<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-19.03">
  <title>Release 19.03 (<quote>Koi</quote>, 2019/04/11)</title>
  <section xml:id="sec-release-19.03-highlights">
    <title>Highlights</title>
    <para>
      In addition to numerous new and upgraded packages, this release
      has the following highlights:
    </para>
    <itemizedlist>
      <listitem>
        <para>
          End of support is planned for the end of October 2019, handing
          over to 19.09.
        </para>
      </listitem>
      <listitem>
        <para>
          The default Python 3 interpreter is now CPython 3.7 instead of
          CPython 3.6.
        </para>
      </listitem>
      <listitem>
        <para>
          Added the Pantheon desktop environment. It can be enabled
          through
          <literal>services.xserver.desktopManager.pantheon.enable</literal>.
        </para>
        <note>
          <para>
            By default,
            <literal>services.xserver.desktopManager.pantheon</literal>
            enables LightDM as the display manager, because Pantheon's
            screen locking implementation relies on it. For that reason it
            is recommended to leave LightDM enabled. If you'd like to
            disable it anyway, set
            <literal>services.xserver.displayManager.lightdm.enable</literal>
            to <literal>false</literal> and enable your preferred
            display manager.
          </para>
        </note>
        <para>
          Also note that Pantheon's LightDM greeter is not enabled by
          default, because it has numerous issues on NixOS and isn't
          ready for use here yet.
        </para>
      </listitem>
      <listitem>
        <para>
          A major refactoring of the Kubernetes module has been
          completed. The refactoring primarily focuses on decoupling
          components and enhancing security. Two-way TLS and RBAC have
          been enabled by default for all components, which slightly
          changes the way the module is configured. See
          <xref linkend="sec-kubernetes" /> for details.
        </para>
      </listitem>
      <listitem>
        <para>
          There is now a set of <literal>confinement</literal> options
          for <literal>systemd.services</literal>, which allow a service
          to be restricted to a chroot(2)-ed environment that contains
          only the store paths from the runtime closure of the service.
        </para>
      </listitem>
    </itemizedlist>
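    <para>
      As an added example (not part of the original release notes or the
      NixOS module), the following configuration confines a small service
      with the new <literal>confinement</literal> options. The service name
      <literal>hello-confined</literal>, the use of
      <literal>pkgs.hello</literal> and the
      <literal>confinement.packages</literal> list are assumptions made for
      illustration, not values taken from this page.
    </para>
```nix
# Added example (not from the release notes): run a small service inside
# the chroot set up by the 19.03 confinement options. The service name
# "hello-confined" and the use of pkgs.hello are illustrative assumptions.
{ pkgs, ... }:

{
  systemd.services.hello-confined = {
    description = "Example service confined to its runtime closure";
    wantedBy = [ "multi-user.target" ];

    # Enables the confinement machinery: the unit gets a private root
    # directory populated only with the store paths in the closure of the
    # unit's commands plus the packages listed below. Anything not in that
    # closure is absent from the chroot.
    confinement.enable = true;
    confinement.packages = [ pkgs.hello ];

    serviceConfig = {
      # Store paths referenced here are part of the closure and therefore
      # visible inside the chroot.
      ExecStart = "${pkgs.hello}/bin/hello";
      Type = "oneshot";
    };
  };
}
```
    <para>
      The value of this for a defender is that a compromised process sees
      only what its closure contains, and a dependency the closure misses
      shows up as a start-up failure rather than as a service that works by
      reaching outside its sandbox.
    </para>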
  </section>
  <section xml:id="sec-release-19.03-new-services">
    <title>New Services</title>
    <para>
      The following new services were added since the last release:
    </para>
    <itemizedlist>
      <listitem>
        <para>
          <literal>./programs/nm-applet.nix</literal>
        </para>
      </listitem>
      <listitem>
        <para>
          There is a new <literal>security.googleOsLogin</literal>
          module for using
          <link xlink:href="https://cloud.google.com/compute/docs/instances/managing-instance-access">OS
          Login</link> to manage SSH access to Google Compute Engine
          instances, which supersedes the imperative and broken
          <literal>google-accounts-daemon</literal> used in
          <literal>nixos/modules/virtualisation/google-compute-config.nix</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          <literal>./services/misc/beanstalkd.nix</literal>
        </para>
      </listitem>
      <listitem>
        <para>
          There is a new <literal>services.cockroachdb</literal> module
          for running CockroachDB databases. NixOS now ships with
          CockroachDB 2.1.x as well, available on
          <literal>x86_64-linux</literal> and
          <literal>aarch64-linux</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          <literal>./security/duosec.nix</literal>
        </para>
      </listitem>
      <listitem>
        <para>
          The <link xlink:href="https://duo.com/docs/duounix">PAM module
          for Duo Security</link> has been enabled for use. It can be
          configured using the <literal>security.duosec</literal>
          options along with the corresponding PAM option in
          <literal>security.pam.services.&lt;name?&gt;.duoSecurity.enable</literal>.
        </para>
      </listitem>
    </itemizedlist>
  </section>
  <section xml:id="sec-release-19.03-incompatibilities">
    <title>Backward Incompatibilities</title>
    <para>
      When upgrading from a previous release, please be aware of the
      following incompatible changes:
    </para>
    <itemizedlist>
      <listitem>
        <para>
          The minimum version of Nix required to evaluate Nixpkgs is now
          2.0.
        </para>
        <itemizedlist>
          <listitem>
            <para>
              For users of NixOS 18.03 and 19.03, NixOS defaults to Nix
              2.0, but supports using Nix 1.11 by setting
              <literal>nix.package = pkgs.nix1;</literal>. If this
              option is set to a Nix 1.11 package, you will need to
              either unset the option or upgrade it to Nix 2.0.
            </para>
          </listitem>
          <listitem>
            <para>
              For users of NixOS 17.09, you will first need to upgrade
              Nix by setting
              <literal>nix.package = pkgs.nixStable2;</literal> and
              running <literal>nixos-rebuild switch</literal> as the
              <literal>root</literal> user.
            </para>
          </listitem>
          <listitem>
            <para>
              For users of a daemon-less Nix installation on Linux or
              macOS, you can upgrade Nix by running
              <literal>curl -L https://nixos.org/nix/install | sh</literal>,
              or, prior to doing a channel update, by running
              <literal>nix-env -iA nix</literal>. If you have already
              run a channel update and Nix is no longer able to evaluate
              Nixpkgs, the error message printed should provide adequate
              directions for upgrading Nix.
            </para>
          </listitem>
          <listitem>
            <para>
              For users of the Nix daemon on macOS, you can upgrade Nix
              by running
              <literal>sudo -i sh -c 'nix-channel --update &amp;&amp; nix-env -iA nixpkgs.nix'; sudo launchctl stop org.nixos.nix-daemon; sudo launchctl start org.nixos.nix-daemon</literal>.
            </para>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem>
        <para>
          The <literal>buildPythonPackage</literal> function now sets
          <literal>strictDeps = true</literal> to help distinguish
          between native and non-native dependencies in order to improve
          cross-compilation compatibility. Note however that this may
          break user expressions.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>buildPythonPackage</literal> function now sets
          <literal>LANG = C.UTF-8</literal> to enable Unicode support.
          The <literal>glibcLocales</literal> package is no longer
          needed as a build input.
        </para>
      </listitem>
      <listitem>
        <para>
          The Syncthing state and configuration data have been moved from
          <literal>services.syncthing.dataDir</literal> to the newly
          defined <literal>services.syncthing.configDir</literal>, which
          defaults to
          <literal>/var/lib/syncthing/.config/syncthing</literal>. This
          change makes it possible to share synced directories using ACLs
          without Syncthing resetting the permissions on every start.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>ntp</literal> module now has sane default
          restrictions. If you're relying on the previous defaults,
          which permitted all queries and commands from all
          firewall-permitted sources, you can set
          <literal>services.ntp.restrictDefault</literal> and
          <literal>services.ntp.restrictSource</literal> to
          <literal>[]</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          Package <literal>rabbitmq_server</literal> is renamed to
          <literal>rabbitmq-server</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>light</literal> module no longer uses setuid
          binaries, but udev rules. As a consequence, users of that
          module have to belong to the <literal>video</literal> group in
          order to use the executable (i.e.
          <literal>users.users.yourusername.extraGroups = ["video"];</literal>).
        </para>
      </listitem>
      <listitem>
        <para>
          Buildbot now supports Python 3 and its packages have been
          moved to <literal>pythonPackages</literal>. The options
          <literal>services.buildbot-master.package</literal> and
          <literal>services.buildbot-worker.package</literal> can be
          used to select the Python 2 or 3 version of the package.
        </para>
      </listitem>
      <listitem>
        <para>
          The options
          <literal>services.znc.confOptions.networks.name.userName</literal>
          and
          <literal>services.znc.confOptions.networks.name.modulePackages</literal>
          were removed. They were never used for anything, so they can
          safely be removed from existing configurations.
        </para>
      </listitem>
      <listitem>
        <para>
          Package <literal>wasm</literal> has been renamed
          <literal>proglodyte-wasm</literal>. The package
          <literal>wasm</literal> will be pointed to
          <literal>ocamlPackages.wasm</literal> in 19.09, so make sure
          to update your configuration if you want to keep
          <literal>proglodyte-wasm</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          When the <literal>nixpkgs.pkgs</literal> option is set, NixOS
          will no longer ignore the <literal>nixpkgs.overlays</literal>
          option. The old behavior can be recovered by setting
          <literal>nixpkgs.overlays = lib.mkForce [];</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          OpenSMTPD has been upgraded to version 6.4.0p1. This release
          makes backwards-incompatible changes to the configuration file
          format. See <literal>man smtpd.conf</literal> for more
          information on the new file format.
        </para>
      </listitem>
      <listitem>
        <para>
          The versioned <literal>postgresql</literal> packages have been
          renamed to use underscore number separators. For example,
          <literal>postgresql96</literal> has been renamed to
          <literal>postgresql_9_6</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          Package <literal>consul-ui</literal> and passthrough
          <literal>consul.ui</literal> have been removed. The package
          <literal>consul</literal> now uses upstream releases that
          vendor the UI into the binary. See
          <link xlink:href="https://github.com/NixOS/nixpkgs/pull/48714#issuecomment-433454834">#48714</link>
          for details.
        </para>
      </listitem>
      <listitem>
        <para>
          Slurm introduces the new option
          <literal>services.slurm.stateSaveLocation</literal>, which is
          now set to <literal>/var/spool/slurm</literal> by default
          (instead of <literal>/var/spool</literal>). Make sure to move
          all files to the new directory or to set the option
          accordingly.
        </para>
        <para>
          The slurmctld now runs as user <literal>slurm</literal>
          instead of <literal>root</literal>. If you want to keep
          slurmctld running as <literal>root</literal>, set
          <literal>services.slurm.user = "root"</literal>.
        </para>
        <para>
          The options <literal>services.slurm.nodeName</literal> and
          <literal>services.slurm.partitionName</literal> are now sets
          of strings to correctly reflect the fact that each of these
          options can occur more than once in the configuration.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>solr</literal> package has been upgraded from
          4.10.3 to 7.5.0 and has undergone some major changes. The
          <literal>services.solr</literal> module has been updated to
          reflect these changes. Please review
          <link xlink:href="http://lucene.apache.org/solr/">http://lucene.apache.org/solr/</link>
          carefully before upgrading.
        </para>
      </listitem>
      <listitem>
        <para>
          Package <literal>ckb</literal> is renamed to
          <literal>ckb-next</literal>, and options
          <literal>hardware.ckb.*</literal> are renamed to
          <literal>hardware.ckb-next.*</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          The option
          <literal>services.xserver.displayManager.job.logToFile</literal>,
          which was previously set to <literal>true</literal> when using
          the display managers <literal>lightdm</literal>,
          <literal>sddm</literal> or <literal>xpra</literal>, has been
          reset to the default value (<literal>false</literal>).
        </para>
      </listitem>
      <listitem>
        <para>
          Interface-independent NixOS firewall options
          (<literal>networking.firewall.allow*</literal>) are now
          preserved when also setting interface-specific rules such as
          <literal>networking.firewall.interfaces.en0.allow*</literal>.
          These rules continue to use the pseudo device
          <quote>default</quote>
          (<literal>networking.firewall.interfaces.default.*</literal>),
          and assigning to this pseudo device will override the
          <literal>networking.firewall.allow*</literal> options.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>nscd</literal> service now disables all caching
          of the <literal>passwd</literal> and <literal>group</literal>
          databases by default. Caching was interfering with the correct
          functioning of the <literal>libnss_systemd.so</literal> module,
          which is used by <literal>systemd</literal> to manage uids and
          usernames in the presence of <literal>DynamicUser=</literal>
          in systemd services. This was already the default behaviour in
          the presence of <literal>services.sssd.enable = true</literal>,
          because nscd caching would interfere with
          <literal>sssd</literal> in unpredictable ways as well. Because
          we're using nscd not for caching, but for convincing glibc to
          find NSS modules in the nix store instead of at an absolute
          path, we have decided to disable caching globally now, as it's
          usually not the behaviour the user wants and can lead to
          surprising results. Furthermore, negative caching of host
          lookups is also disabled now by default. This should fix the
          issue of DNS lookups failing in the presence of an unreliable
          network.
        </para>
        <para>
          If the old behaviour is desired, it can be restored by
          setting the <literal>services.nscd.config</literal> option
          with the desired caching parameters.
        </para>
        <programlisting language="nix">
{
  services.nscd.config =
    ''
      server-user nscd
      threads 1
      paranoia no
      debug-level 0

      enable-cache passwd yes
      positive-time-to-live passwd 600
      negative-time-to-live passwd 20
      suggested-size passwd 211
      check-files passwd yes
      persistent passwd no
      shared passwd yes

      enable-cache group yes
      positive-time-to-live group 3600
      negative-time-to-live group 60
      suggested-size group 211
      check-files group yes
      persistent group no
      shared group yes

      enable-cache hosts yes
      positive-time-to-live hosts 600
      negative-time-to-live hosts 5
      suggested-size hosts 211
      check-files hosts yes
      persistent hosts no
      shared hosts yes
    '';
}
</programlisting>
        <para>
          See
          <link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link>
          for details.
        </para>
      </listitem>
      <listitem>
        <para>
          GitLab Shell previously used the nix store paths for the
          <literal>gitlab-shell</literal> command in its
          <literal>authorized_keys</literal> file, which might stop
          working after garbage collection. To work around that, we
          regenerated that file on each startup. As
          <literal>gitlab-shell</literal> has now been changed to use
          <literal>/var/run/current-system/sw/bin/gitlab-shell</literal>,
          this is not necessary anymore, but there might be leftover
          lines with a nix store path. Regenerate the
          <literal>authorized_keys</literal> file via
          <literal>sudo -u git -H gitlab-rake gitlab:shell:setup</literal>
          in that case.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>pam_unix</literal> account module is now loaded
          with its control field set to <literal>required</literal>
          instead of <literal>sufficient</literal>, so that later PAM
          account modules that might do more extensive checks are
          executed. Previously, the whole account module verification
          exited prematurely whenever an NSS module provided the
          account name to <literal>pam_unix</literal>. The LDAP and SSSD
          NixOS modules already add their NSS modules when enabled. In
          case your setup breaks due to some later PAM account module
          that was previously shadowed, or due to failing NSS lookups,
          please file a bug. You can get back the old behaviour by
          manually setting
          <literal>security.pam.services.&lt;name?&gt;.text</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>pam_unix</literal> password module is now loaded
          with its control field set to <literal>sufficient</literal>
          instead of <literal>required</literal>, so that later PAM
          password modules are executed for passwords that only they
          manage. Previously, for example, changing an LDAP account's
          password through PAM was not possible: the whole password
          module verification was exited prematurely by
          <literal>pam_unix</literal>, preventing
          <literal>pam_ldap</literal> from managing the password as it
          should.
        </para>
      </listitem>
      <listitem>
        <para>
          <literal>fish</literal> has been upgraded to 3.0. It comes
          with a number of improvements and backwards-incompatible
          changes. See the <literal>fish</literal>
          <link xlink:href="https://github.com/fish-shell/fish-shell/releases/tag/3.0.0">release
          notes</link> for more information.
        </para>
      </listitem>
      <listitem>
        <para>
          The ibus-table input method has had a change in config format,
          which causes all previous settings to be lost. See
          <link xlink:href="https://github.com/mike-fabian/ibus-table/commit/f9195f877c5212fef0dfa446acb328c45ba5852b">this
          commit message</link> for details.
        </para>
      </listitem>
      <listitem>
        <para>
          The NixOS module system type <literal>types.optionSet</literal>
          and the <literal>lib.mkOption</literal> argument
          <literal>options</literal> are deprecated. Use
          <literal>types.submodule</literal> instead.
          (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/54637">#54637</link>)
        </para>
      </listitem>
      <listitem>
        <para>
          <literal>matrix-synapse</literal> has been updated to version
          0.99. It will
          <link xlink:href="https://github.com/matrix-org/synapse/pull/4509">no
          longer generate a self-signed certificate on first
          launch</link> and will be
          <link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the
          last version to accept self-signed certificates</link>. As
          such, it is now recommended to use a proper certificate
          verified by a root CA (for example Let's Encrypt). The new
          <link linkend="module-services-matrix">manual chapter on
          Matrix</link> contains a working example of using nginx as a
          reverse proxy in front of <literal>matrix-synapse</literal>,
          using Let's Encrypt certificates.
        </para>
      </listitem>
      <listitem>
        <para>
          <literal>mailutils</literal> now works by default when
          <literal>sendmail</literal> is not in a setuid wrapper. As a
          consequence, the <literal>sendmailPath</literal> argument,
          having lost its main use, has been removed.
        </para>
      </listitem>
      <listitem>
        <para>
          <literal>graylog</literal> has been upgraded from version 2.*
          to 3.*. Some setups making use of
          <literal>extraConfig</literal> (especially those exposing
          Graylog via reverse proxies) need to be updated, as upstream
          removed or replaced some settings. See
          <link xlink:href="http://docs.graylog.org/en/3.0/pages/upgrade/graylog-3.0.html#simplified-http-interface-configuration">Upgrading
          Graylog</link> for details.
        </para>
      </listitem>
      <listitem>
        <para>
          The option <literal>users.ldap.bind.password</literal> was
          renamed to <literal>users.ldap.bind.passwordFile</literal>,
          and the file needs to be readable by the
          <literal>nslcd</literal> user. The same applies to the new
          <literal>users.ldap.daemon.rootpwmodpwFile</literal> option.
        </para>
      </listitem>
      <listitem>
        <para>
          <literal>nodejs-6_x</literal> is end-of-life.
          <literal>nodejs-6_x</literal>,
          <literal>nodejs-slim-6_x</literal> and
          <literal>nodePackages_6_x</literal> are removed.
        </para>
      </listitem>
    </itemizedlist>
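    <para>
      To illustrate the two <literal>pam_unix</literal> control-field changes
      listed above, here is an added example (not taken from the release
      notes or from the NixOS PAM module) of a hand-written stack placed in
      <literal>security.pam.services.&lt;name?&gt;.text</literal>. The service
      name <literal>example-login</literal> and the use of
      <literal>pam_ldap</literal> are assumptions, and the stack is
      deliberately reduced to its account and password sections. Because
      setting <literal>.text</literal> replaces the whole generated file, a
      real service would also need auth and session lines.
    </para>
```nix
# Added example, not taken from the release notes or from NixOS' own PAM
# module: a reduced, hand-written PAM stack showing why the control fields
# for pam_unix changed in 19.03. The service name "example-login" and the
# use of pam_ldap are illustrative assumptions.
{ pkgs, ... }:

{
  security.pam.services.example-login.text = ''
    # --- account stack ---
    # Pre-19.03 control field, kept only for comparison:
    #   "sufficient" returns success as soon as pam_unix knows the account,
    #   so when an NSS module (LDAP, SSSD) supplied the user, the account
    #   checks of every later module were silently skipped.
    # account sufficient pam_unix.so

    # 19.03: "required" records the result and continues down the stack,
    # so later account modules with stricter checks always run.
    account required pam_unix.so
    account required ${pkgs.pam_ldap}/lib/security/pam_ldap.so

    # --- password stack ---
    # Pre-19.03 control field, kept only for comparison:
    #   "required" meant pam_unix's failure for a user it does not manage
    #   (an LDAP account) failed the whole stack before pam_ldap ran.
    # password required pam_unix.so

    # 19.03: "sufficient" succeeds and stops for local users; for accounts
    # pam_unix cannot manage it fails non-fatally and pam_ldap takes over.
    password sufficient pam_unix.so
    password required ${pkgs.pam_ldap}/lib/security/pam_ldap.so
  '';
}
```
    <para>
      The point to take away is the asymmetry: <literal>required</literal>
      keeps evaluating the stack after a module succeeds or fails, while
      <literal>sufficient</literal> ends evaluation on success. For the
      account phase you want every module's checks to run, so the stricter
      field is the safe one; for the password phase you want the first
      module that actually owns the password to handle it, so the
      short-circuiting field is the correct one.
    </para>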
  </section>
  <section xml:id="sec-release-19.03-notable-changes">
    <title>Other Notable Changes</title>
    <itemizedlist>
      <listitem>
        <para>
          The <literal>services.matomo</literal> module gained the
          option <literal>services.matomo.package</literal>, which
          determines the Matomo version in use.
        </para>
        <para>
          The Matomo module now also comes with the systemd service
          <literal>matomo-archive-processing.service</literal> and a
          timer that automatically triggers archive processing every
          hour. This means that you can safely
          <link xlink:href="https://matomo.org/docs/setup-auto-archiving/#disable-browser-triggers-for-matomo-archiving-and-limit-matomo-reports-to-updating-every-hour">disable
          browser triggers for Matomo archiving</link> at
          <literal>Administration > System > General Settings</literal>.
        </para>
        <para>
          Additionally, you can enable the
          <link xlink:href="https://matomo.org/docs/privacy/#step-2-delete-old-visitors-logs">deletion
          of old visitor logs</link> at
          <literal>Administration > System > Privacy</literal>,
          but make sure that you run
          <literal>systemctl start matomo-archive-processing.service</literal>
          at least once without errors if you have already collected
          data before, so that the reports get archived before the
          source data gets deleted.
        </para>
      </listitem>
      <listitem>
        <para>
          <literal>composableDerivation</literal> along with its supporting
          library functions has been removed.
        </para>
      </listitem>
      <listitem>
        <para>
          The deprecated <literal>truecrypt</literal> package has been
          removed and the <literal>truecrypt</literal> attribute is now an
          alias for <literal>veracrypt</literal>. VeraCrypt is
          backward-compatible with TrueCrypt volumes. Note that
          <literal>cryptsetup</literal> also supports loading TrueCrypt
          volumes.
        </para>
      </listitem>
      <listitem>
        <para>
          The Kubernetes DNS addon, kube-dns, has been replaced with
          CoreDNS. This change is made in accordance with Kubernetes
          making CoreDNS the official default starting from
          <link xlink:href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.11.md#sig-cluster-lifecycle">Kubernetes
          v1.11</link>. Please beware that upgrading the DNS addon on
          existing clusters might induce minor downtime while the
          DNS addon terminates and re-initializes. Also note that the
          DNS service now runs with 2 pod replicas by default. The
          desired number of replicas can be configured using
          <literal>services.kubernetes.addons.dns.replicas</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          The quassel-webserver package and module were removed from
          nixpkgs due to the lack of maintainers.
        </para>
      </listitem>
      <listitem>
        <para>
          The manual gained a <link linkend="module-services-matrix">new
          chapter on self-hosting <literal>matrix-synapse</literal>
          and <literal>riot-web</literal></link>, the most prevalent
          server and client implementations for the
          <link xlink:href="https://matrix.org/">Matrix</link> federated
          communication network.
        </para>
      </listitem>
      <listitem>
        <para>
          The astah-community package was removed from nixpkgs due to it
          being discontinued and the downloads not being available
          anymore.
        </para>
      </listitem>
      <listitem>
        <para>
          The httpd service now saves log files with a
          <literal>.log</literal> file extension by default for easier
          integration with the logrotate service.
        </para>
      </listitem>
      <listitem>
        <para>
          The owncloud server packages and httpd subservice module were
          removed from nixpkgs due to the lack of maintainers.
        </para>
      </listitem>
      <listitem>
        <para>
          It is now possible to use ZRAM devices as general-purpose
          ephemeral block devices, not only as swap. Using more than one
          device as ZRAM swap is no longer recommended, but is still
          possible by setting <literal>zramSwap.swapDevices</literal>
          explicitly.
        </para>
        <para>
          The ZRAM compression algorithm can now be changed.
        </para>
        <para>
          Changes to the ZRAM algorithm are applied during
          <literal>nixos-rebuild switch</literal>, so make sure you have
          enough swap space on disk to survive the ZRAM device rebuild.
          Alternatively, use
          <literal>nixos-rebuild boot; reboot</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          Flat volumes are now disabled by default in
          <literal>hardware.pulseaudio</literal>. This has been done to
          prevent applications that are unaware of this feature from
          setting their volumes to 100% on startup, which can harm your
          audio hardware and potentially your ears.
        </para>
        <note>
          <para>
            With this change, application-specific volumes are relative
            to the master volume, which can be adjusted independently,
            whereas before they were absolute, meaning that in effect
            the device volume was scaled to the volume of the loudest
            application.
          </para>
        </note>
      </listitem>
      <listitem>
        <para>
          The
          <link xlink:href="https://github.com/DanielAdolfsson/ndppd"><literal>ndppd</literal></link>
          module now supports
          <link xlink:href="options.html#opt-services.ndppd.enable">all
          config options</link> provided by the current upstream version
          as service options. Additionally, the <literal>ndppd</literal>
          package no longer contains the systemd unit configuration from
          upstream; the unit is now completely configured by the
          NixOS module.
        </para>
      </listitem>
      <listitem>
        <para>
          New installs of NixOS will default to the Redmine 4.x series
          unless otherwise specified in
          <literal>services.redmine.package</literal>, while existing
          installs of NixOS will default to the Redmine 3.x series.
        </para>
      </listitem>
      <listitem>
        <para>
          The
          <link xlink:href="options.html#opt-services.grafana.enable">Grafana
          module</link> now supports declarative
          <link xlink:href="http://docs.grafana.org/administration/provisioning/">datasource
          and dashboard</link> provisioning.
        </para>
      </listitem>
      <listitem>
        <para>
          The use of insecure ports on Kubernetes has been deprecated.
          Accordingly, the options
          <literal>services.kubernetes.apiserver.port</literal> and
          <literal>services.kubernetes.controllerManager.port</literal>
          have been renamed to <literal>.insecurePort</literal>, and the
          default of both options has changed to 0 (disabled).
        </para>
      </listitem>
      <listitem>
        <para>
          Note that the default value of
          <literal>services.kubernetes.apiserver.bindAddress</literal>
          has changed from 127.0.0.1 to 0.0.0.0, allowing the apiserver
          to be accessible from outside the master node itself. If the
          apiserver insecurePort is enabled, it is strongly recommended
          to bind it only on the loopback interface. See
          <literal>services.kubernetes.apiserver.insecureBindAddress</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          The options
          <literal>services.kubernetes.apiserver.allowPrivileged</literal>
          and
          <literal>services.kubernetes.kubelet.allowPrivileged</literal>
          now default to false, disallowing privileged containers on
          the cluster.
        </para>
      </listitem>
      <listitem>
        <para>
          The Kubernetes module no longer adds the kubernetes
          package to <literal>environment.systemPackages</literal>
          implicitly.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>intel</literal> driver has been removed from the
          default list of
          <link xlink:href="options.html#opt-services.xserver.videoDrivers">X.org
          video drivers</link>. The <literal>modesetting</literal>
          driver should take over automatically; it is better maintained
          upstream and has fewer problems with advanced X11 features.
          This can lead to a change in the output names used by
          <literal>xrandr</literal>. Some performance regressions on
          some GPU models might happen. Some OpenCL and VA-API
          applications might also break (Beignet seems to provide OpenCL
          support with the <literal>modesetting</literal> driver, too).
          The kernel mode setting API does not support backlight control,
          so the <literal>xbacklight</literal> tool will not work; the
          backlight level can be controlled directly via
          <literal>/sys/</literal> or with
          <literal>brightnessctl</literal>. Users who need this
          functionality more than multi-output XRandR are advised to add
          <literal>intel</literal> to <literal>videoDrivers</literal> and
          report an issue (or provide additional details in an existing
          one).
        </para>
      </listitem>
      <listitem>
        <para>
          Openmpi has been updated to version 4.0.0, which removes some
          deprecated MPI-1 symbols. This may break some older
          applications that still rely on those symbols. An upgrade
          guide can be found
          <link xlink:href="https://www.open-mpi.org/faq/?category=mpi-removed">here</link>.
        </para>
      </listitem>
      <listitem>
        <para>
          The nginx package now relies on OpenSSL 1.1 and supports TLS
          1.3 by default. You can set the protocols used by the nginx
          service using
          <link xlink:href="options.html#opt-services.nginx.sslProtocols">services.nginx.sslProtocols</link>.
        </para>
      </listitem>
      <listitem>
        <para>
          A new subcommand <literal>nixos-rebuild edit</literal> was
          added.
        </para>
      </listitem>
    </itemizedlist>
  </section>
</section>