nixos/acme: Update release note, remove redundant requires

Merge remote-tracking branch 'remotes/upstream/master'

1 files changed, 222 insertions, 3 deletions

diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml
index 37ac4ec028810..106612d059532 100644
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@@ -25,6 +25,13 @@
    </listitem>
    <listitem>
     <para>
+     Linux kernel is updated to branch 5.4 by default (from 4.19).
+     Users of Intel GPUs may prefer to explicitly set branch to 4.19 to avoid some regressions.
+     <programlisting>boot.kernelPackages = pkgs.linuxPackages_4_19;</programlisting>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
      Postgresql for NixOS service now defaults to v11.
     </para>
    </listitem>
@@ -52,7 +59,7 @@
    <listitem>
     <para>
       <command>nixos-option</command> has been rewritten in C++, speeding it up, improving correctness,
-      and adding a <option>--all</option> option which prints all options and their values.
+      and adding a <option>-r</option> option which prints all options and their values recursively.
     </para>
    </listitem>
    <listitem>
@@ -96,6 +103,13 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
     via <option>services.upower</option>.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     To use Geary you should enable <xref linkend="opt-programs.geary.enable"/> instead of
+     just adding it to <xref linkend="opt-environment.systemPackages"/>.
+     It was created so Geary could function properly outside of GNOME.
+    </para>
+   </listitem>
   </itemizedlist>
 
  </section>
@@ -126,7 +140,7 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
    <listitem>
     <para>
      The <literal>dynamicHosts</literal> option has been removed from the
-     <link linkend="opt-networking.networkmanager.enable">networkd</link>
+     <link linkend="opt-networking.networkmanager.enable">NetworkManager</link>
      module. Allowing (multiple) regular users to override host entries
      affecting the whole system opens up a huge attack vector.
      There seem to be very rare cases where this might be useful.
@@ -170,6 +184,12 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
    </listitem>
    <listitem>
     <para>
+     The Way Cooler wayland compositor has been removed, as the project has been officially canceled.
+     There are no more <literal>way-cooler</literal> attribute and <literal>programs.way-cooler</literal> options.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
       The BEAM package set has been deleted. You will only find there the different interpreters.
       You should now use the different build tools coming with the languages with sandbox mode disabled.
     </para>
@@ -228,6 +248,23 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
    </listitem>
    <listitem>
     <para>
+     The <literal>roundcube</literal> module has been hardened.
+     <itemizedlist>
+      <listitem>
+       <para>
+        The password of the database is not written world readable in the store any more. If <literal>database.host</literal> is set to <literal>localhost</literal>, then a unix user of the same name as the database will be created and PostreSQL peer authentication will be used, removing the need for a password. Otherwise, a password is still needed and can be provided with the new option <literal>database.passwordFile</literal>, which should be set to the path of a file containing the password and readable by the user <literal>nginx</literal> only. The <literal>database.password</literal> option is insecure and deprecated. Usage of this option will print a warning.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+        A random <literal>des_key</literal> is set by default in the configuration of roundcube, instead of using the hardcoded and insecure default. To ensure a clean migration, all users will be logged out when you upgrade to this release.
+       </para>
+      </listitem>
+     </itemizedlist>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
      The packages <literal>openobex</literal> and <literal>obexftp</literal>
      are no longer installed when enabling Bluetooth via
      <option>hardware.bluetooth.enable</option>.
@@ -401,6 +438,183 @@ users.users.me =
      the type to <literal>either path (submodule ...)</literal>.
     </para>
    </listitem>
+   <listitem>
+    <para>
+      The <link linkend="opt-services.buildkite-agent.enable">Buildkite Agent</link>
+      module and corresponding packages have been updated to 3.x.
+      While doing so, the following options have been changed:
+    </para>
+    <itemizedlist>
+      <listitem>
+       <para>
+         <literal>services.buildkite-agent.meta-data</literal> has been renamed to
+         <link linkend="opt-services.buildkite-agent.tags">services.buildkite-agent.tags</link>,
+         to match upstreams naming for 3.x.
+         Its type has also changed - it now accepts an attrset of strings.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+         The<literal>services.buildkite-agent.openssh.publicKeyPath</literal> option
+         has been removed, as it's not necessary to deploy public keys to clone private
+         repositories.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+         <literal>services.buildkite-agent.openssh.privateKeyPath</literal>
+         has been renamed to
+         <link linkend="opt-services.buildkite-agent.privateSshKeyPath">buildkite-agent.privateSshKeyPath</link>,
+         as the whole <literal>openssh</literal> now only contained that single option.
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+         <link linkend="opt-services.buildkite-agent.shell">services.buildkite-agent.shell</link>
+         has been introduced, allowing to specify a custom shell to be used.
+       </para>
+      </listitem>
+    </itemizedlist>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>citrix_workspace_19_3_0</literal> package has been removed as
+     it will be EOLed within the lifespan of 20.03. For further information,
+     please refer to the <link xlink:href="https://www.citrix.com/de-de/support/product-lifecycle/milestones/receiver.html">support and maintenance information</link> from upstream.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>gcc5</literal> and <literal>gfortran5</literal> packages have been removed.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <option>services.xserver.displayManager.auto</option> module has been removed.
+     It was only intended for use in internal NixOS tests, and gave the false impression
+     of it being a special display manager when it's actually LightDM.
+     Please use the <xref linkend="opt-services.xserver.displayManager.lightdm.autoLogin"/> options instead,
+     or any other display manager in NixOS as they all support auto-login. If you used this module specifically
+     because it permitted root auto-login you can override the lightdm-autologin pam module like:
+<programlisting>
+<link xlink:href="#opt-security.pam.services._name__.text">security.pam.services.lightdm-autologin.text</link> = lib.mkForce ''
+    auth     requisite pam_nologin.so
+    auth     required  pam_succeed_if.so quiet
+    auth     required  pam_permit.so
+
+    account  include   lightdm
+
+    password include   lightdm
+
+    session  include   lightdm
+'';
+</programlisting>
+     The difference is the:
+<programlisting>
+auth required pam_succeed_if.so quiet
+</programlisting>
+     line, where default it's:
+<programlisting>
+auth required pam_succeed_if.so uid >= 1000 quiet
+</programlisting>
+     not permitting users with uid's below 1000 (like root).
+     All other display managers in NixOS are configured like this.
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+       There have been lots of improvements to the Mailman module.  As
+       a result,
+     </para>
+     <itemizedlist>
+       <listitem>
+         <para>
+           The <option>services.mailman.hyperkittyBaseUrl</option>
+           option has been renamed to <xref
+           linkend="opt-services.mailman.hyperkitty.baseUrl"/>.
+         </para>
+       </listitem>
+       <listitem>
+         <para>
+           The <option>services.mailman.hyperkittyApiKey</option>
+           option has been removed.  This is because having an option
+           for the Hyperkitty API key meant that the API key would be
+           stored in the world-readable Nix store, which was a
+           security vulnerability.  A new Hyperkitty API key will be
+           generated the first time the new Hyperkitty service is run,
+           and it will then be persisted outside of the Nix store.  To
+           continue using Hyperkitty, you must set <xref
+           linkend="opt-services.mailman.hyperkitty.enable"/> to
+           <literal>true</literal>.
+         </para>
+       </listitem>
+       <listitem>
+         <para>
+           Additionally, some Postfix configuration must now be set
+           manually instead of automatically by the Mailman module:
+<programlisting>
+<xref linkend="opt-services.postfix.relayDomains"/> = [ "hash:/var/lib/mailman/data/postfix_domains" ];
+<xref linkend="opt-services.postfix.config"/>.transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
+<xref linkend="opt-services.postfix.config"/>.local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
+</programlisting>
+           This is because some users may want to include other values
+           in these lists as well, and this was not possible if they
+           were set automatically by the Mailman module.  It would not
+           have been possible to just concatenate values from multiple
+           modules each setting the values they needed, because the
+           order of elements in the list is significant.
+         </para>
+       </listitem>
+     </itemizedlist>
+   </listitem>
+   <listitem>
+    <para>The LLVM versions 3.5, 3.9 and 4 (including the corresponding CLang versions) have been dropped.</para>
+   </listitem>
+   <listitem>
+    <para>
+     The <option>networking.interfaces.*.preferTempAddress</option> option has
+     been replaced by <option>networking.interfaces.*.tempAddress</option>.
+     The new option allows better control of the IPv6 temporary addresses,
+     including completely disabling them for interfaces where they are not
+     needed.
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+       Rspamd was updated to version 2.2. Read
+       <link xlink:href="https://rspamd.com/doc/migration.html#migration-to-rspamd-20">
+       the upstream migration notes</link> carefully. Please be especially
+       aware that some modules were removed and the default Bayes backend is
+       now Redis.
+     </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>*psu</literal> versions of <package>oraclejdk8</package> have been removed
+     as they aren't provided by upstream anymore.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <option>services.dnscrypt-proxy</option> module has been removed
+     as it used the deprecated version of dnscrypt-proxy. We've added
+     <xref linkend="opt-services.dnscrypt-proxy2.enable"/> to use the supported version.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>qesteidutil</literal> has been deprecated in favor of <literal>qdigidoc</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <package>sqldeveloper_18</package> has been removed as it's not maintained anymore,
+     <package>sqldeveloper</package> has been updated to version <literal>19.4</literal>.
+     Please note that this means that this means that the <package>oraclejdk</package> is now
+     required. For further information please read the
+     <link xlink:href="https://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/sqldev-relnotes-194-5908846.html">release notes</link>.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
@@ -452,9 +666,14 @@ users.users.me =
      As well as this, the options <literal>security.acme.acceptTerms</literal> and either
      <literal>security.acme.email</literal> or <literal>security.acme.certs.&lt;name&gt;.email</literal>
      must be set in order to use the ACME module.
-     Certificates will be regenerated from new on the next renewal date. The credentials for simp-le are
+     Certificates will be regenerated anew on the next renewal date. The credentials for simp-le are
      preserved and thus it is possible to roll back to previous versions without breaking certificate
      generation.
+   </listitem>
+    <listitem>
+    <para>
+    It is now possible to unlock LUKS-Encrypted file systems using a FIDO2 token
+    via <option>boot.initrd.luks.fido2Support</option>.
     </para>
    </listitem>
   </itemizedlist>