diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index 9ab898060143..242ebdf56a1b 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -197,7 +197,7 @@ - The `sound` options have been removed or renamed, as they had a lot of unintended side effects. See [below](#sec-release-24.11-migration-sound) for details. -- The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver. +- The NVIDIA driver no longer defaults to the proprietary kernel module with versions >= 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open modules. - The `(buildPythonPackage { ... }).override` attribute is now deprecated and removed in favour of `overridePythonAttrs`. This change does not affect the override interface of most Python packages, as [`.override`](https://nixos.org/manual/nixpkgs/unstable/#sec-pkg-override) provided by `callPackage` shadows such a locally-defined `override` attribute. 
@@ -206,7 +206,7 @@ - All GNOME packages have been moved to top-level (i.e., `gnome.nautilus` is now `nautilus`). -- `transmission` package has been aliased with a `trace` warning to `transmission_3`. Since [Transmission 4 has been released last year](https://github.com/transmission/transmission/releases/tag/4.0.0), and Transmission 3 will eventually go away, it was decided perform this warning alias to make people aware of the new version. The `services.transmission.package` defaults to `transmission_3` as well because the upgrade can cause data loss in certain specific usage patterns (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up to your data directory per your usage: +- `transmission` has been aliased with a `trace` warning to `transmission_3`, since [Transmission 4 has been released last year](https://github.com/transmission/transmission/releases/tag/4.0.0) and Transmission 3 will eventually go away -- this is meant to make people aware of the new version. `services.transmission.package` now also defaults to `transmission_3`, as the upgrade can cause data loss in some cases (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up to your data directory if you may be affected: - `transmission-gtk`: `~/.config/transmission` - `transmission-daemon` using NixOS module: `${config.services.transmission.home}/.config/transmission-daemon` (defaults to `/var/lib/transmission/.config/transmission-daemon`) 
@@ -216,7 +216,7 @@ - `unifi` has been updated to UniFi 8. `unifi7` was removed as it is vulnerable to CVE-2024-42025 and required a version of MongoDB that has reached end of life. -- `androidenv.androidPkgs_9_0` has been removed, and replaced with `androidenv.androidPkgs` for a more complete Android SDK including support for Android 9 and later. +- `androidenv.androidPkgs_9_0` has been removed. It is replaced with `androidenv.androidPkgs` for a more complete Android SDK, including support for Android 9 and later. - `grafana` has been updated to version 11.1. This version doesn't support setting `http_addr` to a hostname anymore, an IP address is expected. 
@@ -234,14 +234,13 @@ - `bluemap` has changed the format used to store map tiles, and the database layout has been heavily modified. Upstream recommends a clean reinstallation: . Unless you are using an SQL storage backend, this should only entail deleting the contents of `config.services.bluemap.coreSettings.data` (defaults to `/var/lib/bluemap`) and `config.services.bluemap.webRoot` (defaults to `/var/lib/bluemap/web`). - `wstunnel` has had a major version upgrade that entailed rewriting the program in Rust. - The module was updated to accommodate for breaking changes. - Breaking changes to the module API were minimised as much as possible, - but some were nonetheless inevitable due to changes in the upstream CLI. - Certain options were moved from separate CLI arguments into the forward specifications, - and those options were also removed from the module's API, - please consult the wstunnel man page for more detail. + The module was updated to accommodate for breaking changes and breaking changes to the + module options were minimised as much as possible. Nonetheless, some were inevitable due + to changes in the upstream CLI. Certain options were moved from separate CLI arguments into + the forward specifications, and those options were also removed from the module's options. + Please consult the wstunnel man page for more details. Also be aware that if you have set additional options in `services.wstunnel.{clients,servers}..extraArgs`, - that those might have been removed or modified upstream. + they may have been modified or removed upstream. - `percona-server_8_4` and `mysql84` now have password authentication via the deprecated `mysql_native_password` disabled by default. This authentication plugin can be enabled via a CLI argument again, for detailed instructions and alternative authentication methods [see upstream documentation](https://dev.mysql.com/doc/refman/8.4/en/native-pluggable-authentication.html). 
The config file directive `default_authentication_plugin` has been removed. 
@@ -252,29 +251,29 @@ - For convenience, the top-level `clang-tools` attribute remains and is now bound to `llvmPackages.clang-tools`. - Top-level `clang_tools_` attributes are now aliases; these will be removed in a future release. -- `buildbot` was updated to 4.0, the AngularJS frontend has been replaced by a React frontend, see the [upstream release notes](https://docs.buildbot.net/current/manual/upgrading/4.0-upgrade.html). +- `buildbot` was updated to 4.0 and the AngularJS frontend replaced by a React frontend. See the [upstream release notes](https://docs.buildbot.net/current/manual/upgrading/4.0-upgrade.html). -- `headscale` has been updated to version 0.23.0 which reworked large parts of the configuration including DNS, Magic DNS prefixes and ACL policy files. See the [upstream changelog](https://github.com/juanfont/headscale/releases/tag/v0.23.0) for details. +- `headscale` has been updated to version 0.23.0 which reworked large parts of the configuration, including DNS, Magic DNS prefixes and ACL policy files. See the [upstream changelog](https://github.com/juanfont/headscale/releases/tag/v0.23.0) for details. -- `nginx` package no longer includes `gd` and `geoip` dependencies. For enabling it, override `nginx` package with the optionals `withImageFilter` and `withGeoIP`. +- `nginx` package no longer includes the `gd` and `geoip` dependencies. To re-enable them, override `nginx` with the options `withImageFilter = true;` and `withGeoIP = true;`. -- `systemd.enableUnifiedCgroupHierarchy` option has been removed. - In systemd 256 support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now considered obsolete and systemd by default will refuse to boot under it. - To forcibly reenable cgroup v1 support, you can `set boot.kernelParams = [ "systemd.unified_cgroup_hierachy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ]`. - NixOS does not officially support this configuration and might cause your system to be unbootable in future versions. You are on your own. 
+- `systemd.enableUnifiedCgroupHierarchy` has been removed. + In systemd 256, support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now considered obsolete and systemd will refuse to boot under it by default. + To forcibly re-enable cgroup v1 support, you can set `boot.kernelParams = [ "systemd.unified_cgroup_hierarchy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ]`. + This is not an officially supported configuration and might cause your system to become unbootable in future versions. You are on your own. -- `nrfutil` which previously pointed to the now-deprecated `pc-nrfutil` python package, has been repackaged under the same name with the new nrfutil tool. +- `nrfutil` -- which previously pointed to the now-deprecated `pc-nrfutil` Python package -- has been repackaged under the same name with the new nrfutil tool. -- `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can - use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`). +- `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components. Users needing this support can + use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` package flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`). - `security.ipa.ipaHostname` now defaults to the value of `networking.fqdn` if it is set, instead of the previous hardcoded default of `${networking.hostName}.${security.ipa.domain}`. -- The `MSMTP_QUEUE` and `MSMTP_LOG` environment variables accepted by `msmtpq` have now been renamed to `MSMTPQ_Q` and `MSMTPQ_LOG` respectively. +- The `MSMTP_QUEUE` and `MSMTP_LOG` environment variables accepted by `msmtpq` have been renamed to `MSMTPQ_Q` and `MSMTPQ_LOG` respectively. 
-- The logrotate service has received hardening and now requires enabling `allowNetworking`, if logrotate needs to access the network. +- The logrotate service has been hardened and now requires enabling `allowNetworking` if network access is required. - `mautrix-whatsapp` has been updated to version 0.11.0, which is a major rewrite of the bridge. Config file changes are required. @@ -291,8 +290,8 @@ Processes also now run as a dynamically allocated user by default instead of root. -- The `mautrix-signal` module was adapted to incorporate the configuration rearrangement that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work. - In case you want to update your configuration make sure to check the NixOS manual. +- The `mautrix-signal` module was adapted to incorporate the configuration changes that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work. + In case you want to update your configuration, make sure to check the NixOS manual. - The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver. 
@@ -305,15 +304,15 @@ - `singularity-tools` have the `storeDir` argument removed from its override interface and use `builtins.storeDir` instead. -- Two build helpers in `singularity-tools`, i.e., `mkLayer` and `shellScript`, are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases. +- The `mkLayer` and `shellScript` build helpers in `singularity-tools` are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases. - The `rust.toTargetArch`, `rust.toTargetOs`, `rust.toTargetFamily`, `rust.toTargetVendor`, `rust.toRustTarget`, `rust.toRustTargetSpec`, `rust.toRustTargetSpecShort`, and `rust.IsNoStdTarget` functions are deprecated in favour of the `rust.platform.arch`, `rust.platform.os`, `rust.platform.target-family`, `rust.platform.vendor`, `rust.rustcTarget`, `rust.rustcTargetSpec`, `rust.cargoShortTarget`, `rust.cargoEnvVarTarget`, and `rust.isNoStdTarget` platform attributes respectively. -- The `budgie` and `budgiePlugins` scope have been removed and their packages - moved into the top level scope (i.e., `budgie.budgie-desktop` is now - `budgie-desktop`) +- All Budgie and `budgiePlugins` packages have been moved to top-level (i.e., + `budgie.budgie-desktop` is now `budgie-desktop` and `budgiePlugins.budgie-media-player-applet` + is now `budgie-media-player-applet`). -- The method to safely handle secrets in the `networking.wireless` module has been changed to benefit from a [new feature](https://w1.fi/cgit/hostap/commit/?id=e680a51e94a33591f61edb210926bcb71217a21a) of wpa_supplicant. +- The method of safely handling secrets in the `networking.wireless` module has been changed to benefit from a [new feature](https://w1.fi/cgit/hostap/commit/?id=e680a51e94a33591f61edb210926bcb71217a21a) of `wpa_supplicant`. 
The syntax to refer to secrets has changed slightly and the option `networking.wireless.environmentFile` has been replaced by `networking.wireless.secretsFile`; see the description of the latter for how to upgrade. - NetBox was updated to `>= 4.1.0`. 
@@ -350,26 +349,36 @@ to use `extraOpts` flags. A previous configuration may have looked like this: + ```nix - featureGates = [ "EphemeralContainers" ]; - extraOpts = pkgs.lib.concatStringsSep " " ( - [ - ''--feature-gates="CSIMigration=false"'' - }); + { + featureGates = [ "EphemeralContainers" ]; + extraOpts = pkgs.lib.concatStringsSep " " ( + [ + ''--feature-gates="CSIMigration=false"'' + ] + ); + } ``` - Using an AttrSet instead, the new configuration would be: + Using an attribute set instead, the new configuration would be: + ```nix - featureGates = {EphemeralContainers = true; CSIMigration=false;}; + { + featureGates = { + EphemeralContainers = true; + CSIMigration=false; + }; + } ``` -- `pkgs.nextcloud27` has been removed since it's EOL. +- `pkgs.nextcloud27` has been removed as it has reached EOL. - The `environment.noXlibs` option has been removed. It was a common source of unexpected rebuilds and breakage that was often hard to diagnose. If you need to disable certain libraries, you're encouraged to add your own overlay to your configuration that targets the packages you care about. -- `frigate` was updated past 0.14.0. This release includes various breaking changes, so please go read the [release notes](https://github.com/blakeblackshear/frigate/releases/tag/v0.14.0). - Most prominently access to the webinterface and API are now protected by authentication. Retrieve the auto-created +- `frigate` was updated past 0.14.0. This release includes various breaking changes, so please review the [release notes](https://github.com/blakeblackshear/frigate/releases/tag/v0.14.0). + Most prominently, access to the web interface and API are now protected by authentication. Retrieve the auto-created admin account from the `frigate.service` journal after upgrading. - `nodePackages.coc-python` was dropped, as [its upstream is unmaintained](https://github.com/neoclide/coc-python). The associated `vimPlugins.coc-python` was also dropped. 
@@ -389,7 +398,7 @@ - `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead. -- `services.pgbouncer` systemd service is configured with `Type=notify-reload` and allows reloading configuration without process restart. PgBouncer configuration options were moved to the free-form type option named [`services.pgbouncer.settings`](#opt-services.pgbouncer.settings) according to the NixOS RFC 0042. +- `services.pgbouncer` systemd service is now configured with `Type=notify-reload` and allows reloading configuration without process restart. PgBouncer configuration options were moved to the freeform type option under [`services.pgbouncer.settings`](#opt-services.pgbouncer.settings). - Docear was removed because it was unmaintained upstream. JabRef, Zotero, or Mendeley are potential replacements. 
@@ -410,23 +419,23 @@ Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/) and [release notes for v16](https://goteleport.com/docs/changelog/#1600-061324). -- `tests.overriding` has its `passthru.tests` restructured as an attribute set instead of a list, making individual tests accessible by their names. +- `tests.overriding`'s `passthru.tests` has been restructured as an attribute set instead of a list, making individual tests accessible by their names. -- Package `skk-dict` was split into multiple packages under `skkDictionaries`. - If in doubt, try `skkDictionaries.l`. As part of this change, the dictionaries - were moved from `$out/share` to `$out/share/skk`. Also, the dictionaries won't - be converted to UTF-8 unless the `useUtf8` package option is enabled. UTF-8 +- `skk-dict` was split into multiple packages under `skkDictionaries`. + If in doubt of what to use, try `skkDictionaries.l`. As part of this change, the dictionaries + were moved from `$out/share` to `$out/share/skk`. The dictionaries also won't + be converted to UTF-8 unless the `useUtf8` package option is enabled; UTF-8 converted dictionaries will have the .utf8 suffix appended to its filename. - `vaultwarden` lost the capability to bind to privileged ports. If you rely on this behavior, override the systemd unit to allow `CAP_NET_BIND_SERVICE` in - your local configuration. + your configuration. -- The Invoiceplane module now only accepts the structured `settings` option. - `extraConfig` is now removed. +- `services.invoiceplane.sites..extraConfig` was removed. Configuration must now be done + through the structured `services.invoiceplane.sites..settings` option. -- The `ollama` services replaces its `sandbox` toggle with options to configure - a static `user` and `group`. The `writablePaths` option has been removed and +- `services.ollama.sandbox` has been replaced with options to configure + a static `user` and `group`. 
The `writablePaths` option has also been removed and the models directory is now always exempt from sandboxing. - The `gns3-server` service now runs under the `gns3` system user @@ -443,7 +452,7 @@ before changing the package to `pkgs.stalwart-mail` in [`services.stalwart-mail.package`](#opt-services.stalwart-mail.package). -- The `nomad_1_5` and `nomad_1_6` package were dropped, as [they have reached end-of-life upstream](https://support.hashicorp.com/hc/en-us/articles/360021185113-Support-Period-and-End-of-Life-EOL-Policy). Evaluating them will throw an error. +- `nomad_1_5` and `nomad_1_6` were dropped, as [they have reached end-of-life upstream](https://support.hashicorp.com/hc/en-us/articles/360021185113-Support-Period-and-End-of-Life-EOL-Policy). Evaluating them will throw an error. - The default `nomad` package has been updated to 1.8.x. For more information, see [breaking changes for Nomad 1.8](https://developer.hashicorp.com/nomad/docs/upgrade/upgrade-specific#nomad-1-8-0) @@ -451,7 +460,7 @@ - Android NDK version 26 and SDK version 33 are now the default versions used for cross compilation to android. -- the `ankisyncd` package and its `services.ankisyncd` have been removed, use [`services.anki-sync-server`](#opt-services.anki-sync-server.enable) instead. +- `ankisyncd` package and its `services.ankisyncd` have been removed. Use [`services.anki-sync-server`](#opt-services.anki-sync-server.enable) instead. - `nodePackages.vscode-css-languageserver-bin`, `nodePackages.vscode-html-languageserver-bin`, and `nodePackages.vscode-json-languageserver-bin` were dropped due to an unmaintained upstream. 
@@ -460,35 +469,35 @@ - `nodePackages.prisma` has been replaced by `prisma`. - `fetchNextcloudApp` has been rewritten to use `fetchurl` rather than - `fetchzip`. This invalidates all existing hashes but you can restore the old + `fetchzip`. This invalidates all existing hashes, but you can restore the old behavior by passing it `unpack = true`. -- `haskell.lib.compose.justStaticExecutables` now disallows references to GHC in the - output by default, to alert users to closure size issues caused by +- `haskell.lib.compose.justStaticExecutables` now disallows references to GHC in its + output by default to alert users to closure size issues caused by [#164630](https://github.com/NixOS/nixpkgs/issues/164630). See ["Packaging Helpers" in the Haskell section of the Nixpkgs manual](https://nixos.org/manual/nixpkgs/unstable/#haskell-packaging-helpers) for information on working around `output '...' is not allowed to refer to the following paths` errors caused by this change. -- The `stalwart-mail` service now runs under the `stalwart-mail` system user - instead of a dynamically created one via `DynamicUser`, to avoid automatic - ownership changes on its large file store each time the service was started. +- `services.stalwart-mail` now runs under the `stalwart-mail` system user + instead of a dynamic one via `DynamicUser` in order to avoid automatic + ownership changes on its large file store on service restart. This change requires to manually move the state directory from - `/var/lib/private/stalwart-mail` to `/var/lib/stalwart-mail` and to + `/var/lib/private/stalwart-mail` to `/var/lib/stalwart-mail`, and to change the ownership of the directory and its content to `stalwart-mail`. -- The `stalwart-mail` module now uses RocksDB as the default storage backend - for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured - data and the filesystem for blobs). 
+- `services.stalwart-mail` now uses RocksDB as the default storage backend + for `stateVersion` ≥ 24.11. It was previously using SQLite for structured + data and the filesystem for blobs. -- The `stargazer` service has been hardened to improve security, but these +- `services.stargazer` has been hardened to improve security, but these changes make break certain setups, particularly around traditional CGI. - - The `stargazer.allowCgiUser` option has been added, enabling + - `services.stargazer.allowCgiUser` has been added, enabling Stargazer's `cgi-user` option to work, which was previously broken. -- The `shiori` service now requires an HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided via environment variable. The nixos module therefore, now provides an environmentFile option: +- `services.shiori` now requires the HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided as an environment variable. `services.shiori.environmentFile` has been introduced to handle this: ``` # This is how a environment file can be generated: 
@@ -498,26 +507,26 @@ - `/share/nano` is now only linked when `programs.nano.enable` is enabled. -- PPD files for Utax printers got renamed (spaces replaced by underscores) in newest `foomatic-db` package; users of Utax printers might need to adapt their `hardware.printers.ensurePrinters.*.model` value. +- PPD files for Utax printers were renamed (spaces replaced by underscores) in the newest `foomatic-db` package. Users of Utax printers might need to adapt their `hardware.printers.ensurePrinters.*.model` value to account for this. - `sqldeveloper` was dropped due to being severely out-of-date and having a dependency on JavaFX for Java 8, which we do not support. -- The `kvdo` kernel module package was removed, because it was upstreamed in kernel version 6.9, where it is called `dm-vdo`. +- The `kvdo` kernel module package was removed as it was upstreamed in kernel version 6.9, where it is now called `dm-vdo`. - `libe57format` has been updated to `>= 3.0.0`, which contains some backward-incompatible API changes. See the [release note](https://github.com/asmaloney/libE57Format/releases/tag/v3.0.0) for more details. - `gitlab` deprecated support for *runner registration tokens* in GitLab 16.0, disabled their support in GitLab 17.0 and will - ultimately remove it in GitLab 18.0, as outlined in the - [documentation](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#estimated-time-frame-for-planned-changes). + ultimately remove it in GitLab 18.0 (as outlined in the + [documentation](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#estimated-time-frame-for-planned-changes)). After upgrading to GitLab >= 17.0, it is possible to re-enable support for registration tokens in the UI until GitLab 18.0. Refer to the manual on [using registration tokens after GitLab 17.0](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170). 
GitLab administrators should migrate to the [new runner registration workflow](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170) with *runner authentication tokens* until the release of GitLab 18.0. -- `gitlab` has been updated from 16.x to 17.x and requires at least `postgresql` 14.9, as stated in the [documentation](https://docs.gitlab.com/17.1/ee/install/requirements.html#postgresql-requirements). Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation. +- `gitlab` has been updated from 16.x to 17.x and requires `postgresql` >= 14.9, as stated in the [documentation](https://docs.gitlab.com/17.1/ee/install/requirements.html#postgresql-requirements). Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation. -- `gitaly` (part of `gitlab`) is now using the bundled `git` package instead of `pkgs.git` to maintain compatibility with GitLab. +- `gitaly` (part of `gitlab`) is now using the bundled `git` package instead of `pkgs.git`, to maintain compatibility with GitLab. - `nixos/gitlab` no longer adds `pkgs.git` to `environment.systemPackages` by default. 
@@ -533,10 +542,10 @@ - `zx` was updated to v8, which introduces several breaking changes. See the [v8 changelog](https://github.com/google/zx/releases/tag/8.0.0) for more information. -- `feishin` removed support for Navidrome `< v0.53.2` due to an API change; more information in the [v0.10.0 release notes](https://github.com/jeffvli/feishin/releases/tag/v0.10.0). +- `feishin` removed support for Navidrome `< v0.53.2` due to an API change. See the [v0.10.0 release notes](https://github.com/jeffvli/feishin/releases/tag/v0.10.0) for more information. -- The `dnscrypt-wrapper` module was removed since the project has been effectively unmaintained since 2018; moreover the NixOS module had to rely on an abandoned version of dnscrypt-proxy v1 for the rotation of keys. - To wrap a resolver with DNSCrypt you can instead use `dnsdist`. See options `services.dnsdist.dnscrypt.*` +- `services.dnscrypt-wrapper` was removed, as the project has been effectively unmaintained since 2018. Moreover, the NixOS module had to rely on an abandoned version of `dnscrypt-proxy` v1 for the rotation of keys. + To wrap a resolver with DNSCrypt, you can instead use `dnsdist`. See `services.dnsdist.dnscrypt` - The `portunus` package and service do not support weak password hashes anymore. If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing. 
@@ -551,7 +560,7 @@ Explicitly set `kubelet.hostname` to `networking.fqdnOrHostName` to get back the old default behavior. -- Docker now defaults to 27.x, because version 24.x stopped receiving security updates and bug fixes after [February 1, 2024](https://github.com/moby/moby/pull/46772#discussion_r1686464084). +- Docker now defaults to 27.x, as version 24.x stopped receiving security updates and bug fixes after [February 1, 2024](https://github.com/moby/moby/pull/46772#discussion_r1686464084). - `postgresql` was split into default and -dev outputs. To make this work without circular dependencies, the output of the `pg_config` system view has been removed. The `pg_config` binary is provided in the -dev output and still works as expected. @@ -581,12 +590,12 @@ support, which is the intended default behavior by Tracy maintainers. X11 users have to switch to the new package `tracy-x11`. -- The `services.prometheus.exporters.minio` option has been removed, as it's upstream implementation was broken and unmaintained. +- `services.prometheus.exporters.minio` option has been removed, as it's upstream implementation was broken and unmaintained. Minio now has built-in [Prometheus metrics exposure](https://min.io/docs/minio/linux/operations/monitoring/collect-minio-metrics-using-prometheus.html), which can be used instead. - The `services.prometheus.exporters.tor` option has been removed, as its upstream implementation was broken and unmaintained. -- The `services.patroni.raft` option has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300) +- `services.patroni.raft` has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300). - The `jd-cli` package was removed due to an inactive upstream and a dependency on the shut down JCenter JAR repository. 
@@ -597,25 +606,25 @@ - `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset overhead introduced by the base64 encoding applied to attachments. -- The `services.mxisd` module has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are not maintained any longer. - Consequently the package `pkgs.ma1sd` has also been removed. +- `services.mxisd` has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are no longer maintained. + Consequently, the package `ma1sd` has also been removed. - The `rss-bridge` service drops the support to load a configuration file from `${config.services.rss-bridge.dataDir}/config.ini.php`. Consider using the `services.rss-bridge.config` option instead. -- The `xdg.portal.gtkUsePortal` option has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`. +- `xdg.portal.gtkUsePortal` has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`. - Support for the legacy CUPS browsing and LDAP have been removed from `services.printing`. If `cups` or `ldap` are in the `BrowseRemoteProtocols` setting in `services.printing.browsedConf`, it needs to be removed. -- The `services.trust-dns` module has been renamed to `services.hickory-dns`. +- `services.trust-dns` has been renamed to `services.hickory-dns`. 
-- The option `services.prometheus.exporters.pgbouncer.connectionStringFile` has been removed since +- `services.prometheus.exporters.pgbouncer.connectionStringFile` has been removed since it leaked the connection string (and thus potentially the DB password) into the cmdline of process making it effectively world-readable. Use [`services.prometheus.exporters.pgbouncer.connectionEnvFile`](#opt-services.prometheus.exporters.pgbouncer.connectionEnvFile) instead. -- The `lsh` package and the `services.lshd` module have been removed as they had no maintainer in Nixpkgs and hadn’t seen an upstream release in over a decade. It is recommended to migrate to `openssh` and `services.openssh`. +- `lsh` and `services.lshd` have been removed as they had no maintainer in Nixpkgs and no upstream release in over a decade. It is recommended to migrate to `openssh` and `services.openssh`. - `ceph` has been upgraded to v19. See the [Ceph "squid" release notes](https://docs.ceph.com/en/latest/releases/squid/#v19-2-0-squid) for details and recommended upgrade procedure. 
@@ -629,23 +638,22 @@ were not used by any other package. External users are encouraged to migrate to OpenCV 4. -- The `tvheadend` package and the `services.tvheadend` module have been - removed as nobody was willing to maintain them and they were stuck on - an unmaintained version that required FFmpeg 4; please see [pull +- `tvheadend` package and the `services.tvheadend` module have been + removed due to lack of maintenance in Nixpkgs and being stuck on + an unmaintained version that required FFmpeg 4. Please see the related [pull request #332259](https://github.com/NixOS/nixpkgs/pull/332259) if you are interested in maintaining a newer version. -- The `antennas` package and the `services.antennas` module have been - removed as they only work with `tvheadend` (see above). +- `antennas` and `services.antennas` have been removed as they only work with `tvheadend` (see above). -- The `system.build.brightboxImage` image has been removed as It did not build anymore and has not seen any maintenance in over 7 years (excluding tree-wide changes). +- `system.build.brightboxImage` has been removed as it no longer built and has not seen any maintenance in over 7 years (excluding tree-wide changes). -- The `services.syncplay` module now exposes all currently available command-line arguments for `syncplay-server` as options, as well as a `useACMEHost` option for easy TLS setup. +- `services.syncplay` now exposes all currently available command-line arguments for `syncplay-server` as options, as well as a `useACMEHost` option for easy TLS setup. The systemd service now uses `DynamicUser`/`StateDirectory` and the `user` and `group` options have been deprecated. -- The `openlens` package got removed, suggested replacement `lens-desktop` +- `openlens` was removed. It is recommended to use `lens-desktop` instead. -- The `services.dnsmasq.extraConfig` option has been removed, as it had been deprecated for over 2 years. This option has been replaced by `services.dnsmasq.settings`. 
+- `services.dnsmasq.extraConfig` has been removed, as it had been deprecated for over 2 years. This option has been replaced by `services.dnsmasq.settings`. - The NixOS installation media no longer support the ReiserFS or JFS file systems by default. 
@@ -662,17 +670,17 @@ - `openssl` now defaults to the latest version line `3.3.x`, instead of `3.0.x` before. While there should be no major code incompatibilities, newer OpenSSL versions typically strengthen the default security level. This means that you may have to explicitly allow weak ciphers, hashes and key lengths if necessary. See: [OpenSSL security level documentation](https://docs.openssl.org/3.3/man3/SSL_CTX_set_security_level/). -- The `isync` package has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details. +- `isync` has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details. - Legacy package `globalprotect-openconnect` 1.x and related module - `globalprotect-vpn` were dropped. Two new packages `gpauth` and `gpclient` - from the 2.x version of the GlobalProtect-openconnect project are added in its + `services.globalprotect` were dropped. Two new packages -- `gpauth` and `gpclient` + from the 2.x version of the GlobalProtect-openconnect project -- are added in its place. The GUI components related to the project are non-free and not packaged. - Compatible string matching for `hardware.deviceTree.overlays` has been changed to a more correct behavior. See [below](#sec-release-24.11-migration-dto-compatible) for details. -- The `rustic` package was upgrade to `0.9.0`, which contains [breaking changes to the config file format](https://github.com/rustic-rs/rustic/releases/tag/v0.9.0). +- `rustic` was upgraded to `0.9.0`, which contains [breaking changes to the config file format](https://github.com/rustic-rs/rustic/releases/tag/v0.9.0). - `pkgs.formats.ini` and `pkgs.formats.iniWithGlobalSection` with `listsAsDuplicateKeys` or `listToValue` no longer merge non-list values into
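
Review bot: the NVIDIA entry reworded in the `@@ -197,7 +197,7 @@` hunk has a second copy that this patch leaves untouched. The trailing context of the `@@ -291,8 +290,8 @@` hunk still reads "The nvidia driver no longer defaults to the proprietary driver starting with version 560." Drop the duplicate or give it the same wording, so the two entries do not disagree on "driver" versus "kernel module".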
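
Review bot: in the `@@ -206,7 +206,7 @@` hunk the rewritten `transmission` entry keeps two slips from the old text: "back up to your data directory" should be "back up your data directory", and "has been released last year" should be "was released last year". Since the entry warns about data loss on upgrade, the backup instruction is the sentence readers will act on and should read cleanly.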
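
Review bot: the new `wstunnel` wording in the `@@ -234,14 +234,13 @@` hunk repeats itself in "accommodate for breaking changes and breaking changes to the module options were minimised". Suggest splitting it, for example "The module was updated to accommodate upstream breaking changes. Changes to the module options were kept to a minimum."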
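
Review bot: in the `openssh` entry of the `@@ -252,29 +251,29 @@` hunk, the example `programs.ssh.package = pkgs.openssh_gssapi` names neither of the two flavors the same sentence introduces (`opensshWithKerberos`, `openssh_hpnWithKerberos`). Make the example use one of the documented attribute names, or explain what `openssh_gssapi` is. Users who need Kerberos/GSSAPI will copy this line verbatim. Separately, the hunk drops "for the majority of users" from the attack-surface rationale; confirm that is intended.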
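
Review bot: the rewritten Budgie entry in the `@@ -305,15 +304,15 @@` hunk no longer says that the `budgie` and `budgiePlugins` scopes were removed, only that packages "have been moved to top-level". Keep the removal explicit so users know the old attribute paths stop evaluating. The entry also mixes plain "Budgie" with code-formatted `budgiePlugins`; use `budgie` for consistency.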
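
Review bot: in the second `nix` example of the `@@ -350,26 +349,36 @@` hunk, `CSIMigration=false;` lacks the spaces around `=` that the neighbouring `EphemeralContainers = true;` has. Format it as `CSIMigration = false;`. In the `frigate` entry of the same hunk, "access to the web interface and API are now protected" should be "is now protected".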
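
Review bot: the `skk-dict` entry in the `@@ -410,23 +419,23 @@` hunk ends with "will have the .utf8 suffix appended to its filename", where the subject is plural and the suffix is not code-formatted. Suggest "will have the `.utf8` suffix appended to their filenames". "If in doubt of what to use" would also read better as "If in doubt about which to use".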
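
Review bot: the new `ankisyncd` line in the `@@ -451,7 +460,7 @@` hunk reads "`ankisyncd` package and its `services.ankisyncd` have been removed", which leaves "its" without a noun. Either write "`ankisyncd` and its `services.ankisyncd` module have been removed" or follow the pattern used elsewhere in this patch, "`ankisyncd` and `services.ankisyncd` have been removed".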
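
Review bot: the `services.stargazer` entry in the `@@ -460,35 +469,35 @@` hunk still says "these changes make break certain setups" on the context line directly below the edited one. It should be "may break", and since the patch is a wording pass over this entry it is worth fixing here. The same hunk keeps "This change requires to manually move the state directory" in the `stalwart-mail` entry, which would read better as "This change requires manually moving the state directory".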
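
Review bot: in the `gitlab` entry of the `@@ -498,26 +507,26 @@` hunk, the "new runner registration workflow" link points to the same `#using-registration-tokens-after-gitlab-170` anchor as the "using registration tokens after GitLab 17.0" link just before it. Point it at the section describing the new workflow. "should migrate ... until the release of GitLab 18.0" also reads as if migration stops at 18.0; "before the release of GitLab 18.0" matches the intent.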
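
Review bot: the rewritten `dnscrypt-wrapper` entry in the `@@ -533,10 +542,10 @@` hunk ends with "See `services.dnsdist.dnscrypt`" and has no closing period. The old text referred to the option group as `services.dnsdist.dnscrypt.*`; keep the `.*` or say "the `services.dnsdist.dnscrypt` options", so it is clear this is a set of options and not a single one.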
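
Review bot: the edited `services.prometheus.exporters.minio` line in the `@@ -581,12 +590,12 @@` hunk keeps the typo "as it's upstream implementation"; it should be "its", as the unchanged `tor` entry right below already has. The line also drops the leading "The" but keeps "option", so it now reads "`services.prometheus.exporters.minio` option has been removed"; drop "option" as well to match the `services.patroni.raft` line in the same hunk.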
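
Review bot: the `connectionStringFile` entry in the `@@ -597,25 +606,25 @@` hunk explains a credential leak, but the sentence "into the cmdline of process making it effectively world-readable" is hard to parse. Suggest "into the command line of the exporter process, making it effectively world-readable", so the reason for the removal is unambiguous to operators deciding whether to rotate the database password.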
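
Review bot: in the `globalprotect-openconnect` entry of the `@@ -662,17 +670,17 @@` hunk the module name changes from `globalprotect-vpn` to `services.globalprotect`. Please confirm that this is the option namespace the removed module actually used, since the old and new names differ by more than the `services.` prefix. The sentence also now reads "related module `services.globalprotect` were dropped"; add "the" before "related module".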