1<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-19.09">
2 <title>Release 19.09 (<quote>Loris</quote>, 2019/10/09)</title>
3 <section xml:id="sec-release-19.09-highlights">
4 <title>Highlights</title>
5 <para>
6 In addition to numerous new and upgraded packages, this release
7 has the following highlights:
8 </para>
9 <itemizedlist>
10 <listitem>
11 <para>
12 End of support is planned for end of April 2020, handing over
13 to 20.03.
14 </para>
15 </listitem>
16 <listitem>
17 <para>
18 Nix has been updated to 2.3; see its
19 <link xlink:href="https://nixos.org/nix/manual/#ssec-relnotes-2.3">release
20 notes</link>.
21 </para>
22 </listitem>
23 <listitem>
24 <para>
25 Core version changes:
26 </para>
27 <para>
28 systemd: 239 -> 243
29 </para>
30 <para>
31 gcc: 7 -> 8
32 </para>
33 <para>
34 glibc: 2.27 (unchanged)
35 </para>
36 <para>
37 linux: 4.19 LTS (unchanged)
38 </para>
39 <para>
40 openssl: 1.0 -> 1.1
41 </para>
42 </listitem>
43 <listitem>
44 <para>
45 Desktop version changes:
46 </para>
47 <para>
48 plasma5: 5.14 -> 5.16
49 </para>
50 <para>
51 gnome3: 3.30 -> 3.32
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 PHP now defaults to PHP 7.3, updated from 7.2.
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 PHP 7.1 is no longer supported due to upstream not supporting
62 this version for the entire lifecycle of the 19.09 release.
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 The binfmt module is now easier to use. Additional systems can
68 be added through
69 <literal>boot.binfmt.emulatedSystems</literal>. For instance,
70 <literal>boot.binfmt.emulatedSystems = [ "wasm32-wasi" "x86_64-windows" "aarch64-linux" ];</literal>
71 will set up binfmt interpreters for each of those listed
72 systems.
73 </para>
74 </listitem>
75 <listitem>
76 <para>
77 The installer now uses a less privileged
78 <literal>nixos</literal> user whereas before we logged in as
79 root. To gain root privileges use <literal>sudo -i</literal>
80 without a password.
81 </para>
82 </listitem>
83 <listitem>
<para>
We've updated to Xfce 4.14, which brings a new module
<literal>services.xserver.desktopManager.xfce4-14</literal>.
If you'd like to upgrade, please switch from the
<literal>services.xserver.desktopManager.xfce</literal> module,
as it will be deprecated in a future release. There are
incompatibilities with the current Xfce module: it doesn't
support <literal>thunarPlugins</literal>, and it isn't
recommended to use
<literal>services.xserver.desktopManager.xfce</literal> and
<literal>services.xserver.desktopManager.xfce4-14</literal>
simultaneously or to downgrade from Xfce 4.14 after upgrading.
</para>
97 </listitem>
98 <listitem>
99 <para>
100 The GNOME 3 desktop manager module sports an interface to
101 enable/disable core services, applications, and optional GNOME
102 packages like games.
103 </para>
104 <itemizedlist>
105 <listitem>
106 <para>
107 <literal>services.gnome3.core-os-services.enable</literal>
108 </para>
109 </listitem>
110 <listitem>
111 <para>
112 <literal>services.gnome3.core-shell.enable</literal>
113 </para>
114 </listitem>
115 <listitem>
116 <para>
117 <literal>services.gnome3.core-utilities.enable</literal>
118 </para>
119 </listitem>
120 <listitem>
121 <para>
122 <literal>services.gnome3.games.enable</literal>
123 </para>
124 </listitem>
125 </itemizedlist>
<para>
With these options we hope to give users finer-grained control
over their systems. Prior to this change you'd either have to
manually disable options or use
<literal>environment.gnome3.excludePackages</literal>, which
only excluded the optional applications.
<literal>environment.gnome3.excludePackages</literal> is now
unguarded: it can exclude any package installed with
<literal>environment.systemPackages</literal> in the GNOME 3
module.
</para>
137 </listitem>
138 <listitem>
<para>
Orthogonal to the previous changes to the GNOME 3 desktop
manager module, we've updated all default services and
applications to match as closely as possible a default
reference GNOME 3 experience.
</para>
145 <para>
146 <emphasis role="strong">The following changes were enacted in
147 <literal>services.gnome3.core-utilities.enable</literal></emphasis>
148 </para>
149 <itemizedlist>
150 <listitem>
151 <para>
152 <literal>accerciser</literal>
153 </para>
154 </listitem>
155 <listitem>
156 <para>
157 <literal>dconf-editor</literal>
158 </para>
159 </listitem>
160 <listitem>
161 <para>
162 <literal>evolution</literal>
163 </para>
164 </listitem>
165 <listitem>
166 <para>
167 <literal>gnome-documents</literal>
168 </para>
169 </listitem>
170 <listitem>
171 <para>
172 <literal>gnome-nettool</literal>
173 </para>
174 </listitem>
175 <listitem>
176 <para>
177 <literal>gnome-power-manager</literal>
178 </para>
179 </listitem>
180 <listitem>
181 <para>
182 <literal>gnome-todo</literal>
183 </para>
184 </listitem>
185 <listitem>
186 <para>
187 <literal>gnome-tweaks</literal>
188 </para>
189 </listitem>
190 <listitem>
191 <para>
192 <literal>gnome-usage</literal>
193 </para>
194 </listitem>
195 <listitem>
196 <para>
197 <literal>gucharmap</literal>
198 </para>
199 </listitem>
200 <listitem>
201 <para>
202 <literal>nautilus-sendto</literal>
203 </para>
204 </listitem>
205 <listitem>
206 <para>
207 <literal>vinagre</literal>
208 </para>
209 </listitem>
210 <listitem>
211 <para>
212 <literal>cheese</literal>
213 </para>
214 </listitem>
215 <listitem>
216 <para>
217 <literal>geary</literal>
218 </para>
219 </listitem>
220 </itemizedlist>
221 <para>
222 <emphasis role="strong">The following changes were enacted in
223 <literal>services.gnome3.core-shell.enable</literal></emphasis>
224 </para>
225 <itemizedlist>
226 <listitem>
227 <para>
228 <literal>gnome-color-manager</literal>
229 </para>
230 </listitem>
231 <listitem>
232 <para>
233 <literal>orca</literal>
234 </para>
235 </listitem>
236 <listitem>
237 <para>
238 <literal>services.avahi.enable</literal>
239 </para>
240 </listitem>
241 </itemizedlist>
242 </listitem>
243 </itemizedlist>
244 </section>
245 <section xml:id="sec-release-19.09-new-services">
246 <title>New Services</title>
247 <para>
248 The following new services were added since the last release:
249 </para>
250 <itemizedlist>
251 <listitem>
252 <para>
253 <literal>./programs/dwm-status.nix</literal>
254 </para>
255 </listitem>
256 <listitem>
<para>
The new <literal>hardware.printers</literal> module allows
CUPS printers to be configured declaratively via the
<literal>ensurePrinters</literal> and
<literal>ensureDefaultPrinter</literal> options.
<literal>ensurePrinters</literal> will never delete existing
printers, but will make sure that the given printers are
configured as declared.
</para>
266 </listitem>
267 <listitem>
<para>
There are new
<link xlink:href="options.html#opt-services.system-config-printer.enable">services.system-config-printer.enable</link>
and
<link xlink:href="options.html#opt-programs.system-config-printer.enable">programs.system-config-printer.enable</link>
modules for the program of the same name. If you previously had
<literal>system-config-printer</literal> enabled through some
other means, you should migrate to using one of these modules.
</para>
277 <itemizedlist>
278 <listitem>
279 <para>
280 <literal>services.xserver.desktopManager.plasma5</literal>
281 </para>
282 </listitem>
283 <listitem>
284 <para>
285 <literal>services.xserver.desktopManager.gnome3</literal>
286 </para>
287 </listitem>
288 <listitem>
289 <para>
290 <literal>services.xserver.desktopManager.pantheon</literal>
291 </para>
292 </listitem>
293 <listitem>
<para>
<literal>services.xserver.desktopManager.mate</literal>.
Note that MATE uses
<literal>programs.system-config-printer</literal>, as it
doesn't use it as a service but uses its graphical interface
directly.
</para>
301 </listitem>
302 </itemizedlist>
303 </listitem>
304 <listitem>
<para>
<link xlink:href="options.html#opt-services.blueman.enable">services.blueman.enable</link>
has been added. If you previously had blueman installed via
<literal>environment.systemPackages</literal>, please migrate
to using the NixOS module, as installing it that way results in
an insufficiently configured blueman.
</para>
312 </listitem>
313 </itemizedlist>
314 </section>
315 <section xml:id="sec-release-19.09-incompatibilities">
316 <title>Backward Incompatibilities</title>
317 <para>
318 When upgrading from a previous release, please be aware of the
319 following incompatible changes:
320 </para>
321 <itemizedlist>
322 <listitem>
323 <para>
324 Buildbot no longer supports Python 2, as support was dropped
325 upstream in version 2.0.0. Configurations may need to be
326 modified to make them compatible with Python 3.
327 </para>
328 </listitem>
329 <listitem>
<para>
PostgreSQL now uses <literal>/run/postgresql</literal> as its
socket directory instead of <literal>/tmp</literal>. So if you
run an application such as Nextcloud, where you need to use
the Unix socket path as the database host name, you need to
change it accordingly.
</para>
337 </listitem>
338 <listitem>
339 <para>
340 PostgreSQL 9.4 is scheduled EOL during the 19.09 life cycle
341 and has been removed.
342 </para>
343 </listitem>
344 <listitem>
345 <para>
346 The options
347 <literal>services.prometheus.alertmanager.user</literal> and
348 <literal>services.prometheus.alertmanager.group</literal> have
349 been removed because the alertmanager service is now using
350 systemd's
351 <link xlink:href="http://0pointer.net/blog/dynamic-users-with-systemd.html">
352 DynamicUser mechanism</link> which obviates these options.
353 </para>
354 </listitem>
355 <listitem>
356 <para>
357 The NetworkManager systemd unit was renamed back from
358 network-manager.service to NetworkManager.service for better
359 compatibility with other applications expecting this name. The
360 same applies to ModemManager where modem-manager.service is
361 now called ModemManager.service again.
362 </para>
363 </listitem>
364 <listitem>
<para>
The <literal>services.nzbget.configFile</literal> and
<literal>services.nzbget.openFirewall</literal> options were
removed as they are managed internally by nzbget. The
<literal>services.nzbget.dataDir</literal> option hadn't
actually been used by the module for some time and so was
removed as cleanup.
</para>
373 </listitem>
374 <listitem>
375 <para>
376 The <literal>services.mysql.pidDir</literal> option was
377 removed, as it was only used by the wordpress apache-httpd
378 service to wait for mysql to have started up. This can be
379 accomplished by either describing a dependency on
380 mysql.service (preferred) or waiting for the (hardcoded)
381 <literal>/run/mysqld/mysql.sock</literal> file to appear.
382 </para>
383 </listitem>
384 <listitem>
385 <para>
386 The <literal>services.emby.enable</literal> module has been
387 removed, see <literal>services.jellyfin.enable</literal>
388 instead for a free software fork of Emby. See the Jellyfin
389 documentation:
390 <link xlink:href="https://jellyfin.readthedocs.io/en/latest/administrator-docs/migrate-from-emby/">
391 Migrating from Emby to Jellyfin </link>
392 </para>
393 </listitem>
394 <listitem>
395 <para>
396 IPv6 Privacy Extensions are now enabled by default for
397 undeclared interfaces. The previous behaviour was quite
398 misleading — even though the default value for
399 <literal>networking.interfaces.*.preferTempAddress</literal>
400 was <literal>true</literal>, undeclared interfaces would not
401 prefer temporary addresses. Now, interfaces not mentioned in
402 the config will prefer temporary addresses. EUI64 addresses
403 can still be set as preferred by explicitly setting the option
404 to <literal>false</literal> for the interface in question.
405 </para>
406 </listitem>
407 <listitem>
408 <para>
409 Since Bittorrent Sync was superseded by Resilio Sync in 2016,
410 the <literal>bittorrentSync</literal>,
411 <literal>bittorrentSync14</literal>, and
412 <literal>bittorrentSync16</literal> packages have been removed
413 in favor of <literal>resilio-sync</literal>.
414 </para>
415 <para>
416 The corresponding module, <literal>services.btsync</literal>
417 has been replaced by the <literal>services.resilio</literal>
418 module.
419 </para>
420 </listitem>
421 <listitem>
422 <para>
423 The httpd service no longer attempts to start the postgresql
424 service. If you have come to depend on this behaviour then you
425 can preserve the behavior with the following configuration:
426 <literal>systemd.services.httpd.after = [ "postgresql.service" ];</literal>
427 </para>
428 <para>
429 The option <literal>services.httpd.extraSubservices</literal>
430 has been marked as deprecated. You may still use this feature,
431 but it will be removed in a future release of NixOS. You are
432 encouraged to convert any httpd subservices you may have
433 written to a full NixOS module.
434 </para>
435 <para>
436 Most of the httpd subservices packaged with NixOS have been
437 replaced with full NixOS modules including LimeSurvey,
438 WordPress, and Zabbix. These modules can be enabled using the
439 <literal>services.limesurvey.enable</literal>,
440 <literal>services.mediawiki.enable</literal>,
441 <literal>services.wordpress.enable</literal>, and
442 <literal>services.zabbixWeb.enable</literal> options.
443 </para>
444 </listitem>
445 <listitem>
<para>
The option
<literal>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnlink</literal>
was renamed to
<literal>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnLink</literal>
(capital <literal>L</literal>). This follows
<link xlink:href="https://github.com/systemd/systemd/commit/9cb8c5593443d24c19e40bfd4fc06d672f8c554c">
upstream's renaming</link> of the setting.
</para>
455 </listitem>
456 <listitem>
457 <para>
458 As of this release the NixOps feature
459 <literal>autoLuks</literal> is deprecated. It no longer works
460 with our systemd version without manual intervention.
461 </para>
462 <para>
463 Whenever the usage of the module is detected the evaluation
464 will fail with a message explaining why and how to deal with
465 the situation.
466 </para>
467 <para>
468 A new knob named
469 <literal>nixops.enableDeprecatedAutoLuks</literal> has been
470 introduced to disable the eval failure and to acknowledge the
471 notice was received and read. If you plan on using the feature
472 please note that it might break with subsequent updates.
473 </para>
474 <para>
475 Make sure you set the <literal>_netdev</literal> option for
476 each of the file systems referring to block devices provided
477 by the autoLuks module. Not doing this might render the system
478 in a state where it doesn't boot anymore.
479 </para>
480 <para>
481 If you are actively using the <literal>autoLuks</literal>
482 module please let us know in
483 <link xlink:href="https://github.com/NixOS/nixpkgs/issues/62211">issue
484 #62211</link>.
485 </para>
486 </listitem>
487 <listitem>
488 <para>
489 The setopt declarations will be evaluated at the end of
490 <literal>/etc/zshrc</literal>, so any code in
491 <link xlink:href="options.html#opt-programs.zsh.interactiveShellInit">programs.zsh.interactiveShellInit</link>,
492 <link xlink:href="options.html#opt-programs.zsh.loginShellInit">programs.zsh.loginShellInit</link>
493 and
494 <link xlink:href="options.html#opt-programs.zsh.promptInit">programs.zsh.promptInit</link>
495 may break if it relies on those options being set.
496 </para>
497 </listitem>
498 <listitem>
<para>
The <literal>prometheus-nginx-exporter</literal> package now
uses the official exporter provided by NGINX Inc. Its metrics
are structured differently and are incompatible with the old
ones. For information about the metrics, have a look at the
<link xlink:href="https://github.com/nginxinc/nginx-prometheus-exporter">official
repo</link>.
</para>
507 </listitem>
508 <listitem>
<para>
The <literal>shibboleth-sp</literal> package has been updated
to version 3. It is largely backward compatible; for further
information refer to the
<link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes">release
notes</link> and
<link xlink:href="https://wiki.shibboleth.net/confluence/display/SP3/UpgradingFromV2">upgrade
guide</link>.
</para>
518 <para>
519 Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has
520 been dropped.
521 </para>
522 </listitem>
523 <listitem>
<para>
By default, prometheus exporters are now run with
<literal>DynamicUser</literal> enabled. Exporters that need a
real user now run under a separate user and group which
follow the pattern
<literal>&lt;exporter-name&gt;-exporter</literal>, instead of
the previous default <literal>nobody</literal> and
<literal>nogroup</literal>. Only some exporters are affected
by the latter, namely the exporters
<literal>dovecot</literal>, <literal>node</literal>,
<literal>postfix</literal> and <literal>varnish</literal>.
</para>
536 </listitem>
537 <listitem>
538 <para>
539 The <literal>ibus-qt</literal> package is not installed by
540 default anymore when
541 <link xlink:href="options.html#opt-i18n.inputMethod.enabled">i18n.inputMethod.enabled</link>
542 is set to <literal>ibus</literal>. If IBus support in Qt 4.x
543 applications is required, add the <literal>ibus-qt</literal>
544 package to your
545 <link xlink:href="options.html#opt-environment.systemPackages">environment.systemPackages</link>
546 manually.
547 </para>
548 </listitem>
549 <listitem>
550 <para>
551 The CUPS Printing service now uses socket-based activation by
552 default, only starting when needed. The previous behavior can
553 be restored by setting
554 <literal>services.cups.startWhenNeeded</literal> to
555 <literal>false</literal>.
556 </para>
557 </listitem>
558 <listitem>
559 <para>
560 The <literal>services.systemhealth</literal> module has been
561 removed from nixpkgs due to lack of maintainer.
562 </para>
563 </listitem>
564 <listitem>
565 <para>
566 The <literal>services.mantisbt</literal> module has been
567 removed from nixpkgs due to lack of maintainer.
568 </para>
569 </listitem>
570 <listitem>
571 <para>
572 Squid 3 has been removed and the <literal>squid</literal>
573 derivation now refers to Squid 4.
574 </para>
575 </listitem>
576 <listitem>
577 <para>
578 The <literal>services.pdns-recursor.extraConfig</literal>
579 option has been replaced by
580 <literal>services.pdns-recursor.settings</literal>. The new
581 option allows setting extra configuration while being better
582 type-checked and mergeable.
583 </para>
584 </listitem>
585 <listitem>
<para>
No service depends on <literal>keys.target</literal> anymore,
which is a systemd target that indicates if all
<link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps
keys</link> were successfully uploaded. Instead,
<literal>&lt;key-name&gt;-key.service</literal> should be used
to define a service's dependency on a key. The full issue
behind the <literal>keys.target</literal> dependency is
described at
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>.
</para>
597 <para>
598 The following services are affected by this:
599 </para>
600 <itemizedlist>
601 <listitem>
602 <para>
603 <link xlink:href="options.html#opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link>
604 </para>
605 </listitem>
606 <listitem>
607 <para>
608 <link xlink:href="options.html#opt-services.nsd.enable"><literal>services.nsd</literal></link>
609 </para>
610 </listitem>
611 <listitem>
612 <para>
613 <link xlink:href="options.html#opt-services.softether.enable"><literal>services.softether</literal></link>
614 </para>
615 </listitem>
616 <listitem>
617 <para>
618 <link xlink:href="options.html#opt-services.strongswan.enable"><literal>services.strongswan</literal></link>
619 </para>
620 </listitem>
621 <listitem>
622 <para>
623 <link xlink:href="options.html#opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link>
624 </para>
625 </listitem>
626 <listitem>
627 <para>
628 <link xlink:href="options.html#opt-services.httpd.enable"><literal>services.httpd</literal></link>
629 </para>
630 </listitem>
631 </itemizedlist>
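<para>
A per-key dependency of the kind described in this item, as an added
example that is not part of the original release notes or of NixOps.
The key name <literal>api-token</literal>, the <literal>myapp</literal>
user and service, and the stand-in command are all hypothetical.
</para>
<programlisting language="nix">
```nix
# Added example: every name below (api-token, myapp) is hypothetical.
{ pkgs, ... }:
{
  # NixOps uploads this key to /run/keys/api-token and creates
  # api-token-key.service, which is active only while the key is present.
  deployment.keys.api-token = {
    text = "constructed-placeholder-value"; # constructed sample value
    user = "myapp";
    group = "myapp";
    permissions = "0400";
  };

  users.groups.myapp = { };
  users.users.myapp = {
    isSystemUser = true;
    group = "myapp";
    # /run/keys is only accessible to root and members of the keys group.
    extraGroups = [ "keys" ];
  };

  systemd.services.myapp = {
    wantedBy = [ "multi-user.target" ];

    # Depend on the one key this service reads instead of keys.target,
    # which only tells you whether all keys of the machine were uploaded.
    after = [ "api-token-key.service" ];
    wants = [ "api-token-key.service" ];

    serviceConfig = {
      User = "myapp";
      # Stand-in for the real daemon, which would read /run/keys/api-token.
      ExecStart = "${pkgs.coreutils}/bin/sleep infinity";
    };
  };
}
```
</programlisting>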
632 </listitem>
633 <listitem>
<para>
The <literal>security.acme.directory</literal> option has been
replaced by a read-only
<literal>security.acme.certs.&lt;cert&gt;.directory</literal>
option for each certificate you define. This will be a
subdirectory of <literal>/var/lib/acme</literal>. You can use
this read-only option to figure out where the certificates are
stored for a specific certificate. For example, the
<literal>services.nginx.virtualhosts.&lt;name&gt;.enableACME</literal>
option will use this directory option to find the certs for
the virtual host.
</para>
646 <para>
647 <literal>security.acme.preDelay</literal> and
648 <literal>security.acme.activationDelay</literal> options have
649 been removed. To execute a service before certificates are
650 provisioned or renewed add a
651 <literal>RequiredBy=acme-${cert}.service</literal> to any
652 service.
653 </para>
<para>
Furthermore, the acme module will not automatically add a
dependency on <literal>lighttpd.service</literal> anymore. If
you are using certificates provided by letsencrypt for
lighttpd, then you should depend on the certificate service
<literal>acme-${cert}.service</literal> manually.
</para>
<para>
For nginx, the dependencies are still automatically managed
when
<literal>services.nginx.virtualhosts.&lt;name&gt;.enableACME</literal>
is enabled, just like before. What changed is that nginx now
directly depends on the specific certificates that it needs,
instead of depending on the catch-all
<literal>acme-certificates.target</literal>. This target unit
was also removed from the codebase. As a result, nginx no
longer depends on certificates it isn't explicitly managing,
and a bug is fixed in which certificate renewal ordering raced
with nginx restarting, which could leave nginx in a broken
state, as described at
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/60180">NixOS/nixpkgs#60180</link>.
</para>
676 </listitem>
677 <listitem>
678 <para>
679 The old deprecated <literal>emacs</literal> package sets have
680 been dropped. What used to be called
681 <literal>emacsPackagesNg</literal> is now simply called
682 <literal>emacsPackages</literal>.
683 </para>
684 </listitem>
685 <listitem>
<para>
<literal>services.xserver.desktopManager.xterm</literal> is
now disabled by default if <literal>stateVersion</literal> is
19.09 or higher. Previously the xterm desktopManager was
enabled when xserver was enabled, but it isn't useful for all
people, so it didn't make sense to have any desktopManager
enabled by default.
</para>
694 </listitem>
695 <listitem>
696 <para>
697 The WeeChat plugin
698 <literal>pkgs.weechatScripts.weechat-xmpp</literal> has been
699 removed as it doesn't receive any updates from upstream and
700 depends on outdated Python2-based modules.
701 </para>
702 </listitem>
703 <listitem>
704 <para>
705 Old unsupported versions (<literal>logstash5</literal>,
706 <literal>kibana5</literal>, <literal>filebeat5</literal>,
707 <literal>heartbeat5</literal>, <literal>metricbeat5</literal>,
708 <literal>packetbeat5</literal>) of the ELK-stack and Elastic
709 beats have been removed.
710 </para>
711 </listitem>
712 <listitem>
713 <para>
714 For NixOS 19.03, both Prometheus 1 and 2 were available to
715 allow for a seamless transition from version 1 to 2 with
716 existing setups. Because Prometheus 1 is no longer developed,
717 it was removed. Prometheus 2 is now configured with
718 <literal>services.prometheus</literal>.
719 </para>
720 </listitem>
721 <listitem>
722 <para>
723 Citrix Receiver (<literal>citrix_receiver</literal>) has been
724 dropped in favor of Citrix Workspace
725 (<literal>citrix_workspace</literal>).
726 </para>
727 </listitem>
728 <listitem>
729 <para>
730 The <literal>services.gitlab</literal> module has had its
731 literal secret options
732 (<literal>services.gitlab.smtp.password</literal>,
733 <literal>services.gitlab.databasePassword</literal>,
734 <literal>services.gitlab.initialRootPassword</literal>,
735 <literal>services.gitlab.secrets.secret</literal>,
736 <literal>services.gitlab.secrets.db</literal>,
737 <literal>services.gitlab.secrets.otp</literal> and
738 <literal>services.gitlab.secrets.jws</literal>) replaced by
739 file-based versions
740 (<literal>services.gitlab.smtp.passwordFile</literal>,
741 <literal>services.gitlab.databasePasswordFile</literal>,
742 <literal>services.gitlab.initialRootPasswordFile</literal>,
743 <literal>services.gitlab.secrets.secretFile</literal>,
744 <literal>services.gitlab.secrets.dbFile</literal>,
745 <literal>services.gitlab.secrets.otpFile</literal> and
746 <literal>services.gitlab.secrets.jwsFile</literal>). This was
747 done so that secrets aren't stored in the world-readable nix
748 store, but means that for each option you'll have to create a
749 file with the same exact string, add "File" to the
750 end of the option name, and change the definition to a string
751 pointing to the corresponding file; e.g.
752 <literal>services.gitlab.databasePassword = "supersecurepassword"</literal>
753 becomes
754 <literal>services.gitlab.databasePasswordFile = "/path/to/secret_file"</literal>
755 where the file <literal>secret_file</literal> contains the
756 string <literal>supersecurepassword</literal>.
757 </para>
758 <para>
759 The state path (<literal>services.gitlab.statePath</literal>)
760 now has the following restriction: no parent directory can be
761 owned by any other user than <literal>root</literal> or the
762 user specified in <literal>services.gitlab.user</literal>;
763 i.e. if <literal>services.gitlab.statePath</literal> is set to
764 <literal>/var/lib/gitlab/state</literal>,
765 <literal>gitlab</literal> and all parent directories must be
766 owned by either <literal>root</literal> or the user specified
767 in <literal>services.gitlab.user</literal>.
768 </para>
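<para>
The secret-file migration described in this item, as an added example
that is not part of the original release notes or of the GitLab module:
the removed literal option is shown commented out beside the file-based
options that replace it. The <literal>/var/keys/gitlab</literal>
directory and the file names in it are assumptions.
</para>
<programlisting language="nix">
```nix
# Added example: /var/keys/gitlab and the file names in it are assumptions.
{ ... }:
{
  services.gitlab = {
    enable = true;

    # NixOS 19.03 and earlier (option removed in 19.09). The literal value
    # ends up in the world-readable Nix store:
    #
    #   databasePassword = "supersecurepassword";

    # NixOS 19.09: only the file location is recorded in the store; the
    # secret itself stays in a file on the target machine.
    databasePasswordFile    = "/var/keys/gitlab/db_password";
    initialRootPasswordFile = "/var/keys/gitlab/initial_root_password";
    smtp.passwordFile       = "/var/keys/gitlab/smtp_password";

    secrets = {
      secretFile = "/var/keys/gitlab/secret";
      dbFile     = "/var/keys/gitlab/db";
      otpFile    = "/var/keys/gitlab/otp";
      jwsFile    = "/var/keys/gitlab/jws";
    };

    # Pitfall: write the locations as strings, as above. A Nix path literal
    # such as ./db_password is copied into the store when it is interpolated
    # into a string, which puts the secret back where every local user can
    # read it.
  };
}
```
</programlisting>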
769 </listitem>
770 <listitem>
<para>
The <literal>networking.useDHCP</literal> option is
unsupported in combination with
<literal>networking.useNetworkd</literal> in anticipation of
defaulting to it. It has to be set to <literal>false</literal>
and enabled per interface with
<literal>networking.interfaces.&lt;name&gt;.useDHCP = true;</literal>.
</para>
779 </listitem>
780 <listitem>
781 <para>
782 The Twitter client <literal>corebird</literal> has been
783 dropped as
784 <link xlink:href="https://www.patreon.com/posts/corebirds-future-18921328">it
785 is discontinued and does not work against the new Twitter
786 API</link>. Please use the fork <literal>cawbird</literal>
787 instead which has been adapted to the API changes and is still
788 maintained.
789 </para>
790 </listitem>
791 <listitem>
792 <para>
793 The <literal>nodejs-11_x</literal> package has been removed as
794 it's EOLed by upstream.
795 </para>
796 </listitem>
797 <listitem>
798 <para>
799 Because of the systemd upgrade, systemd-timesyncd will no
800 longer work if <literal>system.stateVersion</literal> is not
801 set correctly. When upgrading from NixOS 19.03, please make
802 sure that <literal>system.stateVersion</literal> is set to
803 <literal>"19.03"</literal>, or lower if the
804 installation dates back to an earlier version of NixOS.
805 </para>
806 </listitem>
807 <listitem>
808 <para>
Due to the short lifetime of non-LTS kernel releases, package
attributes like <literal>linux_5_1</literal>,
811 <literal>linux_5_2</literal> and <literal>linux_5_3</literal>
812 have been removed to discourage dependence on specific non-LTS
813 kernel versions in stable NixOS releases. Going forward,
814 versioned attributes like <literal>linux_4_9</literal> will
815 exist for LTS versions only. Please use
816 <literal>linux_latest</literal> or
817 <literal>linux_testing</literal> if you depend on non-LTS
818 releases. Keep in mind that <literal>linux_latest</literal>
819 and <literal>linux_testing</literal> will change versions
820 under the hood during the lifetime of a stable release and
821 might include breaking changes.
822 </para>
823 </listitem>
824 <listitem>
825 <para>
826 Because of the systemd upgrade, some network interfaces might
827 change their name. For details see
828 <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html#History">
829 upstream docs</link> or
830 <link xlink:href="https://github.com/NixOS/nixpkgs/issues/71086">
831 our ticket</link>.
832 </para>
833 </listitem>
834 </itemizedlist>
835 </section>
836 <section xml:id="sec-release-19.09-notable-changes">
837 <title>Other Notable Changes</title>
838 <itemizedlist>
839 <listitem>
<para>
The <literal>documentation</literal> module gained an option
named <literal>documentation.nixos.includeAllModules</literal>
which makes the generated <literal>configuration.nix(5)</literal>
manual page include all options from all NixOS modules included
in a given <literal>configuration.nix</literal> configuration file.
Currently, it is set to <literal>false</literal> by default as
enabling it frequently prevents evaluation. But the plan is to
eventually have it set to <literal>true</literal> by default.
Please set it to <literal>true</literal> now in your
<literal>configuration.nix</literal> and fix all the bugs it
uncovers.
</para>
853 </listitem>
854 <listitem>
855 <para>
856 The <literal>vlc</literal> package gained support for
857 Chromecast streaming, enabled by default. TCP port 8010 must
858 be open for it to work, so something like
859 <literal>networking.firewall.allowedTCPPorts = [ 8010 ];</literal>
860 may be required in your configuration. Also consider enabling
861 <link xlink:href="https://nixos.wiki/wiki/Accelerated_Video_Playback">
862 Accelerated Video Playback</link> for better transcoding
863 performance.
864 </para>
865 </listitem>
866 <listitem>
867 <para>
868 The following changes apply if the
869 <literal>stateVersion</literal> is changed to 19.09 or higher.
870 For <literal>stateVersion = "19.03"</literal> or
871 lower the old behavior is preserved.
872 </para>
873 <itemizedlist spacing="compact">
874 <listitem>
875 <para>
876 <literal>solr.package</literal> defaults to
877 <literal>pkgs.solr_8</literal>.
878 </para>
879 </listitem>
880 </itemizedlist>
881 </listitem>
882 <listitem>
883 <para>
884 The <literal>hunspellDicts.fr-any</literal> dictionary now
885 ships with <literal>fr_FR.{aff,dic}</literal> which is linked
886 to <literal>fr-toutesvariantes.{aff,dic}</literal>.
887 </para>
888 </listitem>
889 <listitem>
<para>
The <literal>mysql</literal> service now runs as the
<literal>mysql</literal> user. Previously, systemd executed
it as root, and mysql dropped privileges itself. This includes
the <literal>ExecStartPre=</literal> and
<literal>ExecStartPost=</literal> phases. To accomplish that,
runtime and data directory setup was delegated to
RuntimeDirectory and tmpfiles.
</para>
899 </listitem>
900 <listitem>
<para>
With the upgrade to systemd version 242 the
<literal>systemd-timesyncd</literal> service is no longer
using <literal>DynamicUser=yes</literal>. In order for the
upgrade to work we rely on an activation script to move the
state from the old to the new directory. The older directory
(prior to <literal>19.09</literal>) was
<literal>/var/lib/private/systemd/timesync</literal>.
</para>
<para>
As long as the <literal>system.config.stateVersion</literal>
is below <literal>19.09</literal> the state folder will be
migrated to its proper location
(<literal>/var/lib/systemd/timesync</literal>), if required.
</para>
916 </listitem>
<listitem>
<para>
The package <literal>avahi</literal> is now built to look up
service definitions from
<literal>/etc/avahi/services</literal> instead of its output
directory in the nix store. Accordingly the module
<literal>avahi</literal> now supports custom service
definitions via
<literal>services.avahi.extraServiceFiles</literal>, which are
then placed in the aforementioned directory. See
avahi.service(5) for more information on custom service
definitions.
</para>
</listitem>
<listitem>
<para>
Since version 0.1.19, <literal>cargo-vendor</literal> honors
package includes that are specified in the
<literal>Cargo.toml</literal> file of Rust crates.
<literal>rustPlatform.buildRustPackage</literal> uses
<literal>cargo-vendor</literal> to collect and build dependent
crates. Since this change in <literal>cargo-vendor</literal>
changes the set of vendored files for most Rust packages, the
hash that is used to verify the dependencies,
<literal>cargoSha256</literal>, also changes.
</para>
<para>
The <literal>cargoSha256</literal> hashes of all in-tree
derivations that use <literal>buildRustPackage</literal> have
been updated to reflect this change. However, third-party
derivations that use <literal>buildRustPackage</literal> may
have to be updated as well.
</para>
</listitem>
<listitem>
<para>
The <literal>consul</literal> package was upgraded past
version <literal>1.5</literal>, so its deprecated legacy UI is
no longer available.
</para>
</listitem>
<listitem>
<para>
The default resample-method for PulseAudio has been changed
from the upstream default <literal>speex-float-1</literal> to
<literal>speex-float-5</literal>. Be aware that low-powered
ARM-based and MIPS-based boards will struggle with this so
you'll need to set
<literal>hardware.pulseaudio.daemon.config.resample-method</literal>
back to <literal>speex-float-1</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>phabricator</literal> package and associated
<literal>httpd.extraSubservice</literal>, as well as the
<literal>phd</literal> service have been removed from nixpkgs
due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <literal>mercurial</literal>
<literal>httpd.extraSubservice</literal> has been removed from
nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <literal>trac</literal>
<literal>httpd.extraSubservice</literal> has been removed from
nixpkgs because it was unmaintained.
</para>
</listitem>
<listitem>
<para>
The <literal>foswiki</literal> package and associated
<literal>httpd.extraSubservice</literal> have been removed
from nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <literal>tomcat-connector</literal>
<literal>httpd.extraSubservice</literal> has been removed from
nixpkgs.
</para>
</listitem>
<listitem>
<para>
It's now possible to change configuration in
<link xlink:href="options.html#opt-services.nextcloud.enable">services.nextcloud</link>
after the initial deploy since all config parameters are
persisted in an additional config file generated by the
module. Previously core configuration like database parameters
were set using their imperative installer after creating
<literal>/var/lib/nextcloud</literal>.
</para>
</listitem>
<listitem>
<para>
There is now <literal>lib.forEach</literal>, which is like
<literal>map</literal>, but with the arguments flipped. When a
mapping function body spans many lines (or has nested
<literal>map</literal>s), it is often hard to follow which
list is modified.
</para>
<para>
The previous solution to this problem was either to use the
<literal>lib.flip map</literal> idiom or to extract the
anonymous mapping function into a named one. Both can still be
used but <literal>lib.forEach</literal> is preferred over
<literal>lib.flip map</literal>.
</para>
<para>
The <literal>/etc/sysctl.d/nixos.conf</literal> file
containing all the options set via
<link xlink:href="options.html#opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
was moved to <literal>/etc/sysctl.d/60-nixos.conf</literal>,
as sysctl.d(5) recommends prefixing all filenames in
<literal>/etc/sysctl.d</literal> with a two-digit number and a
dash to simplify the ordering of the files.
</para>
</listitem>
<listitem>
<para>
We now install the sysctl snippets shipped with systemd.
</para>
<itemizedlist>
<listitem>
<para>
Loose reverse path filtering
</para>
</listitem>
<listitem>
<para>
Source route filtering
</para>
</listitem>
<listitem>
<para>
<literal>fq_codel</literal> as a packet scheduler (this
helps to fight bufferbloat)
</para>
</listitem>
</itemizedlist>
<para>
This also configures the kernel to pass core dumps to
<literal>systemd-coredump</literal>, and restricts the SysRq
key combinations to the sync command only. These sysctl
snippets can be found in
<literal>/etc/sysctl.d/50-*.conf</literal>, and overridden via
<link xlink:href="options.html#opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
(which will place the parameters in
<literal>/etc/sysctl.d/60-nixos.conf</literal>).
</para>
</listitem>
<listitem>
<para>
Core dumps are now processed by
<literal>systemd-coredump</literal> by default.
<literal>systemd-coredump</literal> behaviour can still be
modified via <literal>systemd.coredump.extraConfig</literal>.
To stick to the old behaviour (having the kernel dump to a
file called <literal>core</literal> in the working directory),
without piping it through <literal>systemd-coredump</literal>,
set <literal>systemd.coredump.enable</literal> to
<literal>false</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>systemd.packages</literal> option now also supports
generators and shutdown scripts. The old
<literal>systemd.generator-packages</literal> option has been
removed.
</para>
</listitem>
<listitem>
<para>
The <literal>rmilter</literal> package was removed with its
associated module and options due to deprecation by the upstream
developer. Use <literal>rspamd</literal> in proxy mode
instead.
</para>
</listitem>
<listitem>
<para>
systemd cgroup accounting via the
<link xlink:href="options.html#opt-systemd.enableCgroupAccounting">systemd.enableCgroupAccounting</link>
option is now enabled by default. It now also enables the more
recent Block IO and IP accounting features.
</para>
</listitem>
<listitem>
<para>
We no longer enable custom font rendering settings with
<literal>fonts.fontconfig.penultimate.enable</literal> by
default. The defaults from fontconfig are sufficient.
</para>
</listitem>
<listitem>
<para>
The <literal>crashplan</literal> package and the
<literal>crashplan</literal> service have been removed from
nixpkgs due to crashplan shutting down the service, while the
<literal>crashplansb</literal> package and
<literal>crashplan-small-business</literal> service have been
removed from nixpkgs due to lack of maintainer.
</para>
<para>
The
<link xlink:href="options.html#opt-services.redis.enable">redis
module</link> was hardcoded to use the
<literal>redis</literal> user, <literal>/run/redis</literal>
as runtime directory and <literal>/var/lib/redis</literal> as
state directory. Note that the NixOS module for Redis now
disables kernel support for Transparent Huge Pages (THP),
because this feature causes major performance problems for
Redis (see https://redis.io/topics/latency).
</para>
</listitem>
<listitem>
<para>
Using <literal>fonts.enableDefaultFonts</literal> adds a
default emoji font <literal>noto-fonts-emoji</literal>.
</para>
<itemizedlist>
<listitem>
<para>
<literal>services.xserver.enable</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs.sway.enable</literal>
</para>
</listitem>
<listitem>
<para>
<literal>programs.way-cooler.enable</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.xrdp.enable</literal>
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>altcoins</literal> categorization of packages has
been removed. You now access these packages at the top level,
i.e. <literal>nix-shell -p dogecoin</literal> instead of
<literal>nix-shell -p altcoins.dogecoin</literal>, etc.
</para>
</listitem>
<listitem>
<para>
Ceph has been upgraded to v14.2.1. See the
<link xlink:href="https://ceph.com/releases/v14-2-0-nautilus-released/">release
notes</link> for details. The mgr dashboard as well as osds
backed by loop-devices are no longer explicitly supported by
the package and module. Note: There have been some issues with
python-cherrypy, which is used by the dashboard and prometheus
mgr modules (and possibly others), hence
<literal>0000-dont-check-cherrypy-version.patch</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>pkgs.weechat</literal> is now compiled against
<literal>pkgs.python3</literal>. Weechat also recommends
<link xlink:href="https://weechat.org/scripts/python3/">using
Python 3 in their docs</link>.
</para>
</listitem>
</itemizedlist>
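<para>
The sysctl and core-dump items above describe defaults that can be
tightened through <literal>boot.kernel.sysctl</literal> and
<literal>systemd.coredump.extraConfig</literal>. The module fragment
below is an added example, not part of the original release notes; the
values chosen (strict reverse path filtering, SysRq fully disabled,
core dumps not stored) are assumptions about a hardened host, not NixOS
defaults.
</para>

```nix
# Added example (assumed hardening choices, not NixOS defaults).
{ config, lib, pkgs, ... }:
{
  # Keys set here are written to /etc/sysctl.d/60-nixos.conf, which sorts
  # after the systemd snippets in /etc/sysctl.d/50-*.conf and so wins.
  boot.kernel.sysctl = {
    # The shipped snippet uses loose mode (2). Strict mode (1) drops packets
    # whose source is not reachable via the receiving interface.
    # Caveat: strict mode breaks asymmetric routing on multi-homed hosts.
    "net.ipv4.conf.all.rp_filter" = 1;
    "net.ipv4.conf.default.rp_filter" = 1;

    # Source route filtering is already on; pinning it here makes the
    # intent explicit and keeps it in your own configuration.
    "net.ipv4.conf.all.accept_source_route" = 0;

    # The shipped snippet allows only the sync command (bitmask 16).
    # 0 disables every SysRq key combination.
    "kernel.sysrq" = 0;
  };

  # Keep systemd-coredump as the handler but do not retain dump contents,
  # which can hold secrets from process memory. Crashes are still logged.
  # Setting systemd.coredump.enable = false would instead bring back
  # "core" files in the working directory, so it is not a way to turn
  # core dumps off.
  systemd.coredump.extraConfig = ''
    Storage=none
    ProcessSizeMax=0
  '';

  # After `nixos-rebuild switch`, confirm the effective values with:
  #   sysctl net.ipv4.conf.all.rp_filter kernel.sysrq
}
```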
</section>
</section>