1<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-22.05">
2 <title>Release 22.05 (“Quokka”, 2022.05/30)</title>
3 <itemizedlist spacing="compact">
4 <listitem>
5 <para>
6 Support is planned until the end of December 2022, handing over
7 to 22.11.
8 </para>
9 </listitem>
10 </itemizedlist>
11 <section xml:id="sec-release-22.05-highlights">
12 <title>Highlights</title>
13 <para>
14 In addition to numerous new and upgraded packages, this release
15 has the following highlights:
16 </para>
17 <itemizedlist>
18 <listitem>
 <para>
 Nix has been updated from 2.3 to 2.8. This mainly brings experimental support for Flakes, but also marks the <literal>nix</literal> command as experimental, which now has to be enabled explicitly via the configuration. For more information and upgrade instructions, see the release notes for <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.4.html">nix-2.4</link>,
 <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.5.html">nix-2.5</link>, <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.6.html">nix-2.6</link>, <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.7.html">nix-2.7</link> and <link xlink:href="https://nixos.org/manual/nix/stable/release-notes/rl-2.8.html">nix-2.8</link>.
 </para>
21 </listitem>
22 <listitem>
23 <para>
24 The <literal>firefox</literal> browser on
25 <literal>x86_64-linux</literal> now makes use of
26 profile-guided optimisation, resulting in a much more
27 responsive browsing experience.
28 </para>
29 </listitem>
30 <listitem>
31 <para>
32 GNOME has been upgraded to 42. Please take a look at their
33 <link xlink:href="https://release.gnome.org/42/">Release
34 Notes</link> for details. In particular, it replaces gedit
35 with GNOME Text Editor, GNOME Terminal with GNOME Console
36 (formerly King’s Cross) and GNOME Screenshot by a tool
37 integrated into the Shell.
38 </para>
39 </listitem>
40 <listitem>
41 <para>
42 PHP 8.1 is now available.
43 </para>
44 </listitem>
45 <listitem>
46 <para>
 systemd services can now set
 <link linkend="opt-systemd.services">systemd.services.&lt;name&gt;.reloadTriggers</link>
 instead of <literal>reloadIfChanged</literal> for a more
 granular distinction between reloads and restarts.
51 </para>
52 </listitem>
53 <listitem>
54 <para>
 systemd has been upgraded to version 250.
56 </para>
57 </listitem>
58 <listitem>
59 <para>
60 Pulseaudio has been updated to version 15.0 and now optionally
61 <link xlink:href="https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/15.0/#supportforldacandaptxbluetoothcodecsplussbcxqsbcwithhigher-qualityparameters">supports
62 additional Bluetooth audio codecs</link> such as aptX or LDAC,
63 with codec switching available in
64 <literal>pavucontrol</literal>. This feature is disabled by
65 default, but can be enabled with the option
66 <literal>hardware.pulseaudio.package = pkgs.pulseaudioFull;</literal>.
67 Existing third-party modules that offered similar functions,
68 such as <literal>pulseaudio-modules-bt</literal> or
69 <literal>pulseaudio-hsphfpd</literal>, are obsolete and have
70 been removed.
71 </para>
72 </listitem>
73 <listitem>
74 <para>
75 PostgreSQL now defaults to major version 14.
76 </para>
77 </listitem>
78 <listitem>
79 <para>
80 Module authors can use
81 <literal>mkRenamedOptionModuleWith</literal> to automate the
82 deprecation cycle without annoying out-of-tree module authors
83 and their users.
84 </para>
85 </listitem>
86 <listitem>
87 <para>
88 The default GHC version has been updated from 8.10.7 to 9.0.2.
89 <literal>pkgs.haskellPackages</literal> and
90 <literal>pkgs.ghc</literal> will now use this version by
91 default.
92 </para>
93 </listitem>
94 <listitem>
95 <para>
96 The GNOME and Plasma installation CDs now use
97 <literal>pkgs.calamares</literal> and
98 <literal>pkgs.calamares-nixos-extensions</literal> to allow
99 users to easily install and set up NixOS with a GUI.
100 </para>
101 </listitem>
102 <listitem>
103 <para>
104 <literal>security.acme.defaults</literal> has been added to
105 simplify the configuration of settings for many certificates
106 at once. This also opens up the option to use DNS-01
107 validation when using <literal>enableACME</literal> web server
108 virtual hosts (e.g.
109 <literal>services.nginx.virtualHosts.*.enableACME</literal>).
110 </para>
111 </listitem>
112 </itemizedlist>
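 The DNS-01 setup mentioned in the last highlight, as an added example (not taken from the NixOS manual or from the project's own code). The host names, the contact address, the rfc2136 provider and the credentials path are assumptions.

```nix
{
  security.acme = {
    acceptTerms = true;

    # Everything under `defaults` is inherited by every certificate,
    # including those created implicitly by `enableACME` virtual hosts.
    defaults = {
      email = "admin+acme@example.org";   # assumed contact address
      dnsProvider = "rfc2136";            # assumed DNS provider
      # The credentials file holds the DNS update key. Reference it as a
      # string path outside the Nix store (the store is world-readable)
      # and restrict the permissions of the file itself.
      credentialsFile = "/var/lib/secrets/acme-dns.env";   # assumed path
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts = {
      # Assumed host names; each one gets its own certificate.
      "www.example.org" = {
        forceSSL = true;
        enableACME = true;
        # No HTTP-01 webroot for this host: the certificate is issued
        # through the DNS-01 settings in security.acme.defaults.
        acmeRoot = null;
      };
      "git.example.org" = {
        forceSSL = true;
        enableACME = true;
        acmeRoot = null;
      };
    };
  };
}
```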
113 </section>
114 <section xml:id="sec-release-22.05-new-services">
115 <title>New Services</title>
116 <itemizedlist>
117 <listitem>
118 <para>
 <link xlink:href="https://1password.com/">1password</link>,
 command-line and graphical interfaces for 1Password. Available
 as
 <link linkend="opt-programs._1password.enable">programs._1password</link>
 and
 <link linkend="opt-programs._1password.enable">programs._1password-gui</link>.
125 </para>
126 </listitem>
127 <listitem>
128 <para>
129 <link xlink:href="https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw">aesmd</link>,
130 the Intel SGX Architectural Enclave Service Manager. Available
131 as
132 <link linkend="opt-services.aesmd.enable">services.aesmd</link>.
133 </para>
134 </listitem>
135 <listitem>
136 <para>
137 <link xlink:href="https://github.com/mbrubeck/agate">agate</link>,
138 a very simple server for the Gemini hypertext protocol.
139 Available as
140 <link linkend="opt-services.agate.enable">services.agate</link>.
141 </para>
142 </listitem>
143 <listitem>
144 <para>
145 <link xlink:href="https://github.com/linux-apfs/linux-apfs-rw">apfs</link>,
146 a kernel module for mounting the Apple File System (APFS).
147 </para>
148 </listitem>
149 <listitem>
150 <para>
151 <link xlink:href="https://gitlab.com/DarkElvenAngel/argononed">argonone</link>,
152 a replacement daemon for the Raspberry Pi Argon One power
153 button and cooler. Available at
154 <link xlink:href="options.html#opt-services.hardware.argonone.enable">services.hardware.argonone</link>.
155 </para>
156 </listitem>
157 <listitem>
158 <para>
 <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm">ArchiSteamFarm</link>,
 a C# application with the primary purpose of idling Steam cards
 from multiple accounts simultaneously. Available as
 <link linkend="opt-services.archisteamfarm.enable">services.archisteamfarm</link>.
163 </para>
164 </listitem>
165 <listitem>
166 <para>
167 <link xlink:href="https://loic-sharma.github.io/BaGet/">BaGet</link>,
168 a lightweight NuGet and symbol server. Available at
169 <link linkend="opt-services.baget.enable">services.baget</link>.
170 </para>
171 </listitem>
172 <listitem>
173 <para>
174 <link xlink:href="https://github.com/xddxdd/bird-lg-go">bird-lg</link>,
175 a BGP looking glass for Bird Routing. Available as
176 <link linkend="opt-services.bird-lg.package">services.bird-lg</link>.
177 </para>
178 </listitem>
179 <listitem>
180 <para>
 <link xlink:href="https://0xerr0r.github.io/blocky/">blocky</link>,
 a fast and lightweight DNS proxy and ad-blocker for the local
 network, with many features. Available as
 <link linkend="opt-services.blocky.enable">services.blocky</link>.
185 </para>
186 </listitem>
187 <listitem>
188 <para>
189 <link xlink:href="https://github.com/kissgyorgy/cloudflare-dyndns">cloudflare-dyndns</link>,
190 CloudFlare Dynamic DNS client. Available as
191 <link linkend="opt-services.cloudflare-dyndns.enable">services.cloudflare-dyndns</link>.
192 </para>
193 </listitem>
194 <listitem>
195 <para>
 <link xlink:href="https://corosync.github.io/corosync/">Corosync</link>
 and
 <link xlink:href="https://clusterlabs.org/pacemaker/">Pacemaker</link>,
 an open-source high-availability resource manager. Available as
 <link linkend="opt-services.corosync.enable">services.corosync</link>
 and
 <link linkend="opt-services.pacemaker.enable">services.pacemaker</link>.
203 </para>
204 </listitem>
205 <listitem>
206 <para>
207 <link xlink:href="https://github.com/lakinduakash/linux-wifi-hotspot">create_ap</link>,
208 a module for creating wifi hotspots using the program
209 linux-wifi-hotspot. Available as
210 <link linkend="opt-services.create_ap.enable">services.create_ap</link>.
211 </para>
212 </listitem>
213 <listitem>
214 <para>
215 <link xlink:href="https://www.envoyproxy.io/">Envoy</link>, a
216 high-performance reverse proxy. Available as
217 <link linkend="opt-services.envoy.enable">services.envoy</link>.
218 </para>
219 </listitem>
220 <listitem>
221 <para>
 <link xlink:href="https://ergo.chat">ergochat</link>, a modern
 IRC server with IRCv3 features. Available as
 <link linkend="opt-services.ergochat.enable">services.ergochat</link>.
225 </para>
226 </listitem>
227 <listitem>
228 <para>
229 <link xlink:href="https://github.com/audreyt/ethercalc">ethercalc</link>,
230 an online collaborative spreadsheet. Available as
231 <link linkend="opt-services.ethercalc.enable">services.ethercalc</link>.
232 </para>
233 </listitem>
234 <listitem>
235 <para>
236 <link xlink:href="https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html">filebeat</link>,
237 a lightweight shipper for forwarding and centralizing log
238 data. Available as
239 <link linkend="opt-services.filebeat.enable">services.filebeat</link>.
240 </para>
241 </listitem>
242 <listitem>
243 <para>
244 <link xlink:href="https://frrouting.org/">FRRouting</link>, a
245 popular suite of Internet routing protocol daemons (BGP, BFD,
246 OSPF, IS-IS, VRRP and others). Available as
247 <link linkend="opt-services.frr.babel.enable">services.frr</link>.
248 </para>
249 </listitem>
250 <listitem>
251 <para>
252 <link xlink:href="https://grafana.com/oss/mimir/">Grafana
253 Mimir</link>, an open source, horizontally scalable, highly
254 available, multi-tenant, long-term storage for Prometheus.
255 Available as
256 <link linkend="opt-services.mimir.enable">services.mimir</link>.
257 </para>
258 </listitem>
259 <listitem>
260 <para>
261 <link xlink:href="https://hastebin.com/about.md">Haste</link>,
262 a pastebin written in node.js. Available as
263 <link linkend="opt-services.haste-server.enable">services.haste</link>.
264 </para>
265 </listitem>
266 <listitem>
267 <para>
268 <link xlink:href="https://github.com/juanfont/headscale">headscale</link>,
269 an Open Source implementation of the
270 <link xlink:href="https://tailscale.io">Tailscale</link>
271 Control Server. Available as
272 <link linkend="opt-services.headscale.enable">services.headscale</link>.
273 </para>
274 </listitem>
275 <listitem>
276 <para>
277 <link xlink:href="https://github.com/hifi/heisenbridge">heisenbridge</link>,
278 a bouncer-style Matrix IRC bridge. Available as
279 <link linkend="opt-services.heisenbridge.enable">services.heisenbridge</link>.
280 </para>
281 </listitem>
282 <listitem>
283 <para>
284 <link xlink:href="https://github.com/aarond10/https_dns_proxy">https-dns-proxy</link>,
285 DNS to DNS over HTTPS (DoH) proxy. Available as
286 <link linkend="opt-services.https-dns-proxy.enable">services.https-dns-proxy</link>.
287 </para>
288 </listitem>
289 <listitem>
290 <para>
291 <link xlink:href="https://github.com/sezanzeb/input-remapper">input-remapper</link>,
292 an easy to use tool to change the mapping of your input device
293 buttons. Available at
294 <link linkend="opt-services.input-remapper.enable">services.input-remapper</link>.
295 </para>
296 </listitem>
297 <listitem>
298 <para>
299 <link xlink:href="https://invoiceplane.com">InvoicePlane</link>,
300 web application for managing and creating invoices. Available
301 at
302 <link linkend="opt-services.invoiceplane.sites._name_.enable">services.invoiceplane</link>.
303 </para>
304 </listitem>
305 <listitem>
306 <para>
307 <link xlink:href="https://userbase.kde.org/K3b">k3b</link>,
308 the KDE disk burning application. Available as
309 <link linkend="opt-programs.k3b.enable">programs.k3b</link>.
310 </para>
311 </listitem>
312 <listitem>
313 <para>
314 <link xlink:href="https://www.scorchworks.com/K40whisperer/k40whisperer.html">K40-Whisperer</link>,
315 a program to control cheap Chinese laser cutters. Available as
316 <link linkend="opt-programs.k40-whisperer.enable">programs.k40-whisperer.enable</link>.
317 Users must add themselves to the <literal>k40</literal> group
318 to be able to access the device.
319 </para>
320 </listitem>
321 <listitem>
322 <para>
 <link xlink:href="https://kanidm.github.io/kanidm/stable/">kanidm</link>,
 an identity management server written in Rust. Available as
 <link linkend="opt-services.kanidm.enableServer">services.kanidm</link>.
326 </para>
327 </listitem>
328 <listitem>
329 <para>
 <link xlink:href="https://maddy.email/">Maddy</link>, a free
 and open source mail server. Available as
 <link linkend="opt-services.maddy.enable">services.maddy</link>.
333 </para>
334 </listitem>
335 <listitem>
336 <para>
337 <link xlink:href="https://conduit.rs/">matrix-conduit</link>,
338 a simple, fast and reliable chat server powered by matrix.
339 Available as
340 <link xlink:href="option.html#opt-services.matrix-conduit.enable">services.matrix-conduit</link>.
341 </para>
342 </listitem>
343 <listitem>
344 <para>
345 <link xlink:href="https://moosefs.com">Moosefs</link>, fault
346 tolerant petabyte distributed file system. Available as
347 <link linkend="opt-services.moosefs.master.enable">moosefs</link>.
348 </para>
349 </listitem>
350 <listitem>
351 <para>
352 <link xlink:href="https://github.com/mozilla-mobile/mozilla-vpn-client">mozillavpn</link>,
353 the client for the
354 <link xlink:href="https://vpn.mozilla.org/">Mozilla VPN</link>
355 service. Available as
356 <link linkend="opt-services.mozillavpn.enable">services.mozillavpn</link>.
357 </para>
358 </listitem>
359 <listitem>
360 <para>
361 <link xlink:href="https://github.com/mgumz/mtr-exporter">mtr-exporter</link>,
362 a Prometheus exporter for mtr metrics. Available as
363 <link linkend="opt-services.mtr-exporter.enable">services.mtr-exporter</link>.
364 </para>
365 </listitem>
366 <listitem>
367 <para>
368 <link xlink:href="https://nbd.sourceforge.io/">nbd</link>, a
369 Network Block Device server. Available as
370 <link linkend="opt-services.nbd.server.enable">services.nbd</link>.
371 </para>
372 </listitem>
373 <listitem>
374 <para>
375 <link xlink:href="https://github.com/netbox-community/netbox">netbox</link>,
376 infrastructure resource modeling (IRM) tool. Available as
377 <link linkend="opt-services.netbox.enable">services.netbox</link>.
378 </para>
379 </listitem>
380 <listitem>
381 <para>
382 <link xlink:href="https://github.com/vvilhonen/nethoscope">nethoscope</link>,
383 listen to your network traffic. Available as
384 <link linkend="opt-programs.nethoscope.enable">programs.nethoscope</link>.
385 </para>
386 </listitem>
387 <listitem>
388 <para>
389 <link xlink:href="https://nifi.apache.org">nifi</link>, an
390 easy to use, powerful, and reliable system to process and
391 distribute data. Available as
392 <link linkend="opt-services.nifi.enable">services.nifi</link>.
393 </para>
394 </listitem>
395 <listitem>
396 <para>
 <link xlink:href="https://github.com/Mic92/nix-ld">nix-ld</link>,
 run unpatched dynamic binaries on NixOS. Available as
 <link linkend="opt-programs.nix-ld.enable">programs.nix-ld</link>.
400 </para>
401 </listitem>
402 <listitem>
403 <para>
 <link xlink:href="http://www.nncpgo.org">NNCP</link>, NNCP
 (Node to Node copy) utilities and configuration. Available as
 <link linkend="opt-programs.nncp.enable">programs.nncp</link>.
407 </para>
408 </listitem>
409 <listitem>
410 <para>
411 <link xlink:href="https://github.com/postgres/pgadmin4">pgadmin4</link>,
412 an admin interface for the PostgreSQL database. Available at
413 <link linkend="opt-services.pgadmin.enable">services.pgadmin</link>.
414 </para>
415 </listitem>
416 <listitem>
417 <para>
418 <link xlink:href="https://github.com/ngoduykhanh/PowerDNS-Admin">PowerDNS-Admin</link>,
419 a web interface for the PowerDNS server. Available at
420 <link linkend="opt-services.powerdns-admin.enable">services.powerdns-admin</link>.
421 </para>
422 </listitem>
423 <listitem>
424 <para>
425 <link xlink:href="https://github.com/prometheus-pve/prometheus-pve-exporter">prometheus-pve-exporter</link>,
426 a tool that exposes information from the Proxmox VE API for
427 use by Prometheus. Available as
428 <link linkend="opt-services.prometheus.exporters.pve.enable">services.prometheus.exporters.pve</link>.
429 </para>
430 </listitem>
431 <listitem>
432 <para>
433 <link xlink:href="https://github.com/ThomasLeister/prosody-filer">prosody-filer</link>,
434 a server for handling XMPP HTTP Upload requests. Available at
435 <link linkend="opt-services.prosody-filer.enable">services.prosody-filer</link>.
436 </para>
437 </listitem>
438 <listitem>
439 <para>
440 <link xlink:href="https://public-inbox.org">Public
441 Inbox</link>, an <quote>archives first</quote> approach to
442 mailing lists. Available as
443 <link linkend="opt-services.public-inbox.enable">services.public-inbox</link>.
444 </para>
445 </listitem>
446 <listitem>
447 <para>
448 <link xlink:href="https://github.com/fleaz/r53-ddns">r53-ddns</link>,
449 a small tool to run your own DDNS service via AWS Route53.
450 Available as
451 <link linkend="opt-services.r53-ddns.enable">services.r53-ddns</link>.
452 </para>
453 </listitem>
454 <listitem>
455 <para>
 <link xlink:href="https://ddvk.github.io/rmfakecloud/">rmfakecloud</link>,
 a clone of the cloud sync for the reMarkable tablet. Available as
 <link linkend="opt-services.rmfakecloud.enable">services.rmfakecloud</link>.
459 </para>
460 </listitem>
461 <listitem>
462 <para>
463 <link xlink:href="https://docs.docker.com/engine/security/rootless/">rootless
464 Docker</link>, a <literal>systemd --user</literal> Docker
465 service which runs without root permissions. Available as
466 <link linkend="opt-virtualisation.docker.rootless.enable">virtualisation.docker.rootless.enable</link>.
467 </para>
468 </listitem>
469 <listitem>
470 <para>
471 <link xlink:href="https://www.rstudio.com/products/rstudio/#rstudio-server">rstudio-server</link>,
472 a browser-based version of the RStudio IDE for the R
473 programming language. Available as
474 <link linkend="opt-services.rstudio-server.enable">services.rstudio-server</link>.
475 </para>
476 </listitem>
477 <listitem>
478 <para>
 <link xlink:href="https://github.com/aler9/rtsp-simple-server">rtsp-simple-server</link>,
 a ready-to-use RTSP / RTMP / HLS server and proxy for reading,
 publishing and proxying video and audio streams. Available as
 <link linkend="opt-services.rtsp-simple-server.enable">services.rtsp-simple-server</link>.
483 </para>
484 </listitem>
485 <listitem>
486 <para>
487 <link xlink:href="https://snipeitapp.com">Snipe-IT</link>, a
488 free open source IT asset/license management system. Available
489 as
490 <link linkend="opt-services.snipe-it.enable">services.snipe-it</link>.
491 </para>
492 </listitem>
493 <listitem>
494 <para>
495 <link xlink:href="https://snowflake.torproject.org/">snowflake-proxy</link>,
496 a system to defeat internet censorship. Available as
497 <link linkend="opt-services.snowflake-proxy.enable">services.snowflake-proxy</link>.
498 </para>
499 </listitem>
500 <listitem>
501 <para>
502 <link xlink:href="https://sslmate.com/">sslmate-agent</link>,
503 a daemon for managing SSL/TLS certificates on a server.
504 Available as
505 <link xlink:href="services.sslmate-agent.enable">services.sslmate-agent</link>.
506 </para>
507 </listitem>
508 <listitem>
509 <para>
 <link xlink:href="https://starship.rs">starship</link>, a
 minimal, blazing-fast, and infinitely customizable prompt for
 any shell. Available at
 <link linkend="opt-programs.starship.enable">programs.starship</link>.
514 </para>
515 </listitem>
516 <listitem>
517 <para>
 <link xlink:href="https://github.com/rfjakob/systembus-notify">systembus-notify</link>,
 allows system-level notifications to reach users. Available
 as
 <link xlink:href="opt-services.systembus-notify.enable">services.systembus-notify</link>.
 Please keep in mind that this service should only be enabled
 on machines with fully trusted users, as any local user is
 able to DoS user sessions by spamming notifications.
525 </para>
526 </listitem>
527 <listitem>
528 <para>
529 <link xlink:href="https://goteleport.com">teleport</link>,
530 allows engineers and security professionals to unify access
531 for SSH servers, Kubernetes clusters, web applications, and
532 databases across all environments. Available at
533 <link linkend="opt-services.teleport.enable">services.teleport</link>.
534 </para>
535 </listitem>
536 <listitem>
537 <para>
538 <link xlink:href="https://tetrd.app">tetrd</link>, share your
539 internet connection from your device to your PC and vice versa
540 through a USB cable. Available at
541 <link linkend="opt-services.tetrd.enable">services.tetrd</link>.
542 </para>
543 </listitem>
544 <listitem>
545 <para>
546 <link xlink:href="https://upterm.dev">uptermd</link>, an
547 open-source solution for sharing terminal sessions instantly
548 over the public internet via secure tunnels. Available at
549 <link linkend="opt-services.uptermd.enable">services.uptermd</link>.
550 </para>
551 </listitem>
552 <listitem>
553 <para>
 <link xlink:href="https://github.com/darrylb123/usbrelay">usbrelayd</link>,
 a USB Relay MQTT daemon. Available as
 <link linkend="opt-services.usbrelayd.enable">services.usbrelayd</link>.
557 </para>
558 </listitem>
559 <listitem>
560 <para>
 <link xlink:href="https://github.com/miquels/webdav-server-rs">webdav-server-rs</link>,
 a WebDAV server written in Rust. Available as
 <link linkend="opt-services.webdav-server-rs.enable">services.webdav-server-rs</link>.
564 </para>
565 </listitem>
566 <listitem>
567 <para>
568 <link xlink:href="https://github.com/gin66/wg_netmanager">wg-netmanager</link>,
569 the Wireguard network manager. Available as
570 <link linkend="opt-services.wg-netmanager.enable">services.wg-netmanager</link>.
571 </para>
572 </listitem>
573 <listitem>
574 <para>
575 <link xlink:href="https://zammad.org/">Zammad</link>, a
576 web-based, open source user support/ticketing solution.
577 Available as
578 <link linkend="opt-services.zammad.enable">services.zammad</link>.
579 </para>
580 </listitem>
581 </itemizedlist>
582 </section>
583 <section xml:id="sec-release-22.05-incompatibilities">
584 <title>Backward Incompatibilities</title>
585 <itemizedlist>
586 <listitem>
587 <para>
588 <literal>pkgs.ghc</literal> now refers to
589 <literal>pkgs.targetPackages.haskellPackages.ghc</literal>.
590 This <emphasis>only</emphasis> makes a difference if you are
591 cross-compiling and will ensure that
592 <literal>pkgs.ghc</literal> always runs on the host platform
593 and compiles for the target platform (similar to
594 <literal>pkgs.gcc</literal> for example).
595 <literal>haskellPackages.ghc</literal> still behaves as
596 before, running on the build platform and compiling for the
597 host platform (similar to <literal>stdenv.cc</literal>). This
598 means you don’t have to adjust your derivations if you use
599 <literal>haskellPackages.callPackage</literal>, but when using
600 <literal>pkgs.callPackage</literal> and taking
601 <literal>ghc</literal> as an input, you should now use
602 <literal>buildPackages.ghc</literal> instead to ensure cross
603 compilation keeps working (or switch to
604 <literal>haskellPackages.callPackage</literal>).
605 </para>
606 </listitem>
607 <listitem>
608 <para>
 <literal>pkgs.ghc.withPackages</literal> as well as
 <literal>haskellPackages.ghcWithPackages</literal> etc. now
 need to be overridden directly, as opposed to overriding the
 result of calling them. Additionally, the
 <literal>withLLVM</literal> parameter has been renamed to
 <literal>useLLVM</literal>. So instead of
 <literal>(ghc.withPackages (p: [])).override { withLLVM = true; }</literal>,
 one needs to use
 <literal>(ghc.withPackages.override { useLLVM = true; }) (p: [])</literal>.
618 </para>
619 </listitem>
620 <listitem>
621 <para>
 The update of the Haskell package set brings with it a new
 version of the <literal>xmonad</literal> module, which will
 break your configuration if you use <literal>launch</literal>
 as entrypoint. The example code for the corresponding NixOS
 module was adjusted; you may want to have a look at it.
627 </para>
628 </listitem>
629 <listitem>
630 <para>
631 The <literal>home-assistant</literal> module now requires
632 users that don’t want their configuration to be managed
633 declaratively to set
634 <literal>services.home-assistant.config = null;</literal>.
635 This is required due to the way default settings are handled
636 with the new settings style.
637 </para>
638 <para>
639 Additionally the default list of
640 <literal>extraComponents</literal> now includes the minimal
641 dependencies to successfully complete the
642 <link xlink:href="https://www.home-assistant.io/getting-started/onboarding/">onboarding</link>
643 procedure.
644 </para>
645 </listitem>
646 <listitem>
647 <para>
 <literal>pkgs.emacsPackages.orgPackages</literal> is removed
 because org elpa is deprecated. The packages in the top level
 of <literal>pkgs.emacsPackages</literal>, such as org and
 org-contrib, refer to the ones in
 <literal>pkgs.emacsPackages.elpaPackages</literal> and
 <literal>pkgs.emacsPackages.nongnuPackages</literal>, where
 new versions will be released.
655 </para>
656 </listitem>
657 <listitem>
658 <para>
659 The configuration and state directories used by
660 <literal>nixos-containers</literal> have been moved from
661 <literal>/etc/containers</literal> and
662 <literal>/var/lib/containers</literal> to
663 <literal>/etc/nixos-containers</literal> and
664 <literal>/var/lib/nixos-containers</literal>.
665 </para>
666 <para>
667 If you are changing <literal>system.stateVersion</literal> to
668 <literal>"22.05"</literal> manually on an existing
669 system you are responsible for migrating these directories
670 yourself.
671 </para>
672 <para>
 This is to improve compatibility with
 <literal>libcontainer</literal> based software such as Podman
 and Skopeo, which assume they have ownership over
 <literal>/etc/containers</literal>.
677 </para>
678 </listitem>
679 <listitem>
680 <para>
681 <literal>lib.systems.supported</literal> has been removed, as
682 it was overengineered for determining the systems to support
683 in the nixpkgs flake. The list of systems exposed by the
684 nixpkgs flake can now be accessed as
685 <literal>lib.systems.flakeExposed</literal>.
686 </para>
687 </listitem>
688 <listitem>
689 <para>
 For new installations
 <literal>virtualisation.oci-containers.backend</literal> is
 now set to <literal>podman</literal> by default. If you still
 want to use Docker on systems where
 <literal>system.stateVersion</literal> is set to
 <literal>"22.05"</literal>, set
 <literal>virtualisation.oci-containers.backend = "docker";</literal>.
 Old systems with older <literal>stateVersion</literal>s stay
 with <quote>docker</quote>.
699 </para>
700 </listitem>
701 <listitem>
702 <para>
703 <literal>security.klogd</literal> was removed. Logging of
704 kernel messages is handled by systemd since Linux 3.5.
705 </para>
706 </listitem>
707 <listitem>
708 <para>
709 <literal>pkgs.ssmtp</literal> has been dropped due to the
710 program being unmaintained. <literal>pkgs.msmtp</literal> can
711 be used instead as a substitute <literal>sendmail</literal>
712 implementation. The corresponding options
713 <literal>services.ssmtp.*</literal> have been removed as well.
714 <literal>programs.msmtp.*</literal> can be used instead for an
715 equivalent setup. For example:
716 </para>
 <programlisting language="bash">
{
  # Original ssmtp configuration:
  services.ssmtp = {
    enable = true;
    useTLS = true;
    useSTARTTLS = true;
    hostName = "smtp.example:587";
    authUser = "someone";
    authPassFile = "/secrets/password.txt";
  };

  # Equivalent msmtp configuration:
  programs.msmtp = {
    enable = true;
    accounts.default = {
      tls = true;
      tls_starttls = true;
      auth = true;
      host = "smtp.example";
      port = 587;
      user = "someone";
      passwordeval = "cat /secrets/password.txt";
    };
  };
}
</programlisting>
744 </listitem>
745 <listitem>
746 <para>
747 <literal>services.kubernetes.addons.dashboard</literal> was
748 removed due to it being an outdated version.
749 </para>
750 </listitem>
751 <listitem>
752 <para>
 <literal>services.kubernetes.scheduler.{port,address}</literal>
 now set <literal>--secure-port</literal> and
 <literal>--bind-address</literal> instead of
 <literal>--port</literal> and <literal>--address</literal>,
 since the latter have been deprecated and are no longer
 functional in Kubernetes &gt;= 1.23. Ensure that you are not
 relying on the insecure behaviour before upgrading.
760 </para>
761 </listitem>
762 <listitem>
763 <para>
764 In the PowerDNS Recursor module
765 (<literal>services.pdns-recursor</literal>), default values of
766 several IP address-related NixOS options have been updated to
767 match the default upstream behavior. In particular, Recursor
768 by default will:
769 </para>
770 <itemizedlist spacing="compact">
771 <listitem>
772 <para>
 listen on (and allow connections from) both IPv4 and IPv6
 addresses
 (<literal>services.pdns-recursor.dns.address</literal>,
 <literal>services.pdns-recursor.dns.allowFrom</literal>);
777 </para>
778 </listitem>
779 <listitem>
780 <para>
781 allow only local connections to the REST API server
782 (<literal>services.pdns-recursor.api.allowFrom</literal>).
783 </para>
784 </listitem>
785 </itemizedlist>
786 </listitem>
787 <listitem>
788 <para>
789 In the ncdns module, the default value of
790 <literal>services.ncdns.address</literal> has been changed to
791 the IPv6 loopback address (<literal>::1</literal>).
792 </para>
793 </listitem>
794 <listitem>
795 <para>
 <literal>openldap</literal> (and therefore the slapd LDAP
 server) was updated to version 2.6.2. The project introduced
 backwards-incompatible changes, namely the removal of the bdb,
 hdb, ndb, and shell backends in slapd. Therefore, before
 updating, dump your database in LDIF format with
 <literal>slapcat -n 1</literal>, and reimport it after updating
 your <literal>services.openldap.settings</literal>, which
 represents your <literal>cn=config</literal>.
804 </para>
805 <para>
 Additionally, with 2.5 the argon2 module was included in the
 standard distribution and renamed from
 <literal>pw-argon2</literal> to <literal>argon2</literal>.
 Remember to update your <literal>olcModuleLoad</literal> entry
 in <literal>cn=config</literal>.
811 </para>
812 </listitem>
813 <listitem>
814 <para>
 <literal>openssh</literal> has been updated to 8.9p1, changing
 the FIDO security key middleware interface.
817 </para>
818 </listitem>
819 <listitem>
820 <para>
 <literal>git</literal> no longer hardcodes the path to
 openssh’s ssh binary, to reduce the number of rebuilds. If you
 are using git with ssh remotes and do not have an ssh binary in
 your environment, consider adding <literal>openssh</literal> to
 it or switching to <literal>gitFull</literal>.
826 </para>
827 </listitem>
828 <listitem>
829 <para>
830 <literal>services.k3s.enable</literal> no longer implies
831 <literal>systemd.enableUnifiedCgroupHierarchy = false</literal>,
832 and will default to the <quote>systemd</quote> cgroup driver
833 when using <literal>services.k3s.docker = true</literal>. This
834 change may require a reboot to take effect, and k3s may not be
835 able to run if the boot cgroup hierarchy does not match its
836 configuration. The previous behavior may be retained by
837 explicitly setting
838 <literal>systemd.enableUnifiedCgroupHierarchy = false</literal>
839 in your configuration.
840 </para>
841 </listitem>
842 <listitem>
843 <para>
844 <literal>fonts.fonts</literal> no longer includes ancient
845 bitmap fonts when both
846 <literal>config.services.xserver.enable</literal> and
847 <literal>config.nixpkgs.config.allowUnfree</literal> are
848 enabled. If you still want these fonts, use:
849 </para>
 <programlisting language="bash">
{
  fonts.fonts = [
    pkgs.xorg.fontbhlucidatypewriter100dpi
    pkgs.xorg.fontbhlucidatypewriter75dpi
    pkgs.xorg.fontbh100dpi
  ];
}
</programlisting>
859 </listitem>
860 <listitem>
861 <para>
862 <literal>services.prometheus.alertManagerTimeout</literal> has
863 been removed as it has been deprecated upstream and has no
864 effect.
865 </para>
866 </listitem>
867 <listitem>
868 <para>
869 The DHCP server (<literal>services.dhcpd4</literal>,
 <literal>services.dhcpd6</literal>) has been hardened. The
 service now uses systemd’s
 <literal>DynamicUser</literal> mechanism to run as an
 unprivileged dynamically-allocated user with limited
 capabilities. The dhcpd state files are now always stored in
 <literal>/var/lib/dhcpd{4,6}</literal> and the
 <literal>services.dhcpd4.stateDir</literal> and
 <literal>services.dhcpd6.stateDir</literal> options have been
878 removed. If you were depending on root privileges or
879 set{uid,gid,cap} binaries in dhcpd shell hooks, you may give
880 dhcpd more capabilities with e.g.
881 <literal>systemd.services.dhcpd6.serviceConfig.AmbientCapabilities</literal>.
882 </para>
883 </listitem>
884 <listitem>
885 <para>
886 The <literal>mailpile</literal> email webclient
887 (<literal>services.mailpile</literal>) has been removed due to
888 its reliance on python2.
889 </para>
890 </listitem>
891 <listitem>
892 <para>
893 <literal>services.ipfs.extraFlags</literal> is now escaped
894 with <literal>utils.escapeSystemdExecArgs</literal>. If you
895 rely on systemd interpolating <literal>extraFlags</literal> in
896 the service <literal>ExecStart</literal>, this will no longer
897 work.
898 </para>
899 </listitem>
900 <listitem>
901 <para>
902 <literal>hbase</literal> version 0.98.24 has been removed. The
903 package now defaults to version 2.4.11. Versions 1.7.1 and
904 3.0.0-alpha-2 are also available.
905 </para>
906 </listitem>
907 <listitem>
908 <para>
909 <literal>services.paperless-ng</literal> was renamed to
910 <literal>services.paperless</literal>. Accordingly, the
911 <literal>paperless-ng-manage</literal> script (located in
912 <literal>dataDir</literal>) was renamed to
913 <literal>paperless-manage</literal>.
914 <literal>services.paperless</literal> now uses
915 <literal>paperless-ngx</literal>.
916 </para>
917 </listitem>
918 <listitem>
919 <para>
920 The <literal>matrix-synapse</literal> service
921 (<literal>services.matrix-synapse</literal>) has been
922 converted to use the <literal>settings</literal> option
923 defined in RFC42. This means that options that are part of
924 your <literal>homeserver.yaml</literal> configuration, and
925 that were specified at the top-level of the module
926 (<literal>services.matrix-synapse</literal>) now need to be
927 moved into
928 <literal>services.matrix-synapse.settings</literal>. And while
929 not all options you may use are defined in there, they are
930 still supported, because you can set arbitrary values in this
931 freeform type.
932 </para>
933 <para>
934 The <literal>listeners.*.bind_address</literal> option was
935 renamed to <literal>bind_addresses</literal> in order to match
936 the upstream <literal>homeserver.yaml</literal> option name.
937 It is now also a list of strings instead of a string.
938 </para>
939 <para>
940 An example to make the required migration clearer:
941 </para>
942 <para>
943 Before:
944 </para>
 <programlisting language="bash">
{
  services.matrix-synapse = {
    enable = true;

    server_name = "example.com";
    public_baseurl = "https://example.com:8448";

    enable_registration = false;
    registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut";
    macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l";

    tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
    tls_private_key_path = "/var/lib/acme/example.com/key.pem";

    listeners = [ {
      port = 8448;
      bind_address = "";
      type = "http";
      tls = true;
      resources = [ {
        names = [ "client" ];
        compress = true;
      } {
        names = [ "federation" ];
        compress = false;
      } ];
    } ];

  };
}
</programlisting>
977 <para>
978 After:
979 </para>
 <programlisting language="bash">
{
  services.matrix-synapse = {
    enable = true;

    # this attribute set holds all values that go into your homeserver.yaml configuration
    # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for
    # possible values.
    settings = {
      server_name = "example.com";
      public_baseurl = "https://example.com:8448";

      enable_registration = false;
      # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead

      tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
      tls_private_key_path = "/var/lib/acme/example.com/key.pem";

      listeners = [ {
        port = 8448;
        bind_addresses = [
          "::"
          "0.0.0.0"
        ];
        type = "http";
        tls = true;
        resources = [ {
          names = [ "client" ];
          compress = true;
        } {
          names = [ "federation" ];
          compress = false;
        } ];
      } ];
    };

    extraConfigFiles = [
      "/run/keys/matrix-synapse/secrets.yaml"
    ];
  };
}
</programlisting>
1022 <para>
1023 The secrets in your original config should be migrated into a
1024 YAML file that is included via
1025 <literal>extraConfigFiles</literal>. The filename must be
1026 quoted to prevent nix from copying it to the (world readable)
1027 store.
1028 </para>
1029 <para>
1030 Additionally a few option defaults have been synced up with
1031 upstream default values, for example the
1032 <literal>max_upload_size</literal> grew from
1033 <literal>10M</literal> to <literal>50M</literal>. For the same
1034 reason, the default <literal>media_store_path</literal> was
1035 changed from <literal>${dataDir}/media</literal> to
1036 <literal>${dataDir}/media_store</literal> if
1037 <literal>system.stateVersion</literal> is at least
1038 <literal>22.05</literal>. Files will need to be manually moved
1039 to the new location if the <literal>stateVersion</literal> is
1040 updated.
1041 </para>
1042 <para>
1043 As of Synapse 1.58.0, the old groups/communities feature has
1044 been disabled by default. It will be completely removed with
1045 Synapse 1.61.0.
1046 </para>
1047 </listitem>
1048 <listitem>
1049 <para>
1050 The Keycloak package (<literal>pkgs.keycloak</literal>) has
1051 been switched from the Wildfly version, which will soon be
1052 deprecated, to the Quarkus based version. The Keycloak service
1053 (<literal>services.keycloak</literal>) has been updated to
1054 accommodate the change and now differs from the previous
1055 version in a few ways:
1056 </para>
1057 <itemizedlist>
1058 <listitem>
1059 <para>
1060 <literal>services.keycloak.extraConfig</literal> has been
1061 removed in favor of the new
1062 <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">settings-style</link>
1063 <link linkend="opt-services.keycloak.settings"><literal>services.keycloak.settings</literal></link>
1064 option. The available options correspond directly to
1065 parameters in <literal>conf/keycloak.conf</literal>. Some
1066 of the most important parameters are documented as
1067 suboptions, the rest can be found in the
1068 <link xlink:href="https://www.keycloak.org/server/all-config">All
1069 configuration section of the Keycloak Server Installation
1070 and Configuration Guide</link>. While the new
1071 configuration is much simpler and cleaner than the old
 JBoss CLI one, this unfortunately means that there’s no
1073 straightforward way to convert an old configuration to the
1074 new format and some settings may not even be available
1075 anymore.
1076 </para>
1077 </listitem>
1078 <listitem>
1079 <para>
1080 <literal>services.keycloak.frontendUrl</literal> was
1081 removed and the frontend URL is now configured through the
1082 <literal>hostname</literal> family of settings in
1083 <link linkend="opt-services.keycloak.settings"><literal>services.keycloak.settings</literal></link>
1084 instead. See the
1085 <link xlink:href="https://www.keycloak.org/server/hostname">Hostname
1086 section of the Keycloak Server Installation and
1087 Configuration Guide</link> for more details. Additionally,
1088 <literal>/auth</literal> was removed from the default
1089 context path and needs to be added back in
1090 <link linkend="opt-services.keycloak.settings.http-relative-path"><literal>services.keycloak.settings.http-relative-path</literal></link>
1091 if you want to keep compatibility with your current
1092 clients.
1093 </para>
1094 </listitem>
1095 <listitem>
1096 <para>
1097 <literal>services.keycloak.bindAddress</literal>,
1098 <literal>services.keycloak.forceBackendUrlToFrontendUrl</literal>,
1099 <literal>services.keycloak.httpPort</literal> and
1100 <literal>services.keycloak.httpsPort</literal> have been
1101 removed in favor of their equivalent options in
1102 <link linkend="opt-services.keycloak.settings"><literal>services.keycloak.settings</literal></link>.
1103 <literal>httpPort</literal> and
1104 <literal>httpsPort</literal> have additionally had their
1105 types changed from <literal>str</literal> to
1106 <literal>port</literal>.
1107 </para>
1108 <para>
1109 The new names are as follows:
1110 </para>
1111 <itemizedlist spacing="compact">
1112 <listitem>
1113 <para>
1114 <literal>bindAddress</literal>:
1115 <link linkend="opt-services.keycloak.settings.http-host"><literal>services.keycloak.settings.http-host</literal></link>
1116 </para>
1117 </listitem>
1118 <listitem>
1119 <para>
1120 <literal>forceBackendUrlToFrontendUrl</literal>:
1121 <link linkend="opt-services.keycloak.settings.hostname-strict-backchannel"><literal>services.keycloak.settings.hostname-strict-backchannel</literal></link>
1122 </para>
1123 </listitem>
1124 <listitem>
1125 <para>
1126 <literal>httpPort</literal>:
1127 <link linkend="opt-services.keycloak.settings.http-port"><literal>services.keycloak.settings.http-port</literal></link>
1128 </para>
1129 </listitem>
1130 <listitem>
1131 <para>
1132 <literal>httpsPort</literal>:
1133 <link linkend="opt-services.keycloak.settings.https-port"><literal>services.keycloak.settings.https-port</literal></link>
1134 </para>
1135 </listitem>
1136 </itemizedlist>
1137 </listitem>
1138 </itemizedlist>
1139 <para>
1140 For example, when using a reverse proxy the migration could
1141 look like this:
1142 </para>
1143 <para>
1144 Before:
1145 </para>
 <programlisting language="bash">
  services.keycloak = {
    enable = true;
    httpPort = "8080";
    frontendUrl = "https://keycloak.example.com/auth";
    database.passwordFile = "/run/keys/db_password";
    extraConfig = {
      "subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true;
    };
  };
</programlisting>
1157 <para>
1158 After:
1159 </para>
 <programlisting language="bash">
  services.keycloak = {
    enable = true;
    settings = {
      http-port = 8080;
      hostname = "keycloak.example.com";
      http-relative-path = "/auth";
      proxy = "edge";
    };
    database.passwordFile = "/run/keys/db_password";
  };
</programlisting>
1172 </listitem>
1173 <listitem>
1174 <para>
1175 The MoinMoin wiki engine
1176 (<literal>services.moinmoin</literal>) has been removed,
1177 because Python 2 is being retired from nixpkgs.
1178 </para>
1179 </listitem>
1180 <listitem>
1181 <para>
1182 Services in the <literal>hadoop</literal> module previously
1183 set <literal>openFirewall</literal> to true by default. This
 has now been changed to false. Node definitions for multi-node
 clusters need <literal>openFirewall = true;</literal> to
 be added to hadoop services when upgrading from NixOS
 21.11.
1188 </para>
1189 </listitem>
1190 <listitem>
1191 <para>
1192 <literal>services.hadoop.yarn.nodemanager</literal> now uses
1193 cgroup-based CPU limit enforcement by default. Additionally,
1194 the option <literal>useCGroups</literal> was added to
1195 nodemanagers as an easy way to switch back to the old
1196 behavior.
1197 </para>
1198 </listitem>
1199 <listitem>
1200 <para>
1201 The <literal>wafHook</literal> hook now honors
1202 <literal>NIX_BUILD_CORES</literal> when
1203 <literal>enableParallelBuilding</literal> is not set
1204 explicitly. Packages can restore the old behaviour by setting
1205 <literal>enableParallelBuilding=false</literal>.
1206 </para>
1207 </listitem>
1208 <listitem>
1209 <para>
1210 <literal>pkgs.claws-mail-gtk2</literal>, representing Claws
1211 Mail’s older release version three, was removed in order to
1212 get rid of Python 2. Please switch to
1213 <literal>claws-mail</literal>, which is Claws Mail’s latest
1214 release based on GTK+3 and Python 3.
1215 </para>
1216 </listitem>
1217 <listitem>
1218 <para>
1219 The <literal>writers.writePython2</literal> and corresponding
1220 <literal>writers.writePython2Bin</literal> convenience
1221 functions to create executable Python 2 scripts in the store
1222 were removed in preparation of removal of the Python 2
1223 interpreter. Scripts have to be converted to Python 3 for use
1224 with <literal>writers.writePython3</literal> or
1225 <literal>writers.writePyPy2</literal> needs to be used.
1226 </para>
1227 </listitem>
1228 <listitem>
1229 <para>
 <literal>buildGoModule</literal> was updated to use
 <literal>go_1_17</literal>. Third-party derivations that
 specify &gt;= go 1.17 in the main <literal>go.mod</literal>
 will need to regenerate their <literal>vendorSha256</literal>
 hash.
1235 </para>
1236 </listitem>
1237 <listitem>
1238 <para>
 The <literal>gnome-passwordsafe</literal> package was updated to
 <link xlink:href="https://gitlab.gnome.org/World/secrets/-/tags/6.0">version
 6.x</link> and renamed to <literal>gnome-secrets</literal>.
1242 </para>
1243 </listitem>
1244 <listitem>
1245 <para>
1246 <literal>services.gnome.experimental-features.realtime-scheduling</literal>
1247 option has been removed, as GNOME Shell now
1248 <link xlink:href="https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2060">uses
1249 rtkit</link>. Use
1250 <literal>security.rtkit.enable = true;</literal> instead. As
1251 before, you will need to have it enabled using GSettings.
1252 </para>
1253 </listitem>
1254 <listitem>
1255 <para>
 <literal>services.telepathy</literal> will no longer be
 enabled by default for GNOME desktops. Enable it in
 your configuration if you use Empathy or Polari.
1259 </para>
1260 </listitem>
1261 <listitem>
1262 <para>
1263 If you previously used
1264 <literal>/etc/docker/daemon.json</literal>, you need to
1265 incorporate the changes into the new option
1266 <literal>virtualisation.docker.daemon.settings</literal>.
1267 </para>
1268 </listitem>
1269 <listitem>
1270 <para>
1271 Ntopng (<literal>services.ntopng</literal>) is updated to
1272 5.2.1 and uses a separate Redis instance if
1273 <literal>system.stateVersion</literal> is at least
1274 <literal>22.05</literal>. Existing setups shouldn’t be
1275 affected.
1276 </para>
1277 </listitem>
1278 <listitem>
1279 <para>
1280 The backward compatibility in
1281 <literal>services.wordpress</literal> to configure sites with
1282 the old interface has been removed. Please use
1283 <literal>services.wordpress.sites</literal> instead.
1284 </para>
1285 </listitem>
1286 <listitem>
1287 <para>
1288 The backward compatibility in
1289 <literal>services.dokuwiki</literal> to configure sites with
1290 the old interface has been removed. Please use
1291 <literal>services.dokuwiki.sites</literal> instead.
1292 </para>
1293 </listitem>
1294 <listitem>
1295 <para>
 opensmtpd-extras is no longer built with python2 scripting
 support due to the python2 deprecation in nixpkgs.
1298 </para>
1299 </listitem>
1300 <listitem>
1301 <para>
1302 <literal>services.miniflux.adminCredentialFiles</literal> is
1303 now required, instead of defaulting to
1304 <literal>admin</literal> and <literal>password</literal>.
1305 </para>
1306 </listitem>
1307 <listitem>
1308 <para>
1309 The <literal>taskserver</literal> module no longer implicitly
1310 opens ports in the firewall configuration. This is now
1311 controlled through the option
1312 <literal>services.taskserver.openFirewall</literal>.
1313 </para>
1314 </listitem>
1315 <listitem>
1316 <para>
 The <literal>autorestic</literal> package has been upgraded
 from 1.3.0 to 1.5.0, which introduces breaking changes in the
 config file. Check
 <link xlink:href="https://autorestic.vercel.app/migration/1.4_1.5">their
 migration guide</link> for more details.
1322 </para>
1323 </listitem>
1324 <listitem>
1325 <para>
1326 <literal>teleport</literal> has been upgraded to major version
1327 9. Please see upstream
1328 <link xlink:href="https://goteleport.com/docs/setup/operations/upgrading/">upgrade
1329 instructions</link> and
1330 <link xlink:href="https://goteleport.com/docs/changelog/#900">release
1331 notes</link>.
1332 </para>
1333 </listitem>
1334 <listitem>
1335 <para>
1336 For <literal>pkgs.python3.pkgs.ipython</literal>, its direct
1337 dependency
1338 <literal>pkgs.python3.pkgs.matplotlib-inline</literal> (which
1339 is really an adapter to integrate matplotlib in ipython if it
1340 is installed) does not depend on
1341 <literal>pkgs.python3.pkgs.matplotlib</literal> anymore. This
1342 is closer to a non-Nix install of ipython. This has the added
1343 benefit to reduce the closure size of
1344 <literal>ipython</literal> from ~400MB to ~160MB (including
1345 ~100MB for python itself).
1346 </para>
1347 </listitem>
1348 <listitem>
1349 <para>
1350 <literal>documentation.man</literal> has been refactored to
1351 support choosing a man implementation other than GNU’s
1352 <literal>man-db</literal>. For this,
1353 <literal>documentation.man.manualPages</literal> has been
1354 renamed to
1355 <literal>documentation.man.man-db.manualPages</literal>. If
1356 you want to use the new alternative man implementation
1357 <literal>mandoc</literal>, add
1358 <literal>documentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; }</literal>
1359 to your configuration.
1360 </para>
1361 </listitem>
1362 <listitem>
1363 <para>
1364 Normal users (with <literal>isNormalUser = true</literal>)
1365 which have non-empty <literal>subUidRanges</literal> or
1366 <literal>subGidRanges</literal> set no longer have additional
 implicit ranges allocated. To re-enable automatic allocation,
 set <literal>autoSubUidGidRange = true</literal>.
1369 </para>
1370 </listitem>
1371 <listitem>
1372 <para>
1373 <literal>idris2</literal> now requires
1374 <literal>--package</literal> when using packages
1375 <literal>contrib</literal> and <literal>network</literal>,
1376 while previously these idris2 packages were automatically
1377 loaded.
1378 </para>
1379 </listitem>
1380 <listitem>
1381 <para>
1382 The iputils package, which is installed by default, no longer
1383 provides the legacy tools <literal>tftpd</literal> and
1384 <literal>traceroute6</literal>. More tools
1385 (<literal>ninfod</literal>, <literal>rarpd</literal>, and
1386 <literal>rdisc</literal>) are going to be removed in the next
1387 release. See
1388 <link xlink:href="https://github.com/iputils/iputils/releases/tag/20211215">upstream’s
1389 release notes</link> for more details and available
1390 replacements.
1391 </para>
1392 </listitem>
1393 <listitem>
1394 <para>
1395 <literal>services.thelounge.private</literal> was removed in
 favor of <literal>services.thelounge.public</literal>, to
 follow upstream changes.
1398 </para>
1399 </listitem>
1400 <listitem>
1401 <para>
 <literal>pkgs.docbookrx</literal> was removed since it’s
 unmaintained.
1404 </para>
1405 </listitem>
1406 <listitem>
1407 <para>
 <literal>pkgs._7zz</literal> is now correctly licensed as
 LGPL3+ and BSD3 with optional unfree unRAR licensed code.
1410 </para>
1411 </listitem>
1412 <listitem>
1413 <para>
1414 The <literal>vim.customize</literal> function produced by
1415 <literal>vimUtils.makeCustomizable</literal> now has a
1416 slightly different interface:
1417 </para>
1418 <itemizedlist spacing="compact">
1419 <listitem>
1420 <para>
1421 The wrapper now includes everything in the given Vim
1422 derivation if <literal>name</literal> is
1423 <literal>"vim"</literal> (the default). This
1424 makes the <literal>wrapManual</literal> argument obsolete,
 but this behavior can be overridden by setting the
1426 <literal>standalone</literal> argument.
1427 </para>
1428 </listitem>
1429 <listitem>
1430 <para>
1431 All the executables present in the given derivation (or,
1432 in <literal>standalone</literal> mode, only the
1433 <literal>*vim</literal> ones) are wrapped. This makes the
1434 <literal>wrapGui</literal> argument obsolete.
1435 </para>
1436 </listitem>
1437 <listitem>
1438 <para>
1439 The <literal>vimExecutableName</literal> and
1440 <literal>gvimExecutableName</literal> arguments were
1441 replaced by a single <literal>executableName</literal>
1442 argument in which the shell variable
1443 <literal>$exe</literal> can be used to refer to the
1444 wrapped executable’s name.
1445 </para>
1446 </listitem>
1447 </itemizedlist>
1448 <para>
1449 See the comments in
1450 <literal>pkgs/applications/editors/vim/plugins/vim-utils.nix</literal>
1451 for more details.
1452 </para>
1453 <para>
1454 <literal>vimUtils.vimWithRC</literal> was removed. You should
1455 instead use <literal>customize</literal> on a Vim derivation,
1456 which now accepts <literal>vimrcFile</literal> and
1457 <literal>gvimrcFile</literal> arguments.
1458 </para>
1459 </listitem>
1460 <listitem>
1461 <para>
 <literal>tilp2</literal> was removed together with its module.
1463 </para>
1464 </listitem>
1465 <listitem>
1466 <para>
1467 The F-PROT antivirus (<literal>fprot</literal> package) and
1468 its service module were removed because it reached
1469 <link xlink:href="https://kb.cyren.com/av-support/index.php?/Knowledgebase/Article/View/434/0/end-of-sale--end-of-life-for-f-prot-and-csam">end-of-life</link>.
1470 </para>
1471 </listitem>
1472 <listitem>
1473 <para>
1474 <literal>bird1</literal> and its modules
1475 <literal>services.bird</literal> as well as
1476 <literal>services.bird6</literal> have been removed. Upgrade
1477 to <literal>services.bird2</literal>.
1478 </para>
1479 </listitem>
1480 <listitem>
1481 <para>
1482 The options
 <literal>networking.interfaces.&lt;name&gt;.ipv4.routes</literal>
 and
 <literal>networking.interfaces.&lt;name&gt;.ipv6.routes</literal>
1486 are no longer ignored when using networkd instead of the
1487 default scripted network backend by setting
1488 <literal>networking.useNetworkd</literal> to
1489 <literal>true</literal>.
1490 </para>
1491 </listitem>
1492 <listitem>
1493 <para>
1494 The <literal>miller</literal> package has been upgraded from
1495 5.10.3 to
1496 <link xlink:href="https://github.com/johnkerl/miller/releases/tag/v6.2.0">6.2.0</link>.
1497 See
1498 <link xlink:href="https://miller.readthedocs.io/en/latest/new-in-miller-6">What’s
1499 new in Miller 6</link>.
1500 </para>
1501 </listitem>
1502 <listitem>
1503 <para>
1504 MultiMC has been replaced with the fork PrismLauncher due to
1505 upstream developers being hostile to 3rd party package
1506 maintainers. PrismLauncher removes all MultiMC branding and is
1507 aimed at providing proper 3rd party packages like the one
1508 contained in Nixpkgs. This change affects the data folder
1509 where game instances and other save and configuration files
1510 are stored. Users with existing installations should rename
1511 <literal>~/.local/share/multimc</literal> to
1512 <literal>~/.local/share/PrismLauncher</literal>. The main
1513 config file’s path has also moved from
1514 <literal>~/.local/share/multimc/multimc.cfg</literal> to
1515 <literal>~/.local/share/PrismLauncher/prismlauncher.cfg</literal>.
1516 </para>
1517 </listitem>
1518 <listitem>
1519 <para>
1520 <literal>systemd-nspawn@.service</literal> settings have been
1521 reverted to the default systemd behaviour. User namespaces are
 now activated by default. If you want to keep running nspawn
 containers without user namespaces, you need to set
 <literal>systemd.nspawn.&lt;name&gt;.execConfig.PrivateUsers = false</literal>.
1525 </para>
1526 </listitem>
1527 <listitem>
1528 <para>
1529 <literal>systemd-shutdown</literal> is now properly linked on
1530 shutdown to unmount all filesystems and device mapper devices
1531 cleanly. This can be disabled using
1532 <literal>systemd.shutdownRamfs.enable</literal>.
1533 </para>
1534 </listitem>
1535 <listitem>
1536 <para>
1537 The Tor SOCKS proxy is now actually disabled if
1538 <literal>services.tor.client.enable</literal> is set to
1539 <literal>false</literal> (the default). If you are using this
1540 functionality but didn’t change the setting or set it to
1541 <literal>false</literal>, you now need to set it to
1542 <literal>true</literal>.
1543 </para>
1544 </listitem>
1545 <listitem>
1546 <para>
1547 <literal>services.github-runner</literal> has been hardened.
1548 Notably address families and system calls have been
1549 restricted, which may adversely affect some kinds of testing,
1550 e.g. using <literal>AF_BLUETOOTH</literal> to test bluetooth
1551 devices.
1552 </para>
1553 </listitem>
1554 <listitem>
1555 <para>
1556 The terraform 0.12 compatibility has been removed and the
1557 <literal>terraform.withPlugins</literal> and
1558 <literal>terraform-providers.mkProvider</literal>
1559 implementations simplified. Providers now need to be stored
1560 under
 <literal>$out/libexec/terraform-providers/&lt;registry&gt;/&lt;owner&gt;/&lt;name&gt;/&lt;version&gt;/&lt;os&gt;_&lt;arch&gt;/terraform-provider-&lt;name&gt;_v&lt;version&gt;</literal>
1562 (which mkProvider does).
1563 </para>
1564 <para>
1565 This breaks back-compat so it’s not possible to mix-and-match
1566 with previous versions of nixpkgs. In exchange, it now becomes
1567 possible to use the providers from
1568 <link xlink:href="https://github.com/numtide/nixpkgs-terraform-providers-bin">nixpkgs-terraform-providers-bin</link>
1569 directly.
1570 </para>
1571 </listitem>
1572 <listitem>
1573 <para>
1574 The <literal>dendrite</literal> package has been upgraded from
1575 0.5.1 to
1576 <link xlink:href="https://github.com/matrix-org/dendrite/releases/tag/v0.6.5">0.6.5</link>.
1577 Instances configured with split sqlite databases, which has
1578 been the default in NixOS, require merging of the federation
1579 sender and signing key databases. See upstream
1580 <link xlink:href="https://github.com/matrix-org/dendrite/releases/tag/v0.6.0">release
1581 notes</link> on version 0.6.0 for details on database changes.
1582 </para>
1583 </listitem>
1584 <listitem>
1585 <para>
1586 The existing <literal>pkgs.opentelemetry-collector</literal>
1587 has been moved to
1588 <literal>pkgs.opentelemetry-collector-contrib</literal> to
1589 match the actual source being the <quote>contrib</quote>
1590 edition. <literal>pkgs.opentelemetry-collector</literal> is
1591 now the actual core release of opentelemetry-collector. If you
1592 use the community contributions you should change the package
1593 you refer to. If you don’t need them update your commands from
1594 <literal>otelcontribcol</literal> to
1595 <literal>otelcorecol</literal> and enjoy a 7x smaller binary.
1596 </para>
1597 </listitem>
1598 <listitem>
1599 <para>
1600 <literal>services.zookeeper</literal> has a new option
1601 <literal>jre</literal> for specifying the JRE to start
1602 zookeeper with. It defaults to the JRE that
1603 <literal>pkgs.zookeeper</literal> was wrapped with, instead of
1604 <literal>pkgs.jre</literal>. This changes the JRE to
1605 <literal>pkgs.jdk11_headless</literal> by default.
1606 </para>
1607 </listitem>
1608 <listitem>
1609 <para>
1610 <literal>pkgs.pgadmin</literal> now refers to
1611 <literal>pkgs.pgadmin4</literal>. <literal>pgadmin3</literal>
1612 has been removed.
1613 </para>
1614 </listitem>
1615 <listitem>
1616 <para>
1617 <literal>pkgs.minetestclient_4</literal> and
1618 <literal>pkgs.minetestserver_4</literal> have been removed, as
1619 the last 4.x release was in 2018.
 <literal>pkgs.minetestclient</literal> (equivalent to
 <literal>pkgs.minetest</literal>) and
 <literal>pkgs.minetestserver</literal> can be used instead.
1623 </para>
1624 </listitem>
1625 <listitem>
1626 <para>
1627 <literal>pkgs.noto-fonts-cjk</literal> is now deprecated in
1628 favor of <literal>pkgs.noto-fonts-cjk-sans</literal> and
1629 <literal>pkgs.noto-fonts-cjk-serif</literal> because they each
1630 have different release schedules. To maintain compatibility
1631 with prior releases of Nixpkgs,
1632 <literal>pkgs.noto-fonts-cjk</literal> is currently an alias
1633 of <literal>pkgs.noto-fonts-cjk-sans</literal> and doesn’t
1634 include serif fonts.
1635 </para>
1636 </listitem>
1637 <listitem>
1638 <para>
1639 <literal>pkgs.epgstation</literal> has been upgraded from v1
1640 to v2, resulting in incompatible changes in the database
1641 scheme and configuration format.
1642 </para>
1643 </listitem>
1644 <listitem>
1645 <para>
 Some top-level settings under
 <link linkend="opt-services.epgstation.enable">services.epgstation</link>
 are now deprecated because they were redundant: the same
 options are present in
 <link linkend="opt-services.epgstation.settings">services.epgstation.settings</link>.
1651 </para>
1652 </listitem>
1653 <listitem>
1654 <para>
1655 The option <literal>services.epgstation.basicAuth</literal>
1656 was removed because basic authentication support was dropped
1657 by upstream.
1658 </para>
1659 </listitem>
1660 <listitem>
1661 <para>
1662 The option
1663 <link linkend="opt-services.epgstation.database.passwordFile">services.epgstation.database.passwordFile</link>
1664 no longer has a default value. Make sure to set this option
1665 explicitly before upgrading. Change the database password if
1666 necessary.
1667 </para>
1668 </listitem>
1669 <listitem>
1670 <para>
1671 The
1672 <link linkend="opt-services.epgstation.settings">services.epgstation.settings</link>
1673 option now expects options for <literal>config.yml</literal>
1674 in EPGStation v2.
1675 </para>
1676 </listitem>
1677 <listitem>
1678 <para>
1679 Existing data for the
1680 <link linkend="opt-services.epgstation.enable">services.epgstation</link>
 module has to be backed up prior to the upgrade. To
 back up existing data to
 <literal>/tmp/epgstation.bak</literal>, run
 <literal>sudo -u epgstation epgstation run backup /tmp/epgstation.bak</literal>.
 To import that data after the upgrade, run
 <literal>sudo -u epgstation epgstation run v1migrate /tmp/epgstation.bak</literal>.
1687 </para>
1688 </listitem>
1689 <listitem>
1690 <para>
 <literal>switch-to-configuration</literal> (the script that is
 run when running <literal>nixos-rebuild switch</literal> for
 example) has been reworked:
1694 </para>
1695 <itemizedlist spacing="compact">
1696 <listitem>
1697 <para>
1698 The interface that allows activation scripts to restart
1699 units has been streamlined. Restarting and reloading is
1700 now done by a single file
1701 <literal>/run/nixos/activation-restart-list</literal> that
1702 honors <literal>restartIfChanged</literal> and
1703 <literal>reloadIfChanged</literal> of the units.
1704 </para>
1705 <itemizedlist spacing="compact">
1706 <listitem>
1707 <para>
1708 Preferring to reload instead of restarting can still
1709 be achieved using
1710 <literal>/run/nixos/activation-reload-list</literal>.
1711 </para>
1712 </listitem>
1713 </itemizedlist>
1714 </listitem>
1715 <listitem>
1716 <para>
1717 The script now uses a proper ini-file parser to parse
1718 systemd units. Some values are now only searched in one
1719 section instead of in the entire unit. This is only
 relevant for units that don’t use the NixOS systemd module.
1721 </para>
1722 <itemizedlist spacing="compact">
1723 <listitem>
1724 <para>
1725 <literal>RefuseManualStop</literal>,
1726 <literal>X-OnlyManualStart</literal>,
1727 <literal>X-StopOnRemoval</literal>,
1728 <literal>X-StopOnReconfiguration</literal> are only
1729 searched in the <literal>[Unit]</literal> section
1730 </para>
1731 </listitem>
1732 <listitem>
1733 <para>
1734 <literal>X-ReloadIfChanged</literal>,
1735 <literal>X-RestartIfChanged</literal>,
1736 <literal>X-StopIfChanged</literal> are only searched
1737 in the <literal>[Service]</literal> section
1738 </para>
1739 </listitem>
1740 </itemizedlist>
1741 </listitem>
1742 </itemizedlist>
1743 </listitem>
1744 <listitem>
1745 <para>
1746 The <literal>services.bookstack.cacheDir</literal> option has
1747 been removed, since the cache directory is now handled by
1748 systemd.
1749 </para>
1750 </listitem>
1751 <listitem>
1752 <para>
1753 The <literal>services.bookstack.extraConfig</literal> option
1754 has been replaced by
1755 <literal>services.bookstack.config</literal> which implements
1756 a
1757 <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">settings-style</link>
1758 configuration.
1759 </para>
1760 </listitem>
1761 <listitem>
1762 <para>
1763 <literal>lib.assertMsg</literal> and
1764 <literal>lib.assertOneOf</literal> no longer return
1765 <literal>false</literal> if the passed condition is
1766 <literal>false</literal>, <literal>throw</literal>ing the
1767 given error message instead (which makes the resulting error
1768 message less cluttered). This will not impact the behaviour of
1769 code using these functions as intended, namely as top-level
1770 wrapper for <literal>assert</literal> conditions.
1771 </para>
1772 </listitem>
1773 <listitem>
1774 <para>
1775 The <literal>vpnc</literal> package has been changed to use
1776 GnuTLS instead of OpenSSL by default for licensing reasons.
1777 </para>
1778 </listitem>
1779 <listitem>
1780 <para>
1781 The default version of <literal>nextcloud</literal> is
1782 <emphasis role="strong">nextcloud24</emphasis>. Please note
1783 that it’s <emphasis role="strong">not</emphasis> possible to
1784 upgrade <literal>nextcloud</literal> across multiple major
1785 versions! This means it’s e.g. not possible to upgrade from
1786 <literal>nextcloud22</literal> to
1787 <literal>nextcloud24</literal> in a single deploy and most
1788 <literal>21.11</literal> users will have to upgrade to
1789 <literal>nextcloud23</literal> first.
1790 </para>
1791 </listitem>
1792 <listitem>
1793 <para>
1794 <literal>pkgs.vimPlugins.onedark-nvim</literal> now refers to
1795 <link xlink:href="https://github.com/navarasu/onedark.nvim">navarasu/onedark.nvim</link>
 (formerly referred to
1797 <link xlink:href="https://github.com/olimorris/onedarkpro.nvim">olimorris/onedarkpro.nvim</link>).
1798 </para>
1799 </listitem>
1800 <listitem>
1801 <para>
1802 <literal>services.pipewire.enable</literal> will default to
1803 enabling the WirePlumber session manager instead of
1804 pipewire-media-session. pipewire-media-session is deprecated
1805 by upstream and not recommended, but can still be manually
1806 enabled by setting
1807 <literal>services.pipewire.media-session.enable</literal> to
1808 <literal>true</literal> and
1809 <literal>services.pipewire.wireplumber.enable</literal> to
1810 <literal>false</literal>.
1811 </para>
1812 </listitem>
1813 <listitem>
1814 <para>
1815 <literal>pkgs.makeDesktopItem</literal> has been refactored to
1816 provide a more idiomatic API. Specifically:
1817 </para>
1818 <itemizedlist spacing="compact">
1819 <listitem>
1820 <para>
1821 All valid options as of FDO Desktop Entry specification
1822 version 1.4 can now be passed in as explicit arguments
1823 </para>
1824 </listitem>
1825 <listitem>
1826 <para>
1827 <literal>exec</literal> can now be null, for entries that
1828 are not of type Application
1829 </para>
1830 </listitem>
1831 <listitem>
1832 <para>
1833 <literal>mimeType</literal> argument is renamed to
1834 <literal>mimeTypes</literal> for consistency
1835 </para>
1836 </listitem>
1837 <listitem>
1838 <para>
1839 <literal>mimeTypes</literal>,
1840 <literal>categories</literal>,
1841 <literal>implements</literal>,
1842 <literal>keywords</literal>, <literal>onlyShowIn</literal>
1843 and <literal>notShowIn</literal> take lists of strings
1844 instead of one string with semicolon separators
1845 </para>
1846 </listitem>
1847 <listitem>
1848 <para>
1849 <literal>extraDesktopEntries</literal> renamed to
1850 <literal>extraConfig</literal> for consistency
1851 </para>
1852 </listitem>
1853 <listitem>
1854 <para>
1855 Actions should now be provided as an attrset
1856 <literal>actions</literal>, the <literal>Actions</literal>
1857 line will be autogenerated.
1858 </para>
1859 </listitem>
1860 <listitem>
1861 <para>
1862 <literal>extraEntries</literal> is removed.
1863 </para>
1864 </listitem>
1865 <listitem>
1866 <para>
1867 Additional validation is added both at eval time and at
1868 build time.
1869 </para>
1870 </listitem>
1871 </itemizedlist>
1872 <para>
1873 See the <literal>vscode</literal> package for a more detailed
1874 example.
1875 </para>
1876 </listitem>
1877 <listitem>
1878 <para>
1879 Existing <literal>resholve*</literal> functions have been
1880 renamed and nested under <literal>pkgs.resholve</literal>.
1881 Update uses to:
1882 </para>
1883 <itemizedlist spacing="compact">
1884 <listitem>
1885 <para>
1886 <literal>resholvePackage</literal> ->
1887 <literal>resholve.mkDerivation</literal>
1888 </para>
1889 </listitem>
1890 <listitem>
1891 <para>
1892 <literal>resholveScript</literal> ->
1893 <literal>resholve.writeScript</literal>
1894 </para>
1895 </listitem>
1896 <listitem>
1897 <para>
1898 <literal>resholveScriptBin</literal> ->
1899 <literal>resholve.writeScriptBin</literal>
1900 </para>
1901 </listitem>
1902 </itemizedlist>
1903 </listitem>
1904 <listitem>
1905 <para>
1906 <literal>pkgs.cosmopolitan</literal> no longer provides the
1907 <literal>cosmoc</literal> command. It has been moved to
1908 <literal>pkgs.cosmoc</literal>.
1909 </para>
1910 </listitem>
1911 <listitem>
1912 <para>
1913 <literal>pkgs.graalvmXX-ce</literal> packages no longer
 provide support for Python/Ruby/WASM, instead focusing only on
1915 Java and Native Image Support. If you need to add support
1916 back, please see the
1917 <literal>pkgs.graalvmCEPackages.mkGraal</literal> function to
1918 create your own customized version of GraalVM with support for
1919 what you need.
1920 </para>
1921 </listitem>
1922 </itemizedlist>
1923 </section>
1924 <section xml:id="sec-release-22.05-notable-changes">
1925 <title>Other Notable Changes</title>
1926 <itemizedlist>
1927 <listitem>
1928 <para>
1929 The option
1930 <link linkend="opt-services.redis.servers">services.redis.servers</link>
1931 was added to support per-application
1932 <literal>redis-server</literal> which is more secure since
1933 Redis databases are only mere key prefixes without any
1934 configuration or ACL of their own. Backward-compatibility is
1935 preserved by mapping old
1936 <literal>services.redis.settings</literal> to
1937 <literal>services.redis.servers."".settings</literal>,
1938 but you are strongly encouraged to name each
1939 <literal>redis-server</literal> instance after the application
1940 using it, instead of keeping that nameless one. Except for the
1941 nameless
1942 <literal>services.redis.servers.""</literal> still
1943 accessible at <literal>127.0.0.1:6379</literal>, and to the
1944 members of the Unix group <literal>redis</literal> through the
1945 Unix socket <literal>/run/redis/redis.sock</literal>, all
1946 other <literal>services.redis.servers.${serverName}</literal>
1947 are only accessible by default to the members of the Unix
1948 group <literal>redis-${serverName}</literal> through the Unix
1949 socket <literal>/run/redis-${serverName}/redis.sock</literal>.
1950 </para>
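 <para>
 The per-application layout described above, as an added example
 that is not part of the original release notes. The application
 name <literal>myapp</literal>, its user and group, and the
 <literal>REDIS_URL</literal> environment variable are assumptions
 made for illustration.
 </para>

```nix
{ config, ... }:
let
  # "myapp" is a hypothetical application; every name derived from it
  # (redis-myapp group, redis-myapp.service, /run/redis-myapp/redis.sock)
  # follows the naming scheme described in the release note above.
  redis = config.services.redis.servers.myapp;
in
{
  # Dedicated redis-server for this one application, instead of sharing
  # the nameless instance on 127.0.0.1:6379 with every other service.
  services.redis.servers.myapp = {
    enable = true;
    # No TCP listener: the instance is reachable only through its Unix
    # socket, so access is decided by Unix group membership.
    port = 0;
  };

  # The application's own account (assumed names).
  users.groups.myapp = { };
  users.users.myapp = {
    isSystemUser = true;
    group = "myapp";
    # Only members of redis-myapp can open /run/redis-myapp/redis.sock.
    extraGroups = [ "redis-myapp" ];
  };

  # Hypothetical application unit; it is assumed to read its Redis
  # endpoint from REDIS_URL.
  systemd.services.myapp = {
    after = [ "redis-myapp.service" ];
    requires = [ "redis-myapp.service" ];
    environment.REDIS_URL = "unix://${redis.unixSocket}";
    serviceConfig.User = "myapp";
  };
}
```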
1951 </listitem>
1952 <listitem>
1953 <para>
1954 The option
1955 <link linkend="opt-virtualisation.vmVariant">virtualisation.vmVariant</link>
1956 was added to allow users to make changes to the
1957 <literal>nixos-rebuild build-vm</literal> configuration that
1958 do not apply to their normal system.
1959 </para>
1960 <para>
1961 The <literal>config.system.build.vm</literal> attribute now
1962 always exists and defaults to the value from
1963 <literal>vmVariant</literal>. Configurations that import the
1964 <literal>virtualisation/qemu-vm.nix</literal> module
1965 themselves will override this value, such that
1966 <literal>vmVariant</literal> is not used.
1967 </para>
1968 <para>
1969 Similarly
 <link linkend="opt-virtualisation.vmVariantWithBootLoader">virtualisation.vmVariantWithBootLoader</link>
1971 was added.
1972 </para>
1973 </listitem>
1974 <listitem>
1975 <para>
1976 The configuration portion of the <literal>nix-daemon</literal>
1977 module has been reworked and exposed as
1978 <link xlink:href="options.html#opt-nix-settings">nix.settings</link>:
1979 </para>
1980 <itemizedlist spacing="compact">
1981 <listitem>
1982 <para>
1983 Legacy options have been mapped to the corresponding
 options under
1985 <link xlink:href="options.html#opt-nix.settings">nix.settings</link>
1986 and will be deprecated when NixOS 21.11 reaches end of
1987 life.
1988 </para>
1989 </listitem>
1990 <listitem>
1991 <para>
1992 <link xlink:href="options.html#opt-nix.buildMachines.publicHostKey">nix.buildMachines.publicHostKey</link>
1993 has been added.
1994 </para>
1995 </listitem>
1996 </itemizedlist>
1997 </listitem>
1998 <listitem>
1999 <para>
2000 <link xlink:href="https://kops.sigs.k8s.io"><literal>kops</literal></link>
2001 defaults to 1.23.2, which will enable
2002 <link xlink:href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html">Instance
2003 Metadata Service Version 2</link> and require tokens on new
2004 clusters with Kubernetes >= 1.22. This will increase
2005 security by default, but may break some types of workloads.
2006 The default behaviour for
2007 <literal>spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS</literal>
2008 has changed from <literal>true</literal> to
2009 <literal>false</literal>. Cilium now has
2010 <literal>disable-cnp-status-updates: true</literal> by
2011 default. Set this to false if you rely on the
2012 CiliumNetworkPolicy status fields. Support for Kubernetes
2013 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS
2014 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been
2015 removed. See the
2016 <link xlink:href="https://kops.sigs.k8s.io/releases/1.22-notes/">1.22
2017 release notes</link> and
2018 <link xlink:href="https://kops.sigs.k8s.io/releases/1.23-notes/">1.23
2019 release notes</link> for more details, including other
2020 significant changes.
2021 </para>
2022 </listitem>
2023 <listitem>
2024 <para>
2025 Mattermost has been upgraded to extended support version 6.3
2026 as the previously packaged extended support version 5.37 is
2027 <link xlink:href="https://docs.mattermost.com/upgrade/extended-support-release.html">reaching
2028 end of life</link>. Migration may take some time, see the
2029 <link xlink:href="https://docs.mattermost.com/install/self-managed-changelog.html#release-v6-3-extended-support-release">changelog</link>
2030 and
2031 <link xlink:href="https://docs.mattermost.com/upgrade/important-upgrade-notes.html">important
2032 upgrade notes</link>.
2033 </para>
2034 </listitem>
2035 <listitem>
2036 <para>
2037 The
2038 <literal>writers.writePyPy2</literal>/<literal>writers.writePyPy3</literal>
2039 and corresponding
2040 <literal>writers.writePyPy2Bin</literal>/<literal>writers.writePyPy3Bin</literal>
2041 convenience functions to create executable Python 2/3 scripts
2042 using the PyPy interpreter were added.
2043 </para>
2044 </listitem>
2045 <listitem>
2046 <para>
2047 Some improvements have been made to the
2048 <literal>hadoop</literal> module:
2049 </para>
2050 <itemizedlist spacing="compact">
2051 <listitem>
2052 <para>
2053 A <literal>gatewayRole</literal> option has been added,
2054 for deploying hadoop cluster configuration files to a node
2055 that does not have any active services
2056 </para>
2057 </listitem>
2058 <listitem>
2059 <para>
 Support for older versions of hadoop has been added to
2061 the module
2062 </para>
2063 </listitem>
2064 <listitem>
2065 <para>
2066 Overriding and extending site XML files has been made
2067 easier
2068 </para>
2069 </listitem>
2070 </itemizedlist>
2071 </listitem>
2072 <listitem>
2073 <para>
 The auto-upgrade service now accepts a persistent (default:
2075 true) parameter. By default auto-upgrade will now run
2076 immediately if it would have been triggered at least once
2077 during the time when the timer was inactive.
2078 </para>
2079 </listitem>
2080 <listitem>
2081 <para>
2082 Mastodon now uses <literal>services.redis.servers</literal> to
2083 start a new redis server, instead of using a global redis
2084 server. This improves compatibility with other services that
2085 use redis.
2086 </para>
2087 <para>
2088 Note that this will recreate the redis database, although
2089 according to the
2090 <link xlink:href="https://docs.joinmastodon.org/admin/backups/">Mastodon
2091 docs</link>, this is almost harmless:
2092 </para>
2093 <blockquote>
2094 <para>
2095 Losing the Redis database is almost harmless: The only
2096 irrecoverable data will be the contents of the Sidekiq
2097 queues and scheduled retries of previously failed jobs. The
2098 home and list feeds are stored in Redis, but can be
2099 regenerated with tootctl.
2100 </para>
2101 </blockquote>
2102 <para>
2103 If you do want to save the redis database, you can use the
2104 following commands:
2105 </para>
 <programlisting language="bash">
redis-cli save
cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb"
</programlisting>
2110 </listitem>
2111 <listitem>
2112 <para>
2113 Peertube now uses services.redis.servers to start a new redis
2114 server, instead of using a global redis server. This improves
2115 compatibility with other services that use redis.
2116 </para>
2117 <para>
 The Redis database is used only for storing the cache and job queue.
 More information can be found in the
 <link xlink:href="https://docs.joinpeertube.org/contribute-architecture">Peertube
 architecture</link> documentation.
2122 </para>
2123 <para>
2124 If you do want to save the redis database, you can use the
 following commands before upgrading the OS:
2126 </para>
 <programlisting language="bash">
redis-cli save
sudo mkdir /var/lib/redis-peertube
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
</programlisting>
2132 </listitem>
2133 <listitem>
2134 <para>
2135 Added the <literal>keter</literal> NixOS module. Keter reverse
2136 proxies requests to your loaded application based on virtual
2137 hostnames.
2138 </para>
2139 </listitem>
2140 <listitem>
2141 <para>
2142 If you are using Wayland you can choose to use the Ozone
2143 Wayland support in Chrome and several Electron apps by setting
2144 the environment variable <literal>NIXOS_OZONE_WL=1</literal>
2145 (for example via
2146 <literal>environment.sessionVariables.NIXOS_OZONE_WL = "1"</literal>).
2147 This is not enabled by default because Ozone Wayland is still
2148 under heavy development and behavior is not always flawless.
2149 Furthermore, not all Electron apps use the latest Electron
2150 versions.
2151 </para>
2152 </listitem>
2153 <listitem>
2154 <para>
2155 A new option group
2156 <literal>systemd.network.wait-online</literal> was added, with
2157 options to configure
2158 <literal>systemd-networkd-wait-online.service</literal>:
2159 </para>
2160 <itemizedlist spacing="compact">
2161 <listitem>
2162 <para>
2163 <literal>anyInterface</literal> allows specifying that the
2164 network should be considered online when <emphasis>at
2165 least one</emphasis> interface is online (useful on
2166 laptops)
2167 </para>
2168 </listitem>
2169 <listitem>
2170 <para>
2171 <literal>timeout</literal> defines how long to wait for
2172 the network to come online
2173 </para>
2174 </listitem>
2175 <listitem>
2176 <para>
2177 <literal>extraArgs</literal> for everything else
2178 </para>
2179 </listitem>
2180 </itemizedlist>
2181 </listitem>
2182 <listitem>
2183 <para>
2184 The <literal>influxdb2</literal> package was split into
2185 <literal>influxdb2-server</literal> and
2186 <literal>influxdb2-cli</literal>, matching the split that took
2187 place upstream. A combined <literal>influxdb2</literal>
2188 package is still provided in this release for backwards
 compatibility, but will be removed at a later date.
2190 </para>
2191 </listitem>
2192 <listitem>
2193 <para>
2194 The <literal>unifi</literal> package was switched from
2195 <literal>unifi6</literal> to <literal>unifi7</literal>. Direct
2196 downgrades from Unifi 7 to Unifi 6 are not possible and
2197 require restoring from a backup made by Unifi 6.
2198 </para>
2199 </listitem>
2200 <listitem>
2201 <para>
2202 <literal>programs.zsh.autosuggestions.strategy</literal> now
2203 takes a list of strings instead of a string.
2204 </para>
2205 </listitem>
2206 <listitem>
2207 <para>
2208 The <literal>asterisk</literal> and
2209 <literal>asterisk-stable</literal> packages were switched from
2210 <literal>asterisk_18</literal> to the newly-packaged
2211 <literal>asterisk_19</literal>. Asterisk 13 and 17 have been
2212 removed as they have reached their end of life.
2213 </para>
2214 </listitem>
2215 <listitem>
2216 <para>
2217 The <literal>services.unifi.openPorts</literal> option default
2218 value of <literal>true</literal> is now deprecated and will be
2219 changed to <literal>false</literal> in 22.11. Configurations
2220 using this default will print a warning when rebuilt.
2221 </para>
2222 </listitem>
2223 <listitem>
2224 <para>
2225 The <literal>services.unifi-video.openPorts</literal> option
2226 default value of <literal>true</literal> is now deprecated and
2227 will be changed to <literal>false</literal> in 22.11.
2228 Configurations using this default will print a warning when
2229 rebuilt.
2230 </para>
2231 </listitem>
2232 <listitem>
2233 <para>
2234 <literal>security.acme</literal> certificates will now
 correctly check for CA revocation before reaching their
2236 minimum age.
2237 </para>
2238 </listitem>
2239 <listitem>
2240 <para>
2241 Removing domains from
2242 <literal>security.acme.certs._name_.extraDomainNames</literal>
2243 will now correctly remove those domains during rebuild/renew.
2244 </para>
2245 </listitem>
2246 <listitem>
2247 <para>
2248 MariaDB is now offered in several versions, not just the
2249 newest one. So if you have a need for running MariaDB 10.4 for
2250 example, you can now just set
2251 <literal>services.mysql.package = pkgs.mariadb_104;</literal>.
2252 In general, it is recommended to run the newest version, to
2253 get the newest features, while sticking with an LTS version
2254 will most likely provide a more stable experience. Sometimes
2255 software is also incompatible with the newest version of
2256 MariaDB.
2257 </para>
2258 </listitem>
2259 <listitem>
2260 <para>
2261 The option
2262 <link linkend="opt-programs.ssh.enableAskPassword">programs.ssh.enableAskPassword</link>
2263 was added, decoupling the setting of
2264 <literal>SSH_ASKPASS</literal> from
2265 <literal>services.xserver.enable</literal>. This allows easy
2266 usage in non-X11 environments, e.g. Wayland.
2267 </para>
2268 </listitem>
2269 <listitem>
2270 <para>
2271 <link linkend="opt-programs.ssh.knownHosts">programs.ssh.knownHosts</link>
2272 has gained an <literal>extraHostNames</literal> option to
2273 augment <literal>hostNames</literal>. It is now possible to
2274 use the attribute name of a <literal>knownHosts</literal>
2275 entry as the primary host name and specify secondary host
2276 names using <literal>extraHostNames</literal> without having
2277 to duplicate the primary host name.
2278 </para>
2279 </listitem>
2280 <listitem>
2281 <para>
2282 The <literal>services.stubby</literal> module was converted to
2283 a
2284 <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">settings-style</link>
2285 configuration.
2286 </para>
2287 </listitem>
2288 <listitem>
2289 <para>
2290 The option
2291 <link linkend="opt-services.xserver.desktopManager.runXdgAutostartIfNone">services.xserver.desktopManager.runXdgAutostartIfNone</link>
2292 was added in order to automatically run XDG autostart files
2293 for sessions without a desktop manager. This replaces helpers
2294 like the <literal>dex</literal> package.
2295 </para>
2296 </listitem>
2297 <listitem>
2298 <para>
2299 When setting
2300 <link linkend="opt-i18n.inputMethod.enabled">i18n.inputMethod.enabled</link>
2301 to <literal>fcitx5</literal>, it no longer creates
2302 corresponding systemd user services. It now relies on XDG
2303 autostart files to start and work properly in your desktop
2304 sessions. If you are using only a window manager without a
2305 desktop manager, you need to enable
2306 <literal>services.xserver.desktopManager.runXdgAutostartIfNone</literal>
 or use the <literal>dex</literal> package to make
2308 <literal>fcitx5</literal> work.
2309 </para>
2310 </listitem>
2311 <listitem>
2312 <para>
2313 The option <literal>services.duplicati.dataDir</literal> has
2314 been added to allow changing the location of duplicati’s
2315 files.
2316 </para>
2317 </listitem>
2318 <listitem>
2319 <para>
2320 The options <literal>boot.extraModprobeConfig</literal> and
2321 <literal>boot.blacklistedKernelModules</literal> now also take
2322 effect in the initrd by copying the file
2323 <literal>/etc/modprobe.d/nixos.conf</literal> into the initrd.
2324 </para>
2325 </listitem>
2326 <listitem>
2327 <para>
2328 <literal>nixos-generate-config</literal> now puts the dhcp
2329 configuration in <literal>hardware-configuration.nix</literal>
2330 instead of <literal>configuration.nix</literal>.
2331 </para>
2332 </listitem>
2333 <listitem>
2334 <para>
2335 ORY Kratos was updated to version 0.9.0-alpha.3, which
2336 introduces some breaking changes:
2337 </para>
2338 <itemizedlist spacing="compact">
2339 <listitem>
2340 <para>
2341 All endpoints at the Admin API are now exposed at
2342 <literal>/admin/</literal>. For example, endpoint
2343 <literal>https://kratos:4434/identities</literal> is now
2344 exposed at
2345 <literal>https://kratos:4434/admin/identities</literal>
2346 </para>
2347 </listitem>
2348 <listitem>
2349 <para>
2350 Configuration key
2351 <literal>selfservice.whitelisted_return_urls</literal> has
2352 been renamed to <literal>allowed_return_urls</literal>
2353 </para>
2354 </listitem>
2355 <listitem>
2356 <para>
2357 The <literal>password_identifier</literal> form field of
2358 the password login strategy has been renamed to
2359 <literal>identifier</literal> to make compatibility with
2360 passwordless flows possible.
2361 </para>
2362 </listitem>
2363 <listitem>
2364 <para>
2365 Instead of having a global
2366 <literal>default_schema_url</literal> which developers
2367 used to update their schema, you now need to define the
2368 <literal>default_schema_id</literal> which must reference
 a schema ID in your config.
2370 </para>
2371 </listitem>
2372 <listitem>
2373 <para>
2374 Calling <literal>/self-service/recovery</literal> without
2375 flow ID or with an invalid flow ID while authenticated
2376 will now respond with an error instead of redirecting to
2377 the default page.
2378 </para>
2379 </listitem>
2380 <listitem>
2381 <para>
2382 If you are relying on the SQLite images, update your
2383 Docker Pull commands as follows:
2384 </para>
2385 <itemizedlist spacing="compact">
2386 <listitem>
2387 <para>
2388 <literal>docker pull oryd/kratos:{version}</literal>
2389 </para>
2390 </listitem>
2391 </itemizedlist>
2392 </listitem>
2393 <listitem>
2394 <para>
2395 Additionally, all passwords now have to be at least 8
2396 characters long.
2397 </para>
2398 </listitem>
2399 <listitem>
2400 <para>
2401 For more details, see:
2402 </para>
2403 <itemizedlist spacing="compact">
2404 <listitem>
2405 <para>
2406 <link xlink:href="https://github.com/ory/kratos/releases/tag/v0.8.1-alpha.1">Release
2407 Notes for v0.8.1-alpha-1</link>
2408 </para>
2409 </listitem>
2410 <listitem>
2411 <para>
2412 <link xlink:href="https://github.com/ory/kratos/releases/tag/v0.8.2-alpha.1">Release
2413 Notes for v0.8.2-alpha-1</link>
2414 </para>
2415 </listitem>
2416 <listitem>
2417 <para>
2418 <link xlink:href="https://github.com/ory/kratos/releases/tag/v0.9.0-alpha.1">Release
2419 Notes for v0.9.0-alpha-1</link>
2420 </para>
2421 </listitem>
2422 <listitem>
2423 <para>
2424 <link xlink:href="https://github.com/ory/kratos/releases/tag/v0.9.0-alpha.3">Release
2425 Notes for v0.9.0-alpha-3</link>
2426 </para>
2427 </listitem>
2428 </itemizedlist>
2429 </listitem>
2430 </itemizedlist>
2431 </listitem>
2432 <listitem>
2433 <para>
2434 <literal>fetchFromSourcehut</literal> now allows fetching
2435 repositories recursively using <literal>fetchgit</literal> or
2436 <literal>fetchhg</literal> if the argument
2437 <literal>fetchSubmodules</literal> is set to
2438 <literal>true</literal>.
2439 </para>
2440 </listitem>
2441 <listitem>
2442 <para>
2443 A module for declarative configuration of openconnect VPN
2444 profiles was added under
2445 <literal>networking.openconnect</literal>.
2446 </para>
2447 </listitem>
2448 <listitem>
2449 <para>
2450 The <literal>element-desktop</literal> package now has an
2451 <literal>useKeytar</literal> option (defaults to
2452 <literal>true</literal>), which allows disabling
2453 <literal>keytar</literal> and in turn
2454 <literal>libsecret</literal> usage (which binds to native
2455 credential managers / keychain libraries).
2456 </para>
2457 </listitem>
2458 <listitem>
2459 <para>
2460 The option <literal>services.thelounge.plugins</literal> has
2461 been added to allow installing plugins for The Lounge. Plugins
2462 can be found in
2463 <literal>pkgs.theLoungePlugins.plugins</literal> and
2464 <literal>pkgs.theLoungePlugins.themes</literal>.
2465 </para>
2466 </listitem>
2467 <listitem>
2468 <para>
2469 The option
2470 <literal>services.xserver.videoDriver = [ "nvidia" ];</literal>
2471 will now also install
2472 <link xlink:href="https://github.com/elFarto/nvidia-vaapi-driver">nvidia
2473 VA-API drivers</link> by default.
2474 </para>
2475 </listitem>
2476 <listitem>
2477 <para>
2478 The <literal>firmwareLinuxNonfree</literal> package has been
2479 renamed to <literal>linux-firmware</literal>.
2480 </para>
2481 </listitem>
2482 <listitem>
2483 <para>
 It is now possible to specify wordlists that are exposed as
 handy-to-access environment variables using the
 <literal>config.environment.wordlist</literal> configuration
 options.
2488 </para>
2489 </listitem>
2490 <listitem>
2491 <para>
2492 The <literal>services.mbpfan</literal> module was converted to
2493 a
2494 <link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
2495 0042</link> configuration.
2496 </para>
2497 </listitem>
2498 <listitem>
2499 <para>
2500 The default value for
2501 <literal>programs.spacefm.settings.graphical_su</literal> got
2502 unset. It previously pointed to <literal>gksu</literal> which
2503 has been removed.
2504 </para>
2505 </listitem>
2506 <listitem>
2507 <para>
2508 The <link xlink:href="https://dino.im">Dino</link> XMPP client
2509 was updated to 0.3, adding support for audio and video calls.
2510 </para>
2511 </listitem>
2512 <listitem>
2513 <para>
2514 <literal>services.mattermost.plugins</literal> has been added
2515 to allow the declarative installation of Mattermost plugins.
2516 Plugins are automatically repackaged using autoPatchelf.
2517 </para>
2518 </listitem>
2519 <listitem>
2520 <para>
2521 <link linkend="opt-services.logrotate.enable">services.logrotate.enable</link>
2522 now defaults to true if any rotate path has been defined, and
2523 some paths have been added by default.
2524 </para>
2525 </listitem>
2526 <listitem>
2527 <para>
2528 The logrotate module also has been updated to freeform syntax:
2529 <literal>services.logrotate.paths</literal> and
2530 <literal>services.logrotate.extraConfig</literal> will work,
2531 but issue deprecation warnings and
2532 <link linkend="opt-services.logrotate.settings">services.logrotate.settings</link>
2533 should now be used instead.
2534 </para>
2535 </listitem>
2536 <listitem>
2537 <para>
2538 <literal>security.pam.ussh</literal> has been added, which
2539 allows authorizing PAM sessions based on SSH
2540 <emphasis>certificates</emphasis> held within an SSH agent,
2541 using
2542 <link xlink:href="https://github.com/uber/pam-ussh">pam-ussh</link>.
2543 </para>
2544 </listitem>
2545 <listitem>
2546 <para>
2547 The <literal>vscode-extensions.ionide.ionide-fsharp</literal>
2548 package has been updated to 6.0.0 and now requires .NET 6.0.
2549 </para>
2550 </listitem>
2551 <listitem>
2552 <para>
2553 The <literal>phpPackages.box</literal> package has been
2554 updated from 2.7.5 to 3.16.0. See the
2555 <link xlink:href="https://github.com/box-project/box/blob/master/UPGRADE.md#from-27-to-30">upgrade
2556 guide</link> for more details.
2557 </para>
2558 </listitem>
2559 <listitem>
2560 <para>
2561 The <literal>zrepl</literal> package has been updated from
2562 0.4.0 to 0.5:
2563 </para>
2564 <itemizedlist spacing="compact">
2565 <listitem>
2566 <para>
2567 The RPC protocol version was bumped; all zrepl daemons in
2568 a setup must be updated and restarted before replication
2569 can resume.
2570 </para>
2571 </listitem>
2572 <listitem>
2573 <para>
2574 A bug involving encrypt-on-receive has been fixed. Read
2575 the
2576 <link xlink:href="https://zrepl.github.io/configuration/sendrecvoptions.html#job-recv-options-placeholder">zrepl
2577 documentation</link> and check the output of
2578 <literal>zfs get -r encryption,zrepl:placeholder PATH_TO_ROOTFS</literal>
2579 on the receiver.
2580 </para>
2581 </listitem>
2582 </itemizedlist>
2583 </listitem>
2584 <listitem>
2585 <para>
2586 The <literal>polybar</literal> package has been updated from
2587 3.5.7 to 3.6.2. See
2588 <link xlink:href="https://github.com/polybar/polybar/releases/tag/3.6.0">the
2589 changelog</link> for more details.
2590 </para>
2591 <itemizedlist spacing="compact">
2592 <listitem>
2593 <para>
2594 Breaking changes include changes to escaping rules in
2595 configuration values, changes in behavior when
2596 encountering invalid tag names, and changes to
2597 inter-process-messaging (IPC).
2598 </para>
2599 </listitem>
2600 </itemizedlist>
2601 </listitem>
2602 <listitem>
2603 <para>
2604 Renamed option
2605 <literal>services.openssh.challengeResponseAuthentication</literal>
2606 to
2607 <literal>services.openssh.kbdInteractiveAuthentication</literal>.
 The reason is that the old name has been deprecated upstream.
2609 Using the old option name will still work, but produce a
2610 warning.
2611 </para>
2612 </listitem>
2613 <listitem>
2614 <para>
2615 <literal>services.autorandr</literal> now allows for adding
2616 hooks and profiles declaratively.
2617 </para>
2618 </listitem>
2619 <listitem>
2620 <para>
2621 The <literal>pomerium-cli</literal> command has been moved out
2622 of the <literal>pomerium</literal> package into the
2623 <literal>pomerium-cli</literal> package, following upstream’s
2624 repository split. If you are using the
2625 <literal>pomerium-cli</literal> command, you should now
2626 install the <literal>pomerium-cli</literal> package.
2627 </para>
2628 </listitem>
2629 <listitem>
2630 <para>
2631 The option
2632 <link linkend="opt-networking.networkmanager.enableFccUnlock">networking.networkmanager.enableFccUnlock</link>
2633 was added to support FCC unlock procedures. Since release
2634 1.18.4, the ModemManager daemon no longer automatically
2635 performs the FCC unlock procedure by default. See
2636 <link xlink:href="https://modemmanager.org/docs/modemmanager/fcc-unlock/">the
2637 docs</link> for more details.
2638 </para>
2639 </listitem>
2640 <listitem>
2641 <para>
2642 <literal>programs.tmux</literal> has a new option
2643 <literal>plugins</literal> that accepts a list of packages
2644 from the <literal>tmuxPlugins</literal> group. The specified
2645 packages are added to the system and loaded by
2646 <literal>tmux</literal>.
2647 </para>
2648 </listitem>
2649 <listitem>
2650 <para>
2651 The polkit service, available at
2652 <literal>security.polkit.enable</literal>, is now disabled by
2653 default. It will automatically be enabled through services and
2654 desktop environments as needed.
2655 </para>
2656 </listitem>
2657 <listitem>
2658 <para>
2659 <literal>mercury</literal> was updated to 22.01.1, which has
2660 some breaking changes
2661 (<link xlink:href="https://dl.mercurylang.org/release/release-notes-22.01.html">Mercury
2662 22.01 news</link>).
2663 </para>
2664 </listitem>
2665 <listitem>
2666 <para>
2667 xfsprogs was updated to version 5.15, which enables inobtcount
2668 and bigtime by default on filesystem creation. Support for
2669 these features was added in kernel 5.10 and deemed stable in
2670 kernel 5.15. If you want to be able to mount XFS filesystems
2671 created with this release of xfsprogs on kernel releases older
2672 than 5.10, you need to format them with
2673 <literal>mkfs.xfs -m bigtime=0 -m inobtcount=0</literal>.
2674 </para>
2675 </listitem>
2676 <listitem>
2677 <para>
2678 <literal>services.xserver.desktopManager.xfce</literal> now
2679 includes Xfce’s screen locker,
2680 <literal>xfce4-screensaver</literal>, which is enabled by
2681 default. You can disable it by setting
2682 <link linkend="opt-services.xserver.desktopManager.xfce.enableScreensaver">services.xserver.desktopManager.xfce.enableScreensaver</link>
2683 to <literal>false</literal>.
2684 </para>
2685 </listitem>
2686 <listitem>
2687 <para>
2688 The <literal>hadoop</literal> package has added support for
2689 <literal>aarch64-linux</literal> and
2690 <literal>aarch64-darwin</literal> as of 3.3.1
2691 (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/158613">#158613</link>).
2692 </para>
2693 </listitem>
2694 <listitem>
2695 <para>
2696 The <literal>R</literal> package now builds again on
2697 <literal>aarch64-darwin</literal>
2698 (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/158992">#158992</link>).
2699 </para>
2700 </listitem>
2701 <listitem>
2702 <para>
2703 The <literal>nss</literal> package was split into
2704 <literal>nss_esr</literal> and <literal>nss_latest</literal>,
2705 with <literal>nss</literal> being an alias for
2706 <literal>nss_esr</literal>. This was done to ease maintenance
2707 of <literal>nss</literal> and dependent high-profile packages
2708 like <literal>firefox</literal>.
2709 </para>
2710 </listitem>
2711 <listitem>
2712 <para>
2713 The default <literal>scribus</literal> version is now 1.5,
2714 while version 1.4 is still available as
2715 <literal>scribus_1_4</literal>
2716 (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/172700">#172700</link>).
2717 </para>
2718 </listitem>
2719 <listitem>
2720 <para>
2721 The Nextcloud module now supports creating a MySQL database
2722 automatically with
2723 <literal>services.nextcloud.database.createLocally</literal>
2724 enabled.
2725 </para>
2726 </listitem>
2727 <listitem>
2728 <para>
2729 The Nextcloud module now allows setting the value of the
2730 <literal>max-age</literal> directive of the
2731 <literal>Strict-Transport-Security</literal> HTTP header,
2732 which is now controlled by the
2733 <literal>services.nextcloud.https</literal> option, rather
2734 than <literal>services.nginx.recommendedHttpHeaders</literal>.
2735 </para>
2736 </listitem>
2737 <listitem>
2738 <para>
2739 The <literal>spark3</literal> package has been updated from
2740 3.1.2 to 3.2.1
2741 (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/160075">#160075</link>):
2742 </para>
2743 <itemizedlist spacing="compact">
2744 <listitem>
2745 <para>
2746 Testing has been enabled for
2747 <literal>aarch64-linux</literal> in addition to
2748 <literal>x86_64-linux</literal>.
2749 </para>
2750 </listitem>
2751 <listitem>
2752 <para>
2753 The <literal>spark3</literal> package is now usable on
2754 <literal>aarch64-darwin</literal> as a result of
2755 <link xlink:href="https://github.com/NixOS/nixpkgs/pull/158613">#158613</link>
2756 and
2757 <link xlink:href="https://github.com/NixOS/nixpkgs/pull/158992">#158992</link>.
2758 </para>
2759 </listitem>
2760 </itemizedlist>
2761 </listitem>
2762 <listitem>
2763 <para>
2764 The option <literal>services.snapserver.openFirewall</literal>
2765 will no longer default to <literal>true</literal> starting
2766 with NixOS 22.11. Enable it explicitly if you need to control
2767 Snapserver remotely or connect streaming clients from other
2768 hosts.
2769 </para>
2770 </listitem>
2771 <listitem>
2772 <para>
2773 The option
2774 <link xlink:href="options.html#opt-networking.useDHCP">networking.useDHCP</link>
2775 isn’t deprecated anymore. When using
2776 <link xlink:href="options.html#opt-networking.useNetworkd"><literal>systemd-networkd</literal></link>,
2777 a generic <literal>.network</literal>-unit is added which
2778 enables DHCP for each interface matching
2779 <literal>en*</literal>, <literal>eth*</literal> or
2780 <literal>wl*</literal> with priority 99 (which means that it
2781 doesn’t have any effect if such an interface is matched by a
2782 <literal>.network</literal>-unit with a lower priority). In
2783 case of scripted networking, no behavior was changed.
2784 </para>
2785 </listitem>
2786 <listitem>
2787 <para>
2788 The new
2789 <link xlink:href="https://nixos.org/manual/nixpkgs/stable/#sec-postgresqlTestHook"><literal>postgresqlTestHook</literal></link>
2790 runs a PostgreSQL server for the duration of package checks.
2791 </para>
2792 </listitem>
2793 <listitem>
2794 <para>
2795 <literal>zfs</literal> was updated from 2.1.4 to 2.1.5,
2796 enabling it to be used with Linux kernel 5.18.
2797 </para>
2798 </listitem>
2799 <listitem>
2800 <para>
2801 <literal>stdenv.mkDerivation</literal> now supports a
2802 self-referencing <literal>finalAttrs:</literal> parameter
2803 containing the final <literal>mkDerivation</literal> arguments
2804 including overrides. <literal>drv.overrideAttrs</literal> now
2805 supports two parameters
2806 <literal>finalAttrs: previousAttrs:</literal>. This allows
2807 packaging configuration to be overridden in a consistent
2808 manner by providing an alternative to
2809 <literal>rec {}</literal> syntax.
2810 </para>
2811 <para>
2812 Additionally, <literal>passthru</literal> can now reference
2813 <literal>finalAttrs.finalPackage</literal> containing the
2814 final package, including attributes such as the output paths
2815 and <literal>overrideAttrs</literal>.
2816 </para>
2817 <para>
2818 New language integrations can be simplified by overriding a
2819 <quote>prototype</quote> package containing the
2820 language-specific logic. This removes the need for an extra
2821 layer of overriding for the <quote>generic builder</quote>
2822 arguments, thus removing a usability problem and source of
2823 error.
2824 </para>
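 <para>
 How <literal>rec {}</literal> and <literal>finalAttrs</literal>
 behave under the same override, as an added example that is not
 part of the original release notes or of nixpkgs. The package
 names, version strings and the <literal>bump</literal> helper are
 constructed for illustration, and the file is assumed to be loaded
 with <literal>pkgs.callPackage</literal>.
 </para>
<programlisting language="nix">
```nix
# Added example (not from nixpkgs): hello-rec, hello-final, bump and the
# version strings are constructed. Load with: pkgs.callPackage ./example.nix { }
{ stdenv }:
let
  # Old style: `rec` resolves `version` once, when this set is written,
  # so later overrides cannot reach the places that already used it.
  helloRec = stdenv.mkDerivation rec {
    pname = "hello-rec";
    version = "1.0";
    dontUnpack = true;
    installPhase = "echo ${version} > $out";
    passthru.label = "${pname}-${version}";
  };

  # New style: `finalAttrs` holds the mkDerivation arguments after every
  # override has been applied, so references follow the overridden values.
  helloFinal = stdenv.mkDerivation (finalAttrs: {
    pname = "hello-final";
    version = "1.0";
    dontUnpack = true;
    installPhase = "echo ${finalAttrs.version} > $out";
    passthru = {
      label = "${finalAttrs.pname}-${finalAttrs.version}";
      # The final package itself, including output paths and overrideAttrs.
      self = finalAttrs.finalPackage;
    };
  });

  # Two-parameter form of overrideAttrs described above.
  bump = drv: drv.overrideAttrs (finalAttrs: previousAttrs: {
    version = previousAttrs.version + "-patched";
  });
in
{
  # Label and installPhase still carry the version written in the rec set.
  recLabel = (bump helloRec).label;
  # Label and installPhase pick up the overridden version.
  finalLabel = (bump helloFinal).label;
  # passthru.self refers to the overridden package, not the original one.
  selfVersion = (bump helloFinal).self.version;
}
```
</programlisting>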
2825 </listitem>
2826 </itemizedlist>
2827 </section>
2828</section>