uboot: (firmwareOdroidC2/C4) don't invoke patch tool, use patches = [] instead

https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/generic/setup.sh#L948
this can do it nicely.

Signed-off-by: Anton Arapov <anton@deadbeef.mx>
Anton Arapov 2021-04-03 12:58:10 +02:00 committed by Alan Daniels
commit 56de2bcd43
30691 changed files with 3076956 additions and 0 deletions


@ -0,0 +1,6 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-13.10">
<title>Release 13.10 (<quote>Aardvark</quote>, 2013/10/31)</title>
<para>
This is the first stable release branch of NixOS.
</para>
</section>
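Review bot: this new file is the NixOS 13.10 release-notes section, which is unrelated to the subject line "uboot: (firmwareOdroidC2/C4) don't invoke patch tool, use patches = [] instead", and the summary reports 30691 changed files with 3076956 additions and 0 deletions. A change of that size cannot be reviewed against a one-line uboot description. Split the uboot change into its own commit, or, if this is an initial import of the tree, say so in the message and record the upstream revision it was taken from so the import can be verified.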


@ -0,0 +1,189 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-14.04">
<title>Release 14.04 (<quote>Baboon</quote>, 2014/04/30)</title>
<para>
This is the second stable release branch of NixOS. In addition to
numerous new and upgraded packages and modules, this release has the
following highlights:
</para>
<itemizedlist>
<listitem>
<para>
Installation on UEFI systems is now supported. See
<xref linkend="sec-installation" /> for details.
</para>
</listitem>
<listitem>
<para>
Systemd has been updated to version 212, which has
<link xlink:href="http://cgit.freedesktop.org/systemd/systemd/plain/NEWS?id=v212">numerous
improvements</link>. NixOS now automatically starts systemd user
instances when you log in. You can define global user units
through the <literal>systemd.unit.*</literal> options.
</para>
</listitem>
<listitem>
<para>
NixOS is now based on Glibc 2.19 and GCC 4.8.
</para>
</listitem>
<listitem>
<para>
The default Linux kernel has been updated to 3.12.
</para>
</listitem>
<listitem>
<para>
KDE has been updated to 4.12.
</para>
</listitem>
<listitem>
<para>
GNOME 3.10 experimental support has been added.
</para>
</listitem>
<listitem>
<para>
Nix has been updated to 1.7
(<link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-1.7">details</link>).
</para>
</listitem>
<listitem>
<para>
NixOS now supports fully declarative management of users and
groups. If you set <literal>users.mutableUsers</literal> to
<literal>false</literal>, then the contents of
<literal>/etc/passwd</literal> and <literal>/etc/group</literal>
will be
<link xlink:href="https://www.usenix.org/legacy/event/lisa02/tech/full_papers/traugott/traugott_html/">congruent</link>
to your NixOS configuration. For instance, if you remove a user
from <literal>users.extraUsers</literal> and run
<literal>nixos-rebuild</literal>, the user account will cease to
exist. Also, imperative commands for managing users and groups,
such as <literal>useradd</literal>, are no longer available. If
<literal>users.mutableUsers</literal> is <literal>true</literal>
(the default), then behaviour is unchanged from NixOS 13.10.
</para>
</listitem>
<listitem>
<para>
NixOS now has basic container support, meaning you can easily
run a NixOS instance as a container in a NixOS host system.
These containers are suitable for testing and experimentation
but not production use, since theyre not fully isolated from
the host. See <xref linkend="ch-containers" /> for details.
</para>
</listitem>
<listitem>
<para>
Systemd units provided by packages can now be overridden from
the NixOS configuration. For instance, if a package
<literal>foo</literal> provides systemd units, you can say:
</para>
<programlisting language="bash">
{
systemd.packages = [ pkgs.foo ];
}
</programlisting>
<para>
to enable those units. You can then set or override unit options
in the usual way, e.g.
</para>
<programlisting language="bash">
{
systemd.services.foo.wantedBy = [ &quot;multi-user.target&quot; ];
systemd.services.foo.serviceConfig.MemoryLimit = &quot;512M&quot;;
}
</programlisting>
<para>
When upgrading from a previous release, please be aware of the
following incompatible changes:
</para>
</listitem>
<listitem>
<para>
Nixpkgs no longer exposes unfree packages by default. If your
NixOS configuration requires unfree packages from Nixpkgs, you
need to enable support for them explicitly by setting:
</para>
<programlisting language="bash">
{
nixpkgs.config.allowUnfree = true;
}
</programlisting>
<para>
Otherwise, you get an error message such as:
</para>
<programlisting>
error: package nvidia-x11-331.49-3.12.17 in ‘…/nvidia-x11/default.nix:56
has an unfree license, refusing to evaluate
</programlisting>
</listitem>
<listitem>
<para>
The Adobe Flash player is no longer enabled by default in the
Firefox and Chromium wrappers. To enable it, you must set:
</para>
<programlisting language="bash">
{
nixpkgs.config.allowUnfree = true;
nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox
nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium
}
</programlisting>
</listitem>
<listitem>
<para>
The firewall is now enabled by default. If you dont want this,
you need to disable it explicitly:
</para>
<programlisting language="bash">
{
networking.firewall.enable = false;
}
</programlisting>
</listitem>
<listitem>
<para>
The option <literal>boot.loader.grub.memtest86</literal> has
been renamed to
<literal>boot.loader.grub.memtest86.enable</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>mysql55</literal> service has been merged into the
<literal>mysql</literal> service, which no longer sets a default
for the option <literal>services.mysql.package</literal>.
</para>
</listitem>
<listitem>
<para>
Package variants are now differentiated by suffixing the name,
rather than the version. For instance,
<literal>sqlite-3.8.4.3-interactive</literal> is now called
<literal>sqlite-interactive-3.8.4.3</literal>. This ensures that
<literal>nix-env -i sqlite</literal> is unambiguous, and that
<literal>nix-env -u</literal> wont <quote>upgrade</quote>
<literal>sqlite</literal> to
<literal>sqlite-interactive</literal> or vice versa. Notably,
this change affects the Firefox wrapper (which provides
plugins), as it is now called
<literal>firefox-wrapper</literal>. So when using
<literal>nix-env</literal>, you should do
<literal>nix-env -e firefox; nix-env -i firefox-wrapper</literal>
if you want to keep using the wrapper. This change does not
affect declarative package management, since attribute names
like <literal>pkgs.firefoxWrapper</literal> were already
unambiguous.
</para>
</listitem>
<listitem>
<para>
The symlink <literal>/etc/ca-bundle.crt</literal> is gone.
Programs should instead use the environment variable
<literal>OPENSSL_X509_CERT_FILE</literal> (which points to
<literal>/etc/ssl/certs/ca-bundle.crt</literal>).
</para>
</listitem>
</itemizedlist>
</section>
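Review bot: the paragraph "When upgrading from a previous release, please be aware of the following incompatible changes:" sits inside the list item about overriding systemd units, so the incompatible changes that follow (unfree packages no longer exposed, Flash no longer enabled, firewall enabled by default, and the rest) render as further highlights in the same list. Close the itemizedlist before that paragraph and open a new one after it, as the 14.12 section does. Smaller points: the Nix snippets are tagged language="bash"; the apostrophes are missing in "theyre", "dont" and "wont"; and the sample error message opens a quote with ‘ before …/nvidia-x11/default.nix:56 but never closes it.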


@ -0,0 +1,466 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-14.12">
<title>Release 14.12 (<quote>Caterpillar</quote>, 2014/12/30)</title>
<para>
In addition to numerous new and upgraded packages, this release has
the following highlights:
</para>
<itemizedlist>
<listitem>
<para>
Systemd has been updated to version 217, which has numerous
<link xlink:href="http://lists.freedesktop.org/archives/systemd-devel/2014-October/024662.html">improvements.</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://www.mail-archive.com/nix-dev@lists.science.uu.nl/msg13957.html">Nix
has been updated to 1.8.</link>
</para>
</listitem>
<listitem>
<para>
NixOS is now based on Glibc 2.20.
</para>
</listitem>
<listitem>
<para>
KDE has been updated to 4.14.
</para>
</listitem>
<listitem>
<para>
The default Linux kernel has been updated to 3.14.
</para>
</listitem>
<listitem>
<para>
If <literal>users.mutableUsers</literal> is enabled (the
default), changes made to the declaration of a user or group
will be correctly realised when running
<literal>nixos-rebuild</literal>. For instance, removing a user
specification from <literal>configuration.nix</literal> will
cause the actual user account to be deleted. If
<literal>users.mutableUsers</literal> is disabled, it is no
longer necessary to specify UIDs or GIDs; if omitted, they are
allocated dynamically.
</para>
</listitem>
</itemizedlist>
<para>
Following new services were added since the last release:
</para>
<itemizedlist>
<listitem>
<para>
<literal>atftpd</literal>
</para>
</listitem>
<listitem>
<para>
<literal>bosun</literal>
</para>
</listitem>
<listitem>
<para>
<literal>bspwm</literal>
</para>
</listitem>
<listitem>
<para>
<literal>chronos</literal>
</para>
</listitem>
<listitem>
<para>
<literal>collectd</literal>
</para>
</listitem>
<listitem>
<para>
<literal>consul</literal>
</para>
</listitem>
<listitem>
<para>
<literal>cpuminer-cryptonight</literal>
</para>
</listitem>
<listitem>
<para>
<literal>crashplan</literal>
</para>
</listitem>
<listitem>
<para>
<literal>dnscrypt-proxy</literal>
</para>
</listitem>
<listitem>
<para>
<literal>docker-registry</literal>
</para>
</listitem>
<listitem>
<para>
<literal>docker</literal>
</para>
</listitem>
<listitem>
<para>
<literal>etcd</literal>
</para>
</listitem>
<listitem>
<para>
<literal>fail2ban</literal>
</para>
</listitem>
<listitem>
<para>
<literal>fcgiwrap</literal>
</para>
</listitem>
<listitem>
<para>
<literal>fleet</literal>
</para>
</listitem>
<listitem>
<para>
<literal>fluxbox</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gdm</literal>
</para>
</listitem>
<listitem>
<para>
<literal>geoclue2</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gitlab</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gitolite</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gnome3.gnome-documents</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gnome3.gnome-online-miners</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gnome3.gvfs</literal>
</para>
</listitem>
<listitem>
<para>
<literal>gnome3.seahorse</literal>
</para>
</listitem>
<listitem>
<para>
<literal>hbase</literal>
</para>
</listitem>
<listitem>
<para>
<literal>i2pd</literal>
</para>
</listitem>
<listitem>
<para>
<literal>influxdb</literal>
</para>
</listitem>
<listitem>
<para>
<literal>kubernetes</literal>
</para>
</listitem>
<listitem>
<para>
<literal>liquidsoap</literal>
</para>
</listitem>
<listitem>
<para>
<literal>lxc</literal>
</para>
</listitem>
<listitem>
<para>
<literal>mailpile</literal>
</para>
</listitem>
<listitem>
<para>
<literal>mesos</literal>
</para>
</listitem>
<listitem>
<para>
<literal>mlmmj</literal>
</para>
</listitem>
<listitem>
<para>
<literal>monetdb</literal>
</para>
</listitem>
<listitem>
<para>
<literal>mopidy</literal>
</para>
</listitem>
<listitem>
<para>
<literal>neo4j</literal>
</para>
</listitem>
<listitem>
<para>
<literal>nsd</literal>
</para>
</listitem>
<listitem>
<para>
<literal>openntpd</literal>
</para>
</listitem>
<listitem>
<para>
<literal>opentsdb</literal>
</para>
</listitem>
<listitem>
<para>
<literal>openvswitch</literal>
</para>
</listitem>
<listitem>
<para>
<literal>parallels-guest</literal>
</para>
</listitem>
<listitem>
<para>
<literal>peerflix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>phd</literal>
</para>
</listitem>
<listitem>
<para>
<literal>polipo</literal>
</para>
</listitem>
<listitem>
<para>
<literal>prosody</literal>
</para>
</listitem>
<listitem>
<para>
<literal>radicale</literal>
</para>
</listitem>
<listitem>
<para>
<literal>redmine</literal>
</para>
</listitem>
<listitem>
<para>
<literal>riemann</literal>
</para>
</listitem>
<listitem>
<para>
<literal>scollector</literal>
</para>
</listitem>
<listitem>
<para>
<literal>seeks</literal>
</para>
</listitem>
<listitem>
<para>
<literal>siproxd</literal>
</para>
</listitem>
<listitem>
<para>
<literal>strongswan</literal>
</para>
</listitem>
<listitem>
<para>
<literal>tcsd</literal>
</para>
</listitem>
<listitem>
<para>
<literal>teamspeak3</literal>
</para>
</listitem>
<listitem>
<para>
<literal>thermald</literal>
</para>
</listitem>
<listitem>
<para>
<literal>torque/mrom</literal>
</para>
</listitem>
<listitem>
<para>
<literal>torque/server</literal>
</para>
</listitem>
<listitem>
<para>
<literal>uhub</literal>
</para>
</listitem>
<listitem>
<para>
<literal>unifi</literal>
</para>
</listitem>
<listitem>
<para>
<literal>znc</literal>
</para>
</listitem>
<listitem>
<para>
<literal>zookeeper</literal>
</para>
</listitem>
</itemizedlist>
<para>
When upgrading from a previous release, please be aware of the
following incompatible changes:
</para>
<itemizedlist>
<listitem>
<para>
The default version of Apache httpd is now 2.4. If you use the
<literal>extraConfig</literal> option to pass literal Apache
configuration text, you may need to update it — see
<link xlink:href="http://httpd.apache.org/docs/2.4/upgrading.html">Apaches
documentation</link> for details. If you wish to continue to use
httpd 2.2, add the following line to your NixOS configuration:
</para>
<programlisting language="bash">
{
services.httpd.package = pkgs.apacheHttpd_2_2;
}
</programlisting>
</listitem>
<listitem>
<para>
PHP 5.3 has been removed because it is no longer supported by
the PHP project. A
<link xlink:href="http://php.net/migration54">migration
guide</link> is available.
</para>
</listitem>
<listitem>
<para>
The host side of a container virtual Ethernet pair is now called
<literal>ve-container-name</literal> rather than
<literal>c-container-name</literal>.
</para>
</listitem>
<listitem>
<para>
GNOME 3.10 support has been dropped. The default GNOME version
is now 3.12.
</para>
</listitem>
<listitem>
<para>
VirtualBox has been upgraded to 4.3.20 release. Users may be
required to run <literal>rm -rf /tmp/.vbox*</literal>. The line
<literal>imports = [ &lt;nixpkgs/nixos/modules/programs/virtualbox.nix&gt; ]</literal>
is no longer necessary, use
<literal>services.virtualboxHost.enable = true</literal>
instead.
</para>
<para>
Also, hardening mode is now enabled by default, which means that
unless you want to use USB support, you no longer need to be a
member of the <literal>vboxusers</literal> group.
</para>
</listitem>
<listitem>
<para>
Chromium has been updated to 39.0.2171.65.
<literal>enablePepperPDF</literal> is now enabled by default.
<literal>chromium*Wrapper</literal> packages no longer exist,
because upstream removed NSAPI support.
<literal>chromium-stable</literal> has been renamed to
<literal>chromium</literal>.
</para>
</listitem>
<listitem>
<para>
Python packaging documentation is now part of nixpkgs manual. To
override the python packages available to a custom python you
now use <literal>pkgs.pythonFull.buildEnv.override</literal>
instead of <literal>pkgs.pythonFull.override</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>boot.resumeDevice = &quot;8:6&quot;</literal> is no
longer supported. Most users will want to leave it undefined,
which takes the swap partitions automatically. There is an
evaluation assertion to ensure that the string starts with a
slash.
</para>
</listitem>
<listitem>
<para>
The system-wide default timezone for NixOS installations changed
from <literal>CET</literal> to <literal>UTC</literal>. To choose
a different timezone for your system, configure
<literal>time.timeZone</literal> in
<literal>configuration.nix</literal>. A fairly complete list of
possible values for that setting is available at
<link xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones">https://en.wikipedia.org/wiki/List_of_tz_database_time_zones</link>.
</para>
</listitem>
<listitem>
<para>
GNU screen has been updated to 4.2.1, which breaks the ability
to connect to sessions created by older versions of screen.
</para>
</listitem>
<listitem>
<para>
The Intel GPU driver was updated to the 3.x prerelease version
(used by most distributions) and supports DRI3 now.
</para>
</listitem>
</itemizedlist>
</section>
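Review bot: in the Chromium item, "because upstream removed NSAPI support" most likely means NPAPI, the browser plugin interface; NSAPI is a different, server-side API, so the sentence as written misstates why the chromium*Wrapper packages no longer exist. In the VirtualBox item, "Users may be required to run rm -rf /tmp/.vbox*" gives no condition or reason; state when it is needed so readers do not run a recursive delete by rote. Minor: "Following new services were added" lacks the article that the 15.09 section uses, and "Apaches documentation" is missing its apostrophe.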


@ -0,0 +1,776 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-15.09">
<title>Release 15.09 (<quote>Dingo</quote>, 2015/09/30)</title>
<para>
In addition to numerous new and upgraded packages, this release has
the following highlights:
</para>
<itemizedlist>
<listitem>
<para>
The <link xlink:href="http://haskell.org/">Haskell</link>
packages infrastructure has been re-designed from the ground up
(&quot;Haskell NG&quot;). NixOS now distributes the latest
version of every single package registered on
<link xlink:href="http://hackage.haskell.org/">Hackage</link> --
well in excess of 8,000 Haskell packages. Detailed instructions
on how to use that infrastructure can be found in the
<link xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
Guide to the Haskell Infrastructure</link>. Users migrating from
an earlier release may find helpful information below, in the
list of backwards-incompatible changes. Furthermore, we
distribute 51(!) additional Haskell package sets that provide
every single <link xlink:href="http://www.stackage.org/">LTS
Haskell</link> release since version 0.0 as well as the most
recent <link xlink:href="http://www.stackage.org/">Stackage
Nightly</link> snapshot. The announcement
<link xlink:href="https://nixos.org/nix-dev/2015-September/018138.html">&quot;Full
Stackage Support in Nixpkgs&quot;</link> gives additional
details.
</para>
</listitem>
<listitem>
<para>
Nix has been updated to version 1.10, which among other
improvements enables cryptographic signatures on binary caches
for improved security.
</para>
</listitem>
<listitem>
<para>
You can now keep your NixOS system up to date automatically by
setting
</para>
</listitem>
</itemizedlist>
<programlisting language="bash">
{
system.autoUpgrade.enable = true;
}
</programlisting>
<para>
This will cause the system to periodically check for updates in your
current channel and run <literal>nixos-rebuild</literal>.
</para>
<itemizedlist>
<listitem>
<para>
This release is based on Glibc 2.21, GCC 4.9 and Linux 3.18.
</para>
</listitem>
<listitem>
<para>
GNOME has been upgraded to 3.16.
</para>
</listitem>
<listitem>
<para>
Xfce has been upgraded to 4.12.
</para>
</listitem>
<listitem>
<para>
KDE 5 has been upgraded to KDE Frameworks 5.10, Plasma 5.3.2 and
Applications 15.04.3. KDE 4 has been updated to kdelibs-4.14.10.
</para>
</listitem>
<listitem>
<para>
E19 has been upgraded to 0.16.8.15.
</para>
</listitem>
</itemizedlist>
<para>
The following new services were added since the last release:
</para>
<itemizedlist>
<listitem>
<para>
<literal>services/mail/exim.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/apache-kafka.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/canto-daemon.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/confd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/devmon.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/gitit.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/ihaskell.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/mbpfan.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/mediatomb.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/mwlib.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/parsoid.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/plex.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/ripple-rest.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/ripple-data-api.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/subsonic.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/sundtek.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/cadvisor.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/das_watchdog.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/grafana.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/riemann-tools.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/teamviewer.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/network-filesystems/u9fs.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/aiccu.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/asterisk.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/bird.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/charybdis.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/docker-registry-server.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/fan.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/firefox/sync-server.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/gateone.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/heyefi.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/i2p.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/lambdabot.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/mstpd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/nix-serve.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/nylon.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/racoon.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/skydns.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/shout.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/softether.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/sslh.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/tinc.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/tlsdated.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/tox-bootstrapd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/tvheadend.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/zerotierone.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/scheduling/marathon.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/security/fprintd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/security/hologram.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/security/munge.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/system/cloud-init.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-servers/shellinabox.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-servers/uwsgi.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/x11/unclutter.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/x11/display-managers/sddm.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>system/boot/coredump.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>system/boot/loader/loader.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>system/boot/loader/generic-extlinux-compatible</literal>
</para>
</listitem>
<listitem>
<para>
<literal>system/boot/networkd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>system/boot/resolved.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>system/boot/timesyncd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>tasks/filesystems/exfat.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>tasks/filesystems/ntfs.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>tasks/filesystems/vboxsf.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>virtualisation/virtualbox-host.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>virtualisation/vmware-guest.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>virtualisation/xen-dom0.nix</literal>
</para>
</listitem>
</itemizedlist>
<para>
When upgrading from a previous release, please be aware of the
following incompatible changes:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
<literal>sshd</literal> no longer supports DSA and ECDSA host
keys by default. If you have existing systems with such host
keys and want to continue to use them, please set
</para>
</listitem>
</itemizedlist>
<programlisting language="bash">
{
system.stateVersion = &quot;14.12&quot;;
}
</programlisting>
<para>
The new option <literal>system.stateVersion</literal> ensures that
certain configuration changes that could break existing systems
(such as the <literal>sshd</literal> host key setting) will maintain
compatibility with the specified NixOS release. NixOps sets the
state version of existing deployments automatically.
</para>
<itemizedlist>
<listitem>
<para>
<literal>cron</literal> is no longer enabled by default, unless
you have a non-empty
<literal>services.cron.systemCronJobs</literal>. To force
<literal>cron</literal> to be enabled, set
<literal>services.cron.enable = true</literal>.
</para>
</listitem>
<listitem>
<para>
Nix now requires binary caches to be cryptographically signed.
If you have unsigned binary caches that you want to continue to
use, you should set
<literal>nix.requireSignedBinaryCaches = false</literal>.
</para>
</listitem>
<listitem>
<para>
Steam now doesn't need root rights to work. Instead of using
<literal>*-steam-chrootenv</literal>, you should now just run
<literal>steam</literal>. <literal>steamChrootEnv</literal>
package was renamed to <literal>steam</literal>, and old
<literal>steam</literal> package -- to
<literal>steamOriginal</literal>.
</para>
</listitem>
<listitem>
<para>
CMPlayer has been renamed to bomi upstream. Package
<literal>cmplayer</literal> was accordingly renamed to
<literal>bomi</literal>
</para>
</listitem>
<listitem>
<para>
Atom Shell has been renamed to Electron upstream. Package
<literal>atom-shell</literal> was accordingly renamed to
<literal>electron</literal>
</para>
</listitem>
<listitem>
<para>
Elm is not released on Hackage anymore. You should now use
<literal>elmPackages.elm</literal> which contains the latest Elm
platform.
</para>
</listitem>
<listitem>
<para>
The CUPS printing service has been updated to version
<literal>2.0.2</literal>. Furthermore its systemd service has
been renamed to <literal>cups.service</literal>.
</para>
<para>
Local printers are no longer shared or advertised by default.
This behavior can be changed by enabling
<literal>services.printing.defaultShared</literal> or
<literal>services.printing.browsing</literal> respectively.
</para>
</listitem>
<listitem>
<para>
The VirtualBox host and guest options have been named more
consistently. They can now found in
<literal>virtualisation.virtualbox.host.*</literal> instead of
<literal>services.virtualboxHost.*</literal> and
<literal>virtualisation.virtualbox.guest.*</literal> instead of
<literal>services.virtualboxGuest.*</literal>.
</para>
<para>
Also, there now is support for the <literal>vboxsf</literal>
file system using the <literal>fileSystems</literal>
configuration attribute. An example of how this can be used in a
configuration:
</para>
</listitem>
</itemizedlist>
<programlisting language="bash">
{
fileSystems.&quot;/shiny&quot; = {
device = &quot;myshinysharedfolder&quot;;
fsType = &quot;vboxsf&quot;;
};
}
</programlisting>
<itemizedlist spacing="compact">
<listitem>
<para>
&quot;<literal>nix-env -qa</literal>&quot; no longer discovers
Haskell packages by name. The only packages visible in the
global scope are <literal>ghc</literal>,
<literal>cabal-install</literal>, and <literal>stack</literal>,
but all other packages are hidden. The reason for this
inconvenience is the sheer size of the Haskell package set.
Name-based lookups are expensive, and most
<literal>nix-env -qa</literal> operations would become much
slower if we'd add the entire Hackage database into the top
level attribute set. Instead, the list of Haskell packages can
be displayed by running:
</para>
</listitem>
</itemizedlist>
<programlisting>
nix-env -f &quot;&lt;nixpkgs&gt;&quot; -qaP -A haskellPackages
</programlisting>
<para>
Executable programs written in Haskell can be installed with:
</para>
<programlisting>
nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.pandoc
</programlisting>
<para>
Installing Haskell <emphasis>libraries</emphasis> this way, however,
is no longer supported. See the next item for more details.
</para>
<itemizedlist>
<listitem>
<para>
Previous versions of NixOS came with a feature called
<literal>ghc-wrapper</literal>, a small script that allowed GHC
to transparently pick up on libraries installed in the user's
profile. This feature has been deprecated;
<literal>ghc-wrapper</literal> was removed from the
distribution. The proper way to register Haskell libraries with
the compiler now is the
<literal>haskellPackages.ghcWithPackages</literal> function. The
<link xlink:href="https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure">User's
Guide to the Haskell Infrastructure</link> provides more
information about this subject.
</para>
</listitem>
<listitem>
<para>
All Haskell builds that have been generated with version 1.x of
the <literal>cabal2nix</literal> utility are now invalid and
need to be re-generated with a current version of
<literal>cabal2nix</literal> to function. The most recent
version of this tool can be installed by running
<literal>nix-env -i cabal2nix</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>haskellPackages</literal> set in Nixpkgs used to
have a function attribute called <literal>extension</literal>
that users could override in their
<literal>~/.nixpkgs/config.nix</literal> files to configure
additional attributes, etc. That function still exists, but it's
now called <literal>overrides</literal>.
</para>
</listitem>
<listitem>
<para>
The OpenBLAS library has been updated to version
<literal>0.2.14</literal>. Support for the
<literal>x86_64-darwin</literal> platform was added. Dynamic
architecture detection was enabled; OpenBLAS now selects
microarchitecture-optimized routines at runtime, so optimal
performance is achieved without the need to rebuild OpenBLAS
locally. OpenBLAS has replaced ATLAS in most packages which use
an optimized BLAS or LAPACK implementation.
</para>
</listitem>
<listitem>
<para>
The <literal>phpfpm</literal> is now using the default PHP
version (<literal>pkgs.php</literal>) instead of PHP 5.4
(<literal>pkgs.php54</literal>).
</para>
</listitem>
<listitem>
<para>
The <literal>locate</literal> service no longer indexes the Nix
store by default, preventing packages with potentially numerous
versions from cluttering the output. Indexing the store can be
activated by setting
<literal>services.locate.includeStore = true</literal>.
</para>
</listitem>
<listitem>
<para>
The Nix expression search path (<literal>NIX_PATH</literal>) no
longer contains <literal>/etc/nixos/nixpkgs</literal> by
default. You can override <literal>NIX_PATH</literal> by setting
<literal>nix.nixPath</literal>.
</para>
</listitem>
<listitem>
<para>
Python 2.6 has been marked as broken (as it no longer receives
security updates from upstream).
</para>
</listitem>
<listitem>
<para>
Any use of module arguments such as <literal>pkgs</literal> to
access library functions, or to define
<literal>imports</literal> attributes will now lead to an
infinite loop at the time of the evaluation.
</para>
<para>
In case of an infinite loop, use the
<literal>--show-trace</literal> command line argument and read
the line just above the error message.
</para>
<programlisting>
$ nixos-rebuild build --show-trace
while evaluating the module argument `pkgs' in &quot;/etc/nixos/my-module.nix&quot;:
infinite recursion encountered
</programlisting>
<para>
Any use of <literal>pkgs.lib</literal>, should be replaced by
<literal>lib</literal>, after adding it as argument of the
module. The following module
</para>
<programlisting language="bash">
{ config, pkgs, ... }:
with pkgs.lib;
{
options = {
foo = mkOption { … };
};
config = mkIf config.foo { … };
}
</programlisting>
<para>
should be modified to look like:
</para>
<programlisting language="bash">
{ config, pkgs, lib, ... }:
with lib;
{
options = {
foo = mkOption { option declaration };
};
config = mkIf config.foo { option definition };
}
</programlisting>
<para>
When <literal>pkgs</literal> is used to download other projects
to import their modules, and only in such cases, it should be
replaced by <literal>(import &lt;nixpkgs&gt; {})</literal>. The
following module
</para>
<programlisting language="bash">
{ config, pkgs, ... }:
let
myProject = pkgs.fetchurl {
src = url;
sha256 = hash;
};
in
{
imports = [ &quot;${myProject}/module.nix&quot; ];
}
</programlisting>
<para>
should be modified to look like:
</para>
<programlisting language="bash">
{ config, pkgs, ... }:
let
myProject = (import &lt;nixpkgs&gt; {}).fetchurl {
src = url;
sha256 = hash;
};
in
{
imports = [ &quot;${myProject}/module.nix&quot; ];
}
</programlisting>
</listitem>
</itemizedlist>
<para>
Other notable improvements:
</para>
<itemizedlist>
<listitem>
<para>
The nixos and nixpkgs channels were unified, so one
<emphasis>can</emphasis> use
<literal>nix-env -iA nixos.bash</literal> instead of
<literal>nix-env -iA nixos.pkgs.bash</literal>. See
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/2cd7c1f198">the
commit</link> for details.
</para>
</listitem>
<listitem>
<para>
Users running an SSH server who worry about the quality of their
<literal>/etc/ssh/moduli</literal> file with respect to the
<link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html">vulnerabilities
discovered in the Diffie-Hellman key exchange</link> can now
replace OpenSSH's default version with one they generated
themselves using the new
<literal>services.openssh.moduliFile</literal> option.
</para>
</listitem>
<listitem>
<para>
A newly packaged TeX Live 2015 is provided in
<literal>pkgs.texlive</literal>, split into 6500 nix packages.
For basic user documentation see
<link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive/default.nix#L1">the
source</link>. Beware of
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/9757">an
issue</link> when installing a too large package set. The plan
is to deprecate and maybe delete the original TeX packages until
the next release.
</para>
</listitem>
<listitem>
<para>
<literal>buildEnv.env</literal> on all Python interpreters is
now available for nix-shell interoperability.
</para>
</listitem>
</itemizedlist>
</section>
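Review bot: In both fetchurl listings of the module-arguments entry (`myProject = pkgs.fetchurl { src = url; sha256 = hash; };` and its replacement), the attribute is written `src`, but fetchurl takes `url`. A reader who copies the snippet gets an evaluation error unrelated to the infinite recursion this entry explains. Suggest `url = url;` or an obvious placeholder in both listings. Two smaller points in the same entry: the Nix listings are tagged `language="bash"`, and the first listing uses `mkOption { … }` while its replacement uses `{ option declaration }`. Using the same placeholder in both would leave the `pkgs.lib` to `lib` change as the only visible difference.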

View file

@ -0,0 +1,695 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-16.03">
<title>Release 16.03 (<quote>Emu</quote>, 2016/03/31)</title>
<para>
In addition to numerous new and upgraded packages, this release has
the following highlights:
</para>
<itemizedlist>
<listitem>
<para>
Systemd 229, bringing
<link xlink:href="https://github.com/systemd/systemd/blob/v229/NEWS">numerous
improvements</link> over 217.
</para>
</listitem>
<listitem>
<para>
Linux 4.4 (was 3.18).
</para>
</listitem>
<listitem>
<para>
GCC 5.3 (was 4.9). Note that GCC 5
<link xlink:href="https://gcc.gnu.org/onlinedocs/libstdc++/manual/using_dual_abi.html">changes
the C++ ABI in an incompatible way</link>; this may cause
problems if you try to link objects compiled with different
versions of GCC.
</para>
</listitem>
<listitem>
<para>
Glibc 2.23 (was 2.21).
</para>
</listitem>
<listitem>
<para>
Binutils 2.26 (was 2.23.1). See #909
</para>
</listitem>
<listitem>
<para>
Improved support for ensuring
<link xlink:href="https://reproducible-builds.org/">bitwise
reproducible builds</link>. For example,
<literal>stdenv</literal> now sets the environment variable
<literal>SOURCE_DATE_EPOCH</literal> to a deterministic value,
and Nix has
<link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-1.11">gained
an option</link> to repeat a build a number of times to test
determinism. An ongoing project, the goal of exact
reproducibility is to allow binaries to be verified
independently (e.g., a user might only trust binaries that
appear in three independent binary caches).
</para>
</listitem>
<listitem>
<para>
Perl 5.22.
</para>
</listitem>
</itemizedlist>
<para>
The following new services were added since the last release:
</para>
<itemizedlist>
<listitem>
<para>
<literal>services/monitoring/longview.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>hardware/video/webcam/facetimehd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>i18n/input-method/default.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>i18n/input-method/fcitx.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>i18n/input-method/ibus.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>i18n/input-method/nabi.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>i18n/input-method/uim.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/fish.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>security/acme.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>security/audit.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>security/oath.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/hardware/irqbalance.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/mail/dspam.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/mail/opendkim.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/mail/postsrsd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/mail/rspamd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/mail/rmilter.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/autofs.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/bepasty.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/calibre-server.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/cfdyndns.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/gammu-smsd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/mathics.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/matrix-synapse.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/octoprint.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/hdaps.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/heapster.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/longview.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/network-filesystems/netatalk.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/network-filesystems/xtreemfs.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/autossh.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/dnschain.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/gale.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/miniupnpd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/namecoind.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/ostinato.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/pdnsd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/shairport-sync.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/supplicant.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/search/kibana.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/security/haka.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/security/physlock.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-apps/pump.io.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/x11/hardware/libinput.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/x11/window-managers/windowlab.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>system/boot/initrd-network.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>system/boot/initrd-ssh.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>system/boot/loader/loader.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>system/boot/networkd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>system/boot/resolved.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>virtualisation/lxd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>virtualisation/rkt.nix</literal>
</para>
</listitem>
</itemizedlist>
<para>
When upgrading from a previous release, please be aware of the
following incompatible changes:
</para>
<itemizedlist>
<listitem>
<para>
We no longer produce graphical ISO images and VirtualBox images
for <literal>i686-linux</literal>. A minimal ISO image is still
provided.
</para>
</listitem>
<listitem>
<para>
Firefox and similar browsers are now <emphasis>wrapped by
default</emphasis>. The package and attribute names are plain
<literal>firefox</literal> or <literal>midori</literal>, etc.
Backward-compatibility attributes were set up, but note that
<literal>nix-env -u</literal> will <emphasis>not</emphasis>
update your current <literal>firefox-with-plugins</literal>; you
have to uninstall it and install <literal>firefox</literal>
instead.
</para>
</listitem>
<listitem>
<para>
<literal>wmiiSnap</literal> has been replaced with
<literal>wmii_hg</literal>, but
<literal>services.xserver.windowManager.wmii.enable</literal>
has been updated respectively so this only affects you if you
have explicitly installed <literal>wmiiSnap</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>jobs</literal> NixOS option has been removed. It served
as compatibility layer between Upstart jobs and SystemD
services. All services have been rewritten to use
<literal>systemd.services</literal>
</para>
</listitem>
<listitem>
<para>
<literal>wmiimenu</literal> is removed, as it has been removed
by the developers upstream. Use <literal>wimenu</literal> from
the <literal>wmii-hg</literal> package.
</para>
</listitem>
<listitem>
<para>
Gitit is no longer automatically added to the module list in
NixOS and as such there will not be any manual entries for it.
You will need to add an import statement to your NixOS
configuration in order to use it, e.g.
</para>
<programlisting language="bash">
{
imports = [ &lt;nixpkgs/nixos/modules/services/misc/gitit.nix&gt; ];
}
</programlisting>
<para>
will include the Gitit service configuration options.
</para>
</listitem>
<listitem>
<para>
<literal>nginx</literal> does not accept flags for enabling and
disabling modules anymore. Instead it accepts
<literal>modules</literal> argument, which is a list of modules
to be built in. All modules now reside in
<literal>nginxModules</literal> set. Example configuration:
</para>
<programlisting language="bash">
nginx.override {
modules = [ nginxModules.rtmp nginxModules.dav nginxModules.moreheaders ];
}
</programlisting>
</listitem>
<listitem>
<para>
<literal>s3sync</literal> is removed, as it hasn't been
developed by upstream for 4 years and only runs with ruby 1.8.
For an actively-developer alternative look at
<literal>tarsnap</literal> and others.
</para>
</listitem>
<listitem>
<para>
<literal>ruby_1_8</literal> has been removed as it's not
supported from upstream anymore and probably contains security
issues.
</para>
</listitem>
<listitem>
<para>
<literal>tidy-html5</literal> package is removed. Upstream only
provided <literal>(lib)tidy5</literal> during development, and
now they went back to <literal>(lib)tidy</literal> to work as a
drop-in replacement of the original package that has been
unmaintained for years. You can (still) use the
<literal>html-tidy</literal> package, which got updated to a
stable release from this new upstream.
</para>
</listitem>
<listitem>
<para>
<literal>extraDeviceOptions</literal> argument is removed from
<literal>bumblebee</literal> package. Instead there are now two
separate arguments: <literal>extraNvidiaDeviceOptions</literal>
and <literal>extraNouveauDeviceOptions</literal> for setting
extra X11 options for nvidia and nouveau drivers, respectively.
</para>
</listitem>
<listitem>
<para>
The <literal>Ctrl+Alt+Backspace</literal> key combination no
longer kills the X server by default. There's a new option
<literal>services.xserver.enableCtrlAltBackspace</literal>
allowing to enable the combination again.
</para>
</listitem>
<listitem>
<para>
<literal>emacsPackagesNg</literal> now contains all packages
from the ELPA, MELPA, and MELPA Stable repositories.
</para>
</listitem>
<listitem>
<para>
Data directory for Postfix MTA server is moved from
<literal>/var/postfix</literal> to
<literal>/var/lib/postfix</literal>. Old configurations are
migrated automatically. <literal>service.postfix</literal>
module has also received many improvements, such as correct
directories' access rights, new <literal>aliasFiles</literal>
and <literal>mapFiles</literal> options and more.
</para>
</listitem>
<listitem>
<para>
Filesystem options should now be configured as a list of
strings, not a comma-separated string. The old style will
continue to work, but print a warning, until the 16.09 release.
An example of the new style:
</para>
<programlisting language="bash">
{
fileSystems.&quot;/example&quot; = {
device = &quot;/dev/sdc&quot;;
fsType = &quot;btrfs&quot;;
options = [ &quot;noatime&quot; &quot;compress=lzo&quot; &quot;space_cache&quot; &quot;autodefrag&quot; ];
};
}
</programlisting>
</listitem>
<listitem>
<para>
CUPS, installed by <literal>services.printing</literal> module,
now has its data directory in <literal>/var/lib/cups</literal>.
Old configurations from <literal>/etc/cups</literal> are moved
there automatically, but there might be problems. Also
configuration options
<literal>services.printing.cupsdConf</literal> and
<literal>services.printing.cupsdFilesConf</literal> were removed
because they had been allowing one to override configuration
variables required for CUPS to work at all on NixOS. For most
use cases, <literal>services.printing.extraConf</literal> and
new option <literal>services.printing.extraFilesConf</literal>
should be enough; if you encounter a situation when they are
not, please file a bug.
</para>
<para>
There are also Gutenprint improvements; in particular, a new
option <literal>services.printing.gutenprint</literal> is added
to enable automatic updating of Gutenprint PPMs; it's greatly
recommended to enable it instead of adding
<literal>gutenprint</literal> to the <literal>drivers</literal>
list.
</para>
</listitem>
<listitem>
<para>
<literal>services.xserver.vaapiDrivers</literal> has been
removed. Use
<literal>hardware.opengl.extraPackages{,32}</literal> instead.
You can also specify VDPAU drivers there.
</para>
</listitem>
<listitem>
<para>
<literal>programs.ibus</literal> moved to
<literal>i18n.inputMethod.ibus</literal>. The option
<literal>programs.ibus.plugins</literal> changed to
<literal>i18n.inputMethod.ibus.engines</literal> and the option
to enable ibus changed from
<literal>programs.ibus.enable</literal> to
<literal>i18n.inputMethod.enabled</literal>.
<literal>i18n.inputMethod.enabled</literal> should be set to the
used input method name, <literal>&quot;ibus&quot;</literal> for
ibus. An example of the new style:
</para>
<programlisting language="bash">
{
i18n.inputMethod.enabled = &quot;ibus&quot;;
i18n.inputMethod.ibus.engines = with pkgs.ibus-engines; [ anthy mozc ];
}
</programlisting>
<para>
That is equivalent to the old version:
</para>
<programlisting language="bash">
{
programs.ibus.enable = true;
programs.ibus.plugins = with pkgs; [ ibus-anthy mozc ];
}
</programlisting>
</listitem>
<listitem>
<para>
<literal>services.udev.extraRules</literal> option now writes
rules to <literal>99-local.rules</literal> instead of
<literal>10-local.rules</literal>. This makes all the user rules
apply after others, so their results wouldn't be overriden by
anything else.
</para>
</listitem>
<listitem>
<para>
Large parts of the <literal>services.gitlab</literal> module has
been been rewritten. There are new configuration options
available. The <literal>stateDir</literal> option was renamned
to <literal>statePath</literal> and the
<literal>satellitesDir</literal> option was removed. Please
review the currently available options.
</para>
</listitem>
<listitem>
<para>
The option
<literal>services.nsd.zones.&lt;name&gt;.data</literal> no
longer interpret the dollar sign ($) as a shell variable, as
such it should not be escaped anymore. Thus the following zone
data:
</para>
<programlisting>
$ORIGIN example.com.
$TTL 1800
@ IN SOA ns1.vpn.nbp.name. admin.example.com. (
</programlisting>
<para>
Should modified to look like the actual file expected by nsd:
</para>
<programlisting>
$ORIGIN example.com.
$TTL 1800
@ IN SOA ns1.vpn.nbp.name. admin.example.com. (
</programlisting>
</listitem>
<listitem>
<para>
<literal>service.syncthing.dataDir</literal> options now has to
point to exact folder where syncthing is writing to. Example
configuration should look something like:
</para>
<programlisting language="bash">
{
services.syncthing = {
enable = true;
dataDir = &quot;/home/somebody/.syncthing&quot;;
user = &quot;somebody&quot;;
};
}
</programlisting>
</listitem>
<listitem>
<para>
<literal>networking.firewall.allowPing</literal> is now enabled
by default. Users are encouraged to configure an appropriate
rate limit for their machines using the Kernel interface at
<literal>/proc/sys/net/ipv4/icmp_ratelimit</literal> and
<literal>/proc/sys/net/ipv6/icmp/ratelimit</literal> or using
the firewall itself, i.e. by setting the NixOS option
<literal>networking.firewall.pingLimit</literal>.
</para>
</listitem>
<listitem>
<para>
Systems with some broadcom cards used to result into a generated
config that is no longer accepted. If you get errors like
</para>
<programlisting>
error: path /nix/store/*-broadcom-sta-* does not exist and cannot be created
</programlisting>
<para>
you should either re-run
<literal>nixos-generate-config</literal> or manually replace
<literal>&quot;${config.boot.kernelPackages.broadcom_sta}&quot;</literal>
by <literal>config.boot.kernelPackages.broadcom_sta</literal> in
your <literal>/etc/nixos/hardware-configuration.nix</literal>.
More discussion is on
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/12595">
the github issue</link>.
</para>
</listitem>
<listitem>
<para>
The <literal>services.xserver.startGnuPGAgent</literal> option
has been removed. GnuPG 2.1.x changed the way the gpg-agent
works, and that new approach no longer requires (or even
supports) the &quot;start everything as a child of the
agent&quot; scheme we've implemented in NixOS for older
versions. To configure the gpg-agent for your X session, add the
following code to <literal>~/.bashrc</literal> or some file
thats sourced when your shell is started:
</para>
<programlisting>
GPG_TTY=$(tty)
export GPG_TTY
</programlisting>
<para>
If you want to use gpg-agent for SSH, too, add the following to
your session initialization (e.g.
<literal>displayManager.sessionCommands</literal>)
</para>
<programlisting>
gpg-connect-agent /bye
unset SSH_AGENT_PID
export SSH_AUTH_SOCK=&quot;''${HOME}/.gnupg/S.gpg-agent.ssh&quot;
</programlisting>
<para>
and make sure that
</para>
<programlisting>
enable-ssh-support
</programlisting>
<para>
is included in your <literal>~/.gnupg/gpg-agent.conf</literal>.
You will need to use <literal>ssh-add</literal> to re-add your
ssh keys. If gpgs automatic transformation of the private keys
to the new format fails, you will need to re-import your private
keyring as well:
</para>
<programlisting>
gpg --import ~/.gnupg/secring.gpg
</programlisting>
<para>
The <literal>gpg-agent(1)</literal> man page has more details
about this subject, i.e. in the &quot;EXAMPLES&quot; section.
</para>
</listitem>
</itemizedlist>
<para>
Other notable improvements:
</para>
<itemizedlist>
<listitem>
<para>
<literal>ejabberd</literal> module is brought back and now works
on NixOS.
</para>
</listitem>
<listitem>
<para>
Input method support was improved. New NixOS modules (fcitx,
nabi and uim), fcitx engines (chewing, hangul, m17n, mozc and
table-other) and ibus engines (hangul and m17n) have been added.
</para>
</listitem>
</itemizedlist>
</section>
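Review bot: In the `services.nsd.zones` entry the "before" and "after" listings are identical (`$ORIGIN example.com.` and `$TTL 1800` in both), so the note does not show what a user has to change. The first listing presumably needs the previously required escaped form of the dollar sign, and the connecting sentence is missing a verb ("Should modified"). Smaller points in the same file: `services/monitoring/longview.nix` appears twice in the new-services list, the option prefix is written `service.postfix` and `service.syncthing.dataDir` where the other entries use `services.`, and "See #909" after the Binutils entry is a bare number with no link.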

View file

@ -0,0 +1,273 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-16.09">
<title>Release 16.09 (<quote>Flounder</quote>, 2016/09/30)</title>
<para>
In addition to numerous new and upgraded packages, this release has
the following highlights:
</para>
<itemizedlist>
<listitem>
<para>
Many NixOS configurations and Nix packages now use significantly
less disk space, thanks to the
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive
work on closure size reduction</link>. For example, the closure
size of a minimal NixOS container went down from ~424 MiB in
16.03 to ~212 MiB in 16.09, while the closure size of Firefox
went from ~651 MiB to ~259 MiB.
</para>
</listitem>
<listitem>
<para>
To improve security, packages are now
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built
using various hardening features</link>. See the Nixpkgs manual
for more information.
</para>
</listitem>
<listitem>
<para>
Support for PXE netboot. See
<xref linkend="sec-booting-from-pxe" /> for documentation.
</para>
</listitem>
<listitem>
<para>
X.org server 1.18. If you use the <literal>ati_unfree</literal>
driver, 1.17 is still used due to an ABI incompatibility.
</para>
</listitem>
<listitem>
<para>
This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231.
The default Linux kernel remains 4.4.
</para>
</listitem>
</itemizedlist>
<para>
The following new services were added since the last release:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
<literal>(this will get automatically generated at release time)</literal>
</para>
</listitem>
</itemizedlist>
<para>
When upgrading from a previous release, please be aware of the
following incompatible changes:
</para>
<itemizedlist>
<listitem>
<para>
A large number of packages have been converted to use the
multiple outputs feature of Nix to greatly reduce the amount of
required disk space, as mentioned above. This may require
changes to any custom packages to make them build again; see the
relevant chapter in the Nixpkgs manual for more information.
(Additional caveat to packagers: some packaging conventions
related to multiple-output packages
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were
changed</link> late (August 2016) in the release cycle and
differ from the initial introduction of multiple outputs.)
</para>
</listitem>
<listitem>
<para>
Previous versions of Nixpkgs had support for all versions of the
LTS Haskell package set. That support has been dropped. The
previously provided <literal>haskell.packages.lts-x_y</literal>
package sets still exist in name to aviod breaking user code,
but these package sets don't actually contain the versions
mandated by the corresponding LTS release. Instead, our package
set it loosely based on the latest available LTS release, i.e.
LTS 7.x at the time of this writing. New releases of NixOS and
Nixpkgs will drop those old names entirely.
<link xlink:href="https://nixos.org/nix-dev/2016-June/020585.html">The
motivation for this change</link> has been discussed at length
on the <literal>nix-dev</literal> mailing list and in
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github
issue #14897</link>. Development strategies for Haskell hackers
who want to rely on Nix and NixOS have been described in
<link xlink:href="https://nixos.org/nix-dev/2016-June/020642.html">another
nix-dev article</link>.
</para>
</listitem>
<listitem>
<para>
Shell aliases for systemd sub-commands
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were
dropped</link>: <literal>start</literal>,
<literal>stop</literal>, <literal>restart</literal>,
<literal>status</literal>.
</para>
</listitem>
<listitem>
<para>
Redis now binds to 127.0.0.1 only instead of listening to all
network interfaces. This is the default behavior of Redis 3.2
</para>
</listitem>
<listitem>
<para>
<literal>/var/empty</literal> is now immutable. Activation
script runs <literal>chattr +i</literal> to forbid any
modifications inside the folder. See
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365">
the pull request</link> for what bugs this caused.
</para>
</listitem>
<listitem>
<para>
Gitlab's maintainance script <literal>gitlab-runner</literal>
was removed and split up into the more clearer
<literal>gitlab-run</literal> and <literal>gitlab-rake</literal>
scripts, because <literal>gitlab-runner</literal> is a component
of Gitlab CI.
</para>
</listitem>
<listitem>
<para>
<literal>services.xserver.libinput.accelProfile</literal>
default changed from <literal>flat</literal> to
<literal>adaptive</literal>, as per
<link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">
official documentation</link>.
</para>
</listitem>
<listitem>
<para>
<literal>fonts.fontconfig.ultimate.rendering</literal> was
removed because our presets were obsolete for some time. New
presets are hardcoded into FreeType; you can select a preset via
<literal>fonts.fontconfig.ultimate.preset</literal>. You can
customize those presets via ordinary environment variables,
using <literal>environment.variables</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>audit</literal> service is no longer enabled by
default. Use <literal>security.audit.enable = true</literal> to
explicitly enable it.
</para>
</listitem>
<listitem>
<para>
<literal>pkgs.linuxPackages.virtualbox</literal> now contains
only the kernel modules instead of the VirtualBox user space
binaries. If you want to reference the user space binaries, you
have to use the new <literal>pkgs.virtualbox</literal> instead.
</para>
</listitem>
<listitem>
<para>
<literal>goPackages</literal> was replaced with separated Go
applications in appropriate <literal>nixpkgs</literal>
categories. Each Go package uses its own dependency set. There's
also a new <literal>go2nix</literal> tool introduced to generate
a Go package definition from its Go source automatically.
</para>
</listitem>
<listitem>
<para>
<literal>services.mongodb.extraConfig</literal> configuration
format was changed to YAML.
</para>
</listitem>
<listitem>
<para>
PHP has been upgraded to 7.0
</para>
</listitem>
</itemizedlist>
<para>
Other notable improvements:
</para>
<itemizedlist>
<listitem>
<para>
Revamped grsecurity/PaX support. There is now only a single
general-purpose distribution kernel and the configuration
interface has been streamlined. Desktop users should be able to
simply set
</para>
<programlisting language="bash">
{
security.grsecurity.enable = true;
}
</programlisting>
<para>
to get a reasonably secure system without having to sacrifice
too much functionality.
</para>
</listitem>
<listitem>
<para>
Special filesystems, like <literal>/proc</literal>,
<literal>/run</literal> and others, now have the same mount
options as recommended by systemd and are unified across
different places in NixOS. Mount options are updated during
<literal>nixos-rebuild switch</literal> if possible. One benefit
from this is improved security — most such filesystems are now
mounted with <literal>noexec</literal>, <literal>nodev</literal>
and/or <literal>nosuid</literal> options.
</para>
</listitem>
<listitem>
<para>
The reverse path filter was interfering with DHCPv4 server
operation in the past. An exception for DHCPv4 and a new option
to log packets that were dropped due to the reverse path filter
was added
(<literal>networking.firewall.logReversePathDrops</literal>) for
easier debugging.
</para>
</listitem>
<listitem>
<para>
Containers configuration within
<literal>containers.&lt;name&gt;.config</literal> is
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now
properly typed and checked</link>. In particular, partial
configurations are merged correctly.
</para>
</listitem>
<listitem>
<para>
The directory container setuid wrapper programs,
<literal>/var/setuid-wrappers</literal>,
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is
now updated atomically to prevent failures if the switch to a
new configuration is interrupted.</link>
</para>
</listitem>
<listitem>
<para>
<literal>services.xserver.startGnuPGAgent</literal> has been
removed due to GnuPG 2.1.x bump. See
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c">
how to achieve similar behavior</link>. You might need to
<literal>pkill gpg-agent</literal> after the upgrade to prevent
a stale agent being in the way.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147">
Declarative users could share the uid due to the bug in the
script handling conflict resolution. </link>
</para>
</listitem>
<listitem>
<para>
Gummi boot has been replaced using systemd-boot.
</para>
</listitem>
<listitem>
<para>
Hydra package and NixOS module were added for convenience.
</para>
</listitem>
</itemizedlist>
</section>
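Review bot: The "Declarative users could share the uid due to the bug in the script handling conflict resolution" entry under "Other notable improvements" states the defect rather than the change, and the whole sentence is used as the link text. Since this concerns separation between accounts, suggest saying explicitly that the uid-conflict bug was fixed and whether existing systems should be checked for users that already share a uid, with the commit linked from a short phrase. Also in this file: the new-services list still contains the placeholder "(this will get automatically generated at release time)", and the setuid-wrappers entry says "The directory container" where "containing" is meant.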

View file

@ -0,0 +1,818 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-17.03">
<title>Release 17.03 (<quote>Gorilla</quote>, 2017/03/31)</title>
<section xml:id="sec-release-17.03-highlights">
<title>Highlights</title>
<para>
In addition to numerous new and upgraded packages, this release
has the following highlights:
</para>
<itemizedlist>
<listitem>
<para>
Nixpkgs is now extensible through overlays. See the
<link xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">Nixpkgs
manual</link> for more information.
</para>
</listitem>
<listitem>
<para>
This release is based on Glibc 2.25, GCC 5.4.0 and systemd
232. The default Linux kernel is 4.9 and Nix is at 1.11.8.
</para>
</listitem>
<listitem>
<para>
The default desktop environment now is KDE's Plasma 5. KDE 4
has been removed
</para>
</listitem>
<listitem>
<para>
The setuid wrapper functionality now supports setting
capabilities.
</para>
</listitem>
<listitem>
<para>
X.org server uses branch 1.19. Due to ABI incompatibilities,
<literal>ati_unfree</literal> keeps forcing 1.17 and
<literal>amdgpu-pro</literal> starts forcing 1.18.
</para>
</listitem>
<listitem>
<para>
Cross compilation has been rewritten. See the nixpkgs manual
for details. The most obvious breaking change is that in
derivations there is no <literal>.nativeDrv</literal> nor
<literal>.crossDrv</literal> are now cross by default, not
native.
</para>
</listitem>
<listitem>
<para>
The <literal>overridePackages</literal> function has been
rewritten to be replaced by
<link xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
overlays</link>
</para>
</listitem>
<listitem>
<para>
Packages in nixpkgs can be marked as insecure through listed
vulnerabilities. See the
<link xlink:href="https://nixos.org/nixpkgs/manual/#sec-allow-insecure">Nixpkgs
manual</link> for more information.
</para>
</listitem>
<listitem>
<para>
PHP now defaults to PHP 7.1
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-17.03-new-services">
<title>New Services</title>
<para>
The following new services were added since the last release:
</para>
<itemizedlist>
<listitem>
<para>
<literal>hardware/ckb.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>hardware/mcelog.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>hardware/usb-wwan.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>hardware/video/capture/mwprocapture.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/adb.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/chromium.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/gphoto2.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/java.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/mtr.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/oblogout.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/vim.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/wireshark.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>security/dhparams.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/audio/ympd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/computing/boinc/client.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/continuous-integration/buildbot/master.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/continuous-integration/buildbot/worker.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/continuous-integration/gitlab-runner.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/databases/riak-cs.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/databases/stanchion.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/desktops/gnome3/gnome-terminal-server.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/editors/infinoted.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/hardware/illum.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/hardware/trezord.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/logging/journalbeat.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/mail/offlineimap.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/mail/postgrey.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/couchpotato.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/docker-registry.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/errbot.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/geoip-updater.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/gogs.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/leaps.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/nix-optimise.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/ssm-agent.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/sssd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/arbtt.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/netdata.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/prometheus/default.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/prometheus/alertmanager.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/prometheus/blackbox-exporter.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/prometheus/json-exporter.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/prometheus/nginx-exporter.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/prometheus/node-exporter.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/prometheus/snmp-exporter.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/prometheus/unifi-exporter.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/prometheus/varnish-exporter.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/sysstat.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/telegraf.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/vnstat.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/network-filesystems/cachefilesd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/network-filesystems/glusterfs.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/network-filesystems/ipfs.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/dante.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/dnscrypt-wrapper.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/fakeroute.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/flannel.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/htpdate.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/miredo.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/nftables.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/powerdns.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/pdns-recursor.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/quagga.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/redsocks.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/wireguard.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/system/cgmanager.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/torrent/opentracker.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-apps/atlassian/confluence.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-apps/atlassian/crowd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-apps/atlassian/jira.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-apps/frab.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-apps/nixbot.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-apps/selfoss.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-apps/quassel-webserver.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/x11/unclutter-xfixes.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/x11/urxvtd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>system/boot/systemd-nspawn.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>virtualisation/ecs-agent.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>virtualisation/lxcfs.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>virtualisation/openstack/keystone.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>virtualisation/openstack/glance.nix</literal>
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-17.03-incompatibilities">
<title>Backward Incompatibilities</title>
<para>
When upgrading from a previous release, please be aware of the
following incompatible changes:
</para>
<itemizedlist>
<listitem>
<para>
Derivations have no <literal>.nativeDrv</literal> nor
<literal>.crossDrv</literal> and are now cross by default, not
native.
</para>
</listitem>
<listitem>
<para>
<literal>stdenv.overrides</literal> is now expected to take
<literal>self</literal> and <literal>super</literal>
arguments. See <literal>lib.trivial.extends</literal> for what
those parameters represent.
</para>
</listitem>
<listitem>
<para>
<literal>ansible</literal> now defaults to ansible version 2
as version 1 has been removed due to a serious
<link xlink:href="https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt">
vulnerability</link> unpatched by upstream.
</para>
</listitem>
<listitem>
<para>
<literal>gnome</literal> alias has been removed along with
<literal>gtk</literal>, <literal>gtkmm</literal> and several
others. Now you need to use versioned attributes, like
<literal>gnome3</literal>.
</para>
</listitem>
<listitem>
<para>
The attribute name of the Radicale daemon has been changed
from <literal>pythonPackages.radicale</literal> to
<literal>radicale</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>stripHash</literal> bash function in
<literal>stdenv</literal> changed according to its
documentation; it now outputs the stripped name to
<literal>stdout</literal> instead of putting it in the
variable <literal>strippedName</literal>.
</para>
</listitem>
<listitem>
<para>
PHP now scans for extra configuration .ini files in /etc/php.d
instead of /etc. This prevents accidentally loading non-PHP
.ini files that may be in /etc.
</para>
</listitem>
<listitem>
<para>
Two lone top-level dict dbs moved into
<literal>dictdDBs</literal>. This affects:
<literal>dictdWordnet</literal> which is now at
<literal>dictdDBs.wordnet</literal> and
<literal>dictdWiktionary</literal> which is now at
<literal>dictdDBs.wiktionary</literal>
</para>
</listitem>
<listitem>
<para>
Parsoid service now uses YAML configuration format.
<literal>service.parsoid.interwikis</literal> is now called
<literal>service.parsoid.wikis</literal> and is a list of
either API URLs or attribute sets as specified in parsoid's
documentation.
</para>
</listitem>
<listitem>
<para>
<literal>Ntpd</literal> was replaced by
<literal>systemd-timesyncd</literal> as the default service to
synchronize system time with a remote NTP server. The old
behavior can be restored by setting
<literal>services.ntp.enable</literal> to
<literal>true</literal>. Upstream time servers for all NTP
implementations are now configured using
<literal>networking.timeServers</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>service.nylon</literal> is now declared using named
instances. As an example:
</para>
<programlisting language="bash">
{
services.nylon = {
enable = true;
acceptInterface = &quot;br0&quot;;
bindInterface = &quot;tun1&quot;;
port = 5912;
};
}
</programlisting>
<para>
should be replaced with:
</para>
<programlisting language="bash">
{
services.nylon.myvpn = {
enable = true;
acceptInterface = &quot;br0&quot;;
bindInterface = &quot;tun1&quot;;
port = 5912;
};
}
</programlisting>
<para>
this enables you to declare a SOCKS proxy for each uplink.
</para>
</listitem>
<listitem>
<para>
<literal>overridePackages</literal> function no longer exists.
It is replaced by
<link xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
overlays</link>. For example, the following code:
</para>
<programlisting language="bash">
let
pkgs = import &lt;nixpkgs&gt; {};
in
pkgs.overridePackages (self: super: ...)
</programlisting>
<para>
should be replaced by:
</para>
<programlisting language="bash">
let
pkgs = import &lt;nixpkgs&gt; {};
in
import pkgs.path { overlays = [(self: super: ...)]; }
</programlisting>
</listitem>
<listitem>
<para>
Autoloading connection tracking helpers is now disabled by
default. This default was also changed in the Linux kernel and
is considered insecure if not configured properly in your
firewall. If you need connection tracking helpers (i.e. for
active FTP) please enable
<literal>networking.firewall.autoLoadConntrackHelpers</literal>
and tune
<literal>networking.firewall.connectionTrackingModules</literal>
to suit your needs.
</para>
</listitem>
<listitem>
<para>
<literal>local_recipient_maps</literal> is not set to empty
value by Postfix service. It's an insecure default as stated
by Postfix documentation. Those who want to retain this
setting need to set it via
<literal>services.postfix.extraConfig</literal>.
</para>
</listitem>
<listitem>
<para>
Iputils no longer provide ping6 and traceroute6. The
functionality of these tools has been integrated into ping and
traceroute respectively. To enforce an address family the new
flags <literal>-4</literal> and <literal>-6</literal> have
been added. One notable incompatibility is that specifying an
interface (for link-local IPv6 for instance) is no longer done
with the <literal>-I</literal> flag, but by encoding the
interface into the address
(<literal>ping fe80::1%eth0</literal>).
</para>
</listitem>
<listitem>
<para>
The socket handling of the <literal>services.rmilter</literal>
module has been fixed and refactored. As rmilter doesn't
support binding to more than one socket, the options
<literal>bindUnixSockets</literal> and
<literal>bindInetSockets</literal> have been replaced by
<literal>services.rmilter.bindSocket.*</literal>. The default
is still a unix socket in
<literal>/run/rmilter/rmilter.sock</literal>. Refer to the
options documentation for more information.
</para>
</listitem>
<listitem>
<para>
The <literal>fetch*</literal> functions no longer support md5,
please use sha256 instead.
</para>
</listitem>
<listitem>
<para>
The dnscrypt-proxy module interface has been streamlined
around the <literal>extraArgs</literal> option. Where
possible, legacy option declarations are mapped to
<literal>extraArgs</literal> but will emit warnings. The
<literal>resolverList</literal> has been outright removed: to
use an unlisted resolver, use the
<literal>customResolver</literal> option.
</para>
</listitem>
<listitem>
<para>
torbrowser now stores local state under
<literal>~/.local/share/tor-browser</literal> by default. Any
browser profile data from the old location,
<literal>~/.torbrowser4</literal>, must be migrated manually.
</para>
</listitem>
<listitem>
<para>
The ihaskell, monetdb, offlineimap and sitecopy services have
been removed.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-17.03-notable-changes">
<title>Other Notable Changes</title>
<itemizedlist>
<listitem>
<para>
Module type system have a new extensible option types feature
that allow to extend certain types, such as enum, through
multiple option declarations of the same option across
multiple modules.
</para>
</listitem>
<listitem>
<para>
<literal>jre</literal> now defaults to GTK UI by default. This
improves visual consistency and makes Java follow system font
style, improving the situation on HighDPI displays. This has a
cost of increased closure size; for server and other headless
workloads it's recommended to use
<literal>jre_headless</literal>.
</para>
</listitem>
<listitem>
<para>
Python 2.6 interpreter and package set have been removed.
</para>
</listitem>
<listitem>
<para>
The Python 2.7 interpreter does not use modules anymore.
Instead, all CPython interpreters now include the whole
standard library except for `tkinter`, which is available in
the Python package set.
</para>
</listitem>
<listitem>
<para>
Python 2.7, 3.5 and 3.6 are now built deterministically and
3.4 mostly. Minor modifications had to be made to the
interpreters in order to generate deterministic bytecode. This
has security implications and is relevant for those using
Python in a <literal>nix-shell</literal>. See the Nixpkgs
manual for details.
</para>
</listitem>
<listitem>
<para>
The Python package sets now use a fixed-point combinator and
the sets are available as attributes of the interpreters.
</para>
</listitem>
<listitem>
<para>
The Python function <literal>buildPythonPackage</literal> has
been improved and can be used to build from Setuptools source,
Flit source, and precompiled Wheels.
</para>
</listitem>
<listitem>
<para>
When adding new or updating current Python libraries, the
expressions should be put in separate files in
<literal>pkgs/development/python-modules</literal> and called
from <literal>python-packages.nix</literal>.
</para>
</listitem>
<listitem>
<para>
The dnscrypt-proxy service supports synchronizing the list of
public resolvers without working DNS resolution. This fixes
issues caused by the resolver list becoming outdated. It also
improves the viability of DNSCrypt only configurations.
</para>
</listitem>
<listitem>
<para>
Containers using bridged networking no longer lose their
connection after changes to the host networking.
</para>
</listitem>
<listitem>
<para>
ZFS supports pool auto scrubbing.
</para>
</listitem>
<listitem>
<para>
The bind DNS utilities (e.g. dig) have been split into their
own output and are now also available in
<literal>pkgs.dnsutils</literal> and it is no longer necessary
to pull in all of <literal>bind</literal> to use them.
</para>
</listitem>
<listitem>
<para>
Per-user configuration was moved from
<literal>~/.nixpkgs</literal> to
<literal>~/.config/nixpkgs</literal>. The former is still
valid for <literal>config.nix</literal> for backwards
compatibility.
</para>
</listitem>
</itemizedlist>
</section>
</section>
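Review bot: The cross-compilation item in the 17.03 Highlights list is not a complete sentence ("in derivations there is no .nativeDrv nor .crossDrv are now cross by default, not native"); reuse the wording of the first Backward Incompatibilities item, "Derivations have no .nativeDrv nor .crossDrv and are now cross by default, not native." Under Backward Incompatibilities, the Postfix item says local_recipient_maps "is not set to empty value", which reads as a description of state rather than a change. Because the item is about an insecure default, "is no longer set to an empty value" would make the direction of the change unambiguous for anyone auditing a mail setup after the upgrade. The nylon item names the option service.nylon while both of its listings use services.nylon, and all four Nix listings in this file are tagged language="bash". Smaller points: the KDE 4, overlays and PHP highlights lack a final period, and tkinter is wrapped in Markdown backticks instead of a literal element.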

View file

@ -0,0 +1,922 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-17.09">
<title>Release 17.09 (<quote>Hummingbird</quote>, 2017/09/??)</title>
<section xml:id="sec-release-17.09-highlights">
<title>Highlights</title>
<para>
In addition to numerous new and upgraded packages, this release
has the following highlights:
</para>
<itemizedlist>
<listitem>
<para>
The GNOME version is now 3.24. KDE Plasma was upgraded to
5.10, KDE Applications to 17.08.1 and KDE Frameworks to 5.37.
</para>
</listitem>
<listitem>
<para>
The user handling now keeps track of deallocated UIDs/GIDs.
When a user or group is revived, this allows it to be
allocated the UID/GID it had before. A consequence is that
UIDs and GIDs are no longer reused.
</para>
</listitem>
<listitem>
<para>
The module option
<literal>services.xserver.xrandrHeads</literal> now causes the
first head specified in this list to be set as the primary
head. Apart from that, it's now possible to also set
additional options by using an attribute set, for example:
</para>
<programlisting language="bash">
{ services.xserver.xrandrHeads = [
&quot;HDMI-0&quot;
{
output = &quot;DVI-0&quot;;
primary = true;
monitorConfig = ''
Option &quot;Rotate&quot; &quot;right&quot;
'';
}
];
}
</programlisting>
<para>
This will set the <literal>DVI-0</literal> output to be the
primary head, even though <literal>HDMI-0</literal> is the
first head in the list.
</para>
</listitem>
<listitem>
<para>
The handling of SSL in the <literal>services.nginx</literal>
module has been cleaned up, renaming the misnamed
<literal>enableSSL</literal> to <literal>onlySSL</literal>
which reflects its original intention. This is not to be used
with the already existing <literal>forceSSL</literal> which
creates a second non-SSL virtual host redirecting to the SSL
virtual host. This by chance had worked earlier due to
specific implementation details. In case you had specified
both please remove the <literal>enableSSL</literal> option to
keep the previous behaviour.
</para>
<para>
Another <literal>addSSL</literal> option has been introduced
to configure both a non-SSL virtual host and an SSL virtual
host with the same configuration.
</para>
<para>
Options to configure <literal>resolver</literal> options and
<literal>upstream</literal> blocks have been introduced. See
their information for further details.
</para>
<para>
The <literal>port</literal> option has been replaced by a more
generic <literal>listen</literal> option which makes it
possible to specify multiple addresses, ports and SSL configs
dependant on the new SSL handling mentioned above.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-17.09-new-services">
<title>New Services</title>
<para>
The following new services were added since the last release:
</para>
<itemizedlist>
<listitem>
<para>
<literal>config/fonts/fontconfig-penultimate.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>config/fonts/fontconfig-ultimate.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>config/terminfo.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>hardware/sensor/iio.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>hardware/nitrokey.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>hardware/raid/hpsa.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/browserpass.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/gnupg.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/qt5ct.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/slock.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs/thefuck.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>security/auditd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>security/lock-kernel-modules.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>service-managers/docker.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>service-managers/trivial.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/admin/salt/master.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/admin/salt/minion.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/audio/slimserver.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/cluster/kubernetes/default.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/cluster/kubernetes/dns.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/cluster/kubernetes/dashboard.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/continuous-integration/hail.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/databases/clickhouse.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/databases/postage.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/desktops/gnome3/gnome-disks.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/desktops/gnome3/gpaste.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/logging/SystemdJournal2Gelf.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/logging/heartbeat.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/logging/journalwatch.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/logging/syslogd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/mail/mailhog.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/mail/nullmailer.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/airsonic.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/autorandr.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/exhibitor.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/fstrim.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/gollum.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/irkerd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/jackett.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/radarr.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/misc/snapper.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/osquery.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/prometheus/collectd-exporter.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/monitoring/prometheus/fritzbox-exporter.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/network-filesystems/kbfs.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/dnscache.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/fireqos.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/iwd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/keepalived/default.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/keybase.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/lldpd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/matterbridge.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/squid.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/tinydns.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/networking/xrdp.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/security/shibboleth-sp.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/security/sks.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/security/sshguard.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/security/torify.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/security/usbguard.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/security/vault.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/system/earlyoom.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/system/saslauthd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-apps/nexus.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-apps/pgpkeyserver-lite.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-apps/piwik.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-servers/lighttpd/collectd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/web-servers/minio.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/x11/display-managers/xpra.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services/x11/xautolock.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>tasks/filesystems/bcachefs.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>tasks/powertop.nix</literal>
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-17.09-incompatibilities">
<title>Backward Incompatibilities</title>
<para>
When upgrading from a previous release, please be aware of the
following incompatible changes:
</para>
<itemizedlist>
<listitem>
<para>
<emphasis role="strong">In an Qemu-based virtualization
environment, the network interface names changed from i.e.
<literal>enp0s3</literal> to
<literal>ens3</literal>.</emphasis>
</para>
<para>
This is due to a kernel configuration change. The new naming
is consistent with those of other Linux distributions with
systemd. See
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/29197">#29197</link>
for more information.
</para>
<para>
A machine is affected if the <literal>virt-what</literal> tool
either returns <literal>qemu</literal> or
<literal>kvm</literal> <emphasis>and</emphasis> has interface
names used in any part of its NixOS configuration, in
particular if a static network configuration with
<literal>networking.interfaces</literal> is used.
</para>
<para>
Before rebooting affected machines, please ensure:
</para>
<itemizedlist>
<listitem>
<para>
Change the interface names in your NixOS configuration.
The first interface will be called
<literal>ens3</literal>, the second one
<literal>ens8</literal> and starting from there
incremented by 1.
</para>
</listitem>
<listitem>
<para>
After changing the interface names, rebuild your system
with <literal>nixos-rebuild boot</literal> to activate the
new configuration after a reboot. If you switch to the new
configuration right away you might lose network
connectivity! If using <literal>nixops</literal>, deploy
with <literal>nixops deploy --force-reboot</literal>.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The following changes apply if the
<literal>stateVersion</literal> is changed to 17.09 or higher.
For <literal>stateVersion = &quot;17.03&quot;</literal> or
lower the old behavior is preserved.
</para>
<itemizedlist>
<listitem>
<para>
The <literal>postgres</literal> default version was
changed from 9.5 to 9.6.
</para>
</listitem>
<listitem>
<para>
The <literal>postgres</literal> superuser name has changed
from <literal>root</literal> to
<literal>postgres</literal> to more closely follow what
other Linux distributions are doing.
</para>
</listitem>
<listitem>
<para>
The <literal>postgres</literal> default
<literal>dataDir</literal> has changed from
<literal>/var/db/postgres</literal> to
<literal>/var/lib/postgresql/$psqlSchema</literal> where
$psqlSchema is 9.6 for example.
</para>
</listitem>
<listitem>
<para>
The <literal>mysql</literal> default
<literal>dataDir</literal> has changed from
<literal>/var/mysql</literal> to
<literal>/var/lib/mysql</literal>.
</para>
</listitem>
<listitem>
<para>
Radicale's default package has changed from 1.x to 2.x.
Instructions to migrate can be found
<link xlink:href="http://radicale.org/1to2/"> here
</link>. It is also possible to use the newer version by
setting the <literal>package</literal> to
<literal>radicale2</literal>, which is done automatically
when <literal>stateVersion</literal> is 17.09 or higher.
The <literal>extraArgs</literal> option has been added to
allow passing the data migration arguments specified in
the instructions; see the <literal>radicale.nix</literal>
NixOS test for an example migration.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>aiccu</literal> package was removed. This is due
to SixXS <link xlink:href="https://www.sixxs.net/main/">
sunsetting</link> its IPv6 tunnel.
</para>
</listitem>
<listitem>
<para>
The <literal>fanctl</literal> package and
<literal>fan</literal> module have been removed due to the
developers not upstreaming their iproute2 patches and lagging
with compatibility to recent iproute2 versions.
</para>
</listitem>
<listitem>
<para>
Top-level <literal>idea</literal> package collection was
renamed. All JetBrains IDEs are now at
<literal>jetbrains</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>flexget</literal>'s state database cannot be upgraded
to its new internal format, requiring removal of any existing
<literal>db-config.sqlite</literal> which will be
automatically recreated.
</para>
</listitem>
<listitem>
<para>
The <literal>ipfs</literal> service now doesn't ignore the
<literal>dataDir</literal> option anymore. If you've ever set
this option to anything other than the default you'll have to
either unset it (so the default gets used) or migrate the old
data manually with
</para>
<programlisting>
dataDir=&lt;valueOfDataDir&gt;
mv /var/lib/ipfs/.ipfs/* $dataDir
rmdir /var/lib/ipfs/.ipfs
</programlisting>
</listitem>
<listitem>
<para>
The <literal>caddy</literal> service was previously using an
extra <literal>.caddy</literal> directory in the data
directory specified with the <literal>dataDir</literal>
option. The contents of the <literal>.caddy</literal>
directory are now expected to be in the
<literal>dataDir</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>ssh-agent</literal> user service is not started
by default anymore. Use
<literal>programs.ssh.startAgent</literal> to enable it if
needed. There is also a new
<literal>programs.gnupg.agent</literal> module that creates a
<literal>gpg-agent</literal> user service. It can also serve
as a SSH agent if <literal>enableSSHSupport</literal> is set.
</para>
</listitem>
<listitem>
<para>
The
<literal>services.tinc.networks.&lt;name&gt;.listenAddress</literal>
option had a misleading name that did not correspond to its
behavior. It now correctly defines the ip to listen for
incoming connections on. To keep the previous behaviour, use
<literal>services.tinc.networks.&lt;name&gt;.bindToAddress</literal>
instead. Refer to the description of the options for more
details.
</para>
</listitem>
<listitem>
<para>
<literal>tlsdate</literal> package and module were removed.
This is due to the project being dead and not building with
openssl 1.1.
</para>
</listitem>
<listitem>
<para>
<literal>wvdial</literal> package and module were removed.
This is due to the project being dead and not building with
openssl 1.1.
</para>
</listitem>
<listitem>
<para>
<literal>cc-wrapper</literal>'s setup-hook now exports a
number of environment variables corresponding to binutils
binaries, (e.g. <literal>LD</literal>,
<literal>STRIP</literal>, <literal>RANLIB</literal>, etc).
This is done to prevent packages' build systems guessing,
which is harder to predict, especially when cross-compiling.
However, some packages have broken due to this—their build
systems either not supporting, or claiming to support without
adequate testing, taking such environment variables as
parameters.
</para>
</listitem>
<listitem>
<para>
<literal>services.firefox.syncserver</literal> now runs by
default as a non-root user. To accomodate this change, the
default sqlite database location has also been changed.
Migration should work automatically. Refer to the description
of the options for more details.
</para>
</listitem>
<listitem>
<para>
The <literal>compiz</literal> window manager and package was
removed. The system support had been broken for several years.
</para>
</listitem>
<listitem>
<para>
Touchpad support should now be enabled through
<literal>libinput</literal> as <literal>synaptics</literal> is
now deprecated. See the option
<literal>services.xserver.libinput.enable</literal>.
</para>
</listitem>
<listitem>
<para>
grsecurity/PaX support has been dropped, following upstream's
decision to cease free support. See
<link xlink:href="https://grsecurity.net/passing_the_baton.php">
upstream's announcement</link> for more information. No
complete replacement for grsecurity/PaX is available
presently.
</para>
</listitem>
<listitem>
<para>
<literal>services.mysql</literal> now has declarative
configuration of databases and users with the
<literal>ensureDatabases</literal> and
<literal>ensureUsers</literal> options.
</para>
<para>
These options will never delete existing databases and users,
especially not when the value of the options are changed.
</para>
<para>
The MySQL users will be identified using
<link xlink:href="https://mariadb.com/kb/en/library/authentication-plugin-unix-socket/">
Unix socket authentication</link>. This authenticates the Unix
user with the same name only, and that without the need for a
password.
</para>
<para>
If you have previously created a MySQL <literal>root</literal>
user <emphasis>with a password</emphasis>, you will need to
add <literal>root</literal> user for unix socket
authentication before using the new options. This can be done
by running the following SQL script:
</para>
<programlisting language="SQL">
CREATE USER 'root'@'%' IDENTIFIED BY '';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
-- Optionally, delete the password-authenticated user:
-- DROP USER 'root'@'localhost';
</programlisting>
</listitem>
<listitem>
<para>
<literal>services.mysqlBackup</literal> now works by default
without any user setup, including for users other than
<literal>mysql</literal>.
</para>
<para>
By default, the <literal>mysql</literal> user is no longer the
user which performs the backup. Instead a system account
<literal>mysqlbackup</literal> is used.
</para>
<para>
The <literal>mysqlBackup</literal> service is also now using
systemd timers instead of <literal>cron</literal>.
</para>
<para>
Therefore, the <literal>services.mysqlBackup.period</literal>
option no longer exists, and has been replaced with
<literal>services.mysqlBackup.calendar</literal>, which is in
the format of
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events">systemd.time(7)</link>.
</para>
<para>
If you expect to be sent an e-mail when the backup fails,
consider using a script which monitors the systemd journal for
errors. Regretfully, at present there is no built-in
functionality for this.
</para>
<para>
You can check that backups still work by running
<literal>systemctl start mysql-backup</literal> then
<literal>systemctl status mysql-backup</literal>.
</para>
</listitem>
<listitem>
<para>
Templated systemd services e.g
<literal>container@name</literal> are now handled currectly
when switching to a new configuration, resulting in them being
reloaded.
</para>
</listitem>
<listitem>
<para>
Steam: the <literal>newStdcpp</literal> parameter was removed
and should not be needed anymore.
</para>
</listitem>
<listitem>
<para>
Redis has been updated to version 4 which mandates a cluster
mass-restart, due to changes in the network handling, in order
to ensure compatibility with networks NATing traffic.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-17.09-notable-changes">
<title>Other Notable Changes</title>
<itemizedlist>
<listitem>
<para>
Modules can now be disabled by using
<link xlink:href="https://nixos.org/nixpkgs/manual/#sec-replace-modules">
disabledModules</link>, allowing another to take it's place.
This can be used to import a set of modules from another
channel while keeping the rest of the system on a stable
release.
</para>
</listitem>
<listitem>
<para>
Updated to FreeType 2.7.1, including a new TrueType engine.
The new engine replaces the Infinality engine which was the
default in NixOS. The default font rendering settings are now
provided by fontconfig-penultimate, replacing
fontconfig-ultimate; the new defaults are less invasive and
provide rendering that is more consistent with other systems
and hopefully with each font designer's intent. Some
system-wide configuration has been removed from the Fontconfig
NixOS module where user Fontconfig settings are available.
</para>
</listitem>
<listitem>
<para>
ZFS/SPL have been updated to 0.7.0,
<literal>zfsUnstable, splUnstable</literal> have therefore
been removed.
</para>
</listitem>
<listitem>
<para>
The <literal>time.timeZone</literal> option now allows the
value <literal>null</literal> in addition to timezone strings.
This value allows changing the timezone of a system
imperatively using
<literal>timedatectl set-timezone</literal>. The default
timezone is still UTC.
</para>
</listitem>
<listitem>
<para>
Nixpkgs overlays may now be specified with a file as well as a
directory. The value of
<literal>&lt;nixpkgs-overlays&gt;</literal> may be a file, and
<literal>~/.config/nixpkgs/overlays.nix</literal> can be used
instead of the <literal>~/.config/nixpkgs/overlays</literal>
directory.
</para>
<para>
See the overlays chapter of the Nixpkgs manual for more
details.
</para>
</listitem>
<listitem>
<para>
Definitions for <literal>/etc/hosts</literal> can now be
specified declaratively with
<literal>networking.hosts</literal>.
</para>
</listitem>
<listitem>
<para>
Two new options have been added to the installer loader, in
addition to the default having changed. The kernel log
verbosity has been lowered to the upstream default for the
default options, in order to not spam the console when e.g.
joining a network.
</para>
<para>
This therefore leads to adding a new <literal>debug</literal>
option to set the log level to the previous verbose mode, to
make debugging easier, but still accessible easily.
</para>
<para>
Additionally a <literal>copytoram</literal> option has been
added, which makes it possible to remove the install medium
after booting. This allows tethering from your phone after
booting from it.
</para>
</listitem>
<listitem>
<para>
<literal>services.gitlab-runner.configOptions</literal> has
been added to specify the configuration of gitlab-runners
declaratively.
</para>
</listitem>
<listitem>
<para>
<literal>services.jenkins.plugins</literal> has been added to
install plugins easily, this can be generated with
jenkinsPlugins2nix.
</para>
</listitem>
<listitem>
<para>
<literal>services.postfix.config</literal> has been added to
specify the main.cf with NixOS options. Additionally other
options have been added to the postfix module and has been
improved further.
</para>
</listitem>
<listitem>
<para>
The GitLab package and module have been updated to the latest
10.0 release.
</para>
</listitem>
<listitem>
<para>
The <literal>systemd-boot</literal> boot loader now lists the
NixOS version, kernel version and build date of all bootable
generations.
</para>
</listitem>
<listitem>
<para>
The dnscrypt-proxy service now defaults to using a random
upstream resolver, selected from the list of public
non-logging resolvers with DNSSEC support. Existing
configurations can be migrated to this mode of operation by
omitting the
<literal>services.dnscrypt-proxy.resolverName</literal> option
or setting it to <literal>&quot;random&quot;</literal>.
</para>
</listitem>
</itemizedlist>
</section>
</section>
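Review bot: In the `services.mysql` item of the 17.09 incompatibilities list, the SQL script is introduced as adding a `root` user for unix socket authentication, but `CREATE USER 'root'@'%' IDENTIFIED BY '';` names no authentication plugin. As written it creates an account with an empty password whose host part `'%'` matches any client host, and the next line grants it `ALL PRIVILEGES ... WITH GRANT OPTION`. If socket authentication is the intent, consider scoping the account to `'root'@'localhost'` and using the plugin form from the linked MariaDB page (`IDENTIFIED VIA unix_socket`), or state explicitly in the text why an empty password is acceptable here. Minor: "accomodate", "currectly" and "it's place" are misspelled elsewhere in this file.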

View file

@ -0,0 +1,879 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-18.03">
<title>Release 18.03 (<quote>Impala</quote>, 2018/04/04)</title>
<section xml:id="sec-release-18.03-highlights">
<title>Highlights</title>
<para>
In addition to numerous new and upgraded packages, this release
has the following highlights:
</para>
<itemizedlist>
<listitem>
<para>
End of support is planned for end of October 2018, handing
over to 18.09.
</para>
</listitem>
<listitem>
<para>
Platform support: x86_64-linux and x86_64-darwin since release
time (the latter isn't NixOS, really). Binaries for
aarch64-linux are available, but no channel exists yet, as
it's waiting for some test fixes, etc.
</para>
</listitem>
<listitem>
<para>
Nix now defaults to 2.0; see its
<link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.0">release
notes</link>.
</para>
</listitem>
<listitem>
<para>
Core version changes: linux: 4.9 -&gt; 4.14, glibc: 2.25 -&gt;
2.26, gcc: 6 -&gt; 7, systemd: 234 -&gt; 237.
</para>
</listitem>
<listitem>
<para>
Desktop version changes: gnome: 3.24 -&gt; 3.26, (KDE)
plasma-desktop: 5.10 -&gt; 5.12.
</para>
</listitem>
<listitem>
<para>
MariaDB 10.2, updated from 10.1, is now the default MySQL
implementation. While upgrading a few changes have been made
to the infrastructure involved:
</para>
<itemizedlist>
<listitem>
<para>
<literal>libmysql</literal> has been deprecated, please
use <literal>mysql.connector-c</literal> instead, a
compatibility passthru has been added to the MySQL
packages.
</para>
</listitem>
<listitem>
<para>
The <literal>mysql57</literal> package has a new
<literal>static</literal> output containing the static
libraries including <literal>libmysqld.a</literal>
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
PHP now defaults to PHP 7.2, updated from 7.1.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-18.03-new-services">
<title>New Services</title>
<para>
The following new services were added since the last release:
</para>
<itemizedlist>
<listitem>
<para>
<literal>./config/krb5/default.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./hardware/digitalbitbox.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./misc/label.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/ccache.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/criu.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/digitalbitbox/default.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/less.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/npm.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/plotinus.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/rootston.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/systemtap.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/sway.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/udevil.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/way-cooler.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/yabar.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/zsh/zsh-autoenv.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/backup/borgbackup.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/backup/crashplan-small-business.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/desktops/dleyna-renderer.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/desktops/dleyna-server.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/desktops/pipewire.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/desktops/gnome3/chrome-gnome-shell.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/desktops/gnome3/tracker-miners.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/hardware/fwupd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/hardware/interception-tools.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/hardware/u2f.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/hardware/usbmuxd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/mail/clamsmtp.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/mail/dkimproxy-out.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/mail/pfix-srsd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/gitea.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/home-assistant.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/ihaskell.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/logkeys.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/novacomd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/osrm.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/plexpy.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/pykms.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/tzupdate.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/monitoring/fusion-inventory.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/monitoring/prometheus/exporters.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/network-filesystems/beegfs.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/network-filesystems/davfs2.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/network-filesystems/openafs/client.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/network-filesystems/openafs/server.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/network-filesystems/ceph.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/aria2.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/monero.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/nghttpx/default.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/nixops-dns.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/rxe.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/stunnel.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/web-apps/matomo.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/web-apps/restya-board.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/web-servers/mighttpd2.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/x11/fractalart.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./system/boot/binfmt.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./system/boot/grow-partition.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./tasks/filesystems/ecryptfs.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./virtualisation/hyperv-guest.nix</literal>
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-18.03-incompatibilities">
<title>Backward Incompatibilities</title>
<para>
When upgrading from a previous release, please be aware of the
following incompatible changes:
</para>
<itemizedlist>
<listitem>
<para>
<literal>sound.enable</literal> now defaults to false.
</para>
</listitem>
<listitem>
<para>
Dollar signs in options under
<literal>services.postfix</literal> are passed verbatim to
Postfix, which will interpret them as the beginning of a
parameter expression. This was already true for string-valued
options in the previous release, but not for list-valued
options. If you need to pass literal dollar signs through
Postfix, double them.
</para>
</listitem>
<listitem>
<para>
The <literal>postage</literal> package (for web-based
PostgreSQL administration) has been renamed to
<literal>pgmanage</literal>. The corresponding module has also
been renamed. To migrate please rename all
<literal>services.postage</literal> options to
<literal>services.pgmanage</literal>.
</para>
</listitem>
<listitem>
<para>
Package attributes starting with a digit have been prefixed
with an underscore sign. This is to avoid quoting in the
configuration and other issues with command-line tools like
<literal>nix-env</literal>. The change affects the following
packages:
</para>
<itemizedlist>
<listitem>
<para>
<literal>2048-in-terminal</literal>
<literal>_2048-in-terminal</literal>
</para>
</listitem>
<listitem>
<para>
<literal>90secondportraits</literal>
<literal>_90secondportraits</literal>
</para>
</listitem>
<listitem>
<para>
<literal>2bwm</literal><literal>_2bwm</literal>
</para>
</listitem>
<listitem>
<para>
<literal>389-ds-base</literal>
<literal>_389-ds-base</literal>
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<emphasis role="strong">The OpenSSH service no longer enables
support for DSA keys by default, which could cause a system
lock out. Update your keys or, unfavorably, re-enable DSA
support manually.</emphasis>
</para>
<para>
DSA support was
<link xlink:href="https://www.openssh.com/legacy.html">deprecated
in OpenSSH 7.0</link>, due to it being too weak. To re-enable
support, add
<literal>PubkeyAcceptedKeyTypes +ssh-dss</literal> to the end
of your <literal>services.openssh.extraConfig</literal>.
</para>
<para>
After updating the keys to be stronger, anyone still on a
pre-17.03 version is safe to jump to 17.03, as vetted
<link xlink:href="https://search.nix.gsc.io/?q=stateVersion">here</link>.
</para>
</listitem>
<listitem>
<para>
The <literal>openssh</literal> package now includes Kerberos
support by default; the
<literal>openssh_with_kerberos</literal> package is now a
deprecated alias. If you do not want Kerberos support, you can
do
<literal>openssh.override { withKerberos = false; }</literal>.
Note, this also applies to the <literal>openssh_hpn</literal>
package.
</para>
</listitem>
<listitem>
<para>
<literal>cc-wrapper</literal> has been split in two; there is
now also a <literal>bintools-wrapper</literal>. The most
commonly used files in <literal>nix-support</literal> are now
split between the two wrappers. Some commonly used ones, like
<literal>nix-support/dynamic-linker</literal>, are duplicated
for backwards compatability, even though they rightly belong
only in <literal>bintools-wrapper</literal>. Other more
obscure ones are just moved.
</para>
</listitem>
<listitem>
<para>
The propagation logic has been changed. The new logic, along
with new types of dependencies that go with, is thoroughly
documented in the &quot;Specifying dependencies&quot; section
of the &quot;Standard Environment&quot; chapter of the nixpkgs
manual. The old logic isn't but is easy to describe:
dependencies were propagated as the same type of dependency no
matter what. In practice, that means that many
<literal>propagatedNativeBuildInputs</literal> should instead
be <literal>propagatedBuildInputs</literal>. Thankfully, that
was and is the least used type of dependency. Also, it means
that some <literal>propagatedBuildInputs</literal> should
instead be <literal>depsTargetTargetPropagated</literal>.
Other types dependencies should be unaffected.
</para>
</listitem>
<listitem>
<para>
<literal>lib.addPassthru drv passthru</literal> is removed.
Use <literal>lib.extendDerivation true passthru drv</literal>
instead.
</para>
</listitem>
<listitem>
<para>
The <literal>memcached</literal> service no longer accept
dynamic socket paths via
<literal>services.memcached.socket</literal>. Unix sockets can
be still enabled by
<literal>services.memcached.enableUnixSocket</literal> and
will be accessible at
<literal>/run/memcached/memcached.sock</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>hardware.amdHybridGraphics.disable</literal>
option was removed for lack of a maintainer. If you still need
this module, you may wish to include a copy of it from an
older version of nixos in your imports.
</para>
</listitem>
<listitem>
<para>
The merging of config options for
<literal>services.postfix.config</literal> was buggy.
Previously, if other options in the Postfix module like
<literal>services.postfix.useSrs</literal> were set and the
user set config options that were also set by such options,
the resulting config wouldn't include all options that were
needed. They are now merged correctly. If config options need
to be overridden, <literal>lib.mkForce</literal> or
<literal>lib.mkOverride</literal> can be used.
</para>
</listitem>
<listitem>
<para>
The following changes apply if the
<literal>stateVersion</literal> is changed to 18.03 or higher.
For <literal>stateVersion = &quot;17.09&quot;</literal> or
lower the old behavior is preserved.
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
<literal>matrix-synapse</literal> uses postgresql by
default instead of sqlite. Migration instructions can be
found
<link xlink:href="https://github.com/matrix-org/synapse/blob/master/docs/postgres.rst#porting-from-sqlite">
here </link>.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>jid</literal> package has been removed, due to
maintenance overhead of a go package having non-versioned
dependencies.
</para>
</listitem>
<listitem>
<para>
When using <literal>services.xserver.libinput</literal>
(enabled by default in GNOME), it now handles all input
devices, not just touchpads. As a result, you might need to
re-evaluate any custom Xorg configuration. In particular,
<literal>Option &quot;XkbRules&quot; &quot;base&quot;</literal>
may result in broken keyboard layout.
</para>
</listitem>
<listitem>
<para>
The <literal>attic</literal> package was removed. A maintained
fork called
<link xlink:href="https://www.borgbackup.org/">Borg</link>
should be used instead. Migration instructions can be found
<link xlink:href="http://borgbackup.readthedocs.io/en/stable/usage/upgrade.html#attic-and-borg-0-xx-to-borg-1-x">here</link>.
</para>
</listitem>
<listitem>
<para>
The Piwik analytics software was renamed to Matomo:
</para>
<itemizedlist>
<listitem>
<para>
The package <literal>pkgs.piwik</literal> was renamed to
<literal>pkgs.matomo</literal>.
</para>
</listitem>
<listitem>
<para>
The service <literal>services.piwik</literal> was renamed
to <literal>services.matomo</literal>.
</para>
</listitem>
<listitem>
<para>
The data directory <literal>/var/lib/piwik</literal> was
renamed to <literal>/var/lib/matomo</literal>. All files
will be moved automatically on first startup, but you
might need to adjust your backup scripts.
</para>
</listitem>
<listitem>
<para>
The default <literal>serverName</literal> for the nginx
configuration changed from
<literal>piwik.${config.networking.hostName}</literal> to
<literal>matomo.${config.networking.hostName}.${config.networking.domain}</literal>
if <literal>config.networking.domain</literal> is set,
<literal>matomo.${config.networking.hostName}</literal> if
it is not set. If you change your
<literal>serverName</literal>, remember you'll need to
update the <literal>trustedHosts[]</literal> array in
<literal>/var/lib/matomo/config/config.ini.php</literal>
as well.
</para>
</listitem>
<listitem>
<para>
The <literal>piwik</literal> user was renamed to
<literal>matomo</literal>. The service will adjust
ownership automatically for files in the data directory.
If you use unix socket authentication, remember to give
the new <literal>matomo</literal> user access to the
database and to change the <literal>username</literal> to
<literal>matomo</literal> in the
<literal>[database]</literal> section of
<literal>/var/lib/matomo/config/config.ini.php</literal>.
</para>
</listitem>
<listitem>
<para>
If you named your database `piwik`, you might want to
rename it to `matomo` to keep things clean, but this is
neither enforced nor required.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<literal>nodejs-4_x</literal> is end-of-life.
<literal>nodejs-4_x</literal>,
<literal>nodejs-slim-4_x</literal> and
<literal>nodePackages_4_x</literal> are removed.
</para>
</listitem>
<listitem>
<para>
The <literal>pump.io</literal> NixOS module was removed. It is
now maintained as an
<link xlink:href="https://github.com/rvl/pump.io-nixos">external
module</link>.
</para>
</listitem>
<listitem>
<para>
The Prosody XMPP server has received a major update. The
following modules were renamed:
</para>
<itemizedlist>
<listitem>
<para>
<literal>services.prosody.modules.httpserver</literal> is
now <literal>services.prosody.modules.http_files</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.prosody.modules.console</literal> is now
<literal>services.prosody.modules.admin_telnet</literal>
</para>
</listitem>
</itemizedlist>
<para>
Many new modules are now core modules, most notably
<literal>services.prosody.modules.carbons</literal> and
<literal>services.prosody.modules.mam</literal>.
</para>
<para>
The better-performing <literal>libevent</literal> backend is
now enabled by default.
</para>
<para>
<literal>withCommunityModules</literal> now passes through the
modules to <literal>services.prosody.extraModules</literal>.
Use <literal>withOnlyInstalledCommunityModules</literal> for
modules that should not be enabled directly, e.g
<literal>lib_ldap</literal>.
</para>
</listitem>
<listitem>
<para>
All prometheus exporter modules are now defined as submodules.
The exporters are configured using
<literal>services.prometheus.exporters</literal>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-18.03-notable-changes">
<title>Other Notable Changes</title>
<itemizedlist>
<listitem>
<para>
ZNC option <literal>services.znc.mutable</literal> now
defaults to <literal>true</literal>. That means that old
configuration is not overwritten by default when update to the
znc options are made.
</para>
</listitem>
<listitem>
<para>
The option
<literal>networking.wireless.networks.&lt;name&gt;.auth</literal>
has been added for wireless networks with WPA-Enterprise
authentication. There is also a new
<literal>extraConfig</literal> option to directly configure
<literal>wpa_supplicant</literal> and
<literal>hidden</literal> to connect to hidden networks.
</para>
</listitem>
<listitem>
<para>
In the module
<literal>networking.interfaces.&lt;name&gt;</literal> the
following options have been removed:
</para>
<itemizedlist>
<listitem>
<para>
<literal>ipAddress</literal>
</para>
</listitem>
<listitem>
<para>
<literal>ipv6Address</literal>
</para>
</listitem>
<listitem>
<para>
<literal>prefixLength</literal>
</para>
</listitem>
<listitem>
<para>
<literal>ipv6PrefixLength</literal>
</para>
</listitem>
<listitem>
<para>
<literal>subnetMask</literal>
</para>
</listitem>
</itemizedlist>
<para>
To assign static addresses to an interface the options
<literal>ipv4.addresses</literal> and
<literal>ipv6.addresses</literal> should be used instead. The
options <literal>ip4</literal> and <literal>ip6</literal> have
been renamed to <literal>ipv4.addresses</literal>
<literal>ipv6.addresses</literal> respectively. The new
options <literal>ipv4.routes</literal> and
<literal>ipv6.routes</literal> have been added to set up
static routing.
</para>
</listitem>
<listitem>
<para>
The option <literal>services.logstash.listenAddress</literal>
is now <literal>127.0.0.1</literal> by default. Previously the
default behaviour was to listen on all interfaces.
</para>
</listitem>
<listitem>
<para>
<literal>services.btrfs.autoScrub</literal> has been added, to
periodically check btrfs filesystems for data corruption. If
there's a correct copy available, it will automatically repair
corrupted blocks.
</para>
</listitem>
<listitem>
<para>
<literal>displayManager.lightdm.greeters.gtk.clock-format.</literal>
has been added, the clock format string (as expected by
strftime, e.g. <literal>%H:%M</literal>) to use with the
lightdm gtk greeter panel.
</para>
<para>
If set to null the default clock format is used.
</para>
</listitem>
<listitem>
<para>
<literal>displayManager.lightdm.greeters.gtk.indicators</literal>
has been added, a list of allowed indicator modules to use
with the lightdm gtk greeter panel.
</para>
<para>
Built-in indicators include <literal>~a11y</literal>,
<literal>~language</literal>, <literal>~session</literal>,
<literal>~power</literal>, <literal>~clock</literal>,
<literal>~host</literal>, <literal>~spacer</literal>. Unity
indicators can be represented by short name (e.g.
<literal>sound</literal>, <literal>power</literal>), service
file name, or absolute path.
</para>
<para>
If set to <literal>null</literal> the default indicators are
used.
</para>
<para>
In order to have the previous default configuration add
</para>
<programlisting language="bash">
{
services.xserver.displayManager.lightdm.greeters.gtk.indicators = [
&quot;~host&quot; &quot;~spacer&quot;
&quot;~clock&quot; &quot;~spacer&quot;
&quot;~session&quot;
&quot;~language&quot;
&quot;~a11y&quot;
&quot;~power&quot;
];
}
</programlisting>
<para>
to your <literal>configuration.nix</literal>.
</para>
</listitem>
<listitem>
<para>
The NixOS test driver supports user services declared by
<literal>systemd.user.services</literal>. The methods
<literal>waitForUnit</literal>,
<literal>getUnitInfo</literal>, <literal>startJob</literal>
and <literal>stopJob</literal> provide an optional
<literal>$user</literal> argument for that purpose.
</para>
</listitem>
<listitem>
<para>
Enabling bash completion on NixOS,
<literal>programs.bash.enableCompletion</literal>, will now
also enable completion for the Nix command line tools by
installing the
<link xlink:href="https://github.com/hedning/nix-bash-completions">nix-bash-completions</link>
package.
</para>
</listitem>
<listitem>
<para>
The vim/kakoune plugin updater now reads from a CSV file:
check
<literal>pkgs/applications/editors/vim/plugins/vim-plugin-names</literal>
out to see the new format
</para>
</listitem>
</itemizedlist>
</section>
</section>
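Review bot: In the list of package attributes that gained an underscore prefix (the `2048-in-terminal` through `389-ds-base` items under Backward Incompatibilities), each entry puts the old and new names in adjacent `<literal>` elements with no arrow or connecting word, and `<literal>2bwm</literal><literal>_2bwm</literal>` has no whitespace at all, so it renders as a single token. Add an explicit separator such as "is now" between the two names so the direction of the rename is unambiguous. In the same section, the DSA paragraph tells pre-17.03 users they are "safe to jump to 17.03" although these are the 18.03 notes, and its link text "here" does not say what was vetted; please confirm the intended version and describe the link target. The lightdm `indicators` example is a Nix expression but is tagged `language="bash"`.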

View file

@ -0,0 +1,941 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-18.09">
<title>Release 18.09 (<quote>Jellyfish</quote>, 2018/10/05)</title>
<section xml:id="sec-release-18.09-highlights">
<title>Highlights</title>
<para>
In addition to numerous new and upgraded packages, this release
has the following notable updates:
</para>
<itemizedlist>
<listitem>
<para>
End of support is planned for end of April 2019, handing over
to 19.03.
</para>
</listitem>
<listitem>
<para>
Platform support: x86_64-linux and x86_64-darwin as always.
Support for aarch64-linux is as with the previous releases,
not equivalent to the x86-64-linux release, but with efforts
to reach parity.
</para>
</listitem>
<listitem>
<para>
Nix has been updated to 2.1; see its
<link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.1">release
notes</link>.
</para>
</listitem>
<listitem>
<para>
Core versions: linux: 4.14 LTS (unchanged), glibc: 2.26 →
2.27, gcc: 7 (unchanged), systemd: 237 → 239.
</para>
</listitem>
<listitem>
<para>
Desktop version changes: gnome: 3.26 → 3.28, (KDE)
plasma-desktop: 5.12 → 5.13.
</para>
</listitem>
</itemizedlist>
<para>
Notable changes and additions for 18.09 include:
</para>
<itemizedlist>
<listitem>
<para>
Support for wrapping binaries using
<literal>firejail</literal> has been added through
<literal>programs.firejail.wrappedBinaries</literal>.
</para>
<para>
For example
</para>
<programlisting language="bash">
{
programs.firejail = {
enable = true;
wrappedBinaries = {
firefox = &quot;${lib.getBin pkgs.firefox}/bin/firefox&quot;;
mpv = &quot;${lib.getBin pkgs.mpv}/bin/mpv&quot;;
};
};
}
</programlisting>
<para>
This will place <literal>firefox</literal> and
<literal>mpv</literal> binaries in the global path wrapped by
firejail.
</para>
</listitem>
<listitem>
<para>
User channels are now in the default
<literal>NIX_PATH</literal>, allowing users to use their
personal <literal>nix-channel</literal> defined channels in
<literal>nix-build</literal> and <literal>nix-shell</literal>
commands, as well as in imports like
<literal>import &lt;mychannel&gt;</literal>.
</para>
<para>
For example
</para>
<programlisting>
$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgsunstable
$ nix-channel --update
$ nix-build '&lt;nixpkgsunstable&gt;' -A gitFull
$ nix run -f '&lt;nixpkgsunstable&gt;' gitFull
$ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
</programlisting>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-18.09-new-services">
<title>New Services</title>
<para>
A curated selection of new services that were added since the last
release:
</para>
<itemizedlist>
<listitem>
<para>
The <literal>services.cassandra</literal> module has been
reworked and was rewritten from scratch. The service has
succeeding tests for the versions 2.1, 2.2, 3.0 and 3.11 of
<link xlink:href="https://cassandra.apache.org/">Apache
Cassandra</link>.
</para>
</listitem>
<listitem>
<para>
There is a new <literal>services.foundationdb</literal> module
for deploying
<link xlink:href="https://www.foundationdb.org">FoundationDB</link>
clusters.
</para>
</listitem>
<listitem>
<para>
When enabled the <literal>iproute2</literal> will copy the
files expected by ip route (e.g.,
<literal>rt_tables</literal>) in
<literal>/etc/iproute2</literal>. This allows to write aliases
for routing tables for instance.
</para>
</listitem>
<listitem>
<para>
<literal>services.strongswan-swanctl</literal> is a modern
replacement for <literal>services.strongswan</literal>. You
can use either one of them to setup IPsec VPNs but not both at
the same time.
</para>
<para>
<literal>services.strongswan-swanctl</literal> uses the
<link xlink:href="https://wiki.strongswan.org/projects/strongswan/wiki/swanctl">swanctl</link>
command which uses the modern
<link xlink:href="https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md">vici</link>
<emphasis>Versatile IKE Configuration Interface</emphasis>.
The deprecated <literal>ipsec</literal> command used in
<literal>services.strongswan</literal> is using the legacy
<link xlink:href="https://github.com/strongswan/strongswan/blob/master/README_LEGACY.md">stroke
configuration interface</link>.
</para>
</listitem>
<listitem>
<para>
The new <literal>services.elasticsearch-curator</literal>
service periodically curates or manages, your Elasticsearch
indices and snapshots.
</para>
</listitem>
</itemizedlist>
<para>
Every new services:
</para>
<itemizedlist>
<listitem>
<para>
<literal>./config/xdg/autostart.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./config/xdg/icons.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./config/xdg/menus.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./config/xdg/mime.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./hardware/brightnessctl.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./hardware/onlykey.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./hardware/video/uvcvideo/default.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./misc/documentation.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/firejail.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/iftop.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/sedutil.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/singularity.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/xss-lock.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./programs/zsh/zsh-autosuggestions.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/admin/oxidized.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/backup/duplicati.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/backup/restic.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/backup/restic-rest-server.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/cluster/hadoop/default.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/databases/aerospike.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/databases/monetdb.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/desktops/bamf.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/desktops/flatpak.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/desktops/zeitgeist.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/development/bloop.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/development/jupyter/default.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/hardware/lcd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/hardware/undervolt.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/clipmenu.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/gitweb.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/serviio.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/safeeyes.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/sysprof.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/weechat.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/monitoring/datadog-agent.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/monitoring/incron.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/dnsdist.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/freeradius.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/hans.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/morty.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/ndppd.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/ocserv.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/owamp.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/quagga.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/shadowsocks.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/stubby.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/networking/zeronet.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/security/certmgr.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/security/cfssl.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/security/oauth2_proxy_nginx.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/web-apps/virtlyst.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/web-apps/youtrack.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/web-servers/hitch/default.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/web-servers/hydron.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/web-servers/meguca.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./services/web-servers/nginx/gitweb.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./virtualisation/kvmgt.nix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>./virtualisation/qemu-guest-agent.nix</literal>
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-18.09-incompatibilities">
<title>Backward Incompatibilities</title>
<para>
When upgrading from a previous release, please be aware of the
following incompatible changes:
</para>
<itemizedlist>
<listitem>
<para>
Some licenses that were incorrectly not marked as unfree now
are. This is the case for:
</para>
<itemizedlist>
<listitem>
<para>
cc-by-nc-sa-20: Creative Commons Attribution Non
Commercial Share Alike 2.0
</para>
</listitem>
<listitem>
<para>
cc-by-nc-sa-25: Creative Commons Attribution Non
Commercial Share Alike 2.5
</para>
</listitem>
<listitem>
<para>
cc-by-nc-sa-30: Creative Commons Attribution Non
Commercial Share Alike 3.0
</para>
</listitem>
<listitem>
<para>
cc-by-nc-sa-40: Creative Commons Attribution Non
Commercial Share Alike 4.0
</para>
</listitem>
<listitem>
<para>
cc-by-nd-30: Creative Commons Attribution-No Derivative
Works v3.00
</para>
</listitem>
<listitem>
<para>
msrla: Microsoft Research License Agreement
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The deprecated <literal>services.cassandra</literal> module
has seen a complete rewrite. (See above.)
</para>
</listitem>
<listitem>
<para>
<literal>lib.strict</literal> is removed. Use
<literal>builtins.seq</literal> instead.
</para>
</listitem>
<listitem>
<para>
The <literal>clementine</literal> package points now to the
free derivation. <literal>clementineFree</literal> is removed
now and <literal>clementineUnfree</literal> points to the
package which is bundled with the unfree
<literal>libspotify</literal> package.
</para>
</listitem>
<listitem>
<para>
The <literal>netcat</literal> package is now taken directly
from OpenBSD's <literal>libressl</literal>, instead of relying
on Debian's fork. The new version should be very close to the
old version, but there are some minor differences.
Importantly, flags like -b, -q, -C, and -Z are no longer
accepted by the nc command.
</para>
</listitem>
<listitem>
<para>
The <literal>services.docker-registry.extraConfig</literal>
object doesn't contain environment variables anymore. Instead
it needs to provide an object structure that can be mapped
onto the YAML configuration defined in
<link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the
<literal>docker/distribution</literal> docs</link>.
</para>
</listitem>
<listitem>
<para>
<literal>gnucash</literal> has changed from version 2.4 to
3.x. If you've been using <literal>gnucash</literal> (version
2.4) instead of <literal>gnucash26</literal> (version 2.6) you
must open your Gnucash data file(s) with
<literal>gnucash26</literal> and then save them to upgrade the
file format. Then you may use your data file(s) with Gnucash
3.x. See the upgrade
<link xlink:href="https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade">documentation</link>.
Gnucash 2.4 is still available under the attribute
<literal>gnucash24</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>services.munge</literal> now runs as user (and group)
<literal>munge</literal> instead of root. Make sure the key
file is accessible to the daemon.
</para>
</listitem>
<listitem>
<para>
<literal>dockerTools.buildImage</literal> now uses
<literal>null</literal> as default value for
<literal>tag</literal>, which indicates that the nix output
hash will be used as tag.
</para>
</listitem>
<listitem>
<para>
The ELK stack: <literal>elasticsearch</literal>,
<literal>logstash</literal> and <literal>kibana</literal> has
been upgraded from 2.* to 6.3.*. The 2.* versions have been
<link xlink:href="https://www.elastic.co/support/eol">unsupported
since last year</link> so they have been removed. You can
still use the 5.* versions under the names
<literal>elasticsearch5</literal>,
<literal>logstash5</literal> and <literal>kibana5</literal>.
</para>
<para>
The elastic beats: <literal>filebeat</literal>,
<literal>heartbeat</literal>, <literal>metricbeat</literal>
and <literal>packetbeat</literal> have had the same treatment:
they now target 6.3.* as well. The 5.* versions are available
under the names: <literal>filebeat5</literal>,
<literal>heartbeat5</literal>, <literal>metricbeat5</literal>
and <literal>packetbeat5</literal>
</para>
<para>
The ELK-6.3 stack now comes with
<link xlink:href="https://www.elastic.co/products/x-pack/open">X-Pack
by default</link>. Since X-Pack is licensed under the
<link xlink:href="https://github.com/elastic/elasticsearch/blob/master/licenses/ELASTIC-LICENSE.txt">Elastic
License</link> the ELK packages now have an unfree license. To
use them you need to specify
<literal>allowUnfree = true;</literal> in your nixpkgs
configuration.
</para>
<para>
Fortunately there is also a free variant of the ELK stack
without X-Pack. The packages are available under the names:
<literal>elasticsearch-oss</literal>,
<literal>logstash-oss</literal> and
<literal>kibana-oss</literal>.
</para>
</listitem>
<listitem>
<para>
Options
<literal>boot.initrd.luks.devices.name.yubikey.ramfsMountPoint</literal>
<literal>boot.initrd.luks.devices.name.yubikey.storage.mountPoint</literal>
were removed. <literal>luksroot.nix</literal> module never
supported more than one YubiKey at a time anyway, hence those
options never had any effect. You should be able to remove
them from your config without any issues.
</para>
</listitem>
<listitem>
<para>
<literal>stdenv.system</literal> and <literal>system</literal>
in nixpkgs now refer to the host platform instead of the build
platform. For native builds this is not change, let alone a
breaking one. For cross builds, it is a breaking change, and
<literal>stdenv.buildPlatform.system</literal> can be used
instead for the old behavior. They should be using that
anyways for clarity.
</para>
</listitem>
<listitem>
<para>
Groups <literal>kvm</literal> and <literal>render</literal>
are introduced now, as systemd requires them.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-18.09-notable-changes">
<title>Other Notable Changes</title>
<itemizedlist>
<listitem>
<para>
<literal>dockerTools.pullImage</literal> relies on image
digest instead of image tag to download the image. The
<literal>sha256</literal> of a pulled image has to be updated.
</para>
</listitem>
<listitem>
<para>
<literal>lib.attrNamesToStr</literal> has been deprecated. Use
more specific concatenation
(<literal>lib.concat(Map)StringsSep</literal>) instead.
</para>
</listitem>
<listitem>
<para>
<literal>lib.addErrorContextToAttrs</literal> has been
deprecated. Use <literal>builtins.addErrorContext</literal>
directly.
</para>
</listitem>
<listitem>
<para>
<literal>lib.showVal</literal> has been deprecated. Use
<literal>lib.traceSeqN</literal> instead.
</para>
</listitem>
<listitem>
<para>
<literal>lib.traceXMLVal</literal> has been deprecated. Use
<literal>lib.traceValFn builtins.toXml</literal> instead.
</para>
</listitem>
<listitem>
<para>
<literal>lib.traceXMLValMarked</literal> has been deprecated.
Use
<literal>lib.traceValFn (x: str + builtins.toXML x)</literal>
instead.
</para>
</listitem>
<listitem>
<para>
The <literal>pkgs</literal> argument to NixOS modules can now
be set directly using <literal>nixpkgs.pkgs</literal>.
Previously, only the <literal>system</literal>,
<literal>config</literal> and <literal>overlays</literal>
arguments could be used to influence <literal>pkgs</literal>.
</para>
</listitem>
<listitem>
<para>
A NixOS system can now be constructed more easily based on a
preexisting invocation of Nixpkgs. For example:
</para>
<programlisting language="bash">
{
inherit (pkgs.nixos {
boot.loader.grub.enable = false;
fileSystems.&quot;/&quot;.device = &quot;/dev/xvda1&quot;;
}) toplevel kernel initialRamdisk manual;
}
</programlisting>
<para>
This benefits evaluation performance, lets you write Nixpkgs
packages that depend on NixOS images and is consistent with a
deployment architecture that would be centered around Nixpkgs
overlays.
</para>
</listitem>
<listitem>
<para>
<literal>lib.traceValIfNot</literal> has been deprecated. Use
<literal>if/then/else</literal> and
<literal>lib.traceValSeq</literal> instead.
</para>
</listitem>
<listitem>
<para>
<literal>lib.traceCallXml</literal> has been deprecated.
Please complain if you use the function regularly.
</para>
</listitem>
<listitem>
<para>
The attribute <literal>lib.nixpkgsVersion</literal> has been
deprecated in favor of <literal>lib.version</literal>. Please
refer to the discussion in
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/39416#discussion_r183845745">NixOS/nixpkgs#39416</link>
for further reference.
</para>
</listitem>
<listitem>
<para>
<literal>lib.recursiveUpdateUntil</literal> was not acting
according to its specification. It has been fixed to act
according to the docstring, and a test has been added.
</para>
</listitem>
<listitem>
<para>
The module for <literal>security.dhparams</literal> has two
new options now:
</para>
<variablelist>
<varlistentry>
<term>
<literal>security.dhparams.stateless</literal>
</term>
<listitem>
<para>
Puts the generated Diffie-Hellman parameters into the
Nix store instead of managing them in a stateful manner
in <literal>/var/lib/dhparams</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<literal>security.dhparams.defaultBitSize</literal>
</term>
<listitem>
<para>
The default bit size to use for the generated
Diffie-Hellman parameters.
</para>
</listitem>
</varlistentry>
</variablelist>
<note>
<para>
The path to the actual generated parameter files should now
be queried using
<literal>config.security.dhparams.params.name.path</literal>
because it might be either in the Nix store or in a
directory configured by
<literal>security.dhparams.path</literal>.
</para>
</note>
<note>
<para>
<emphasis role="strong">For developers:</emphasis>
</para>
<para>
Module implementers should not set a specific bit size in
order to let users configure it by themselves if they want
to have a different bit size than the default (2048).
</para>
<para>
An example usage of this would be:
</para>
<programlisting language="bash">
{ config, ... }:
{
security.dhparams.params.myservice = {};
environment.etc.&quot;myservice.conf&quot;.text = ''
dhparams = ${config.security.dhparams.params.myservice.path}
'';
}
</programlisting>
</note>
</listitem>
<listitem>
<para>
<literal>networking.networkmanager.useDnsmasq</literal> has
been deprecated. Use
<literal>networking.networkmanager.dns</literal> instead.
</para>
</listitem>
<listitem>
<para>
The Kubernetes package has been bumped to major version 1.11.
Please consult the
<link xlink:href="https://github.com/kubernetes/kubernetes/blob/release-1.11/CHANGELOG-1.11.md">release
notes</link> for details on new features and api changes.
</para>
</listitem>
<listitem>
<para>
The option
<literal>services.kubernetes.apiserver.admissionControl</literal>
was renamed to
<literal>services.kubernetes.apiserver.enableAdmissionPlugins</literal>.
</para>
</listitem>
<listitem>
<para>
Recommended way to access the Kubernetes Dashboard is via
HTTPS (TLS) Therefore; public service port for the dashboard
has changed to 443 (container port 8443) and scheme to https.
</para>
</listitem>
<listitem>
<para>
The option
<literal>services.kubernetes.apiserver.address</literal> was
renamed to
<literal>services.kubernetes.apiserver.bindAddress</literal>.
Note that the default value has changed from 127.0.0.1 to
0.0.0.0.
</para>
</listitem>
<listitem>
<para>
The option
<literal>services.kubernetes.apiserver.publicAddress</literal>
was not used and thus has been removed.
</para>
</listitem>
<listitem>
<para>
The option
<literal>services.kubernetes.addons.dashboard.enableRBAC</literal>
was renamed to
<literal>services.kubernetes.addons.dashboard.rbac.enable</literal>.
</para>
</listitem>
<listitem>
<para>
The Kubernetes Dashboard now has only minimal RBAC permissions
by default. If dashboard cluster-admin rights are desired, set
<literal>services.kubernetes.addons.dashboard.rbac.clusterAdmin</literal>
to true. On existing clusters, in order for the revocation of
privileges to take effect, the current ClusterRoleBinding for
kubernetes-dashboard must be manually removed:
<literal>kubectl delete clusterrolebinding kubernetes-dashboard</literal>
</para>
</listitem>
<listitem>
<para>
The <literal>programs.screen</literal> module provides allows
to configure <literal>/etc/screenrc</literal>, however the
module behaved fairly counterintuitive as the config exists,
but the package wasn't available. Since 18.09
<literal>pkgs.screen</literal> will be added to
<literal>environment.systemPackages</literal>.
</para>
</listitem>
<listitem>
<para>
The module <literal>services.networking.hostapd</literal> now
uses WPA2 by default.
</para>
</listitem>
<listitem>
<para>
<literal>s6Dns</literal>, <literal>s6Networking</literal>,
<literal>s6LinuxUtils</literal> and
<literal>s6PortableUtils</literal> renamed to
<literal>s6-dns</literal>, <literal>s6-networking</literal>,
<literal>s6-linux-utils</literal> and
<literal>s6-portable-utils</literal> respectively.
</para>
</listitem>
<listitem>
<para>
The module option <literal>nix.useSandbox</literal> is now
defaulted to <literal>true</literal>.
</para>
</listitem>
<listitem>
<para>
The config activation script of
<literal>nixos-rebuild</literal> now
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemctl.html#Manager%20Lifecycle%20Commands">reloads</link>
all user units for each authenticated user.
</para>
</listitem>
<listitem>
<para>
The default display manager is now LightDM. To use SLiM set
<literal>services.xserver.displayManager.slim.enable</literal>
to <literal>true</literal>.
</para>
</listitem>
<listitem>
<para>
NixOS option descriptions are now automatically broken up into
individual paragraphs if the text contains two consecutive
newlines, so it's no longer necessary to use
<literal>&lt;/para&gt;&lt;para&gt;</literal> to start a new
paragraph.
</para>
</listitem>
<listitem>
<para>
Top-level <literal>buildPlatform</literal>,
<literal>hostPlatform</literal>, and
<literal>targetPlatform</literal> in Nixpkgs are deprecated.
Please use their equivalents in <literal>stdenv</literal>
instead: <literal>stdenv.buildPlatform</literal>,
<literal>stdenv.hostPlatform</literal>, and
<literal>stdenv.targetPlatform</literal>.
</para>
</listitem>
</itemizedlist>
</section>
</section>
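Review bot: The change of the Kubernetes apiserver default address from 127.0.0.1 to 0.0.0.0 appears only as a trailing "Note that" on the services.kubernetes.apiserver.address rename entry under Other Notable Changes. It widens where the API server listens after an upgrade, so it should get its own entry under Backward Incompatibilities, stating that services.kubernetes.apiserver.bindAddress can be set to 127.0.0.1 to keep the old behaviour. Two smaller points in the same section: the lib.traceXMLVal entry names the replacement builtins.toXml while the following entry uses builtins.toXML, so one of the two spellings is a typo; and the yubikey entry lists its two removed options with no "and" or comma between them. Wording to fix while here: "Every new services:", "this is not change", "provides allows to configure", and "HTTPS (TLS) Therefore; public service port".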

View file

@ -0,0 +1,790 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-19.03">
<title>Release 19.03 (<quote>Koi</quote>, 2019/04/11)</title>
<section xml:id="sec-release-19.03-highlights">
<title>Highlights</title>
<para>
In addition to numerous new and upgraded packages, this release
has the following highlights:
</para>
<itemizedlist>
<listitem>
<para>
End of support is planned for end of October 2019, handing
over to 19.09.
</para>
</listitem>
<listitem>
<para>
The default Python 3 interpreter is now CPython 3.7 instead of
CPython 3.6.
</para>
</listitem>
<listitem>
<para>
Added the Pantheon desktop environment. It can be enabled
through
<literal>services.xserver.desktopManager.pantheon.enable</literal>.
</para>
<note>
<para>
By default,
<literal>services.xserver.desktopManager.pantheon</literal>
enables LightDM as a display manager, as pantheon's screen
locking implementation relies on it. Because of that it is
recommended to leave LightDM enabled. If you'd like to
disable it anyway, set
<literal>services.xserver.displayManager.lightdm.enable</literal>
to <literal>false</literal> and enable your preferred
display manager.
</para>
</note>
<para>
Also note that Pantheon's LightDM greeter is not enabled by
default, because it has numerous issues in NixOS and isn't
optimal for use here yet.
</para>
</listitem>
<listitem>
<para>
A major refactoring of the Kubernetes module has been
completed. Refactorings primarily focus on decoupling
components and enhancing security. Two-way TLS and RBAC has
been enabled by default for all components, which slightly
changes the way the module is configured. See:
<xref linkend="sec-kubernetes" /> for details.
</para>
</listitem>
<listitem>
<para>
There is now a set of <literal>confinement</literal> options
for <literal>systemd.services</literal>, which allows to
restrict services into a chroot 2 ed environment that only
contains the store paths from the runtime closure of the
service.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-19.03-new-services">
<title>New Services</title>
<para>
The following new services were added since the last release:
</para>
<itemizedlist>
<listitem>
<para>
<literal>./programs/nm-applet.nix</literal>
</para>
</listitem>
<listitem>
<para>
There is a new <literal>security.googleOsLogin</literal>
module for using
<link xlink:href="https://cloud.google.com/compute/docs/instances/managing-instance-access">OS
Login</link> to manage SSH access to Google Compute Engine
instances, which supersedes the imperative and broken
<literal>google-accounts-daemon</literal> used in
<literal>nixos/modules/virtualisation/google-compute-config.nix</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>./services/misc/beanstalkd.nix</literal>
</para>
</listitem>
<listitem>
<para>
There is a new <literal>services.cockroachdb</literal> module
for running CockroachDB databases. NixOS now ships with
CockroachDB 2.1.x as well, available on
<literal>x86_64-linux</literal> and
<literal>aarch64-linux</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>./security/duosec.nix</literal>
</para>
</listitem>
<listitem>
<para>
The <link xlink:href="https://duo.com/docs/duounix">PAM module
for Duo Security</link> has been enabled for use. One can
configure it using the <literal>security.duosec</literal>
options along with the corresponding PAM option in
<literal>security.pam.services.&lt;name?&gt;.duoSecurity.enable</literal>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-19.03-incompatibilities">
<title>Backward Incompatibilities</title>
<para>
When upgrading from a previous release, please be aware of the
following incompatible changes:
</para>
<itemizedlist>
<listitem>
<para>
The minimum version of Nix required to evaluate Nixpkgs is now
2.0.
</para>
<itemizedlist>
<listitem>
<para>
For users of NixOS 18.03 and 19.03, NixOS defaults to Nix
2.0, but supports using Nix 1.11 by setting
<literal>nix.package = pkgs.nix1;</literal>. If this
option is set to a Nix 1.11 package, you will need to
either unset the option or upgrade it to Nix 2.0.
</para>
</listitem>
<listitem>
<para>
For users of NixOS 17.09, you will first need to upgrade
Nix by setting
<literal>nix.package = pkgs.nixStable2;</literal> and run
<literal>nixos-rebuild switch</literal> as the
<literal>root</literal> user.
</para>
</listitem>
<listitem>
<para>
For users of a daemon-less Nix installation on Linux or
macOS, you can upgrade Nix by running
<literal>curl -L https://nixos.org/nix/install | sh</literal>,
or prior to doing a channel update, running
<literal>nix-env -iA nix</literal>. If you have already
run a channel update and Nix is no longer able to evaluate
Nixpkgs, the error message printed should provide adequate
directions for upgrading Nix.
</para>
</listitem>
<listitem>
<para>
For users of the Nix daemon on macOS, you can upgrade Nix
by running
<literal>sudo -i sh -c 'nix-channel --update &amp;&amp; nix-env -iA nixpkgs.nix'; sudo launchctl stop org.nixos.nix-daemon; sudo launchctl start org.nixos.nix-daemon</literal>.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>buildPythonPackage</literal> function now sets
<literal>strictDeps = true</literal> to help distinguish
between native and non-native dependencies in order to improve
cross-compilation compatibility. Note however that this may
break user expressions.
</para>
</listitem>
<listitem>
<para>
The <literal>buildPythonPackage</literal> function now sets
<literal>LANG = C.UTF-8</literal> to enable Unicode support.
The <literal>glibcLocales</literal> package is no longer
needed as a build input.
</para>
</listitem>
<listitem>
<para>
The Syncthing state and configuration data has been moved from
<literal>services.syncthing.dataDir</literal> to the newly
defined <literal>services.syncthing.configDir</literal>, which
default to
<literal>/var/lib/syncthing/.config/syncthing</literal>. This
change makes possible to share synced directories using ACLs
without Syncthing resetting the permission on every start.
</para>
</listitem>
<listitem>
<para>
The <literal>ntp</literal> module now has sane default
restrictions. If you're relying on the previous defaults,
which permitted all queries and commands from all
firewall-permitted sources, you can set
<literal>services.ntp.restrictDefault</literal> and
<literal>services.ntp.restrictSource</literal> to
<literal>[]</literal>.
</para>
</listitem>
<listitem>
<para>
Package <literal>rabbitmq_server</literal> is renamed to
<literal>rabbitmq-server</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>light</literal> module no longer uses setuid
binaries, but udev rules. As a consequence users of that
module have to belong to the <literal>video</literal> group in
order to use the executable (i.e.
<literal>users.users.yourusername.extraGroups = [&quot;video&quot;];</literal>).
</para>
</listitem>
<listitem>
<para>
Buildbot now supports Python 3 and its packages have been
moved to <literal>pythonPackages</literal>. The options
<literal>services.buildbot-master.package</literal> and
<literal>services.buildbot-worker.package</literal> can be
used to select the Python 2 or 3 version of the package.
</para>
</listitem>
<listitem>
<para>
Options
<literal>services.znc.confOptions.networks.name.userName</literal>
and
<literal>services.znc.confOptions.networks.name.modulePackages</literal>
were removed. They were never used for anything and can
therefore safely be removed.
</para>
</listitem>
<listitem>
<para>
Package <literal>wasm</literal> has been renamed
<literal>proglodyte-wasm</literal>. The package
<literal>wasm</literal> will be pointed to
<literal>ocamlPackages.wasm</literal> in 19.09, so make sure
to update your configuration if you want to keep
<literal>proglodyte-wasm</literal>
</para>
</listitem>
<listitem>
<para>
When the <literal>nixpkgs.pkgs</literal> option is set, NixOS
will no longer ignore the <literal>nixpkgs.overlays</literal>
option. The old behavior can be recovered by setting
<literal>nixpkgs.overlays = lib.mkForce [];</literal>.
</para>
</listitem>
<listitem>
<para>
OpenSMTPD has been upgraded to version 6.4.0p1. This release
makes backwards-incompatible changes to the configuration file
format. See <literal>man smtpd.conf</literal> for more
information on the new file format.
</para>
</listitem>
<listitem>
<para>
The versioned <literal>postgresql</literal> have been renamed
to use underscore number seperators. For example,
<literal>postgresql96</literal> has been renamed to
<literal>postgresql_9_6</literal>.
</para>
</listitem>
<listitem>
<para>
Package <literal>consul-ui</literal> and passthrough
<literal>consul.ui</literal> have been removed. The package
<literal>consul</literal> now uses upstream releases that
vendor the UI into the binary. See
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/48714#issuecomment-433454834">#48714</link>
for details.
</para>
</listitem>
<listitem>
<para>
Slurm introduces the new option
<literal>services.slurm.stateSaveLocation</literal>, which is
now set to <literal>/var/spool/slurm</literal> by default
(instead of <literal>/var/spool</literal>). Make sure to move
all files to the new directory or to set the option
accordingly.
</para>
<para>
The slurmctld now runs as user <literal>slurm</literal>
instead of <literal>root</literal>. If you want to keep
slurmctld running as <literal>root</literal>, set
<literal>services.slurm.user = root</literal>.
</para>
<para>
The options <literal>services.slurm.nodeName</literal> and
<literal>services.slurm.partitionName</literal> are now sets
of strings to correctly reflect that fact that each of these
options can occour more than once in the configuration.
</para>
</listitem>
<listitem>
<para>
The <literal>solr</literal> package has been upgraded from
4.10.3 to 7.5.0 and has undergone some major changes. The
<literal>services.solr</literal> module has been updated to
reflect these changes. Please review
http://lucene.apache.org/solr/ carefully before upgrading.
</para>
</listitem>
<listitem>
<para>
Package <literal>ckb</literal> is renamed to
<literal>ckb-next</literal>, and options
<literal>hardware.ckb.*</literal> are renamed to
<literal>hardware.ckb-next.*</literal>.
</para>
</listitem>
<listitem>
<para>
The option
<literal>services.xserver.displayManager.job.logToFile</literal>
which was previously set to <literal>true</literal> when using
the display managers <literal>lightdm</literal>,
<literal>sddm</literal> or <literal>xpra</literal> has been
reset to the default value (<literal>false</literal>).
</para>
</listitem>
<listitem>
<para>
Network interface indiscriminate NixOS firewall options
(<literal>networking.firewall.allow*</literal>) are now
preserved when also setting interface specific rules such as
<literal>networking.firewall.interfaces.en0.allow*</literal>.
These rules continue to use the pseudo device
&quot;default&quot;
(<literal>networking.firewall.interfaces.default.*</literal>),
and assigning to this pseudo device will override the
(<literal>networking.firewall.allow*</literal>) options.
</para>
</listitem>
<listitem>
<para>
The <literal>nscd</literal> service now disables all caching
of <literal>passwd</literal> and <literal>group</literal>
databases by default. This was interferring with the correct
functioning of the <literal>libnss_systemd.so</literal> module
which is used by <literal>systemd</literal> to manage uids and
usernames in the presence of <literal>DynamicUser=</literal>
in systemd services. This was already the default behaviour in
presence of <literal>services.sssd.enable = true</literal>
because nscd caching would interfere with
<literal>sssd</literal> in unpredictable ways as well. Because
we're using nscd not for caching, but for convincing glibc to
find NSS modules in the nix store instead of an absolute path,
we have decided to disable caching globally now, as it's
usually not the behaviour the user wants and can lead to
surprising behaviour. Furthermore, negative caching of host
lookups is also disabled now by default. This should fix the
issue of dns lookups failing in the presence of an unreliable
network.
</para>
<para>
If the old behaviour is desired, this can be restored by
setting the <literal>services.nscd.config</literal> option
with the desired caching parameters.
</para>
<programlisting language="bash">
{
services.nscd.config =
''
server-user nscd
threads 1
paranoia no
debug-level 0
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd no
shared passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group no
shared group yes
enable-cache hosts yes
positive-time-to-live hosts 600
negative-time-to-live hosts 5
suggested-size hosts 211
check-files hosts yes
persistent hosts no
shared hosts yes
'';
}
</programlisting>
<para>
See
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link>
for details.
</para>
</listitem>
<listitem>
<para>
GitLab Shell previously used the nix store paths for the
<literal>gitlab-shell</literal> command in its
<literal>authorized_keys</literal> file, which might stop
working after garbage collection. To circumvent that, we
regenerated that file on each startup. As
<literal>gitlab-shell</literal> has now been changed to use
<literal>/var/run/current-system/sw/bin/gitlab-shell</literal>,
this is not necessary anymore, but there might be leftover
lines with a nix store path. Regenerate the
<literal>authorized_keys</literal> file via
<literal>sudo -u git -H gitlab-rake gitlab:shell:setup</literal>
in that case.
</para>
</listitem>
<listitem>
<para>
The <literal>pam_unix</literal> account module is now loaded
with its control field set to <literal>required</literal>
instead of <literal>sufficient</literal>, so that later PAM
account modules that might do more extensive checks are being
executed. Previously, the whole account module verification
was exited prematurely in case a nss module provided the
account name to <literal>pam_unix</literal>. The LDAP and SSSD
NixOS modules already add their NSS modules when enabled. In
case your setup breaks due to some later PAM account module
previosuly shadowed, or failing NSS lookups, please file a
bug. You can get back the old behaviour by manually setting
<literal>security.pam.services.&lt;name?&gt;.text</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>pam_unix</literal> password module is now loaded
with its control field set to <literal>sufficient</literal>
instead of <literal>required</literal>, so that password
managed only by later PAM password modules are being executed.
Previously, for example, changing an LDAP account's password
through PAM was not possible: the whole password module
verification was exited prematurely by
<literal>pam_unix</literal>, preventing
<literal>pam_ldap</literal> to manage the password as it
should.
</para>
</listitem>
<listitem>
<para>
<literal>fish</literal> has been upgraded to 3.0. It comes
with a number of improvements and backwards incompatible
changes. See the <literal>fish</literal>
<link xlink:href="https://github.com/fish-shell/fish-shell/releases/tag/3.0.0">release
notes</link> for more information.
</para>
</listitem>
<listitem>
<para>
The ibus-table input method has had a change in config format,
which causes all previous settings to be lost. See
<link xlink:href="https://github.com/mike-fabian/ibus-table/commit/f9195f877c5212fef0dfa446acb328c45ba5852b">this
commit message</link> for details.
</para>
</listitem>
<listitem>
<para>
NixOS module system type <literal>types.optionSet</literal>
and <literal>lib.mkOption</literal> argument
<literal>options</literal> are deprecated. Use
<literal>types.submodule</literal> instead.
(<link xlink:href="https://github.com/NixOS/nixpkgs/pull/54637">#54637</link>)
</para>
</listitem>
<listitem>
<para>
<literal>matrix-synapse</literal> has been updated to version
0.99. It will
<link xlink:href="https://github.com/matrix-org/synapse/pull/4509">no
longer generate a self-signed certificate on first
launch</link> and will be
<link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the
last version to accept self-signed certificates</link>. As
such, it is now recommended to use a proper certificate
verified by a root CA (for example Let's Encrypt). The new
<link linkend="module-services-matrix">manual chapter on
Matrix</link> contains a working example of using nginx as a
reverse proxy in front of <literal>matrix-synapse</literal>,
using Let's Encrypt certificates.
</para>
</listitem>
<listitem>
<para>
<literal>mailutils</literal> now works by default when
<literal>sendmail</literal> is not in a setuid wrapper. As a
consequence, the <literal>sendmailPath</literal> argument,
having lost its main use, has been removed.
</para>
</listitem>
<listitem>
<para>
<literal>graylog</literal> has been upgraded from version 2.*
to 3.*. Some setups making use of extraConfig (especially
those exposing Graylog via reverse proxies) need to be updated
as upstream removed/replaced some settings. See
<link xlink:href="http://docs.graylog.org/en/3.0/pages/upgrade/graylog-3.0.html#simplified-http-interface-configuration">Upgrading
Graylog</link> for details.
</para>
</listitem>
<listitem>
<para>
The option <literal>users.ldap.bind.password</literal> was
renamed to <literal>users.ldap.bind.passwordFile</literal>,
and needs to be readable by the <literal>nslcd</literal> user.
Same applies to the new
<literal>users.ldap.daemon.rootpwmodpwFile</literal> option.
</para>
</listitem>
<listitem>
<para>
<literal>nodejs-6_x</literal> is end-of-life.
<literal>nodejs-6_x</literal>,
<literal>nodejs-slim-6_x</literal> and
<literal>nodePackages_6_x</literal> are removed.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-19.03-notable-changes">
<title>Other Notable Changes</title>
<itemizedlist>
<listitem>
<para>
The <literal>services.matomo</literal> module gained the
option <literal>services.matomo.package</literal> which
determines the used Matomo version.
</para>
<para>
The Matomo module now also comes with the systemd service
<literal>matomo-archive-processing.service</literal> and a
timer that automatically triggers archive processing every
hour. This means that you can safely
<link xlink:href="https://matomo.org/docs/setup-auto-archiving/#disable-browser-triggers-for-matomo-archiving-and-limit-matomo-reports-to-updating-every-hour">
disable browser triggers for Matomo archiving </link> at
<literal>Administration &gt; System &gt; General Settings</literal>.
</para>
<para>
Additionally, you can enable to
<link xlink:href="https://matomo.org/docs/privacy/#step-2-delete-old-visitors-logs">
delete old visitor logs </link> at
<literal>Administration &gt; System &gt; Privacy</literal>,
but make sure that you run
<literal>systemctl start matomo-archive-processing.service</literal>
at least once without errors if you have already collected
data before, so that the reports get archived before the
source data gets deleted.
</para>
</listitem>
<listitem>
<para>
<literal>composableDerivation</literal> along with supporting
library functions has been removed.
</para>
</listitem>
<listitem>
<para>
The deprecated <literal>truecrypt</literal> package has been
removed and <literal>truecrypt</literal> attribute is now an
alias for <literal>veracrypt</literal>. VeraCrypt is
backward-compatible with TrueCrypt volumes. Note that
<literal>cryptsetup</literal> also supports loading TrueCrypt
volumes.
</para>
</listitem>
<listitem>
<para>
The Kubernetes DNS addons, kube-dns, has been replaced with
CoreDNS. This change is made in accordance with Kubernetes
making CoreDNS the official default starting from
<link xlink:href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.11.md#sig-cluster-lifecycle">Kubernetes
v1.11</link>. Please beware that upgrading DNS-addon on
existing clusters might induce minor downtime while the
DNS-addon terminates and re-initializes. Also note that the
DNS-service now runs with 2 pod replicas by default. The
desired number of replicas can be configured using:
<literal>services.kubernetes.addons.dns.replicas</literal>.
</para>
</listitem>
<listitem>
<para>
The quassel-webserver package and module was removed from
nixpkgs due to the lack of maintainers.
</para>
</listitem>
<listitem>
<para>
The manual gained a <link linkend="module-services-matrix">
new chapter on self-hosting <literal>matrix-synapse</literal>
and <literal>riot-web</literal> </link>, the most prevalent
server and client implementations for the
<link xlink:href="https://matrix.org/">Matrix</link> federated
communication network.
</para>
</listitem>
<listitem>
<para>
The astah-community package was removed from nixpkgs due to it
being discontinued and the downloads not being available
anymore.
</para>
</listitem>
<listitem>
<para>
The httpd service now saves log files with a .log file
extension by default for easier integration with the logrotate
service.
</para>
</listitem>
<listitem>
<para>
The owncloud server packages and httpd subservice module were
removed from nixpkgs due to the lack of maintainers.
</para>
</listitem>
<listitem>
<para>
It is possible now to uze ZRAM devices as general purpose
ephemeral block devices, not only as swap. Using more than 1
device as ZRAM swap is no longer recommended, but is still
possible by setting <literal>zramSwap.swapDevices</literal>
explicitly.
</para>
<para>
ZRAM algorithm can be changed now.
</para>
<para>
Changes to ZRAM algorithm are applied during
<literal>nixos-rebuild switch</literal>, so make sure you have
enough swap space on disk to survive ZRAM device rebuild.
Alternatively, use
<literal>nixos-rebuild boot; reboot</literal>.
</para>
</listitem>
<listitem>
<para>
Flat volumes are now disabled by default in
<literal>hardware.pulseaudio</literal>. This has been done to
prevent applications, which are unaware of this feature,
setting their volumes to 100% on startup causing harm to your
audio hardware and potentially your ears.
</para>
<note>
<para>
With this change application specific volumes are relative
to the master volume which can be adjusted independently,
whereas before they were absolute; meaning that in effect,
it scaled the device-volume with the volume of the loudest
application.
</para>
</note>
</listitem>
<listitem>
<para>
The
<link xlink:href="https://github.com/DanielAdolfsson/ndppd"><literal>ndppd</literal></link>
module now supports
<link xlink:href="options.html#opt-services.ndppd.enable">all
config options</link> provided by the current upstream version
as service options. Additionally the <literal>ndppd</literal>
package doesn't contain the systemd unit configuration from
upstream anymore, the unit is completely configured by the
NixOS module now.
</para>
</listitem>
<listitem>
<para>
New installs of NixOS will default to the Redmine 4.x series
unless otherwise specified in
<literal>services.redmine.package</literal> while existing
installs of NixOS will default to the Redmine 3.x series.
</para>
</listitem>
<listitem>
<para>
The
<link xlink:href="options.html#opt-services.grafana.enable">Grafana
module</link> now supports declarative
<link xlink:href="http://docs.grafana.org/administration/provisioning/">datasource
and dashboard</link> provisioning.
</para>
</listitem>
<listitem>
<para>
The use of insecure ports on kubernetes has been deprecated.
Thus options:
<literal>services.kubernetes.apiserver.port</literal> and
<literal>services.kubernetes.controllerManager.port</literal>
has been renamed to <literal>.insecurePort</literal>, and
default of both options has changed to 0 (disabled).
</para>
</listitem>
<listitem>
<para>
Note that the default value of
<literal>services.kubernetes.apiserver.bindAddress</literal>
has changed from 127.0.0.1 to 0.0.0.0, allowing the apiserver
to be accessible from outside the master node itself. If the
apiserver insecurePort is enabled, it is strongly recommended
to only bind on the loopback interface. See:
<literal>services.kubernetes.apiserver.insecurebindAddress</literal>.
</para>
</listitem>
<listitem>
<para>
The option
<literal>services.kubernetes.apiserver.allowPrivileged</literal>
and
<literal>services.kubernetes.kubelet.allowPrivileged</literal>
now defaults to false. Disallowing privileged containers on
the cluster.
</para>
</listitem>
<listitem>
<para>
The kubernetes module does no longer add the kubernetes
package to <literal>environment.systemPackages</literal>
implicitly.
</para>
</listitem>
<listitem>
<para>
The <literal>intel</literal> driver has been removed from the
default list of
<link xlink:href="options.html#opt-services.xserver.videoDrivers">X.org
video drivers</link>. The <literal>modesetting</literal>
driver should take over automatically, it is better maintained
upstream and has less problems with advanced X11 features.
This can lead to a change in the output names used by
<literal>xrandr</literal>. Some performance regressions on
some GPU models might happen. Some OpenCL and VA-API
applications might also break (Beignet seems to provide OpenCL
support with <literal>modesetting</literal> driver, too).
Kernel mode setting API does not support backlight control, so
<literal>xbacklight</literal> tool will not work; backlight
level can be controlled directly via <literal>/sys/</literal>
or with <literal>brightnessctl</literal>. Users who need this
functionality more than multi-output XRandR are advised to add
`intel` to `videoDrivers` and report an issue (or provide
additional details in an existing one)
</para>
</listitem>
<listitem>
<para>
Openmpi has been updated to version 4.0.0, which removes some
deprecated MPI-1 symbols. This may break some older
applications that still rely on those symbols. An upgrade
guide can be found
<link xlink:href="https://www.open-mpi.org/faq/?category=mpi-removed">here</link>.
</para>
<para>
The nginx package now relies on OpenSSL 1.1 and supports TLS
1.3 by default. You can set the protocols used by the nginx
service using
<link xlink:href="options.html#opt-services.nginx.sslProtocols">services.nginx.sslProtocols</link>.
</para>
</listitem>
<listitem>
<para>
A new subcommand <literal>nixos-rebuild edit</literal> was
added.
</para>
</listitem>
</itemizedlist>
</section>
</section>
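
Review bot: in the `services.kubernetes.apiserver.bindAddress` item near the end of this file, readers are pointed to `services.kubernetes.apiserver.insecurebindAddress`, whose lowercase "b" does not match the camelCase of `bindAddress` and `insecurePort` in the same two items. This is the setting the note relies on to keep an enabled insecure port on loopback now that the default bind is 0.0.0.0, so please check the name against the module and correct it so it can be copied verbatim. Also, `services.slurm.user = root` in the Slurm item is missing quotes around the string, the `services.nscd.config` listing is tagged language="bash" although it holds a Nix expression, the Solr item gives its URL as bare text rather than a link, and the last sentence of the `intel` driver item uses backticks instead of literal elements and lacks a final period. Spelling to fix while here: "seperators", "occour", "interferring", "previosuly", "uze".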

File diff suppressed because it is too large Load diff


View file

@ -0,0 +1,144 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-22.11">
<title>Release 22.11 (“Raccoon”, 2022.11/??)</title>
<para>
Support is planned until the end of June 2023, handing over to
23.05.
</para>
<section xml:id="sec-release-22.11-highlights">
<title>Highlights</title>
<para>
In addition to numerous new and upgraded packages, this release
has the following highlights:
</para>
<itemizedlist>
<listitem>
<para>
During cross-compilation, tests are now executed if the test
suite can be executed by the build platform. This is the case
when doing “native” cross-compilation where the build and host
platforms are largely the same, but the nixpkgs cross
compilation infrastructure is used, e.g.
<literal>pkgsStatic</literal> and <literal>pkgsLLVM</literal>.
Another possibility is that the build platform is a superset
of the host platform, e.g. when cross-compiling from
<literal>x86_64-unknown-linux</literal> to
<literal>i686-unknown-linux</literal>. The predicate gating
test suite execution is the newly added
<literal>canExecute</literal> predicate: You can e.g. check if
<literal>stdenv.buildPlatform</literal> can execute binaries
built for <literal>stdenv.hostPlatform</literal> (i.e.
produced by <literal>stdenv.cc</literal>) by evaluating
<literal>stdenv.buildPlatform.canExecute stdenv.hostPlatform</literal>.
</para>
</listitem>
<listitem>
<para>
PHP now defaults to PHP 8.1, updated from 8.0.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.11-new-services">
<title>New Services</title>
<itemizedlist>
<listitem>
<para>
<link xlink:href="https://github.com/jollheef/appvm">appvm</link>,
Nix based app VMs. Available as
<link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://dragonflydb.io/">dragonflydb</link>,
a modern replacement for Redis and Memcached. Available as
<link linkend="opt-services.dragonflydb.enable">services.dragonflydb</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/leetronics/infnoise">infnoise</link>,
a hardware True Random Number Generator dongle. Available as
<link xlink:href="options.html#opt-services.infnoise.enable">services.infnoise</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/aiberia/persistent-evdev">persistent-evdev</link>,
a daemon to add virtual proxy devices that mirror a physical
input device but persist even if the underlying hardware is
hot-plugged. Available as
<link linkend="opt-services.persistent-evdev.enable">services.persistent-evdev</link>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.11-incompatibilities">
<title>Backward Incompatibilities</title>
<itemizedlist>
<listitem>
<para>
The <literal>isCompatible</literal> predicate checking CPU
compatibility is no longer exposed by the platform sets
generated using <literal>lib.systems.elaborate</literal>. In
most cases you will want to use the new
<literal>canExecute</literal> predicate instead which also
considers the kernel / syscall interface. It is briefly
described in the releases
<link linkend="sec-release-22.11-highlights">highlights
section</link>.
<literal>lib.systems.parse.isCompatible</literal> still
exists, but has changed semantically: Architectures with
differing endianness modes are <emphasis>no longer considered
compatible</emphasis>.
</para>
</listitem>
<listitem>
<para>
The <literal>isPowerPC</literal> predicate, found on
<literal>platform</literal> attrsets
(<literal>hostPlatform</literal>,
<literal>buildPlatform</literal>,
<literal>targetPlatform</literal>, etc) has been removed in
order to reduce confusion. The predicate was was defined such
that it matches only the 32-bit big-endian members of the
POWER/PowerPC family, despite having a name which would imply
a broader set of systems. If you were using this predicate,
you can replace <literal>foo.isPowerPC</literal> with
<literal>(with foo; isPower &amp;&amp; is32bit &amp;&amp; isBigEndian)</literal>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.11-notable-changes">
<title>Other Notable Changes</title>
<itemizedlist>
<listitem>
<para>
A new module was added for the Saleae Logic device family,
providing the options
<literal>hardware.saleae-logic.enable</literal> and
<literal>hardware.saleae-logic.package</literal>.
</para>
</listitem>
<listitem>
<para>
Matrix Synapse now requires entries in the
<literal>state_group_edges</literal> table to be unique, in
order to prevent accidentally introducing duplicate
information (for example, because a database backup was
restored multiple times). If your Synapse database already has
duplicate rows in this table, this could fail with an error
and require manual remediation.
</para>
</listitem>
<listitem>
<para>
memtest86+ was updated from 5.00-coreboot-002 to 6.00-beta2.
It is now the upstream version from https://www.memtest.org/,
as coreboots fork is no longer available.
</para>
</listitem>
</itemizedlist>
</section>
</section>
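
Review bot: the title of this new file still carries a placeholder date, `2022.11/??`, which also mixes "." and "/" where the earlier release titles in this commit use the `2014/04/30` form; please either fill it in or mark it clearly as not yet decided in a consistent format. In the New Services list, the dragonflydb and persistent-evdev entries link their options with `linkend="opt-..."` while appvm and infnoise use `xlink:href="options.html#opt-..."`; pick one style so all four resolve the same way in the built manual. Wording nits: "The predicate was was defined" in the `isPowerPC` item, "the releases highlights section" in the `isCompatible` item, and "coreboots fork" in the memtest86+ item (both need an apostrophe).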