tjh.dev
nixos: fix typos
+2
-2
nixos/doc/manual/manpages/README.md
+2
-2
nixos/doc/manual/manpages/README.md
···
17
- Use `Cm` to mark literal string arguments, e.g. the `boot` command argument passed to `nixos-rebuild`.
18
- Optional flags or arguments should be marked with `Op`. This includes optional repeating arguments.
19
- Required flags or arguments should not be marked.
20
-
- Mutually exclusive groups of arguments should be enclosed in curly brackets, preferrably created with `Bro`/`Brc` blocks.
21
22
When an argument is used in an example it should be marked up with `Ar` again to differentiate it from a constant. For example, a command with a `--host name` flag that calls ssh to retrieve the host's local time would signify this thusly:
23
```
···
45
...
46
.Ed
47
```
48
-
Contents of code blocks may be marked up further, e.g. if they refer to arguments that will be subsituted into them:
49
```
50
.Bd -literal -offset indent
51
{
···
17
- Use `Cm` to mark literal string arguments, e.g. the `boot` command argument passed to `nixos-rebuild`.
18
- Optional flags or arguments should be marked with `Op`. This includes optional repeating arguments.
19
- Required flags or arguments should not be marked.
20
+
- Mutually exclusive groups of arguments should be enclosed in curly brackets, preferably created with `Bro`/`Brc` blocks.
21
22
When an argument is used in an example it should be marked up with `Ar` again to differentiate it from a constant. For example, a command with a `--host name` flag that calls ssh to retrieve the host's local time would signify this thusly:
23
```
···
45
...
46
.Ed
47
```
48
+
Contents of code blocks may be marked up further, e.g. if they refer to arguments that will be substituted into them:
49
```
50
.Bd -literal -offset indent
51
{
+2
-2
nixos/doc/manual/release-notes/rl-1609.section.md
+2
-2
nixos/doc/manual/release-notes/rl-1609.section.md
···
20
21
- A large number of packages have been converted to use the multiple outputs feature of Nix to greatly reduce the amount of required disk space, as mentioned above. This may require changes to any custom packages to make them build again; see the relevant chapter in the Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions related to multiple-output packages [were changed](https://github.com/NixOS/nixpkgs/pull/14766) late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
22
23
-
- Previous versions of Nixpkgs had support for all versions of the LTS Haskell package set. That support has been dropped. The previously provided `haskell.packages.lts-x_y` package sets still exist in name to aviod breaking user code, but these package sets don't actually contain the versions mandated by the corresponding LTS release. Instead, our package set it loosely based on the latest available LTS release, i.e. LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will drop those old names entirely. [The motivation for this change](https://nixos.org/nix-dev/2016-June/020585.html) has been discussed at length on the `nix-dev` mailing list and in [Github issue \#14897](https://github.com/NixOS/nixpkgs/issues/14897). Development strategies for Haskell hackers who want to rely on Nix and NixOS have been described in [another nix-dev article](https://nixos.org/nix-dev/2016-June/020642.html).
24
25
- Shell aliases for systemd sub-commands [were dropped](https://github.com/NixOS/nixpkgs/pull/15598): `start`, `stop`, `restart`, `status`.
26
···
28
29
- `/var/empty` is now immutable. Activation script runs `chattr +i` to forbid any modifications inside the folder. See [ the pull request](https://github.com/NixOS/nixpkgs/pull/18365) for what bugs this caused.
30
31
-
- Gitlab's maintainance script `gitlab-runner` was removed and split up into the more clearer `gitlab-run` and `gitlab-rake` scripts, because `gitlab-runner` is a component of Gitlab CI.
32
33
- `services.xserver.libinput.accelProfile` default changed from `flat` to `adaptive`, as per [ official documentation](https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79).
34
···
20
21
- A large number of packages have been converted to use the multiple outputs feature of Nix to greatly reduce the amount of required disk space, as mentioned above. This may require changes to any custom packages to make them build again; see the relevant chapter in the Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions related to multiple-output packages [were changed](https://github.com/NixOS/nixpkgs/pull/14766) late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
22
23
+
- Previous versions of Nixpkgs had support for all versions of the LTS Haskell package set. That support has been dropped. The previously provided `haskell.packages.lts-x_y` package sets still exist in name to avoid breaking user code, but these package sets don't actually contain the versions mandated by the corresponding LTS release. Instead, our package set it loosely based on the latest available LTS release, i.e. LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will drop those old names entirely. [The motivation for this change](https://nixos.org/nix-dev/2016-June/020585.html) has been discussed at length on the `nix-dev` mailing list and in [Github issue \#14897](https://github.com/NixOS/nixpkgs/issues/14897). Development strategies for Haskell hackers who want to rely on Nix and NixOS have been described in [another nix-dev article](https://nixos.org/nix-dev/2016-June/020642.html).
24
25
- Shell aliases for systemd sub-commands [were dropped](https://github.com/NixOS/nixpkgs/pull/15598): `start`, `stop`, `restart`, `status`.
26
···
28
29
- `/var/empty` is now immutable. Activation script runs `chattr +i` to forbid any modifications inside the folder. See [ the pull request](https://github.com/NixOS/nixpkgs/pull/18365) for what bugs this caused.
30
31
+
- Gitlab's maintenance script `gitlab-runner` was removed and split up into the more clearer `gitlab-run` and `gitlab-rake` scripts, because `gitlab-runner` is a component of Gitlab CI.
32
33
- `services.xserver.libinput.accelProfile` default changed from `flat` to `adaptive`, as per [ official documentation](https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79).
34
+1
-1
nixos/doc/manual/release-notes/rl-1709.section.md
+1
-1
nixos/doc/manual/release-notes/rl-1709.section.md
···
275
276
You can check that backups still work by running `systemctl start mysql-backup` then `systemctl status mysql-backup`.
277
278
-
- Templated systemd services e.g `container@name` are now handled currectly when switching to a new configuration, resulting in them being reloaded.
279
280
- Steam: the `newStdcpp` parameter was removed and should not be needed anymore.
281
···
275
276
You can check that backups still work by running `systemctl start mysql-backup` then `systemctl status mysql-backup`.
277
278
+
- Templated systemd services e.g `container@name` are now handled correctly when switching to a new configuration, resulting in them being reloaded.
279
280
- Steam: the `newStdcpp` parameter was removed and should not be needed anymore.
281
+1
-1
nixos/doc/manual/release-notes/rl-1803.section.md
+1
-1
nixos/doc/manual/release-notes/rl-1803.section.md
···
174
175
- The `openssh` package now includes Kerberos support by default; the `openssh_with_kerberos` package is now a deprecated alias. If you do not want Kerberos support, you can do `openssh.override { withKerberos = false; }`. Note, this also applies to the `openssh_hpn` package.
176
177
-
- `cc-wrapper` has been split in two; there is now also a `bintools-wrapper`. The most commonly used files in `nix-support` are now split between the two wrappers. Some commonly used ones, like `nix-support/dynamic-linker`, are duplicated for backwards compatability, even though they rightly belong only in `bintools-wrapper`. Other more obscure ones are just moved.
178
179
- The propagation logic has been changed. The new logic, along with new types of dependencies that go with, is thoroughly documented in the "Specifying dependencies" section of the "Standard Environment" chapter of the nixpkgs manual. The old logic isn't but is easy to describe: dependencies were propagated as the same type of dependency no matter what. In practice, that means that many `propagatedNativeBuildInputs` should instead be `propagatedBuildInputs`. Thankfully, that was and is the least used type of dependency. Also, it means that some `propagatedBuildInputs` should instead be `depsTargetTargetPropagated`. Other types dependencies should be unaffected.
180
···
174
175
- The `openssh` package now includes Kerberos support by default; the `openssh_with_kerberos` package is now a deprecated alias. If you do not want Kerberos support, you can do `openssh.override { withKerberos = false; }`. Note, this also applies to the `openssh_hpn` package.
176
177
+
- `cc-wrapper` has been split in two; there is now also a `bintools-wrapper`. The most commonly used files in `nix-support` are now split between the two wrappers. Some commonly used ones, like `nix-support/dynamic-linker`, are duplicated for backwards compatibility, even though they rightly belong only in `bintools-wrapper`. Other more obscure ones are just moved.
178
179
- The propagation logic has been changed. The new logic, along with new types of dependencies that go with, is thoroughly documented in the "Specifying dependencies" section of the "Standard Environment" chapter of the nixpkgs manual. The old logic isn't but is easy to describe: dependencies were propagated as the same type of dependency no matter what. In practice, that means that many `propagatedNativeBuildInputs` should instead be `propagatedBuildInputs`. Thankfully, that was and is the least used type of dependency. Also, it means that some `propagatedBuildInputs` should instead be `depsTargetTargetPropagated`. Other types dependencies should be unaffected.
180
+3
-3
nixos/doc/manual/release-notes/rl-1903.section.md
+3
-3
nixos/doc/manual/release-notes/rl-1903.section.md
···
81
82
The slurmctld now runs as user `slurm` instead of `root`. If you want to keep slurmctld running as `root`, set `services.slurm.user = root`.
83
84
-
The options `services.slurm.nodeName` and `services.slurm.partitionName` are now sets of strings to correctly reflect that fact that each of these options can occour more than once in the configuration.
85
86
- The `solr` package has been upgraded from 4.10.3 to 7.5.0 and has undergone some major changes. The `services.solr` module has been updated to reflect these changes. Please review http://lucene.apache.org/solr/ carefully before upgrading.
87
···
91
92
- Network interface indiscriminate NixOS firewall options (`networking.firewall.allow*`) are now preserved when also setting interface specific rules such as `networking.firewall.interfaces.en0.allow*`. These rules continue to use the pseudo device "default" (`networking.firewall.interfaces.default.*`), and assigning to this pseudo device will override the (`networking.firewall.allow*`) options.
93
94
-
- The `nscd` service now disables all caching of `passwd` and `group` databases by default. This was interferring with the correct functioning of the `libnss_systemd.so` module which is used by `systemd` to manage uids and usernames in the presence of `DynamicUser=` in systemd services. This was already the default behaviour in presence of `services.sssd.enable = true` because nscd caching would interfere with `sssd` in unpredictable ways as well. Because we're using nscd not for caching, but for convincing glibc to find NSS modules in the nix store instead of an absolute path, we have decided to disable caching globally now, as it's usually not the behaviour the user wants and can lead to surprising behaviour. Furthermore, negative caching of host lookups is also disabled now by default. This should fix the issue of dns lookups failing in the presence of an unreliable network.
95
96
If the old behaviour is desired, this can be restored by setting the `services.nscd.config` option with the desired caching parameters.
97
···
135
136
- GitLab Shell previously used the nix store paths for the `gitlab-shell` command in its `authorized_keys` file, which might stop working after garbage collection. To circumvent that, we regenerated that file on each startup. As `gitlab-shell` has now been changed to use `/var/run/current-system/sw/bin/gitlab-shell`, this is not necessary anymore, but there might be leftover lines with a nix store path. Regenerate the `authorized_keys` file via `sudo -u git -H gitlab-rake gitlab:shell:setup` in that case.
137
138
-
- The `pam_unix` account module is now loaded with its control field set to `required` instead of `sufficient`, so that later PAM account modules that might do more extensive checks are being executed. Previously, the whole account module verification was exited prematurely in case a nss module provided the account name to `pam_unix`. The LDAP and SSSD NixOS modules already add their NSS modules when enabled. In case your setup breaks due to some later PAM account module previosuly shadowed, or failing NSS lookups, please file a bug. You can get back the old behaviour by manually setting `security.pam.services.<name?>.text`.
139
140
- The `pam_unix` password module is now loaded with its control field set to `sufficient` instead of `required`, so that password managed only by later PAM password modules are being executed. Previously, for example, changing an LDAP account's password through PAM was not possible: the whole password module verification was exited prematurely by `pam_unix`, preventing `pam_ldap` to manage the password as it should.
141
···
81
82
The slurmctld now runs as user `slurm` instead of `root`. If you want to keep slurmctld running as `root`, set `services.slurm.user = root`.
83
84
+
The options `services.slurm.nodeName` and `services.slurm.partitionName` are now sets of strings to correctly reflect that fact that each of these options can occur more than once in the configuration.
85
86
- The `solr` package has been upgraded from 4.10.3 to 7.5.0 and has undergone some major changes. The `services.solr` module has been updated to reflect these changes. Please review http://lucene.apache.org/solr/ carefully before upgrading.
87
···
91
92
- Network interface indiscriminate NixOS firewall options (`networking.firewall.allow*`) are now preserved when also setting interface specific rules such as `networking.firewall.interfaces.en0.allow*`. These rules continue to use the pseudo device "default" (`networking.firewall.interfaces.default.*`), and assigning to this pseudo device will override the (`networking.firewall.allow*`) options.
93
94
+
- The `nscd` service now disables all caching of `passwd` and `group` databases by default. This was interfering with the correct functioning of the `libnss_systemd.so` module which is used by `systemd` to manage uids and usernames in the presence of `DynamicUser=` in systemd services. This was already the default behaviour in presence of `services.sssd.enable = true` because nscd caching would interfere with `sssd` in unpredictable ways as well. Because we're using nscd not for caching, but for convincing glibc to find NSS modules in the nix store instead of an absolute path, we have decided to disable caching globally now, as it's usually not the behaviour the user wants and can lead to surprising behaviour. Furthermore, negative caching of host lookups is also disabled now by default. This should fix the issue of dns lookups failing in the presence of an unreliable network.
95
96
If the old behaviour is desired, this can be restored by setting the `services.nscd.config` option with the desired caching parameters.
97
···
135
136
- GitLab Shell previously used the nix store paths for the `gitlab-shell` command in its `authorized_keys` file, which might stop working after garbage collection. To circumvent that, we regenerated that file on each startup. As `gitlab-shell` has now been changed to use `/var/run/current-system/sw/bin/gitlab-shell`, this is not necessary anymore, but there might be leftover lines with a nix store path. Regenerate the `authorized_keys` file via `sudo -u git -H gitlab-rake gitlab:shell:setup` in that case.
137
138
+
- The `pam_unix` account module is now loaded with its control field set to `required` instead of `sufficient`, so that later PAM account modules that might do more extensive checks are being executed. Previously, the whole account module verification was exited prematurely in case a nss module provided the account name to `pam_unix`. The LDAP and SSSD NixOS modules already add their NSS modules when enabled. In case your setup breaks due to some later PAM account module previously shadowed, or failing NSS lookups, please file a bug. You can get back the old behaviour by manually setting `security.pam.services.<name?>.text`.
139
140
- The `pam_unix` password module is now loaded with its control field set to `sufficient` instead of `required`, so that password managed only by later PAM password modules are being executed. Previously, for example, changing an LDAP account's password through PAM was not possible: the whole password module verification was exited prematurely by `pam_unix`, preventing `pam_ldap` to manage the password as it should.
141
+1
-1
nixos/doc/manual/release-notes/rl-1909.section.md
+1
-1
nixos/doc/manual/release-notes/rl-1909.section.md
···
194
195
`security.acme.preDelay` and `security.acme.activationDelay` options have been removed. To execute a service before certificates are provisioned or renewed add a `RequiredBy=acme-${cert}.service` to any service.
196
197
-
Furthermore, the acme module will not automatically add a dependency on `lighttpd.service` anymore. If you are using certficates provided by letsencrypt for lighttpd, then you should depend on the certificate service `acme-${cert}.service>` manually.
198
199
For nginx, the dependencies are still automatically managed when `services.nginx.virtualhosts.<name>.enableACME` is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs, instead of depending on the catch-all `acme-certificates.target`. This target unit was also removed from the codebase. This will mean nginx will no longer depend on certificates it isn't explicitly managing and fixes a bug with certificate renewal ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at [NixOS/nixpkgs\#60180](https://github.com/NixOS/nixpkgs/issues/60180).
200
···
194
195
`security.acme.preDelay` and `security.acme.activationDelay` options have been removed. To execute a service before certificates are provisioned or renewed add a `RequiredBy=acme-${cert}.service` to any service.
196
197
+
Furthermore, the acme module will not automatically add a dependency on `lighttpd.service` anymore. If you are using certificates provided by letsencrypt for lighttpd, then you should depend on the certificate service `acme-${cert}.service>` manually.
198
199
For nginx, the dependencies are still automatically managed when `services.nginx.virtualhosts.<name>.enableACME` is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs, instead of depending on the catch-all `acme-certificates.target`. This target unit was also removed from the codebase. This will mean nginx will no longer depend on certificates it isn't explicitly managing and fixes a bug with certificate renewal ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at [NixOS/nixpkgs\#60180](https://github.com/NixOS/nixpkgs/issues/60180).
200
+2
-2
nixos/doc/manual/release-notes/rl-2009.section.md
+2
-2
nixos/doc/manual/release-notes/rl-2009.section.md
···
130
131
- [services.cage.enable](options.html#opt-services.cage.enable) Wayland cage service
132
133
-
- [services.convos.enable](options.html#opt-services.convos.enable) IRC daemon, which can be accessed throught the browser
134
135
- [services.engelsystem.enable](options.html#opt-services.engelsystem.enable) Tool for coordinating volunteers and shifts on large events
136
···
552
553
- The [jellyfin](options.html#opt-services.jellyfin.enable) module will use and stay on the Jellyfin version `10.5.5` if `stateVersion` is lower than `20.09`. This is because significant changes were made to the database schema, and it is highly recommended to backup your instance before upgrading. After making your backup, you can upgrade to the latest version either by setting your `stateVersion` to `20.09` or higher, or set the `services.jellyfin.package` to `pkgs.jellyfin`. If you do not wish to upgrade Jellyfin, but want to change your `stateVersion`, you can set the value of `services.jellyfin.package` to `pkgs.jellyfin_10_5`.
554
555
-
- The `security.rngd` service is now disabled by default. This choice was made because there's krngd in the linux kernel space making it (for most usecases) functionally redundent.
556
557
- The `hardware.nvidia.optimus_prime.enable` service has been renamed to `hardware.nvidia.prime.sync.enable` and has many new enhancements. Related nvidia prime settings may have also changed.
558
···
130
131
- [services.cage.enable](options.html#opt-services.cage.enable) Wayland cage service
132
133
+
- [services.convos.enable](options.html#opt-services.convos.enable) IRC daemon, which can be accessed through the browser
134
135
- [services.engelsystem.enable](options.html#opt-services.engelsystem.enable) Tool for coordinating volunteers and shifts on large events
136
···
552
553
- The [jellyfin](options.html#opt-services.jellyfin.enable) module will use and stay on the Jellyfin version `10.5.5` if `stateVersion` is lower than `20.09`. This is because significant changes were made to the database schema, and it is highly recommended to backup your instance before upgrading. After making your backup, you can upgrade to the latest version either by setting your `stateVersion` to `20.09` or higher, or set the `services.jellyfin.package` to `pkgs.jellyfin`. If you do not wish to upgrade Jellyfin, but want to change your `stateVersion`, you can set the value of `services.jellyfin.package` to `pkgs.jellyfin_10_5`.
554
555
+
- The `security.rngd` service is now disabled by default. This choice was made because there's krngd in the linux kernel space making it (for most usecases) functionally redundant.
556
557
- The `hardware.nvidia.optimus_prime.enable` service has been renamed to `hardware.nvidia.prime.sync.enable` and has many new enhancements. Related nvidia prime settings may have also changed.
558
+3
-3
nixos/doc/manual/release-notes/rl-2105.section.md
+3
-3
nixos/doc/manual/release-notes/rl-2105.section.md
···
197
198
Android packages are now loaded from a repo.json file created by parsing Android repo XML files. The arguments `repoJson` and `repoXmls` have been added to allow overriding the built-in androidenv repo.json with your own. Additionally, license files are now written to allow compatibility with Gradle-based tools, and the `extraLicenses` argument has been added to accept more SDK licenses if your project requires it. See the androidenv documentation for more details.
199
200
-
- The attribute `mpi` is now consistently used to provide a default, system-wide MPI implementation. The default implementation is openmpi, which has been used before by all derivations affects by this change. Note that all packages that have used `mpi ? null` in the input for optional MPI builds, have been changed to the boolean input paramater `useMpi` to enable building with MPI. Building all packages with `mpich` instead of the default `openmpi` can now be achived like this:
201
202
```nix
203
self: super:
···
272
273
- `environment.defaultPackages` now includes the nano package. If pkgs.nano is not added to the list, make sure another editor is installed and the `EDITOR` environment variable is set to it. Environment variables can be set using `environment.variables`.
274
275
-
- `services.minio.dataDir` changed type to a list of paths, required for specifiyng multiple data directories for using with erasure coding. Currently, the service doesn't enforce nor checks the correct number of paths to correspond to minio requirements.
276
277
- All CUDA toolkit versions prior to CUDA 10 have been removed.
278
···
375
376
- When defining a new user, one of [users.users._name_.isNormalUser](options.html#opt-users.users._name_.isNormalUser) and [users.users._name_.isSystemUser](options.html#opt-users.users._name_.isSystemUser) is now required. This is to prevent accidentally giving a UID above 1000 to system users, which could have unexpected consequences, like running user activation scripts for system users. Note that users defined with an explicit UID below 500 are exempted from this check, as [users.users._name_.isSystemUser](options.html#opt-users.users._name_.isSystemUser) has no effect for those.
377
378
-
- The `security.apparmor` module, for the [AppArmor](https://gitlab.com/apparmor/apparmor/-/wikis/Documentation) Mandatory Access Control system, has been substantialy improved along with related tools, so that module maintainers can now more easily write AppArmor profiles for NixOS. The most notable change on the user-side is the new option [security.apparmor.policies](options.html#opt-security.apparmor.policies), replacing the previous `profiles` option to provide a way to disable a profile and to select whether to confine in enforce mode (default) or in complain mode (see `journalctl -b --grep apparmor`). Security-minded users may also want to enable [security.apparmor.killUnconfinedConfinables](options.html#opt-security.apparmor.killUnconfinedConfinables), at the cost of having some of their processes killed when updating to a NixOS version introducing new AppArmor profiles.
379
380
- The GNOME desktop manager once again installs gnome.epiphany by default.
381
···
197
198
Android packages are now loaded from a repo.json file created by parsing Android repo XML files. The arguments `repoJson` and `repoXmls` have been added to allow overriding the built-in androidenv repo.json with your own. Additionally, license files are now written to allow compatibility with Gradle-based tools, and the `extraLicenses` argument has been added to accept more SDK licenses if your project requires it. See the androidenv documentation for more details.
199
200
+
- The attribute `mpi` is now consistently used to provide a default, system-wide MPI implementation. The default implementation is openmpi, which has been used before by all derivations affects by this change. Note that all packages that have used `mpi ? null` in the input for optional MPI builds, have been changed to the boolean input parameter `useMpi` to enable building with MPI. Building all packages with `mpich` instead of the default `openmpi` can now be achieved like this:
201
202
```nix
203
self: super:
···
272
273
- `environment.defaultPackages` now includes the nano package. If pkgs.nano is not added to the list, make sure another editor is installed and the `EDITOR` environment variable is set to it. Environment variables can be set using `environment.variables`.
274
275
+
- `services.minio.dataDir` changed type to a list of paths, required for specifying multiple data directories for using with erasure coding. Currently, the service doesn't enforce nor checks the correct number of paths to correspond to minio requirements.
276
277
- All CUDA toolkit versions prior to CUDA 10 have been removed.
278
···
375
376
- When defining a new user, one of [users.users._name_.isNormalUser](options.html#opt-users.users._name_.isNormalUser) and [users.users._name_.isSystemUser](options.html#opt-users.users._name_.isSystemUser) is now required. This is to prevent accidentally giving a UID above 1000 to system users, which could have unexpected consequences, like running user activation scripts for system users. Note that users defined with an explicit UID below 500 are exempted from this check, as [users.users._name_.isSystemUser](options.html#opt-users.users._name_.isSystemUser) has no effect for those.
377
378
+
- The `security.apparmor` module, for the [AppArmor](https://gitlab.com/apparmor/apparmor/-/wikis/Documentation) Mandatory Access Control system, has been substantially improved along with related tools, so that module maintainers can now more easily write AppArmor profiles for NixOS. The most notable change on the user-side is the new option [security.apparmor.policies](options.html#opt-security.apparmor.policies), replacing the previous `profiles` option to provide a way to disable a profile and to select whether to confine in enforce mode (default) or in complain mode (see `journalctl -b --grep apparmor`). Security-minded users may also want to enable [security.apparmor.killUnconfinedConfinables](options.html#opt-security.apparmor.killUnconfinedConfinables), at the cost of having some of their processes killed when updating to a NixOS version introducing new AppArmor profiles.
379
380
- The GNOME desktop manager once again installs gnome.epiphany by default.
381
+1
-1
nixos/doc/manual/release-notes/rl-2111.section.md
+1
-1
nixos/doc/manual/release-notes/rl-2111.section.md
···
375
376
- `programs.neovim.runtime` switched to a `linkFarm` internally, making it impossible to use wildcards in the `source` argument.
377
378
-
- The `openrazer` and `openrazer-daemon` packages as well as the `hardware.openrazer` module now require users to be members of the `openrazer` group instead of `plugdev`. With this change, users no longer need be granted the entire set of `plugdev` group permissions, which can include permissions other than those required by `openrazer`. This is desirable from a security point of view. The setting [`harware.openrazer.users`](options.html#opt-services.hardware.openrazer.users) can be used to add users to the `openrazer` group.
379
380
- The fontconfig service's dpi option has been removed.
381
Fontconfig should use Xft settings by default so there's no need to override one value in multiple places.
···
375
376
- `programs.neovim.runtime` switched to a `linkFarm` internally, making it impossible to use wildcards in the `source` argument.
377
378
+
- The `openrazer` and `openrazer-daemon` packages as well as the `hardware.openrazer` module now require users to be members of the `openrazer` group instead of `plugdev`. With this change, users no longer need be granted the entire set of `plugdev` group permissions, which can include permissions other than those required by `openrazer`. This is desirable from a security point of view. The setting [`hardware.openrazer.users`](options.html#opt-services.hardware.openrazer.users) can be used to add users to the `openrazer` group.
379
380
- The fontconfig service's dpi option has been removed.
381
Fontconfig should use Xft settings by default so there's no need to override one value in multiple places.
+6
-6
nixos/doc/manual/release-notes/rl-2205.section.md
+6
-6
nixos/doc/manual/release-notes/rl-2205.section.md
···
10
for Flakes, but also marks the `nix` command as experimental which now has to
11
be enabled via the configuration explicitly. For more information and
12
instructions for upgrades, see the
13
-
relase notes for [nix-2.4](https://nixos.org/manual/nix/stable/release-notes/rl-2.4.html),
14
[nix-2.5](https://nixos.org/manual/nix/stable/release-notes/rl-2.5.html),
15
[nix-2.6](https://nixos.org/manual/nix/stable/release-notes/rl-2.6.html),
16
[nix-2.7](https://nixos.org/manual/nix/stable/release-notes/rl-2.7.html) and
···
278
279
- `openldap` (and therefore the slapd LDAP server) were updated to version 2.6.2. The project introduced backwards-incompatible changes, namely the removal of the bdb, hdb, ndb, and shell backends in slapd. Therefore before updating, dump your database `slapcat -n 1` in LDIF format, and reimport it after updating your `services.openldap.settings`, which represents your `cn=config`.
280
281
-
Additionally with 2.5 the argon2 module was included in the standard distrubtion and renamed from `pw-argon2` to `argon2`. Remember to update your `olcModuleLoad` entry in `cn=config`.
282
283
- `openssh` has been update to 8.9p1, changing the FIDO security key middleware interface.
284
285
-
- `git` no longer hardcodes the path to openssh' ssh binary to reduce the amount of rebuilds. If you are using git with ssh remotes and do not have a ssh binary in your enviroment consider adding `openssh` to it or switching to `gitFull`.
286
287
- `services.k3s.enable` no longer implies `systemd.enableUnifiedCgroupHierarchy = false`, and will default to the 'systemd' cgroup driver when using `services.k3s.docker = true`.
288
This change may require a reboot to take effect, and k3s may not be able to run if the boot cgroup hierarchy does not match its configuration.
···
639
changes in the database scheme and configuration format.
640
641
- Some top-level settings under [services.epgstation](#opt-services.epgstation.enable)
642
-
is now deprecated because it was redudant due to the same options being
643
present in [services.epgstation.settings](#opt-services.epgstation.settings).
644
645
- The option `services.epgstation.basicAuth` was removed because basic
···
653
option now expects options for `config.yml` in EPGStation v2.
654
655
- Existing data for the [services.epgstation](#opt-services.epgstation.enable)
656
-
module would have to be backed up prior to the upgrade. To back up exising
657
data to `/tmp/epgstation.bak`, run
658
`sudo -u epgstation epgstation run backup /tmp/epgstation.bak`.
659
To import that data after to the upgrade, run
···
804
- The `influxdb2` package was split into `influxdb2-server` and
805
`influxdb2-cli`, matching the split that took place upstream. A
806
combined `influxdb2` package is still provided in this release for
807
-
backwards compatibilty, but will be removed at a later date.
808
809
- The `unifi` package was switched from `unifi6` to `unifi7`.
810
Direct downgrades from Unifi 7 to Unifi 6 are not possible and require restoring from a backup made by Unifi 6.
···
10
for Flakes, but also marks the `nix` command as experimental which now has to
11
be enabled via the configuration explicitly. For more information and
12
instructions for upgrades, see the
13
+
release notes for [nix-2.4](https://nixos.org/manual/nix/stable/release-notes/rl-2.4.html),
14
[nix-2.5](https://nixos.org/manual/nix/stable/release-notes/rl-2.5.html),
15
[nix-2.6](https://nixos.org/manual/nix/stable/release-notes/rl-2.6.html),
16
[nix-2.7](https://nixos.org/manual/nix/stable/release-notes/rl-2.7.html) and
···
278
279
- `openldap` (and therefore the slapd LDAP server) were updated to version 2.6.2. The project introduced backwards-incompatible changes, namely the removal of the bdb, hdb, ndb, and shell backends in slapd. Therefore before updating, dump your database `slapcat -n 1` in LDIF format, and reimport it after updating your `services.openldap.settings`, which represents your `cn=config`.
280
281
+
Additionally with 2.5 the argon2 module was included in the standard distribution and renamed from `pw-argon2` to `argon2`. Remember to update your `olcModuleLoad` entry in `cn=config`.
282
283
- `openssh` has been update to 8.9p1, changing the FIDO security key middleware interface.
284
285
+
- `git` no longer hardcodes the path to openssh' ssh binary to reduce the amount of rebuilds. If you are using git with ssh remotes and do not have a ssh binary in your environment consider adding `openssh` to it or switching to `gitFull`.
286
287
- `services.k3s.enable` no longer implies `systemd.enableUnifiedCgroupHierarchy = false`, and will default to the 'systemd' cgroup driver when using `services.k3s.docker = true`.
288
This change may require a reboot to take effect, and k3s may not be able to run if the boot cgroup hierarchy does not match its configuration.
···
639
changes in the database scheme and configuration format.
640
641
- Some top-level settings under [services.epgstation](#opt-services.epgstation.enable)
642
+
is now deprecated because it was redundant due to the same options being
643
present in [services.epgstation.settings](#opt-services.epgstation.settings).
644
645
- The option `services.epgstation.basicAuth` was removed because basic
···
653
option now expects options for `config.yml` in EPGStation v2.
654
655
- Existing data for the [services.epgstation](#opt-services.epgstation.enable)
656
+
module would have to be backed up prior to the upgrade. To back up existing
657
data to `/tmp/epgstation.bak`, run
658
`sudo -u epgstation epgstation run backup /tmp/epgstation.bak`.
659
To import that data after to the upgrade, run
···
804
- The `influxdb2` package was split into `influxdb2-server` and
805
`influxdb2-cli`, matching the split that took place upstream. A
806
combined `influxdb2` package is still provided in this release for
807
+
backwards compatibility, but will be removed at a later date.
808
809
- The `unifi` package was switched from `unifi6` to `unifi7`.
810
Direct downgrades from Unifi 7 to Unifi 6 are not possible and require restoring from a backup made by Unifi 6.
+2
-2
nixos/doc/manual/release-notes/rl-2211.section.md
+2
-2
nixos/doc/manual/release-notes/rl-2211.section.md
···
205
206
- Linux 4.9 has been removed because it will reach its end of life within the lifespan of 22.11.
207
208
-
- (Neo)Vim can not be configured with `configure.pathogen` anymore to reduce maintainance burden.
209
Use `configure.packages` instead.
210
- Neovim can not be configured with plug anymore (still works for vim).
211
···
221
222
- `mysql57` has been removed. Please update to `mysql80` or `mariadb`. See the [upgrade guide](https://mariadb.com/kb/en/upgrading-from-mysql-to-mariadb/) for more information.
223
224
-
- Consequently, `cqrlog` and `amorok` now use `mariadb` instead of `mysql57` for their embedded databases. Running `mysql_upgrade` may be neccesary.
225
- `k3s` supports `clusterInit` option, and it is enabled by default, for servers.
226
227
- `percona-server56` has been removed. Please migrate to `mysql` or `mariadb` if possible.
···
205
206
- Linux 4.9 has been removed because it will reach its end of life within the lifespan of 22.11.
207
208
+
- (Neo)Vim can not be configured with `configure.pathogen` anymore to reduce maintenance burden.
209
Use `configure.packages` instead.
210
- Neovim can not be configured with plug anymore (still works for vim).
211
···
221
222
- `mysql57` has been removed. Please update to `mysql80` or `mariadb`. See the [upgrade guide](https://mariadb.com/kb/en/upgrading-from-mysql-to-mariadb/) for more information.
223
224
+
- Consequently, `cqrlog` and `amorok` now use `mariadb` instead of `mysql57` for their embedded databases. Running `mysql_upgrade` may be necessary.
225
- `k3s` supports `clusterInit` option, and it is enabled by default, for servers.
226
227
- `percona-server56` has been removed. Please migrate to `mysql` or `mariadb` if possible.
+6
-6
nixos/doc/manual/release-notes/rl-2305.section.md
+6
-6
nixos/doc/manual/release-notes/rl-2305.section.md
···
72
73
- [stevenblack-blocklist](https://github.com/StevenBlack/hosts), A unified hosts file with base extensions for blocking unwanted websites. Available as [networking.stevenblack](options.html#opt-networking.stevenblack.enable).
74
75
-
- [Budgie Desktop](https://github.com/BuddiesOfBudgie/budgie-desktop), a familiar, modern desktop environment. Availabe as [services.xserver.desktopManager.budgie](options.html#opt-services.xserver.desktopManager.budgie).
76
77
- [imaginary](https://github.com/h2non/imaginary), a microservice for high-level image processing that Nextcloud can use to generate previews. Available as [services.imaginary](#opt-services.imaginary.enable).
78
···
88
89
- [alertmanager-irc-relay](https://github.com/google/alertmanager-irc-relay), a Prometheus Alertmanager IRC Relay. Available as [services.prometheus.alertmanagerIrcRelay](options.html#opt-services.prometheus.alertmanagerIrcRelay.enable).
90
91
-
- [tts](https://github.com/coqui-ai/TTS), a battle-tested deep learning toolkit for Text-to-Speech. Mutiple servers may be configured below [services.tts.servers](#opt-services.tts.servers).
92
93
- [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable).
94
···
98
99
- [gonic](https://github.com/sentriz/gonic), a Subsonic music streaming server. Available as [services.gonic](#opt-services.gonic.enable).
100
101
-
- [mmsd](https://gitlab.com/kop316/mmsd), a lower level daemon that transmits and recieves MMSes. Available as [services.mmsd](#opt-services.mmsd.enable).
102
103
- [QDMR](https://dm3mat.darc.de/qdmr/), a GUI application and command line tool for programming DMR radios [programs.qdmr](#opt-programs.qdmr.enable)
104
···
287
288
- The `nix.readOnlyStore` option has been renamed to `boot.readOnlyNixStore` to clarify that it configures the NixOS boot process, not the Nix daemon.
289
290
-
- Deprecated `xlibsWrapper` transitional package has been removed in favour of direct use of its constitutents: `xorg.libX11`, `freetype` and others.
291
292
- The latest available version of Nextcloud is v26 (available as `pkgs.nextcloud26`) which uses PHP 8.2 as interpreter by default. The installation logic is as follows:
293
- If `system.stateVersion` is >=23.05, `pkgs.nextcloud26` will be installed by default.
···
302
[upstream's release notes](https://github.com/iputils/iputils/releases/tag/20221126)
303
for more details and available replacements.
304
305
-
- The ppp plugin `rp-pppoe.so` has been renamed to `pppoe.so` in ppp 2.4.9. Starting from ppp 2.5.0, there is no longer a alias for backwards compatiblity. Configurations that use this plugin must be updated accordingly from `plugin rp-pppoe.so` to `plugin pppoe.so`. See [upstream change](https://github.com/ppp-project/ppp/commit/610a7bd76eb1f99f22317541b35001b1e24877ed).
306
307
- [services.xserver.videoDrivers](options.html#opt-services.xserver.videoDrivers) now defaults to the `modesetting` driver over device-specific ones. The `radeon`, `amdgpu` and `nouveau` drivers are still available, but effectively unmaintained and not recommended for use.
308
···
567
568
The Pipewire config semantics don't really match the NixOS module semantics, so it's extremely awkward to override the default config, especially when lists are involved. Vendoring the configuration files in nixpkgs also creates unnecessary maintenance overhead.
569
570
-
Also, upstream added a lot of accomodations to allow doing most of the things you'd want to do with a config edit in better ways.
571
572
#### Migrating your configuration {#sec-release-23.05-migration-pipewire-how}
573
···
72
73
- [stevenblack-blocklist](https://github.com/StevenBlack/hosts), A unified hosts file with base extensions for blocking unwanted websites. Available as [networking.stevenblack](options.html#opt-networking.stevenblack.enable).
74
75
+
- [Budgie Desktop](https://github.com/BuddiesOfBudgie/budgie-desktop), a familiar, modern desktop environment. Available as [services.xserver.desktopManager.budgie](options.html#opt-services.xserver.desktopManager.budgie).
76
77
- [imaginary](https://github.com/h2non/imaginary), a microservice for high-level image processing that Nextcloud can use to generate previews. Available as [services.imaginary](#opt-services.imaginary.enable).
78
···
88
89
- [alertmanager-irc-relay](https://github.com/google/alertmanager-irc-relay), a Prometheus Alertmanager IRC Relay. Available as [services.prometheus.alertmanagerIrcRelay](options.html#opt-services.prometheus.alertmanagerIrcRelay.enable).
90
91
+
- [tts](https://github.com/coqui-ai/TTS), a battle-tested deep learning toolkit for Text-to-Speech. Multiple servers may be configured below [services.tts.servers](#opt-services.tts.servers).
92
93
- [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable).
94
···
98
99
- [gonic](https://github.com/sentriz/gonic), a Subsonic music streaming server. Available as [services.gonic](#opt-services.gonic.enable).
100
101
+
- [mmsd](https://gitlab.com/kop316/mmsd), a lower level daemon that transmits and receives MMSes. Available as [services.mmsd](#opt-services.mmsd.enable).
102
103
- [QDMR](https://dm3mat.darc.de/qdmr/), a GUI application and command line tool for programming DMR radios [programs.qdmr](#opt-programs.qdmr.enable)
104
···
287
288
- The `nix.readOnlyStore` option has been renamed to `boot.readOnlyNixStore` to clarify that it configures the NixOS boot process, not the Nix daemon.
289
290
+
- Deprecated `xlibsWrapper` transitional package has been removed in favour of direct use of its constituents: `xorg.libX11`, `freetype` and others.
291
292
- The latest available version of Nextcloud is v26 (available as `pkgs.nextcloud26`) which uses PHP 8.2 as interpreter by default. The installation logic is as follows:
293
- If `system.stateVersion` is >=23.05, `pkgs.nextcloud26` will be installed by default.
···
302
[upstream's release notes](https://github.com/iputils/iputils/releases/tag/20221126)
303
for more details and available replacements.
304
305
+
- The ppp plugin `rp-pppoe.so` has been renamed to `pppoe.so` in ppp 2.4.9. Starting from ppp 2.5.0, there is no longer a alias for backwards compatibility. Configurations that use this plugin must be updated accordingly from `plugin rp-pppoe.so` to `plugin pppoe.so`. See [upstream change](https://github.com/ppp-project/ppp/commit/610a7bd76eb1f99f22317541b35001b1e24877ed).
306
307
- [services.xserver.videoDrivers](options.html#opt-services.xserver.videoDrivers) now defaults to the `modesetting` driver over device-specific ones. The `radeon`, `amdgpu` and `nouveau` drivers are still available, but effectively unmaintained and not recommended for use.
308
···
567
568
The Pipewire config semantics don't really match the NixOS module semantics, so it's extremely awkward to override the default config, especially when lists are involved. Vendoring the configuration files in nixpkgs also creates unnecessary maintenance overhead.
569
570
+
Also, upstream added a lot of accommodations to allow doing most of the things you'd want to do with a config edit in better ways.
571
572
#### Migrating your configuration {#sec-release-23.05-migration-pipewire-how}
573
+1
-1
nixos/modules/config/xdg/portal.nix
+1
-1
nixos/modules/config/xdg/portal.nix
···
21
in
22
{
23
warnings = lib.mkIf config.xdg.portal.gtkUsePortal [
24
-
"The option `${lib.showOption from}' defined in ${lib.showFiles fromOpt.files} has been deprecated. Setting the variable globally with `environment.sessionVariables' NixOS option can have unforseen side-effects."
25
];
26
}
27
)
···
21
in
22
{
23
warnings = lib.mkIf config.xdg.portal.gtkUsePortal [
24
+
"The option `${lib.showOption from}' defined in ${lib.showFiles fromOpt.files} has been deprecated. Setting the variable globally with `environment.sessionVariables' NixOS option can have unforeseen side-effects."
25
];
26
}
27
)
+1
-1
nixos/modules/hardware/sensor/hddtemp.nix
+1
-1
nixos/modules/hardware/sensor/hddtemp.nix
+1
-1
nixos/modules/installer/tools/nixos-enter.sh
+1
-1
nixos/modules/installer/tools/nixos-enter.sh
···
97
exec 2>/dev/null
98
fi
99
100
-
# Run the activation script. Set $LOCALE_ARCHIVE to supress some Perl locale warnings.
101
LOCALE_ARCHIVE="$system/sw/lib/locale/locale-archive" IN_NIXOS_ENTER=1 chroot "$mountPoint" "$system/activate" 1>&2 || true
102
103
# Create /tmp. This is needed for nix-build and the NixOS activation script to work.
···
97
exec 2>/dev/null
98
fi
99
100
+
# Run the activation script. Set $LOCALE_ARCHIVE to suppress some Perl locale warnings.
101
LOCALE_ARCHIVE="$system/sw/lib/locale/locale-archive" IN_NIXOS_ENTER=1 chroot "$mountPoint" "$system/activate" 1>&2 || true
102
103
# Create /tmp. This is needed for nix-build and the NixOS activation script to work.
+2
-2
nixos/modules/misc/version.nix
+2
-2
nixos/modules/misc/version.nix
···
9
literalExpression mkRenamedOptionModule mkDefault mkOption trivial types;
10
11
needsEscaping = s: null != builtins.match "[a-zA-Z0-9]+" s;
12
-
escapeIfNeccessary = s: if needsEscaping s then s else ''"${lib.escape [ "\$" "\"" "\\" "\`" ] s}"'';
13
attrsToText = attrs:
14
concatStringsSep "\n" (
15
-
mapAttrsToList (n: v: ''${n}=${escapeIfNeccessary (toString v)}'') attrs
16
) + "\n";
17
18
osReleaseContents = {
···
9
literalExpression mkRenamedOptionModule mkDefault mkOption trivial types;
10
11
needsEscaping = s: null != builtins.match "[a-zA-Z0-9]+" s;
12
+
escapeIfNecessary = s: if needsEscaping s then s else ''"${lib.escape [ "\$" "\"" "\\" "\`" ] s}"'';
13
attrsToText = attrs:
14
concatStringsSep "\n" (
15
+
mapAttrsToList (n: v: ''${n}=${escapeIfNecessary (toString v)}'') attrs
16
) + "\n";
17
18
osReleaseContents = {
+1
-1
nixos/modules/programs/fish.nix
+1
-1
nixos/modules/programs/fish.nix
···
303
programs.fish.interactiveShellInit = ''
304
# add completions generated by NixOS to $fish_complete_path
305
begin
306
-
# joins with null byte to acommodate all characters in paths, then respectively gets all paths before (exclusive) / after (inclusive) the first one including "generated_completions",
307
# splits by null byte, and then removes all empty lines produced by using 'string'
308
set -l prev (string join0 $fish_complete_path | string match --regex "^.*?(?=\x00[^\x00]*generated_completions.*)" | string split0 | string match -er ".")
309
set -l post (string join0 $fish_complete_path | string match --regex "[^\x00]*generated_completions.*" | string split0 | string match -er ".")
···
303
programs.fish.interactiveShellInit = ''
304
# add completions generated by NixOS to $fish_complete_path
305
begin
306
+
# joins with null byte to accommodate all characters in paths, then respectively gets all paths before (exclusive) / after (inclusive) the first one including "generated_completions",
307
# splits by null byte, and then removes all empty lines produced by using 'string'
308
set -l prev (string join0 $fish_complete_path | string match --regex "^.*?(?=\x00[^\x00]*generated_completions.*)" | string split0 | string match -er ".")
309
set -l post (string join0 $fish_complete_path | string match --regex "[^\x00]*generated_completions.*" | string split0 | string match -er ".")
+1
-1
nixos/modules/programs/nix-ld.nix
+1
-1
nixos/modules/programs/nix-ld.nix
+3
-3
nixos/modules/programs/singularity.nix
+3
-3
nixos/modules/programs/singularity.nix
···
25
type = types.nullOr types.package;
26
default = null;
27
description = mdDoc ''
28
-
This option provides access to the overriden result of `programs.singularity.package`.
29
30
-
For example, the following configuration makes all the Nixpkgs packages use the overriden `singularity`:
31
```Nix
32
{ config, lib, pkgs, ... }:
33
{
···
42
}
43
```
44
45
-
Use `lib.mkForce` to forcefully specify the overriden package.
46
'';
47
};
48
enableFakeroot = mkOption {
···
25
type = types.nullOr types.package;
26
default = null;
27
description = mdDoc ''
28
+
This option provides access to the overridden result of `programs.singularity.package`.
29
30
+
For example, the following configuration makes all the Nixpkgs packages use the overridden `singularity`:
31
```Nix
32
{ config, lib, pkgs, ... }:
33
{
···
42
}
43
```
44
45
+
Use `lib.mkForce` to forcefully specify the overridden package.
46
'';
47
};
48
enableFakeroot = mkOption {
+1
-1
nixos/modules/programs/turbovnc.nix
+1
-1
nixos/modules/programs/turbovnc.nix
···
39
config = mkIf cfg.ensureHeadlessSoftwareOpenGL {
40
41
# TurboVNC has builtin support for Mesa llvmpipe's `swrast`
42
-
# software rendering to implemnt GLX (OpenGL on Xorg).
43
# However, just building TurboVNC with support for that is not enough
44
# (it only takes care of the X server side part of OpenGL);
45
# the indiviudual applications (e.g. `glxgears`) also need to directly load
···
39
config = mkIf cfg.ensureHeadlessSoftwareOpenGL {
40
41
# TurboVNC has builtin support for Mesa llvmpipe's `swrast`
42
+
# software rendering to implement GLX (OpenGL on Xorg).
43
# However, just building TurboVNC with support for that is not enough
44
# (it only takes care of the X server side part of OpenGL);
45
# the indiviudual applications (e.g. `glxgears`) also need to directly load
+1
-1
nixos/modules/rename.nix
+1
-1
nixos/modules/rename.nix
···
112
(mkRemovedOptionModule [ "services" "cryptpad" ] "The corresponding package was removed from nixpkgs.")
113
(mkRemovedOptionModule [ "services" "rtsp-simple-server" ] "Package has been completely rebranded by upstream as mediamtx, and thus the service and the package were renamed in NixOS as well.")
114
115
-
(mkRemovedOptionModule [ "i18n" "inputMethod" "fcitx" ] "The fcitx module has been removed. Plesae use fcitx5 instead")
116
117
# Do NOT add any option renames here, see top of the file
118
];
···
112
(mkRemovedOptionModule [ "services" "cryptpad" ] "The corresponding package was removed from nixpkgs.")
113
(mkRemovedOptionModule [ "services" "rtsp-simple-server" ] "Package has been completely rebranded by upstream as mediamtx, and thus the service and the package were renamed in NixOS as well.")
114
115
+
(mkRemovedOptionModule [ "i18n" "inputMethod" "fcitx" ] "The fcitx module has been removed. Please use fcitx5 instead")
116
117
# Do NOT add any option renames here, see top of the file
118
];
+1
-1
nixos/modules/services/cluster/kubernetes/flannel.nix
+1
-1
nixos/modules/services/cluster/kubernetes/flannel.nix
+1
-1
nixos/modules/services/cluster/kubernetes/kubelet.nix
+1
-1
nixos/modules/services/cluster/kubernetes/kubelet.nix
+1
-1
nixos/modules/services/continuous-integration/gitea-actions-runner.nix
+1
-1
nixos/modules/services/continuous-integration/gitea-actions-runner.nix
···
207
export LABELS_CURRENT="$(cat $LABELS_FILE 2>/dev/null || echo 0)"
208
209
if [ ! -e "$INSTANCE_DIR/.runner" ] || [ "$LABELS_WANTED" != "$LABELS_CURRENT" ]; then
210
-
# remove existing registration file, so that changing the labels forces a re-registation
211
rm -v "$INSTANCE_DIR/.runner" || true
212
213
# perform the registration
···
207
export LABELS_CURRENT="$(cat $LABELS_FILE 2>/dev/null || echo 0)"
208
209
if [ ! -e "$INSTANCE_DIR/.runner" ] || [ "$LABELS_WANTED" != "$LABELS_CURRENT" ]; then
210
+
# remove existing registration file, so that changing the labels forces a re-registration
211
rm -v "$INSTANCE_DIR/.runner" || true
212
213
# perform the registration
+1
-1
nixos/modules/services/continuous-integration/woodpecker/agents.nix
+1
-1
nixos/modules/services/continuous-integration/woodpecker/agents.nix
+1
-1
nixos/modules/services/continuous-integration/woodpecker/server.nix
+1
-1
nixos/modules/services/continuous-integration/woodpecker/server.nix
···
28
WOODPECKER_GITEA_URL = "https://git.example.com";
29
}
30
'';
31
-
description = lib.mdDoc "woodpecker-server config envrionment variables, for other options read the [documentation](https://woodpecker-ci.org/docs/administration/server-config)";
32
};
33
environmentFile = lib.mkOption {
34
type = lib.types.nullOr lib.types.path;
···
28
WOODPECKER_GITEA_URL = "https://git.example.com";
29
}
30
'';
31
+
description = lib.mdDoc "woodpecker-server config environment variables, for other options read the [documentation](https://woodpecker-ci.org/docs/administration/server-config)";
32
};
33
environmentFile = lib.mkOption {
34
type = lib.types.nullOr lib.types.path;
+1
-1
nixos/modules/services/databases/cockroachdb.nix
+1
-1
nixos/modules/services/databases/cockroachdb.nix
···
164
example = [ "--advertise-addr" "[fe80::f6f2:::]" ];
165
description = lib.mdDoc ''
166
Extra CLI arguments passed to {command}`cockroach start`.
167
-
For the full list of supported argumemnts, check <https://www.cockroachlabs.com/docs/stable/cockroach-start.html#flags>
168
'';
169
};
170
};
+1
-1
nixos/modules/services/databases/couchdb.nix
+1
-1
nixos/modules/services/databases/couchdb.nix
+1
-1
nixos/modules/services/databases/firebird.nix
+1
-1
nixos/modules/services/databases/firebird.nix
+1
-1
nixos/modules/services/databases/mongodb.nix
+1
-1
nixos/modules/services/databases/mongodb.nix
+1
-1
nixos/modules/services/desktops/deepin/dde-api.nix
+1
-1
nixos/modules/services/desktops/deepin/dde-api.nix
+1
-1
nixos/modules/services/mail/roundcube.nix
+1
-1
nixos/modules/services/mail/roundcube.nix
···
72
type = types.str;
73
description = lib.mdDoc ''
74
Password file for the postgresql connection.
75
-
Must be formated according to PostgreSQL .pgpass standard (see https://www.postgresql.org/docs/current/libpq-pgpass.html)
76
but only one line, no comments and readable by user `nginx`.
77
Ignored if `database.host` is set to `localhost`, as peer authentication will be used.
78
'';
···
72
type = types.str;
73
description = lib.mdDoc ''
74
Password file for the postgresql connection.
75
+
Must be formatted according to PostgreSQL .pgpass standard (see https://www.postgresql.org/docs/current/libpq-pgpass.html)
76
but only one line, no comments and readable by user `nginx`.
77
Ignored if `database.host` is set to `localhost`, as peer authentication will be used.
78
'';
+3
-3
nixos/modules/services/misc/siproxd.nix
+3
-3
nixos/modules/services/misc/siproxd.nix
···
60
default = [ ];
61
example = [ "192.168.1.0/24" "192.168.2.0/24" ];
62
description = lib.mdDoc ''
63
-
Acess control list for incoming SIP registrations.
64
'';
65
};
66
···
69
default = [ ];
70
example = [ "123.45.0.0/16" "123.46.0.0/16" ];
71
description = lib.mdDoc ''
72
-
Acess control list for incoming SIP traffic.
73
'';
74
};
75
···
78
default = [ ];
79
example = [ "10.0.0.0/8" "11.0.0.0/8" ];
80
description = lib.mdDoc ''
81
-
Acess control list for denying incoming
82
SIP registrations and traffic.
83
'';
84
};
···
60
default = [ ];
61
example = [ "192.168.1.0/24" "192.168.2.0/24" ];
62
description = lib.mdDoc ''
63
+
Access control list for incoming SIP registrations.
64
'';
65
};
66
···
69
default = [ ];
70
example = [ "123.45.0.0/16" "123.46.0.0/16" ];
71
description = lib.mdDoc ''
72
+
Access control list for incoming SIP traffic.
73
'';
74
};
75
···
78
default = [ ];
79
example = [ "10.0.0.0/8" "11.0.0.0/8" ];
80
description = lib.mdDoc ''
81
+
Access control list for denying incoming
82
SIP registrations and traffic.
83
'';
84
};
+1
-1
nixos/modules/services/monitoring/prometheus/default.nix
+1
-1
nixos/modules/services/monitoring/prometheus/default.nix
+2
-2
nixos/modules/services/monitoring/unpoller.nix
+2
-2
nixos/modules/services/monitoring/unpoller.nix
···
47
type = types.bool;
48
default = false;
49
description = lib.mdDoc ''
50
-
Whether to disable the prometheus ouput plugin.
51
'';
52
};
53
http_listen = mkOption {
···
71
type = types.bool;
72
default = false;
73
description = lib.mdDoc ''
74
-
Whether to disable the influxdb ouput plugin.
75
'';
76
};
77
url = mkOption {
···
47
type = types.bool;
48
default = false;
49
description = lib.mdDoc ''
50
+
Whether to disable the prometheus output plugin.
51
'';
52
};
53
http_listen = mkOption {
···
71
type = types.bool;
72
default = false;
73
description = lib.mdDoc ''
74
+
Whether to disable the influxdb output plugin.
75
'';
76
};
77
url = mkOption {
+1
-1
nixos/modules/services/networking/headscale.nix
+1
-1
nixos/modules/services/networking/headscale.nix
+1
-1
nixos/modules/services/networking/wgautomesh.nix
+1
-1
nixos/modules/services/networking/wgautomesh.nix
+1
-1
nixos/modules/services/search/meilisearch.md
+1
-1
nixos/modules/services/search/meilisearch.md
···
30
31
- The default nixos package doesn't come with the [dashboard](https://docs.meilisearch.com/learn/getting_started/quick_start.html#search), since the dashboard features makes some assets downloads at compile time.
32
33
-
- Anonimized Analytics sent to meilisearch are disabled by default.
34
35
- Default deployment is development mode. It doesn't require a secret master key. All routes are not protected and accessible.
36
···
30
31
- The default nixos package doesn't come with the [dashboard](https://docs.meilisearch.com/learn/getting_started/quick_start.html#search), since the dashboard features makes some assets downloads at compile time.
32
33
+
- Anonymized Analytics sent to meilisearch are disabled by default.
34
35
- Default deployment is development mode. It doesn't require a secret master key. All routes are not protected and accessible.
36
+1
-1
nixos/modules/services/security/authelia.nix
+1
-1
nixos/modules/services/security/authelia.nix
+1
-1
nixos/modules/services/security/kanidm.nix
+1
-1
nixos/modules/services/security/kanidm.nix
···
10
certPaths = builtins.map builtins.dirOf [ cfg.serverSettings.tls_chain cfg.serverSettings.tls_key ];
11
12
# Merge bind mount paths and remove paths where a prefix is already mounted.
13
-
# This makes sure that if e.g. the tls_chain is in the nix store and /nix/store is alread in the mount
14
# paths, no new bind mount is added. Adding subpaths caused problems on ofborg.
15
hasPrefixInList = list: newPath: lib.any (path: lib.hasPrefix (builtins.toString path) (builtins.toString newPath)) list;
16
mergePaths = lib.foldl' (merged: newPath: let
···
10
certPaths = builtins.map builtins.dirOf [ cfg.serverSettings.tls_chain cfg.serverSettings.tls_key ];
11
12
# Merge bind mount paths and remove paths where a prefix is already mounted.
13
+
# This makes sure that if e.g. the tls_chain is in the nix store and /nix/store is already in the mount
14
# paths, no new bind mount is added. Adding subpaths caused problems on ofborg.
15
hasPrefixInList = list: newPath: lib.any (path: lib.hasPrefix (builtins.toString path) (builtins.toString newPath)) list;
16
mergePaths = lib.foldl' (merged: newPath: let
+1
-1
nixos/modules/services/web-apps/dokuwiki.nix
+1
-1
nixos/modules/services/web-apps/dokuwiki.nix
···
173
}
174
{
175
assertion = config.usersFile != null -> config.mergedConfig.useacl != false;
176
-
message = "${showPath [ "settings" "useacl" ]} is required when ${showPath [ "usersFile" ]} is set (Currently defiend as `${config.usersFile}' in ${showFiles options.usersFile.files}).";
177
}
178
];
179
})
···
173
}
174
{
175
assertion = config.usersFile != null -> config.mergedConfig.useacl != false;
176
+
message = "${showPath [ "settings" "useacl" ]} is required when ${showPath [ "usersFile" ]} is set (Currently defined as `${config.usersFile}' in ${showFiles options.usersFile.files}).";
177
}
178
];
179
})
+1
-1
nixos/modules/services/web-apps/kavita.nix
+1
-1
nixos/modules/services/web-apps/kavita.nix
+1
-1
nixos/modules/services/web-apps/mastodon.nix
+1
-1
nixos/modules/services/web-apps/mastodon.nix
+1
-1
nixos/modules/services/web-apps/monica.nix
+1
-1
nixos/modules/services/web-apps/monica.nix
+1
-1
nixos/modules/services/web-apps/nextcloud-notify_push.nix
+1
-1
nixos/modules/services/web-apps/nextcloud-notify_push.nix
···
31
type = lib.types.bool;
32
default = false;
33
description = lib.mdDoc ''
34
-
Wether to add an entry to `/etc/hosts` for the configured nextcloud domain to point to `localhost` and add `localhost `to nextcloud's `trusted_proxies` config option.
35
36
This is useful when nextcloud's domain is not a static IP address and when the reverse proxy cannot be bypassed because the backend connection is done via unix socket.
37
'';
···
31
type = lib.types.bool;
32
default = false;
33
description = lib.mdDoc ''
34
+
Whether to add an entry to `/etc/hosts` for the configured nextcloud domain to point to `localhost` and add `localhost `to nextcloud's `trusted_proxies` config option.
35
36
This is useful when nextcloud's domain is not a static IP address and when the reverse proxy cannot be bypassed because the backend connection is done via unix socket.
37
'';
+1
-1
nixos/modules/services/web-apps/nextcloud.nix
+1
-1
nixos/modules/services/web-apps/nextcloud.nix
···
556
default = config.services.nextcloud.notify_push.enable;
557
defaultText = literalExpression "config.services.nextcloud.notify_push.enable";
558
description = lib.mdDoc ''
559
-
Wether to configure nextcloud to use the recommended redis settings for small instances.
560
561
::: {.note}
562
The `notify_push` app requires redis to be configured. If this option is turned off, this must be configured manually.
···
556
default = config.services.nextcloud.notify_push.enable;
557
defaultText = literalExpression "config.services.nextcloud.notify_push.enable";
558
description = lib.mdDoc ''
559
+
Whether to configure nextcloud to use the recommended redis settings for small instances.
560
561
::: {.note}
562
The `notify_push` app requires redis to be configured. If this option is turned off, this must be configured manually.
+1
-1
nixos/modules/services/web-apps/pixelfed.nix
+1
-1
nixos/modules/services/web-apps/pixelfed.nix
···
237
QUEUE_DRIVER = mkDefault "redis";
238
SESSION_DRIVER = mkDefault "redis";
239
WEBSOCKET_REPLICATION_MODE = mkDefault "redis";
240
-
# Suppport phpredis and predis configuration-style.
241
REDIS_SCHEME = "unix";
242
REDIS_HOST = config.services.redis.servers.pixelfed.unixSocket;
243
REDIS_PATH = config.services.redis.servers.pixelfed.unixSocket;
···
237
QUEUE_DRIVER = mkDefault "redis";
238
SESSION_DRIVER = mkDefault "redis";
239
WEBSOCKET_REPLICATION_MODE = mkDefault "redis";
240
+
# Support phpredis and predis configuration-style.
241
REDIS_SCHEME = "unix";
242
REDIS_HOST = config.services.redis.servers.pixelfed.unixSocket;
243
REDIS_PATH = config.services.redis.servers.pixelfed.unixSocket;
+1
-1
nixos/modules/services/web-servers/garage.md
+1
-1
nixos/modules/services/web-servers/garage.md
···
77
on fresh setups.
78
79
If major-releases will be abandoned by upstream, we should check first if those are needed
80
-
in NixOS for a safe upgrade-path before removing those. In that case we shold keep those
81
packages, but mark them as insecure in an expression like this (in
82
`<nixpkgs/pkgs/tools/filesystem/garage/default.nix>`):
83
```
···
77
on fresh setups.
78
79
If major-releases will be abandoned by upstream, we should check first if those are needed
80
+
in NixOS for a safe upgrade-path before removing those. In that case we should keep those
81
packages, but mark them as insecure in an expression like this (in
82
`<nixpkgs/pkgs/tools/filesystem/garage/default.nix>`):
83
```
+1
-1
nixos/modules/services/web-servers/stargazer.nix
+1
-1
nixos/modules/services/web-servers/stargazer.nix
···
152
153
Expressed as a list of attribute sets. Each set must have a key `route`
154
that becomes the section name for that route in the stargazer ini cofig.
155
-
The remaining keys and vaules become the parameters for that route.
156
157
[Refer to upstream docs for other params](https://git.sr.ht/~zethra/stargazer/tree/main/item/doc/stargazer.ini.5.txt)
158
'';
···
152
153
Expressed as a list of attribute sets. Each set must have a key `route`
154
that becomes the section name for that route in the stargazer ini cofig.
155
+
The remaining keys and values become the parameters for that route.
156
157
[Refer to upstream docs for other params](https://git.sr.ht/~zethra/stargazer/tree/main/item/doc/stargazer.ini.5.txt)
158
'';
+1
-1
nixos/modules/services/x11/window-managers/qtile.nix
+1
-1
nixos/modules/services/x11/window-managers/qtile.nix
+2
-2
nixos/modules/system/boot/loader/grub/install-grub.pl
+2
-2
nixos/modules/system/boot/loader/grub/install-grub.pl
···
213
$search .= $matches[0];
214
}
215
216
-
# BTRFS is a special case in that we need to fix the referrenced path based on subvolumes
217
if ($fs->type eq 'btrfs') {
218
my ($status, @id_info) = runCommand("@btrfsprogs@/bin/btrfs", "subvol", "show", @{[$fs->mount]});
219
if ($status != 0) {
···
586
if (($grubTarget eq "") || ($grubTargetEfi eq "")) { die }
587
else { return "both" }
588
} elsif (($grub ne "") && ($grubEfi eq "")) {
589
-
# TODO: It would be safer to disallow non-EFI grub installation if no taget is given.
590
# If no target is given, then grub auto-detects the target which can lead to errors.
591
# E.g. it seems as if grub would auto-detect a EFI target based on the availability
592
# of a EFI partition.
···
213
$search .= $matches[0];
214
}
215
216
+
# BTRFS is a special case in that we need to fix the referenced path based on subvolumes
217
if ($fs->type eq 'btrfs') {
218
my ($status, @id_info) = runCommand("@btrfsprogs@/bin/btrfs", "subvol", "show", @{[$fs->mount]});
219
if ($status != 0) {
···
586
if (($grubTarget eq "") || ($grubTargetEfi eq "")) { die }
587
else { return "both" }
588
} elsif (($grub ne "") && ($grubEfi eq "")) {
589
+
# TODO: It would be safer to disallow non-EFI grub installation if no target is given.
590
# If no target is given, then grub auto-detects the target which can lead to errors.
591
# E.g. it seems as if grub would auto-detect a EFI target based on the availability
592
# of a EFI partition.
+2
-2
nixos/modules/system/boot/luksroot.nix
+2
-2
nixos/modules/system/boot/luksroot.nix
···
130
''}
131
132
# Disable all input echo for the whole stage. We could use read -s
133
-
# instead but that would ocasionally leak characters between read
134
# invocations.
135
stty -echo
136
'';
···
861
'';
862
description = lib.mdDoc ''
863
Commands that should be run right before we try to mount our LUKS device.
864
-
This can be useful, if the keys needed to open the drive is on another partion.
865
'';
866
};
867
···
130
''}
131
132
# Disable all input echo for the whole stage. We could use read -s
133
+
# instead but that would occasionally leak characters between read
134
# invocations.
135
stty -echo
136
'';
···
861
'';
862
description = lib.mdDoc ''
863
Commands that should be run right before we try to mount our LUKS device.
864
+
This can be useful, if the keys needed to open the drive is on another partition.
865
'';
866
};
867
+1
-1
nixos/modules/system/boot/stage-1-init.sh
+1
-1
nixos/modules/system/boot/stage-1-init.sh
+1
-1
nixos/modules/tasks/filesystems/bcachefs.nix
+1
-1
nixos/modules/tasks/filesystems/bcachefs.nix
+1
-1
nixos/modules/tasks/filesystems/btrfs.nix
+1
-1
nixos/modules/tasks/filesystems/btrfs.nix
···
25
type = types.listOf types.path;
26
example = [ "/" ];
27
description = lib.mdDoc ''
28
-
List of paths to btrfs filesystems to regularily call {command}`btrfs scrub` on.
29
Defaults to all mount points with btrfs filesystems.
30
If you mount a filesystem multiple times or additionally mount subvolumes,
31
you need to manually specify this list to avoid scrubbing multiple times.
···
25
type = types.listOf types.path;
26
example = [ "/" ];
27
description = lib.mdDoc ''
28
+
List of paths to btrfs filesystems to regularly call {command}`btrfs scrub` on.
29
Defaults to all mount points with btrfs filesystems.
30
If you mount a filesystem multiple times or additionally mount subvolumes,
31
you need to manually specify this list to avoid scrubbing multiple times.
+1
-1
nixos/modules/tasks/network-interfaces-scripted.nix
+1
-1
nixos/modules/tasks/network-interfaces-scripted.nix
+1
-1
nixos/modules/tasks/network-interfaces-systemd.nix
+1
-1
nixos/modules/tasks/network-interfaces-systemd.nix
+1
-1
nixos/modules/testing/test-instrumentation.nix
+1
-1
nixos/modules/testing/test-instrumentation.nix
···
43
# Passing the terminal device makes bash run non-interactively.
44
# Otherwise we get errors on the terminal because bash tries to
45
# setup things like job control.
46
-
# Note: calling bash explicitely here instead of sh makes sure that
47
# we can also run non-NixOS guests during tests.
48
PS1= exec /usr/bin/env bash --norc /dev/hvc0
49
'';
···
43
# Passing the terminal device makes bash run non-interactively.
44
# Otherwise we get errors on the terminal because bash tries to
45
# setup things like job control.
46
+
# Note: calling bash explicitly here instead of sh makes sure that
47
# we can also run non-NixOS guests during tests.
48
PS1= exec /usr/bin/env bash --norc /dev/hvc0
49
'';