>nextcloud18</package> to <package>nextcloud20</package> in a single deploy.
+    </para>
+    <para>
+     The package can be manually upgraded by setting <xref linkend="opt-services.nextcloud.package" />
+     to <package>nextcloud20</package>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The setting <xref linkend="opt-services.redis.bind" /> defaults to <literal>127.0.0.1</literal> now, making Redis listen on the loopback interface only, and not all public network interfaces.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     NixOS now emits a deprecation warning if systemd's <literal>StartLimitInterval</literal> setting is used in a <literal>serviceConfig</literal> section instead of in a <literal>unitConfig</literal>; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/45785">#45785</link> for details.
+    </para>
+    <para>
+     All services should use <xref linkend="opt-systemd.services._name_.startLimitIntervalSec" /> or <literal>StartLimitIntervalSec</literal> in <xref linkend="opt-systemd.services._name_.unitConfig" /> instead.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Unbound DNS resolver service (<literal>services.unbound</literal>) has been refactored to allow reloading, control sockets and to fix startup ordering issues.
+    </para>
+
+    <para>
+     It is now possible to enable a local UNIX control socket for unbound by setting the <xref linkend="opt-services.unbound.localControlSocketPath" />
+     option.
+    </para>
+
+    <para>
+     Previously we just applied a very minimal set of restrictions and
+     trusted unbound to properly drop root privs and capabilities.
+    </para>
+
+    <para>
+     As of this we are (for the most part) just using the upstream
+     example unit file for unbound. The main difference is that we start
+     unbound as <literal>unbound</literal> user with the required capabilities instead of
+     letting unbound do the chroot &amp; uid/gid changes.
+    </para>
+
+    <para>
+     The upstream unit configuration this is based on is a lot stricter with
+     all kinds of permissions then our previous variant. It also came with
+     the default of having the <literal>Type</literal> set to <literal>notify</literal>, therefore we are now also
+     using the <literal>unbound-with-systemd</literal> package here. Unbound will start up,
+     read the configuration files and start listening on the configured ports
+     before systemd will declare the unit <literal>active (running)</literal>.
+     This will likely help with startup order and the occasional race condition during system
+     activation where the DNS service is started but not yet ready to answer
+     queries. Services depending on <literal>nss-lookup.target</literal> or <literal>unbound.service</literal>
+     are now be able to use unbound when those targets have been reached.
+    </para>
+
+    <para>
+     Aditionally to the much stricter runtime environmet the
+     <literal>/dev/urandom</literal> mount lines we previously had in the code (that would
+     randomly failed during the stop-phase) have been removed as systemd will take care of those for us.
+    </para>
+
+    <para>
+     The <literal>preStart</literal> script is now only required if we enabled the trust
+      anchor updates (which are still enabled by default).
+    </para>
+
+    <para>
+     Another benefit of the refactoring is that we can now issue reloads via
+     either <literal>pkill -HUP unbound</literal> and <literal>systemctl reload unbound</literal> to reload the
+     running configuration without taking the daemon offline. A prerequisite
+     of this was that unbound configuration is available on a well known path
+     on the file system. We are using the path <literal>/etc/unbound/unbound.conf</literal> as that is the
+     default in the CLI tooling which in turn enables us to use
+     <literal>unbound-control</literal> without passing a custom configuration location.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>services.dnscrypt-proxy2</literal> module now takes the upstream's example configuration and updates it with the user's settings.
+
+     An option has been added to restore the old behaviour if you prefer to declare the configuration from scratch.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     NixOS now defaults to the unified cgroup hierarchy (cgroupsv2).
+     See the <link xlink:href="https://www.redhat.com/sysadmin/fedora-31-control-group-v2">Fedora Article for 31</link>
+     for details on why this is desirable, and how it impacts containers.
+    </para>
+    <para>
+     If you want to run containers with a runtime that does not yet support cgroupsv2,
+     you can switch back to the old behaviour by setting
+     <xref linkend="opt-systemd.enableUnifiedCgroupHierarchy"/> = <literal>false</literal>;
+     and rebooting.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     PulseAudio was upgraded to 14.0, with changes to the handling of default sinks.
+     See its <link xlink:href="https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/14.0/">release notes</link>.
+    </para>
+
+    <para>
+     GNOME users may wish to delete their <literal>~/.config/pulse</literal> due to the changes to stream routing
+     logic. See <link xlink:href="https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/issues/832">PulseAudio bug 832</link>
+     for more information.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <package>zookeeper</package> package does not provide
+     <literal>zooInspector.sh</literal> anymore, as that "contrib" has
+     been dropped from upstream releases.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <xref linkend="opt-users.users._name_.createHome" /> now always ensures home directory permissions to be <literal>0700</literal>.
+     Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others.
+     The option's description was incorrect regarding ownership management and has been simplified greatly.
+    </para>
    </listitem>
   </itemizedlist>
  </section>
diff --git a/nixpkgs/nixos/doc/varlistentry-fixer.rb b/nixpkgs/nixos/doc/varlistentry-fixer.rb
index 6c7cc1e6439b..02168016b554 100755
--- a/nixpkgs/nixos/doc/varlistentry-fixer.rb
+++ b/nixpkgs/nixos/doc/varlistentry-fixer.rb
@@ -15,8 +15,8 @@ require "rexml/document"
 include REXML
 
 if ARGV.length < 1 then
-	$stderr.puts "Needs a filename."
-	exit 1
+  $stderr.puts "Needs a filename."
+  exit 1
 end
 
 filename = ARGV.shift
@@ -51,17 +51,17 @@ $touched = false
 # Generates: --optionnamevalue
 #                   ^^  ^^
 doc.elements.each("//varlistentry/term") do |term|
-	["varname", "function", "option", "replaceable"].each do |prev_name|
-		term.elements.each(prev_name) do |el|
-			if el.next_element and
-					el.next_element.name == "replaceable" and
-					el.next_sibling_node.class == Element
-				then
-				$touched = true
-				term.insert_after(el, Text.new(" "))
-			end
-		end
-	end
+  ["varname", "function", "option", "replaceable"].each do |prev_name|
+    term.elements.each(prev_name) do |el|
+      if el.next_element and
+          el.next_element.name == "replaceable" and
+          el.next_sibling_node.class == Element
+        then
+        $touched = true
+        term.insert_after(el, Text.new(" "))
+      end
+    end
+  end
 end
 
 
@@ -75,17 +75,17 @@ end
 # Generates: -Ipath
 #             ^^
 doc.elements.each("//cmdsynopsis/arg") do |term|
-	["option", "replaceable"].each do |prev_name|
-		term.elements.each(prev_name) do |el|
-			if el.next_element and
-				el.next_element.name == "replaceable" and
-				el.next_sibling_node.class == Element
-			then
-				$touched = true
-				term.insert_after(el, Text.new(" "))
-			end
-		end
-	end
+  ["option", "replaceable"].each do |prev_name|
+    term.elements.each(prev_name) do |el|
+      if el.next_element and
+        el.next_element.name == "replaceable" and
+        el.next_sibling_node.class == Element
+      then
+        $touched = true
+        term.insert_after(el, Text.new(" "))
+      end
+    end
+  end
 end
 
 #  <cmdsynopsis>
@@ -104,21 +104,21 @@ end
 # Generates: [{--profile-name | -p }name]
 #                                   ^^^^
 doc.elements.each("//cmdsynopsis/arg") do |term|
-	["group"].each do |prev_name|
-		term.elements.each(prev_name) do |el|
-			if el.next_element and
-				el.next_element.name == "replaceable" and
-				el.next_sibling_node.class == Element
-			then
-				$touched = true
-				term.insert_after(el, Text.new(" "))
-			end
-		end
-	end
+  ["group"].each do |prev_name|
+    term.elements.each(prev_name) do |el|
+      if el.next_element and
+        el.next_element.name == "replaceable" and
+        el.next_sibling_node.class == Element
+      then
+        $touched = true
+        term.insert_after(el, Text.new(" "))
+      end
+    end
+  end
 end
 
 
 if $touched then
-	doc.context[:attribute_quote] = :quote
-	doc.write(output: File.open(filename, "w"))
+  doc.context[:attribute_quote] = :quote
+  doc.write(output: File.open(filename, "w"))
 end