<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.09">

<title>Release 17.09 (“Hummingbird”, 2017/09/??)</title>

<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.09-highlights">

<title>Highlights</title>

<para>In addition to numerous new and upgraded packages, this release
has the following highlights: </para>

<itemizedlist>
  <listitem>
    <para>
      The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10,
      KDE Applications to 17.08.1 and KDE Frameworks to 5.37.
    </para>
  </listitem>
  <listitem>
    <para>
      The user handling now keeps track of deallocated UIDs/GIDs. When a user
      or group is revived, this allows it to be allocated the UID/GID it had before.
      A consequence is that UIDs and GIDs are no longer reused.
    </para>
  </listitem>
  <listitem>
    <para>
      The module option <option>services.xserver.xrandrHeads</option> now
      causes the first head specified in this list to be set as the primary
      head. Apart from that, it's now possible to also set additional options
      by using an attribute set, for example:
<programlisting>
{ services.xserver.xrandrHeads = [
    "HDMI-0"
    {
      output = &quot;DVI-0&quot;;
      primary = true;
      monitorConfig = ''
        Option &quot;Rotate&quot; &quot;right&quot;
      '';
    }
  ];
}
</programlisting>
      This will set the <literal>DVI-0</literal> output to be the primary head,
      even though <literal>HDMI-0</literal> is the first head in the list.
    </para>
  </listitem>
  <listitem>
    <para>
      The handling of SSL in the <literal>services.nginx</literal> module has
      been cleaned up, renaming the misnamed <literal>enableSSL</literal> to
      <literal>onlySSL</literal> which reflects its original intention.
      This is not to be used with the already existing <literal>forceSSL</literal>
      which creates a second non-SSL virtual host redirecting to the SSL
      virtual host. This by chance had worked earlier due to specific
      implementation details. In case you had specified both, please remove
      the <literal>enableSSL</literal> option to keep the previous behaviour.
    </para>
    <para>
      Another <literal>addSSL</literal> option has been introduced to configure
      both a non-SSL virtual host and an SSL virtual host with the same
      configuration.
    </para>
    <para>
      Options to configure <literal>resolver</literal> options and
      <literal>upstream</literal> blocks have been introduced. See their information
      for further details.
    </para>
    <para>
      The <literal>port</literal> option has been replaced by a more generic
      <literal>listen</literal> option which makes it possible to specify
      multiple addresses, ports and SSL configs dependent on the new SSL
      handling mentioned above.
    </para>
  </listitem>
</itemizedlist>

</section>
<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.09-new-services">

<title>New Services</title>

<para>The following new services were added since the last release:</para>

<itemizedlist>
  <listitem><para><literal>config/fonts/fontconfig-penultimate.nix</literal></para></listitem>
  <listitem><para><literal>config/fonts/fontconfig-ultimate.nix</literal></para></listitem>
  <listitem><para><literal>config/terminfo.nix</literal></para></listitem>
  <listitem><para><literal>hardware/sensor/iio.nix</literal></para></listitem>
  <listitem><para><literal>hardware/nitrokey.nix</literal></para></listitem>
  <listitem><para><literal>hardware/raid/hpsa.nix</literal></para></listitem>
  <listitem><para><literal>programs/browserpass.nix</literal></para></listitem>
  <listitem><para><literal>programs/gnupg.nix</literal></para></listitem>
  <listitem><para><literal>programs/qt5ct.nix</literal></para></listitem>
  <listitem><para><literal>programs/slock.nix</literal></para></listitem>
  <listitem><para><literal>programs/thefuck.nix</literal></para></listitem>
  <listitem><para><literal>security/auditd.nix</literal></para></listitem>
  <listitem><para><literal>security/lock-kernel-modules.nix</literal></para></listitem>
  <listitem><para><literal>service-managers/docker.nix</literal></para></listitem>
  <listitem><para><literal>service-managers/trivial.nix</literal></para></listitem>
  <listitem><para><literal>services/admin/salt/master.nix</literal></para></listitem>
  <listitem><para><literal>services/admin/salt/minion.nix</literal></para></listitem>
  <listitem><para><literal>services/audio/slimserver.nix</literal></para></listitem>
  <listitem><para><literal>services/cluster/kubernetes/default.nix</literal></para></listitem>
  <listitem><para><literal>services/cluster/kubernetes/dns.nix</literal></para></listitem>
  <listitem><para><literal>services/cluster/kubernetes/dashboard.nix</literal></para></listitem>
  <listitem><para><literal>services/continuous-integration/hail.nix</literal></para></listitem>
  <listitem><para><literal>services/databases/clickhouse.nix</literal></para></listitem>
  <listitem><para><literal>services/databases/postage.nix</literal></para></listitem>
  <listitem><para><literal>services/desktops/gnome3/gnome-disks.nix</literal></para></listitem>
  <listitem><para><literal>services/desktops/gnome3/gpaste.nix</literal></para></listitem>
  <listitem><para><literal>services/logging/SystemdJournal2Gelf.nix</literal></para></listitem>
  <listitem><para><literal>services/logging/heartbeat.nix</literal></para></listitem>
  <listitem><para><literal>services/logging/journalwatch.nix</literal></para></listitem>
  <listitem><para><literal>services/logging/syslogd.nix</literal></para></listitem>
  <listitem><para><literal>services/mail/mailhog.nix</literal></para></listitem>
  <listitem><para><literal>services/mail/nullmailer.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/airsonic.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/autorandr.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/exhibitor.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/fstrim.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/gollum.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/irkerd.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/jackett.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/radarr.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/snapper.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/osquery.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/collectd-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/fritzbox-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/network-filesystems/kbfs.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/dnscache.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/fireqos.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/iwd.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/keepalived/default.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/keybase.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/lldpd.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/matterbridge.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/squid.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/tinydns.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/xrdp.nix</literal></para></listitem>
  <listitem><para><literal>services/security/shibboleth-sp.nix</literal></para></listitem>
  <listitem><para><literal>services/security/sks.nix</literal></para></listitem>
  <listitem><para><literal>services/security/sshguard.nix</literal></para></listitem>
  <listitem><para><literal>services/security/torify.nix</literal></para></listitem>
  <listitem><para><literal>services/security/usbguard.nix</literal></para></listitem>
  <listitem><para><literal>services/security/vault.nix</literal></para></listitem>
  <listitem><para><literal>services/system/earlyoom.nix</literal></para></listitem>
  <listitem><para><literal>services/system/saslauthd.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/nexus.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/pgpkeyserver-lite.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/piwik.nix</literal></para></listitem>
  <listitem><para><literal>services/web-servers/lighttpd/collectd.nix</literal></para></listitem>
  <listitem><para><literal>services/web-servers/minio.nix</literal></para></listitem>
  <listitem><para><literal>services/x11/display-managers/xpra.nix</literal></para></listitem>
  <listitem><para><literal>services/x11/xautolock.nix</literal></para></listitem>
  <listitem><para><literal>tasks/filesystems/bcachefs.nix</literal></para></listitem>
  <listitem><para><literal>tasks/powertop.nix</literal></para></listitem>
</itemizedlist>

</section>
<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.09-incompatibilities">

<title>Backward Incompatibilities</title>

<para>When upgrading from a previous release, please be aware of the
following incompatible changes:</para>

<itemizedlist>
  <listitem>
    <para>
      <emphasis role="strong">
        In a Qemu-based virtualization environment, the network interface
        names changed from e.g. <literal>enp0s3</literal> to
        <literal>ens3</literal>.
      </emphasis>
    </para>
    <para>
      This is due to a kernel configuration change. The new naming
      is consistent with that of other Linux distributions with
      systemd. See
      <link xlink:href="https://github.com/NixOS/nixpkgs/issues/29197">#29197</link>
      for more information.
    </para>
    <para>
      A machine is affected if the <literal>virt-what</literal> tool
      either returns <literal>qemu</literal> or
      <literal>kvm</literal> <emphasis>and</emphasis> has
      interface names used in any part of its NixOS configuration,
      in particular if a static network configuration with
      <literal>networking.interfaces</literal> is used.
    </para>
    <para>
      Before rebooting affected machines, please ensure:
      <itemizedlist>
        <listitem>
          <para>
            Change the interface names in your NixOS configuration.
            The first interface will be called <literal>ens3</literal>,
            the second one <literal>ens8</literal> and starting from there
            incremented by 1.
          </para>
        </listitem>
        <listitem>
          <para>
            After changing the interface names, rebuild your system with
            <literal>nixos-rebuild boot</literal> to activate the new
            configuration after a reboot. If you switch to the new
            configuration right away you might lose network connectivity!
            If using <literal>nixops</literal>, deploy with
            <literal>nixops deploy --force-reboot</literal>.
          </para>
        </listitem>
      </itemizedlist>
    </para>
  </listitem>
  <listitem>
    <para>
      The following changes apply if the <literal>stateVersion</literal> is changed to 17.09 or higher.
      For <literal>stateVersion = "17.03"</literal> or lower the old behavior is preserved.
    </para>
    <itemizedlist>
      <listitem>
        <para>
          The <literal>postgres</literal> default version was changed from 9.5 to 9.6.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>postgres</literal> superuser name has changed from <literal>root</literal> to <literal>postgres</literal> to more closely follow what other Linux distributions are doing.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>postgres</literal> default <literal>dataDir</literal> has changed from <literal>/var/db/postgres</literal> to <literal>/var/lib/postgresql/$psqlSchema</literal> where $psqlSchema is 9.6 for example.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>mysql</literal> default <literal>dataDir</literal> has changed from <literal>/var/mysql</literal> to <literal>/var/lib/mysql</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found <link xlink:href="http://radicale.org/1to2/">here</link>. It is also possible to use the newer version by setting the <literal>package</literal> to <literal>radicale2</literal>, which is done automatically when <literal>stateVersion</literal> is 17.09 or higher. The <literal>extraArgs</literal> option has been added to allow passing the data migration arguments specified in the instructions; see the <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/radicale.nix">radicale.nix</filename> NixOS test for an example migration.
        </para>
      </listitem>
    </itemizedlist>
  </listitem>
  <listitem>
    <para>
      The <literal>aiccu</literal> package was removed. This is due to SixXS
      <link xlink:href="https://www.sixxs.net/main/">sunsetting</link> its IPv6 tunnel.
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>fanctl</literal> package and <literal>fan</literal> module
      have been removed due to the developers not upstreaming their iproute2
      patches and lagging with compatibility to recent iproute2 versions.
    </para>
  </listitem>
  <listitem>
    <para>
      The top-level <literal>idea</literal> package collection was renamed.
      All JetBrains IDEs are now at <literal>jetbrains</literal>.
    </para>
  </listitem>
  <listitem>
    <para>
      <literal>flexget</literal>'s state database cannot be upgraded to its
      new internal format, requiring removal of any existing
      <literal>db-config.sqlite</literal> which will be automatically recreated.
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>ipfs</literal> service no longer ignores the <literal>dataDir</literal> option. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with
<programlisting>
dataDir=&lt;valueOfDataDir&gt;
mv /var/lib/ipfs/.ipfs/* "$dataDir"
rmdir /var/lib/ipfs/.ipfs
</programlisting>
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>caddy</literal> service was previously using an extra
      <literal>.caddy</literal> directory in the data directory specified
      with the <literal>dataDir</literal> option. The contents of the
      <literal>.caddy</literal> directory are now expected to be in the
      <literal>dataDir</literal>.
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>ssh-agent</literal> user service is not started by default
      anymore. Use <literal>programs.ssh.startAgent</literal> to enable it if
      needed. There is also a new <literal>programs.gnupg.agent</literal>
      module that creates a <literal>gpg-agent</literal> user service. It can
      also serve as an SSH agent if <literal>enableSSHSupport</literal> is set.
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>services.tinc.networks.&lt;name&gt;.listenAddress</literal>
      option had a misleading name that did not correspond to its behavior. It
      now correctly defines the IP address to listen for incoming connections on. To
      keep the previous behaviour, use
      <literal>services.tinc.networks.&lt;name&gt;.bindToAddress</literal>
      instead. Refer to the description of the options for more details.
    </para>
  </listitem>
  <listitem>
    <para>
      <literal>tlsdate</literal> package and module were removed. This is due to the project
      being dead and not building with openssl 1.1.
    </para>
  </listitem>
  <listitem>
    <para>
      <literal>wvdial</literal> package and module were removed. This is due to the project
      being dead and not building with openssl 1.1.
    </para>
  </listitem>
  <listitem>
    <para>
      <literal>cc-wrapper</literal>'s setup-hook now exports a number of
      environment variables corresponding to binutils binaries,
      (e.g. <envar>LD</envar>, <envar>STRIP</envar>, <envar>RANLIB</envar>,
      etc). This is done to prevent packages' build systems guessing, which is
      harder to predict, especially when cross-compiling. However, some packages
      have broken due to this—their build systems either not supporting, or
      claiming to support without adequate testing, taking such environment
      variables as parameters.
    </para>
  </listitem>
  <listitem>
    <para>
      <literal>services.firefox.syncserver</literal> now runs by default as a
      non-root user. To accommodate this change, the default sqlite database
      location has also been changed. Migration should work automatically.
      Refer to the description of the options for more details.
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>compiz</literal> window manager and package were
      removed. The system support had been broken for several years.
    </para>
  </listitem>
  <listitem>
    <para>
      Touchpad support should now be enabled through
      <literal>libinput</literal> as <literal>synaptics</literal> is
      now deprecated. See the option
      <literal>services.xserver.libinput.enable</literal>.
    </para>
  </listitem>
  <listitem>
    <para>
      grsecurity/PaX support has been dropped, following upstream's
      decision to cease free support.
      See
      <link xlink:href="https://grsecurity.net/passing_the_baton.php">
      upstream's announcement</link> for more information.
      No complete replacement for grsecurity/PaX is available presently.
    </para>
  </listitem>
  <listitem>
    <para>
      <literal>services.mysql</literal> now has declarative
      configuration of databases and users with the <literal>ensureDatabases</literal> and
      <literal>ensureUsers</literal> options.
    </para>

    <para>
      These options will never delete existing databases and users,
      especially not when the value of the options is changed.
    </para>

    <para>
      The MySQL users will be identified using
      <link xlink:href="https://mariadb.com/kb/en/library/authentication-plugin-unix-socket/">
      Unix socket authentication</link>. This authenticates the
      Unix user with the same name only, and that without the need
      for a password.
    </para>

    <para>
      If you have previously created a MySQL <literal>root</literal>
      user <emphasis>with a password</emphasis>, you will need to add
      <literal>root</literal> user for unix socket authentication
      before using the new options. This can be done by running the
      following SQL script:

<programlisting language="sql">
-- Creates 'root'@'%' with an empty password; '%' matches any client host.
CREATE USER 'root'@'%' IDENTIFIED BY '';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;

-- Optionally, delete the password-authenticated user:
-- DROP USER 'root'@'localhost';
</programlisting>
    </para>
  </listitem>

  <listitem>
    <para>
      <literal>services.mysqlBackup</literal> now works by default
      without any user setup, including for users other than
      <literal>mysql</literal>.
    </para>

    <para>
      By default, the <literal>mysql</literal> user is no longer the
      user which performs the backup. Instead a system account
      <literal>mysqlbackup</literal> is used.
    </para>

    <para>
      The <literal>mysqlBackup</literal> service is also now using
      systemd timers instead of <literal>cron</literal>.
    </para>

    <para>
      Therefore, the <literal>services.mysqlBackup.period</literal>
      option no longer exists, and has been replaced with
      <literal>services.mysqlBackup.calendar</literal>, which is in
      the format of <link
      xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events">systemd.time(7)</link>.
    </para>

    <para>
      If you expect to be sent an e-mail when the backup fails,
      consider using a script which monitors the systemd journal for
      errors. Regretfully, at present there is no built-in
      functionality for this.
    </para>

    <para>
      You can check that backups still work by running
      <command>systemctl start mysql-backup</command> then
      <command>systemctl status mysql-backup</command>.
    </para>
  </listitem>

  <listitem>
    <para>
      Templated systemd services e.g. <literal>container@name</literal> are
      now handled correctly when switching to a new configuration, resulting
      in them being reloaded.
    </para>
  </listitem>

  <listitem>
    <para>Steam: the <literal>newStdcpp</literal> parameter
    was removed and should not be needed anymore.</para>
  </listitem>

  <listitem>
    <para>
      Redis has been updated to version 4 which mandates a cluster
      mass-restart, due to changes in the network handling, in order
      to ensure compatibility with networks NATing traffic.
    </para>
  </listitem>
</itemizedlist>

</section>
<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.09-notable-changes">

<title>Other Notable Changes</title>

<itemizedlist>

  <listitem>
    <para>
      Modules can now be disabled by using <link
      xlink:href="https://nixos.org/nixpkgs/manual/#sec-replace-modules">
      disabledModules</link>, allowing another to take its place. This can be
      used to import a set of modules from another channel while keeping the
      rest of the system on a stable release.
    </para>
  </listitem>
  <listitem>
    <para>
      Updated to FreeType 2.7.1, including a new TrueType engine.
      The new engine replaces the Infinality engine which was the default in
      NixOS. The default font rendering settings are now provided by
      fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults
      are less invasive and provide rendering that is more consistent with
      other systems and hopefully with each font designer's intent. Some
      system-wide configuration has been removed from the Fontconfig NixOS
      module where user Fontconfig settings are available.
    </para>
  </listitem>
  <listitem>
    <para>
      ZFS/SPL have been updated to 0.7.0, <literal>zfsUnstable, splUnstable</literal>
      have therefore been removed.
    </para>
  </listitem>
  <listitem>
    <para>
      The <option>time.timeZone</option> option now allows the value
      <literal>null</literal> in addition to timezone strings. This value
      allows changing the timezone of a system imperatively using
      <command>timedatectl set-timezone</command>. The default timezone
      is still UTC.
    </para>
  </listitem>
  <listitem>
    <para>
      Nixpkgs overlays may now be specified with a file as well as a directory.
      The value of <literal>&lt;nixpkgs-overlays></literal> may be a file, and
      <filename>~/.config/nixpkgs/overlays.nix</filename> can be used instead of the
      <filename>~/.config/nixpkgs/overlays</filename> directory.
    </para>
    <para>
      See the overlays chapter of the Nixpkgs manual for more details.
    </para>
  </listitem>
  <listitem>
    <para>
      Definitions for <filename>/etc/hosts</filename> can now be specified
      declaratively with <literal>networking.hosts</literal>.
    </para>
  </listitem>
  <listitem>
    <para>
      Two new options have been added to the installer loader, in addition
      to the default having changed. The kernel log verbosity has been lowered
      to the upstream default for the default options, in order to not spam
      the console when e.g. joining a network.
    </para>
    <para>
      A new <literal>debug</literal> option has therefore been added
      to set the log level to the previous verbose mode, so that debugging
      remains easily accessible.
    </para>
    <para>
      Additionally a <literal>copytoram</literal> option has been added,
      which makes it possible to remove the install medium after booting.
      This allows tethering from your phone after booting from it.
    </para>
  </listitem>
  <listitem>
    <para>
      <literal>services.gitlab-runner.configOptions</literal> has been added
      to specify the configuration of gitlab-runners declaratively.
    </para>
  </listitem>
  <listitem>
    <para>
      <literal>services.jenkins.plugins</literal> has been added
      to install plugins easily; this can be generated with jenkinsPlugins2nix.
    </para>
  </listitem>
  <listitem>
    <para>
      <literal>services.postfix.config</literal> has been added
      to specify the main.cf with NixOS options. Additionally, other options
      have been added to the postfix module, and it has been improved further.
    </para>
  </listitem>
  <listitem>
    <para>
      The GitLab package and module have been updated to the latest 10.0
      release.
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>systemd-boot</literal> boot loader now lists the NixOS
      version, kernel version and build date of all bootable generations.
    </para>
  </listitem>
  <listitem>
    <para>
      The dnscrypt-proxy service now defaults to using a random upstream resolver,
      selected from the list of public non-logging resolvers with DNSSEC support.
      Existing configurations can be migrated to this mode of operation by
      omitting the <option>services.dnscrypt-proxy.resolverName</option> option
      or setting it to <literal>"random"</literal>.
    </para>
  </listitem>

</itemizedlist>

</section>
</section>
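
The mysqlBackup notes above suggest a script that monitors the systemd journal for backup errors. One way to write it, as an added example that is not part of the NixOS release notes or modules: it assumes the unit is named mysql-backup.service (as in the systemctl commands above), that a failed run is logged at priority err or higher, and that a local MTA accepts mail on localhost; the sample records are constructed.

```python
import json
import smtplib
import subprocess
from datetime import datetime, timezone
from email.message import EmailMessage

UNIT = "mysql-backup.service"  # assumed unit behind `systemctl start mysql-backup`
MAX_PRIORITY = 3               # syslog "err"; lower numbers are more severe


def _text(value):
    """journalctl -o json gives non-UTF-8 values as byte arrays, oversized ones as null."""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", "replace")
    return "" if value is None else str(value)


def find_failures(json_lines, unit=UNIT):
    """Return (timestamp, message) for every err-or-worse record about `unit`."""
    failures = []
    for line in json_lines:
        try:
            rec = json.loads(line)
            priority = int(_text(rec.get("PRIORITY")))
            micros = int(_text(rec.get("__REALTIME_TIMESTAMP")))
        except (ValueError, AttributeError):
            continue  # blank, truncated or incomplete record: skip it
        # The service's own output carries _SYSTEMD_UNIT; systemd's messages about
        # the unit (such as a failed start job) carry UNIT instead.
        about_unit = unit in (_text(rec.get("_SYSTEMD_UNIT")), _text(rec.get("UNIT")))
        if not about_unit or priority > MAX_PRIORITY:
            continue
        when = datetime.fromtimestamp(micros / 1_000_000, tz=timezone.utc)
        failures.append((when, _text(rec.get("MESSAGE"))))
    return failures


def build_alert(failures, sender, recipient, unit=UNIT):
    """Build the notification mail, or return None when there is nothing to report."""
    if not failures:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"{unit}: {len(failures)} error(s) in the journal"
    msg.set_content("\n".join(f"{when.isoformat()} {text}" for when, text in failures))
    return msg


def check_journal(recipient="root@localhost"):
    """Scan the last 24 hours of the journal and mail `recipient` on failure."""
    out = subprocess.run(
        ["journalctl", "-u", UNIT, "-o", "json", "--since=-24h", "--no-pager"],
        check=True, capture_output=True, text=True).stdout
    alert = build_alert(find_failures(out.splitlines()), "root@localhost", recipient)
    if alert is not None:
        with smtplib.SMTP("localhost") as smtp:  # assumes a local MTA is listening
            smtp.send_message(alert)


# Constructed sample records in `journalctl -o json` form (not real log output).
SAMPLE = [
    # The service's stderr is logged at priority 6 (info) by default: not reported ...
    '{"_SYSTEMD_UNIT": "mysql-backup.service", "PRIORITY": "6", '
    '"__REALTIME_TIMESTAMP": "1506816000000000", "MESSAGE": "mysqldump: Got error"}',
    # ... but systemd records the failed start job at priority 3 (err).
    '{"_SYSTEMD_UNIT": "init.scope", "UNIT": "mysql-backup.service", "PRIORITY": "3", '
    '"__REALTIME_TIMESTAMP": "1506816000500000", "MESSAGE": "Failed to start backup."}',
    # An error from an unrelated unit is ignored.
    '{"_SYSTEMD_UNIT": "nginx.service", "PRIORITY": "3", '
    '"__REALTIME_TIMESTAMP": "1506816001000000", "MESSAGE": "bind() failed"}',
    # A non-UTF-8 message arrives as an array of byte values.
    '{"_SYSTEMD_UNIT": "mysql-backup.service", "PRIORITY": "2", '
    '"__REALTIME_TIMESTAMP": "1506816002000000", '
    '"MESSAGE": [100, 105, 115, 107, 32, 102, 117, 108, 108, 255]}',
    '{"_SYSTEMD_UNIT": "mysql-backup',  # truncated record
]

if __name__ == "__main__":  # offline demonstration on the constructed records
    print(build_alert(find_failures(SAMPLE), "root@localhost", "root@localhost"))
```

Run stand-alone it only prints the alert for the constructed records; `check_journal()` is the entry point to call from a systemd timer scheduled after the backup.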