1<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-20.09">
2 <title>Release 20.09 (<quote>Nightingale</quote>, 2020.10/27)</title>
3 <para>
4 Support is planned until the end of June 2021, handing over to
5 21.05. (Plans
6 <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0080-nixos-release-schedule.md#core-changes">
7 have shifted</link> by two months since release of 20.09.)
8 </para>
9 <section xml:id="sec-release-20.09-highlights">
10 <title>Highlights</title>
11 <para>
12 In addition to 7349 new, 14442 updated, and 8181 removed packages,
13 this release has the following highlights:
14 </para>
15 <itemizedlist>
16 <listitem>
17 <para>
18 Core version changes:
19 </para>
20 <itemizedlist>
21 <listitem>
22 <para>
23 gcc: 9.2.0 -> 9.3.0
24 </para>
25 </listitem>
26 <listitem>
27 <para>
28 glibc: 2.30 -> 2.31
29 </para>
30 </listitem>
31 <listitem>
32 <para>
33 linux: still defaults to 5.4.x, all supported kernels
34 available
35 </para>
36 </listitem>
37 <listitem>
38 <para>
39 mesa: 19.3.5 -> 20.1.7
40 </para>
41 </listitem>
42 </itemizedlist>
43 </listitem>
44 <listitem>
45 <para>
46 Desktop Environments:
47 </para>
48 <itemizedlist>
49 <listitem>
50 <para>
51 plasma5: 5.17.5 -> 5.18.5
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 kdeApplications: 19.12.3 -> 20.08.1
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 gnome3: 3.34 -> 3.36, see its
62 <link xlink:href="https://help.gnome.org/misc/release-notes/3.36/">release
63 notes</link>
64 </para>
65 </listitem>
66 <listitem>
67 <para>
68 cinnamon: added at 4.6
69 </para>
70 </listitem>
71 <listitem>
72 <para>
73 NixOS now distributes an official
74 <link xlink:href="https://nixos.org/download.html#nixos-iso">GNOME
75 ISO</link>
76 </para>
77 </listitem>
78 </itemizedlist>
79 </listitem>
80 <listitem>
81 <para>
82 Programming Languages and Frameworks:
83 </para>
84 <itemizedlist>
85 <listitem>
86 <para>
87 Agda ecosystem was heavily reworked (see more details
88 below)
89 </para>
90 </listitem>
91 <listitem>
92 <para>
93 PHP now defaults to PHP 7.4, updated from 7.3
94 </para>
95 </listitem>
96 <listitem>
97 <para>
98 PHP 7.2 is no longer supported due to upstream not
99 supporting this version for the entire lifecycle of the
100 20.09 release
101 </para>
102 </listitem>
103 <listitem>
104 <para>
105 Python 3 now defaults to Python 3.8 instead of 3.7
106 </para>
107 </listitem>
108 <listitem>
109 <para>
110 Python 3.5 reached its upstream EOL at the end of
111 September 2020: it has been removed from the list of
112 available packages
113 </para>
114 </listitem>
115 </itemizedlist>
116 </listitem>
117 <listitem>
118 <para>
119 Databases and Service Monitoring:
120 </para>
121 <itemizedlist>
122 <listitem>
123 <para>
124 MariaDB has been updated to 10.4, MariaDB Galera to 26.4.
125 Please read the related upgrade instructions under
126 <link linkend="sec-release-20.09-incompatibilities">backwards
127 incompatibilities</link> before upgrading.
128 </para>
129 </listitem>
130 <listitem>
131 <para>
Zabbix now defaults to 5.0, updated from 4.4. Please read
the related sections under
<link linkend="sec-release-20.09-incompatibilities">backwards
incompatibilities</link> before upgrading.
136 </para>
137 </listitem>
138 </itemizedlist>
139 </listitem>
140 <listitem>
141 <para>
142 Major module changes:
143 </para>
144 <itemizedlist>
145 <listitem>
146 <para>
147 Quickly configure a complete, private, self-hosted video
148 conferencing solution with the new Jitsi Meet module.
149 </para>
150 </listitem>
151 <listitem>
152 <para>
153 Two new options,
154 <link xlink:href="options.html#opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link>
155 and
156 <link xlink:href="options.html#opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>,
157 have been added to the <literal>openssh</literal> module.
158 If you have <literal>AuthorizedKeysCommand</literal> in
159 your
160 <link xlink:href="options.html#opt-services.openssh.extraConfig">services.openssh.extraConfig</link>
161 you should make use of these new options instead.
162 </para>
163 </listitem>
164 <listitem>
165 <para>
166 There is a new module for Podman
167 (<literal>virtualisation.podman</literal>), a drop-in
168 replacement for the Docker command line.
169 </para>
170 </listitem>
171 <listitem>
172 <para>
173 The new <literal>virtualisation.containers</literal>
174 module manages configuration shared by the CRI-O and
175 Podman modules.
176 </para>
177 </listitem>
178 <listitem>
179 <para>
180 Declarative Docker containers are renamed from
181 <literal>docker-containers</literal> to
182 <literal>virtualisation.oci-containers.containers</literal>.
183 This is to make it possible to use
184 <literal>podman</literal> instead of
185 <literal>docker</literal>.
186 </para>
187 </listitem>
188 <listitem>
189 <para>
190 The new option
191 <link xlink:href="options.html#opt-documentation.man.generateCaches">documentation.man.generateCaches</link>
192 has been added to automatically generate the
193 <literal>man-db</literal> caches, which are needed by
194 utilities like <literal>whatis</literal> and
195 <literal>apropos</literal>. The caches are generated
196 during the build of the NixOS configuration: since this
197 can be expensive when a large number of packages are
198 installed, the feature is disabled by default.
199 </para>
200 </listitem>
201 <listitem>
202 <para>
203 <literal>services.postfix.sslCACert</literal> was replaced
204 by
205 <literal>services.postfix.tlsTrustedAuthorities</literal>
206 which now defaults to system certificate authorities.
207 </para>
208 </listitem>
209 <listitem>
210 <para>
211 The various documented workarounds to use steam have been
212 converted to a module.
213 <literal>programs.steam.enable</literal> enables steam,
214 controller support and the workarounds.
215 </para>
216 </listitem>
217 <listitem>
218 <para>
219 Support for built-in LCDs in various pieces of Logitech
220 hardware (keyboards and USB speakers).
221 <literal>hardware.logitech.lcd.enable</literal> enables
222 support for all hardware supported by the
223 <link xlink:href="https://sourceforge.net/projects/g15daemon/">g15daemon
224 project</link>.
225 </para>
226 </listitem>
227 <listitem>
228 <para>
The GRUB module gained support for basic password
protection, which allows restricting non-default entries
in the boot menu to one or more users. The users and
passwords are defined via the option
<literal>boot.loader.grub.users</literal>. Note: password
support is only available in GRUB version 2.
235 </para>
236 </listitem>
237 </itemizedlist>
238 </listitem>
239 <listitem>
240 <para>
241 NixOS module changes:
242 </para>
243 <itemizedlist>
244 <listitem>
245 <para>
246 The NixOS module system now supports freeform modules as a
247 mix between <literal>types.attrsOf</literal> and
248 <literal>types.submodule</literal>. These allow you to
249 explicitly declare a subset of options while still
250 permitting definitions without an associated option. See
251 <xref linkend="sec-freeform-modules" /> for how to use
252 them.
253 </para>
254 </listitem>
255 <listitem>
256 <para>
257 Following its deprecation in 20.03, the Perl NixOS test
258 driver has been removed. All remaining tests have been
259 ported to the Python test framework. Code outside nixpkgs
260 using <literal>make-test.nix</literal> or
261 <literal>testing.nix</literal> needs to be ported to
262 <literal>make-test-python.nix</literal> and
263 <literal>testing-python.nix</literal> respectively.
264 </para>
265 </listitem>
266 <listitem>
267 <para>
268 Subordinate GID and UID mappings are now set up
269 automatically for all normal users. This will make
270 container tools like Podman work as non-root users out of
271 the box.
272 </para>
273 </listitem>
274 </itemizedlist>
275 </listitem>
276 <listitem>
277 <para>
278 Starting with this release, the hydra-build-result
279 <literal>nixos-YY.MM</literal> branches no longer exist in the
280 <link xlink:href="https://github.com/nixos/nixpkgs-channels">deprecated
281 nixpkgs-channels repository</link>. These branches are now in
282 <link xlink:href="https://github.com/nixos/nixpkgs">the main
283 nixpkgs repository</link>.
284 </para>
285 </listitem>
286 </itemizedlist>
287 </section>
288 <section xml:id="sec-release-20.09-new-services">
289 <title>New Services</title>
290 <para>
291 In addition to 1119 new, 118 updated, and 476 removed options; 61
292 new modules were added since the last release:
293 </para>
294 <itemizedlist>
295 <listitem>
296 <para>
297 Hardware:
298 </para>
299 <itemizedlist>
300 <listitem>
301 <para>
302 <link xlink:href="options.html#opt-hardware.system76.firmware-daemon.enable">hardware.system76.firmware-daemon.enable</link>
303 adds easy support of system76 firmware
304 </para>
305 </listitem>
306 <listitem>
307 <para>
308 <link xlink:href="options.html#opt-hardware.uinput.enable">hardware.uinput.enable</link>
309 loads uinput kernel module
310 </para>
311 </listitem>
312 <listitem>
313 <para>
314 <link xlink:href="options.html#opt-hardware.video.hidpi.enable">hardware.video.hidpi.enable</link>
315 enable good defaults for HiDPI displays
316 </para>
317 </listitem>
318 <listitem>
319 <para>
320 <link xlink:href="options.html#opt-hardware.wooting.enable">hardware.wooting.enable</link>
321 support for Wooting keyboards
322 </para>
323 </listitem>
324 <listitem>
325 <para>
326 <link xlink:href="options.html#opt-hardware.xpadneo.enable">hardware.xpadneo.enable</link>
327 xpadneo driver for Xbox One wireless controllers
328 </para>
329 </listitem>
330 </itemizedlist>
331 </listitem>
332 <listitem>
333 <para>
334 Programs:
335 </para>
336 <itemizedlist>
337 <listitem>
338 <para>
339 <link xlink:href="options.html#opt-programs.hamster.enable">programs.hamster.enable</link>
340 enable hamster time tracking
341 </para>
342 </listitem>
343 <listitem>
344 <para>
345 <link xlink:href="options.html#opt-programs.steam.enable">programs.steam.enable</link>
346 adds easy enablement of steam and related system
347 configuration
348 </para>
349 </listitem>
350 </itemizedlist>
351 </listitem>
352 <listitem>
353 <para>
354 Security:
355 </para>
356 <itemizedlist>
357 <listitem>
358 <para>
359 <link xlink:href="options.html#opt-security.doas.enable">security.doas.enable</link>
360 alternative to sudo, allows non-root users to execute
361 commands as root
362 </para>
363 </listitem>
364 <listitem>
365 <para>
366 <link xlink:href="options.html#opt-security.tpm2.enable">security.tpm2.enable</link>
367 add Trusted Platform Module 2 support
368 </para>
369 </listitem>
370 </itemizedlist>
371 </listitem>
372 <listitem>
373 <para>
374 System:
375 </para>
376 <itemizedlist spacing="compact">
377 <listitem>
378 <para>
379 <link xlink:href="options.html#opt-boot.initrd.network.openvpn.enable">boot.initrd.network.openvpn.enable</link>
380 start an OpenVPN client during initrd boot
381 </para>
382 </listitem>
383 </itemizedlist>
384 </listitem>
385 <listitem>
386 <para>
387 Virtualization:
388 </para>
389 <itemizedlist>
390 <listitem>
391 <para>
392 <link xlink:href="options.html#opt-boot.enableContainers">boot.enableContainers</link>
393 use nixos-containers
394 </para>
395 </listitem>
396 <listitem>
397 <para>
398 <link xlink:href="options.html#opt-virtualisation.oci-containers.containers">virtualisation.oci-containers.containers</link>
399 run OCI (Docker) containers
400 </para>
401 </listitem>
402 <listitem>
403 <para>
404 <link xlink:href="options.html#opt-virtualisation.podman.enable">virtualisation.podman.enable</link>
405 daemonless container engine
406 </para>
407 </listitem>
408 </itemizedlist>
409 </listitem>
410 <listitem>
411 <para>
412 Services:
413 </para>
414 <itemizedlist>
415 <listitem>
416 <para>
417 <link xlink:href="options.html#opt-services.ankisyncd.enable">services.ankisyncd.enable</link>
418 Anki sync server
419 </para>
420 </listitem>
421 <listitem>
422 <para>
423 <link xlink:href="options.html#opt-services.bazarr.enable">services.bazarr.enable</link>
424 Subtitle manager for Sonarr and Radarr
425 </para>
426 </listitem>
427 <listitem>
428 <para>
429 <link xlink:href="options.html#opt-services.biboumi.enable">services.biboumi.enable</link>
430 Biboumi XMPP gateway to IRC
431 </para>
432 </listitem>
433 <listitem>
434 <para>
435 <link xlink:href="options.html#opt-services.blockbook-frontend">services.blockbook-frontend</link>
436 Blockbook-frontend, a service for the Trezor wallet
437 </para>
438 </listitem>
439 <listitem>
440 <para>
441 <link xlink:href="options.html#opt-services.cage.enable">services.cage.enable</link>
442 Wayland cage service
443 </para>
444 </listitem>
445 <listitem>
446 <para>
447 <link xlink:href="options.html#opt-services.convos.enable">services.convos.enable</link>
IRC daemon, which can be accessed through the browser
449 </para>
450 </listitem>
451 <listitem>
452 <para>
453 <link xlink:href="options.html#opt-services.engelsystem.enable">services.engelsystem.enable</link>
454 Tool for coordinating volunteers and shifts on large
455 events
456 </para>
457 </listitem>
458 <listitem>
459 <para>
460 <link xlink:href="options.html#opt-services.espanso.enable">services.espanso.enable</link>
461 text-expander written in rust
462 </para>
463 </listitem>
464 <listitem>
465 <para>
466 <link xlink:href="options.html#opt-services.foldingathome.enable">services.foldingathome.enable</link>
467 Folding@home client
468 </para>
469 </listitem>
470 <listitem>
471 <para>
472 <link xlink:href="options.html#opt-services.gerrit.enable">services.gerrit.enable</link>
473 Web-based team code collaboration tool
474 </para>
475 </listitem>
476 <listitem>
477 <para>
478 <link xlink:href="options.html#opt-services.go-neb.enable">services.go-neb.enable</link>
479 Matrix bot
480 </para>
481 </listitem>
482 <listitem>
483 <para>
484 <link xlink:href="options.html#opt-services.hardware.xow.enable">services.hardware.xow.enable</link>
485 xow as a systemd service
486 </para>
487 </listitem>
488 <listitem>
489 <para>
490 <link xlink:href="options.html#opt-services.hercules-ci-agent.enable">services.hercules-ci-agent.enable</link>
491 Hercules CI build agent
492 </para>
493 </listitem>
494 <listitem>
495 <para>
496 <link xlink:href="options.html#opt-services.jicofo.enable">services.jicofo.enable</link>
497 Jitsi Conference Focus, component of Jitsi Meet
498 </para>
499 </listitem>
500 <listitem>
501 <para>
502 <link xlink:href="options.html#opt-services.jirafeau.enable">services.jirafeau.enable</link>
503 A web file repository
504 </para>
505 </listitem>
506 <listitem>
507 <para>
508 <link xlink:href="options.html#opt-services.jitsi-meet.enable">services.jitsi-meet.enable</link>
509 Secure, simple and scalable video conferences
510 </para>
511 </listitem>
512 <listitem>
513 <para>
514 <link xlink:href="options.html#opt-services.jitsi-videobridge.enable">services.jitsi-videobridge.enable</link>
515 Jitsi Videobridge, a WebRTC compatible router
516 </para>
517 </listitem>
518 <listitem>
519 <para>
520 <link xlink:href="options.html#opt-services.jupyterhub.enable">services.jupyterhub.enable</link>
521 Jupyterhub development server
522 </para>
523 </listitem>
524 <listitem>
525 <para>
526 <link xlink:href="options.html#opt-services.k3s.enable">services.k3s.enable</link>
527 Lightweight Kubernetes distribution
528 </para>
529 </listitem>
530 <listitem>
531 <para>
532 <link xlink:href="options.html#opt-services.magic-wormhole-mailbox-server.enable">services.magic-wormhole-mailbox-server.enable</link>
533 Magic Wormhole Mailbox Server
534 </para>
535 </listitem>
536 <listitem>
537 <para>
538 <link xlink:href="options.html#opt-services.malcontent.enable">services.malcontent.enable</link>
539 Parental Control support
540 </para>
541 </listitem>
542 <listitem>
543 <para>
544 <link xlink:href="options.html#opt-services.matrix-appservice-discord.enable">services.matrix-appservice-discord.enable</link>
545 Matrix and Discord bridge
546 </para>
547 </listitem>
548 <listitem>
549 <para>
550 <link xlink:href="options.html#opt-services.mautrix-telegram.enable">services.mautrix-telegram.enable</link>
551 Matrix-Telegram puppeting/relaybot bridge
552 </para>
553 </listitem>
554 <listitem>
555 <para>
556 <link xlink:href="options.html#opt-services.mirakurun.enable">services.mirakurun.enable</link>
557 Japanese DTV Tuner Server Service
558 </para>
559 </listitem>
560 <listitem>
561 <para>
562 <link xlink:href="options.html#opt-services.molly-brown.enable">services.molly-brown.enable</link>
563 Molly-Brown Gemini server
564 </para>
565 </listitem>
566 <listitem>
567 <para>
568 <link xlink:href="options.html#opt-services.mullvad-vpn.enable">services.mullvad-vpn.enable</link>
569 Mullvad VPN daemon
570 </para>
571 </listitem>
572 <listitem>
573 <para>
574 <link xlink:href="options.html#opt-services.ncdns.enable">services.ncdns.enable</link>
575 Namecoin to DNS bridge
576 </para>
577 </listitem>
578 <listitem>
579 <para>
580 <link xlink:href="options.html#opt-services.nextdns.enable">services.nextdns.enable</link>
581 NextDNS to DoH Proxy service
582 </para>
583 </listitem>
584 <listitem>
585 <para>
586 <link xlink:href="options.html#opt-services.nix-store-gcs-proxy">services.nix-store-gcs-proxy</link>
587 Google storage bucket to be used as a nix store
588 </para>
589 </listitem>
590 <listitem>
591 <para>
592 <link xlink:href="options.html#opt-services.onedrive.enable">services.onedrive.enable</link>
593 OneDrive sync service
594 </para>
595 </listitem>
596 <listitem>
597 <para>
598 <link xlink:href="options.html#opt-services.pinnwand.enable">services.pinnwand.enable</link>
599 Pastebin-like service
600 </para>
601 </listitem>
602 <listitem>
603 <para>
604 <link xlink:href="options.html#opt-services.pixiecore.enable">services.pixiecore.enable</link>
605 Manage network booting of machines
606 </para>
607 </listitem>
608 <listitem>
609 <para>
610 <link xlink:href="options.html#opt-services.privacyidea.enable">services.privacyidea.enable</link>
611 Privacy authentication server
612 </para>
613 </listitem>
614 <listitem>
615 <para>
616 <link xlink:href="options.html#opt-services.quorum.enable">services.quorum.enable</link>
617 Quorum blockchain daemon
618 </para>
619 </listitem>
620 <listitem>
621 <para>
622 <link xlink:href="options.html#opt-services.robustirc-bridge.enable">services.robustirc-bridge.enable</link>
623 RobustIRC bridge
624 </para>
625 </listitem>
626 <listitem>
627 <para>
628 <link xlink:href="options.html#opt-services.rss-bridge.enable">services.rss-bridge.enable</link>
629 Generate RSS and Atom feeds
630 </para>
631 </listitem>
632 <listitem>
633 <para>
634 <link xlink:href="options.html#opt-services.rtorrent.enable">services.rtorrent.enable</link>
635 rTorrent service
636 </para>
637 </listitem>
638 <listitem>
639 <para>
640 <link xlink:href="options.html#opt-services.smartdns.enable">services.smartdns.enable</link>
641 SmartDNS DNS server
642 </para>
643 </listitem>
644 <listitem>
645 <para>
646 <link xlink:href="options.html#opt-services.sogo.enable">services.sogo.enable</link>
647 SOGo groupware
648 </para>
649 </listitem>
650 <listitem>
651 <para>
652 <link xlink:href="options.html#opt-services.teeworlds.enable">services.teeworlds.enable</link>
653 Teeworlds game server
654 </para>
655 </listitem>
656 <listitem>
657 <para>
658 <link xlink:href="options.html#opt-services.torque.mom.enable">services.torque.mom.enable</link>
659 torque computing node
660 </para>
661 </listitem>
662 <listitem>
663 <para>
664 <link xlink:href="options.html#opt-services.torque.server.enable">services.torque.server.enable</link>
665 torque server
666 </para>
667 </listitem>
668 <listitem>
669 <para>
670 <link xlink:href="options.html#opt-services.tuptime.enable">services.tuptime.enable</link>
671 A total uptime service
672 </para>
673 </listitem>
674 <listitem>
675 <para>
676 <link xlink:href="options.html#opt-services.urserver.enable">services.urserver.enable</link>
677 X11 remote server
678 </para>
679 </listitem>
680 <listitem>
681 <para>
682 <link xlink:href="options.html#opt-services.wasabibackend.enable">services.wasabibackend.enable</link>
683 Wasabi backend service
684 </para>
685 </listitem>
686 <listitem>
687 <para>
688 <link xlink:href="options.html#opt-services.yubikey-agent.enable">services.yubikey-agent.enable</link>
689 Yubikey agent
690 </para>
691 </listitem>
692 <listitem>
693 <para>
694 <link xlink:href="options.html#opt-services.zigbee2mqtt.enable">services.zigbee2mqtt.enable</link>
695 Zigbee to MQTT bridge
696 </para>
697 </listitem>
698 </itemizedlist>
699 </listitem>
700 </itemizedlist>
701 </section>
702 <section xml:id="sec-release-20.09-incompatibilities">
703 <title>Backward Incompatibilities</title>
704 <para>
705 When upgrading from a previous release, please be aware of the
706 following incompatible changes:
707 </para>
708 <itemizedlist>
709 <listitem>
710 <para>
MariaDB has been updated to 10.4, MariaDB Galera to 26.4.
Before you upgrade, it would be best to take a backup of your
database. For MariaDB Galera Cluster, see
<link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104-with-galera-cluster/">Upgrading
from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster</link>
instead. Before doing the upgrade, read
<link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104">Incompatible
Changes Between 10.3 and 10.4</link>. After the upgrade you
will need to run <literal>mysql_upgrade</literal>. MariaDB
10.4 introduces a number of changes to the authentication
process, intended to make things easier and more intuitive.
See
<link xlink:href="https://mariadb.com/kb/en/authentication-from-mariadb-104/">Authentication
from MariaDB 10.4</link>. The <literal>unix_socket</literal> auth plugin does not use
a password, and uses the connecting user's UID instead. When a
new MariaDB data directory is initialized, two MariaDB users
are created and can be used with the new <literal>unix_socket</literal> auth plugin,
as well as the traditional <literal>mysql_native_password</literal> plugin:
<literal>root@localhost</literal> and <literal>mysql@localhost</literal>. To actually use the
traditional <literal>mysql_native_password</literal> plugin method, one must run
the following:
732 </para>
<programlisting language="bash">
{
  # pkgs.writeText stores this script, password included, in the world-readable Nix store.
  services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
    ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("verysecret");
  '';
}
</programlisting>
740 <para>
When the MariaDB data directory is just upgraded (not
initialized), the users are not created or modified.
743 </para>
744 </listitem>
745 <listitem>
<para>
MySQL server is now started with additional systemd
sandbox/hardening options for better security. The
<literal>PrivateTmp</literal>, <literal>ProtectHome</literal>, and
<literal>ProtectSystem</literal> options may be problematic when
MySQL is attempting to read from or write to your filesystem
anywhere outside of its own state directory, for example when
calling <literal>LOAD DATA INFILE</literal> or
<literal>SELECT * INTO OUTFILE</literal>.
In this scenario a variant of the following may be required:
</para>
<itemizedlist>
<listitem>
<para>
allow MySQL to read from /home and /tmp directories when using
<literal>LOAD DATA INFILE</literal>
</para>
<programlisting language="bash">
{
  systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only";
}
</programlisting>
</listitem>
<listitem>
<para>
allow MySQL to write to custom folder
<literal>/var/data</literal> when using
<literal>SELECT * INTO OUTFILE</literal>, assuming the mysql
user has write access to <literal>/var/data</literal>
</para>
<programlisting language="bash">
{
  systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
}
</programlisting>
</listitem>
</itemizedlist>
774 <para>
The MySQL service no longer runs its
<literal>systemd</literal> service startup script as
<literal>root</literal>. A dedicated
non-<literal>root</literal> super user account is required for
operation. This means users with an existing MySQL or MariaDB
database server are required to run the following SQL
statements as a super admin user before upgrading:
782 </para>
<programlisting language="SQL">
CREATE USER IF NOT EXISTS 'mysql'@'localhost' identified with unix_socket;
GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
</programlisting>
787 <para>
788 If you use MySQL instead of MariaDB please replace
789 <literal>unix_socket</literal> with
790 <literal>auth_socket</literal>. If you have changed the value
791 of
792 <link xlink:href="options.html#opt-services.mysql.user">services.mysql.user</link>
793 from the default of <literal>mysql</literal> to a different
794 user please change <literal>'mysql'@'localhost'</literal> to
795 the corresponding user instead.
796 </para>
797 </listitem>
798 <listitem>
799 <para>
800 Zabbix now defaults to 5.0, updated from 4.4. Please carefully
801 read through
802 <link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade/sources">the
803 upgrade guide</link> and apply any changes required. Be sure
804 to take special note of the section on
805 <link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade_notes_500#enabling_extended_range_of_numeric_float_values">enabling
806 extended range of numeric (float) values</link> as you will
807 need to apply this database migration manually.
808 </para>
809 <para>
810 If you are using Zabbix Server with a MySQL or MariaDB
811 database you should note that using a character set of
812 <literal>utf8</literal> and a collate of
813 <literal>utf8_bin</literal> has become mandatory with this
814 release. See the upstream
815 <link xlink:href="https://support.zabbix.com/browse/ZBX-17357">issue</link>
816 for further discussion. Before upgrading you should check the
817 character set and collation used by your database and ensure
818 they are correct:
819 </para>
<programlisting language="SQL">
SELECT
  default_character_set_name,
  default_collation_name
FROM
  information_schema.schemata
WHERE
  schema_name = 'zabbix';
</programlisting>
829 <para>
830 If these values are not correct you should take a backup of
831 your database and convert the character set and collation as
832 required. Here is an
833 <link xlink:href="https://www.zabbix.com/forum/zabbix-help/396573-reinstall-after-upgrade?p=396891#post396891">example</link>
834 of how to do so, taken from the Zabbix forums:
835 </para>
<programlisting language="SQL">
ALTER DATABASE `zabbix` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin;

-- the following will produce a list of SQL commands you should subsequently execute
SELECT CONCAT("ALTER TABLE ", TABLE_NAME," CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;") AS ExecuteTheString
FROM information_schema.`COLUMNS`
WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ci";
</programlisting>
844 </listitem>
845 <listitem>
846 <para>
The maxx package has been removed along with the
<literal>services.xserver.desktopManager.maxx</literal>
module. Please migrate to cdesktopenv and the
<literal>services.xserver.desktopManager.cde</literal> module.
851 </para>
852 </listitem>
853 <listitem>
854 <para>
855 The
856 <link xlink:href="options.html#opt-services.matrix-synapse.enable">matrix-synapse</link>
module no longer includes optional dependencies by default;
they have to be added through the
859 <link xlink:href="options.html#opt-services.matrix-synapse.plugins">plugins</link>
860 option.
861 </para>
862 </listitem>
863 <listitem>
864 <para>
865 <literal>buildGoModule</literal> now internally creates a
866 vendor directory in the source tree for downloaded modules
instead of using Go's
<link xlink:href="https://golang.org/cmd/go/#hdr-Module_proxy_protocol">module
proxy protocol</link>. This storage format is simpler and
therefore less likely to break with future versions of Go. As
871 a result <literal>buildGoModule</literal> switched from
872 <literal>modSha256</literal> to the
873 <literal>vendorSha256</literal> attribute to pin fetched
874 version data.
875 </para>
876 </listitem>
877 <listitem>
878 <para>
879 Grafana is now built without support for phantomjs by default.
880 Phantomjs support has been
881 <link xlink:href="https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-4/">deprecated
882 in Grafana</link> and the phantomjs project is
883 <link xlink:href="https://github.com/ariya/phantomjs/issues/15344#issue-302015362">currently
884 unmaintained</link>. It can still be enabled by providing
885 <literal>phantomJsSupport = true</literal> to the package
886 instantiation:
887 </para>
<programlisting language="bash">
{
  services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec {
    phantomJsSupport = true;
  });
}
</programlisting>
895 </listitem>
896 <listitem>
897 <para>
898 The
899 <link xlink:href="options.html#opt-services.supybot.enable">supybot</link>
900 module now uses <literal>/var/lib/supybot</literal> as its
901 default
902 <link xlink:href="options.html#opt-services.supybot.stateDir">stateDir</link>
903 path if <literal>stateVersion</literal> is 20.09 or higher. It
904 also enables a number of
905 <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd
906 sandboxing options</link> which may possibly interfere with
907 some plugins. If this is the case you can disable the options
908 through attributes in
909 <literal>systemd.services.supybot.serviceConfig</literal>.
910 </para>
911 </listitem>
912 <listitem>
913 <para>
914 The <literal>security.duosec.skey</literal> option, which
915 stored a secret in the nix store, has been replaced by a new
916 <link xlink:href="options.html#opt-security.duosec.secretKeyFile">security.duosec.secretKeyFile</link>
917 option for better security.
918 </para>
919 <para>
920 <literal>security.duosec.ikey</literal> has been renamed to
921 <link xlink:href="options.html#opt-security.duosec.integrationKey">security.duosec.integrationKey</link>.
922 </para>
923 </listitem>
924 <listitem>
925 <para>
<literal>vmware</literal> has been removed from the
<literal>services.x11.videoDrivers</literal> defaults. For
VMware guests, set
<literal>virtualisation.vmware.guest.enable</literal> to
<literal>true</literal>, which will include the appropriate
drivers.
932 </para>
933 </listitem>
934 <listitem>
935 <para>
936 The initrd SSH support now uses OpenSSH rather than Dropbear
937 to allow the use of Ed25519 keys and other OpenSSH-specific
938 functionality. Host keys must now be in the OpenSSH format,
939 and at least one pre-generated key must be specified.
940 </para>
941 <para>
942 If you used the
943 <literal>boot.initrd.network.ssh.host*Key</literal> options,
944 you'll get an error explaining how to convert your host keys
945 and migrate to the new
946 <literal>boot.initrd.network.ssh.hostKeys</literal> option.
947 Otherwise, if you don't have any host keys set, you'll need to
948 generate some; see the <literal>hostKeys</literal> option
949 documentation for instructions.
950 </para>
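<para>
An added example, not part of the NixOS release notes: a minimal
initrd SSH configuration using the new
<literal>boot.initrd.network.ssh.hostKeys</literal> option with a
pre-generated Ed25519 key. The key path, the port and the
authorized key are assumptions chosen for illustration.
</para>

```nix
{
  # Generate a dedicated key pair beforehand on the target machine, for example:
  #   ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
  # Use keys created only for the initrd, never the machine's regular SSH
  # host keys: the private key is embedded in the initrd unencrypted.
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      # Assumed port; a port different from the main sshd keeps the two
      # host keys apart in clients' known_hosts files.
      port = 2222;
      # Paths to pre-generated private keys in OpenSSH format (assumed location).
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
      # Constructed placeholder; replace with a real public key.
      authorizedKeys = [ "ssh-ed25519 AAAA-placeholder admin@example" ];
    };
  };
}
```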
951 </listitem>
952 <listitem>
953 <para>
954 Since this release there's an easy way to customize your PHP
955 install to get a much smaller base PHP with only wanted
956 extensions enabled. See the following snippet installing a
957 smaller PHP with the extensions <literal>imagick</literal>,
958 <literal>opcache</literal>, <literal>pdo</literal> and
959 <literal>pdo_mysql</literal> loaded:
960 </para>
<programlisting language="bash">
{
  environment.systemPackages = [
    (pkgs.php.withExtensions
      ({ all, ... }: with all; [
        imagick
        opcache
        pdo
        pdo_mysql
      ])
    )
  ];
}
</programlisting>
975 <para>
      The default <literal>php</literal> attribute hasn't lost any
      extensions. The <literal>opcache</literal> extension has been
      added. All upstream PHP extensions are available under
      <literal>php.extensions.&lt;name?&gt;</literal>.
980 </para>
981 <para>
982 All PHP <literal>config</literal> flags have been removed for
983 the following reasons:
984 </para>
985 </listitem>
986 <listitem>
987 <para>
988 The updated <literal>php</literal> attribute is now easily
989 customizable to your liking by using
990 <literal>php.withExtensions</literal> or
991 <literal>php.buildEnv</literal> instead of writing config
992 files or changing configure flags.
993 </para>
994 </listitem>
995 <listitem>
996 <para>
997 The remaining configuration flags can now be set directly on
998 the <literal>php</literal> attribute. For example, instead of
999 </para>
1000 <programlisting language="bash">
php.override {
  config.php.embed = true;
  config.php.apxs2 = false;
}
1007</programlisting>
1008 <para>
1009 you should now write
1010 </para>
1011 <programlisting language="bash">
php.override {
  embedSupport = true;
  apxs2Support = false;
}
1018</programlisting>
1019 </listitem>
1020 <listitem>
1021 <para>
1022 The ACME module has been overhauled for simplicity and
1023 maintainability. Cert generation now implicitly uses the
1024 <literal>acme</literal> user, and the
1025 <literal>security.acme.certs._name_.user</literal> option has
1026 been removed. Instead, certificate access from other services
1027 is now managed through group permissions. The module no longer
1028 runs lego twice under certain conditions, and will correctly
1029 renew certificates if their configuration is changed. Services
      which reload nginx and httpd after certificate renewal are now
      properly configured too, so you no longer have to do this
      manually if you are using HTTPS-enabled virtual hosts. A
1033 mechanism for regenerating certs on demand has also been added
1034 and documented.
1035 </para>
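The group-based access model described above, as an added example that is not part of the original release notes. The domain, contact address, group name and the mailsrv service user are hypothetical, and the user is assumed to be defined elsewhere in the configuration.

```nix
{
  security.acme = {
    acceptTerms = true;
    email = "admin@example.org";               # placeholder contact address
    certs."mail.example.org" = {               # placeholder domain
      webroot = "/var/lib/acme/acme-challenge";
      # Removed in this release; issuance now always runs as the acme user:
      #   user = "mailsrv";
      # Group that is allowed to read the issued certificate and key.
      group = "certs-mail";                    # hypothetical group
    };
  };

  # Read access is granted by group membership only; the consuming service
  # never owns or writes the private key.
  users.groups.certs-mail.members = [ "mailsrv" ];   # hypothetical service user
}
```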
1036 </listitem>
1037 <listitem>
1038 <para>
1039 Gollum received a major update to version 5.x and you may have
1040 to change some links in your wiki when migrating from gollum
1041 4.x. More information can be found
1042 <link xlink:href="https://github.com/gollum/gollum/wiki/5.0-release-notes#migrating-your-wiki">here</link>.
1043 </para>
1044 </listitem>
1045 <listitem>
1046 <para>
1047 Deluge 2.x was added and is used as default for new NixOS
1048 installations where stateVersion is >= 20.09. If you are
1049 upgrading from a previous NixOS version, you can set
      <literal>services.deluge.package = pkgs.deluge-2_x</literal> to
1051 upgrade to Deluge 2.x and migrate the state to the new format.
1052 Be aware that backwards state migrations are not supported by
1053 Deluge.
1054 </para>
1055 </listitem>
1056 <listitem>
1057 <para>
      The Nginx web server is now started with additional
      sandbox/hardening options. By default, write access to
      <literal>/var/log/nginx</literal> and
      <literal>/var/cache/nginx</literal> is allowed. To allow
      writing to other folders, use
      <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal>:
1065 <programlisting language="bash">
{
  systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
}
1069</programlisting>
1070 <para>
1071 Nginx is also started with the systemd option
      <literal>ProtectHome = mkDefault true;</literal>, which prevents
      it from reading anything from <literal>/home</literal>,
1074 <literal>/root</literal> and <literal>/run/user</literal> (see
1075 <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=">ProtectHome
1076 docs</link> for details). If you require serving files from
1077 home directories, you may choose to set e.g.
1078 </para>
1079 <programlisting language="bash">
{
  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
}
1083</programlisting>
1084 </listitem>
1085 <listitem>
1086 <para>
1087 The NixOS options <literal>nesting.clone</literal> and
1088 <literal>nesting.children</literal> have been deleted, and
1089 replaced with named
1090 <link xlink:href="options.html#opt-specialisation">specialisation</link>
1091 configurations.
1092 </para>
1093 <para>
1094 Replace a <literal>nesting.clone</literal> entry with:
1095 </para>
1096 <programlisting language="bash">
{
  specialisation.example-sub-configuration = {
    configuration = {
      ...
    };
  };
}
1103</programlisting>
1104 <para>
1105 Replace a <literal>nesting.children</literal> entry with:
1106 </para>
1107 <programlisting language="bash">
{
  specialisation.example-sub-configuration = {
    inheritParentConfig = false;
    configuration = {
      ...
    };
  };
}
1115</programlisting>
1116 <para>
1117 To switch to a specialised configuration at runtime you need
1118 to run:
1119 </para>
1120 <programlisting>
$ sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test
1122</programlisting>
1123 <para>
1124 Before you would have used:
1125 </para>
1126 <programlisting>
$ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
1128</programlisting>
1129 </listitem>
1130 <listitem>
1131 <para>
1132 The Nginx log directory has been moved to
1133 <literal>/var/log/nginx</literal>, the cache directory to
1134 <literal>/var/cache/nginx</literal>. The option
1135 <literal>services.nginx.stateDir</literal> has been removed.
1136 </para>
1137 </listitem>
1138 <listitem>
1139 <para>
      The httpd web server previously started its main process with
      root privileges, then ran worker processes as a less
      privileged user. This was changed to start all of
      httpd as a less privileged user (defined by
1144 <link xlink:href="options.html#opt-services.httpd.user">services.httpd.user</link>
1145 and
1146 <link xlink:href="options.html#opt-services.httpd.group">services.httpd.group</link>).
1147 As a consequence, all files that are needed for httpd to run
1148 (included configuration fragments, SSL certificates and keys,
1149 etc.) must now be readable by this less privileged user/group.
1150 </para>
1151 <para>
1152 The default value for
1153 <link xlink:href="options.html#opt-services.httpd.mpm">services.httpd.mpm</link>
1154 has been changed from <literal>prefork</literal> to
1155 <literal>event</literal>. Along with this change the default
1156 value for
      <link xlink:href="options.html#opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.http2</link>
1158 has been set to <literal>true</literal>.
1159 </para>
1160 </listitem>
1161 <listitem>
1162 <para>
      The <literal>systemd-networkd</literal> option
      <literal>systemd.network.networks.&lt;name&gt;.dhcp.CriticalConnection</literal>
      has been removed following upstream systemd's deprecation of
      the same. It is recommended to use
      <literal>systemd.network.networks.&lt;name&gt;.networkConfig.KeepConfiguration</literal>
      instead. See systemd.network(5) for details.
1169 </para>
1170 </listitem>
1171 <listitem>
1172 <para>
1173 The <literal>systemd-networkd</literal> option
1174 <literal>systemd.network.networks._name_.dhcpConfig</literal>
1175 has been renamed to
1176 <link xlink:href="options.html#opt-systemd.network.networks._name_.dhcpV4Config">systemd.network.networks.<emphasis>name</emphasis>.dhcpV4Config</link>
1177 following upstream systemd's documentation change. See
      systemd.network(5) for details.
1179 </para>
1180 </listitem>
1181 <listitem>
1182 <para>
1183 In the <literal>picom</literal> module, several options that
1184 accepted floating point numbers encoded as strings (for
1185 example
1186 <link xlink:href="options.html#opt-services.picom.activeOpacity">services.picom.activeOpacity</link>)
1187 have been changed to the (relatively) new native
1188 <literal>float</literal> type. To migrate your configuration
1189 simply remove the quotes around the numbers.
1190 </para>
1191 </listitem>
1192 <listitem>
1193 <para>
1194 When using <literal>buildBazelPackage</literal> from Nixpkgs,
1195 <literal>flat</literal> hash mode is now used for dependencies
1196 instead of <literal>recursive</literal>. This is to better
1197 allow using hashed mirrors where needed. As a result, these
1198 hashes will have changed.
1199 </para>
1200 </listitem>
1201 <listitem>
1202 <para>
1203 The syntax of the PostgreSQL configuration file is now checked
1204 at build time. If your configuration includes a file
1205 inaccessible inside the build sandbox, set
1206 <literal>services.postgresql.checkConfig</literal> to
1207 <literal>false</literal>.
1208 </para>
1209 </listitem>
1210 <listitem>
1211 <para>
      The rkt module has been removed because it was archived by upstream.
1213 </para>
1214 </listitem>
1215 <listitem>
1216 <para>
1217 The
1218 <link xlink:href="https://bazaar.canonical.com">Bazaar</link>
      VCS is unmaintained and, as a consequence of the Python 2 EOL,
1220 the packages <literal>bazaar</literal> and
1221 <literal>bazaarTools</literal> were removed. Breezy, the
1222 backward compatible fork of Bazaar (see the
1223 <link xlink:href="https://www.jelmer.uk/breezy-intro.html">announcement</link>),
1224 was packaged as <literal>breezy</literal> and can be used
1225 instead.
1226 </para>
1227 <para>
1228 Regarding Nixpkgs, <literal>fetchbzr</literal>,
1229 <literal>nix-prefetch-bzr</literal> and Bazaar support in
1230 Hydra will continue to work through Breezy.
1231 </para>
1232 </listitem>
1233 <listitem>
1234 <para>
1235 In addition to the hostname, the fully qualified domain name
1236 (FQDN), which consists of
1237 <literal>${networking.hostName}</literal> and
      <literal>${networking.domain}</literal>, is now added to
1239 <literal>/etc/hosts</literal>, to allow local FQDN resolution,
1240 as used by the <literal>hostname --fqdn</literal> command and
1241 other applications that try to determine the FQDN. These new
1242 entries take precedence over entries from the DNS which could
1243 cause regressions in some very specific setups. Additionally
1244 the hostname is now resolved to <literal>127.0.0.2</literal>
1245 instead of <literal>127.0.1.1</literal> to be consistent with
1246 what <literal>nss-myhostname</literal> (from systemd) returns.
1247 The old behaviour can e.g. be restored by using
1248 <literal>networking.hosts = lib.mkForce { "127.0.1.1" = [ config.networking.hostName ]; };</literal>.
1249 </para>
1250 </listitem>
1251 <listitem>
1252 <para>
1253 The hostname (<literal>networking.hostName</literal>) must now
1254 be a valid DNS label (see RFC 1035, RFC 1123) and as such must
1255 not contain the domain part. This means that the hostname must
1256 start with a letter or digit, end with a letter or digit, and
1257 have as interior characters only letters, digits, and hyphen.
1258 The maximum length is 63 characters. Additionally it is
1259 recommended to only use lower-case characters. If (e.g. for
1260 legacy reasons) a FQDN is required as the Linux kernel network
1261 node hostname (<literal>uname --nodename</literal>) the option
1262 <literal>boot.kernel.sysctl."kernel.hostname"</literal>
1263 can be used as a workaround (but be aware of the 64 character
1264 limit).
1265 </para>
1266 </listitem>
1267 <listitem>
1268 <para>
1269 The GRUB specific option
1270 <literal>boot.loader.grub.extraInitrd</literal> has been
1271 replaced with the generic option
1272 <literal>boot.initrd.secrets</literal>. This option creates a
1273 secondary initrd from the specified files, rather than using a
1274 manually created initrd file. Due to an existing bug with
1275 <literal>boot.loader.grub.extraInitrd</literal>, it is not
1276 possible to directly boot an older generation that used that
      option. It is still possible to roll back to that generation if
1278 the required initrd file has not been deleted.
1279 </para>
1280 </listitem>
1281 <listitem>
1282 <para>
1283 The
1284 <link xlink:href="https://github.com/okTurtles/dnschain">DNSChain</link>
1285 package and NixOS module have been removed from Nixpkgs as the
1286 software is unmaintained and can't be built. For more
1287 information see issue
1288 <link xlink:href="https://github.com/NixOS/nixpkgs/issues/89205">#89205</link>.
1289 </para>
1290 </listitem>
1291 <listitem>
1292 <para>
1293 In the <literal>resilio</literal> module,
1294 <link xlink:href="options.html#opt-services.resilio.httpListenAddr">services.resilio.httpListenAddr</link>
      has been changed to listen on <literal>[::1]</literal> instead
1296 of <literal>0.0.0.0</literal>.
1297 </para>
1298 </listitem>
1299 <listitem>
1300 <para>
1301 <literal>sslh</literal> has been updated to version
1302 <literal>1.21</literal>. The <literal>ssl</literal> probe must
1303 be renamed to <literal>tls</literal> in
1304 <link xlink:href="options.html#opt-services.sslh.appendConfig">services.sslh.appendConfig</link>.
1305 </para>
1306 </listitem>
1307 <listitem>
1308 <para>
1309 Users of <link xlink:href="http://openafs.org">OpenAFS
1310 1.6</link> must upgrade their services to OpenAFS 1.8! In this
1311 release, the OpenAFS package version 1.6.24 is marked broken
1312 but can be used during transition to OpenAFS 1.8.x. Use the
1313 options
1314 <literal>services.openafsClient.packages.module</literal>,
1315 <literal>services.openafsClient.packages.programs</literal>
1316 and <literal>services.openafsServer.package</literal> to
1317 select a different OpenAFS package. OpenAFS 1.6 will be
1318 removed in the next release. The package
1319 <literal>openafs</literal> and the service options will then
1320 silently point to the OpenAFS 1.8 release.
1321 </para>
1322 <para>
1323 See also the OpenAFS
1324 <link xlink:href="http://docs.openafs.org/AdminGuide/index.html">Administrator
1325 Guide</link> for instructions. Beware of the following when
1326 updating servers:
1327 </para>
1328 <itemizedlist>
1329 <listitem>
1330 <para>
1331 The storage format of the server key has changed and the
1332 key must be converted before running the new release.
1333 </para>
1334 </listitem>
1335 <listitem>
1336 <para>
1337 When updating multiple database servers, turn off the
1338 database servers from the highest IP down to the lowest
1339 with resting periods in between. Start up in reverse
1340 order. Do not concurrently run database servers working
1341 with different OpenAFS releases!
1342 </para>
1343 </listitem>
1344 <listitem>
1345 <para>
1346 Update servers first, then clients.
1347 </para>
1348 </listitem>
1349 </itemizedlist>
1350 </listitem>
1351 <listitem>
1352 <para>
1353 Radicale's default package has changed from 2.x to 3.x. An
1354 upgrade checklist can be found
1355 <link xlink:href="https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist">here</link>.
1356 You can use the newer version in the NixOS service by setting
1357 the <literal>package</literal> to
1358 <literal>radicale3</literal>, which is done automatically if
1359 <literal>stateVersion</literal> is 20.09 or higher.
1360 </para>
1361 </listitem>
1362 <listitem>
1363 <para>
      <literal>udpt</literal> experienced a complete rewrite from
      C++ to Rust. The configuration format changed from INI to
      TOML. The new configuration documentation can be found at
1367 <link xlink:href="https://naim94a.github.io/udpt/config.html">the
1368 official website</link> and example configuration is packaged
1369 in <literal>${udpt}/share/udpt/udpt.toml</literal>.
1370 </para>
1371 </listitem>
1372 <listitem>
1373 <para>
1374 We now have a unified
1375 <link xlink:href="options.html#opt-services.xserver.displayManager.autoLogin">services.xserver.displayManager.autoLogin</link>
1376 option interface to be used for every display-manager in
1377 NixOS.
1378 </para>
1379 </listitem>
1380 <listitem>
1381 <para>
1382 The <literal>bitcoind</literal> module has changed to
1383 multi-instance, using submodules. Therefore, it is now
1384 mandatory to name each instance. To use this new
1385 multi-instance config with an existing bitcoind data directory
1386 and user, you have to adjust the original config, e.g.:
1387 </para>
1388 <programlisting language="bash">
{
  services.bitcoind = {
    enable = true;
    extraConfig = "...";
    ...
  };
}
1396</programlisting>
1397 <para>
1398 To something similar:
1399 </para>
1400 <programlisting language="bash">
{
  services.bitcoind.mainnet = {
    enable = true;
    dataDir = "/var/lib/bitcoind";
    user = "bitcoin";
    extraConfig = "...";
    ...
  };
}
1410</programlisting>
1411 <para>
1412 The key settings are:
1413 </para>
1414 <itemizedlist>
1415 <listitem>
1416 <para>
1417 <literal>dataDir</literal> - to continue using the same
1418 data directory.
1419 </para>
1420 </listitem>
1421 <listitem>
1422 <para>
1423 <literal>user</literal> - to continue using the same user
1424 so that bitcoind maintains access to its files.
1425 </para>
1426 </listitem>
1427 </itemizedlist>
1428 </listitem>
1429 <listitem>
1430 <para>
1431 Graylog introduced a change in the LDAP server certificate
1432 validation behaviour for version 3.3.3 which might break
1433 existing setups. When updating Graylog from a version before
1434 3.3.3 make sure to check the Graylog
1435 <link xlink:href="https://www.graylog.org/post/announcing-graylog-v3-3-3">release
1436 info</link> for information on how to avoid the issue.
1437 </para>
1438 </listitem>
1439 <listitem>
1440 <para>
1441 The <literal>dokuwiki</literal> module has changed to
1442 multi-instance, using submodules. Therefore, it is now
1443 mandatory to name each instance. Moreover, forcing SSL by
1444 default has been dropped, so <literal>nginx.forceSSL</literal>
1445 and <literal>nginx.enableACME</literal> are no longer set to
1446 <literal>true</literal>. To continue using your service with
1447 the original SSL settings, you have to adjust the original
1448 config, e.g.:
1449 </para>
1450 <programlisting language="bash">
{
  services.dokuwiki = {
    enable = true;
    ...
  };
}
1457</programlisting>
1458 <para>
1459 To something similar:
1460 </para>
1461 <programlisting language="bash">
{
  services.dokuwiki."mywiki" = {
    enable = true;
    nginx = {
      forceSSL = true;
      enableACME = true;
    };
    ...
  };
}
1472</programlisting>
1473 <para>
1474 The base package has also been upgraded to the 2020-07-29
1475 "Hogfather" release. Plugins might be incompatible
1476 or require upgrading.
1477 </para>
1478 </listitem>
1479 <listitem>
1480 <para>
1481 The
1482 <link xlink:href="options.html#opt-services.postgresql.dataDir">services.postgresql.dataDir</link>
1483 option is now set to
1484 <literal>"/var/lib/postgresql/${cfg.package.psqlSchema}"</literal>
1485 regardless of your
1486 <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>.
1487 Users with an existing postgresql install that have a
1488 <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>
1489 of <literal>17.03</literal> or below should double check what
1490 the value of their
1491 <link xlink:href="options.html#opt-services.postgresql.dataDir">services.postgresql.dataDir</link>
1492 option is (<literal>/var/db/postgresql</literal>) and then
1493 explicitly set this value to maintain compatibility:
1494 </para>
1495 <programlisting language="bash">
{
  services.postgresql.dataDir = "/var/db/postgresql";
}
1499</programlisting>
1500 <para>
1501 The postgresql module now expects there to be a database super
1502 user account called <literal>postgres</literal> regardless of
1503 your
1504 <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>.
1505 Users with an existing postgresql install that have a
1506 <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>
1507 of <literal>17.03</literal> or below should run the following
1508 SQL statements as a database super admin user before
1509 upgrading:
1510 </para>
1511 <programlisting language="SQL">
CREATE ROLE postgres LOGIN SUPERUSER;
1513</programlisting>
1514 </listitem>
1515 <listitem>
1516 <para>
1517 The USBGuard module now removes options and instead hardcodes
1518 values for <literal>IPCAccessControlFiles</literal>,
1519 <literal>ruleFiles</literal>, and
1520 <literal>auditFilePath</literal>. Audit logs can be found in
1521 the journal.
1522 </para>
1523 </listitem>
1524 <listitem>
1525 <para>
1526 The NixOS module system now evaluates option definitions more
1527 strictly, allowing it to detect a larger set of problems. As a
1528 result, what previously evaluated may not do so anymore. See
1529 <link xlink:href="https://github.com/NixOS/nixpkgs/pull/82743#issuecomment-674520472">the
1530 PR that changed this</link> for more info.
1531 </para>
1532 </listitem>
1533 <listitem>
1534 <para>
1535 For NixOS configuration options, the type
1536 <literal>loaOf</literal>, after its initial deprecation in
1537 release 20.03, has been removed. In NixOS and Nixpkgs options
1538 using this type have been converted to
1539 <literal>attrsOf</literal>. For more information on this
      change have a look at these links:
1541 <link xlink:href="https://github.com/NixOS/nixpkgs/issues/1800">issue
1542 #1800</link>,
1543 <link xlink:href="https://github.com/NixOS/nixpkgs/pull/63103">PR
1544 #63103</link>.
1545 </para>
1546 </listitem>
1547 <listitem>
1548 <para>
1549 <literal>config.systemd.services.${name}.path</literal> now
1550 returns a list of paths instead of a colon-separated string.
1551 </para>
1552 </listitem>
1553 <listitem>
1554 <para>
      The Caddy module now uses Caddy v2 by default. Caddy v1 can still
1556 be used by setting
1557 <link xlink:href="options.html#opt-services.caddy.package">services.caddy.package</link>
1558 to <literal>pkgs.caddy1</literal>.
1559 </para>
1560 <para>
1561 New option
1562 <link xlink:href="options.html#opt-services.caddy.adapter">services.caddy.adapter</link>
1563 has been added.
1564 </para>
1565 </listitem>
1566 <listitem>
1567 <para>
1568 The
1569 <link xlink:href="options.html#opt-services.jellyfin.enable">jellyfin</link>
1570 module will use and stay on the Jellyfin version
1571 <literal>10.5.5</literal> if <literal>stateVersion</literal>
1572 is lower than <literal>20.09</literal>. This is because
1573 significant changes were made to the database schema, and it
      is highly recommended to back up your instance before
      upgrading. After making your backup, you can upgrade to the
      latest version either by setting your
      <literal>stateVersion</literal> to <literal>20.09</literal> or
      higher, or by setting
1579 <literal>services.jellyfin.package</literal> to
1580 <literal>pkgs.jellyfin</literal>. If you do not wish to
1581 upgrade Jellyfin, but want to change your
1582 <literal>stateVersion</literal>, you can set the value of
1583 <literal>services.jellyfin.package</literal> to
1584 <literal>pkgs.jellyfin_10_5</literal>.
1585 </para>
1586 </listitem>
1587 <listitem>
1588 <para>
      The <literal>security.rngd</literal> service is now disabled
      by default. This choice was made because there's krngd in the
      Linux kernel space, making it (for most use cases) functionally
      redundant.
1593 </para>
1594 </listitem>
1595 <listitem>
1596 <para>
1597 The <literal>hardware.nvidia.optimus_prime.enable</literal>
1598 service has been renamed to
1599 <literal>hardware.nvidia.prime.sync.enable</literal> and has
1600 many new enhancements. Related nvidia prime settings may have
1601 also changed.
1602 </para>
1603 </listitem>
1604 <listitem>
1605 <para>
      The package nextcloud17 has been removed and nextcloud18 was
      marked as insecure since both of them
      <link xlink:href="https://docs.nextcloud.com/server/19/admin_manual/release_schedule.html">
      will be EOL (end of life) within the lifetime of 20.09</link>.
1610 </para>
1611 <para>
1612 It's necessary to upgrade to nextcloud19:
1613 </para>
1614 <itemizedlist>
1615 <listitem>
1616 <para>
1617 From nextcloud17, you have to upgrade to nextcloud18 first
1618 as Nextcloud doesn't allow going multiple major revisions
1619 forward in a single upgrade. This is possible by setting
1620 <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link>
1621 to nextcloud18.
1622 </para>
1623 </listitem>
1624 <listitem>
1625 <para>
1626 From nextcloud18, it's possible to directly upgrade to
1627 nextcloud19 by setting
1628 <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link>
1629 to nextcloud19.
1630 </para>
1631 </listitem>
1632 </itemizedlist>
1633 </listitem>
1634 <listitem>
1635 <para>
      The GNOME desktop manager no longer installs
      gnome3.epiphany by default. This was done because it has a
      usability-breaking issue (see issue
      <link xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link>)
      that makes it unsuitable to be a default app.
1641 </para>
1642 <note>
1643 <para>
1644 Issue
1645 <link xlink:href="https://github.com/NixOS/nixpkgs/issues/98819">#98819</link>
1646 is now fixed and gnome3.epiphany is once again installed by
1647 default.
1648 </para>
1649 </note>
1650 </listitem>
1651 <listitem>
1652 <para>
1653 If you want to manage the configuration of wpa_supplicant
1654 outside of NixOS you must ensure that none of
1655 <link xlink:href="options.html#opt-networking.wireless.networks">networking.wireless.networks</link>,
1656 <link xlink:href="options.html#opt-networking.wireless.extraConfig">networking.wireless.extraConfig</link>
1657 or
1658 <link xlink:href="options.html#opt-networking.wireless.userControlled.enable">networking.wireless.userControlled.enable</link>
1659 is being used or <literal>true</literal>. Using any of those
1660 options will cause wpa_supplicant to be started with a NixOS
1661 generated configuration file instead of your own.
1662 </para>
1663 </listitem>
1664 </itemizedlist>
1665 </section>
1666 <section xml:id="sec-release-20.09-notable-changes">
1667 <title>Other Notable Changes</title>
1668 <itemizedlist>
1669 <listitem>
1670 <para>
1671 SD images are now compressed by default using
1672 <literal>zstd</literal>. The compression for ISO images has
1673 also been changed to <literal>zstd</literal>, but ISO images
1674 are still not compressed by default.
1675 </para>
1676 </listitem>
1677 <listitem>
1678 <para>
1679 <literal>services.journald.rateLimitBurst</literal> was
1680 updated from <literal>1000</literal> to
1681 <literal>10000</literal> to follow the new upstream systemd
1682 default.
1683 </para>
1684 </listitem>
1685 <listitem>
1686 <para>
1687 The notmuch package moves its emacs-related binaries and emacs
1688 lisp files to a separate output. They're not part of the
1689 default <literal>out</literal> output anymore - if you relied
1690 on the <literal>notmuch-emacs-mua</literal> binary or the
1691 emacs lisp files, access them via the
1692 <literal>notmuch.emacs</literal> output.
1693 </para>
1694 </listitem>
1695 <listitem>
1696 <para>
1697 Device tree overlay support was improved in
1698 <link xlink:href="https://github.com/NixOS/nixpkgs/pull/79370">#79370</link>
1699 and now uses
1700 <link xlink:href="options.html#opt-hardware.deviceTree.kernelPackage">hardware.deviceTree.kernelPackage</link>
1701 instead of <literal>hardware.deviceTree.base</literal>.
1702 <link xlink:href="options.html#opt-hardware.deviceTree.overlays">hardware.deviceTree.overlays</link>
1703 configuration was extended to support <literal>.dts</literal>
1704 files with symbols. Device trees can now be filtered by
1705 setting
1706 <link xlink:href="options.html#opt-hardware.deviceTree.filter">hardware.deviceTree.filter</link>
1707 option.
1708 </para>
1709 </listitem>
1710 <listitem>
1711 <para>
1712 The default output of <literal>buildGoPackage</literal> is now
1713 <literal>$out</literal> instead of <literal>$bin</literal>.
1714 </para>
1715 </listitem>
1716 <listitem>
1717 <para>
1718 <literal>buildGoModule</literal> <literal>doCheck</literal>
1719 now defaults to <literal>true</literal>.
1720 </para>
1721 </listitem>
1722 <listitem>
1723 <para>
1724 Packages built using <literal>buildRustPackage</literal> now
1725 use <literal>release</literal> mode for the
1726 <literal>checkPhase</literal> by default.
1727 </para>
1728 <para>
1729 Please note that Rust packages utilizing a custom
1730 build/install procedure (e.g. by using a
1731 <literal>Makefile</literal>) or test suites that rely on the
1732 structure of the <literal>target/</literal> directory may
1733 break due to those assumptions. For further information,
1734 please read the Rust section in the Nixpkgs manual.
1735 </para>
1736 </listitem>
1737 <listitem>
1738 <para>
      The cc- and binutils-wrapper's "infix salt" and
      <literal>_BUILD_</literal> and <literal>_TARGET_</literal>
      user infixes have been replaced with a "suffix
      salt" and the <literal>_FOR_BUILD</literal> and
      <literal>_FOR_TARGET</literal> suffixes. This matches the autotools
      convention for env vars, which is the standard for these things,
      making interfacing with other tools easier.
1746 </para>
1747 </listitem>
1748 <listitem>
1749 <para>
1750 Additional Git documentation (HTML and text files) is now
1751 available via the <literal>git-doc</literal> package.
1752 </para>
1753 </listitem>
1754 <listitem>
1755 <para>
1756 Default algorithm for ZRAM swap was changed to
1757 <literal>zstd</literal>.
1758 </para>
1759 </listitem>
1760 <listitem>
1761 <para>
      The installer now enables sshd by default. This improves
      installation on headless machines, especially ARM
      single-board computers. To log in through ssh, either a password
      or an ssh key must be set for the root user or the nixos user.
1766 </para>
1767 </listitem>
1768 <listitem>
1769 <para>
1770 The scripted networking system now uses
1771 <literal>.link</literal> files in
      <literal>/etc/systemd/network</literal> to configure MAC
1773 address and link MTU, instead of the sometimes buggy
1774 <literal>network-link-*</literal> units, which have been
1775 removed. Bringing the interface up has been moved to the
1776 beginning of the <literal>network-addresses-*</literal> unit.
1777 Note this doesn't require <literal>systemd-networkd</literal>
1778 - it's udev that parses <literal>.link</literal> files. Extra
1779 care needs to be taken in the presence of
1780 <link xlink:href="https://wiki.debian.org/NetworkInterfaceNames#THE_.22PERSISTENT_NAMES.22_SCHEME">legacy
1781 udev rules</link> to rename interfaces, as MAC Address and MTU
1782 defined in these options can only match on the original link
1783 name. In such cases, you most likely want to create a
1784 <literal>10-*.link</literal> file through
1785 <link xlink:href="options.html#opt-systemd.network.links">systemd.network.links</link>
1786 and set both name and MAC Address / MTU there.
1787 </para>
1788 </listitem>
1789 <listitem>
1790 <para>
1791 Grafana received a major update to version 7.x. A plugin is
1792 now needed for image rendering support, and plugins must now
1793 be signed by default. More information can be found
1794 <link xlink:href="https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0">in
1795 the Grafana documentation</link>.
1796 </para>
1797 </listitem>
1798 <listitem>
1799 <para>
      The <literal>hardware.u2f</literal> module, which installed
      udev rules, was removed, as udev gained native
      support for handling FIDO security tokens.
1803 </para>
1804 </listitem>
1805 <listitem>
1806 <para>
1807 The <literal>services.transmission</literal> module was
1808 enhanced with the new options:
1809 <link xlink:href="options.html#opt-services.transmission.credentialsFile">services.transmission.credentialsFile</link>,
1810 <link xlink:href="options.html#opt-services.transmission.openFirewall">services.transmission.openFirewall</link>,
1811 and
1812 <link xlink:href="options.html#opt-services.transmission.performanceNetParameters">services.transmission.performanceNetParameters</link>.
1813 </para>
1814 <para>
      <literal>transmission-daemon</literal> is now started with
      additional systemd sandbox/hardening options for better
      security. Please
      <link xlink:href="https://github.com/NixOS/nixpkgs/issues">report</link>
      any use case where this is not working well. In particular,
      the newly set <literal>RootDirectory</literal> option forbids
      uploading or downloading a torrent outside of the default
      directory configured at
      <link xlink:href="options.html#opt-services.transmission.settings">settings.download-dir</link>.
      If you really need Transmission to access other directories,
      you must include those directories in the
      <literal>BindPaths</literal> of the service:
1827 </para>
<programlisting language="bash">
{
  systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ];
}
</programlisting>
1833 <para>
1834 Also, connection to the RPC (Remote Procedure Call) of
1835 <literal>transmission-daemon</literal> is now only available
1836 on the local network interface by default. Use:
1837 </para>
<programlisting language="bash">
{
  services.transmission.settings.rpc-bind-address = "0.0.0.0";
}
</programlisting>
1843 <para>
1844 to get the previous behavior of listening on all network
1845 interfaces.
1846 </para>
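      <para>
      If remote RPC access is needed, it can be exposed more narrowly
      than on every interface. The following is an added example, not
      part of the original release notes: the address, interface name,
      user name and file paths are constructed placeholders, and the
      <literal>rpc-*</literal> keys are Transmission's own
      <literal>settings.json</literal> options.
      </para>
<programlisting>
```nix
{
  services.transmission = {
    enable = true;

    # JSON file merged into the settings at service start. Keeping it
    # outside the Nix store keeps the RPC password out of world-readable
    # store paths. Placeholder path; expected content:
    #   { "rpc-password": "..." }
    credentialsFile = "/var/lib/secrets/transmission/settings.json";

    settings = {
      # Listen on one management address instead of 0.0.0.0.
      rpc-bind-address = "192.0.2.10";
      rpc-port = 9091;

      # Only accept RPC clients from these addresses, and require login.
      rpc-whitelist-enabled = true;
      rpc-whitelist = "127.0.0.1,192.0.2.*";
      rpc-authentication-required = true;
      rpc-username = "admin";
    };
  };

  # Open the RPC port on the management interface only (placeholder name).
  networking.firewall.interfaces."mgmt0".allowedTCPPorts = [ 9091 ];

  # The sandbox still confines the daemon to download-dir; any additional
  # directory has to be bound into it explicitly.
  systemd.services.transmission.serviceConfig.BindPaths = [ "/srv/torrents" ];
}
```
</programlisting>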
1847 </listitem>
1848 <listitem>
1849 <para>
      With this release, <literal>systemd-networkd</literal> (when
      enabled through
      <link xlink:href="options.html#opt-networking.useNetworkd">networking.useNetworkd</link>)
      has its netlink socket created through a
      <literal>systemd.socket</literal> unit. This gives us control
      over socket buffer sizes and other parameters. For larger
      setups where networkd has to create a lot of (virtual) devices,
      the default buffer size (currently 128MB) is not enough.
1858 </para>
1859 <para>
      On a machine with more than 100 virtual interfaces (e.g.,
      wireguard tunnels, VLANs, …) that all have to be brought up
      during system startup, the receive buffer size will spike for a
      brief period. Eventually some of the messages will be dropped
      since there is not enough (permitted) buffer space available.
1865 </para>
1866 <para>
1867 By having <literal>systemd-networkd</literal> start with a
1868 netlink socket created by <literal>systemd</literal> we can
1869 configure the <literal>ReceiveBufferSize=</literal> parameter
1870 in the socket options (i.e.
1871 <literal>systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize</literal>)
1872 without recompiling <literal>systemd-networkd</literal>.
1873 </para>
1874 <para>
1875 Since the actual memory requirements depend on hardware,
1876 timing, exact configurations etc. it isn't currently possible
1877 to infer a good default from within the NixOS module system.
1878 Administrators are advised to monitor the logs of
1879 <literal>systemd-networkd</literal> for
1880 <literal>rtnl: kernel receive buffer overrun</literal> spam
1881 and increase the memory limit as they see fit.
1882 </para>
1883 <para>
      Note: Increasing the <literal>ReceiveBufferSize=</literal>
      doesn't allocate any memory. It just increases the upper bound
      on the kernel side. The memory allocation depends on the
      number of messages that are queued on the kernel side of the
      netlink socket.
1889 </para>
1890 </listitem>
1891 <listitem>
1892 <para>
1893 Specifying
1894 <link xlink:href="options.html#opt-services.dovecot2.mailboxes">mailboxes</link>
1895 in the dovecot2 module as a list is deprecated and will break
1896 eval in 21.05. Instead, an attribute-set should be specified
1897 where the <literal>name</literal> should be the key of the
1898 attribute.
1899 </para>
1900 <para>
1901 This means that a configuration like this
1902 </para>
<programlisting language="bash">
{
  services.dovecot2.mailboxes = [
    { name = "Junk";
      auto = "create";
    }
  ];
}
</programlisting>
1912 <para>
1913 should now look like this:
1914 </para>
<programlisting language="bash">
{
  services.dovecot2.mailboxes = {
    Junk.auto = "create";
  };
}
</programlisting>
1922 </listitem>
1923 <listitem>
1924 <para>
1925 netbeans was upgraded to 12.0 and now defaults to OpenJDK 11.
1926 This might cause problems if your projects depend on packages
1927 that were removed in Java 11.
1928 </para>
1929 </listitem>
1930 <listitem>
1931 <para>
1932 nextcloud has been updated to
1933 <link xlink:href="https://nextcloud.com/blog/nextcloud-hub-brings-productivity-to-home-office/">v19</link>.
1934 </para>
1935 <para>
1936 If you have an existing installation, please make sure that
1937 you're on nextcloud18 before upgrading to nextcloud19 since
1938 Nextcloud doesn't support upgrades across multiple major
1939 versions.
1940 </para>
1941 </listitem>
1942 <listitem>
1943 <para>
      The <literal>nixos-run-vms</literal> script now deletes the
      machine state of previous runs on test startup. You can use the
      <literal>--keep-vm-state</literal> flag to match the previous
      behaviour and keep the same VM state between different test
      runs.
1949 </para>
1950 </listitem>
1951 <listitem>
1952 <para>
1953 The
1954 <link xlink:href="options.html#opt-nix.buildMachines">nix.buildMachines</link>
1955 option is now type-checked. There are no functional changes,
1956 however this may require updating some configurations to use
1957 correct types for all attributes.
1958 </para>
1959 </listitem>
1960 <listitem>
1961 <para>
      The <literal>fontconfig</literal> module stopped generating
      config and cache files for fontconfig 2.10.x.
      <literal>/etc/fonts/fonts.conf</literal> now belongs to the
      latest fontconfig, just like on other Linux distributions, and
      we will
      <link xlink:href="https://github.com/NixOS/nixpkgs/pull/95358">no
      longer</link> be versioning the config directories.
1969 </para>
1970 <para>
1971 Fontconfig 2.10.x was removed from Nixpkgs since it hasn’t
1972 been used in any Nixpkgs package for years now.
1973 </para>
1974 </listitem>
1975 <listitem>
1976 <para>
      The Nginx module
      <literal>nginxModules.fastcgi-cache-purge</literal> has been
      renamed to its official name,
      <literal>nginxModules.cache-purge</literal>. The Nginx module
      <literal>nginxModules.ngx_aws_auth</literal> has been renamed
      to its official name,
      <literal>nginxModules.aws-auth</literal>.
1983 </para>
1984 </listitem>
1985 <listitem>
1986 <para>
1987 The option <literal>defaultPackages</literal> was added. It
1988 installs the packages perl, rsync and strace for now. They
1989 were added unconditionally to
1990 <literal>systemPackages</literal> before, but are not strictly
1991 necessary for a minimal NixOS install. You can set it to an
1992 empty list to have a more minimal system. Be aware that some
1993 functionality might still have an impure dependency on those
1994 packages, so things might break.
1995 </para>
1996 </listitem>
1997 <listitem>
1998 <para>
1999 The <literal>undervolt</literal> option no longer needs to
2000 apply its settings every 30s. If they still become undone,
2001 open an issue and restore the previous behaviour using
2002 <literal>undervolt.useTimer</literal>.
2003 </para>
2004 </listitem>
2005 <listitem>
2006 <para>
2007 Agda has been heavily reworked.
2008 </para>
2009 <itemizedlist>
2010 <listitem>
2011 <para>
          <literal>agda.mkDerivation</literal> has been heavily
          changed and is now located at
          <literal>agdaPackages.mkDerivation</literal>.
2014 </para>
2015 </listitem>
2016 <listitem>
2017 <para>
2018 New top-level packages agda and
2019 <literal>agda.withPackages</literal> have been added, the
2020 second of which sets up agda with access to chosen
2021 libraries.
2022 </para>
2023 </listitem>
2024 <listitem>
2025 <para>
2026 All agda libraries now live under
2027 <literal>agdaPackages</literal>.
2028 </para>
2029 </listitem>
2030 <listitem>
2031 <para>
2032 Many broken libraries have been removed.
2033 </para>
2034 </listitem>
2035 </itemizedlist>
2036 <para>
2037 See the
2038 <link xlink:href="https://nixos.org/nixpkgs/manual/#agda">new
2039 documentation</link> for more information.
2040 </para>
2041 </listitem>
2042 <listitem>
2043 <para>
      The <literal>deepin</literal> package set has been removed
      from nixpkgs. It was a work in progress to package the
      <link xlink:href="https://www.deepin.org/en/dde/">Deepin
      Desktop Environment (DDE)</link>, including libraries, tools
      and applications, and it was still missing a service to launch
      the desktop environment. This has proven to no longer be a
      feasible goal, for the reasons discussed in
      <link xlink:href="https://github.com/NixOS/nixpkgs/issues/94870">issue
      #94870</link>. The package
      <literal>netease-cloud-music</literal> has also been removed,
      as it depends on libraries from deepin.
2055 </para>
2056 </listitem>
2057 <listitem>
2058 <para>
2059 The <literal>opendkim</literal> module now uses systemd
2060 sandboxing features to limit the exposure of the system
2061 towards the opendkim service.
2062 </para>
2063 </listitem>
2064 <listitem>
2065 <para>
      Kubernetes has been upgraded to 1.19.1, which also means that
      the Go version used to build it has been bumped to 1.15. This
      may have consequences for your existing clusters and their
      certificates. Please read
      <link xlink:href="https://relnotes.k8s.io/?markdown=93264">the
      release notes for Kubernetes 1.19</link> carefully before
      upgrading.
2073 </para>
2074 </listitem>
2075 <listitem>
2076 <para>
2077 For AMD GPUs, Vulkan can now be used by adding
2078 <literal>amdvlk</literal> to
2079 <literal>hardware.opengl.extraPackages</literal>.
2080 </para>
2081 </listitem>
2082 <listitem>
2083 <para>
2084 Similarly, still for AMD GPUs, the ROCm OpenCL stack can now
2085 be used by adding <literal>rocm-opencl-icd</literal> to
2086 <literal>hardware.opengl.extraPackages</literal>.
2087 </para>
2088 </listitem>
2089 </itemizedlist>
2090 </section>
2091 <section xml:id="sec-release-20.09-contributions">
2092 <title>Contributions</title>
2093 <para>
2094 I, Jonathan Ringer, would like to thank the following individuals
2095 for their work on nixpkgs. This release could not be done without
2096 the hard work of the NixOS community. There were 31282
2097 contributions across 1313 contributors.
2098 </para>
2099 <orderedlist numeration="arabic">
2100 <listitem>
2101 <para>
2102 2288 Mario Rodas
2103 </para>
2104 </listitem>
2105 <listitem>
2106 <para>
2107 1837 Frederik Rietdijk
2108 </para>
2109 </listitem>
2110 <listitem>
2111 <para>
2112 946 Jörg Thalheim
2113 </para>
2114 </listitem>
2115 <listitem>
2116 <para>
2117 925 Maximilian Bosch
2118 </para>
2119 </listitem>
2120 <listitem>
2121 <para>
2122 687 Jonathan Ringer
2123 </para>
2124 </listitem>
2125 <listitem>
2126 <para>
2127 651 Jan Tojnar
2128 </para>
2129 </listitem>
2130 <listitem>
2131 <para>
2132 622 Daniël de Kok
2133 </para>
2134 </listitem>
2135 <listitem>
2136 <para>
2137 605 WORLDofPEACE
2138 </para>
2139 </listitem>
2140 <listitem>
2141 <para>
2142 597 Florian Klink
2143 </para>
2144 </listitem>
2145 <listitem>
2146 <para>
2147 528 José Romildo Malaquias
2148 </para>
2149 </listitem>
2150 <listitem>
2151 <para>
2152 281 volth
2153 </para>
2154 </listitem>
2155 <listitem>
2156 <para>
2157 101 Robert Scott
2158 </para>
2159 </listitem>
2160 <listitem>
2161 <para>
2162 86 Tim Steinbach
2163 </para>
2164 </listitem>
2165 <listitem>
2166 <para>
2167 76 WORLDofPEACE
2168 </para>
2169 </listitem>
2170 <listitem>
2171 <para>
2172 49 Maximilian Bosch
2173 </para>
2174 </listitem>
2175 <listitem>
2176 <para>
2177 42 Thomas Tuegel
2178 </para>
2179 </listitem>
2180 <listitem>
2181 <para>
2182 37 Doron Behar
2183 </para>
2184 </listitem>
2185 <listitem>
2186 <para>
2187 36 Vladimír Čunát
2188 </para>
2189 </listitem>
2190 <listitem>
2191 <para>
2192 27 Jonathan Ringer
2193 </para>
2194 </listitem>
2195 <listitem>
2196 <para>
2197 27 Maciej Krüger
2198 </para>
2199 </listitem>
2200 </orderedlist>
2201 <para>
    I, Jonathan Ringer, would also like to personally thank
    @WORLDofPEACE for their help in mentoring me on the release
    process. Special thanks also go to Thomas Tuegel for helping
    immensely with stabilizing Qt, KDE, and Plasma5; I would also like
    to thank Robert Scott for his numerous fixes and pull request
    reviews.
2208 </para>
2209 </section>
2210</section>