cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2
nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md
Ryan Lahfa 5337ff6a80
Merge pull request #254405 from lf-/jade/nix-path-flakes 
nixos/flake: set up NIX_PATH and system flake registry automatically
2024-02-25 21:08:19 +01:00

31 KiB
Raw Blame History

Release 24.05 (“Uakari”, 2024.05/??)

Support is planned until the end of December 2024, handing over to 24.11.

Highlights

In addition to numerous new and upgraded packages, this release has the following highlights:

  • cryptsetup has been upgraded from 2.6.1 to 2.7.0. Cryptsetup is a critical component enabling LUKS-based (but not only) full disk encryption. Take the time to review the release notes. One of the highlight is that it is now possible to use hardware OPAL-based encryption of your disk with cryptsetup, it has a lot of caveats, see the above notes for the full details.

  • screen's module has been cleaned, and will now require you to set programs.screen.enable in order to populate screenrc and add the program to the environment.

  • linuxPackages_testing_bcachefs is now fully deprecated by linuxPackages_latest, and is therefore no longer available.

  • NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS.

    • This can be disabled through the environment.stub-ld.enable option.
    • If you use programs.nix-ld.enable, no changes are needed. The stub will be disabled automatically.

  • On flake-based NixOS configurations using nixpkgs.lib.nixosSystem, NixOS will automatically set NIX_PATH and the system-wide flake registry (/etc/nix/registry.json) to point <nixpkgs> and the unqualified flake path nixpkgs to the version of nixpkgs used to build the system.

    This makes nix run nixpkgs#hello and nix-build '<nixpkgs>' -A hello work out of the box with no added configuration, reusing dependencies already on the system.

    This may be undesirable if nix commands are not going to be run on the built system since it adds nixpkgs to the system closure. For such closure-size-constrained non-interactive systems, this setting should be disabled.

    To disable this, set nixpkgs.flake.setNixPath and nixpkgs.flake.setFlakeRegistry to false.

  • Julia environments can now be built with arbitrary packages from the ecosystem using the .withPackages function. For example: julia.withPackages ["Plots"].

  • A new option systemd.sysusers.enable was added. If enabled, users and groups are created with systemd-sysusers instead of with a custom perl script.

  • A new option virtualisation.containers.cdi was added. It contains static and dynamic attributes (corresponding to /etc/cdi and /run/cdi respectively) to configure the Container Device Interface (CDI).

  • virtualisation.docker.enableNvidia and virtualisation.podman.enableNvidia options are deprecated. virtualisation.containers.cdi.dynamic.nvidia.enable should be used instead. This option will expose GPUs on containers with the --device CLI option. This is supported by Docker 25, Podman 3.2.0 and Singularity 4. Any container runtime that supports the CDI specification will take advantage of this feature.

  • A new option system.etc.overlay.enable was added. If enabled, /etc is mounted via an overlayfs instead of being created by a custom perl script.

  • It is now possible to have a completely perlless system (i.e. a system without perl). Previously, the NixOS activation depended on two perl scripts which can now be replaced via an opt-in mechanism. To make your system perlless, you can use the new perlless profile:

    { modulesPath, ... }: {
  imports = [ "${modulesPath}/profiles/perlless.nix" ];
}

New Services

Backward Incompatibilities

  • himalaya was updated to v1.0.0-beta, which introduces breaking changes. Check out the release note for details.

  • The power.ups module now generates upsd.conf, upsd.users and upsmon.conf automatically from a set of new configuration options. This breaks compatibility with existing power.ups setups where these files were created manually. Back up these files before upgrading NixOS.

  • k9s was updated to v0.31. There have been various breaking changes in the config file format, check out the changelog of v0.29, v0.30 and v0.31 for details. It is recommended to back up your current configuration and let k9s recreate the new base configuration.

  • idris2 was updated to v0.7.0. This version introduces breaking changes. Check out the changelog for details.

  • neo4j has been updated to 5, you may want to read the release notes for Neo4j 5

  • services.neo4j.allowUpgrade was removed and no longer has any effect. Neo4j 5 supports automatic rolling upgrades.

  • nitter requires a guest_accounts.jsonl to be provided as a path or loaded into the default location at /var/lib/nitter/guest_accounts.jsonl. See Guest Account Branch Deployment for details.

  • boot.supportedFilesystems and boot.initrd.supportedFilesystems are now attribute sets instead of lists. Assignment from lists as done previously is still supported, but checking whether a filesystem is enabled must now by done using supportedFilesystems.fs or false instead of using lib.elem "fs" supportedFilesystems as was done previously.

  • services.aria2.rpcSecret has been replaced with services.aria2.rpcSecretFile. This was done so that secrets aren't stored in the world-readable nix store. To migrate, you will have create a file with the same exact string, and change your module options to point to that file. For example, services.aria2.rpcSecret = "mysecret" becomes services.aria2.rpcSecretFile = "/path/to/secret_file" where the file secret_file contains the string mysecret.

  • Invidious has changed its default database username from kemal to invidious. Setups involving an externally provisioned database (i.e. services.invidious.database.createLocally == false) should adjust their configuration accordingly. The old kemal user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)

  • inetutils now has a lower priority to avoid shadowing the commonly used util-linux. If one wishes to restore the default priority, simply use lib.setPrio 5 inetutils or override with meta.priority = 5.

  • paperless' services.paperless.extraConfig setting has been removed and converted to the freeform type and option named services.paperless.settings.

  • The legacy and long deprecated systemd target network-interfaces.target has been removed. Use network.target instead.

  • services.frp.settings now generates the frp configuration file in TOML format as recommended by upstream, instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options.

    • The settings.common section in the configuration is no longer valid and all the options form inside it now goes directly under settings.
    • The _ separating words in the configuration options is removed so the options are now in camel case. For example: server_addr becomes serverAddr, server_port becomes serverPort etc.
    • Proxies are now defined with a new option settings.proxies which takes a list of proxies.
    • Consult the upstream documentation for more details on the changes.

  • mkosi was updated to v20. Parts of the user interface have changed. Consult the release notes of v19 and v20 for a list of changes.

  • The woodpecker-* packages have been updated to v2 which includes breaking changes.

  • services.nginx will no longer advertise HTTP/3 availability automatically. This must now be manually added, preferably to each location block. Example:

      locations."/".extraConfig = ''
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
  '';
  locations."^~ /assets/".extraConfig = ''
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
  '';

  • The package optparse-bash is now dropped due to upstream inactivity. Alternatives available in Nixpkgs include argc, argbash, bashly and gum, to name a few.

  • The kanata package has been updated to v1.5.0, which includes breaking changes.

  • The craftos-pc package has been updated to v2.8, which includes breaking changes.

    • Files are now handled in binary mode; this could break programs with embedded UTF-8 characters.
    • The ROM was updated to match ComputerCraft version v1.109.2.
    • The bundled Lua was updated to Lua v5.2, which includes breaking changes. See the Lua manual for more information.
    • The WebSocket API was rewritten, which introduced breaking changes.

  • The gtest package has been updated past v1.13.0, which requires C++14 or higher.

  • The latest available version of Nextcloud is v28 (available as pkgs.nextcloud28). The installation logic is as follows:

  • The vendored third party libraries have been mostly removed from cudaPackages.nsight_systems, which we now only ship for cudaPackages_11_8 and later due to outdated dependencies. Users comfortable with the vendored dependencies may use overrideAttrs to amend the postPatch phase and the meta.broken correspondingly. Alternatively, one could package the deprecated boost170 locally, as required for cudaPackages_11_4.nsight_systems.

  • The cudaPackages package scope has been updated to cudaPackages_12.

  • Ada packages (libraries and tools) have been moved into the gnatPackages scope. gnatPackages uses the default GNAT compiler, gnat12Packages and gnat13Packages use the respective matching compiler version.

  • spark2014 has been renamed to gnatprove. A version of gnatprove matching different GNAT versions is available from the different gnatPackages sets.

  • services.resolved.fallbackDns can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead.

  • xxd has been moved from vim default output to its own output to reduce closure size. The canonical way to reference it across all platforms is unixtools.xxd.

  • The stalwart-mail package has been updated to v0.5.3, which includes breaking changes.

  • services.zope2 has been removed as zope2 is unmaintained and was relying on Python2.

  • services.avahi.nssmdns got split into services.avahi.nssmdns4 and services.avahi.nssmdns6 which enable the mDNS NSS switch for IPv4 and IPv6 respectively. Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts.

  • A warning has been added for services that are after = [ "network-online.target" ] but do not depend on it (e.g. using wants), because the dependency that multi-user.target has on network-online.target is planned for removal.

  • services.pgbouncer now has systemd support enabled and will log to journald. The default setting for services.pgbouncer.logFile is now null to disable logging to a separate log file.

  • services.archisteamfarm no longer uses the abbreviation asf for its state directory (/var/lib/asf), user and group (both asf). Instead the long name archisteamfarm is used. Configurations with system.stateVersion 23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory.

  • networking.iproute2.enable now does not set environment.etc."iproute2/rt_tables".text.

    Setting environment.etc."iproute2/{CONFIG_FILE_NAME}".text will override the whole configuration file instead of appending it to the upstream configuration file.

    CONFIG_FILE_NAME includes bpf_pinning, ematch_map, group, nl_protos, rt_dsfield, rt_protos, rt_realms, rt_scopes, and rt_tables.

  • netbox was updated to v3.7. services.netbox.package still defaults to v3.6 if stateVersion is earlier than 24.05. Refer to upstream's breaking changes for v3.7.0 and upgrade NetBox by changing services.netbox.package. Database migrations will be run automatically.

  • The executable file names for firefox-devedition, firefox-beta, firefox-esr now matches their package names, which is consistent with the firefox-*-bin packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher.

  • switch-to-configuration does not directly call systemd-tmpfiles anymore. Instead, the new artificial sysinit-reactivation.target is introduced which allows to restart multiple services that are ordered before sysinit.target and respect the ordering between the services.

  • The systemd.oomd module behavior is changed as:

    • Raise ManagedOOMMemoryPressureLimit from 50% to 80%. This should make systemd-oomd kill things less often, and fix issues like this. Reference: commit

    • Remove swap policy. This helps prevent killing processes when user's swap is small.

    • Expand the memory pressure policy to system.slice, user-.slice, and all user owned slices. Reference: commit

    • systemd.oomd.enableUserServices is renamed to systemd.oomd.enableUserSlices.

  • security.pam.enableSSHAgentAuth now requires services.openssh.authorizedKeysFiles to be non-empty, which is the case when services.openssh.enable is true. Previously, pam_ssh_agent_auth silently failed to work.

  • The configuration format for services.prometheus.exporters.snmp changed with release 0.23.0. The module now includes an optional config check, that is enabled by default, to make the change obvious before any deployment. More information about the configuration syntax change is available in the upstream repository.

  • watchdogd, a system and process supervisor using watchdog timers. Available as services.watchdogd.

  • The jdt-language-server package now uses upstream's provided python wrapper instead of our own custom wrapper. This results in the following breaking and notable changes:

    • The main binary for the package is now named jdtls instead of jdt-language-server, equivalent to what most editors expect the binary to be named.

    • JVM arguments should now be provided with the --jvm-arg flag instead of setting JAVA_OPTS.

    • The -data path is no longer required to run the package, and will be set to point to a folder in $TMP if missing.

  • nomad has been updated - note that HashiCorp recommends updating one minor version at a time. Please check their upgrade guide for information on safely updating clusters and potential breaking changes.

    • nomad is now Nomad 1.7.x.

    • nomad_1_4 has been removed, as it is now unsupported upstream.

  • The livebook package is now built as a mix release instead of an escript. This means that configuration now has to be done using environment variables instead of command line arguments. This has the further implication that the livebook service configuration has changed:

    • The erlang_node_short_name, erlang_node_name, port and options configuration parameters are gone, and have been replaced with an environment parameter. Use the appropriate environment variables inside environment to configure the service instead.

Other Notable Changes

  • addDriverRunpath has been added to facilitate the deprecation of the old addOpenGLRunpath setuphook. This change is motivated by the evolution of the setuphook to include all hardware acceleration.

  • Cinnamon has been updated to 6.0. Please beware that the Wayland session is still experimental in this release.

  • services.postgresql.extraPlugins changed its type from just a list of packages to also a function that returns such a list. For example a config line like services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ]; is recommended to be changed to services.postgresql.extraPlugins = ps: with ps; [ postgis ];;

  • The Matrix homeserver Synapse module now supports configuring UNIX domain socket listeners through the path option. The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.

  • Programs written in Nim are built with libraries selected by lockfiles. The nimPackages and nim2Packages sets have been removed. See https://nixos.org/manual/nixpkgs/unstable#nim for more information.

  • Portunus has been updated to major version 2. This version of Portunus supports strong password hashes, but the legacy hash SHA-256 is also still supported to ensure a smooth migration of existing user accounts. After upgrading, follow the instructions on the upstream release notes to upgrade all user accounts to strong password hashes. Support for weak password hashes will be removed in NixOS 24.11.

  • A stdenv's default set of hardening flags can now be set via its bintools-wrapper's defaultHardeningFlags argument. A convenient stdenv adapter, withDefaultHardeningFlags, can be used to override an existing stdenv's defaultHardeningFlags.

  • libass now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with mpv, ffmpeg, etc.

  • Lilypond and Denemo are now compiled with Guile 3.0.

  • The following options of the Nextcloud module were moved into services.nextcloud.settings and renamed to match the name from Nextcloud's config.php:

  • The option [services.nextcloud.config.dbport] of the Nextcloud module was removed to match upstream. The port can be specified in services.nextcloud.config.dbhost.

  • A new abstraction to create both read-only as well as writable overlay file systems was added. Available via fileSystems.overlay. See also the NixOS docs.

  • systemd units can now specify the Upholds= and UpheldBy= unit dependencies via the aptly named upholds and upheldBy options. These options get systemd to enforce that the dependencies remain continuosly running for as long as the dependent unit is in a running state.

  • stdenv: The --replace flag in substitute, substituteInPlace, substituteAll, substituteAllStream, and substituteStream is now deprecated if favor of the new --replace-fail, --replace-warn and --replace-quiet. The deprecated --replace equates to --replace-warn.

  • A new hardening flag, zerocallusedregs was made available, corresponding to the gcc/clang option -fzero-call-used-regs=used-gpr.

  • New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see services.dnsdist.dnscrypt.enable, etc.). The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.

  • With a bump to sonarr v4, existing config database files will be upgraded automatically, but note that some old apparently-working configs might actually be corrupt and fail to upgrade cleanly.

  • The Yama LSM is now enabled by default in the kernel, which prevents ptracing non-child processes. This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child). Or you can set boot.kernel.sysctl."kernel.yama.ptrace_scope" to 0.

  • The netbird module now allows running multiple tunnels in parallel through services.netbird.tunnels.

  • Nginx virtual hosts using forceSSL or globalRedirect can now have redirect codes other than 301 through redirectCode.

  • libjxl 0.9.0 dropped support for the butteraugli API. You will no longer be able to set enableButteraugli on libaom.

  • The source of the mockgen package has changed to the go.uber.org/mock fork because the original repository is no longer maintained.

  • security.pam.enableSSHAgentAuth was renamed to security.pam.sshAgentAuth.enable and an authorizedKeysFiles option was added, to control which authorized_keys files are trusted. It defaults to the previous behaviour, which is insecure: see #31611.

  • changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as since 22.11.

  • A new top-level package set, pkgsExtraHardening is added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features).

  • services.zfs.zed.enableMail now uses the global sendmail wrapper defined by an email module (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.

  • nextcloud-setup.service no longer changes the group of each file & directory inside /var/lib/nextcloud/{config,data,store-apps} if one of these directories has the wrong owner group. This was part of transitioning the group used for /var/lib/nextcloud, but isn't necessary anymore.

  • The krb5 module has been rewritten and moved to security.krb5, moving all options but security.krb5.enable and security.krb5.package into security.krb5.settings.

  • Gitea 1.21 upgrade has several breaking changes, including:

    • Custom themes and other assets that were previously stored in custom/public/* now belong in custom/public/assets/*
    • New instances of Gitea using MySQL now ignore the [database].CHARSET config option and always use the utf8mb4 charset, existing instances should migrate via the gitea doctor convert CLI command.

  • The services.paperless module no longer uses the previously downloaded NLTK data stored in /var/cache/paperless/nltk. This directory can be removed.

  • The services.teeworlds module now has a wealth of configuration options, including a new package option.

  • The hardware.pulseaudio module now sets permission of pulse user home directory to 755 when running in "systemWide" mode. It fixes issue 114399.

  • The module services.github-runner has been removed. To configure a single GitHub Actions Runner refer to services.github-runners.*. Note that this will trigger a new runner registration.

  • The btrbk module now automatically selects and provides required compression program depending on the configured stream_compress option. Since this replaces the need for the extraPackages option, this option will be deprecated in future releases.

  • The mpich package expression now requires withPm to be a list, e.g. "hydra:gforker" becomes [ "hydra" "gforker" ].

  • YouTrack is bumped to 2023.3. The update is not performed automatically, it requires manual interaction. See the YouTrack section in the manual for details.

  • QtMultimedia has changed its default backend to QT_MEDIA_BACKEND=ffmpeg (previously gstreamer on Linux or darwin on MacOS). The previous native backends remain available but are now minimally maintained. Refer to upstream documentation for further details about each platform.

  • The oil shell is now using the c++ version by default. The python based build is still available as oil-python