talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity
nixpkgs/nixos/doc/manual/release-notes/rl-2411.section.md
Vladimír Čunát 28e9b6d60f
Merge staging-next 2024-09-01 (#338840)
2024-09-10 07:42:45 +02:00

39 KiB
Raw Blame History

Release 24.11 (“Vicuña”, 2024.11/??)

Highlights

  • This will be the last release of Nixpkgs to support macOS Sierra 10.12 to macOS Catalina 10.15. Starting with release 25.05, the minimum supported version will be macOS Big Sur 11, and we cannot guarantee that packages will continue to work on older versions of macOS. Users on old macOS versions should consider upgrading to a supported version (potentially using OpenCore Legacy Patcher for old hardware) or installing NixOS. If neither of those options are viable and you require new versions of software, MacPorts supports back to Mac OS X Snow Leopard 10.6.

  • Convenience options for amdgpu, open source driver for Radeon cards, is now available under hardware.amdgpu.

  • AMDVLK, AMD's open source Vulkan driver, is now available to be configured as hardware.amdgpu.amdvlk option. This also allows configuring runtime settings of AMDVLK and enabling experimental features.

  • The moonlight-qt package (Moonlight game streaming) now has HDR support on Linux systems.

  • PostgreSQL now defaults to major version 16.

  • authelia has been upgraded to version 4.38. This version brings several features and improvements which are detailed in the release blog post. This release also deprecates some configuration keys, which are likely to be removed in future version 5.0, but they are still supported and expected to be working in the current version.

  • compressDrv can compress selected files in a derivation. compressDrvWeb compresses files for common web server usage (.gz with zopfli, .br with brotli).

  • hardware.display is a new module implementing workarounds for misbehaving monitors through setting up custom EDID files and forcing kernel/framebuffer modes.

  • A new display-manager services.displayManager.ly was added. It is a tui based replacement of sddm and lightdm for window manager users. Users can use it by services.displayManager.ly.enable and config it by services.displayManager.ly.settings to generate /etc/ly/config.ini

  • The default sound server for most graphical sessions has been switched from PulseAudio to PipeWire. Users that want to keep PulseAudio will want to set services.pipewire.enable = false; and hardware.pulseaudio.enable = true;. There is currently no plan to fully deprecate and remove PulseAudio, however, PipeWire should generally be preferred for new installs.

  • The Rust rewrite of the switch-to-configuration program is now used for system activation by default. If you experience any issues, please report them. The original Perl script can still be used for now by setting system.switch.enableNg to false.

New Modules

Backward Incompatibilities

  • transmission package has been aliased with a trace warning to transmission_3. Since Transmission 4 has been released last year, and Transmission 3 will eventually go away, it was decided perform this warning alias to make people aware of the new version. The services.transmission.package defaults to transmission_3 as well because the upgrade can cause data loss in certain specific usage patterns (examples: #5153, #6796). Please make sure to back up to your data directory per your usage:

    • transmission-gtk: ~/.config/transmission
    • transmission-daemon using NixOS module: ${config.services.transmission.home}/.config/transmission-daemon (defaults to /var/lib/transmission/.config/transmission-daemon)

  • androidenv.androidPkgs_9_0 has been removed, and replaced with androidenv.androidPkgs for a more complete Android SDK including support for Android 9 and later.

  • grafana has been updated to version 11.1. This version doesn't support setting http_addr to a hostname anymore, an IP address is expected.

  • knot-dns has been updated to version 3.4.x. Check the migration guide for breaking changes.

  • services.kubernetes.kubelet.clusterDns now accepts a list of DNS resolvers rather than a single string, bringing the module more in line with the upstream Kubelet configuration schema.

  • wstunnel has had a major version upgrade that entailed rewriting the program in Rust. The module was updated to accommodate for breaking changes. Breaking changes to the module API were minimised as much as possible, but some were nonetheless inevitable due to changes in the upstream CLI. Certain options were moved from separate CLI arguments into the forward specifications, and those options were also removed from the module's API, please consult the wstunnel man page for more detail. Also be aware that if you have set additional options in services.wstunnel.{clients,servers}.<name>.extraArgs, that those might have been removed or modified upstream.

  • clang-tools_<version> packages have been moved into llvmPackages_<version> (i.e. clang-tools_18 is now llvmPackages_18.clang-tools).

    • For convenience, the top-level clang-tools attribute remains and is now bound to llvmPackages.clang-tools.
    • Top-level clang_tools_<version> attributes are now aliases; these will be removed in a future release.

  • buildbot was updated to 4.0, the AngularJS frontend has been replaced by a React frontend, see the upstream release notes.

  • nginx package no longer includes gd and geoip dependencies. For enabling it, override nginx package with the optionals withImageFilter and withGeoIP.

  • systemd.enableUnifiedCgroupHierarchy option has been removed. In systemd 256 support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now considered obsolete and systemd by default will refuse to boot under it. To forcibly reenable cgroup v1 support, you can set boot.kernelParams = [ "systemd.unified_cgroup_hierachy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ]. NixOS does not officially support this configuration and might cause your system to be unbootable in future versions. You are on your own.

  • openssh and openssh_hpn are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can use the new opensshWithKerberos and openssh_hpnWithKerberos flavors (e.g. programs.ssh.package = pkgs.openssh_gssapi).

  • security.ipa.ipaHostname now defaults to the value of networking.fqdn if it is set, instead of the previous hardcoded default of ${networking.hostName}.${security.ipa.domain}.

  • The MSMTP_QUEUE and MSMTP_LOG environment variables accepted by msmtpq have now been renamed to MSMTPQ_Q and MSMTPQ_LOG respectively.

  • The fcgiwrap module now allows multiple instances running as distinct users. The option services.fgciwrap now takes an attribute set of the configuration of each individual instance. This requires migrating any previous configuration keys from services.fcgiwrap.* to services.fcgiwrap.instances.some-instance.*. The ownership and mode of the UNIX sockets created by this service are now configurable and private by default. Processes also now run as a dynamically allocated user by default instead of root.

  • The mautrix-signal module was adapted to incorporate the configuration rearrangement that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work. In case you want to update your configuration make sure to check the NixOS manual.

  • The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set hardware.nvidia.open to select the proprietary or open driver.

  • singularity-tools have the storeDir argument removed from its override interface and use builtins.storeDir instead.

  • Two build helpers in singularity-tools, i.e., mkLayer and shellScript, are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases.

  • The rust.toTargetArch, rust.toTargetOs, rust.toTargetFamily, rust.toTargetVendor, rust.toRustTarget, rust.toRustTargetSpec, rust.toRustTargetSpecShort, and rust.IsNoStdTarget functions are deprecated in favour of the rust.platform.arch, rust.platform.os, rust.platform.target-family, rust.platform.vendor, rust.rustcTarget, rust.rustcTargetSpec, rust.cargoShortTarget, rust.cargoEnvVarTarget, and rust.isNoStdTarget platform attributes respectively.

  • The budgie and budgiePlugins scope have been removed and their packages moved into the top level scope (i.e., budgie.budgie-desktop is now budgie-desktop)

  • All Cinnamon and XApp packages have been moved to top-level (i.e., cinnamon.nemo is now nemo).

  • All GNOME packages have been moved to top-level (i.e., gnome.nautilus is now nautilus).

  • services.cgit now runs as the cgit user by default instead of root. This change requires granting access to the repositories to this user or setting the appropriate one through services.cgit.some-instance.user.

  • nvimpager was updated to version 0.13.0, which changes the order of user and nvimpager settings: user commands in -c and --cmd now override the respective default settings because they are executed later.

  • Kubernetes featureGates have changed from a listOf str to attrsOf bool. This refactor makes it possible to also disable feature gates, without having to use extraOpts flags.

    A previous configuration may have looked like this:

    featureGates = [ "EphemeralContainers" ];
extraOpts = pkgs.lib.concatStringsSep " " (
[
  ''--feature-gates="CSIMigration=false"''
});

    Using an AttrSet instead, the new configuration would be:

    featureGates = {EphemeralContainers = true; CSIMigration=false;};

  • pkgs.nextcloud27 has been removed since it's EOL.

  • frigate was updated past 0.14.0. This release includes various breaking changes, so please go read the release notes. Most prominently access to the webinterface and API are now protected by authentication. Retrieve the auto-created admin account from the frigate.service journal after upgrading.

  • services.forgejo.mailerPasswordFile has been deprecated by the drop-in replacement services.forgejo.secrets.mailer.PASSWD, which is part of the new free-form services.forgejo.secrets option. services.forgejo.secrets is a small wrapper over systemd's LoadCredential=. It has the same structure (sections/keys) as services.forgejo.settings but takes file paths that will be read before service startup instead of some plaintext value.

  • forgejo and forgejo-lts no longer support the opt-in feature PAM (Pluggable Authentication Module).

  • gitea no longer supports the opt-in feature [PAM (Pluggable Authentication Module)][https://docs.gitea.com/usage/authentication#pam-pluggable-authentication-module].

  • services.ddclient.use has been deprecated: ddclient now supports separate IPv4 and IPv6 configuration. Use services.ddclient.usev4 and services.ddclient.usev6 instead.

  • services.pgbouncer systemd service is configured with Type=notify-reload and allows reloading configuration without process restart. PgBouncer configuration options were moved to the free-form type option named services.pgbouncer.settings according to the NixOS RFC 0042.

  • teleport has been upgraded from major version 15 to major version 16. Refer to upstream upgrade instructions and release notes for v16.

  • tests.overriding has its passthru.tests restructured as an attribute set instead of a list, making individual tests accessible by their names.

  • vaultwarden lost the capability to bind to privileged ports. If you rely on this behavior, override the systemd unit to allow CAP_NET_BIND_SERVICE in your local configuration.

  • The Invoiceplane module now only accepts the structured settings option. extraConfig is now removed.

  • The ollama services replaces its sandbox toggle with options to configure a static user and group. The writablePaths option has been removed and the models directory is now always exempt from sandboxing.

  • Legacy package stalwart-mail_0_6 was dropped, please note the manual upgrade process before changing the package to pkgs.stalwart-mail in services.stalwart-mail.package.

  • The nomad_1_5 package was dropped, as it has reached end-of-life upstream. Evaluating it will throw an error.

  • androidndkPkgs has been updated to androidndkPkgs_26.

  • Android NDK version 26 and SDK version 33 are now the default versions used for cross compilation to android.

  • nodePackages.vscode-css-languageserver-bin, nodePackages.vscode-html-languageserver-bin, and nodePackages.vscode-json-languageserver-bin were dropped due to an unmaintained upstream. The vscode-langservers-extracted package is a maintained drop-in replacement.

  • nodePackages.prisma has been replaced by prisma.

  • fetchNextcloudApp has been rewritten to use fetchurl rather than fetchzip. This invalidates all existing hashes but you can restore the old behavior by passing it unpack = true.

  • haskell.lib.compose.justStaticExecutables now disallows references to GHC in the output by default, to alert users to closure size issues caused by #164630. See "Packaging Helpers" in the Haskell section of the Nixpkgs manual for information on working around output '...' is not allowed to refer to the following paths errors caused by this change.

  • The stalwart-mail service now runs under the stalwart-mail system user instead of a dynamically created one via DynamicUser, to avoid automatic ownership changes on its large file store each time the service was started. This change requires to manually move the state directory from /var/lib/private/stalwart-mail to /var/lib/stalwart-mail and to change the ownership of the directory and its content to stalwart-mail.

  • The stalwart-mail module now uses RocksDB as the default storage backend for stateVersion ≥ 24.11. (It was previously using SQLite for structured data and the filesystem for blobs).

  • The stargazer service has been hardened to improve security, but these changes make break certain setups, particularly around traditional CGI.

    • The stargazer.allowCgiUser option has been added, enabling Stargazer's cgi-user option to work, which was previously broken.

  • The shiori service now requires an HTTP secret value SHIORI_HTTP_SECRET_KEY to be provided via environment variable. The nixos module therefore, now provides an environmentFile option:

    # This is how a environment file can be generated:
# $ printf "SHIORI_HTTP_SECRET_KEY=%s\n" "$(openssl rand -hex 16)" > /path/to/env-file
services.shiori.environmentFile = "/path/to/env-file";

  • /share/nano is now only linked when programs.nano.enable is enabled.

  • PPD files for Utax printers got renamed (spaces replaced by underscores) in newest foomatic-db package; users of Utax printers might need to adapt their hardware.printers.ensurePrinters.*.model value.

  • The kvdo kernel module package was removed, because it was upstreamed in kernel version 6.9, where it is called dm-vdo.

  • libe57format has been updated to >= 3.0.0, which contains some backward-incompatible API changes. See the release note for more details.

  • gitlab deprecated support for runner registration tokens in GitLab 16.0, disabled their support in GitLab 17.0 and will ultimately remove it in GitLab 18.0, as outlined in the documentation. After upgrading to GitLab >= 17.0, it is possible to re-enable support for registration tokens in the UI until GitLab 18.0. Refer to the manual on using registration tokens after GitLab 17.0. GitLab administrators should migrate to the new runner registration workflow with runner authentication tokens until the release of GitLab 18.0.

  • gitlab has been updated from 16.x to 17.x and requires at least postgresql 14.9, as stated in the documentation. Check the upgrade guide in the NixOS manual on how to upgrade your PostgreSQL installation.

  • gitaly (part of gitlab) is now using the bundled git package instead of pkgs.git to maintain compatibility with GitLab.

  • nixos/gitlab no longer adds pkgs.git to environment.systemPackages by default.

  • The replay-sorcery package and module was removed as it unmaintained upstream. Consider using gpu-screen-recorder or obs-studio instead.

  • To follow RFC 0042 a few options of samba have been moved from extraConfig and configText to the new freeform option settings and renamed, e.g.:

    • services.samba.invalidUsers to services.samba.settings.global."invalid users"
    • services.samba.securityType to services.samba.settings.global."security type"
    • services.samba.shares to services.samba.settings
    • services.samba.enableWinbindd to services.samba.winbindd.enable
    • services.samba.enableNmbd to services.samba.nmbd.enable

  • zx was updated to v8, which introduces several breaking changes. See the v8 changelog for more information.

  • The portunus package and service do not support weak password hashes anymore. If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing. Then, follow the instructions on the upstream release notes to upgrade all existing user accounts to strong password hashes. If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration:

    services.portunus.package      = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; };
services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };

  • The default value of services.kubernetes.kubelet.hostname is now lowercased. Explicitly set kubelet.hostname to networking.fqdnOrHostName to get back the old default behavior.

  • Docker now defaults to 27.x, because version 24.x stopped receiving security updates and bug fixes after February 1, 2024.

  • postgresql was split into default and -dev outputs. To make this work without circular dependencies, the output of the pg_config system view has been removed. The pg_config binary is provided in the -dev output and still works as expected.

  • keycloak was updated to version 25, which introduces new hostname related options. See Upgrading Guide for instructions.

  • programs.vim.defaultEditor now only works if programs.vim.enable is enabled.

  • The indi-full package no longer contains non-free drivers. To get the old collection of drivers use indi-full-nonfree or create your own collection of drivers by overriding indi-with-drivers. E.g.: pkgs.indi-with-drivers.override {extraDrivers = with pkgs.indi-3rdparty; [indi-gphoto];}

  • /share/vim-plugins now only gets linked if programs.vim.enable is enabled

  • The tracy package no longer works on X11, since it's moved to Wayland support, which is the intended default behavior by Tracy maintainers. X11 users have to switch to the new package tracy-x11.

  • The services.prometheus.exporters.minio option has been removed, as it's upstream implementation was broken and unmaintained. Minio now has built-in Prometheus metrics exposure, which can be used instead.

  • The services.patroni.raft option has been removed, as Raft has been deprecated by upstream since 3.0.0

  • services.roundcube.maxAttachmentSize will multiply the value set with 1.37 to offset overhead introduced by the base64 encoding applied to attachments.

  • The sound options have been removed or renamed, as they had a lot of unintended side effects. See below for details.

  • The services.mxisd module has been removed as both mxisd and ma1sd are not maintained any longer. Consequently the package pkgs.ma1sd has also been removed.

  • ffmpeg_5 has been removed. Please use the unversioned ffmpeg, pin a newer version, or if necessary pin ffmpeg_4 for compatibility.

  • The xdg.portal.gtkUsePortal option has been removed, as it had been deprecated for over 2 years. Using the GTK_USE_PORTAL environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via environment.sessionVariables.

  • The services.trust-dns module has been renamed to services.hickory-dns.

  • The option services.prometheus.exporters.pgbouncer.connectionStringFile has been removed since it leaked the connection string (and thus potentially the DB password) into the cmdline of process making it effectively world-readable.

    Use services.prometheus.exporters.pgbouncer.connectionEnvFile instead.

  • The lsh package and the services.lshd module have been removed as they had no maintainer in Nixpkgs and hadnt seen an upstream release in over a decade. It is recommended to migrate to openssh and services.openssh.

  • opencv2 and opencv3 have been removed, as they are obsolete and were not used by any other package. External users are encouraged to migrate to OpenCV 4.

  • The tvheadend package and the services.tvheadend module have been removed as nobody was willing to maintain them and they were stuck on an unmaintained version that required FFmpeg 4; please see pull request #332259 if you are interested in maintaining a newer version.

  • The antennas package and the services.antennas module have been removed as they only work with tvheadend (see above).

  • The system.build.brightboxImage image has been removed as It did not build anymore and has not seen any maintenance in over 7 years (excluding tree-wide changes).

  • The services.syncplay module now exposes all currently available command-line arguments for syncplay-server as options, as well as a useACMEHost option for easy TLS setup. The systemd service now uses DynamicUser/StateDirectory and the user and group options have been deprecated.

  • The openlens package got removed, suggested replacment lens-desktop

  • The NixOS installation media no longer support the ReiserFS or JFS file systems by default.

  • Minimal installer ISOs are no longer built on the small channel. Please obtain installer images from the full release channels.

Other Notable Changes

  • The zerocallusedregs hardening flag is enabled by default on compilers that support it.

  • The stackclashprotection hardening flag has been added, though disabled by default.

  • The pacret hardening flag has been added, though disabled by default.

  • cargoSha256 in rustPlatform.buildRustPackage has been deprecated in favor of cargoHash which supports SRI hashes. See buildRustPackage: Compiling Rust applications with Cargo for more information.

  • The vendorHash of Go packages built with buildGoModule can now be overridden with overrideAttrs. goModules, modRoot, vendorHash, deleteVendor, and proxyVendor are now passed as derivation attributes. goModules and vendorHash are no longer placed under passthru.

  • hareHook has been added as the language framework for Hare. From now on, it, not the hare package, should be added to nativeBuildInputs when building Hare programs.

  • lib.options.mkPackageOptionMD is now obsolete; use the identical lib.options.mkPackageOption instead.

  • lib.misc.mapAttrsFlatten is now formally deprecated and will be removed in future releases; use the identical lib.attrsets.mapAttrsToList instead.

  • nixosTests now provide a working IPv6 setup for VLAN 1 by default.

  • Kanidm can now be provisioned using the new [services.kanidm.provision] option, but requires using a patched version available via pkgs.kanidm.withSecretProvisioning.

  • Kanidm previously had an incorrect systemd service type, causing dependent units with an after and requires directive to start before kanidm* finished startup. The module has now been updated in line with upstream recommendations.

  • The kubelet configuration file can now be amended with arbitrary additional content using the services.kubernetes.kubelet.extraConfig option.

  • To facilitate dependency injection, the imgui package now builds a static archive using vcpkg' CMake rules. The derivation now installs "impl" headers selectively instead of by a wildcard. Use imgui.src if you just want to access the unpacked sources.

  • Unprivileged access to the kernel syslog via dmesg is now restricted by default. Users wanting to keep an unrestricted access to it can set boot.kernel.sysctl."kernel.dmesg_restrict" = false.

  • The i18n.inputMethod module introduces two new properties: enable and type, for declaring whether to enable an alternative input method and defining which input method respectfully. The options available in type are the same as the existing enabled option. enabled is now deprecated, and will be removed in a future release.

  • security.pam.u2f now follows RFC42. All module options are now settable through the freeform .settings.

  • Gollum was upgraded to major version 6. Read their migration notes.

  • The hooks yarnConfigHook and yarnBuildHook were added. These should replace yarn2nix.mkYarnPackage and other yarn2nix related tools. The motivation to get rid of yarn2nix tools is the fact that they are too complex and hard to maintain, and they rely upon too much Nix evaluation which is problematic if import-from-derivation is not allowed (see more details at #296856. The transition from mkYarnPackage to yarn{Config,Build}Hook is tracked at #324246.

  • services.timesyncd.servers now defaults to null, allowing systemd-timesyncd to use NTP servers advertised by DHCP.

  • services.timesyncd.fallbackServers was added and defaults to networking.timeServers.

  • Cinnamon has been updated to 6.2, please check upstream announcement for more details. Following Mint 22 defaults, the Cinnamon module no longer ships geary and hexchat by default.

  • The shadowstack hardening flag has been added, though disabled by default.

  • xxd is now provided by the tinyxxd package, rather than vim.xxd, to reduce closure size and vulnerability impact. Since it has the same options and semantics as Vim's xxd utility, there is no user impact. Vim's xxd remains available as the vim.xxd package.

  • prometheus-openldap-exporter was removed since it was unmaintained upstream and had no nixpkgs maintainers.

  • restic module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as services.restic.backups.<name>.inhibitsSleep.

  • Support for runner registration tokens has been deprecated in gitlab-runner 15.6 and is expected to be removed in gitlab-runner 18.0. Configuration of existing runners should be changed to using runner authentication tokens by configuring {option}services.gitlab-runner.services.<name>.authenticationTokenConfigFile instead of the former {option}services.gitlab-runner.services.<name>.registrationConfigFile option.

  • iproute2 now has libbpf support.

  • nix.channel.enable = false no longer implies nix.settings.nix-path = []. Since Nix 2.13, a nix-path set in nix.conf cannot be overriden by the NIX_PATH configuration variable.

Detailed migration information

sound options removal

The sound options have been largely removed, as they are unnecessary for most modern setups, and cause issues when enabled.

If you set sound.enable in your configuration:

  • If you are using Pulseaudio or PipeWire, simply remove that option
  • If you are not using an external sound server, and want volumes to be persisted across shutdowns, set hardware.alsa.enablePersistence = true instead

If you set sound.enableOSSEmulation in your configuration:

  • Make sure it is still necessary, as very few applications actually use OSS
  • If necessary, set boot.kernelModules = [ "snd_pcm_oss" ]

If you set sound.extraConfig in your configuration:

  • If you are using another sound server, like Pulseaudio, JACK or PipeWire, migrate your configuration to that
  • If you are not using an external sound server, set environment.etc."asound.conf".text = yourExtraConfig instead

If you set sound.mediaKeys in your configuration:

  • Preferably switch to handling media keys in your desktop environment/compositor
  • If you want to maintain the exact behavior of the option, use the following snippet
services.actkbd = let
  volumeStep = "1%";
in {
  enable = true;
  bindings = [
    # "Mute" media key
    { keys = [ 113 ]; events = [ "key" ];       command = "${alsa-utils}/bin/amixer -q set Master toggle"; }

    # "Lower Volume" media key
    { keys = [ 114 ]; events = [ "key" "rep" ]; command = "${alsa-utils}/bin/amixer -q set Master ${volumeStep}- unmute"; }

    # "Raise Volume" media key
    { keys = [ 115 ]; events = [ "key" "rep" ]; command = "${alsa-utils}/bin/amixer -q set Master ${volumeStep}+ unmute"; }

    # "Mic Mute" media key
    { keys = [ 190 ]; events = [ "key" ];       command = "${alsa-utils}/bin/amixer -q set Capture toggle"; }
  ];
};