nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md

Release 23.11 (“Tapir”, 2023.11/??)

Highlights

• FoundationDB now defaults to major version 7.

• Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the hostapd package, along with a significant rework of the hostapd module.

New Services

• MCHPRS, a multithreaded Minecraft server built for redstone. Available as services.mchprs.

• acme-dns, a limited DNS server to handle ACME DNS challenges easily and securely. Available as services.acme-dns.

• river, A dynamic tiling wayland compositor. Available as programs.river.

• GoToSocial, an ActivityPub social network server, written in Golang. Available as services.gotosocial.

• Anuko Time Tracker, a simple, easy to use, open source time tracking system. Available as services.anuko-time-tracker.

• sitespeed-io, a tool that can generate metrics (timings, diagnostics) for websites. Available as services.sitespeed-io.

• Apache Guacamole, a cross-platform, clientless remote desktop gateway. Available as services.guacamole-server and services.guacamole-client services.

Backward Incompatibilities

• The boot.loader.raspberryPi options have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs (before mid-2019) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices.

• python3.pkgs.sequoia was removed in favor of python3.pkgs.pysequoia. The latter package is based on upstream's dedicated repository for sequoia's Python bindings, where the Python bindings from gitlab:sequoia-pgp/sequoia were removed long ago.

• writeTextFile now requires executable to be boolean, values like null or "" will now fail to evaluate.

• The latest version of clonehero now stores custom content in ~/.clonehero. See the migration instructions. Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in ~/.config/unity3d/srylain Inc_/Clone Hero.

• The services.hostapd module was rewritten to support passwordFile like options, WPA3-SAE, and management of multiple interfaces. This breaks compatibility with older configurations.

  • hostapd is now started with additional systemd sandbox/hardening options for better security.
  • services.hostapd.interface was replaced with a per-radio and per-bss configuration scheme using services.hostapd.radios.
  • services.hostapd.wpa has been replaced by services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword and services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords which configure WPA2-PSK and WP3-SAE respectively.
  • The default authentication has been changed to WPA3-SAE. Options for other (legacy) schemes are still available.

• python3.pkgs.fetchPypi (and python3Packages.fetchPypi) has been deprecated in favor of top-level fetchPypi.

• mariadb now defaults to mariadb_1011 instead of mariadb_106, meaning the default version was upgraded from 10.6.x to 10.11.x. See the upgrade notes for potential issues.

• getent has been moved from glibc's bin output to its own dedicated output, reducing closure size for many dependents. Dependents using the getent alias should not be affected; others should move from using glibc.bin or getBin glibc to getent (which also improves compatibility with non-glibc platforms).

• The services.ananicy.extraRules option now has the type of listOf attrs instead of string.

• etcd has been updated to 3.5, you will want to read the 3.3 to 3.4 and 3.4 to 3.5 upgrade guides

• consul has been updated to 1.16.0. See the release note for more details. Once a new Consul version has started and upgraded its data directory, it generally cannot be downgraded to the previous version.

• himalaya has been updated to 0.8.0, which drops the native TLS support (in favor of Rustls) and add OAuth 2.0 support. See the release note for more details.

• The services.caddy.acmeCA option now defaults to null instead of "https://acme-v02.api.letsencrypt.org/directory", to use all of Caddy's default ACME CAs and enable Caddy's automatic issuer fallback feature by default, as recommended by upstream.

• php80 is no longer supported due to upstream not supporting this version anymore.

• PHP now defaults to PHP 8.2, updated from 8.1.

• util-linux is now supported on Darwin and is no longer an alias to unixtools. Use the unixtools.util-linux package for access to the Apple variants of the utilities.

• services.keyd changed API. Now you can create multiple configuration files.

• services.ddclient has been removed on the request of the upstream maintainer because it is unmaintained and has bugs. Please switch to a different software like inadyn or knsupdate.

• The vlock program from the kbd package has been moved into its own package output and should now be referenced explicitly as kbd.vlock or replaced with an alternative such as the standalone vlock package or physlock.

• fileSystems.<name>.autoFormat now uses systemd-makefs, which does not accept formatting options. Therefore, fileSystems.<name>.formatOptions has been removed.

• fileSystems.<name>.autoResize now uses systemd-growfs to resize the file system online in stage 2. This means that f2fs and ext2 can no longer be auto resized, while xfs and btrfs now can be.

• The services.vaultwarden.config option default value was changed to make Vaultwarden only listen on localhost, following the secure defaults for most NixOS services.

• services.lemmy.settings.federation was removed in 0.17.0 and no longer has any effect. To enable federation, the hostname must be set in the configuration file and then federation must be enabled in the admin web UI. See the release notes for more details.

• pict-rs was upgraded from 0.3 to 0.4 and contains an incompatible database & configuration change. To upgrade on systems with stateVersion = "23.05"; or older follow the migration steps from https://git.asonix.dog/asonix/pict-rs#user-content-0-3-to-0-4-migration-guide and set services.pict-rs.package = pkgs.pict-rs;.

• The following packages in haskellPackages have now a separate bin output: cabal-fmt, calligraphy, eventlog2html, ghc-debug-brick, hindent, nixfmt, releaser. This means you need to replace e.g. "${pkgs.haskellPackages.nixfmt}/bin/nixfmt" with "${lib.getBin pkgs.haskellPackages.nixfmt}/bin/nixfmt" or "${lib.getExe pkgs.haskellPackages.nixfmt}". The binaries also won’t be in scope if you rely on them being installed e.g. via ghcWithPackages. environment.packages picks the bin output automatically, so for normal installation no intervention is required. Also, toplevel attributes like pkgs.nixfmt are not impacted negatively by this change.

• spamassassin no longer supports the Hashcash module. The module needs to be removed from the loadplugin list if it was copied over from the default initPreConf option.

• services.outline.sequelizeArguments has been removed, as outline no longer executes database migrations via the sequelize cli.

• The Caddy module gained a new option named services.caddy.enableReload which is enabled by default. It allows reloading the service instead of restarting it, if only a config file has changed. This option must be disabled if you have turned off the Caddy admin API. If you keep this option enabled, you should consider setting grace_period to a non-infinite value to prevent Caddy from delaying the reload indefinitely.

• mdraid support is now optional. This reduces initramfs size and prevents the potentially undesired automatic detection and activation of software RAID pools. It is disabled by default in new configurations (determined by stateVersion), but the appropriate settings will be generated by nixos-generate-config when installing to a software RAID device, so the standard installation procedure should be unaffected. If you have custom configs relying on mdraid, ensure that you use stateVersion correctly or set boot.swraid.enable manually.

• The go-ethereum package has been updated to v1.12.0. This drops support for proof-of-work. Its GraphQL API now encodes all numeric values as hex strings and the GraphQL UI is updated to version 2.0. The default database has changed from leveldb to pebble but leveldb can be forced with the --db.engine=leveldb flag. The checkpoint-admin command was removed along with trusted checkpoints.

Other Notable Changes

• The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ]; from your NixOS configuration.

• fontconfig now defaults to using greyscale antialiasing instead of subpixel antialiasing because of a recommendation from one of the downstreams. You can change this value by configuring accordingly.

• The latest available version of Nextcloud is v27 (available as pkgs.nextcloud27). The installation logic is as follows:

  • If services.nextcloud.package is specified explicitly, this package will be installed (recommended)
  • If system.stateVersion is >=23.11, pkgs.nextcloud27 will be installed by default.
  • If system.stateVersion is >=23.05, pkgs.nextcloud26 will be installed by default.
  • Please note that an upgrade from v25 (or older) to v27 directly is not possible. Please upgrade to nextcloud26 (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring services.nextcloud.package = pkgs.nextcloud26;.

• New options were added to services.searx for better SearXNG support, including options for the built-in rate limiter and bot protection and automatically configuring a local redis server.

• A new option was added to the virtualisation module that enables specifying explicitly named network interfaces in QEMU VMs. The existing virtualisation.vlans is still supported for cases where the name of the network interface is irrelevant.

• DocBook option documentation is no longer supported, all module documentation now uses markdown.

• services.fail2ban.jails can now be configured with attribute sets defining settings and filters instead of lines. The stringed options daemonConfig and extraSettings have respectively been replaced by daemonSettings and jails.DEFAULT.settings which use attribute sets.

• The module services.ankisyncd has been switched to anki-sync-server-rs from the old python version, which was difficult to update, had not been updated in a while, and did not support recent versions of anki. Unfortunately all servers supporting new clients (newer version of anki-sync-server, anki's built in sync server and this new rust package) do not support the older sync protocol that was used in the old server, so such old clients will also need updating and in particular the anki package in nixpkgs is also being updated in this release. The module update takes care of the new config syntax and the data itself (user login and cards) are compatible, so users of the module will be able to just log in again after updating both client and server without any extra action.

• services.nginx gained a defaultListen option at server-level with support for PROXY protocol listeners, also proxyProtocol is now exposed in services.nginx.virtualHosts.<name>.listen option. It is now possible to run PROXY listeners and non-PROXY listeners at a server-level, see #213510 for more details.

• services.prometheus.exporters has a new exporter to monitor electrical power consumption based on PowercapRAPL sensor called Scaphandre, see #239803 for more details.

• The module services.calibre-server has new options to configure the host, port, auth.enable, auth.mode and auth.userDb path, see #216497 for more details.

• services.prometheus.exporters has a new exporter to monitor PHP-FPM processes, see #240394 for more details.

• programs.gnupg.agent.pinentryFlavor is now set in /etc/gnupg/gpg-agent.conf, and will no longer take precedence over a pinentry-program set in ~/.gnupg/gpg-agent.conf.

Nixpkgs internals

• The qemu-vm.nix module by default now identifies block devices via persistent names available in /dev/disk/by-*. Because the rootDevice is identfied by its filesystem label, it needs to be formatted before the VM is started. The functionality of automatically formatting the rootDevice in the initrd is removed from the QEMU module. However, for tests that depend on this functionality, a test utility for the scripted initrd is added (nixos/tests/common/auto-format-root-device.nix). To use this in a NixOS test, import the module, e.g. imports = [ ./common/auto-format-root-device.nix ]; When you use the systemd initrd, you can automatically format the root device by setting virtualisation.fileSystems."/".autoFormat = true;.