pyrox.dev
1<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-21.05">
2 <title>Release 21.05 (<quote>Okapi</quote>, 2021.05/31)</title>
3 <para>
4 Support is planned until the end of December 2021, handing over to
5 21.11.
6 </para>
7 <section xml:id="sec-release-21.05-highlights">
8 <title>Highlights</title>
9 <para>
10 In addition to numerous new and upgraded packages, this release
11 has the following highlights:
12 </para>
13 <itemizedlist>
14 <listitem>
15 <para>
16 Core version changes:
17 </para>
18 <itemizedlist>
19 <listitem>
20 <para>
21 gcc: 9.3.0 -> 10.3.0
22 </para>
23 </listitem>
24 <listitem>
25 <para>
26 glibc: 2.30 -> 2.32
27 </para>
28 </listitem>
29 <listitem>
30 <para>
31 default linux: 5.4 -> 5.10, all supported kernels
32 available
33 </para>
34 </listitem>
35 <listitem>
36 <para>
37 mesa: 20.1.7 -> 21.0.1
38 </para>
39 </listitem>
40 </itemizedlist>
41 </listitem>
42 <listitem>
43 <para>
44 Desktop Environments:
45 </para>
46 <itemizedlist>
47 <listitem>
48 <para>
49 GNOME: 3.36 -> 40, see its
50 <link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">release
51 notes</link>
52 </para>
53 </listitem>
54 <listitem>
55 <para>
56 Plasma5: 5.18.5 -> 5.21.3
57 </para>
58 </listitem>
59 <listitem>
60 <para>
61 kdeApplications: 20.08.1 -> 20.12.3
62 </para>
63 </listitem>
64 <listitem>
65 <para>
66 cinnamon: 4.6 -> 4.8.1
67 </para>
68 </listitem>
69 </itemizedlist>
70 </listitem>
71 <listitem>
72 <para>
73 Programming Languages and Frameworks:
74 </para>
75 <itemizedlist spacing="compact">
76 <listitem>
77 <para>
78 Python optimizations were disabled again. Builds with
79 optimizations enabled are not reproducible. Optimizations
80 can now be enabled with an option.
81 </para>
82 </listitem>
83 </itemizedlist>
84 </listitem>
85 <listitem>
86 <para>
87 The linux_latest kernel was updated to the 5.13 series. It
88 currently is not officially supported for use with the zfs
89 filesystem. If you use zfs, you should use a different kernel
90 version (either the LTS kernel, or track a specific one).
91 </para>
92 </listitem>
93 </itemizedlist>
94 </section>
95 <section xml:id="sec-release-21.05-new-services">
96 <title>New Services</title>
97 <para>
98 The following new services were added since the last release:
99 </para>
100 <itemizedlist>
101 <listitem>
102 <para>
103 <link xlink:href="https://www.gnuradio.org/">GNURadio</link>
104 3.8 and 3.9 were
105 <link xlink:href="https://github.com/NixOS/nixpkgs/issues/82263">finally</link>
106 packaged, along with a rewrite to the Nix expressions,
107 allowing users to override the features upstream supports
108 selecting to compile or not to. Additionally, the attribute
109 <literal>gnuradio</literal> (3.9),
110 <literal>gnuradio3_8</literal> and
111 <literal>gnuradio3_7</literal> now point to an externally
112 wrapped by default derivations, that allow you to also add
113 `extraPythonPackages` to the Python interpreter used by
114 GNURadio. Missing environmental variables needed for
115 operational GUI were also added
116 (<link xlink:href="https://github.com/NixOS/nixpkgs/issues/75478">#75478</link>).
117 </para>
118 </listitem>
119 <listitem>
120 <para>
121 <link xlink:href="https://www.keycloak.org/">Keycloak</link>,
122 an open source identity and access management server with
123 support for
124 <link xlink:href="https://openid.net/connect/">OpenID
125 Connect</link>, <link xlink:href="https://oauth.net/2/">OAUTH
126 2.0</link> and
127 <link xlink:href="https://en.wikipedia.org/wiki/SAML_2.0">SAML
128 2.0</link>.
129 </para>
130 <para>
131 See the <link linkend="module-services-keycloak">Keycloak
132 section of the NixOS manual</link> for more information.
133 </para>
134 </listitem>
135 <listitem>
136 <para>
137 <link xlink:href="options.html#opt-services.samba-wsdd.enable">services.samba-wsdd.enable</link>
138 Web Services Dynamic Discovery host daemon
139 </para>
140 </listitem>
141 <listitem>
142 <para>
143 <link xlink:href="https://www.discourse.org/">Discourse</link>,
144 a modern and open source discussion platform.
145 </para>
146 <para>
147 See the <link linkend="module-services-discourse">Discourse
148 section of the NixOS manual</link> for more information.
149 </para>
150 </listitem>
151 <listitem>
152 <para>
153 <link xlink:href="options.html#opt-services.nebula.networks">services.nebula.networks</link>
154 <link xlink:href="https://github.com/slackhq/nebula">Nebula
155 VPN</link>
156 </para>
157 </listitem>
158 </itemizedlist>
159 </section>
160 <section xml:id="sec-release-21.05-incompatibilities">
161 <title>Backward Incompatibilities</title>
162 <para>
163 When upgrading from a previous release, please be aware of the
164 following incompatible changes:
165 </para>
166 <itemizedlist>
167 <listitem>
168 <para>
169 GNOME desktop environment was upgraded to 40, see the release
170 notes for
171 <link xlink:href="https://help.gnome.org/misc/release-notes/40.0/">40.0</link>
172 and
173 <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">3.38</link>.
174 The <literal>gnome3</literal> attribute set has been renamed
175 to <literal>gnome</literal> and so have been the NixOS
176 options.
177 </para>
178 </listitem>
179 <listitem>
180 <para>
181 If you are using <literal>services.udev.extraRules</literal>
182 to assign custom names to network interfaces, this may stop
183 working due to a change in the initialisation of dhcpcd and
184 systemd networkd. To avoid this, either move them to
185 <literal>services.udev.initrdRules</literal> or see the new
186 <link linkend="sec-custom-ifnames">Assigning custom
187 names</link> section of the NixOS manual for an example using
188 networkd links.
189 </para>
190 </listitem>
191 <listitem>
192 <para>
193 The <literal>security.hideProcessInformation</literal> module
194 has been removed. It was broken since the switch to
195 cgroups-v2.
196 </para>
197 </listitem>
198 <listitem>
199 <para>
200 The <literal>linuxPackages.ati_drivers_x11</literal> kernel
201 modules have been removed. The drivers only supported kernels
202 prior to 4.2, and thus have become obsolete.
203 </para>
204 </listitem>
205 <listitem>
206 <para>
207 The <literal>systemConfig</literal> kernel parameter is no
208 longer added to boot loader entries. It has been unused since
209 September 2010, but if do have a system generation from that
210 era, you will now be unable to boot into them.
211 </para>
212 </listitem>
213 <listitem>
214 <para>
215 <literal>systemd-journal2gelf</literal> no longer parses json
216 and expects the receiving system to handle it. How to achieve
217 this with Graylog is described in this
218 <link xlink:href="https://github.com/parse-nl/SystemdJournal2Gelf/issues/10">GitHub
219 issue</link>.
220 </para>
221 </listitem>
222 <listitem>
223 <para>
224 If the <literal>services.dbus</literal> module is enabled,
225 then the user D-Bus session is now always socket activated.
226 The associated options
227 <literal>services.dbus.socketActivated</literal> and
228 <literal>services.xserver.startDbusSession</literal> have
229 therefore been removed and you will receive a warning if they
230 are present in your configuration. This change makes the user
231 D-Bus session available also for non-graphical logins.
232 </para>
233 </listitem>
234 <listitem>
235 <para>
236 The <literal>networking.wireless.iwd</literal> module now
237 installs the upstream-provided 80-iwd.link file, which sets
238 the NamePolicy= for all wlan devices to "keep
239 kernel", to avoid race conditions between iwd and
240 networkd. If you don't want this, you can set
241 <literal>systemd.network.links."80-iwd" = lib.mkForce {}</literal>.
242 </para>
243 </listitem>
244 <listitem>
245 <para>
246 <literal>rubyMinimal</literal> was removed due to being unused
247 and unusable. The default ruby interpreter includes JIT
248 support, which makes it reference it's compiler. Since JIT
249 support is probably needed by some Gems, it was decided to
250 enable this feature with all cc references by default, and
251 allow to build a Ruby derivation without references to cc, by
252 setting <literal>jitSupport = false;</literal> in an overlay.
253 See
254 <link xlink:href="https://github.com/NixOS/nixpkgs/pull/90151">#90151</link>
255 for more info.
256 </para>
257 </listitem>
258 <listitem>
259 <para>
260 Setting
261 <literal>services.openssh.authorizedKeysFiles</literal> now
262 also affects which keys
263 <literal>security.pam.enableSSHAgentAuth</literal> will use.
264 WARNING: If you are using these options in combination do make
265 sure that any key paths you use are present in
266 <literal>services.openssh.authorizedKeysFiles</literal>!
267 </para>
268 </listitem>
269 <listitem>
270 <para>
271 The option <literal>fonts.enableFontDir</literal> has been
272 renamed to
273 <link xlink:href="options.html#opt-fonts.fontDir.enable">fonts.fontDir.enable</link>.
274 The path of font directory has also been changed to
275 <literal>/run/current-system/sw/share/X11/fonts</literal>, for
276 consistency with other X11 resources.
277 </para>
278 </listitem>
279 <listitem>
280 <para>
281 A number of options have been renamed in the kicad interface.
282 <literal>oceSupport</literal> has been renamed to
283 <literal>withOCE</literal>, <literal>withOCCT</literal> has
284 been renamed to <literal>withOCC</literal>,
285 <literal>ngspiceSupport</literal> has been renamed to
286 <literal>withNgspice</literal>, and
287 <literal>scriptingSupport</literal> has been renamed to
288 <literal>withScripting</literal>. Additionally,
289 <literal>kicad/base.nix</literal> no longer provides default
290 argument values since these are provided by
291 <literal>kicad/default.nix</literal>.
292 </para>
293 </listitem>
294 <listitem>
295 <para>
296 The socket for the <literal>pdns-recursor</literal> module was
297 moved from <literal>/var/lib/pdns-recursor</literal> to
298 <literal>/run/pdns-recursor</literal> to match upstream.
299 </para>
300 </listitem>
301 <listitem>
302 <para>
303 Paperwork was updated to version 2. The on-disk format
304 slightly changed, and it is not possible to downgrade from
305 Paperwork 2 back to Paperwork 1.3. Back your documents up
306 before upgrading. See
307 <link xlink:href="https://forum.openpaper.work/t/paperwork-2-0/112/5">this
308 thread</link> for more details.
309 </para>
310 </listitem>
311 <listitem>
312 <para>
313 PowerDNS has been updated from <literal>4.2.x</literal> to
314 <literal>4.3.x</literal>. Please be sure to review the
315 <link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#x-to-4-3-0">Upgrade
316 Notes</link> provided by upstream before upgrading. Worth
317 specifically noting is that the service now runs entirely as a
318 dedicated <literal>pdns</literal> user, instead of starting as
319 <literal>root</literal> and dropping privileges, as well as
320 the default <literal>socket-dir</literal> location changing
321 from <literal>/var/lib/powerdns</literal> to
322 <literal>/run/pdns</literal>.
323 </para>
324 </listitem>
325 <listitem>
326 <para>
327 The <literal>mediatomb</literal> service is now using by
328 default the new and maintained fork <literal>gerbera</literal>
329 package instead of the unmaintained
330 <literal>mediatomb</literal> package. If you want to keep the
331 old behavior, you must declare it with:
332 </para>
333 <programlisting language="bash">
334{
335 services.mediatomb.package = pkgs.mediatomb;
336}
337</programlisting>
338 <para>
339 One new option <literal>openFirewall</literal> has been
340 introduced which defaults to false. If you relied on the
341 service declaration to add the firewall rules itself before,
342 you should now declare it with:
343 </para>
344 <programlisting language="bash">
345{
346 services.mediatomb.openFirewall = true;
347}
348</programlisting>
349 </listitem>
350 <listitem>
351 <para>
352 xfsprogs was update from 4.19 to 5.11. It now enables reflink
353 support by default on filesystem creation. Support for
354 reflinks was added with an experimental status to kernel 4.9
355 and deemed stable in kernel 4.16. If you want to be able to
356 mount XFS filesystems created with this release of xfsprogs on
357 kernel releases older than those, you need to format them with
358 <literal>mkfs.xfs -m reflink=0</literal>.
359 </para>
360 </listitem>
361 <listitem>
362 <para>
363 The uWSGI server is now built with POSIX capabilities. As a
364 consequence, root is no longer required in emperor mode and
365 the service defaults to running as the unprivileged
366 <literal>uwsgi</literal> user. Any additional capability can
367 be added via the new option
368 <link xlink:href="options.html#opt-services.uwsgi.capabilities">services.uwsgi.capabilities</link>.
369 The previous behaviour can be restored by setting:
370 </para>
371 <programlisting language="bash">
372{
373 services.uwsgi.user = "root";
374 services.uwsgi.group = "root";
375 services.uwsgi.instance =
376 {
377 uid = "uwsgi";
378 gid = "uwsgi";
379 };
380}
381</programlisting>
382 <para>
383 Another incompatibility from the previous release is that
384 vassals running under a different user or group need to use
385 <literal>immediate-{uid,gid}</literal> instead of the usual
386 <literal>uid,gid</literal> options.
387 </para>
388 </listitem>
389 <listitem>
390 <para>
391 btc1 has been abandoned upstream, and removed.
392 </para>
393 </listitem>
394 <listitem>
395 <para>
396 cpp_ethereum (aleth) has been abandoned upstream, and removed.
397 </para>
398 </listitem>
399 <listitem>
400 <para>
401 riak-cs package removed along with
402 <literal>services.riak-cs</literal> module.
403 </para>
404 </listitem>
405 <listitem>
406 <para>
407 stanchion package removed along with
408 <literal>services.stanchion</literal> module.
409 </para>
410 </listitem>
411 <listitem>
412 <para>
413 mutt has been updated to a new major version (2.x), which
414 comes with some backward incompatible changes that are
415 described in the
416 <link xlink:href="http://www.mutt.org/relnotes/2.0/">release
417 notes for Mutt 2.0</link>.
418 </para>
419 </listitem>
420 <listitem>
421 <para>
422 <literal>vim</literal> and <literal>neovim</literal> switched
423 to Python 3, dropping all Python 2 support.
424 </para>
425 </listitem>
426 <listitem>
427 <para>
428 <link xlink:href="options.html#opt-networking.wireguard.interfaces">networking.wireguard.interfaces.<name>.generatePrivateKeyFile</link>,
429 which is off by default, had a <literal>chmod</literal> race
430 condition fixed. As an aside, the parent directory's
431 permissions were widened, and the key files were made
432 owner-writable. This only affects newly created keys. However,
433 if the exact permissions are important for your setup, read
434 <link xlink:href="https://github.com/NixOS/nixpkgs/pull/121294">#121294</link>.
435 </para>
436 </listitem>
437 <listitem>
438 <para>
439 <link xlink:href="options.html#opt-boot.zfs.forceImportAll">boot.zfs.forceImportAll</link>
440 previously did nothing, but has been fixed. However its
441 default has been changed to <literal>false</literal> to
442 preserve the existing default behaviour. If you have this
443 explicitly set to <literal>true</literal>, please note that
444 your non-root pools will now be forcibly imported.
445 </para>
446 </listitem>
447 <listitem>
448 <para>
449 openafs now points to openafs_1_8, which is the new stable
450 release. OpenAFS 1.6 was removed.
451 </para>
452 </listitem>
453 <listitem>
454 <para>
455 The WireGuard module gained a new option
456 <literal>networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshSeconds</literal>
457 that implements refreshing the IP of DNS-based endpoints
458 periodically (which WireGuard itself
459 <link xlink:href="https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html">cannot
460 do</link>).
461 </para>
462 </listitem>
463 <listitem>
464 <para>
465 MariaDB has been updated to 10.5. Before you upgrade, it would
466 be best to take a backup of your database and read
467 <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/#incompatible-changes-between-104-and-105">
468 Incompatible Changes Between 10.4 and 10.5</link>. After the
469 upgrade you will need to run <literal>mysql_upgrade</literal>.
470 </para>
471 </listitem>
472 <listitem>
473 <para>
474 The TokuDB storage engine dropped in mariadb 10.5 and removed
475 in mariadb 10.6. It is recommended to switch to RocksDB. See
476 also
477 <link xlink:href="https://mariadb.com/kb/en/tokudb/">TokuDB</link>
478 and
479 <link xlink:href="https://jira.mariadb.org/browse/MDEV-19780">MDEV-19780:
480 Remove the TokuDB storage engine</link>.
481 </para>
482 </listitem>
483 <listitem>
484 <para>
485 The <literal>openldap</literal> module now has support for
486 OLC-style configuration, users of the
487 <literal>configDir</literal> option may wish to migrate. If
488 you continue to use <literal>configDir</literal>, ensure that
489 <literal>olcPidFile</literal> is set to
490 <literal>/run/slapd/slapd.pid</literal>.
491 </para>
492 <para>
493 As a result, <literal>extraConfig</literal> and
494 <literal>extraDatabaseConfig</literal> are removed. To help
495 with migration, you can convert your
496 <literal>slapd.conf</literal> file to OLC configuration with
497 the following script (find the location of this configuration
498 file by running <literal>systemctl status openldap</literal>,
499 it is the <literal>-f</literal> option.
500 </para>
501 <programlisting>
502$ TMPDIR=$(mktemp -d)
503$ slaptest -f /path/to/slapd.conf -F $TMPDIR
504$ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
505</programlisting>
506 <para>
507 This will dump your current configuration in LDIF format,
508 which should be straightforward to convert into Nix settings.
509 This does not show your schema configuration, as this is
510 unnecessarily verbose for users of the default schemas and
511 <literal>slaptest</literal> is buggy with schemas directly in
512 the config file.
513 </para>
514 </listitem>
515 <listitem>
516 <para>
517 Amazon EC2 and OpenStack Compute (nova) images now re-fetch
518 instance meta data and user data from the instance metadata
519 service (IMDS) on each boot. For example: stopping an EC2
520 instance, changing its user data, and restarting the instance
521 will now cause it to fetch and apply the new user data.
522 </para>
523 <warning>
524 <para>
525 Specifically, <literal>/etc/ec2-metadata</literal> is
526 re-populated on each boot. Some NixOS scripts that read from
527 this directory are guarded to only run if the files they
528 want to manipulate do not already exist, and so will not
529 re-apply their changes if the IMDS response changes.
530 Examples: <literal>root</literal>'s SSH key is only added if
531 <literal>/root/.ssh/authorized_keys</literal> does not
532 exist, and SSH host keys are only set from user data if they
533 do not exist in <literal>/etc/ssh</literal>.
534 </para>
535 </warning>
536 </listitem>
537 <listitem>
538 <para>
539 The <literal>rspamd</literal> services is now sandboxed. It is
540 run as a dynamic user instead of root, so secrets and other
541 files may have to be moved or their permissions may have to be
542 fixed. The sockets are now located in
543 <literal>/run/rspamd</literal> instead of
544 <literal>/run</literal>.
545 </para>
546 </listitem>
547 <listitem>
548 <para>
549 Enabling the Tor client no longer silently also enables and
550 configures Privoxy, and the
551 <literal>services.tor.client.privoxy.enable</literal> option
552 has been removed. To enable Privoxy, and to configure it to
553 use Tor's faster port, use the following configuration:
554 </para>
555 <programlisting language="bash">
556{
557 opt-services.privoxy.enable = true;
558 opt-services.privoxy.enableTor = true;
559}
560</programlisting>
561 </listitem>
562 <listitem>
563 <para>
564 The <literal>services.tor</literal> module has a new
565 exhaustively typed
566 <link xlink:href="options.html#opt-services.tor.settings">services.tor.settings</link>
567 option following RFC 0042; backward compatibility with old
568 options has been preserved when aliasing was possible. The
569 corresponding systemd service has been hardened, but there is
570 a chance that the service still requires more permissions, so
571 please report any related trouble on the bugtracker. Onion
572 services v3 are now supported in
573 <link xlink:href="options.html#opt-services.tor.relay.onionServices">services.tor.relay.onionServices</link>.
574 A new
575 <link xlink:href="options.html#opt-services.tor.openFirewall">services.tor.openFirewall</link>
576 option as been introduced for allowing connections on all the
577 TCP ports configured.
578 </para>
579 </listitem>
580 <listitem>
581 <para>
582 The options
583 <literal>services.slurm.dbdserver.storagePass</literal> and
584 <literal>services.slurm.dbdserver.configFile</literal> have
585 been removed. Use
586 <literal>services.slurm.dbdserver.storagePassFile</literal>
587 instead to provide the database password. Extra config options
588 can be given via the option
589 <literal>services.slurm.dbdserver.extraConfig</literal>. The
590 actual configuration file is created on the fly on startup of
591 the service. This avoids that the password gets exposed in the
592 nix store.
593 </para>
594 </listitem>
595 <listitem>
596 <para>
597 The <literal>wafHook</literal> hook does not wrap Python
598 anymore. Packages depending on <literal>wafHook</literal> need
599 to include any Python into their
600 <literal>nativeBuildInputs</literal>.
601 </para>
602 </listitem>
603 <listitem>
604 <para>
605 Starting with version 1.7.0, the project formerly named
606 <literal>CodiMD</literal> is now named
607 <literal>HedgeDoc</literal>. New installations will no longer
608 use the old name for users, state directories and such, this
609 needs to be considered when moving state to a more recent
610 NixOS installation. Based on
611 <link xlink:href="options.html#opt-system.stateVersion">system.stateVersion</link>,
612 existing installations will continue to work.
613 </para>
614 </listitem>
615 <listitem>
616 <para>
617 The fish-foreign-env package has been replaced with
618 fishPlugins.foreign-env, in which the fish functions have been
619 relocated to the <literal>vendor_functions.d</literal>
620 directory to be loaded automatically.
621 </para>
622 </listitem>
623 <listitem>
624 <para>
625 The prometheus json exporter is now managed by the prometheus
626 community. Together with additional features some backwards
627 incompatibilities were introduced. Most importantly the
628 exporter no longer accepts a fixed command-line parameter to
629 specify the URL of the endpoint serving JSON. It now expects
630 this URL to be passed as an URL parameter, when scraping the
631 exporter's <literal>/probe</literal> endpoint. In the
632 prometheus scrape configuration the scrape target might look
633 like this:
634 </para>
635 <programlisting>
636http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint
637</programlisting>
638 <para>
639 Existing configuration for the exporter needs to be updated,
640 but can partially be re-used. Documentation is available in
641 the upstream repository and a small example for NixOS is
642 available in the corresponding NixOS test.
643 </para>
644 <para>
645 These changes also affect
646 <link xlink:href="options.html#opt-services.prometheus.exporters.rspamd.enable">services.prometheus.exporters.rspamd.enable</link>,
647 which is just a preconfigured instance of the json exporter.
648 </para>
649 <para>
650 For more information, take a look at the
651 <link xlink:href="https://github.com/prometheus-community/json_exporter">
652 official documentation</link> of the json_exporter.
653 </para>
654 </listitem>
655 <listitem>
656 <para>
657 Androidenv was updated, removing the
658 <literal>includeDocs</literal> and
659 <literal>lldbVersions</literal> arguments. Docs only covered a
660 single version of the Android SDK, LLDB is now bundled with
661 the NDK, and both are no longer available to download from the
662 Android package repositories. Additionally, since the package
663 lists have been updated, some older versions of Android
664 packages may not be bundled. If you depend on older versions
665 of Android packages, we recommend overriding the repo.
666 </para>
667 <para>
668 Android packages are now loaded from a repo.json file created
669 by parsing Android repo XML files. The arguments
670 <literal>repoJson</literal> and <literal>repoXmls</literal>
671 have been added to allow overriding the built-in androidenv
672 repo.json with your own. Additionally, license files are now
673 written to allow compatibility with Gradle-based tools, and
674 the <literal>extraLicenses</literal> argument has been added
675 to accept more SDK licenses if your project requires it. See
676 the androidenv documentation for more details.
677 </para>
678 </listitem>
679 <listitem>
680 <para>
681 The attribute <literal>mpi</literal> is now consistently used
682 to provide a default, system-wide MPI implementation. The
683 default implementation is openmpi, which has been used before
684 by all derivations affects by this change. Note that all
685 packages that have used <literal>mpi ? null</literal> in the
686 input for optional MPI builds, have been changed to the
687 boolean input paramater <literal>useMpi</literal> to enable
688 building with MPI. Building all packages with
689 <literal>mpich</literal> instead of the default
690 <literal>openmpi</literal> can now be achived like this:
691 </para>
692 <programlisting language="bash">
693self: super:
694{
695 mpi = super.mpich;
696}
697</programlisting>
698 </listitem>
699 <listitem>
700 <para>
701 The Searx module has been updated with the ability to
702 configure the service declaratively and uWSGI integration. The
703 option <literal>services.searx.configFile</literal> has been
704 renamed to
705 <link xlink:href="options.html#opt-services.searx.settingsFile">services.searx.settingsFile</link>
706 for consistency with the new
707 <link xlink:href="options.html#opt-services.searx.settings">services.searx.settings</link>.
708 In addition, the <literal>searx</literal> uid and gid
709 reservations have been removed since they were not necessary:
710 the service is now running with a dynamically allocated uid.
711 </para>
712 </listitem>
713 <listitem>
714 <para>
715 The libinput module has been updated with the ability to
716 configure mouse and touchpad settings separately. The options
717 in <literal>services.xserver.libinput</literal> have been
718 renamed to
719 <literal>services.xserver.libinput.touchpad</literal>, while
720 there is a new
721 <literal>services.xserver.libinput.mouse</literal> for mouse
722 related configuration.
723 </para>
724 <para>
725 Since touchpad options no longer apply to all devices, you may
726 want to replicate your touchpad configuration in mouse
727 section.
728 </para>
729 </listitem>
730 <listitem>
731 <para>
732 ALSA OSS emulation
733 (<literal>sound.enableOSSEmulation</literal>) is now disabled
734 by default.
735 </para>
736 </listitem>
737 <listitem>
738 <para>
739 Thinkfan as been updated to <literal>1.2.x</literal>, which
740 comes with a new YAML based configuration format. For this
741 reason, several NixOS options of the thinkfan module have been
742 changed to non-backward compatible types. In addition, a new
743 <link xlink:href="options.html#opt-services.thinkfan.settings">services.thinkfan.settings</link>
744 option has been added.
745 </para>
746 <para>
747 Please read the
748 <link xlink:href="https://github.com/vmatare/thinkfan#readme">
749 thinkfan documentation</link> before updating.
750 </para>
751 </listitem>
752 <listitem>
753 <para>
754 Adobe Flash Player support has been dropped from the tree. In
755 particular, the following packages no longer support it:
756 </para>
757 <itemizedlist>
758 <listitem>
759 <para>
760 chromium
761 </para>
762 </listitem>
763 <listitem>
764 <para>
765 firefox
766 </para>
767 </listitem>
768 <listitem>
769 <para>
770 qt48
771 </para>
772 </listitem>
773 <listitem>
774 <para>
775 qt5.qtwebkit
776 </para>
777 </listitem>
778 </itemizedlist>
779 <para>
780 Additionally, packages flashplayer and hal-flash were removed
781 along with the <literal>services.flashpolicyd</literal>
782 module.
783 </para>
784 </listitem>
785 <listitem>
786 <para>
787 The <literal>security.rngd</literal> module has been removed.
788 It was disabled by default in 20.09 as it was functionally
789 redundant with krngd in the linux kernel. It is not necessary
790 for any device that the kernel recognises as an hardware RNG,
791 as it will automatically run the krngd task to periodically
792 collect random data from the device and mix it into the
793 kernel's RNG.
794 </para>
795 <para>
796 The default SMTP port for GitLab has been changed to
797 <literal>25</literal> from its previous default of
798 <literal>465</literal>. If you depended on this default, you
799 should now set the
800 <link xlink:href="options.html#opt-services.gitlab.smtp.port">services.gitlab.smtp.port</link>
801 option.
802 </para>
803 </listitem>
804 <listitem>
805 <para>
806 The default version of ImageMagick has been updated from 6 to
807 7. You can use imagemagick6, imagemagick6_light, and
808 imagemagick6Big if you need the older version.
809 </para>
810 </listitem>
811 <listitem>
812 <para>
813 <link xlink:href="options.html#opt-services.xserver.videoDrivers">services.xserver.videoDrivers</link>
814 no longer uses the deprecated <literal>cirrus</literal> and
815 <literal>vesa</literal> device dependent X drivers by default.
816 It also enables both <literal>amdgpu</literal> and
817 <literal>nouveau</literal> drivers by default now.
818 </para>
819 </listitem>
820 <listitem>
821 <para>
822 The <literal>kindlegen</literal> package is gone, because it
823 is no longer supported or hosted by Amazon. Sadly, its
824 replacement, Kindle Previewer, has no Linux support. However,
825 there are other ways to generate MOBI files. See
826 <link xlink:href="https://github.com/NixOS/nixpkgs/issues/96439">the
827 discussion</link> for more info.
828 </para>
829 </listitem>
830 <listitem>
831 <para>
832 The apacheKafka packages are now built with version-matched
833 JREs. Versions 2.6 and above, the ones that recommend it, use
834 jdk11, while versions below remain on jdk8. The NixOS service
835 has been adjusted to start the service using the same version
836 as the package, adjustable with the new
837 <link xlink:href="options.html#opt-services.apache-kafka.jre">services.apache-kafka.jre</link>
838 option. Furthermore, the default list of
839 <link xlink:href="options.html#opt-services.apache-kafka.jvmOptions">services.apache-kafka.jvmOptions</link>
840 have been removed. You should set your own according to the
841 <link xlink:href="https://kafka.apache.org/documentation/#java">upstream
842 documentation</link> for your Kafka version.
843 </para>
844 </listitem>
845 <listitem>
846 <para>
847 The kodi package has been modified to allow concise addon
848 management. Consider the following configuration from previous
849 releases of NixOS to install kodi, including the
850 kodiPackages.inputstream-adaptive and kodiPackages.vfs-sftp
851 addons:
852 </para>
853 <programlisting language="bash">
854{
855 environment.systemPackages = [
856 pkgs.kodi
857 ];
858
859 nixpkgs.config.kodi = {
860 enableInputStreamAdaptive = true;
861 enableVFSSFTP = true;
862 };
863}
864</programlisting>
865 <para>
866 All Kodi <literal>config</literal> flags have been removed,
867 and as a result the above configuration should now be written
868 as:
869 </para>
870 <programlisting language="bash">
871{
872 environment.systemPackages = [
873 (pkgs.kodi.withPackages (p: with p; [
874 inputstream-adaptive
875 vfs-sftp
876 ]))
877 ];
878}
879</programlisting>
880 </listitem>
881 <listitem>
882 <para>
883 <literal>environment.defaultPackages</literal> now includes
884 the nano package. If pkgs.nano is not added to the list, make
885 sure another editor is installed and the
886 <literal>EDITOR</literal> environment variable is set to it.
887 Environment variables can be set using
888 <literal>environment.variables</literal>.
889 </para>
890 </listitem>
891 <listitem>
892 <para>
893 <literal>services.minio.dataDir</literal> changed type to a
894 list of paths, required for specifiyng multiple data
895 directories for using with erasure coding. Currently, the
896 service doesn't enforce nor checks the correct number of paths
897 to correspond to minio requirements.
898 </para>
899 </listitem>
900 <listitem>
901 <para>
902 All CUDA toolkit versions prior to CUDA 10 have been removed.
903 </para>
904 </listitem>
905 <listitem>
906 <para>
907 The kbdKeymaps package was removed since dvp and neo are now
908 included in kbd. If you want to use the Programmer Dvorak
909 Keyboard Layout, you have to use
910 <literal>dvorak-programmer</literal> in
911 <literal>console.keyMap</literal> now instead of
912 <literal>dvp</literal>. In
913 <literal>services.xserver.xkbVariant</literal> it's still
914 <literal>dvp</literal>.
915 </para>
916 </listitem>
917 <listitem>
918 <para>
919 The babeld service is now being run as an unprivileged user.
920 To achieve that the module configures
921 <literal>skip-kernel-setup true</literal> and takes care of
922 setting forwarding and rp_filter sysctls by itself as well as
923 for each interface in
924 <literal>services.babeld.interfaces</literal>.
925 </para>
926 </listitem>
927 <listitem>
928 <para>
929 The <literal>services.zigbee2mqtt.config</literal> option has
930 been renamed to
931 <literal>services.zigbee2mqtt.settings</literal> and now
932 follows
933 <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
934 0042</link>.
935 </para>
936 </listitem>
937 </itemizedlist>
938 <para>
939 The yadm dotfile manager has been updated from 2.x to 3.x, which
940 has new (XDG) default locations for some data/state files. Most
941 yadm commands will fail and print a legacy path warning (which
942 describes how to upgrade/migrate your repository). If you have
943 scripts, daemons, scheduled jobs, shell profiles, etc. that invoke
944 yadm, expect them to fail or misbehave until you perform this
945 migration and prepare accordingly.
946 </para>
947 <itemizedlist>
948 <listitem>
949 <para>
950 Instead of determining
951 <literal>services.radicale.package</literal> automatically
952 based on <literal>system.stateVersion</literal>, the latest
953 version is always used because old versions are not officially
954 supported.
955 </para>
956 <para>
957 Furthermore, Radicale's systemd unit was hardened which might
958 break some deployments. In particular, a non-default
959 <literal>filesystem_folder</literal> has to be added to
960 <literal>systemd.services.radicale.serviceConfig.ReadWritePaths</literal>
961 if the deprecated <literal>services.radicale.config</literal>
962 is used.
963 </para>
964 </listitem>
965 <listitem>
966 <para>
967 In the <literal>security.acme</literal> module, use of
968 <literal>--reuse-key</literal> parameter for Lego has been
969 removed. It was introduced for HKPK, but this security feature
970 is now deprecated. It is a better security practice to rotate
971 key pairs instead of always keeping the same. If you need to
972 keep this parameter, you can add it back using
973 <literal>extraLegoRenewFlags</literal> as an option for the
974 appropriate certificate.
975 </para>
976 </listitem>
977 </itemizedlist>
978 </section>
979 <section xml:id="sec-release-21.05-notable-changes">
980 <title>Other Notable Changes</title>
981 <itemizedlist>
982 <listitem>
983 <para>
984 <literal>stdenv.lib</literal> has been deprecated and will
985 break eval in 21.11. Please use <literal>pkgs.lib</literal>
986 instead. See
987 <link xlink:href="https://github.com/NixOS/nixpkgs/issues/108938">#108938</link>
988 for details.
989 </para>
990 </listitem>
991 <listitem>
992 <para>
993 <link xlink:href="https://www.gnuradio.org/">GNURadio</link>
994 has a <literal>pkgs</literal> attribute set, and there's a
995 <literal>gnuradio.callPackage</literal> function that extends
996 <literal>pkgs</literal> with a
997 <literal>mkDerivation</literal>, and a
998 <literal>mkDerivationWith</literal>, like Qt5. Now all
999 <literal>gnuradio.pkgs</literal> are defined with
1000 <literal>gnuradio.callPackage</literal> and some packages that
1001 depend on gnuradio are defined with this as well.
1002 </para>
1003 </listitem>
1004 <listitem>
1005 <para>
1006 <link xlink:href="https://www.privoxy.org/">Privoxy</link> has
1007 been updated to version 3.0.32 (See
1008 <link xlink:href="https://lists.privoxy.org/pipermail/privoxy-announce/2021-February/000007.html">announcement</link>).
1009 Compared to the previous release, Privoxy has gained support
1010 for HTTPS inspection (still experimental), Brotli
1011 decompression, several new filters and lots of bug fixes,
1012 including security ones. In addition, the package is now built
1013 with compression and external filters support, which were
1014 previously disabled.
1015 </para>
1016 <para>
1017 Regarding the NixOS module, new options for HTTPS inspection
1018 have been added and
1019 <literal>services.privoxy.extraConfig</literal> has been
1020 replaced by the new
1021 <link xlink:href="options.html#opt-services.privoxy.settings">services.privoxy.settings</link>
1022 (See
1023 <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
1024 0042</link> for the motivation).
1025 </para>
1026 </listitem>
1027 <listitem>
1028 <para>
1029 <link xlink:href="https://kodi.tv/">Kodi</link> has been
1030 updated to version 19.1 "Matrix". See the
1031 <link xlink:href="https://kodi.tv/article/kodi-19-0-matrix-release">announcement</link>
1032 for further details.
1033 </para>
1034 </listitem>
1035 <listitem>
1036 <para>
1037 The <literal>services.packagekit.backend</literal> option has
1038 been removed as it only supported a single setting which would
1039 always be the default. Instead new
1040 <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
1041 0042</link> compliant
1042 <link xlink:href="options.html#opt-services.packagekit.settings">services.packagekit.settings</link>
1043 and
1044 <link xlink:href="options.html#opt-services.packagekit.vendorSettings">services.packagekit.vendorSettings</link>
1045 options have been introduced.
1046 </para>
1047 </listitem>
1048 <listitem>
1049 <para>
1050 <link xlink:href="https://nginx.org">Nginx</link> has been
1051 updated to stable version 1.20.0. Now nginx uses the zlib-ng
1052 library by default.
1053 </para>
1054 </listitem>
1055 <listitem>
1056 <para>
1057 KDE Gear (formerly KDE Applications) is upgraded to 21.04, see
1058 its
1059 <link xlink:href="https://kde.org/announcements/gear/21.04/">release
1060 notes</link> for details.
1061 </para>
1062 <para>
1063 The <literal>kdeApplications</literal> package set is now
1064 <literal>kdeGear</literal>, in keeping with the new name. The
1065 old name remains for compatibility, but it is deprecated.
1066 </para>
1067 </listitem>
1068 <listitem>
1069 <para>
1070 <link xlink:href="https://libreswan.org/">Libreswan</link> has
1071 been updated to version 4.4. The package now includes example
1072 configurations and manual pages by default. The NixOS module
1073 has been changed to use the upstream systemd units and write
1074 the configuration in the <literal>/etc/ipsec.d/ </literal>
1075 directory. In addition, two new options have been added to
1076 specify connection policies
1077 (<link xlink:href="options.html#opt-services.libreswan.policies">services.libreswan.policies</link>)
1078 and disable send/receive redirects
1079 (<link xlink:href="options.html#opt-services.libreswan.disableRedirects">services.libreswan.disableRedirects</link>).
1080 </para>
1081 </listitem>
1082 <listitem>
1083 <para>
1084 The Mailman NixOS module (<literal>services.mailman</literal>)
1085 has a new option
1086 <link xlink:href="options.html#opt-services.mailman.enablePostfix">services.mailman.enablePostfix</link>,
1087 defaulting to true, that controls integration with Postfix.
1088 </para>
1089 <para>
1090 If this option is disabled, default MTA config becomes not set
1091 and you should set the options in
1092 <literal>services.mailman.settings.mta</literal> according to
1093 the desired configuration as described in
1094 <link xlink:href="https://mailman.readthedocs.io/en/latest/src/mailman/docs/mta.html">Mailman
1095 documentation</link>.
1096 </para>
1097 </listitem>
1098 <listitem>
1099 <para>
1100 The default-version of <literal>nextcloud</literal> is
1101 nextcloud21. Please note that it's <emphasis>not</emphasis>
1102 possible to upgrade <literal>nextcloud</literal> across
1103 multiple major versions! This means that it's e.g. not
1104 possible to upgrade from nextcloud18 to nextcloud20 in a
1105 single deploy and most <literal>20.09</literal> users will
1106 have to upgrade to nextcloud20 first.
1107 </para>
1108 <para>
1109 The package can be manually upgraded by setting
1110 <link xlink:href="options.html#opt-services.nextcloud.package">services.nextcloud.package</link>
1111 to nextcloud21.
1112 </para>
1113 </listitem>
1114 <listitem>
1115 <para>
1116 The setting
1117 <link xlink:href="options.html#opt-services.redis.bind">services.redis.bind</link>
1118 defaults to <literal>127.0.0.1</literal> now, making Redis
1119 listen on the loopback interface only, and not all public
1120 network interfaces.
1121 </para>
1122 </listitem>
1123 <listitem>
1124 <para>
1125 NixOS now emits a deprecation warning if systemd's
1126 <literal>StartLimitInterval</literal> setting is used in a
1127 <literal>serviceConfig</literal> section instead of in a
1128 <literal>unitConfig</literal>; that setting is deprecated and
1129 now undocumented for the service section by systemd upstream,
1130 but still effective and somewhat buggy there, which can be
1131 confusing. See
1132 <link xlink:href="https://github.com/NixOS/nixpkgs/issues/45785">#45785</link>
1133 for details.
1134 </para>
1135 <para>
1136 All services should use
1137 <link xlink:href="options.html#opt-systemd.services._name_.startLimitIntervalSec">systemd.services.<emphasis>name</emphasis>.startLimitIntervalSec</link>
1138 or <literal>StartLimitIntervalSec</literal> in
1139 <link xlink:href="options.html#opt-systemd.services._name_.unitConfig">systemd.services.<emphasis>name</emphasis>.unitConfig</link>
1140 instead.
1141 </para>
1142 </listitem>
1143 <listitem>
1144 <para>
1145 The <literal>mediatomb</literal> service declares new options.
1146 It also adapts existing options so the configuration
1147 generation is now lazy. The existing option
1148 <literal>customCfg</literal> (defaults to false), when
1149 enabled, stops the service configuration generation
1150 completely. It then expects the users to provide their own
1151 correct configuration at the right location (whereas the
1152 configuration was generated and not used at all before). The
1153 new option <literal>transcodingOption</literal> (defaults to
1154 no) allows a generated configuration. It makes the mediatomb
1155 service pulls the necessary runtime dependencies in the nix
1156 store (whereas it was generated with hardcoded values before).
1157 The new option <literal>mediaDirectories</literal> allows the
1158 users to declare autoscan media directories from their nixos
1159 configuration:
1160 </para>
1161 <programlisting language="bash">
1162{
1163 services.mediatomb.mediaDirectories = [
1164 { path = "/var/lib/mediatomb/pictures"; recursive = false; hidden-files = false; }
1165 { path = "/var/lib/mediatomb/audio"; recursive = true; hidden-files = false; }
1166 ];
1167}
1168</programlisting>
1169 </listitem>
1170 <listitem>
1171 <para>
1172 The Unbound DNS resolver service
1173 (<literal>services.unbound</literal>) has been refactored to
1174 allow reloading, control sockets and to fix startup ordering
1175 issues.
1176 </para>
1177 <para>
1178 It is now possible to enable a local UNIX control socket for
1179 unbound by setting the
1180 <link xlink:href="options.html#opt-services.unbound.localControlSocketPath">services.unbound.localControlSocketPath</link>
1181 option.
1182 </para>
1183 <para>
1184 Previously we just applied a very minimal set of restrictions
1185 and trusted unbound to properly drop root privs and
1186 capabilities.
1187 </para>
1188 <para>
1189 As of this we are (for the most part) just using the upstream
1190 example unit file for unbound. The main difference is that we
1191 start unbound as <literal>unbound</literal> user with the
1192 required capabilities instead of letting unbound do the chroot
1193 & uid/gid changes.
1194 </para>
1195 <para>
1196 The upstream unit configuration this is based on is a lot
1197 stricter with all kinds of permissions then our previous
1198 variant. It also came with the default of having the
1199 <literal>Type</literal> set to <literal>notify</literal>,
1200 therefore we are now also using the
1201 <literal>unbound-with-systemd</literal> package here. Unbound
1202 will start up, read the configuration files and start
1203 listening on the configured ports before systemd will declare
1204 the unit <literal>active (running)</literal>. This will likely
1205 help with startup order and the occasional race condition
1206 during system activation where the DNS service is started but
1207 not yet ready to answer queries. Services depending on
1208 <literal>nss-lookup.target</literal> or
1209 <literal>unbound.service</literal> are now be able to use
1210 unbound when those targets have been reached.
1211 </para>
1212 <para>
1213 Additionally to the much stricter runtime environment the
1214 <literal>/dev/urandom</literal> mount lines we previously had
1215 in the code (that randomly failed during the stop-phase) have
1216 been removed as systemd will take care of those for us.
1217 </para>
1218 <para>
1219 The <literal>preStart</literal> script is now only required if
1220 we enabled the trust anchor updates (which are still enabled
1221 by default).
1222 </para>
1223 <para>
1224 Another benefit of the refactoring is that we can now issue
1225 reloads via either <literal>pkill -HUP unbound</literal> and
1226 <literal>systemctl reload unbound</literal> to reload the
1227 running configuration without taking the daemon offline. A
1228 prerequisite of this was that unbound configuration is
1229 available on a well known path on the file system. We are
1230 using the path <literal>/etc/unbound/unbound.conf</literal> as
1231 that is the default in the CLI tooling which in turn enables
1232 us to use <literal>unbound-control</literal> without passing a
1233 custom configuration location.
1234 </para>
1235 <para>
1236 The module has also been reworked to be
1237 <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
1238 0042</link> compliant. As such,
1239 <literal>sevices.unbound.extraConfig</literal> has been
1240 removed and replaced by
1241 <link xlink:href="options.html#opt-services.unbound.settings">services.unbound.settings</link>.
1242 <literal>services.unbound.interfaces</literal> has been
1243 renamed to
1244 <literal>services.unbound.settings.server.interface</literal>.
1245 </para>
1246 <para>
1247 <literal>services.unbound.forwardAddresses</literal> and
1248 <literal>services.unbound.allowedAccess</literal> have also
1249 been changed to use the new settings interface. You can follow
1250 the instructions when executing
1251 <literal>nixos-rebuild</literal> to upgrade your configuration
1252 to use the new interface.
1253 </para>
1254 </listitem>
1255 <listitem>
1256 <para>
1257 The <literal>services.dnscrypt-proxy2</literal> module now
1258 takes the upstream's example configuration and updates it with
1259 the user's settings. An option has been added to restore the
1260 old behaviour if you prefer to declare the configuration from
1261 scratch.
1262 </para>
1263 </listitem>
1264 <listitem>
1265 <para>
1266 NixOS now defaults to the unified cgroup hierarchy
1267 (cgroupsv2). See the
1268 <link xlink:href="https://www.redhat.com/sysadmin/fedora-31-control-group-v2">Fedora
1269 Article for 31</link> for details on why this is desirable,
1270 and how it impacts containers.
1271 </para>
1272 <para>
1273 If you want to run containers with a runtime that does not yet
1274 support cgroupsv2, you can switch back to the old behaviour by
1275 setting
1276 <link xlink:href="options.html#opt-systemd.enableUnifiedCgroupHierarchy">systemd.enableUnifiedCgroupHierarchy</link>
1277 = <literal>false</literal>; and rebooting.
1278 </para>
1279 </listitem>
1280 <listitem>
1281 <para>
1282 PulseAudio was upgraded to 14.0, with changes to the handling
1283 of default sinks. See its
1284 <link xlink:href="https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/14.0/">release
1285 notes</link>.
1286 </para>
1287 </listitem>
1288 <listitem>
1289 <para>
1290 GNOME users may wish to delete their
1291 <literal>~/.config/pulse</literal> due to the changes to
1292 stream routing logic. See
1293 <link xlink:href="https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/issues/832">PulseAudio
1294 bug 832</link> for more information.
1295 </para>
1296 </listitem>
1297 <listitem>
1298 <para>
1299 The zookeeper package does not provide
1300 <literal>zooInspector.sh</literal> anymore, as that
1301 "contrib" has been dropped from upstream releases.
1302 </para>
1303 </listitem>
1304 <listitem>
1305 <para>
1306 In the ACME module, the data used to build the hash for the
1307 account directory has changed to accomodate new features to
1308 reduce account rate limit issues. This will trigger new
1309 account creation on the first rebuild following this update.
1310 No issues are expected to arise from this, thanks to the new
1311 account creation handling.
1312 </para>
1313 </listitem>
1314 <listitem>
1315 <para>
1316 <link xlink:href="options.html#opt-users.users._name_.createHome">users.users.<emphasis>name</emphasis>.createHome</link>
1317 now always ensures home directory permissions to be
1318 <literal>0700</literal>. Permissions had previously been
1319 ignored for already existing home directories, possibly
1320 leaving them readable by others. The option's description was
1321 incorrect regarding ownership management and has been
1322 simplified greatly.
1323 </para>
1324 </listitem>
1325 <listitem>
1326 <para>
1327 When defining a new user, one of
1328 <link xlink:href="options.html#opt-users.users._name_.isNormalUser">users.users.<emphasis>name</emphasis>.isNormalUser</link>
1329 and
1330 <link xlink:href="options.html#opt-users.users._name_.isSystemUser">users.users.<emphasis>name</emphasis>.isSystemUser</link>
1331 is now required. This is to prevent accidentally giving a UID
1332 above 1000 to system users, which could have unexpected
1333 consequences, like running user activation scripts for system
1334 users. Note that users defined with an explicit UID below 500
1335 are exempted from this check, as
1336 <link xlink:href="options.html#opt-users.users._name_.isSystemUser">users.users.<emphasis>name</emphasis>.isSystemUser</link>
1337 has no effect for those.
1338 </para>
1339 </listitem>
1340 <listitem>
1341 <para>
1342 The <literal>security.apparmor</literal> module, for the
1343 <link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link>
1344 Mandatory Access Control system, has been substantialy
1345 improved along with related tools, so that module maintainers
1346 can now more easily write AppArmor profiles for NixOS. The
1347 most notable change on the user-side is the new option
1348 <link xlink:href="options.html#opt-security.apparmor.policies">security.apparmor.policies</link>,
1349 replacing the previous <literal>profiles</literal> option to
1350 provide a way to disable a profile and to select whether to
1351 confine in enforce mode (default) or in complain mode (see
1352 <literal>journalctl -b --grep apparmor</literal>).
1353 Security-minded users may also want to enable
1354 <link xlink:href="options.html#opt-security.apparmor.killUnconfinedConfinables">security.apparmor.killUnconfinedConfinables</link>,
1355 at the cost of having some of their processes killed when
1356 updating to a NixOS version introducing new AppArmor profiles.
1357 </para>
1358 </listitem>
1359 <listitem>
1360 <para>
1361 The GNOME desktop manager once again installs gnome.epiphany
1362 by default.
1363 </para>
1364 </listitem>
1365 <listitem>
1366 <para>
1367 NixOS now generates empty <literal>/etc/netgroup</literal>.
1368 <literal>/etc/netgroup</literal> defines network-wide groups
1369 and may affect to setups using NIS.
1370 </para>
1371 </listitem>
1372 <listitem>
1373 <para>
1374 Platforms, like <literal>stdenv.hostPlatform</literal>, no
1375 longer have a <literal>platform</literal> attribute. It has
1376 been (mostly) flattened away:
1377 </para>
1378 <itemizedlist>
1379 <listitem>
1380 <para>
1381 <literal>platform.gcc</literal> is now
1382 <literal>gcc</literal>
1383 </para>
1384 </listitem>
1385 <listitem>
1386 <para>
1387 <literal>platform.kernel*</literal> is now
1388 <literal>linux-kernel.*</literal>
1389 </para>
1390 </listitem>
1391 </itemizedlist>
1392 <para>
1393 Additionally, <literal>platform.kernelArch</literal> moved to
1394 the top level as <literal>linuxArch</literal> to match the
1395 other <literal>*Arch</literal> variables.
1396 </para>
1397 <para>
1398 The <literal>platform</literal> grouping of these things never
1399 meant anything, and was just a historial/implementation
1400 artifact that was overdue removal.
1401 </para>
1402 </listitem>
1403 <listitem>
1404 <para>
1405 <literal>services.restic</literal> now uses a dedicated cache
1406 directory for every backup defined in
1407 <literal>services.restic.backups</literal>. The old global
1408 cache directory, <literal>/root/.cache/restic</literal>, is
1409 now unused and can be removed to free up disk space.
1410 </para>
1411 </listitem>
1412 <listitem>
1413 <para>
1414 <literal>isync</literal>: The <literal>isync</literal>
1415 compatibility wrapper was removed and the Master/Slave
1416 terminology has been deprecated and should be replaced with
1417 Far/Near in the configuration file.
1418 </para>
1419 </listitem>
1420 <listitem>
1421 <para>
1422 The nix-gc service now accepts randomizedDelaySec (default: 0)
1423 and persistent (default: true) parameters. By default nix-gc
1424 will now run immediately if it would have been triggered at
1425 least once during the time when the timer was inactive.
1426 </para>
1427 </listitem>
1428 <listitem>
1429 <para>
1430 The <literal>rustPlatform.buildRustPackage</literal> function
1431 is split into several hooks: cargoSetupHook to set up
1432 vendoring for Cargo-based projects, cargoBuildHook to build a
1433 project using Cargo, cargoInstallHook to install a project
1434 using Cargo, and cargoCheckHook to run tests in Cargo-based
1435 projects. With this change, mixed-language projects can use
1436 the relevant hooks within builders other than
1437 <literal>buildRustPackage</literal>. However, these changes
1438 also required several API changes to
1439 <literal>buildRustPackage</literal> itself:
1440 </para>
1441 <itemizedlist>
1442 <listitem>
1443 <para>
1444 The <literal>target</literal> argument was removed.
1445 Instead, <literal>buildRustPackage</literal> will always
1446 use the same target as the C/C++ compiler that is used.
1447 </para>
1448 </listitem>
1449 <listitem>
1450 <para>
1451 The <literal>cargoParallelTestThreads</literal> argument
1452 was removed. Parallel tests are now disabled through
1453 <literal>dontUseCargoParallelTests</literal>.
1454 </para>
1455 </listitem>
1456 </itemizedlist>
1457 </listitem>
1458 <listitem>
1459 <para>
1460 The <literal>rustPlatform.maturinBuildHook</literal> hook was
1461 added. This hook can be used with
1462 <literal>buildPythonPackage</literal> to build Python packages
1463 that are written in Rust and use Maturin as their build tool.
1464 </para>
1465 </listitem>
1466 <listitem>
1467 <para>
1468 Kubernetes has
1469 <link xlink:href="https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/">deprecated
1470 docker</link> as container runtime. As a consequence, the
1471 Kubernetes module now has support for configuration of custom
1472 remote container runtimes and enables containerd by default.
1473 Note that containerd is more strict regarding container image
1474 OCI-compliance. As an example, images with CMD or ENTRYPOINT
1475 defined as strings (not lists) will fail on containerd, while
1476 working fine on docker. Please test your setup and container
1477 images with containerd prior to upgrading.
1478 </para>
1479 </listitem>
1480 <listitem>
1481 <para>
1482 The GitLab module now has support for automatic backups. A
1483 schedule can be set with the
1484 <link xlink:href="options.html#opt-services.gitlab.backup.startAt">services.gitlab.backup.startAt</link>
1485 option.
1486 </para>
1487 </listitem>
1488 <listitem>
1489 <para>
1490 Prior to this release, systemd would also read system units
1491 from an undocumented
1492 <literal>/etc/systemd-mutable/system</literal> path. This path
1493 has been dropped from the defaults. That path (or others) can
1494 be re-enabled by adding it to the
1495 <link xlink:href="options.html#opt-boot.extraSystemdUnitPaths">boot.extraSystemdUnitPaths</link>
1496 list.
1497 </para>
1498 </listitem>
1499 <listitem>
1500 <para>
1501 PostgreSQL 9.5 is scheduled EOL during the 21.05 life cycle
1502 and has been removed.
1503 </para>
1504 </listitem>
1505 <listitem>
1506 <para>
1507 <link xlink:href="https://www.xfce.org/">Xfce4</link> relies
1508 on GIO/GVfs for userspace virtual filesystem access in
1509 applications like
1510 <link xlink:href="https://docs.xfce.org/xfce/thunar/">thunar</link>
1511 and
1512 <link xlink:href="https://docs.xfce.org/apps/gigolo/">gigolo</link>.
1513 For that to work, the gvfs nixos service is enabled by
1514 default, and it can be configured with the specific package
1515 that provides GVfs. Until now Xfce4 was setting it to use a
1516 lighter version of GVfs (without support for samba). To avoid
1517 conflicts with other desktop environments this setting has
1518 been dropped. Users that still want it should add the
1519 following to their system configuration:
1520 </para>
1521 <programlisting language="bash">
1522{
1523 services.gvfs.package = pkgs.gvfs.override { samba = null; };
1524}
1525</programlisting>
1526 </listitem>
1527 <listitem>
1528 <para>
1529 The newly enabled <literal>systemd-pstore.service</literal>
1530 now automatically evacuates crashdumps and panic logs from the
1531 persistent storage to
1532 <literal>/var/lib/systemd/pstore</literal>. This prevents
1533 NVRAM from filling up, which ensures the latest diagnostic
1534 data is always stored and alleviates problems with writing new
1535 boot configurations.
1536 </para>
1537 </listitem>
1538 <listitem>
1539 <para>
1540 Nixpkgs now contains
1541 <link xlink:href="https://github.com/NixOS/nixpkgs/pull/118232">automatically
1542 packaged GNOME Shell extensions</link> from the
1543 <link xlink:href="https://extensions.gnome.org/">GNOME
1544 Extensions</link> portal. You can find them, filed by their
1545 UUID, under <literal>gnome38Extensions</literal> attribute for
1546 GNOME 3.38 and under <literal>gnome40Extensions</literal> for
1547 GNOME 40. Finally, the <literal>gnomeExtensions</literal>
1548 attribute contains extensions for the latest GNOME Shell
1549 version in Nixpkgs, listed under a more human-friendly name.
1550 The unqualified attribute scope also contains manually
1551 packaged extensions. Note that the automatically packaged
1552 extensions are provided for convenience and are not checked or
1553 guaranteed to work.
1554 </para>
1555 </listitem>
1556 <listitem>
1557 <para>
1558 Erlang/OTP versions older than R21 got dropped. We also
1559 dropped the cuter package, as it was purely an example of how
1560 to build a package. We also dropped <literal>lfe_1_2</literal>
1561 as it could not build with R21+. Moving forward, we expect to
1562 only support 3 yearly releases of OTP.
1563 </para>
1564 </listitem>
1565 </itemizedlist>
1566 </section>
1567</section>