Diffstat (limited to 'nixos/doc/manual')
-rw-r--r-- nixos/doc/manual/development/option-def.section.md 26
-rw-r--r-- nixos/doc/manual/from_md/development/option-def.section.xml 40
-rw-r--r-- nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml 2
-rw-r--r-- nixos/doc/manual/from_md/installation/upgrading.chapter.xml 16
-rw-r--r-- nixos/doc/manual/from_md/release-notes/rl-2111.section.xml 2
-rw-r--r-- nixos/doc/manual/from_md/release-notes/rl-2211.section.xml 1132
-rw-r--r-- nixos/doc/manual/from_md/release-notes/rl-2305.section.xml 121
-rw-r--r-- nixos/doc/manual/installation/installing-from-other-distro.section.md 2
-rw-r--r-- nixos/doc/manual/installation/upgrading.chapter.md 16
-rw-r--r-- nixos/doc/manual/release-notes/rl-2111.section.md 2
-rw-r--r-- nixos/doc/manual/release-notes/rl-2211.section.md 382
-rw-r--r-- nixos/doc/manual/release-notes/rl-2305.section.md 29
12 files changed, 1057 insertions, 713 deletions
diff --git a/nixos/doc/manual/development/option-def.section.md b/nixos/doc/manual/development/option-def.section.md
index 91b24cd4a3a16..22cf38873cf07 100644
--- a/nixos/doc/manual/development/option-def.section.md
+++ b/nixos/doc/manual/development/option-def.section.md
@@ -59,17 +59,35 @@ config = {
 ## Setting Priorities {#sec-option-definitions-setting-priorities .unnumbered}
 
 A module can override the definitions of an option in other modules by
-setting a *priority*. All option definitions that do not have the lowest
+setting an *override priority*. All option definitions that do not have the lowest
 priority value are discarded. By default, option definitions have
-priority 1000. You can specify an explicit priority by using
-`mkOverride`, e.g.
+priority 100 and option defaults have priority 1500.
+You can specify an explicit priority by using `mkOverride`, e.g.
 
 ```nix
 services.openssh.enable = mkOverride 10 false;
 ```
 
 This definition causes all other definitions with priorities above 10 to
-be discarded. The function `mkForce` is equal to `mkOverride 50`.
+be discarded. The function `mkForce` is equal to `mkOverride 50`, and
+`mkDefault` is equal to `mkOverride 1000`.
+
+## Ordering Definitions {#sec-option-definitions-ordering .unnumbered}
+
+It is also possible to influence the order in which the definitions for an option are
+merged by setting an *order priority* with `mkOrder`. The default order priority is 1000.
+The functions `mkBefore` and `mkAfter` are equal to `mkOrder 500` and `mkOrder 1500`, respectively.
+As an example,
+
+```nix
+hardware.firmware = mkBefore [ myFirmware ];
+```
+
+This definition ensures that `myFirmware` comes before other unordered
+definitions in the final list value of `hardware.firmware`.
+
+Note that this is different from [override priorities](#sec-option-definitions-setting-priorities):
+setting an order does not affect whether the definition is included or not.
 
 ## Merging Configurations {#sec-option-definitions-merging .unnumbered}
 
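Review bot: In the new "Ordering Definitions" section, the text never says that a lower order priority sorts earlier; the reader has to infer it from `mkBefore` being `mkOrder 500`. Add one sentence stating the direction, and consider replacing "other unordered definitions" with "definitions that use the default order priority 1000", since under that reading a definition with a smaller `mkOrder` value would still precede `myFirmware`. In the priorities paragraph, "All option definitions that do not have the lowest priority value are discarded" leaves open what happens when two definitions share the lowest override priority; a short sentence on that case would help readers who rely on `mkForce` to pin settings such as `services.openssh.enable`.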
diff --git a/nixos/doc/manual/from_md/development/option-def.section.xml b/nixos/doc/manual/from_md/development/option-def.section.xml
index 8c9ef181affd2..3c1a979e70f33 100644
--- a/nixos/doc/manual/from_md/development/option-def.section.xml
+++ b/nixos/doc/manual/from_md/development/option-def.section.xml
@@ -66,11 +66,11 @@ config = {
     <title>Setting Priorities</title>
     <para>
       A module can override the definitions of an option in other
-      modules by setting a <emphasis>priority</emphasis>. All option
-      definitions that do not have the lowest priority value are
-      discarded. By default, option definitions have priority 1000. You
-      can specify an explicit priority by using
-      <literal>mkOverride</literal>, e.g.
+      modules by setting an <emphasis>override priority</emphasis>. All
+      option definitions that do not have the lowest priority value are
+      discarded. By default, option definitions have priority 100 and
+      option defaults have priority 1500. You can specify an explicit
+      priority by using <literal>mkOverride</literal>, e.g.
     </para>
     <programlisting language="bash">
 services.openssh.enable = mkOverride 10 false;
@@ -78,7 +78,35 @@ services.openssh.enable = mkOverride 10 false;
     <para>
       This definition causes all other definitions with priorities above
       10 to be discarded. The function <literal>mkForce</literal> is
-      equal to <literal>mkOverride 50</literal>.
+      equal to <literal>mkOverride 50</literal>, and
+      <literal>mkDefault</literal> is equal to
+      <literal>mkOverride 1000</literal>.
+    </para>
+  </section>
+  <section xml:id="sec-option-definitions-ordering">
+    <title>Ordering Definitions</title>
+    <para>
+      It is also possible to influence the order in which the
+      definitions for an option are merged by setting an <emphasis>order
+      priority</emphasis> with <literal>mkOrder</literal>. The default
+      order priority is 1000. The functions <literal>mkBefore</literal>
+      and <literal>mkAfter</literal> are equal to
+      <literal>mkOrder 500</literal> and
+      <literal>mkOrder 1500</literal>, respectively. As an example,
+    </para>
+    <programlisting language="bash">
+hardware.firmware = mkBefore [ myFirmware ];
+</programlisting>
+    <para>
+      This definition ensures that <literal>myFirmware</literal> comes
+      before other unordered definitions in the final list value of
+      <literal>hardware.firmware</literal>.
+    </para>
+    <para>
+      Note that this is different from
+      <link linkend="sec-option-definitions-setting-priorities">override
+      priorities</link>: setting an order does not affect whether the
+      definition is included or not.
     </para>
   </section>
   <section xml:id="sec-option-definitions-merging">
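Review bot: The added `<programlisting language="bash">` around `hardware.firmware = mkBefore [ myFirmware ];` labels a Nix expression as bash, while the Markdown source of the same section fences it as `nix`. If the converter allows it, carry the `nix` language through so the rendered highlighting matches. Also confirm this file was regenerated from the Markdown rather than edited by hand, as the `from_md` path suggests.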
diff --git a/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml b/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml
index 024a24379dd6d..35309a7aa3266 100644
--- a/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml
+++ b/nixos/doc/manual/from_md/installation/installing-from-other-distro.section.xml
@@ -211,7 +211,7 @@ $ sudo groupdel nixbld
         Generate your NixOS configuration:
       </para>
       <programlisting>
-$ sudo `which nixos-generate-config` --root /
+$ sudo `which nixos-generate-config`
 </programlisting>
       <para>
         Note that this will place the generated configuration files in
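Review bot: The command line drops `--root /` without any change to the surrounding text, and the next sentence ("Note that this will place the generated configuration files in ...") describes where the output lands. Confirm that the default root is `/` so that note stays accurate, and say in the commit message why the flag was removed. Separately, the `sudo` plus backquoted `which nixos-generate-config` form resolves the binary from the invoking user's PATH and then runs it as root; a short remark telling the reader to check the resolved path would fit here.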
diff --git a/nixos/doc/manual/from_md/installation/upgrading.chapter.xml b/nixos/doc/manual/from_md/installation/upgrading.chapter.xml
index 11fe1d317ccdd..f6aedc800aca5 100644
--- a/nixos/doc/manual/from_md/installation/upgrading.chapter.xml
+++ b/nixos/doc/manual/from_md/installation/upgrading.chapter.xml
@@ -12,7 +12,7 @@
     <listitem>
       <para>
         <emphasis>Stable channels</emphasis>, such as
-        <link xlink:href="https://nixos.org/channels/nixos-22.05"><literal>nixos-22.05</literal></link>.
+        <link xlink:href="https://nixos.org/channels/nixos-22.05"><literal>nixos-22.11</literal></link>.
         These only get conservative bug fixes and package upgrades. For
         instance, a channel update may cause the Linux kernel on your
         system to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix),
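Review bot: On the changed `<link>` line, the visible text becomes `nixos-22.11` but `xlink:href` still points to `https://nixos.org/channels/nixos-22.05`, so the link sends readers to the old channel. Update the href to `nixos-22.11` to match the label.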
@@ -33,7 +33,7 @@
     <listitem>
       <para>
         <emphasis>Small channels</emphasis>, such as
-        <link xlink:href="https://nixos.org/channels/nixos-22.05-small"><literal>nixos-22.05-small</literal></link>
+        <link xlink:href="https://nixos.org/channels/nixos-22.05-small"><literal>nixos-22.11-small</literal></link>
         or
         <link xlink:href="https://nixos.org/channels/nixos-unstable-small"><literal>nixos-unstable-small</literal></link>.
         These are identical to the stable and unstable channels
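Review bot: Same mismatch on the small-channel `<link>` line: the label is now `nixos-22.11-small` while `xlink:href` remains `https://nixos.org/channels/nixos-22.05-small`. Update the href together with the label.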
@@ -60,8 +60,8 @@
   <para>
     When you first install NixOS, you’re automatically subscribed to the
     NixOS channel that corresponds to your installation source. For
-    instance, if you installed from a 22.05 ISO, you will be subscribed
-    to the <literal>nixos-22.05</literal> channel. To see which NixOS
+    instance, if you installed from a 22.11 ISO, you will be subscribed
+    to the <literal>nixos-22.11</literal> channel. To see which NixOS
     channel you’re subscribed to, run the following as root:
   </para>
   <programlisting>
@@ -76,17 +76,17 @@ nixos https://nixos.org/channels/nixos-unstable
 </programlisting>
   <para>
     (Be sure to include the <literal>nixos</literal> parameter at the
-    end.) For instance, to use the NixOS 22.05 stable channel:
+    end.) For instance, to use the NixOS 22.11 stable channel:
   </para>
   <programlisting>
-# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos
+# nix-channel --add https://nixos.org/channels/nixos-22.11 nixos
 </programlisting>
   <para>
     If you have a server, you may want to use the <quote>small</quote>
     channel instead:
   </para>
   <programlisting>
-# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos
+# nix-channel --add https://nixos.org/channels/nixos-22.11-small nixos
 </programlisting>
   <para>
     And if you want to live on the bleeding edge:
@@ -146,7 +146,7 @@ system.autoUpgrade.allowReboot = true;
       also specify a channel explicitly, e.g.
     </para>
     <programlisting language="bash">
-system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05;
+system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.11;
 </programlisting>
   </section>
 </chapter>
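Review bot: The updated `system.autoUpgrade.channel` value is still a bare URL literal. Since the line is being touched anyway, quote it as a string (`"https://nixos.org/channels/nixos-22.11"`) so the snippet does not depend on Nix's unquoted URL syntax when copied into a configuration.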
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index b7790c99a91e5..688f0f47676c9 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -1435,7 +1435,7 @@ Superuser created successfully.
         <para>
           The default GNAT version has been changed: The
           <literal>gnat</literal> attribute now points to
-          <literal>gnat11</literal> instead of <literal>gnat9</literal>.
+          <literal>gnat12</literal> instead of <literal>gnat9</literal>.
         </para>
       </listitem>
       <listitem>
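Review bot: The `gnat11` to `gnat12` replacement on this line edits the 21.11 release notes (`rl-2111`), which record what that release changed. Unless 21.11 itself moved `gnat` to `gnat12`, this looks like a stray search-and-replace; keep the historical text as it was and document the new default in the notes of the release that introduces it.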
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
index 3ab35fe84bbfa..b47808dc20873 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@@ -1,497 +1,300 @@
 <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-22.11">
-  <title>Release 22.11 (“Raccoon”, 2022.11/??)</title>
+  <title>Release 22.11 (“Raccoon”, 2022.11/30)</title>
   <para>
-    Support is planned until the end of June 2023, handing over to
-    23.05.
+    The NixOS release team is happy to announce a new version of NixOS
+    22.11. NixOS is a Linux distribution, whose set of packages can also
+    be used on other Linux systems and macOS.
+  </para>
+  <para>
+    This release is supported until the end of June 2023, handing over
+    to NixOS 23.05.
+  </para>
+  <para>
+    To upgrade to the latest release follow the
+    <link linkend="sec-upgrading">upgrade chapter</link>.
   </para>
   <section xml:id="sec-release-22.11-highlights">
     <title>Highlights</title>
     <para>
       In addition to numerous new and upgraded packages, this release
-      has the following highlights:
+      includes the following highlights:
     </para>
     <itemizedlist>
       <listitem>
         <para>
-          GNOME has been upgraded to 43. Please take a look at their
-          <link xlink:href="https://release.gnome.org/43/">Release
-          Notes</link> for details.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          During cross-compilation, tests are now executed if the test
-          suite can be executed by the build platform. This is the case
-          when doing “native” cross-compilation where the build and host
-          platforms are largely the same, but the nixpkgs’ cross
-          compilation infrastructure is used, e.g.
-          <literal>pkgsStatic</literal> and <literal>pkgsLLVM</literal>.
-          Another possibility is that the build platform is a superset
-          of the host platform, e.g. when cross-compiling from
-          <literal>x86_64-unknown-linux</literal> to
-          <literal>i686-unknown-linux</literal>. The predicate gating
-          test suite execution is the newly added
-          <literal>canExecute</literal> predicate: You can e.g. check if
-          <literal>stdenv.buildPlatform</literal> can execute binaries
-          built for <literal>stdenv.hostPlatform</literal> (i.e.
-          produced by <literal>stdenv.cc</literal>) by evaluating
-          <literal>stdenv.buildPlatform.canExecute stdenv.hostPlatform</literal>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          The <literal>nixpkgs.hostPlatform</literal> and
-          <literal>nixpkgs.buildPlatform</literal> options have been
-          added. These cover and override the
-          <literal>nixpkgs.{system,localSystem,crossSystem}</literal>
-          options.
-        </para>
-        <itemizedlist spacing="compact">
-          <listitem>
-            <para>
-              <literal>hostPlatform</literal> is the platform or
-              <quote><literal>system</literal></quote> string of the
-              NixOS system described by the configuration.
-            </para>
-          </listitem>
-          <listitem>
-            <para>
-              <literal>buildPlatform</literal> is the platform that is
-              responsible for building the NixOS configuration. It
-              defaults to the <literal>hostPlatform</literal>, for a
-              non-cross build configuration. To cross compile, set
-              <literal>buildPlatform</literal> to a different value.
-            </para>
-          </listitem>
-        </itemizedlist>
-        <para>
-          The new options convey the same information, but with fewer
-          options, and following the Nixpkgs terminology.
-        </para>
-        <para>
-          The existing options
-          <literal>nixpkgs.{system,localSystem,crossSystem}</literal>
-          have not been formally deprecated, to allow for evaluation of
-          the change and to allow for a transition period so that in
-          time the ecosystem can switch without breaking compatibility
-          with any supported NixOS release.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <literal>emacs</literal> enables native compilation which
-          means:
+          Software that uses the <literal>crypt</literal> password
+          hashing API is now using the implementation provided by
+          <link xlink:href="https://github.com/besser82/libxcrypt"><literal>libxcrypt</literal></link>
+          instead of glibc’s, which enables support for more secure
+          algorithms.
         </para>
         <itemizedlist spacing="compact">
           <listitem>
             <para>
-              emacs packages from nixpkgs, builtin or not, will do
-              native compilation ahead of time so you can enjoy the
-              benefit of native compilation without compiling them on
-              you machine;
+              Support for algorithms that <literal>libxcrypt</literal>
+              <link xlink:href="https://github.com/besser82/libxcrypt/blob/v4.4.28/lib/hashes.conf#L41">does
+              not consider strong</link> are
+              <emphasis role="strong">deprecated</emphasis> as of this
+              release, and will be removed in NixOS 23.05.
             </para>
           </listitem>
           <listitem>
             <para>
-              emacs packages from somewhere else, e.g.
-              <literal>package-install</literal>, will do asynchronously
-              deferred native compilation. If you do not want this,
-              maybe to avoid CPU consumption for compilation, you can
-              use
-              <literal>(setq native-comp-deferred-compilation nil)</literal>
-              to disable it while still enjoy the benefit of native
-              compilation for packages from nixpkgs.
+              This includes system login passwords. Given this, we
+              <emphasis role="strong">strongly encourage</emphasis> all
+              users to update their system passwords, as you will be
+              unable to login if password hashes are not migrated by the
+              time their support is removed.
             </para>
+            <itemizedlist spacing="compact">
+              <listitem>
+                <para>
+                  When using
+                  <literal>users.users.&lt;name&gt;.hashedPassword</literal>
+                  to configure user passwords, run
+                  <literal>mkpasswd</literal>, and use the yescrypt hash
+                  that is provided as the new value.
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  On the other hand, for interactively configured user
+                  passwords, simply re-set the passwords for all users
+                  with <literal>passwd</literal>.
+                </para>
+              </listitem>
+              <listitem>
+                <para>
+                  This release introduces warnings for the use of
+                  deprecated hash algorithms for both methods of
+                  configuring passwords. To make sure you migrated
+                  correctly, run
+                  <literal>nixos-rebuild switch</literal>.
+                </para>
+              </listitem>
+            </itemizedlist>
           </listitem>
         </itemizedlist>
       </listitem>
       <listitem>
         <para>
-          <literal>nixos-generate-config</literal> now generates
-          configurations that can be built in pure mode. This is
-          achieved by setting the new
-          <literal>nixpkgs.hostPlatform</literal> option.
-        </para>
-        <para>
-          You may have to unset the <literal>system</literal> parameter
-          in <literal>lib.nixosSystem</literal>, or similarly remove
-          definitions of the
-          <literal>nixpkgs.{system,localSystem,crossSystem}</literal>
-          options.
-        </para>
-        <para>
-          Alternatively, you can remove the
-          <literal>hostPlatform</literal> line and use NixOS like you
-          would in NixOS 22.05 and earlier.
+          The NixOS documentation is now generated from markdown. While
+          docbook is still part of the documentation build process, it’s
+          a big step towards the full migration.
         </para>
       </listitem>
       <listitem>
         <para>
-          PHP now defaults to PHP 8.1, updated from 8.0.
+          <literal>aarch64-linux</literal> is now included in the
+          <literal>nixos-22.11</literal> and
+          <literal>nixos-22.11-small</literal> channels. This means that
+          when those channel update, both
+          <literal>x86_64-linux</literal> and
+          <literal>aarch64-linux</literal> will be available in the
+          binary cache.
         </para>
       </listitem>
       <listitem>
         <para>
-          PHP is now built <literal>NTS</literal> (Non-Thread Safe)
-          style by default, for Apache and <literal>mod_php</literal>
-          usage we still enable <literal>ZTS</literal> (Zend Thread
-          Safe). This has been a common practice for a long time in
-          other distributions.
+          <literal>aarch64-linux</literal> ISOs are now available on the
+          <link xlink:href="https://nixos.org/download.html">downloads
+          page</link>.
         </para>
       </listitem>
       <listitem>
         <para>
-          PHP 8.2.0 RC 6 is available.
+          <literal>nsncd</literal> is now available as a replacement of
+          <literal>nscd</literal>.
         </para>
-      </listitem>
-      <listitem>
         <para>
-          <literal>protonup</literal> has been aliased to and replaced
-          by <literal>protonup-ng</literal> due to upstream not
-          maintaining it.
+          <literal>nscd</literal> is responsible for resolving
+          hostnames, users and more in NixOS and has been a long
+          standing source of bugs, such as sporadic network freezes.
         </para>
-      </listitem>
-      <listitem>
         <para>
-          Perl has been updated to 5.36, and its core module
-          <literal>HTTP::Tiny</literal> was patched to verify SSL/TLS
-          certificates by default.
+          More context in this
+          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/135888">issue</link>.
         </para>
-      </listitem>
-      <listitem>
         <para>
-          Improved performances of
-          <literal>lib.closePropagation</literal> which was previously
-          quadratic. This is used in e.g.
-          <literal>ghcWithPackages</literal>. Please see backward
-          incompatibilities notes below.
+          Help us test the new implementation by setting
+          <literal>services.nscd.enableNsncd</literal> to
+          <literal>true</literal>.
         </para>
-      </listitem>
-      <listitem>
         <para>
-          Cinnamon has been updated to 5.4. While at it, the cinnamon
-          module now defaults to blueman as bluetooth manager and
-          slick-greeter as lightdm greeter to match upstream.
+          We plan to use <literal>nsncd</literal> by default in NixOS
+          23.05.
         </para>
       </listitem>
       <listitem>
         <para>
-          OpenSSL now defaults to OpenSSL 3, updated from 1.1.1.
+          Linode cloud images are now supported by importing
+          <literal>${modulesPath}/virtualisation/linode-image.nix</literal>
+          and accessing <literal>system.build.linodeImage</literal> on
+          the output.
         </para>
       </listitem>
       <listitem>
         <para>
-          An image configuration and generator has been added for Linode
-          images, largely based on the present GCE configuration and
-          image.
+          <literal>hardware.nvidia</literal> has a new option,
+          <literal>hardware.nvidia.open</literal>, that can be used to
+          enable the usage of NVIDIA’s open-source kernel driver. Note
+          that the driver’s support for GeForce and Workstation GPUs is
+          still alpha quality, see
+          <link xlink:href="https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/">the
+          release announcement</link> for more information.
         </para>
       </listitem>
       <listitem>
         <para>
-          <literal>hardware.nvidia</literal> has a new option
-          <literal>open</literal> that can be used to opt in the
-          opensource version of NVIDIA kernel driver. Note that the
-          driver’s support for GeForce and Workstation GPUs is still
-          alpha quality, see
-          <link xlink:href="https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/">NVIDIA
-          Releases Open-Source GPU Kernel Modules</link> for the
-          official announcement.
+          The <literal>emacs</literal> package now makes use of native
+          compilation which means:
         </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              Emacs packages from Nixpkgs, builtin or not, will do
+              native compilation ahead of time so you can enjoy the
+              benefit of native compilation without compiling them on
+              you machine;
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Emacs packages from somewhere else, e.g.
+              <literal>package-install</literal>, will perform
+              asynchronously deferred native compilation. If you do not
+              want this, maybe to avoid CPU consumption for compilation,
+              you can use
+              <literal>(setq native-comp-deferred-compilation nil)</literal>
+              to disable it while still benefiting from native
+              compilation for packages from Nixpkgs.
+            </para>
+          </listitem>
+        </itemizedlist>
       </listitem>
     </itemizedlist>
   </section>
-  <section xml:id="sec-release-22.11-new-services">
-    <title>New Services</title>
+  <section xml:id="sec-release-22.11-internal">
+    <title>Internal changes</title>
     <itemizedlist>
       <listitem>
         <para>
-          <link xlink:href="https://github.com/jollheef/appvm">appvm</link>,
-          Nix based app VMs. Available as
-          <link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://github.com/maxbrunet/automatic-timezoned">automatic-timezoned</link>.
-          a Linux daemon to automatically update the system timezone
-          based on location. Available as
-          <link linkend="opt-services.automatic-timezoned.enable">services.automatic-timezoned</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          [xray] (https://github.com/XTLS/Xray-core), a fully compatible
-          v2ray-core replacement. Features XTLS, which when enabled on
-          server and client, brings UDP FullCone NAT to proxy setups.
-          Available as
-          <link xlink:href="options.html#opt-services.xray.enable">services.xray</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://github.com/mozilla-services/syncstorage-rs">syncstorage-rs</link>,
-          a self-hostable sync server for Firefox. Available as
-          <link xlink:href="options.html#opt-services.firefox-syncserver.enable">services.firefox-syncserver</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://dragonflydb.io/">dragonflydb</link>,
-          a modern replacement for Redis and Memcached. Available as
-          <link linkend="opt-services.dragonflydb.enable">services.dragonflydb</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://komga.org/">Komga</link>, a free and
-          open source comics/mangas media server. Available as
-          <link linkend="opt-services.komga.enable">services.komga</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://tandoor.dev">Tandoor Recipes</link>,
-          a self-hosted multi-tenant recipe collection. Available as
-          <link xlink:href="options.html#opt-services.tandoor-recipes.enable">services.tandoor-recipes</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://hbase.apache.org/">HBase
-          cluster</link>, a distributed, scalable, big data store.
-          Available as
-          <link xlink:href="options.html#opt-services.hadoop.hbase.enable">services.hadoop.hbase</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://github.com/edneville/please">Please</link>,
-          a Sudo clone written in Rust. Available as
-          <link linkend="opt-security.please.enable">security.please</link>
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://github.com/messagebird/sachet/">Sachet</link>,
-          an SMS alerting tool for the Prometheus Alertmanager.
-          Available as
-          <link linkend="opt-services.prometheus.sachet.enable">services.prometheus.sachet</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://github.com/leetronics/infnoise">infnoise</link>,
-          a hardware True Random Number Generator dongle. Available as
-          <link xlink:href="options.html#opt-services.infnoise.enable">services.infnoise</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://github.com/prymitive/kthxbye">kthxbye</link>,
-          an alert acknowledgement management daemon for Prometheus
-          Alertmanager. Available as
-          <link xlink:href="options.html#opt-services.kthxbye.enable">services.kthxbye</link>
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://github.com/jtroo/kanata">kanata</link>,
-          a tool to improve keyboard comfort and usability with advanced
-          customization. Available as
-          <link xlink:href="options.html#opt-services.kanata.enable">services.kanata</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://github.com/prymitive/karma">karma</link>,
-          an alert dashboard for Prometheus Alertmanager. Available as
-          <link xlink:href="options.html#opt-services.karma.enable">services.karma</link>
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://languagetool.org/">languagetool</link>,
-          a multilingual grammar, style, and spell checker. Available as
-          <link xlink:href="options.html#opt-services.languagetool.enable">services.languagetool</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://gitlab.com/CalcProgrammer1/OpenRGB/-/tree/master">OpenRGB</link>,
-          a FOSS tool for controlling RGB lighting. Available as
-          <link xlink:href="options.html#opt-services-hardware-openrgb-enable">services.hardware.openrgb.enable</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://www.getoutline.com/">Outline</link>,
-          a wiki and knowledge base similar to Notion. Available as
-          <link linkend="opt-services.outline.enable">services.outline</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://ntfy.sh">ntfy.sh</link>, a push
-          notification service. Available as
-          <link linkend="opt-services.ntfy-sh.enable">services.ntfy-sh</link>
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://git.sr.ht/~migadu/alps">alps</link>,
-          a simple and extensible webmail. Available as
-          <link linkend="opt-services.alps.enable">services.alps</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://github.com/skeeto/endlessh">endlessh</link>,
-          an SSH tarpit. Available as
-          <link linkend="opt-services.endlessh.enable">services.endlessh</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://github.com/shizunge/endlessh-go">endlessh-go</link>,
-          an SSH tarpit that exposes Prometheus metrics. Available as
-          <link linkend="opt-services.endlessh-go.enable">services.endlessh-go</link>.
+          Haskell <literal>ghcWithPackages</literal> is now up to 15
+          times faster to evaluate, thanks to changing
+          <literal>lib.closePropagation</literal> from a quadratic to
+          linear complexity. Please see backward incompatibilities notes
+          below.
+          <link xlink:href="https://github.com/NixOS/nixpkgs/pull/194391">https://github.com/NixOS/nixpkgs/pull/194391</link>
         </para>
       </listitem>
       <listitem>
         <para>
-          <link xlink:href="https://garagehq.deuxfleurs.fr/">Garage</link>,
-          a simple object storage server for geodistributed deployments,
-          alternative to MinIO. Available as
-          <link linkend="opt-services.garage.enable">services.garage</link>.
+          For cross-compilation targets that can also run on the
+          building machine, we now run tests. This, for example, is the
+          case for the <literal>pkgsStatic</literal> and
+          <literal>pkgsLLVM</literal> package sets or i686 packages on
+          <literal>x86_64</literal> machines.
         </para>
       </listitem>
       <listitem>
         <para>
-          <link xlink:href="https://netbird.io">netbird</link>, a zero
-          configuration VPN. Available as
-          <link xlink:href="options.html#opt-services.netbird.enable">services.netbird</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://github.com/aiberia/persistent-evdev">persistent-evdev</link>,
-          a daemon to add virtual proxy devices that mirror a physical
-          input device but persist even if the underlying hardware is
-          hot-plugged. Available as
-          <link linkend="opt-services.persistent-evdev.enable">services.persistent-evdev</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://schleuder.org/">schleuder</link>, a
-          mailing list manager with PGP support. Enable using
-          <link linkend="opt-services.schleuder.enable">services.schleuder</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://www.dolibarr.org/">Dolibarr</link>,
-          an enterprise resource planning and customer relationship
-          manager. Enable using
-          <link linkend="opt-services.dolibarr.enable">services.dolibarr</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://freshrss.org/">FreshRSS</link>, a
-          free, self-hostable RSS feed aggregator. Available as
-          <link linkend="opt-services.freshrss.enable">services.freshrss</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://www.expressvpn.com">expressvpn</link>,
-          the CLI client for ExpressVPN. Available as
-          <link linkend="opt-services.expressvpn.enable">services.expressvpn</link>.
+          To simplify cross-compilation in NixOS, this release
+          introduces the <literal>nixpkgs.hostPlatform</literal> and
+          <literal>nixpkgs.buildPlatform</literal> options. These cover
+          and override the
+          <literal>nixpkgs.{system,localSystem,crossSystem}</literal>
+          options.
         </para>
-      </listitem>
-      <listitem>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              <literal>hostPlatform</literal> is the platform or
+              <quote><literal>system</literal></quote> string of the
+              NixOS system described by the configuration.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <literal>buildPlatform</literal> is the platform that is
+              responsible for building the NixOS configuration. It
+              defaults to the <literal>hostPlatform</literal>, for a
+              non-cross build configuration. To cross compile, set
+              <literal>buildPlatform</literal> to a different value.
+            </para>
+          </listitem>
+        </itemizedlist>
         <para>
-          <link xlink:href="https://troglobit.com/projects/merecat/">merecat</link>,
-          a small and easy HTTP server based on thttpd. Available as
-          <link linkend="opt-services.merecat.enable">services.merecat</link>
+          The new options convey the same information, but with fewer
+          options, and following the Nixpkgs terminology.
         </para>
-      </listitem>
-      <listitem>
         <para>
-          <link xlink:href="https://github.com/L11R/go-autoconfig">go-autoconfig</link>,
-          IMAP/SMTP autodiscover server. Available as
-          <link linkend="opt-services.go-autoconfig.enable">services.go-autoconfig</link>.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <link xlink:href="https://github.com/tmate-io/tmate-ssh-server">tmate-ssh-server</link>,
-          server side part of
-          <link xlink:href="https://tmate.io/">tmate</link>. Available
-          as
-          <link linkend="opt-services.tmate-ssh-server.enable">services.tmate-ssh-server</link>.
+          The existing options
+          <literal>nixpkgs.{system,localSystem,crossSystem}</literal>
+          have not been formally deprecated, to allow for evaluation of
+          the change and to allow for a transition period so that in
+          time the ecosystem can switch without breaking compatibility
+          with any supported NixOS release.
         </para>
       </listitem>
+    </itemizedlist>
+  </section>
+  <section xml:id="sec-release-22.11-version-updates">
+    <title>Notable version updates</title>
+    <itemizedlist>
       <listitem>
         <para>
-          <link xlink:href="https://www.grafana.com/oss/tempo/">Grafana
-          Tempo</link>, a distributed tracing store. Available as
-          <link linkend="opt-services.tempo.enable">services.tempo</link>.
+          Nix has been upgraded from v2.8.1 to v2.11.0. For more
+          information, please see the release notes for
+          <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.9.html">2.9</link>,
+          <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.10.html">2.10</link>
+          and
+          <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.11.html">2.11</link>.
         </para>
       </listitem>
       <listitem>
         <para>
-          <link xlink:href="https://www.ausweisapp.bund.de/">AusweisApp2</link>,
-          the authentication software for the German ID card. Available
-          as
-          <link linkend="opt-programs.ausweisapp.enable">programs.ausweisapp</link>.
+          OpenSSL now defaults to OpenSSL 3, updated from 1.1.1.
         </para>
       </listitem>
       <listitem>
         <para>
-          <link xlink:href="https://github.com/zalando/patroni">Patroni</link>,
-          a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
-          Available as
-          <link xlink:href="options.html#opt-services.patroni.enable">services.patroni</link>.
+          GNOME has been upgraded to version 43. Please see the
+          <link xlink:href="https://release.gnome.org/43/">release
+          notes</link> for details.
         </para>
       </listitem>
       <listitem>
         <para>
-          <link xlink:href="https://github.com/prometheus-community/ipmi_exporter">Prometheus
-          IPMI exporter</link>, an IPMI exporter for Prometheus.
-          Available as
-          <link linkend="opt-services.prometheus.exporters.ipmi.enable">services.prometheus.exporters.ipmi</link>.
+          KDE Plasma has been upgraded from v5.24 to v5.26. Please see
+          the release notes for
+          <link xlink:href="https://kde.org/announcements/plasma/5/5.25.0/">v5.25</link>
+          and
+          <link xlink:href="https://kde.org/announcements/plasma/5/5.26.0/">v5.26</link>
+          for more details on the included changes.
         </para>
       </listitem>
       <listitem>
         <para>
-          <link xlink:href="https://writefreely.org">WriteFreely</link>,
-          a simple blogging platform with ActivityPub support. Available
-          as
-          <link xlink:href="options.html#opt-services.writefreely.enable">services.writefreely</link>.
+          Cinnamon has been updated to 5.4, and the Cinnamon module now
+          defaults to Blueman as the Bluetooth manager and slick-greeter
+          as the LightDM greeter, to match upstream.
         </para>
       </listitem>
       <listitem>
         <para>
-          <link xlink:href="https://listmonk.app">Listmonk</link>, a
-          self-hosted newsletter manager. Enable using
-          <link xlink:href="options.html#opt-services.listmonk.enable">services.listmonk</link>.
+          PHP now defaults to PHP 8.1, updated from 8.0.
         </para>
       </listitem>
       <listitem>
         <para>
-          <link xlink:href="https://uptime.kuma.pet/">Uptime
-          Kuma</link>, a fancy self-hosted monitoring tool. Available as
-          <link linkend="opt-services.uptime-kuma.enable">services.uptime-kuma</link>.
+          Perl has been updated to 5.36, and its core module
+          <literal>HTTP::Tiny</literal> was patched to verify SSL/TLS
+          certificates by default.
         </para>
       </listitem>
       <listitem>
         <para>
-          <link xlink:href="https://mepo.milesalan.com">Mepo</link>, a
-          fast, simple, hackable OSM map viewer for mobile and desktop
-          Linux. Available as
-          <link linkend="opt-programs.mepo.enable">programs.mepo.enable</link>.
+          Python now defaults to 3.10, updated from 3.9.
         </para>
       </listitem>
     </itemizedlist>
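Review bot: The Perl item says `HTTP::Tiny` now verifies SSL/TLS certificates by default, which is a behaviour change for existing scripts, yet it is listed only under notable version updates. Scripts that talk to hosts with self-signed or otherwise unverifiable certificates can start failing after the upgrade, so add a matching item to the backward incompatibilities list, or at least state here that the patch changes the module's default. Separately, the ghcWithPackages item ends in a bare URL after "Please see backward incompatibilities notes below."; fold the link into the sentence.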
@@ -511,10 +314,7 @@
           generated using <literal>lib.systems.elaborate</literal>. In
           most cases you will want to use the new
           <literal>canExecute</literal> predicate instead which also
-          considers the kernel / syscall interface. It is briefly
-          described in the release’s
-          <link linkend="sec-release-22.11-highlights">highlights
-          section</link>.
+          takes the kernel / syscall interface into account.
           <literal>lib.systems.parse.isCompatible</literal> still
           exists, but has changed semantically: Architectures with
           differing endianness modes are <emphasis>no longer considered
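Review bot: Dropping the pointer to the highlights section leaves `canExecute` unexplained in this entry: the reader is told to prefer it but not where to find it or how it is used. If the highlights text it pointed to no longer exists, add a short clause here saying where the predicate is defined.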
@@ -529,20 +329,28 @@
           upgrade guide</link> and
           <link xlink:href="https://ngrok.com/docs/ngrok-agent/changelog">changelog</link>.
           Notably, breaking changes are that the config file format has
-          changed and support for single hypen arguments was dropped.
+          changed and support for single hyphen arguments was dropped.
         </para>
       </listitem>
       <listitem>
         <para>
-          <literal>i18n.supportedLocales</literal> is now by default
-          only generated with the locales set in
-          <literal>i18n.defaultLocale</literal> and
-          <literal>i18n.extraLocaleSettings</literal>. This got
-          partially copied over from the minimal profile and reduces the
-          final system size by up to 200MB. If you require all locales
-          installed set the option to
-          <literal>[ &quot;all&quot; ]</literal>.
+          <literal>i18n.supportedLocales</literal> is now only generated
+          with the locales set in <literal>i18n.defaultLocale</literal>
+          and <literal>i18n.extraLocaleSettings</literal>.
         </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              This reduces the final system closure size by up to 200MB.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              If you require all locales installed, set the option to
+              <literal>[ &quot;all&quot; ]</literal>.
+            </para>
+          </listitem>
+        </itemizedlist>
       </listitem>
       <listitem>
         <para>
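Review bot: Removing "by default" from the first sentence of the `i18n.supportedLocales` item makes it read as unconditional, while the second bullet still tells users they can set the option to `[ "all" ]`. Keep "by default" so it is clear the entry describes the option's new default value rather than a hard restriction. "200MB" would also read better as "200 MB".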
@@ -596,7 +404,7 @@
           <literal>ssh-keygen -A</literal> as they are insecure. Also,
           <literal>SetEnv</literal> directives in
           <literal>ssh_config</literal> and
-          <literal>sshd_config</literal> are now first-match-wins
+          <literal>sshd_config</literal> are now first-match-wins.
         </para>
       </listitem>
       <listitem>
@@ -640,17 +448,17 @@
       </listitem>
       <listitem>
         <para>
-          The <literal>openssl</literal>-extension for the PHP
-          interpreter used by Nextcloud is built against OpenSSL 1.1 if
+          The OpenSSL extension for the PHP interpreter used by
+          Nextcloud is built against OpenSSL 1.1 if
           <xref linkend="opt-system.stateVersion" /> is below
           <literal>22.11</literal>. This is to make sure that people
           using
           <link xlink:href="https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html">server-side
-          encryption</link> don’t loose access to their files.
+          encryption</link> don’t lose access to their files.
         </para>
         <para>
-          In any other case it’s safe to use OpenSSL 3 for PHP’s openssl
-          extension. This can be done by setting
+          In any other case, it’s safe to use OpenSSL 3 for PHP’s
+          OpenSSL extension. This can be done by setting
           <xref linkend="opt-services.nextcloud.enableBrokenCiphersForSSE" />
           to <literal>false</literal>.
         </para>
@@ -701,6 +509,14 @@
       </listitem>
       <listitem>
         <para>
+          <literal>kanidm</literal> has been updated to 1.1.0-alpha.10
+          and now requires a TLS certificate and key. It will always
+          start <literal>https</literal> and-–-if enabled-–-an LDAPS
+          server and no HTTP and LDAP server anymore.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           riak package removed along with
           <literal>services.riak</literal> module, due to lack of
           maintainer to update the package.
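Review bot: The added kanidm item contains "and-–-if enabled-–-an", a hyphen, en dash, hyphen sequence that will render literally; it looks like a mis-converted dash from the Markdown source. Fix it in the .md file (commas or parentheses work) and regenerate this XML. The sentence is also hard to parse; "It now always serves HTTPS and, if enabled, LDAPS; plain HTTP and LDAP are no longer offered" says the same thing. Since a TLS certificate and key are now mandatory, name the options that take them.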
@@ -953,7 +769,7 @@
       </listitem>
       <listitem>
         <para>
-          <literal>k3s</literal> no longer supports docker as runtime
+          <literal>k3s</literal> no longer supports Docker as runtime
           due to upstream dropping support.
         </para>
       </listitem>
@@ -1026,7 +842,7 @@ signald -d /var/lib/signald/db \
         <para>
           <literal>stylua</literal> no longer accepts
           <literal>lua52Support</literal> and
-          <literal>luauSupport</literal> overrides, use
+          <literal>luauSupport</literal> overrides. Use
           <literal>features</literal> instead, which defaults to
           <literal>[ &quot;lua54&quot; &quot;luau&quot; ]</literal>.
         </para>
@@ -1082,9 +898,25 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
     <itemizedlist>
       <listitem>
         <para>
+          PHP is now built in <literal>NTS</literal> (Non-Thread Safe)
+          mode by default.
+        </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              For Apache and <literal>mod_php</literal> usage, we enable
+              <literal>ZTS</literal> (Zend Thread Safe) mode. This has
+              been a common practice for a long time in other
+              distributions.
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+      <listitem>
+        <para>
           <literal>firefox</literal>, <literal>thunderbird</literal> and
-          <literal>librewolf</literal> come with enabled Wayland support
-          by default. The <literal>firefox-wayland</literal>,
+          <literal>librewolf</literal> now come with Wayland support by
+          default. The <literal>firefox-wayland</literal>,
           <literal>firefox-esr-wayland</literal>,
           <literal>thunderbird-wayland</literal> and
           <literal>librewolf-wayland</literal> attributes are obsolete
@@ -1103,7 +935,8 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
         <para>
           Configuring multiple GitHub runners is now possible through
           <literal>services.github-runners.&lt;name&gt;</literal>. The
-          option <literal>services.github-runner</literal> remains.
+          options under <literal>services.github-runner</literal>
+          remain, to configure a single runner.
         </para>
       </listitem>
       <listitem>
@@ -1118,29 +951,39 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
       </listitem>
       <listitem>
         <para>
-          A new module was added for the Saleae Logic device family,
-          providing the options
+          A new module was added to provide hardware support for the
+          Saleae Logic device family, providing the options
           <literal>hardware.saleae-logic.enable</literal> and
           <literal>hardware.saleae-logic.package</literal>.
         </para>
       </listitem>
       <listitem>
         <para>
-          ZFS module will not allow hibernation by default, this is a
-          safety measure to prevent data loss cases like the ones
-          described at
-          <link xlink:href="https://github.com/openzfs/zfs/issues/260">OpenZFS/260</link>
-          and
-          <link xlink:href="https://github.com/openzfs/zfs/issues/12842">OpenZFS/12842</link>.
-          Use the <literal>boot.zfs.allowHibernation</literal> option to
-          configure this behaviour.
+          ZFS module will no longer allow hibernation by default.
         </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              This is a safety measure to prevent data loss cases like
+              the ones described at
+              <link xlink:href="https://github.com/openzfs/zfs/issues/260">OpenZFS/260</link>
+              and
+              <link xlink:href="https://github.com/openzfs/zfs/issues/12842">OpenZFS/12842</link>.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Use the <literal>boot.zfs.allowHibernation</literal>
+              option to configure this behaviour.
+            </para>
+          </listitem>
+        </itemizedlist>
       </listitem>
       <listitem>
         <para>
-          <literal>mastodon</literal> now automatically removes remote
-          media attachments older than 30 days. This is configurable
-          through <literal>services.mastodon.mediaAutoRemove</literal>.
+          Mastodon now automatically removes remote media attachments
+          older than 30 days. This is configurable through
+          <literal>services.mastodon.mediaAutoRemove</literal>.
         </para>
       </listitem>
       <listitem>
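Review bot: In the ZFS item the second bullet says only that `boot.zfs.allowHibernation` is there "to configure this behaviour", which undersells what the option does. The first bullet gives data loss as the reason for the new default, so say explicitly that setting the option re-enables hibernation and brings that risk back. The lead sentence is also missing its article: "The ZFS module will no longer allow hibernation by default."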
@@ -1152,9 +995,9 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
       </listitem>
       <listitem>
         <para>
-          Neo4j was updated from version 3 to version 4. See this
+          Neo4j was updated from version 3 to version 4. See upstream’s
           <link xlink:href="https://neo4j.com/docs/upgrade-migration-guide/current/">migration
-          guide</link> on how to migrate your Neo4j instance.
+          guide</link> for information on how to migrate your instance.
         </para>
       </listitem>
       <listitem>
@@ -1187,8 +1030,8 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
           <literal>prismlauncher</literal>, a fork by the rest of the
           maintainers. For more details, see
           <link xlink:href="https://github.com/NixOS/nixpkgs/pull/196624">the
-          pull request that made this change</link> and
-          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/196460">this
+          PR that made this change</link> and
+          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/196460">the
           issue detailing the vulnerability</link>. Users with existing
           installations should rename
           <literal>~/.local/share/polymc</literal> to
@@ -1209,8 +1052,7 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
       </listitem>
       <listitem>
         <para>
-          The <literal>services.matrix-synapse</literal> systemd unit
-          has been hardened.
+          Synapse’s systemd unit has been hardened.
         </para>
       </listitem>
       <listitem>
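Review bot: "Synapse's systemd unit has been hardened" drops the `services.matrix-synapse` literal, so the entry no longer tells the reader which module or unit is meant, and neither the old nor the new text says what the hardening restricts. Keep the option name and add a clause on which kinds of setups should be re-checked after upgrading, since readers cannot act on "hardened" alone.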
@@ -1282,9 +1124,9 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
           <listitem>
             <para>
               Previously, the options
-              <xref linkend="opt-services.grafana.provision.datasources" />
+              <link linkend="opt-services.grafana.provision.datasources">services.grafana.provision.datasources</link>
               and
-              <xref linkend="opt-services.grafana.provision.dashboards" />
+              <link linkend="opt-services.grafana.provision.dashboards">services.grafana.provision.dashboards</link>
               expected lists of datasources or dashboards for the
               <link xlink:href="https://grafana.com/docs/grafana/latest/administration/provisioning/">declarative
               provisioning</link>.
@@ -1297,14 +1139,14 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
                 <para>
                   <emphasis role="strong">datasources</emphasis>, please
                   rename your declarations to
-                  <xref linkend="opt-services.grafana.provision.datasources.settings.datasources" />.
+                  <link linkend="opt-services.grafana.provision.datasources.settings.datasources">services.grafana.provision.datasources.settings.datasources</link>.
                 </para>
               </listitem>
               <listitem>
                 <para>
                   <emphasis role="strong">dashboards</emphasis>, please
                   rename your declarations to
-                  <xref linkend="opt-services.grafana.provision.dashboards.settings.providers" />.
+                  <link linkend="opt-services.grafana.provision.dashboards.settings.providers">services.grafana.provision.dashboards.settings.providers</link>.
                 </para>
               </listitem>
             </itemizedlist>
@@ -1317,9 +1159,9 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
                   It’s possible to declare the
                   <literal>apiVersion</literal> of your dashboards and
                   datasources by
-                  <xref linkend="opt-services.grafana.provision.datasources.settings.apiVersion" />
+                  <link linkend="opt-services.grafana.provision.datasources.settings.apiVersion">services.grafana.provision.datasources.settings.apiVersion</link>
                   (or
-                  <xref linkend="opt-services.grafana.provision.dashboards.settings.apiVersion" />).
+                  <link linkend="opt-services.grafana.provision.dashboards.settings.apiVersion">services.grafana.provision.dashboards.settings.apiVersion</link>).
                 </para>
               </listitem>
               <listitem>
@@ -1327,9 +1169,9 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
                   Instead of declaring datasources and dashboards in
                   pure Nix, it’s also possible to specify configuration
                   files (or directories) with YAML instead using
-                  <xref linkend="opt-services.grafana.provision.datasources.path" />
+                  <link linkend="opt-services.grafana.provision.datasources.path">services.grafana.provision.datasources.path</link>
                   (or
-                  <xref linkend="opt-services.grafana.provision.dashboards.path" />.
+                  <link linkend="opt-services.grafana.provision.dashboards.path">services.grafana.provision.dashboards.path</link>.
                   This is useful when having provisioning files from
                   non-NixOS Grafana instances that you also want to
                   deploy to NixOS.
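Review bot: The parenthesis opened at "(or" before the `services.grafana.provision.dashboards.path` link is never closed; the link is followed directly by a full stop. The `apiVersion` item in the previous hunk closes the same construction with ").", so change `</link>.` to `</link>).` here. The line is already being rewritten, so this is the place to fix it.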
@@ -1344,9 +1186,9 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
               </listitem>
               <listitem>
                 <para>
-                  <xref linkend="opt-services.grafana.provision.notifiers" />
+                  <link linkend="opt-services.grafana.provision.notifiers">services.grafana.provision.notifiers</link>
                   is not affected by this change because this feature is
-                  deprecated by Grafana and will probably removed in
+                  deprecated by Grafana and will probably be removed in
                   Grafana 10. It’s recommended to use
                   <literal>services.grafana.provision.alerting.contactPoints</literal>
                   instead.
@@ -1367,7 +1209,7 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
       </listitem>
       <listitem>
         <para>
-          Matrix Synapse now requires entries in the
+          Synapse now requires entries in the
           <literal>state_group_edges</literal> table to be unique, in
           order to prevent accidentally introducing duplicate
           information (for example, because a database backup was
@@ -1394,9 +1236,17 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
       </listitem>
       <listitem>
         <para>
-          <literal>dockerTools.buildImage</literal> deprecates the
-          misunderstood <literal>contents</literal> parameter, in favor
-          of <literal>copyToRoot</literal>. Use
+          The <literal>netlify-cli</literal> package has been updated
+          from 6.13.2 to 12.2.4, see the
+          <link xlink:href="https://github.com/netlify/cli/releases">changelog</link>
+          for more details.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>dockerTools.buildImage</literal>’s
+          <literal>contents</literal> parameter has been deprecated in
+          favor of <literal>copyToRoot</literal>. Use
           <literal>copyToRoot = buildEnv { ... };</literal> or similar
           if you intend to add packages to <literal>/bin</literal>.
         </para>
@@ -1449,9 +1299,16 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
       </listitem>
       <listitem>
         <para>
-          The redis module now persists each instance’s configuration
+          The Redis module now persists each instance’s configuration
           file in the state directory, in order to support some more
-          advanced use cases like sentinel.
+          advanced use cases like Sentinel.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>protonup</literal> has been aliased to and replaced
+          by <literal>protonup-ng</literal> due to upstream not
+          maintaining it.
         </para>
       </listitem>
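Review bot: In the protonup item, "due to upstream not maintaining it" is ambiguous about which of the two projects is unmaintained, and "aliased to and replaced by" states the same thing twice. If `protonup` is the unmaintained one, "`protonup` is no longer maintained upstream and is now an alias for `protonup-ng`" is clearer.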
       <listitem>
@@ -1489,7 +1346,7 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
           </listitem>
           <listitem>
             <para>
-              For <literal>system.stateVersion</literal> being
+              If <literal>system.stateVersion</literal> is
               <emphasis role="strong">&gt;=22.11</emphasis>, Nextcloud
               25 will be installed by default. For older versions,
               Nextcloud 24 will be installed.
@@ -1497,7 +1354,7 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
           </listitem>
           <listitem>
             <para>
-              Please ensure that you only upgrade on major release at a
+              Please ensure that you only upgrade one major release at a
               time! Nextcloud doesn’t support upgrades across multiple
               versions, i.e. an upgrade from
               <emphasis role="strong">23</emphasis> to
@@ -1510,24 +1367,6 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
       </listitem>
       <listitem>
         <para>
-          Add udev rules for the Teensy family of microcontrollers.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          The Qt QML disk cache is now disabled by default. This fixes a
-          long-standing issue where updating Qt/KDE apps would sometimes
-          cause them to crash or behave strangely without explanation.
-          Those concerned about the small (~10%) performance hit to
-          application startup can re-enable the cache (and expose
-          themselves to gremlins) by setting the envrionment variable
-          <literal>QML_FORCE_DISK_CACHE</literal> to
-          <literal>1</literal> using e.g. the
-          <literal>environment.sessionVariables</literal> NixOS option.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
           systemd-oomd is enabled by default. Depending on which systemd
           units have <literal>ManagedOOMSwap=kill</literal> or
           <literal>ManagedOOMMemoryPressure=kill</literal>, systemd-oomd
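Review bot: Confirm that the Teensy udev rules item and the Qt QML disk cache item removed here are re-added elsewhere in the file; no replacement is visible in this hunk. The QML item documents a changed default and the `QML_FORCE_DISK_CACHE` opt-out, which users still need to be able to find. If the text is being moved, fix "envrionment" on the way.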
@@ -1559,14 +1398,8 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
       </listitem>
       <listitem>
         <para>
-          There is a new module for AMD SEV CPU functionality, which
-          grants access to the hardware.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          The Wordpress module got support for installing language packs
-          through
+          The Wordpress module now has support for installing language
+          packs through a new option,
           <literal>services.wordpress.sites.&lt;site&gt;.languages</literal>.
         </para>
       </listitem>
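Review bot: "Wordpress" in the rewritten item should be "WordPress", in line with the casing fixes made elsewhere in this patch (Docker, Redis, GSQL). The AMD SEV module item removed just above it also has no replacement visible in this hunk; make sure it is relocated rather than dropped.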
@@ -1584,12 +1417,12 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
       </listitem>
       <listitem>
         <para>
-          PowerDNS has been updated from <literal>4.6.x</literal> to
-          <literal>4.7.x</literal>. Please be sure to review the
+          PowerDNS has been updated from v4.6.2 to v4.7.2. Please be
+          sure to review the
           <link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#to-4-7-0-or-master">Upgrade
           Notes</link> provided by upstream before upgrading. Worth
           specifically noting is that the new Catalog Zones feature
-          comes with a mandatory schema change for the gsql database
+          comes with a mandatory schema change for the GSQL database
           backends, which has to be manually applied.
         </para>
       </listitem>
@@ -1601,21 +1434,19 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
           service and a systemd unit. The option
           <literal>services.xserver.desktopManager.xfce.thunarPlugins</literal>
           has been renamed to
-          <literal>programs.thunar.plugins</literal>, and in a future
-          release it may be removed.
+          <literal>programs.thunar.plugins</literal>, and may be removed
+          in a future release.
         </para>
       </listitem>
       <listitem>
         <para>
-          There is a new module for the <literal>xfconf</literal>
-          program (the Xfce configuration storage system), which has a
-          dbus service.
+          There is a new module for <literal>xfconf</literal> (the Xfce
+          configuration storage system), which has a dbus service.
         </para>
       </listitem>
       <listitem>
         <para>
-          The Mastodon package got upgraded from the major version 3 to
-          4. See the
+          The Mastodon package has been upgraded to v4.0.0. See the
           <link xlink:href="https://github.com/mastodon/mastodon/releases/tag/v4.0.0">v4.0.0
           release notes</link> for a list of changes. On standard
           setups, no manual migration steps are required. Nevertheless,
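Review bot: After the reordering, "has been renamed to `programs.thunar.plugins`, and may be removed in a future release" reads as if the new option is the one that may be removed. Make the old option the explicit subject, e.g. "The old option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins` and may be removed in a future release." The Mastodon rewrite also drops the starting major version (3), which readers use to judge whether the migration note applies to them.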
@@ -1624,8 +1455,8 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
       </listitem>
       <listitem>
         <para>
-          The <literal>nomad</literal> package now defaults to 1.3,
-          which no longer has a downgrade path to releases 1.2 or older.
+          The <literal>nomad</literal> package now defaults to v1.3,
+          which no longer has a downgrade path to v1.2 or older.
         </para>
       </listitem>
       <listitem>
@@ -1644,7 +1475,7 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
         <para>
           <literal>boot.kernel.sysctl</literal> is defined as a
           freeformType and adds a custom merge option for
-          <quote>net.core.rmem_max</quote> (taking the highest value
+          <literal>net.core.rmem_max</literal> (taking the highest value
           defined to avoid conflicts between 2 services trying to set
           that value).
         </para>
@@ -1676,6 +1507,335 @@ services.github-runner.serviceOverrides.SupplementaryGroups = [
           <literal>picom</literal> to quit instead.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <literal>haskellPackages.callHackage</literal> is not always
+          invalidated if <literal>all-cabal-hashes</literal> changes,
+          leading to less rebuilds of haskell dependencies.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>haskellPackages.callHackage</literal> and
+          <literal>haskellPackages.callCabal2nix</literal> (and related
+          functions) no longer keep a reference to the
+          <literal>cabal2nix</literal> call used to generate them. As a
+          result, they will be garbage collected more often.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+  <section xml:id="sec-release-22.11-new-services">
+    <title>New Services</title>
+    <itemizedlist>
+      <listitem>
+        <para>
+          <link xlink:href="https://git.sr.ht/~migadu/alps">alps</link>,
+          a simple and extensible webmail. Available as
+          <link linkend="opt-services.alps.enable">services.alps</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/jollheef/appvm">appvm</link>,
+          Nix based app VMs. Available as
+          <link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://www.ausweisapp.bund.de/">AusweisApp2</link>,
+          the authentication software for the German ID card. Available
+          as
+          <link linkend="opt-programs.ausweisapp.enable">programs.ausweisapp</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/maxbrunet/automatic-timezoned">automatic-timezoned</link>.
+          a Linux daemon to automatically update the system timezone
+          based on location. Available as
+          <link linkend="opt-services.automatic-timezoned.enable">services.automatic-timezoned</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://www.dolibarr.org/">Dolibarr</link>,
+          an enterprise resource planning and customer relationship
+          manager. Enable using
+          <link linkend="opt-services.dolibarr.enable">services.dolibarr</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://dragonflydb.io/">dragonflydb</link>,
+          a modern replacement for Redis and Memcached. Available as
+          <link linkend="opt-services.dragonflydb.enable">services.dragonflydb</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/shizunge/endlessh-go">endlessh-go</link>,
+          an SSH tarpit that exposes Prometheus metrics. Available as
+          <link linkend="opt-services.endlessh-go.enable">services.endlessh-go</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/skeeto/endlessh">endlessh</link>,
+          an SSH tarpit. Available as
+          <link linkend="opt-services.endlessh.enable">services.endlessh</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://evcc.io">EVCC</link> is an EV charge
+          controller with PV integration. It supports a multitude of
+          chargers, meters, vehicle APIs and more and ties that together
+          with a well-tested backend and a lightweight web frontend.
+          Available as
+          <link linkend="opt-services.evcc.enable">services.evcc</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://www.expressvpn.com">expressvpn</link>,
+          the CLI client for ExpressVPN. Available as
+          <link linkend="opt-services.expressvpn.enable">services.expressvpn</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://freshrss.org/">FreshRSS</link>, a
+          free, self-hostable RSS feed aggregator. Available as
+          <link linkend="opt-services.freshrss.enable">services.freshrss</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://garagehq.deuxfleurs.fr/">Garage</link>,
+          a simple object storage server for geodistributed deployments,
+          alternative to MinIO. Available as
+          <link linkend="opt-services.garage.enable">services.garage</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/L11R/go-autoconfig">go-autoconfig</link>,
+          IMAP/SMTP autodiscover server. Available as
+          <link linkend="opt-services.go-autoconfig.enable">services.go-autoconfig</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://www.grafana.com/oss/tempo/">Grafana
+          Tempo</link>, a distributed tracing store. Available as
+          <link linkend="opt-services.tempo.enable">services.tempo</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://hbase.apache.org/">HBase
+          cluster</link>, a distributed, scalable, big data store.
+          Available as
+          <link xlink:href="options.html#opt-services.hadoop.hbase.enable">services.hadoop.hbase</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/leetronics/infnoise">infnoise</link>,
+          a hardware True Random Number Generator dongle. Available as
+          <link xlink:href="options.html#opt-services.infnoise.enable">services.infnoise</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/jtroo/kanata">kanata</link>,
+          a tool to improve keyboard comfort and usability with advanced
+          customization. Available as
+          <link xlink:href="options.html#opt-services.kanata.enable">services.kanata</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/prymitive/karma">karma</link>,
+          an alert dashboard for Prometheus Alertmanager. Available as
+          <link xlink:href="options.html#opt-services.karma.enable">services.karma</link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://komga.org/">Komga</link>, a free and
+          open source comics/mangas media server. Available as
+          <link linkend="opt-services.komga.enable">services.komga</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/prymitive/kthxbye">kthxbye</link>,
+          an alert acknowledgement management daemon for Prometheus
+          Alertmanager. Available as
+          <link xlink:href="options.html#opt-services.kthxbye.enable">services.kthxbye</link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://languagetool.org/">languagetool</link>,
+          a multilingual grammar, style, and spell checker. Available as
+          <link xlink:href="options.html#opt-services.languagetool.enable">services.languagetool</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://listmonk.app">Listmonk</link>, a
+          self-hosted newsletter manager. Enable using
+          <link xlink:href="options.html#opt-services.listmonk.enable">services.listmonk</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://mepo.milesalan.com">Mepo</link>, a
+          fast, simple, hackable OSM map viewer for mobile and desktop
+          Linux. Available as
+          <link linkend="opt-programs.mepo.enable">programs.mepo.enable</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://troglobit.com/projects/merecat/">merecat</link>,
+          a small and easy HTTP server based on thttpd. Available as
+          <link linkend="opt-services.merecat.enable">services.merecat</link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://netbird.io">netbird</link>, a zero
+          configuration VPN. Available as
+          <link xlink:href="options.html#opt-services.netbird.enable">services.netbird</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://ntfy.sh">ntfy.sh</link>, a push
+          notification service. Available as
+          <link linkend="opt-services.ntfy-sh.enable">services.ntfy-sh</link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://gitlab.com/CalcProgrammer1/OpenRGB/-/tree/master">OpenRGB</link>,
+          a FOSS tool for controlling RGB lighting. Available as
+          <link xlink:href="options.html#opt-services.hardware.openrgb.enable">services.hardware.openrgb.enable</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://www.getoutline.com/">Outline</link>,
+          a wiki and knowledge base similar to Notion. Available as
+          <link linkend="opt-services.outline.enable">services.outline</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/zalando/patroni">Patroni</link>,
+          a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
+          Available as
+          <link xlink:href="options.html#opt-services.patroni.enable">services.patroni</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/aiberia/persistent-evdev">persistent-evdev</link>,
+          a daemon to add virtual proxy devices that mirror a physical
+          input device but persist even if the underlying hardware is
+          hot-plugged. Available as
+          <link linkend="opt-services.persistent-evdev.enable">services.persistent-evdev</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/edneville/please">Please</link>,
+          a Sudo clone written in Rust. Available as
+          <link linkend="opt-security.please.enable">security.please</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/prometheus-community/ipmi_exporter">Prometheus
+          IPMI exporter</link>, an IPMI exporter for Prometheus.
+          Available as
+          <link linkend="opt-services.prometheus.exporters.ipmi.enable">services.prometheus.exporters.ipmi</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/messagebird/sachet/">Sachet</link>,
+          an SMS alerting tool for the Prometheus Alertmanager.
+          Available as
+          <link linkend="opt-services.prometheus.sachet.enable">services.prometheus.sachet</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://schleuder.org/">schleuder</link>, a
+          mailing list manager with PGP support. Enable using
+          <link linkend="opt-services.schleuder.enable">services.schleuder</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/mozilla-services/syncstorage-rs">syncstorage-rs</link>,
+          a self-hostable sync server for Firefox. Available as
+          <link xlink:href="options.html#opt-services.firefox-syncserver.enable">services.firefox-syncserver</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://tandoor.dev">Tandoor Recipes</link>,
+          a self-hosted multi-tenant recipe collection. Available as
+          <link xlink:href="options.html#opt-services.tandoor-recipes.enable">services.tandoor-recipes</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="http://www.litech.org/tayga/">TAYGA</link>,
+          an out-of-kernel stateless NAT64 implementation. Available as
+          <link linkend="opt-services.tayga.enable">services.tayga</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/tmate-io/tmate-ssh-server">tmate-ssh-server</link>,
+          server side part of
+          <link xlink:href="https://tmate.io/">tmate</link>. Available
+          as
+          <link linkend="opt-services.tmate-ssh-server.enable">services.tmate-ssh-server</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://uptime.kuma.pet/">Uptime
+          Kuma</link>, a fancy self-hosted monitoring tool. Available as
+          <link linkend="opt-services.uptime-kuma.enable">services.uptime-kuma</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://writefreely.org">WriteFreely</link>,
+          a simple blogging platform with ActivityPub support. Available
+          as
+          <link xlink:href="options.html#opt-services.writefreely.enable">services.writefreely</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/XTLS/Xray-core">xray</link>,
+          a fully compatible v2ray-core replacement. Features XTLS,
+          which when enabled on server and client, brings UDP FullCone
+          NAT to proxy setups. Available as
+          <link xlink:href="options.html#opt-services.xray.enable">services.xray</link>.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
 </section>
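Review bot: The New Services list added here mixes two ways of linking to options: most entries use linkend="opt-…", while others (appvm, kanata, xray and more) use xlink:href="options.html#opt-…". The first is an ID reference inside the manual and the second is a plain relative URL, so pick one form, preferably linkend, for all entries. Smaller points in the same hunk: the automatic-timezoned link is followed by "." where the other entries use ","; the karma, kthxbye, merecat and ntfy-sh entries lack a final period; and "leading to less rebuilds of haskell dependencies" should read "fewer rebuilds of Haskell dependencies".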
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index 51dafd38c1ac2..0fd0382998c20 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -13,7 +13,9 @@
     <itemizedlist spacing="compact">
       <listitem>
         <para>
-          Create the first release note entry in this section!
+          Cinnamon has been updated to 5.6, see
+          <link xlink:href="https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204">the
+          pull request</link> for what is changed.
         </para>
       </listitem>
     </itemizedlist>
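Review bot: The Cinnamon entry ends with "for what is changed"; "for what has changed" reads correctly. Naming one or two user-visible changes inline would also spare readers from opening the pull request to learn whether the update affects them.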
@@ -23,27 +25,134 @@
     <itemizedlist spacing="compact">
       <listitem>
         <para>
-          Create the first release note entry in this section!
+          <link xlink:href="https://github.com/junegunn/fzf">fzf</link>,
+          a command line fuzzyfinder. Available as
+          <link linkend="opt-programs.fzf.fuzzyCompletion">programs.fzf</link>.
         </para>
       </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-23.05-incompatibilities">
     <title>Backward Incompatibilities</title>
-    <itemizedlist spacing="compact">
+    <itemizedlist>
+      <listitem>
+        <para>
+          <literal>carnix</literal> and <literal>cratesIO</literal> has
+          been removed due to being unmaintained, use alternatives such
+          as
+          <link xlink:href="https://github.com/nix-community/naersk">naersk</link>
+          and
+          <link xlink:href="https://github.com/kolloch/crate2nix">crate2nix</link>
+          instead.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The EC2 image module no longer fetches instance metadata in
+          stage-1. This results in a significantly smaller initramfs,
+          since network drivers no longer need to be included, and
+          faster boots, since metadata fetching can happen in parallel
+          with startup of other services. This breaks services which
+          rely on metadata being present by the time stage-2 is entered.
+          Anything which reads EC2 metadata from
+          <literal>/etc/ec2-metadata</literal> should now have an
+          <literal>after</literal> dependency on
+          <literal>fetch-ec2-metadata.service</literal>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>services.sourcehut.dispatch</literal> and the
+          corresponding package
+          (<literal>sourcehut.dispatchsrht</literal>) have been removed
+          due to
+          <link xlink:href="https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/">upstream
+          deprecation</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The EC2 image module previously detected and automatically
+          mounted ext3-formatted instance store devices and partitions
+          in stage-1 (initramfs), storing <literal>/tmp</literal> on the
+          first discovered device. This behaviour, which only catered to
+          very specific use cases and could not be disabled, has been
+          removed. Users relying on this should provide their own
+          implementation, and probably use ext4 and perform the mount in
+          stage-2.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The EC2 image module previously detected and activated
+          swap-formatted instance store devices and partitions in
+          stage-1 (initramfs). This behaviour has been removed. Users
+          relying on this should provide their own implementation.
+        </para>
+      </listitem>
       <listitem>
         <para>
-          Create the first release note entry in this section!
+          Qt 5.12 and 5.14 have been removed, as the corresponding
+          branches have been EOL upstream for a long time. This affected
+          under 10 packages in nixpkgs, largely unmaintained upstream as
+          well, however, out-of-tree package expressions may need to be
+          updated manually.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>nix.readOnlyStore</literal> option has been
+          renamed to <literal>boot.readOnlyNixStore</literal> to clarify
+          that it configures the NixOS boot process, not the Nix daemon.
         </para>
       </listitem>
     </itemizedlist>
   </section>
   <section xml:id="sec-release-23.05-notable-changes">
     <title>Other Notable Changes</title>
-    <itemizedlist spacing="compact">
+    <itemizedlist>
+      <listitem>
+        <para>
+          The module for the application firewall
+          <literal>opensnitch</literal> got the ability to configure
+          rules. Available as
+          <link linkend="opt-services.opensnitch.rules">services.opensnitch.rules</link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>services.mastodon</literal> gained a tootctl wrapped
+          named <literal>mastodon-tootctl</literal> similar to
+          <literal>nextcloud-occ</literal> which can be executed from
+          any user and switches to the configured mastodon user with
+          sudo and sources the environment variables.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          A new <literal>virtualisation.rosetta</literal> module was
+          added to allow running <literal>x86_64</literal> binaries
+          through
+          <link xlink:href="https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment">Rosetta</link>
+          inside virtualised NixOS guests on Apple silicon. This feature
+          works by default with the
+          <link xlink:href="https://docs.getutm.app/">UTM</link>
+          virtualisation
+          <link xlink:href="https://search.nixos.org/packages?channel=unstable&amp;show=utm&amp;from=0&amp;size=1&amp;sort=relevance&amp;type=packages&amp;query=utm">package</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Resilio sync secret keys can now be provided using a secrets
+          file at runtime, preventing these secrets from ending up in
+          the Nix store.
+        </para>
+      </listitem>
       <listitem>
         <para>
-          Create the first release note entry in this section!
+          The <literal>unifi-poller</literal> package and corresponding
+          NixOS module have been renamed to <literal>unpoller</literal>
+          to match upstream.
         </para>
       </listitem>
     </itemizedlist>
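Review bot: In the services.mastodon entry, "gained a tootctl wrapped named" should be "wrapper", and "can be executed from any user and switches to the configured mastodon user with sudo" should state whether the calling user needs sudo rights, since as written it suggests any local user can act as the mastodon user. Other points in this hunk: "carnix and cratesIO has been removed" needs "have"; the fetch-ec2-metadata.service and services.opensnitch.rules entries lack a final period; and the fzf link text says programs.fzf while its linkend targets opt-programs.fzf.fuzzyCompletion, so the link text should name the option it actually points to.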
diff --git a/nixos/doc/manual/installation/installing-from-other-distro.section.md b/nixos/doc/manual/installation/installing-from-other-distro.section.md
index fa8806f791d52..b9ccf1415179e 100644
--- a/nixos/doc/manual/installation/installing-from-other-distro.section.md
+++ b/nixos/doc/manual/installation/installing-from-other-distro.section.md
@@ -148,7 +148,7 @@ The first steps to all these are the same:
     Generate your NixOS configuration:
 
     ```ShellSession
-    $ sudo `which nixos-generate-config` --root /
+    $ sudo `which nixos-generate-config`
     ```
 
     Note that this will place the generated configuration files in
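Review bot: The `--root /` argument is dropped from the nixos-generate-config line, but the sentence that follows ("Note that this will place the generated configuration files in …") still describes where the output lands. Confirm that sentence matches the command's default target now that the root is no longer passed explicitly, and adjust it if not.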
diff --git a/nixos/doc/manual/installation/upgrading.chapter.md b/nixos/doc/manual/installation/upgrading.chapter.md
index 2644979bc9db2..249bcd97cec84 100644
--- a/nixos/doc/manual/installation/upgrading.chapter.md
+++ b/nixos/doc/manual/installation/upgrading.chapter.md
@@ -6,7 +6,7 @@ expressions and associated binaries. The NixOS channels are updated
 automatically from NixOS's Git repository after certain tests have
 passed and all packages have been built. These channels are:
 
--   *Stable channels*, such as [`nixos-22.05`](https://nixos.org/channels/nixos-22.05).
+-   *Stable channels*, such as [`nixos-22.11`](https://nixos.org/channels/nixos-22.05).
     These only get conservative bug fixes and package upgrades. For
     instance, a channel update may cause the Linux kernel on your system
     to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
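Review bot: On the changed "Stable channels" line, the link text was bumped to nixos-22.11 but the target is still https://nixos.org/channels/nixos-22.05, so readers who click it land on the old channel. Update the URL to https://nixos.org/channels/nixos-22.11 so the text and the link agree.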
@@ -19,7 +19,7 @@ passed and all packages have been built. These channels are:
     radical changes between channel updates. It's not recommended for
     production systems.
 
--   *Small channels*, such as [`nixos-22.05-small`](https://nixos.org/channels/nixos-22.05-small)
+-   *Small channels*, such as [`nixos-22.11-small`](https://nixos.org/channels/nixos-22.05-small)
     or [`nixos-unstable-small`](https://nixos.org/channels/nixos-unstable-small).
     These are identical to the stable and unstable channels described above,
     except that they contain fewer binary packages. This means they get updated
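Review bot: Same mismatch on the changed "Small channels" line: the text says nixos-22.11-small while the link still targets https://nixos.org/channels/nixos-22.05-small. Point it at https://nixos.org/channels/nixos-22.11-small.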
@@ -38,8 +38,8 @@ newest supported stable release.
 
 When you first install NixOS, you're automatically subscribed to the
 NixOS channel that corresponds to your installation source. For
-instance, if you installed from a 22.05 ISO, you will be subscribed to
-the `nixos-22.05` channel. To see which NixOS channel you're subscribed
+instance, if you installed from a 22.11 ISO, you will be subscribed to
+the `nixos-22.11` channel. To see which NixOS channel you're subscribed
 to, run the following as root:
 
 ```ShellSession
@@ -54,16 +54,16 @@ To switch to a different NixOS channel, do
 ```
 
 (Be sure to include the `nixos` parameter at the end.) For instance, to
-use the NixOS 22.05 stable channel:
+use the NixOS 22.11 stable channel:
 
 ```ShellSession
-# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos
+# nix-channel --add https://nixos.org/channels/nixos-22.11 nixos
 ```
 
 If you have a server, you may want to use the "small" channel instead:
 
 ```ShellSession
-# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos
+# nix-channel --add https://nixos.org/channels/nixos-22.11-small nixos
 ```
 
 And if you want to live on the bleeding edge:
@@ -114,5 +114,5 @@ the new generation contains a different kernel, initrd or kernel
 modules. You can also specify a channel explicitly, e.g.
 
 ```nix
-system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05;
+system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.11;
 ```
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index 5cb3731071f32..1ff2e826c6018 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -427,7 +427,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The `services.ddclient.password` option was removed, and replaced with `services.ddclient.passwordFile`.
 
-- The default GNAT version has been changed: The `gnat` attribute now points to `gnat11`
+- The default GNAT version has been changed: The `gnat` attribute now points to `gnat12`
   instead of `gnat9`.
 
 - `retroArchCores` has been removed. This means that using `nixpkgs.config.retroarch` to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example: `retroarch.override { cores = with libretro; [ citra snes9x ]; };`. Also, `retroarchFull` derivation is available for those who want to have all RetroArch cores available.
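Review bot: The gnat11 to gnat12 change lands in rl-2111.section.md, the notes for the already published 21.11 release, which alters the record of a past release. If the default moved to gnat12 in 22.11, record that in rl-2211.section.md and leave this line as it was; if the edit is intentional, the reason should be given.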
diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md
index 81aef68a716f3..cbede784f069a 100644
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@@ -1,167 +1,87 @@
-# Release 22.11 (“Raccoon”, 2022.11/??) {#sec-release-22.11}
+# Release 22.11 (“Raccoon”, 2022.11/30) {#sec-release-22.11}
 
-Support is planned until the end of June 2023, handing over to 23.05.
+The NixOS release team is happy to announce a new version of NixOS 22.11. NixOS is a Linux distribution, whose set of packages can also be used on other Linux systems and macOS.
 
-## Highlights {#sec-release-22.11-highlights}
-
-In addition to numerous new and upgraded packages, this release has the following highlights:
-
-- GNOME has been upgraded to 43. Please take a look at their [Release
-  Notes](https://release.gnome.org/43/) for details.
-
-- During cross-compilation, tests are now executed if the test suite can be executed
-  by the build platform. This is the case when doing “native” cross-compilation
-  where the build and host platforms are largely the same, but the nixpkgs' cross
-  compilation infrastructure is used, e.g. `pkgsStatic` and `pkgsLLVM`. Another
-  possibility is that the build platform is a superset of the host platform, e.g. when
-  cross-compiling from `x86_64-unknown-linux` to `i686-unknown-linux`.
-  The predicate gating test suite execution is the newly added `canExecute`
-  predicate: You can e.g. check if `stdenv.buildPlatform` can execute binaries
-  built for `stdenv.hostPlatform` (i.e. produced by `stdenv.cc`) by evaluating
-  `stdenv.buildPlatform.canExecute stdenv.hostPlatform`.
-
-- The `nixpkgs.hostPlatform` and `nixpkgs.buildPlatform` options have been added.
-  These cover and override the `nixpkgs.{system,localSystem,crossSystem}` options.
-
-   - `hostPlatform` is the platform or "`system`" string of the NixOS system
-     described by the configuration.
-   - `buildPlatform` is the platform that is responsible for building the NixOS
-     configuration. It defaults to the `hostPlatform`, for a non-cross
-     build configuration. To cross compile, set `buildPlatform` to a different
-     value.
-
-  The new options convey the same information, but with fewer options, and
-  following the Nixpkgs terminology.
-
-  The existing options `nixpkgs.{system,localSystem,crossSystem}` have not
-  been formally deprecated, to allow for evaluation of the change and to allow
-  for a transition period so that in time the ecosystem can switch without
-  breaking compatibility with any supported NixOS release.
-
-- `emacs` enables native compilation which means:
-  - emacs packages from nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine;
-  - emacs packages from somewhere else, e.g. `package-install`, will do asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use `(setq native-comp-deferred-compilation nil)` to disable it while still enjoy the benefit of native compilation for packages from nixpkgs.
-
-- `nixos-generate-config` now generates configurations that can be built in pure
-  mode. This is achieved by setting the new `nixpkgs.hostPlatform` option.
-
-  You may have to unset the `system` parameter in `lib.nixosSystem`, or similarly
-  remove definitions of the `nixpkgs.{system,localSystem,crossSystem}` options.
-
-  Alternatively, you can remove the `hostPlatform` line and use NixOS like you
-  would in NixOS 22.05 and earlier.
-
-- PHP now defaults to PHP 8.1, updated from 8.0.
-
-- PHP is now built `NTS` (Non-Thread Safe) style by default, for Apache and
-  `mod_php` usage we still enable `ZTS` (Zend Thread Safe). This has been a
-  common practice for a long time in other distributions.
-
-- PHP 8.2.0 RC 6 is available.
-
-- `protonup` has been aliased to and replaced by `protonup-ng` due to upstream not maintaining it.
-
-- Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default.
-
-- Improved performances of `lib.closePropagation` which was previously quadratic. This is used in e.g. `ghcWithPackages`. Please see backward incompatibilities notes below.
-
-- Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to
-  blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream.
-
-- OpenSSL now defaults to OpenSSL 3, updated from 1.1.1.
-
-- An image configuration and generator has been added for Linode images, largely based on the present GCE configuration and image.
-
-- `hardware.nvidia` has a new option `open` that can be used to opt in the opensource version of NVIDIA kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [NVIDIA Releases Open-Source GPU Kernel Modules](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for the official announcement.
-
-<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-
-## New Services {#sec-release-22.11-new-services}
-
-- [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable).
-
-- [automatic-timezoned](https://github.com/maxbrunet/automatic-timezoned). a Linux daemon to automatically update the system timezone based on location. Available as [services.automatic-timezoned](#opt-services.automatic-timezoned.enable).
+This release is supported until the end of June 2023, handing over to NixOS 23.05.
 
-- [xray] (https://github.com/XTLS/Xray-core), a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as [services.xray](options.html#opt-services.xray.enable).
+To upgrade to the latest release follow the [upgrade chapter](#sec-upgrading).
 
-- [syncstorage-rs](https://github.com/mozilla-services/syncstorage-rs), a self-hostable sync server for Firefox. Available as [services.firefox-syncserver](options.html#opt-services.firefox-syncserver.enable).
-
-- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable).
-
-- [Komga](https://komga.org/), a free and open source comics/mangas media server. Available as [services.komga](#opt-services.komga.enable).
-
-- [Tandoor Recipes](https://tandoor.dev), a self-hosted multi-tenant recipe collection. Available as [services.tandoor-recipes](options.html#opt-services.tandoor-recipes.enable).
-
-- [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable).
-
-- [Please](https://github.com/edneville/please), a Sudo clone written in Rust. Available as [security.please](#opt-security.please.enable)
+## Highlights {#sec-release-22.11-highlights}
 
-- [Sachet](https://github.com/messagebird/sachet/), an SMS alerting tool for the Prometheus Alertmanager. Available as [services.prometheus.sachet](#opt-services.prometheus.sachet.enable).
+In addition to numerous new and upgraded packages, this release includes the following highlights:
 
-- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.
-  Available as [services.infnoise](options.html#opt-services.infnoise.enable).
+- Software that uses the `crypt` password hashing API is now using the implementation provided by [`libxcrypt`](https://github.com/besser82/libxcrypt) instead of glibc's, which enables support for more secure algorithms.
+  - Support for algorithms that `libxcrypt` [does not consider strong](https://github.com/besser82/libxcrypt/blob/v4.4.28/lib/hashes.conf#L41) are **deprecated** as of this release, and will be removed in NixOS 23.05.
+  - This includes system login passwords. Given this, we **strongly encourage** all users to update their system passwords, as you will be unable to login if password hashes are not migrated by the time their support is removed.
+    - When using `users.users.<name>.hashedPassword` to configure user passwords, run `mkpasswd`, and use the yescrypt hash that is provided as the new value.
+    - On the other hand, for interactively configured user passwords, simply re-set the passwords for all users with `passwd`.
+    - This release introduces warnings for the use of deprecated hash algorithms for both methods of configuring passwords. To make sure you migrated correctly, run `nixos-rebuild switch`.
 
-- [kthxbye](https://github.com/prymitive/kthxbye), an alert acknowledgement management daemon for Prometheus Alertmanager. Available as [services.kthxbye](options.html#opt-services.kthxbye.enable)
+- The NixOS documentation is now generated from markdown. While docbook is still part of the documentation build process, it's a big step towards the full migration.
 
-- [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization.
-  Available as [services.kanata](options.html#opt-services.kanata.enable).
+- `aarch64-linux` is now included in the `nixos-22.11` and `nixos-22.11-small` channels. This means that when those channel update, both `x86_64-linux` and `aarch64-linux` will be available in the binary cache.
 
-- [karma](https://github.com/prymitive/karma), an alert dashboard for Prometheus Alertmanager. Available as [services.karma](options.html#opt-services.karma.enable)
+- `aarch64-linux` ISOs are now available on the [downloads page](https://nixos.org/download.html).
 
-- [languagetool](https://languagetool.org/), a multilingual grammar, style, and spell checker.
-  Available as [services.languagetool](options.html#opt-services.languagetool.enable).
+- `nsncd` is now available as a replacement of `nscd`.
 
-- [OpenRGB](https://gitlab.com/CalcProgrammer1/OpenRGB/-/tree/master), a FOSS tool for controlling RGB lighting. Available as [services.hardware.openrgb.enable](options.html#opt-services-hardware-openrgb-enable).
+  `nscd` is responsible for resolving hostnames, users and more in NixOS and has been a long standing source of bugs, such as sporadic network freezes.
 
-- [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable).
+  More context in this [issue](https://github.com/NixOS/nixpkgs/issues/135888).
 
-- [ntfy.sh](https://ntfy.sh), a push notification service. Available as [services.ntfy-sh](#opt-services.ntfy-sh.enable)
+  Help us test the new implementation by setting `services.nscd.enableNsncd` to `true`.
 
-- [alps](https://git.sr.ht/~migadu/alps), a simple and extensible webmail. Available as [services.alps](#opt-services.alps.enable).
+  We plan to use `nsncd` by default in NixOS 23.05.
 
-- [endlessh](https://github.com/skeeto/endlessh), an SSH tarpit. Available as [services.endlessh](#opt-services.endlessh.enable).
+- Linode cloud images are now supported by importing `${modulesPath}/virtualisation/linode-image.nix` and accessing `system.build.linodeImage` on the output.
 
-- [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable).
+- `hardware.nvidia` has a new option, `hardware.nvidia.open`, that can be used to enable the usage of NVIDIA's open-source kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [the release announcement](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for more information.
 
-- [Garage](https://garagehq.deuxfleurs.fr/), a simple object storage server for geodistributed deployments, alternative to MinIO. Available as [services.garage](#opt-services.garage.enable).
+- The `emacs` package now makes use of native compilation which means:
+  - Emacs packages from Nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine;
+  - Emacs packages from somewhere else, e.g. `package-install`, will perform asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use `(setq native-comp-deferred-compilation nil)` to disable it while still benefiting from native compilation for packages from Nixpkgs.
 
-- [netbird](https://netbird.io), a zero configuration VPN.
-  Available as [services.netbird](options.html#opt-services.netbird.enable).
+## Internal changes {#sec-release-22.11-internal}
 
-- [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable).
+- Haskell `ghcWithPackages` is now up to 15 times faster to evaluate, thanks to changing `lib.closePropagation` from a quadratic to linear complexity. Please see backward incompatibilities notes below. <https://github.com/NixOS/nixpkgs/pull/194391>
 
-- [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable).
+- For cross-compilation targets that can also run on the building machine, we now run tests. This, for example, is the case for the `pkgsStatic` and `pkgsLLVM` package sets or i686 packages on `x86_64` machines.
 
-- [Dolibarr](https://www.dolibarr.org/), an enterprise resource planning and customer relationship manager. Enable using [services.dolibarr](#opt-services.dolibarr.enable).
+- To simplify cross-compilation in NixOS, this release introduces the `nixpkgs.hostPlatform` and `nixpkgs.buildPlatform` options. These cover and override the `nixpkgs.{system,localSystem,crossSystem}` options.
 
-- [FreshRSS](https://freshrss.org/), a free, self-hostable RSS feed aggregator. Available as [services.freshrss](#opt-services.freshrss.enable).
-
-- [expressvpn](https://www.expressvpn.com), the CLI client for ExpressVPN. Available as [services.expressvpn](#opt-services.expressvpn.enable).
+   - `hostPlatform` is the platform or "`system`" string of the NixOS system
+     described by the configuration.
+   - `buildPlatform` is the platform that is responsible for building the NixOS
+     configuration. It defaults to the `hostPlatform`, for a non-cross
+     build configuration. To cross compile, set `buildPlatform` to a different
+     value.
 
-- [merecat](https://troglobit.com/projects/merecat/), a small and easy HTTP server based on thttpd. Available as [services.merecat](#opt-services.merecat.enable)
+  The new options convey the same information, but with fewer options, and
+  following the Nixpkgs terminology.
 
-- [go-autoconfig](https://github.com/L11R/go-autoconfig), IMAP/SMTP autodiscover server. Available as [services.go-autoconfig](#opt-services.go-autoconfig.enable).
+  The existing options `nixpkgs.{system,localSystem,crossSystem}` have not
+  been formally deprecated, to allow for evaluation of the change and to allow
+  for a transition period so that in time the ecosystem can switch without
+  breaking compatibility with any supported NixOS release.
 
-- [tmate-ssh-server](https://github.com/tmate-io/tmate-ssh-server), server side part of [tmate](https://tmate.io/). Available as [services.tmate-ssh-server](#opt-services.tmate-ssh-server.enable).
+## Notable version updates {#sec-release-22.11-version-updates}
 
-- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable).
+- Nix has been upgraded from v2.8.1 to v2.11.0. For more information, please see the release notes for [2.9](https://nixos.org/manual/nix/stable/release-notes/rl-2.9.html), [2.10](https://nixos.org/manual/nix/stable/release-notes/rl-2.10.html) and [2.11](https://nixos.org/manual/nix/stable/release-notes/rl-2.11.html).
 
-- [AusweisApp2](https://www.ausweisapp.bund.de/), the authentication software for the German ID card. Available as [programs.ausweisapp](#opt-programs.ausweisapp.enable).
+- OpenSSL now defaults to OpenSSL 3, updated from 1.1.1.
 
-- [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
-Available as [services.patroni](options.html#opt-services.patroni.enable).
+- GNOME has been upgraded to version 43. Please see the [release notes](https://release.gnome.org/43/) for details.
 
-- [Prometheus IPMI exporter](https://github.com/prometheus-community/ipmi_exporter), an IPMI exporter for Prometheus. Available as [services.prometheus.exporters.ipmi](#opt-services.prometheus.exporters.ipmi.enable).
+- KDE Plasma has been upgraded from v5.24 to v5.26. Please see the release notes for [v5.25](https://kde.org/announcements/plasma/5/5.25.0/) and [v5.26](https://kde.org/announcements/plasma/5/5.26.0/) for more details on the included changes.
 
-- [WriteFreely](https://writefreely.org), a simple blogging platform with ActivityPub support. Available as [services.writefreely](options.html#opt-services.writefreely.enable).
+- Cinnamon has been updated to 5.4, and the Cinnamon module now defaults to
+  Blueman as the Bluetooth manager and slick-greeter as the LightDM greeter, to match upstream.
 
-- [Listmonk](https://listmonk.app), a self-hosted newsletter manager. Enable using [services.listmonk](options.html#opt-services.listmonk.enable).
-
-- [Uptime Kuma](https://uptime.kuma.pet/), a fancy self-hosted monitoring tool. Available as [services.uptime-kuma](#opt-services.uptime-kuma.enable).
+- PHP now defaults to PHP 8.1, updated from 8.0.
 
-- [Mepo](https://mepo.milesalan.com), a fast, simple, hackable OSM map viewer for mobile and desktop Linux. Available as [programs.mepo.enable](#opt-programs.mepo.enable).
+- Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default.
 
-<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+- Python now defaults to 3.10, updated from 3.9.
 
 ## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
 
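Review bot: The verification step that closes the `libxcrypt` highlight ("To make sure you migrated correctly, run `nixos-rebuild switch`") does not say what a successful result looks like. The sentence before it says this release warns about deprecated hash algorithms, so state that the rebuild should complete without any such warning. In the same bullet, "unable to login" should be "unable to log in"; elsewhere in the added text, "when those channel update" should be "channels" and "on you machine" should be "your machine". The removed `nixos-generate-config` item also told users they may have to unset the `system` parameter in `lib.nixosSystem`. The new `nixpkgs.hostPlatform` entry in the visible lines no longer carries that action, so consider keeping a sentence for it.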
@@ -170,18 +90,17 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 - The `isCompatible` predicate checking CPU compatibility is no longer exposed
   by the platform sets generated using `lib.systems.elaborate`. In most cases
   you will want to use the new `canExecute` predicate instead which also
-  considers the kernel / syscall interface. It is briefly described in the
-  release's [highlights section](#sec-release-22.11-highlights).
+  takes the kernel / syscall interface into account.
   `lib.systems.parse.isCompatible` still exists, but has changed semantically:
   Architectures with differing endianness modes are *no longer considered compatible*.
 
 - `ngrok` has been upgraded from 2.3.40 to 3.0.4. Please see [the upgrade guide](https://ngrok.com/docs/guides/upgrade-v2-v3)
   and [changelog](https://ngrok.com/docs/ngrok-agent/changelog). Notably, breaking changes are that the config file format has
-  changed and support for single hypen arguments was dropped.
+  changed and support for single hyphen arguments was dropped.
 
-- `i18n.supportedLocales` is now by default only generated with the locales set in `i18n.defaultLocale` and `i18n.extraLocaleSettings`.
-  This got partially copied over from the minimal profile and reduces the final system size by up to 200MB.
-  If you require all locales installed set the option to ``[ "all" ]``.
+- `i18n.supportedLocales` is now only generated with the locales set in `i18n.defaultLocale` and `i18n.extraLocaleSettings`.
+  - This reduces the final system closure size by up to 200MB.
+  - If you require all locales installed, set the option to ``[ "all" ]``.
 
 - Deprecated settings `logrotate.paths` and `logrotate.extraConfig` have
   been removed. Please convert any uses to
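Review bot: Dropping "by default" from the `i18n.supportedLocales` entry makes it read as if the option can no longer be overridden, while the sub-bullet directly below tells users to set it to `[ "all" ]`. Suggest keeping the qualifier, for example "now defaults to the locales set in `i18n.defaultLocale` and `i18n.extraLocaleSettings`". The rewrite also drops the remark that this was partially copied from the minimal profile, which is fine if intentional.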
@@ -193,7 +112,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 
 - The `fetchgit` fetcher supports sparse checkouts via the `sparseCheckout` option. This used to accept a multi-line string with directories/patterns to check out, but now requires a list of strings.
 
-- `openssh` was updated to version 9.1, disabling the generation of DSA keys when using `ssh-keygen -A` as they are insecure. Also, `SetEnv` directives in `ssh_config` and `sshd_config` are now first-match-wins
+- `openssh` was updated to version 9.1, disabling the generation of DSA keys when using `ssh-keygen -A` as they are insecure. Also, `SetEnv` directives in `ssh_config` and `sshd_config` are now first-match-wins.
 
 - `bsp-layout` no longer uses the command `cycle` to switch to other window layouts, as it got replaced by the commands `previous` and `next`.
 
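Review bot: The `openssh` entry still packs two unrelated changes into one bullet: DSA key generation being disabled for `ssh-keygen -A`, and `SetEnv` directives in `ssh_config` and `sshd_config` becoming first-match-wins. A change in which `SetEnv` directive takes effect is easy to miss behind the DSA sentence, so give it its own bullet and say what users who repeat a variable across `SetEnv` lines should check.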
@@ -206,11 +125,11 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 
 - The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead.
 
-- The `openssl`-extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if
+- The OpenSSL extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if
   [](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html)
-  don't loose access to their files.
+  don't lose access to their files.
 
-  In any other case it's safe to use OpenSSL 3 for PHP's openssl extension. This can be done by setting
+  In any other case, it's safe to use OpenSSL 3 for PHP's OpenSSL extension. This can be done by setting
   [](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`.
 
 - The `coq` package and versioned variants starting at `coq_8_14` no
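Review bot: The two option links in this entry, `[](#opt-system.stateVersion)` and `[](#opt-services.nextcloud.enableBrokenCiphersForSSE)`, keep their empty link text, while the Grafana entries later in this patch are changed to carry the option name as link text. If the empty form no longer renders the option name, fill these in the same way. If it still does, the Grafana change is unnecessary. Either way the file should use one form.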
@@ -229,6 +148,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 - Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues.
   Users who still wish to remain using GTK can do so by using `emacs-gtk`.
 
+- `kanidm` has been updated to 1.1.0-alpha.10 and now requires a TLS certificate and key. It will always start `https` and-–-if enabled-–-an LDAPS server and no HTTP and LDAP server anymore.
+
 - riak package removed along with `services.riak` module, due to lack of maintainer to update the package.
 
 - ppd files in `pkgs.cups-drv-rastertosag-gdi` are now gzipped.  If you refer to such a ppd file with its path (e.g. via [hardware.printers.ensurePrinters](options.html#opt-hardware.printers.ensurePrinters)) you will need to append `.gz` to the path.
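Review bot: The added `kanidm` line contains a garbled dash sequence ("and-–-if enabled-–-an") and is hard to parse. Suggest: "It now always serves HTTPS and, if enabled, LDAPS; plain HTTP and LDAP servers are no longer started." Since a TLS certificate and key are now required, naming the module options that take them would save readers a search.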
@@ -294,7 +215,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 
 - The `zrepl` package has been updated from 0.5.0 to 0.6.0. See the [changelog](https://zrepl.github.io/changelog.html) for details.
 
-- `k3s` no longer supports docker as runtime due to upstream dropping support.
+- `k3s` no longer supports Docker as runtime due to upstream dropping support.
 
 - `cassandra_2_1` and `cassandra_2_2` have been removed. Please update to `cassandra_3_11` or `cassandra_3_0`. See the [changelog](https://github.com/apache/cassandra/blob/cassandra-3.11.14/NEWS.txt) for more information about the upgrade process.
 
@@ -318,7 +239,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 
   For further information, please read the upstream changelogs.
 
-- `stylua` no longer accepts `lua52Support` and `luauSupport` overrides, use `features` instead, which defaults to `[ "lua54" "luau" ]`.
+- `stylua` no longer accepts `lua52Support` and `luauSupport` overrides. Use `features` instead, which defaults to `[ "lua54" "luau" ]`.
 
 - `ocamlPackages.ocaml_extlib` has been renamed to `ocamlPackages.extlib`.
 
@@ -343,23 +264,29 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 
 ## Other Notable Changes {#sec-release-22.11-notable-changes}
 
-- `firefox`, `thunderbird` and `librewolf` come with enabled Wayland support by default. The `firefox-wayland`, `firefox-esr-wayland`, `thunderbird-wayland` and `librewolf-wayland` attributes are obsolete and have been aliased to their generic attribute.
+- PHP is now built in `NTS` (Non-Thread Safe) mode by default.
+  - For Apache and `mod_php` usage, we enable `ZTS` (Zend Thread Safe) mode. This has been a
+  common practice for a long time in other distributions.
+
+- `firefox`, `thunderbird` and `librewolf` now come with Wayland support by default. The `firefox-wayland`, `firefox-esr-wayland`, `thunderbird-wayland` and `librewolf-wayland` attributes are obsolete and have been aliased to their generic attribute.
 
 - The `xplr` package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the [upstream release notes](https://github.com/sayanarijit/xplr/releases/tag/v0.19.0) for more details.
 
-- Configuring multiple GitHub runners is now possible through `services.github-runners.<name>`. The option `services.github-runner` remains.
+- Configuring multiple GitHub runners is now possible through `services.github-runners.<name>`. The options under `services.github-runner` remain, to configure a single runner.
 
 - `github-runner` gained support for ephemeral runners and registrations using a personal access token (PAT) instead of a registration token. See `services.github-runner.ephemeral` and `services.github-runner.tokenFile` for details.
 
-- A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`.
+- A new module was added to provide hardware support for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`.
 
-- ZFS module will not allow hibernation by default, this is a safety measure to prevent data loss cases like the ones described at [OpenZFS/260](https://github.com/openzfs/zfs/issues/260) and [OpenZFS/12842](https://github.com/openzfs/zfs/issues/12842). Use the `boot.zfs.allowHibernation` option to configure this behaviour.
+- ZFS module will no longer allow hibernation by default.
+  - This is a safety measure to prevent data loss cases like the ones described at [OpenZFS/260](https://github.com/openzfs/zfs/issues/260) and [OpenZFS/12842](https://github.com/openzfs/zfs/issues/12842).
+  - Use the `boot.zfs.allowHibernation` option to configure this behaviour.
 
-- `mastodon` now automatically removes remote media attachments older than 30 days. This is configurable through `services.mastodon.mediaAutoRemove`.
+- Mastodon now automatically removes remote media attachments older than 30 days. This is configurable through `services.mastodon.mediaAutoRemove`.
 
 - The Redis module now disables RDB persistence when `services.redis.servers.<name>.save = []` instead of using the Redis default.
 
-- Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance.
+- Neo4j was updated from version 3 to version 4. See upstream's [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) for information on how to migrate your instance.
 
 - The `networking.wireguard` module now can set the mtu on interfaces and tag its packets with an fwmark.
 
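Review bot: In the added PHP entry, the continuation line "common practice for a long time in other distributions." is indented two spaces, but it belongs to the nested "For Apache and `mod_php` usage" item, whose text starts at four spaces. Indent it to match, or keep the sub-item on one line as the ZFS sub-items in this hunk do. Also, "ZFS module will no longer allow hibernation by default" reads better as "The ZFS module ...", matching "The Redis module" a few lines below.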
@@ -369,9 +296,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 
 - The `polymc` package has been removed due to a rogue maintainer. It has been
   replaced by `prismlauncher`, a fork by the rest of the maintainers. For more
-  details, see [the pull request that made this
-  change](https://github.com/NixOS/nixpkgs/pull/196624) and [this issue
-  detailing the vulnerability](https://github.com/NixOS/nixpkgs/issues/196460).
+  details, see [the PR that made this change](https://github.com/NixOS/nixpkgs/pull/196624) and
+  [the issue detailing the vulnerability](https://github.com/NixOS/nixpkgs/issues/196460).
   Users with existing installations should rename `~/.local/share/polymc` to
   `~/.local/share/PrismLauncher`. The main config file's path has also moved
   from `~/.local/share/polymc/polymc.cfg` to
@@ -379,7 +305,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 
 - The `bloat` package has been updated from unstable-2022-03-31 to unstable-2022-10-25, which brings a breaking change. See [this upstream commit message](https://git.freesoftwareextremist.com/bloat/commit/?id=887ed241d64ba5db3fd3d87194fb5595e5ad7d73) for details.
 
-- The `services.matrix-synapse` systemd unit has been hardened.
+- Synapse's systemd unit has been hardened.
 
 - The module `services.grafana` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed:
   - The newly introduced option [](#opt-services.grafana.settings) is an attribute-set that
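Review bot: "Synapse's systemd unit has been hardened." drops the `services.matrix-synapse` name and still does not say what the hardening restricts. Keep the module name so the entry can be found by searching for the option, and add a pointer to the change or a short summary of the new restrictions, so users with non-default setups know what to check after upgrading.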
@@ -414,43 +340,45 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
     Alternatively you can also set all your values from `extraOptions` to
     `systemd.services.grafana.environment`, make sure you don't forget to add
     the `GF_` prefix though!
-  - Previously, the options [](#opt-services.grafana.provision.datasources) and
-    [](#opt-services.grafana.provision.dashboards) expected lists of datasources
+  - Previously, the options [services.grafana.provision.datasources](#opt-services.grafana.provision.datasources) and
+    [services.grafana.provision.dashboards](#opt-services.grafana.provision.dashboards) expected lists of datasources
     or dashboards for the [declarative provisioning](https://grafana.com/docs/grafana/latest/administration/provisioning/).
 
     To declare lists of
-    - **datasources**, please rename your declarations to [](#opt-services.grafana.provision.datasources.settings.datasources).
-    - **dashboards**, please rename your declarations to [](#opt-services.grafana.provision.dashboards.settings.providers).
+    - **datasources**, please rename your declarations to [services.grafana.provision.datasources.settings.datasources](#opt-services.grafana.provision.datasources.settings.datasources).
+    - **dashboards**, please rename your declarations to [services.grafana.provision.dashboards.settings.providers](#opt-services.grafana.provision.dashboards.settings.providers).
 
     This change was made to support more features for that:
 
     - It's possible to declare the `apiVersion` of your dashboards and datasources
-      by [](#opt-services.grafana.provision.datasources.settings.apiVersion) (or
-      [](#opt-services.grafana.provision.dashboards.settings.apiVersion)).
+      by [services.grafana.provision.datasources.settings.apiVersion](#opt-services.grafana.provision.datasources.settings.apiVersion) (or
+      [services.grafana.provision.dashboards.settings.apiVersion](#opt-services.grafana.provision.dashboards.settings.apiVersion)).
 
     - Instead of declaring datasources and dashboards in pure Nix, it's also possible
       to specify configuration files (or directories) with YAML instead using
-      [](#opt-services.grafana.provision.datasources.path) (or
-      [](#opt-services.grafana.provision.dashboards.path). This is useful when having
+      [services.grafana.provision.datasources.path](#opt-services.grafana.provision.datasources.path) (or
+      [services.grafana.provision.dashboards.path](#opt-services.grafana.provision.dashboards.path). This is useful when having
       provisioning files from non-NixOS Grafana instances that you also want to
       deploy to NixOS.
 
       __Note:__ secrets from these files will be leaked into the store unless you use a
       [**file**-provider or env-var](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider) for secrets!
 
-    - [](#opt-services.grafana.provision.notifiers) is not affected by this change because
-      this feature is deprecated by Grafana and will probably removed in Grafana 10.
+    - [services.grafana.provision.notifiers](#opt-services.grafana.provision.notifiers) is not affected by this change because
+      this feature is deprecated by Grafana and will probably be removed in Grafana 10.
       It's recommended to use `services.grafana.provision.alerting.contactPoints` instead.
 
 - The `services.grafana.provision.alerting` option was added. It includes suboptions for every alerting-related objects (with the exception of `notifiers`), which means it's now possible to configure modern Grafana alerting declaratively.
 
-- Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
+- Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
 
 - The `diamond` package has been update from 0.8.36 to 2.0.15. See the [upstream release notes](https://github.com/bbuchfink/diamond/releases) for more details.
 
 - The `guake` package has been updated from 3.6.3 to 3.9.0, see the [changelog](https://github.com/Guake/guake/releases) for more details.
 
-- `dockerTools.buildImage` deprecates the misunderstood `contents` parameter, in favor of `copyToRoot`.
+- The `netlify-cli` package has been updated from 6.13.2 to 12.2.4, see the [changelog](https://github.com/netlify/cli/releases) for more details.
+
+- `dockerTools.buildImage`'s `contents` parameter has been deprecated in favor of `copyToRoot`.
   Use `copyToRoot = buildEnv { ... };` or similar if you intend to add packages to `/bin`.
 
 - The `proxmox.qemuConf.bios` option was added, it corresponds to `Hardware->BIOS` field in Proxmox web interface. Use `"ovmf"` value to build UEFI image, default value remains `"bios"`. New option `proxmox.partitionTableType` defaults to either `"legacy"` or `"efi"`, depending on the `bios` value. Setting `partitionTableType` to `"hybrid"` results in an image, which supports both methods (`"bios"` and `"ovmf"`), thereby remaining bootable after change to Proxmox `Hardware->BIOS` field.
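Review bot: In the rewritten sentence about `services.grafana.provision.datasources.path` and `services.grafana.provision.dashboards.path`, the parenthesis opened at "(or" is never closed: the `)` after `#opt-services.grafana.provision.dashboards.path` only ends the link target. The `apiVersion` item above closes it correctly with "))."; do the same here. The added `netlify-cli` entry uses a comma splice ("to 12.2.4, see the changelog"), which the `stylua` entry in this patch was changed to avoid by splitting into two sentences.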
@@ -461,7 +389,9 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 
 - The `documentation.nixos.options.allowDocBook` option was added to ease the transition to CommonMark option documentation. Setting this option to `false` causes an error for every option included in the manual that uses DocBook documentation; it defaults to `true` to preserve the previous behavior and will be removed once the transition to CommonMark is complete.
 
-- The redis module now persists each instance's configuration file in the state directory, in order to support some more advanced use cases like sentinel.
+- The Redis module now persists each instance's configuration file in the state directory, in order to support some more advanced use cases like Sentinel.
+
+- `protonup` has been aliased to and replaced by `protonup-ng` due to upstream not maintaining it.
 
 - The udisks2 service, available at `services.udisks2.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed.
   This also means that polkit will now actually be disabled by default. The default for `security.polkit.enable` was already flipped in the previous release, but udisks2 being enabled by default re-enabled it.
@@ -470,22 +400,12 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
   for Nextcloud in NixOS:
   - For Nextcloud **>=24**, the default PHP version is 8.1.
   - Nextcloud **23** has been removed since it will reach its [end of life in December 2022](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule/d76576a12a626d53305d480a6065b57cab705d3d).
-  - For `system.stateVersion` being **>=22.11**, Nextcloud 25 will be installed by default. For older versions,
+  - If `system.stateVersion` is **>=22.11**, Nextcloud 25 will be installed by default. For older versions,
     Nextcloud 24 will be installed.
-  - Please ensure that you only upgrade on major release at a time! Nextcloud doesn't support
+  - Please ensure that you only upgrade one major release at a time! Nextcloud doesn't support
     upgrades across multiple versions, i.e. an upgrade from **23** to **25** is only possible
     when upgrading to **24** first.
 
-- Add udev rules for the Teensy family of microcontrollers.
-
-- The Qt QML disk cache is now disabled by default. This fixes a 
-  long-standing issue where updating Qt/KDE apps would sometimes cause 
-  them to crash or behave strangely without explanation. Those concerned 
-  about the small (~10%) performance hit to application startup can 
-  re-enable the cache (and expose themselves to gremlins) by setting the 
-  envrionment variable `QML_FORCE_DISK_CACHE` to `1` using e.g. the 
-  `environment.sessionVariables` NixOS option.
-
 - systemd-oomd is enabled by default. Depending on which systemd units have
   `ManagedOOMSwap=kill` or `ManagedOOMMemoryPressure=kill`, systemd-oomd will
   SIGKILL all the processes under the appropriate descendant cgroups when the
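Review bot: the removed Qt QML disk cache entry (and the Teensy udev line above it) has no re-added copy in this hunk, so confirm both are moved elsewhere in the file rather than dropped. The QML entry is where the `QML_FORCE_DISK_CACHE` opt-out via `environment.sessionVariables` is documented. It also contains the typo `envrionment`, which should be fixed wherever the text ends up.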
@@ -499,25 +419,23 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 
 - The `pass-secret-service` package now includes systemd units from upstream, so adding it to the NixOS `services.dbus.packages` option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API.
 
-- There is a new module for AMD SEV CPU functionality, which grants access to the hardware.
-
-- The Wordpress module got support for installing language packs through `services.wordpress.sites.<site>.languages`.
+- The Wordpress module now has support for installing language packs through a new option, `services.wordpress.sites.<site>.languages`.
 
 - The default package for `services.mullvad-vpn.package` was changed to `pkgs.mullvad`, allowing cross-platform usage of Mullvad. `pkgs.mullvad` only contains the Mullvad CLI tool, so users who rely on the Mullvad GUI will want to change it back to `pkgs.mullvad-vpn`, or add `pkgs.mullvad-vpn` to their environment.
 
-- PowerDNS has been updated from `4.6.x` to `4.7.x`. Please be sure to review the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-4-7-0-or-master) provided by upstream before upgrading. Worth specifically noting is that the new Catalog Zones feature comes with a mandatory schema change for the gsql database backends, which has to be manually applied.
+- PowerDNS has been updated from v4.6.2 to v4.7.2. Please be sure to review the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-4-7-0-or-master) provided by upstream before upgrading. Worth specifically noting is that the new Catalog Zones feature comes with a mandatory schema change for the GSQL database backends, which has to be manually applied.
 
-- There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed.
+- There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and may be removed in a future release.
 
-- There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service.
+- There is a new module for `xfconf` (the Xfce configuration storage system), which has a dbus service.
 
-- The Mastodon package got upgraded from the major version 3 to 4. See the [v4.0.0 release notes](https://github.com/mastodon/mastodon/releases/tag/v4.0.0) for a list of changes. On standard setups, no manual migration steps are required. Nevertheless, a database backup is recommended.
+- The Mastodon package has been upgraded to v4.0.0. See the [v4.0.0 release notes](https://github.com/mastodon/mastodon/releases/tag/v4.0.0) for a list of changes. On standard setups, no manual migration steps are required. Nevertheless, a database backup is recommended.
 
-- The `nomad` package now defaults to 1.3, which no longer has a downgrade path to releases 1.2 or older.
+- The `nomad` package now defaults to v1.3, which no longer has a downgrade path to v1.2 or older.
 
 - The `nodePackages` package set now defaults to the LTS release in the `nodejs` package again, instead of being pinned to `nodejs-14_x`. Several updates to node2nix have been made for compatibility with newer Node.js and npm versions and a new `postRebuild` hook has been added for packages to perform extra build steps before the npm install step prunes dev dependencies.
 
-- `boot.kernel.sysctl` is defined as a freeformType and adds a custom merge option for "net.core.rmem_max" (taking the highest value defined to avoid conflicts between 2 services trying to set that value).
+- `boot.kernel.sysctl` is defined as a freeformType and adds a custom merge option for `net.core.rmem_max` (taking the highest value defined to avoid conflicts between 2 services trying to set that value).
 
 - The `mame` package does not ship with its tools anymore in the default output. They were moved to a separate `tools` output instead. For convenience, `mame-tools` package was added for those who want to use it.
 
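Review bot: the AMD SEV entry ("There is a new module for AMD SEV CPU functionality, which grants access to the hardware.") is deleted here with no replacement in this hunk. Since it describes a module that changes access to hardware, check that it reappears elsewhere in the file. The Mastodon rewrite to "has been upgraded to v4.0.0" also drops the statement that this is a jump from major version 3, which is the context for the backup advice that follows. Smaller points: `dbus` in the thunar and xfconf lines is inconsistent with `D-Bus` in the pass-secret-service line, and `Wordpress` should be `WordPress`.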
@@ -525,4 +443,94 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 
 - The option `services.picom.experimentalBackends` was removed since it is now the default and the option will cause `picom` to quit instead.
 
+- `haskellPackages.callHackage` is not always invalidated if `all-cabal-hashes` changes, leading to less rebuilds of haskell dependencies.
+
+- `haskellPackages.callHackage` and `haskellPackages.callCabal2nix` (and related functions) no longer keep a reference to the `cabal2nix` call used to generate them. As a result, they will be garbage collected more often.
+
+<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+
+## New Services {#sec-release-22.11-new-services}
+
+- [alps](https://git.sr.ht/~migadu/alps), a simple and extensible webmail. Available as [services.alps](#opt-services.alps.enable).
+
+- [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable).
+
+- [AusweisApp2](https://www.ausweisapp.bund.de/), the authentication software for the German ID card. Available as [programs.ausweisapp](#opt-programs.ausweisapp.enable).
+
+- [automatic-timezoned](https://github.com/maxbrunet/automatic-timezoned). a Linux daemon to automatically update the system timezone based on location. Available as [services.automatic-timezoned](#opt-services.automatic-timezoned.enable).
+
+- [Dolibarr](https://www.dolibarr.org/), an enterprise resource planning and customer relationship manager. Enable using [services.dolibarr](#opt-services.dolibarr.enable).
+
+- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable).
+
+- [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable).
+
+- [endlessh](https://github.com/skeeto/endlessh), an SSH tarpit. Available as [services.endlessh](#opt-services.endlessh.enable).
+
+- [EVCC](https://evcc.io) is an EV charge controller with PV integration. It supports a multitude of chargers, meters, vehicle APIs and more and ties that together with a well-tested backend and a lightweight web frontend. Available as [services.evcc](#opt-services.evcc.enable).
+
+- [expressvpn](https://www.expressvpn.com), the CLI client for ExpressVPN. Available as [services.expressvpn](#opt-services.expressvpn.enable).
+
+- [FreshRSS](https://freshrss.org/), a free, self-hostable RSS feed aggregator. Available as [services.freshrss](#opt-services.freshrss.enable).
+
+- [Garage](https://garagehq.deuxfleurs.fr/), a simple object storage server for geodistributed deployments, alternative to MinIO. Available as [services.garage](#opt-services.garage.enable).
+
+- [go-autoconfig](https://github.com/L11R/go-autoconfig), IMAP/SMTP autodiscover server. Available as [services.go-autoconfig](#opt-services.go-autoconfig.enable).
+
+- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable).
+
+- [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable).
+
+- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle. Available as [services.infnoise](options.html#opt-services.infnoise.enable).
+
+- [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization. Available as [services.kanata](options.html#opt-services.kanata.enable).
+
+- [karma](https://github.com/prymitive/karma), an alert dashboard for Prometheus Alertmanager. Available as [services.karma](options.html#opt-services.karma.enable)
+
+- [Komga](https://komga.org/), a free and open source comics/mangas media server. Available as [services.komga](#opt-services.komga.enable).
+
+- [kthxbye](https://github.com/prymitive/kthxbye), an alert acknowledgement management daemon for Prometheus Alertmanager. Available as [services.kthxbye](options.html#opt-services.kthxbye.enable)
+
+- [languagetool](https://languagetool.org/), a multilingual grammar, style, and spell checker. Available as [services.languagetool](options.html#opt-services.languagetool.enable).
+
+- [Listmonk](https://listmonk.app), a self-hosted newsletter manager. Enable using [services.listmonk](options.html#opt-services.listmonk.enable).
+
+- [Mepo](https://mepo.milesalan.com), a fast, simple, hackable OSM map viewer for mobile and desktop Linux. Available as [programs.mepo.enable](#opt-programs.mepo.enable).
+
+- [merecat](https://troglobit.com/projects/merecat/), a small and easy HTTP server based on thttpd. Available as [services.merecat](#opt-services.merecat.enable)
+
+- [netbird](https://netbird.io), a zero configuration VPN. Available as [services.netbird](options.html#opt-services.netbird.enable).
+
+- [ntfy.sh](https://ntfy.sh), a push notification service. Available as [services.ntfy-sh](#opt-services.ntfy-sh.enable)
+
+- [OpenRGB](https://gitlab.com/CalcProgrammer1/OpenRGB/-/tree/master), a FOSS tool for controlling RGB lighting. Available as [services.hardware.openrgb.enable](options.html#opt-services.hardware.openrgb.enable).
+
+- [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable).
+
+- [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul. Available as [services.patroni](options.html#opt-services.patroni.enable).
+
+- [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable).
+
+- [Please](https://github.com/edneville/please), a Sudo clone written in Rust. Available as [security.please](#opt-security.please.enable).
+
+- [Prometheus IPMI exporter](https://github.com/prometheus-community/ipmi_exporter), an IPMI exporter for Prometheus. Available as [services.prometheus.exporters.ipmi](#opt-services.prometheus.exporters.ipmi.enable).
+
+- [Sachet](https://github.com/messagebird/sachet/), an SMS alerting tool for the Prometheus Alertmanager. Available as [services.prometheus.sachet](#opt-services.prometheus.sachet.enable).
+
+- [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable).
+
+- [syncstorage-rs](https://github.com/mozilla-services/syncstorage-rs), a self-hostable sync server for Firefox. Available as [services.firefox-syncserver](options.html#opt-services.firefox-syncserver.enable).
+
+- [Tandoor Recipes](https://tandoor.dev), a self-hosted multi-tenant recipe collection. Available as [services.tandoor-recipes](options.html#opt-services.tandoor-recipes.enable).
+
+- [TAYGA](http://www.litech.org/tayga/), an out-of-kernel stateless NAT64 implementation. Available as [services.tayga](#opt-services.tayga.enable).
+
+- [tmate-ssh-server](https://github.com/tmate-io/tmate-ssh-server), server side part of [tmate](https://tmate.io/). Available as [services.tmate-ssh-server](#opt-services.tmate-ssh-server.enable).
+
+- [Uptime Kuma](https://uptime.kuma.pet/), a fancy self-hosted monitoring tool. Available as [services.uptime-kuma](#opt-services.uptime-kuma.enable).
+
+- [WriteFreely](https://writefreely.org), a simple blogging platform with ActivityPub support. Available as [services.writefreely](options.html#opt-services.writefreely.enable).
+
+- [xray](https://github.com/XTLS/Xray-core), a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as [services.xray](options.html#opt-services.xray.enable).
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
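Review bot: the added New Services list mixes two link targets for options, `options.html#opt-...` (appvm, hbase, infnoise, kanata and others) and bare `#opt-...` (alps, dolibarr, endlessh and others). Pick one form so the links resolve consistently in the rendered manual. Also: the automatic-timezoned entry has `. a Linux daemon` where a comma is meant, the karma, kthxbye, merecat and ntfy.sh entries lack a closing period, "less rebuilds" should be "fewer rebuilds", and the TAYGA link is plain `http://`.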
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 5bc6c8614895e..39550d44733ad 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -8,22 +8,43 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- Create the first release note entry in this section!
+- Cinnamon has been updated to 5.6, see [the pull request](https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204) for what is changed.
 
 ## New Services {#sec-release-23.05-new-services}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- Create the first release note entry in this section!
+- [fzf](https://github.com/junegunn/fzf), a command line fuzzyfinder. Available as [programs.fzf](#opt-programs.fzf.fuzzyCompletion).
 
 ## Backward Incompatibilities {#sec-release-23.05-incompatibilities}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- Create the first release note entry in this section!
+- `carnix` and `cratesIO` has been removed due to being unmaintained, use alternatives such as [naersk](https://github.com/nix-community/naersk) and [crate2nix](https://github.com/kolloch/crate2nix) instead.
+
+- The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services.
+  This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service`
+
+- `services.sourcehut.dispatch` and the corresponding package (`sourcehut.dispatchsrht`) have been removed due to [upstream deprecation](https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/).
+
+- The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.
+
+- The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
+
+- Qt 5.12 and 5.14 have been removed, as the corresponding branches have been EOL upstream for a long time. This affected under 10 packages in nixpkgs, largely unmaintained upstream as well, however, out-of-tree package expressions may need to be updated manually.
+
+- The `nix.readOnlyStore` option has been renamed to `boot.readOnlyNixStore` to clarify that it configures the NixOS boot process, not the Nix daemon.
 
 ## Other Notable Changes {#sec-release-23.05-notable-changes}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- Create the first release note entry in this section!
+- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)
+
+- `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.
+
+- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).
+
+- Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
+
+- The `unifi-poller` package and corresponding NixOS module have been renamed to `unpoller` to match upstream.
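Review bot: in the `mastodon-tootctl` entry, "can be executed from any user and switches to the configured mastodon user with sudo" does not say whether the calling user needs sudo rights. State that explicitly so readers do not assume the wrapper itself grants access to the mastodon account. "tootctl wrapped named" should be "tootctl wrapper named". In the incompatibilities list, "`carnix` and `cratesIO` has been removed" should be "have been removed", the EC2 metadata entry ending in `fetch-ec2-metadata.service` lacks its closing period, and the Resilio entry should name the option that takes the secrets file. The opensnitch line also lacks a closing period, and "fuzzyfinder" should be "fuzzy finder".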