You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
790 lines
33 KiB
790 lines
33 KiB
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-19.03">
|
|
<title>Release 19.03 (<quote>Koi</quote>, 2019/04/11)</title>
|
|
<section xml:id="sec-release-19.03-highlights">
|
|
<title>Highlights</title>
|
|
<para>
|
|
In addition to numerous new and upgraded packages, this release
|
|
has the following highlights:
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
End of support is planned for end of October 2019, handing
|
|
over to 19.09.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The default Python 3 interpreter is now CPython 3.7 instead of
|
|
CPython 3.6.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Added the Pantheon desktop environment. It can be enabled
|
|
through
|
|
<literal>services.xserver.desktopManager.pantheon.enable</literal>.
|
|
</para>
|
|
<note>
|
|
<para>
|
|
By default,
|
|
<literal>services.xserver.desktopManager.pantheon</literal>
|
|
enables LightDM as a display manager, as pantheon's screen
|
|
locking implementation relies on it. Because of that it is
|
|
recommended to leave LightDM enabled. If you'd like to
|
|
disable it anyway, set
|
|
<literal>services.xserver.displayManager.lightdm.enable</literal>
|
|
to <literal>false</literal> and enable your preferred
|
|
display manager.
|
|
</para>
|
|
</note>
|
|
<para>
|
|
Also note that Pantheon's LightDM greeter is not enabled by
|
|
default, because it has numerous issues in NixOS and isn't
|
|
optimal for use here yet.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A major refactoring of the Kubernetes module has been
|
|
completed. Refactorings primarily focus on decoupling
|
|
components and enhancing security. Two-way TLS and RBAC has
|
|
been enabled by default for all components, which slightly
|
|
changes the way the module is configured. See:
|
|
<xref linkend="sec-kubernetes" /> for details.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
There is now a set of <literal>confinement</literal> options
|
|
for <literal>systemd.services</literal>, which allows to
|
|
restrict services into a chroot 2 ed environment that only
|
|
contains the store paths from the runtime closure of the
|
|
service.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
<section xml:id="sec-release-19.03-new-services">
|
|
<title>New Services</title>
|
|
<para>
|
|
The following new services were added since the last release:
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>./programs/nm-applet.nix</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
There is a new <literal>security.googleOsLogin</literal>
|
|
module for using
|
|
<link xlink:href="https://cloud.google.com/compute/docs/instances/managing-instance-access">OS
|
|
Login</link> to manage SSH access to Google Compute Engine
|
|
instances, which supersedes the imperative and broken
|
|
<literal>google-accounts-daemon</literal> used in
|
|
<literal>nixos/modules/virtualisation/google-compute-config.nix</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>./services/misc/beanstalkd.nix</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
There is a new <literal>services.cockroachdb</literal> module
|
|
for running CockroachDB databases. NixOS now ships with
|
|
CockroachDB 2.1.x as well, available on
|
|
<literal>x86_64-linux</literal> and
|
|
<literal>aarch64-linux</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>./security/duosec.nix</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <link xlink:href="https://duo.com/docs/duounix">PAM module
|
|
for Duo Security</link> has been enabled for use. One can
|
|
configure it using the <literal>security.duosec</literal>
|
|
options along with the corresponding PAM option in
|
|
<literal>security.pam.services.<name?>.duoSecurity.enable</literal>.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
<section xml:id="sec-release-19.03-incompatibilities">
|
|
<title>Backward Incompatibilities</title>
|
|
<para>
|
|
When upgrading from a previous release, please be aware of the
|
|
following incompatible changes:
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The minimum version of Nix required to evaluate Nixpkgs is now
|
|
2.0.
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
For users of NixOS 18.03 and 19.03, NixOS defaults to Nix
|
|
2.0, but supports using Nix 1.11 by setting
|
|
<literal>nix.package = pkgs.nix1;</literal>. If this
|
|
option is set to a Nix 1.11 package, you will need to
|
|
either unset the option or upgrade it to Nix 2.0.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
For users of NixOS 17.09, you will first need to upgrade
|
|
Nix by setting
|
|
<literal>nix.package = pkgs.nixStable2;</literal> and run
|
|
<literal>nixos-rebuild switch</literal> as the
|
|
<literal>root</literal> user.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
For users of a daemon-less Nix installation on Linux or
|
|
macOS, you can upgrade Nix by running
|
|
<literal>curl -L https://nixos.org/nix/install | sh</literal>,
|
|
or prior to doing a channel update, running
|
|
<literal>nix-env -iA nix</literal>. If you have already
|
|
run a channel update and Nix is no longer able to evaluate
|
|
Nixpkgs, the error message printed should provide adequate
|
|
directions for upgrading Nix.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
For users of the Nix daemon on macOS, you can upgrade Nix
|
|
by running
|
|
<literal>sudo -i sh -c 'nix-channel --update && nix-env -iA nixpkgs.nix'; sudo launchctl stop org.nixos.nix-daemon; sudo launchctl start org.nixos.nix-daemon</literal>.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>buildPythonPackage</literal> function now sets
|
|
<literal>strictDeps = true</literal> to help distinguish
|
|
between native and non-native dependencies in order to improve
|
|
cross-compilation compatibility. Note however that this may
|
|
break user expressions.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>buildPythonPackage</literal> function now sets
|
|
<literal>LANG = C.UTF-8</literal> to enable Unicode support.
|
|
The <literal>glibcLocales</literal> package is no longer
|
|
needed as a build input.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The Syncthing state and configuration data has been moved from
|
|
<literal>services.syncthing.dataDir</literal> to the newly
|
|
defined <literal>services.syncthing.configDir</literal>, which
|
|
default to
|
|
<literal>/var/lib/syncthing/.config/syncthing</literal>. This
|
|
change makes possible to share synced directories using ACLs
|
|
without Syncthing resetting the permission on every start.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>ntp</literal> module now has sane default
|
|
restrictions. If you're relying on the previous defaults,
|
|
which permitted all queries and commands from all
|
|
firewall-permitted sources, you can set
|
|
<literal>services.ntp.restrictDefault</literal> and
|
|
<literal>services.ntp.restrictSource</literal> to
|
|
<literal>[]</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Package <literal>rabbitmq_server</literal> is renamed to
|
|
<literal>rabbitmq-server</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>light</literal> module no longer uses setuid
|
|
binaries, but udev rules. As a consequence users of that
|
|
module have to belong to the <literal>video</literal> group in
|
|
order to use the executable (i.e.
|
|
<literal>users.users.yourusername.extraGroups = ["video"];</literal>).
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Buildbot now supports Python 3 and its packages have been
|
|
moved to <literal>pythonPackages</literal>. The options
|
|
<literal>services.buildbot-master.package</literal> and
|
|
<literal>services.buildbot-worker.package</literal> can be
|
|
used to select the Python 2 or 3 version of the package.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Options
|
|
<literal>services.znc.confOptions.networks.name.userName</literal>
|
|
and
|
|
<literal>services.znc.confOptions.networks.name.modulePackages</literal>
|
|
were removed. They were never used for anything and can
|
|
therefore safely be removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Package <literal>wasm</literal> has been renamed
|
|
<literal>proglodyte-wasm</literal>. The package
|
|
<literal>wasm</literal> will be pointed to
|
|
<literal>ocamlPackages.wasm</literal> in 19.09, so make sure
|
|
to update your configuration if you want to keep
|
|
<literal>proglodyte-wasm</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
When the <literal>nixpkgs.pkgs</literal> option is set, NixOS
|
|
will no longer ignore the <literal>nixpkgs.overlays</literal>
|
|
option. The old behavior can be recovered by setting
|
|
<literal>nixpkgs.overlays = lib.mkForce [];</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
OpenSMTPD has been upgraded to version 6.4.0p1. This release
|
|
makes backwards-incompatible changes to the configuration file
|
|
format. See <literal>man smtpd.conf</literal> for more
|
|
information on the new file format.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The versioned <literal>postgresql</literal> have been renamed
|
|
to use underscore number seperators. For example,
|
|
<literal>postgresql96</literal> has been renamed to
|
|
<literal>postgresql_9_6</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Package <literal>consul-ui</literal> and passthrough
|
|
<literal>consul.ui</literal> have been removed. The package
|
|
<literal>consul</literal> now uses upstream releases that
|
|
vendor the UI into the binary. See
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/48714#issuecomment-433454834">#48714</link>
|
|
for details.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Slurm introduces the new option
|
|
<literal>services.slurm.stateSaveLocation</literal>, which is
|
|
now set to <literal>/var/spool/slurm</literal> by default
|
|
(instead of <literal>/var/spool</literal>). Make sure to move
|
|
all files to the new directory or to set the option
|
|
accordingly.
|
|
</para>
|
|
<para>
|
|
The slurmctld now runs as user <literal>slurm</literal>
|
|
instead of <literal>root</literal>. If you want to keep
|
|
slurmctld running as <literal>root</literal>, set
|
|
<literal>services.slurm.user = root</literal>.
|
|
</para>
|
|
<para>
|
|
The options <literal>services.slurm.nodeName</literal> and
|
|
<literal>services.slurm.partitionName</literal> are now sets
|
|
of strings to correctly reflect that fact that each of these
|
|
options can occour more than once in the configuration.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>solr</literal> package has been upgraded from
|
|
4.10.3 to 7.5.0 and has undergone some major changes. The
|
|
<literal>services.solr</literal> module has been updated to
|
|
reflect these changes. Please review
|
|
http://lucene.apache.org/solr/ carefully before upgrading.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Package <literal>ckb</literal> is renamed to
|
|
<literal>ckb-next</literal>, and options
|
|
<literal>hardware.ckb.*</literal> are renamed to
|
|
<literal>hardware.ckb-next.*</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The option
|
|
<literal>services.xserver.displayManager.job.logToFile</literal>
|
|
which was previously set to <literal>true</literal> when using
|
|
the display managers <literal>lightdm</literal>,
|
|
<literal>sddm</literal> or <literal>xpra</literal> has been
|
|
reset to the default value (<literal>false</literal>).
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Network interface indiscriminate NixOS firewall options
|
|
(<literal>networking.firewall.allow*</literal>) are now
|
|
preserved when also setting interface specific rules such as
|
|
<literal>networking.firewall.interfaces.en0.allow*</literal>.
|
|
These rules continue to use the pseudo device
|
|
"default"
|
|
(<literal>networking.firewall.interfaces.default.*</literal>),
|
|
and assigning to this pseudo device will override the
|
|
(<literal>networking.firewall.allow*</literal>) options.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>nscd</literal> service now disables all caching
|
|
of <literal>passwd</literal> and <literal>group</literal>
|
|
databases by default. This was interferring with the correct
|
|
functioning of the <literal>libnss_systemd.so</literal> module
|
|
which is used by <literal>systemd</literal> to manage uids and
|
|
usernames in the presence of <literal>DynamicUser=</literal>
|
|
in systemd services. This was already the default behaviour in
|
|
presence of <literal>services.sssd.enable = true</literal>
|
|
because nscd caching would interfere with
|
|
<literal>sssd</literal> in unpredictable ways as well. Because
|
|
we're using nscd not for caching, but for convincing glibc to
|
|
find NSS modules in the nix store instead of an absolute path,
|
|
we have decided to disable caching globally now, as it's
|
|
usually not the behaviour the user wants and can lead to
|
|
surprising behaviour. Furthermore, negative caching of host
|
|
lookups is also disabled now by default. This should fix the
|
|
issue of dns lookups failing in the presence of an unreliable
|
|
network.
|
|
</para>
|
|
<para>
|
|
If the old behaviour is desired, this can be restored by
|
|
setting the <literal>services.nscd.config</literal> option
|
|
with the desired caching parameters.
|
|
</para>
|
|
<programlisting language="bash">
|
|
{
|
|
services.nscd.config =
|
|
''
|
|
server-user nscd
|
|
threads 1
|
|
paranoia no
|
|
debug-level 0
|
|
|
|
enable-cache passwd yes
|
|
positive-time-to-live passwd 600
|
|
negative-time-to-live passwd 20
|
|
suggested-size passwd 211
|
|
check-files passwd yes
|
|
persistent passwd no
|
|
shared passwd yes
|
|
|
|
enable-cache group yes
|
|
positive-time-to-live group 3600
|
|
negative-time-to-live group 60
|
|
suggested-size group 211
|
|
check-files group yes
|
|
persistent group no
|
|
shared group yes
|
|
|
|
enable-cache hosts yes
|
|
positive-time-to-live hosts 600
|
|
negative-time-to-live hosts 5
|
|
suggested-size hosts 211
|
|
check-files hosts yes
|
|
persistent hosts no
|
|
shared hosts yes
|
|
'';
|
|
}
|
|
</programlisting>
|
|
<para>
|
|
See
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link>
|
|
for details.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
GitLab Shell previously used the nix store paths for the
|
|
<literal>gitlab-shell</literal> command in its
|
|
<literal>authorized_keys</literal> file, which might stop
|
|
working after garbage collection. To circumvent that, we
|
|
regenerated that file on each startup. As
|
|
<literal>gitlab-shell</literal> has now been changed to use
|
|
<literal>/var/run/current-system/sw/bin/gitlab-shell</literal>,
|
|
this is not necessary anymore, but there might be leftover
|
|
lines with a nix store path. Regenerate the
|
|
<literal>authorized_keys</literal> file via
|
|
<literal>sudo -u git -H gitlab-rake gitlab:shell:setup</literal>
|
|
in that case.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>pam_unix</literal> account module is now loaded
|
|
with its control field set to <literal>required</literal>
|
|
instead of <literal>sufficient</literal>, so that later PAM
|
|
account modules that might do more extensive checks are being
|
|
executed. Previously, the whole account module verification
|
|
was exited prematurely in case a nss module provided the
|
|
account name to <literal>pam_unix</literal>. The LDAP and SSSD
|
|
NixOS modules already add their NSS modules when enabled. In
|
|
case your setup breaks due to some later PAM account module
|
|
previosuly shadowed, or failing NSS lookups, please file a
|
|
bug. You can get back the old behaviour by manually setting
|
|
<literal>security.pam.services.<name?>.text</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>pam_unix</literal> password module is now loaded
|
|
with its control field set to <literal>sufficient</literal>
|
|
instead of <literal>required</literal>, so that password
|
|
managed only by later PAM password modules are being executed.
|
|
Previously, for example, changing an LDAP account's password
|
|
through PAM was not possible: the whole password module
|
|
verification was exited prematurely by
|
|
<literal>pam_unix</literal>, preventing
|
|
<literal>pam_ldap</literal> to manage the password as it
|
|
should.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>fish</literal> has been upgraded to 3.0. It comes
|
|
with a number of improvements and backwards incompatible
|
|
changes. See the <literal>fish</literal>
|
|
<link xlink:href="https://github.com/fish-shell/fish-shell/releases/tag/3.0.0">release
|
|
notes</link> for more information.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The ibus-table input method has had a change in config format,
|
|
which causes all previous settings to be lost. See
|
|
<link xlink:href="https://github.com/mike-fabian/ibus-table/commit/f9195f877c5212fef0dfa446acb328c45ba5852b">this
|
|
commit message</link> for details.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
NixOS module system type <literal>types.optionSet</literal>
|
|
and <literal>lib.mkOption</literal> argument
|
|
<literal>options</literal> are deprecated. Use
|
|
<literal>types.submodule</literal> instead.
|
|
(<link xlink:href="https://github.com/NixOS/nixpkgs/pull/54637">#54637</link>)
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>matrix-synapse</literal> has been updated to version
|
|
0.99. It will
|
|
<link xlink:href="https://github.com/matrix-org/synapse/pull/4509">no
|
|
longer generate a self-signed certificate on first
|
|
launch</link> and will be
|
|
<link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the
|
|
last version to accept self-signed certificates</link>. As
|
|
such, it is now recommended to use a proper certificate
|
|
verified by a root CA (for example Let's Encrypt). The new
|
|
<link linkend="module-services-matrix">manual chapter on
|
|
Matrix</link> contains a working example of using nginx as a
|
|
reverse proxy in front of <literal>matrix-synapse</literal>,
|
|
using Let's Encrypt certificates.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>mailutils</literal> now works by default when
|
|
<literal>sendmail</literal> is not in a setuid wrapper. As a
|
|
consequence, the <literal>sendmailPath</literal> argument,
|
|
having lost its main use, has been removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>graylog</literal> has been upgraded from version 2.*
|
|
to 3.*. Some setups making use of extraConfig (especially
|
|
those exposing Graylog via reverse proxies) need to be updated
|
|
as upstream removed/replaced some settings. See
|
|
<link xlink:href="http://docs.graylog.org/en/3.0/pages/upgrade/graylog-3.0.html#simplified-http-interface-configuration">Upgrading
|
|
Graylog</link> for details.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The option <literal>users.ldap.bind.password</literal> was
|
|
renamed to <literal>users.ldap.bind.passwordFile</literal>,
|
|
and needs to be readable by the <literal>nslcd</literal> user.
|
|
Same applies to the new
|
|
<literal>users.ldap.daemon.rootpwmodpwFile</literal> option.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>nodejs-6_x</literal> is end-of-life.
|
|
<literal>nodejs-6_x</literal>,
|
|
<literal>nodejs-slim-6_x</literal> and
|
|
<literal>nodePackages_6_x</literal> are removed.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
<section xml:id="sec-release-19.03-notable-changes">
|
|
<title>Other Notable Changes</title>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The <literal>services.matomo</literal> module gained the
|
|
option <literal>services.matomo.package</literal> which
|
|
determines the used Matomo version.
|
|
</para>
|
|
<para>
|
|
The Matomo module now also comes with the systemd service
|
|
<literal>matomo-archive-processing.service</literal> and a
|
|
timer that automatically triggers archive processing every
|
|
hour. This means that you can safely
|
|
<link xlink:href="https://matomo.org/docs/setup-auto-archiving/#disable-browser-triggers-for-matomo-archiving-and-limit-matomo-reports-to-updating-every-hour">
|
|
disable browser triggers for Matomo archiving </link> at
|
|
<literal>Administration > System > General Settings</literal>.
|
|
</para>
|
|
<para>
|
|
Additionally, you can enable to
|
|
<link xlink:href="https://matomo.org/docs/privacy/#step-2-delete-old-visitors-logs">
|
|
delete old visitor logs </link> at
|
|
<literal>Administration > System > Privacy</literal>,
|
|
but make sure that you run
|
|
<literal>systemctl start matomo-archive-processing.service</literal>
|
|
at least once without errors if you have already collected
|
|
data before, so that the reports get archived before the
|
|
source data gets deleted.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>composableDerivation</literal> along with supporting
|
|
library functions has been removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The deprecated <literal>truecrypt</literal> package has been
|
|
removed and <literal>truecrypt</literal> attribute is now an
|
|
alias for <literal>veracrypt</literal>. VeraCrypt is
|
|
backward-compatible with TrueCrypt volumes. Note that
|
|
<literal>cryptsetup</literal> also supports loading TrueCrypt
|
|
volumes.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The Kubernetes DNS addons, kube-dns, has been replaced with
|
|
CoreDNS. This change is made in accordance with Kubernetes
|
|
making CoreDNS the official default starting from
|
|
<link xlink:href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.11.md#sig-cluster-lifecycle">Kubernetes
|
|
v1.11</link>. Please beware that upgrading DNS-addon on
|
|
existing clusters might induce minor downtime while the
|
|
DNS-addon terminates and re-initializes. Also note that the
|
|
DNS-service now runs with 2 pod replicas by default. The
|
|
desired number of replicas can be configured using:
|
|
<literal>services.kubernetes.addons.dns.replicas</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The quassel-webserver package and module was removed from
|
|
nixpkgs due to the lack of maintainers.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The manual gained a <link linkend="module-services-matrix">
|
|
new chapter on self-hosting <literal>matrix-synapse</literal>
|
|
and <literal>riot-web</literal> </link>, the most prevalent
|
|
server and client implementations for the
|
|
<link xlink:href="https://matrix.org/">Matrix</link> federated
|
|
communication network.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The astah-community package was removed from nixpkgs due to it
|
|
being discontinued and the downloads not being available
|
|
anymore.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The httpd service now saves log files with a .log file
|
|
extension by default for easier integration with the logrotate
|
|
service.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The owncloud server packages and httpd subservice module were
|
|
removed from nixpkgs due to the lack of maintainers.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
It is possible now to uze ZRAM devices as general purpose
|
|
ephemeral block devices, not only as swap. Using more than 1
|
|
device as ZRAM swap is no longer recommended, but is still
|
|
possible by setting <literal>zramSwap.swapDevices</literal>
|
|
explicitly.
|
|
</para>
|
|
<para>
|
|
ZRAM algorithm can be changed now.
|
|
</para>
|
|
<para>
|
|
Changes to ZRAM algorithm are applied during
|
|
<literal>nixos-rebuild switch</literal>, so make sure you have
|
|
enough swap space on disk to survive ZRAM device rebuild.
|
|
Alternatively, use
|
|
<literal>nixos-rebuild boot; reboot</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Flat volumes are now disabled by default in
|
|
<literal>hardware.pulseaudio</literal>. This has been done to
|
|
prevent applications, which are unaware of this feature,
|
|
setting their volumes to 100% on startup causing harm to your
|
|
audio hardware and potentially your ears.
|
|
</para>
|
|
<note>
|
|
<para>
|
|
With this change application specific volumes are relative
|
|
to the master volume which can be adjusted independently,
|
|
whereas before they were absolute; meaning that in effect,
|
|
it scaled the device-volume with the volume of the loudest
|
|
application.
|
|
</para>
|
|
</note>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The
|
|
<link xlink:href="https://github.com/DanielAdolfsson/ndppd"><literal>ndppd</literal></link>
|
|
module now supports
|
|
<link xlink:href="options.html#opt-services.ndppd.enable">all
|
|
config options</link> provided by the current upstream version
|
|
as service options. Additionally the <literal>ndppd</literal>
|
|
package doesn't contain the systemd unit configuration from
|
|
upstream anymore, the unit is completely configured by the
|
|
NixOS module now.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
New installs of NixOS will default to the Redmine 4.x series
|
|
unless otherwise specified in
|
|
<literal>services.redmine.package</literal> while existing
|
|
installs of NixOS will default to the Redmine 3.x series.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The
|
|
<link xlink:href="options.html#opt-services.grafana.enable">Grafana
|
|
module</link> now supports declarative
|
|
<link xlink:href="http://docs.grafana.org/administration/provisioning/">datasource
|
|
and dashboard</link> provisioning.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The use of insecure ports on kubernetes has been deprecated.
|
|
Thus options:
|
|
<literal>services.kubernetes.apiserver.port</literal> and
|
|
<literal>services.kubernetes.controllerManager.port</literal>
|
|
has been renamed to <literal>.insecurePort</literal>, and
|
|
default of both options has changed to 0 (disabled).
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Note that the default value of
|
|
<literal>services.kubernetes.apiserver.bindAddress</literal>
|
|
has changed from 127.0.0.1 to 0.0.0.0, allowing the apiserver
|
|
to be accessible from outside the master node itself. If the
|
|
apiserver insecurePort is enabled, it is strongly recommended
|
|
to only bind on the loopback interface. See:
|
|
<literal>services.kubernetes.apiserver.insecurebindAddress</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The option
|
|
<literal>services.kubernetes.apiserver.allowPrivileged</literal>
|
|
and
|
|
<literal>services.kubernetes.kubelet.allowPrivileged</literal>
|
|
now defaults to false. Disallowing privileged containers on
|
|
the cluster.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The kubernetes module does no longer add the kubernetes
|
|
package to <literal>environment.systemPackages</literal>
|
|
implicitly.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>intel</literal> driver has been removed from the
|
|
default list of
|
|
<link xlink:href="options.html#opt-services.xserver.videoDrivers">X.org
|
|
video drivers</link>. The <literal>modesetting</literal>
|
|
driver should take over automatically, it is better maintained
|
|
upstream and has less problems with advanced X11 features.
|
|
This can lead to a change in the output names used by
|
|
<literal>xrandr</literal>. Some performance regressions on
|
|
some GPU models might happen. Some OpenCL and VA-API
|
|
applications might also break (Beignet seems to provide OpenCL
|
|
support with <literal>modesetting</literal> driver, too).
|
|
Kernel mode setting API does not support backlight control, so
|
|
<literal>xbacklight</literal> tool will not work; backlight
|
|
level can be controlled directly via <literal>/sys/</literal>
|
|
or with <literal>brightnessctl</literal>. Users who need this
|
|
functionality more than multi-output XRandR are advised to add
|
|
`intel` to `videoDrivers` and report an issue (or provide
|
|
additional details in an existing one)
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Openmpi has been updated to version 4.0.0, which removes some
|
|
deprecated MPI-1 symbols. This may break some older
|
|
applications that still rely on those symbols. An upgrade
|
|
guide can be found
|
|
<link xlink:href="https://www.open-mpi.org/faq/?category=mpi-removed">here</link>.
|
|
</para>
|
|
<para>
|
|
The nginx package now relies on OpenSSL 1.1 and supports TLS
|
|
1.3 by default. You can set the protocols used by the nginx
|
|
service using
|
|
<link xlink:href="options.html#opt-services.nginx.sslProtocols">services.nginx.sslProtocols</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A new subcommand <literal>nixos-rebuild edit</literal> was
|
|
added.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</section>
|
|
|