1<section xmlns="http://docbook.org/ns/docbook"
2 xmlns:xlink="http://www.w3.org/1999/xlink"
3 xmlns:xi="http://www.w3.org/2001/XInclude"
4 version="5.0"
5 xml:id="sec-release-18.09">
6 <title>Release 18.09 (“Jellyfish”, 2018/09/??)</title>
7
8 <section xmlns="http://docbook.org/ns/docbook"
9 xmlns:xlink="http://www.w3.org/1999/xlink"
10 xmlns:xi="http://www.w3.org/2001/XInclude"
11 version="5.0"
12 xml:id="sec-release-18.09-highlights">
13 <title>Highlights</title>
14
15 <para>
16 In addition to numerous new and upgraded packages, this release has the
17 following highlights:
18 </para>
19
20 <itemizedlist>
21 <listitem>
22 <para>
23 Support for wrapping binaries using <literal>firejail</literal> has been
24 added through <varname>programs.firejail.wrappedBinaries</varname>.
25 </para>
26 <para>
27 For example
28 </para>
29<programlisting>
30programs.firejail = {
31 enable = true;
32 wrappedBinaries = {
33 firefox = "${lib.getBin pkgs.firefox}/bin/firefox";
34 mpv = "${lib.getBin pkgs.mpv}/bin/mpv";
35 };
36};
37</programlisting>
38 <para>
 This places <literal>firefox</literal> and <literal>mpv</literal> wrappers in the global path that start the respective binaries through firejail. The unwrapped binaries remain in the Nix store and can still be run directly by their store path; the wrapper only changes what a plain <literal>firefox</literal> or <literal>mpv</literal> command on the path resolves to.
40 </para>
41 </listitem>
42 <listitem>
43 <para>
44 User channels are now in the default <literal>NIX_PATH</literal>, allowing
45 users to use their personal <command>nix-channel</command> defined
46 channels in <command>nix-build</command> and <command>nix-shell</command>
 commands, as well as in imports like <code>import
 &lt;mychannel&gt;</code>.
49 </para>
50 <para>
51 For example
52 </para>
<programlisting>
$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgsunstable
$ nix-channel --update
$ nix-build '&lt;nixpkgsunstable&gt;' -A gitFull
$ nix run -f '&lt;nixpkgsunstable&gt;' gitFull
$ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
</programlisting>
60 </listitem>
61 </itemizedlist>
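 <para>
 The following shell script is an added example; it is not part of the NixOS manual or of the firejail module. It checks that a command found on <literal>PATH</literal> really is a wrapper generated by <varname>programs.firejail.wrappedBinaries</varname> and prints the unwrapped target, which stays executable by its full store path. It assumes the wrapper shape produced by the 18.09 module: a short shell script whose last line execs <filename>/run/wrappers/bin/firejail</filename> with the store path of the real binary. The store paths and file names used while trying it out are constructed.
 </para>

```shell
#!/bin/sh
# Added example (not from the NixOS manual or the firejail module).
# Checks that a command on PATH is a firejail wrapper generated by
# programs.firejail.wrappedBinaries and shows what it wraps.
#
# Assumption: an 18.09 wrapper is a short shell script ending in
#   exec /run/wrappers/bin/firejail /nix/store/...-pkg/bin/prog "$@"
# Adjust WRAPPER_RE if the module's wrapper template changes.
WRAPPER_RE='^exec /run/wrappers/bin/firejail '

# is_firejail_wrapper FILE -> 0 if FILE execs firejail, 1 otherwise
is_firejail_wrapper() {
    [ -f "$1" ] && grep -q "$WRAPPER_RE" "$1"
}

# wrapped_target FILE -> prints the store path the wrapper hands to firejail
wrapped_target() {
    sed -n 's|^exec /run/wrappers/bin/firejail \([^ ]*\).*|\1|p' "$1"
}

# check_wrapped NAME -> 0 if NAME on PATH is a firejail wrapper, 1 otherwise.
# Also reminds you that the wrapped target itself still runs unsandboxed.
check_wrapped() {
    bin=$(command -v "$1") || { echo "$1: not found on PATH" >&2; return 1; }
    if is_firejail_wrapper "$bin"; then
        echo "$1: $bin wraps $(wrapped_target "$bin") in firejail"
        echo "$1: note that the target path above still runs without firejail" >&2
        return 0
    fi
    echo "$1: $bin is NOT a firejail wrapper" >&2
    return 1
}

# Usage: check every binary listed in wrappedBinaries, e.g.
#   for b in firefox mpv; do check_wrapped "$b"; done
```

 <para>
 Run <literal>check_wrapped</literal> for each name in <varname>wrappedBinaries</varname> after a <command>nixos-rebuild switch</command>; a non-zero exit means the name on the path is not going through firejail (for example because another package earlier on the path provides the same command).
 </para>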
62 </section>
63
64 <section xmlns="http://docbook.org/ns/docbook"
65 xmlns:xlink="http://www.w3.org/1999/xlink"
66 xmlns:xi="http://www.w3.org/2001/XInclude"
67 version="5.0"
68 xml:id="sec-release-18.09-new-services">
69 <title>New Services</title>
70
71 <para>
72 The following new services were added since the last release:
73 </para>
74
75 <itemizedlist>
76 <listitem>
77 <para>
 The <varname>services.cassandra</varname> module has been rewritten from
 scratch. The service has passing tests for
 the versions 2.1, 2.2, 3.0 and 3.11 of <link
 xlink:href="https://cassandra.apache.org/">Apache Cassandra</link>.
82 </para>
83 </listitem>
84 <listitem>
85 <para>
86 There is a new <varname>services.foundationdb</varname> module for deploying
87 <link xlink:href="https://www.foundationdb.org">FoundationDB</link> clusters.
88 </para>
89 </listitem>
90 <listitem>
91 <para>
 When enabled, the <literal>iproute2</literal> module copies the files expected
 by <command>ip route</command> (e.g., <filename>rt_tables</filename>) into
 <filename>/run/iproute2</filename>. This allows, for instance, defining
 aliases for routing tables.
96 </para>
97 </listitem>
98 <listitem>
99 <para>
 <varname>services.strongswan-swanctl</varname>
 is a modern replacement for <varname>services.strongswan</varname>.
 You can use either one of them to set up IPsec VPNs, but not both at the same time.
 </para>
 <para>
 <varname>services.strongswan-swanctl</varname> uses the
 <link xlink:href="https://wiki.strongswan.org/projects/strongswan/wiki/swanctl">swanctl</link>
 command, which uses the modern
 <link xlink:href="https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md">vici</link>
 <emphasis>Versatile IKE Configuration Interface</emphasis>.
 The deprecated <literal>ipsec</literal> command used by <varname>services.strongswan</varname> uses the legacy
 <link xlink:href="https://github.com/strongswan/strongswan/blob/master/README_LEGACY.md">stroke configuration interface</link>.
112 </para>
113 </listitem>
114 <listitem>
115 <para>
 The new <varname>services.elasticsearch-curator</varname> service
 periodically curates (i.e. manages) your Elasticsearch indices and snapshots.
118 </para>
119 </listitem>
120 </itemizedlist>
121 </section>
122
123 <section xmlns="http://docbook.org/ns/docbook"
124 xmlns:xlink="http://www.w3.org/1999/xlink"
125 xmlns:xi="http://www.w3.org/2001/XInclude"
126 version="5.0"
127 xml:id="sec-release-18.09-incompatibilities">
128 <title>Backward Incompatibilities</title>
129
130 <para>
131 When upgrading from a previous release, please be aware of the following
132 incompatible changes:
133 </para>
134
135 <itemizedlist>
136 <listitem>
137 <para>
138 The deprecated <varname>services.cassandra</varname> module has
139 seen a complete rewrite. (See above.)
140 </para>
141 </listitem>
142 <listitem>
143 <para>
144 The minimum version of Nix required to evaluate Nixpkgs is now 2.0.
145 </para>
146 <itemizedlist>
147 <listitem>
148 <para>
 For users of NixOS 18.03: NixOS 18.03 defaulted to Nix 2.0, but
 supported using Nix 1.11 by setting <literal>nix.package =
 pkgs.nix1;</literal>. If this option is set to a Nix 1.11 package, you
 will need to either unset the option or set it to a Nix 2.0 package.
153 </para>
154 </listitem>
155 <listitem>
156 <para>
157 For users of NixOS 17.09, you will first need to upgrade Nix by setting
158 <literal>nix.package = pkgs.nixStable2;</literal> and run
159 <command>nixos-rebuild switch</command> as the <literal>root</literal>
160 user.
161 </para>
162 </listitem>
163 <listitem>
164 <para>
165 For users of a daemon-less Nix installation on Linux or macOS, you can
166 upgrade Nix by running <command>curl https://nixos.org/nix/install |
167 sh</command>, or prior to doing a channel update, running
168 <command>nix-env -iA nix</command>.
169 </para>
170 <para>
171 If you have already run a channel update and Nix is no longer able to
172 evaluate Nixpkgs, the error message printed should provide adequate
173 directions for upgrading Nix.
174 </para>
175 </listitem>
176 <listitem>
177 <para>
178 For users of the Nix daemon on macOS, you can upgrade Nix by running
179 <command>sudo -i sh -c 'nix-channel --update && nix-env -iA
180 nixpkgs.nix'; sudo launchctl stop org.nixos.nix-daemon; sudo launchctl
181 start org.nixos.nix-daemon</command>.
182 </para>
183 </listitem>
184 </itemizedlist>
185 </listitem>
186 <listitem>
187 <para>
188 <literal>lib.strict</literal> is removed. Use
189 <literal>builtins.seq</literal> instead.
190 </para>
191 </listitem>
192 <listitem>
193 <para>
194 The <literal>clementine</literal> package points now to the free
195 derivation. <literal>clementineFree</literal> is removed now and
196 <literal>clementineUnfree</literal> points to the package which is bundled
197 with the unfree <literal>libspotify</literal> package.
198 </para>
199 </listitem>
200 <listitem>
201 <para>
 The <literal>netcat</literal> package is now taken directly from OpenBSD's
 <literal>libressl</literal> distribution, instead of relying on Debian's fork. The new
 version should be very close to the old version, but there are some minor
 differences. Importantly, the flags -b, -q, -C and -Z are no longer
 accepted by the <command>nc</command> command, so scripts that pass them will fail.
207 </para>
208 </listitem>
209 <listitem>
210 <para>
211 The <varname>services.docker-registry.extraConfig</varname> object doesn't
212 contain environment variables anymore. Instead it needs to provide an
213 object structure that can be mapped onto the YAML configuration defined in
214 <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the
215 <varname>docker/distribution</varname> docs</link>.
216 </para>
217 </listitem>
218 <listitem>
219 <para>
220 <literal>gnucash</literal> has changed from version 2.4 to 3.x. If you've
221 been using <literal>gnucash</literal> (version 2.4) instead of
222 <literal>gnucash26</literal> (version 2.6) you must open your Gnucash data
223 file(s) with <literal>gnucash26</literal> and then save them to upgrade
224 the file format. Then you may use your data file(s) with Gnucash 3.x. See
225 the upgrade
226 <link xlink:href="https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade">documentation</link>.
227 Gnucash 2.4 is still available under the attribute
228 <literal>gnucash24</literal>.
229 </para>
230 </listitem>
231 <listitem>
232 <para>
 <varname>services.munge</varname> now runs as user (and group) <literal>munge</literal> instead of root.
 Make sure the key file is readable by that user (and, as it is a shared secret, by nobody else).
235 </para>
236 </listitem>
237 <listitem>
238 <para>
239 <varname>dockerTools.buildImage</varname> now uses <literal>null</literal> as default value for <varname>tag</varname>,
240 which indicates that the nix output hash will be used as tag.
241 </para>
242 </listitem>
243 <listitem>
244 <para>
245 The ELK stack: <varname>elasticsearch</varname>, <varname>logstash</varname> and <varname>kibana</varname>
246 has been upgraded from 2.* to 6.3.*.
247 The 2.* versions have been <link xlink:href="https://www.elastic.co/support/eol">unsupported since last year</link>
248 so they have been removed. You can still use the 5.* versions under the names
249 <varname>elasticsearch5</varname>, <varname>logstash5</varname> and
250 <varname>kibana5</varname>.
251 </para>
252 <para>
253 The elastic beats:
254 <varname>filebeat</varname>, <varname>heartbeat</varname>,
255 <varname>metricbeat</varname> and <varname>packetbeat</varname>
256 have had the same treatment: they now target 6.3.* as well.
 The 5.* versions are available under the names:
 <varname>filebeat5</varname>, <varname>heartbeat5</varname>,
 <varname>metricbeat5</varname> and <varname>packetbeat5</varname>.
260 </para>
261 <para>
262 The ELK-6.3 stack now comes with
263 <link xlink:href="https://www.elastic.co/products/x-pack/open">X-Pack by default</link>.
264 Since X-Pack is licensed under the
265 <link xlink:href="https://github.com/elastic/elasticsearch/blob/master/licenses/ELASTIC-LICENSE.txt">Elastic License</link>
266 the ELK packages now have an unfree license. To use them you need to specify
267 <literal>allowUnfree = true;</literal> in your nixpkgs configuration.
268 </para>
269 <para>
270 Fortunately there is also a free variant of the ELK stack without X-Pack.
271 The packages are available under the names:
272 <varname>elasticsearch-oss</varname>, <varname>logstash-oss</varname> and
273 <varname>kibana-oss</varname>.
274 </para>
275 </listitem>
276 <listitem>
277 <para>
 The options
 <literal>boot.initrd.luks.devices.<replaceable>name</replaceable>.yubikey.ramfsMountPoint</literal> and
 <literal>boot.initrd.luks.devices.<replaceable>name</replaceable>.yubikey.storage.mountPoint</literal>
 were removed. The <literal>luksroot.nix</literal> module never supported more than one YubiKey at
 a time anyway, hence those options never had any effect. You should be able to remove them
 from your config without any issues.
284 </para>
285 </listitem>
286 </itemizedlist>
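 <para>
 As an added example (not from the release notes or from nixpkgs), the shell functions below let a script probe the installed <command>nc</command> for the flags listed in the <literal>netcat</literal> item above before using them, and pick a working "close after EOF" flag: Debian's <literal>-q 1</literal> where it is accepted, otherwise OpenBSD's <literal>-N</literal>, which is assumed to be present in the new netcat. Detection relies on the getopt diagnostic ("invalid option", "unknown option" or "illegal option") that <command>nc</command> prints for a flag it does not know. The optional <literal>NC</literal> argument is a hypothetical parameter so the check can be pointed at a stand-in binary; the stand-in used to try it out is constructed.
 </para>

```shell
#!/bin/sh
# Added example (not from the NixOS release notes or from nixpkgs).
# Probe nc for flags before a script relies on them, so a migration from
# Debian's netcat fork to the OpenBSD-derived one fails early and clearly.

# nc_supports_flag FLAG [NC] -> 0 if NC (default: nc) accepts FLAG, 1 if it
# rejects it as unknown. NC is invoked with only that flag and no host, so it
# either complains about the flag (getopt diagnostic) or prints its usage.
nc_supports_flag() {
    flag=$1
    nc_cmd=${2:-nc}
    out=$("$nc_cmd" "$flag" </dev/null 2>&1) || true
    ! printf '%s\n' "$out" | grep -qiE '(invalid|unknown|illegal) option'
}

# missing_nc_flags [NC] -> prints, one per line, each of the Debian-only flags
# named in the 18.09 notes (-b -q -C -Z) that NC rejects; exit status 1 if
# any is missing, so a script can stop before a wrong invocation.
missing_nc_flags() {
    nc_cmd=${1:-nc}
    rc=0
    for flag in -b -q -C -Z; do
        if ! nc_supports_flag "$flag" "$nc_cmd"; then
            printf '%s\n' "$flag"
            rc=1
        fi
    done
    return $rc
}

# nc_eof_flag [NC] -> prints the flag that makes NC close the connection after
# EOF on stdin: Debian's "-q 1" if accepted, else OpenBSD's "-N" (assumption:
# the new netcat provides -N); exit status 1 if neither is accepted.
nc_eof_flag() {
    nc_cmd=${1:-nc}
    if nc_supports_flag -q "$nc_cmd"; then
        printf '%s\n' '-q 1'
    elif nc_supports_flag -N "$nc_cmd"; then
        printf '%s\n' '-N'
    else
        return 1
    fi
}

# Usage in a script (the $(...) is deliberately unquoted so "-q 1" splits):
#   printf 'GET / HTTP/1.0\r\n\r\n' | nc $(nc_eof_flag) example.org 80
```

 <para>
 <literal>missing_nc_flags</literal> is the check to run once after the upgrade; <literal>nc_eof_flag</literal> is the portable replacement for the hard-coded <literal>-q 1</literal> that such scripts usually carry.
 </para>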
287 </section>
288
289 <section xmlns="http://docbook.org/ns/docbook"
290 xmlns:xlink="http://www.w3.org/1999/xlink"
291 xmlns:xi="http://www.w3.org/2001/XInclude"
292 version="5.0"
293 xml:id="sec-release-18.09-notable-changes">
294 <title>Other Notable Changes</title>
295
296 <itemizedlist>
297 <listitem>
298 <para>
 <literal>dockerTools.pullImage</literal> now downloads an image by its
 digest instead of its tag. A digest identifies the image content, whereas a
 tag can be re-pointed at a different image later, so the <literal>sha256</literal>
 of a previously pulled image has to be updated.
302 </para>
303 </listitem>
304 <listitem>
305 <para>
306 <literal>lib.attrNamesToStr</literal> has been deprecated. Use more
307 specific concatenation (<literal>lib.concat(Map)StringsSep</literal>)
308 instead.
309 </para>
310 </listitem>
311 <listitem>
312 <para>
313 <literal>lib.addErrorContextToAttrs</literal> has been deprecated. Use
314 <literal>builtins.addErrorContext</literal> directly.
315 </para>
316 </listitem>
317 <listitem>
318 <para>
319 <literal>lib.showVal</literal> has been deprecated. Use
320 <literal>lib.traceSeqN</literal> instead.
321 </para>
322 </listitem>
323 <listitem>
324 <para>
325 <literal>lib.traceXMLVal</literal> has been deprecated. Use
326 <literal>lib.traceValFn builtins.toXml</literal> instead.
327 </para>
328 </listitem>
329 <listitem>
330 <para>
331 <literal>lib.traceXMLValMarked</literal> has been deprecated. Use
332 <literal>lib.traceValFn (x: str + builtins.toXML x)</literal> instead.
333 </para>
334 </listitem>
335 <listitem>
336 <para>
337 The <literal>pkgs</literal> argument to NixOS modules can now be set directly using <literal>nixpkgs.pkgs</literal>. Previously, only the <literal>system</literal>, <literal>config</literal> and <literal>overlays</literal> arguments could be used to influence <literal>pkgs</literal>.
338 </para>
339 </listitem>
340 <listitem>
341 <para>
342 A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs. For example:
343 <programlisting>
344inherit (pkgs.nixos {
345 boot.loader.grub.enable = false;
346 fileSystems."/".device = "/dev/xvda1";
347}) toplevel kernel initialRamdisk manual;
348 </programlisting>
349
350 This benefits evaluation performance, lets you write Nixpkgs packages that depend on NixOS images and is consistent with a deployment architecture that would be centered around Nixpkgs overlays.
351 </para>
352 </listitem>
353 <listitem>
354 <para>
355 <literal>lib.traceValIfNot</literal> has been deprecated. Use
356 <literal>if/then/else</literal> and <literal>lib.traceValSeq</literal> instead.
357 </para>
358 </listitem>
359 <listitem>
360 <para>
361 <literal>lib.traceCallXml</literal> has been deprecated. Please complain
362 if you use the function regularly.
363 </para>
364 </listitem>
365 <listitem>
366 <para>
367 The attribute <literal>lib.nixpkgsVersion</literal> has been deprecated in
368 favor of <literal>lib.version</literal>. Please refer to the discussion in
369 <link xlink:href="https://github.com/NixOS/nixpkgs/pull/39416#discussion_r183845745">NixOS/nixpkgs#39416</link>
370 for further reference.
371 </para>
372 </listitem>
373 <listitem>
374 <para>
375 <literal>lib.recursiveUpdateUntil</literal> was not acting according to its
376 specification. It has been fixed to act according to the docstring, and a
377 test has been added.
378 </para>
379 </listitem>
380 <listitem>
381 <para>
382 The module for <option>security.dhparams</option> has two new options now:
383 </para>
384 <variablelist>
385 <varlistentry>
386 <term>
387 <option>security.dhparams.stateless</option>
388 </term>
389 <listitem>
390 <para>
391 Puts the generated Diffie-Hellman parameters into the Nix store instead
392 of managing them in a stateful manner in
393 <filename class="directory">/var/lib/dhparams</filename>.
394 </para>
395 </listitem>
396 </varlistentry>
397 <varlistentry>
398 <term>
399 <option>security.dhparams.defaultBitSize</option>
400 </term>
401 <listitem>
402 <para>
403 The default bit size to use for the generated Diffie-Hellman
404 parameters.
405 </para>
406 </listitem>
407 </varlistentry>
408 </variablelist>
409 <note>
410 <para>
411 The path to the actual generated parameter files should now be queried
412 using
413 <literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>
414 because it might be either in the Nix store or in a directory configured
415 by <option>security.dhparams.path</option>.
416 </para>
417 </note>
418 <note>
419 <title>For developers:</title>
420 <para>
421 Module implementers should not set a specific bit size in order to let
422 users configure it by themselves if they want to have a different bit
423 size than the default (2048).
424 </para>
425 <para>
426 An example usage of this would be:
427<programlisting>
428{ config, ... }:
429
430{
431 security.dhparams.params.myservice = {};
432 environment.etc."myservice.conf".text = ''
433 dhparams = ${config.security.dhparams.params.myservice.path}
434 '';
435}
436</programlisting>
437 </para>
438 </note>
439 </listitem>
440 <listitem>
441 <para>
442 <literal>networking.networkmanager.useDnsmasq</literal> has been
443 deprecated. Use <literal>networking.networkmanager.dns</literal> instead.
444 </para>
445 </listitem>
446 <listitem>
447 <para>
448 The option
449 <varname>services.kubernetes.apiserver.admissionControl</varname> was
450 renamed to
451 <varname>services.kubernetes.apiserver.enableAdmissionPlugins</varname>.
452 </para>
453 </listitem>
454 <listitem>
455 <para>
 The recommended way to access the Kubernetes Dashboard is via HTTPS (TLS).
 Therefore, the public service port for the dashboard has changed to 443
 (container port 8443) and the scheme to https.
459 </para>
460 </listitem>
461 <listitem>
462 <para>
 The option <varname>services.kubernetes.apiserver.address</varname>
 was renamed to <varname>services.kubernetes.apiserver.bindAddress</varname>.
 Note that the default value has changed from 127.0.0.1 to 0.0.0.0, i.e. the
 API server now listens on all interfaces by default. Set the option explicitly
 if you relied on the previous loopback-only default.
466 </para>
467 </listitem>
468 <listitem>
469 <para>
470 The option <varname>services.kubernetes.apiserver.publicAddress</varname>
471 was not used and thus has been removed.
472 </para>
473 </listitem>
474 <listitem>
475 <para>
476 The option <varname>services.kubernetes.addons.dashboard.enableRBAC</varname>
477 was renamed to <varname>services.kubernetes.addons.dashboard.rbac.enable</varname>.
478 </para>
479 </listitem>
480 <listitem>
481 <para>
 The Kubernetes Dashboard now has only minimal RBAC permissions by default.
 If dashboard cluster-admin rights are desired,
 set <varname>services.kubernetes.addons.dashboard.rbac.clusterAdmin</varname> to true.
 On existing clusters, in order for the revocation of privileges to take effect,
 the current ClusterRoleBinding for kubernetes-dashboard must be manually removed:
 <command>kubectl delete clusterrolebinding kubernetes-dashboard</command>.
488 </para>
489 </listitem>
490 <listitem>
491 <para>
 The <varname>programs.screen</varname> module allows configuring
 <filename>/etc/screenrc</filename>; however, the module behaved rather counterintuitively, as
 the config existed but the package was not installed. Since 18.09 <literal>pkgs.screen</literal>
 is added to <literal>environment.systemPackages</literal>.
496 </para>
497 </listitem>
498 <listitem>
499 <para>
500 The module <option>services.networking.hostapd</option> now uses WPA2 by default.
501 </para>
502 </listitem>
503 <listitem>
504 <para>
505 <varname>s6Dns</varname>, <varname>s6Networking</varname>,
506 <varname>s6LinuxUtils</varname> and <varname>s6PortableUtils</varname>
507 renamed to
508 <varname>s6-dns</varname>, <varname>s6-networking</varname>,
509 <varname>s6-linux-utils</varname> and <varname>s6-portable-utils</varname> respectively.
510 </para>
511 </listitem>
512 <listitem>
513 <para>
 The module option <option>nix.useSandbox</option> now defaults to <literal>true</literal>.
515 </para>
516 </listitem>
517 <listitem>
518 <para>
519 The config activation script of <literal>nixos-rebuild</literal> now
520 <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemctl.html#Manager%20Lifecycle%20Commands">reloads</link>
521 all user units for each authenticated user.
522 </para>
523 </listitem>
524 <listitem>
525 <para>
526 The default display manager is now LightDM.
527 To use SLiM set <literal>services.xserver.displayManager.slim.enable</literal>
528 to <literal>true</literal>.
529 </para>
530 </listitem>
531 </itemizedlist>
532 </section>
533</section>