rl-2003: release date

[NixPkgs.git] / nixos / doc / manual / release-notes / rl-2003.xml

<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-20.03">
 <title>Release 20.03 (“Markhor”, 2020.04/20)</title>

 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-20.03-highlights">
  <title>Highlights</title>

  <para>
   In addition to numerous new and upgraded packages, this release has the
   following highlights:
  </para>

  <itemizedlist>
   <listitem>
    <para>
     Support is planned until the end of October 2020, handing over to 20.09.
    </para>
   </listitem>
   <listitem>
    <para>Core version changes:</para>
    <para>gcc: 8.3.0 -&gt; 9.2.0</para>
    <para>glibc: 2.27 -&gt; 2.30</para>
    <para>linux: 4.19 -&gt; 5.4</para>
    <para>mesa: 19.1.5 -&gt; 19.3.3</para>
    <para>openssl: 1.0.2u -&gt; 1.1.1d</para>
   </listitem>
   <listitem>
    <para>Desktop version changes:</para>
    <para>plasma5: 5.16.5 -&gt; 5.17.5</para>
    <para>kdeApplications: 19.08.2 -&gt; 19.12.3</para>
    <para>gnome3: 3.32 -&gt; 3.34</para>
    <para>pantheon: 5.0 -&gt; 5.1.3</para>
   </listitem>
   <listitem>
    <para>
     Linux kernel is updated to branch 5.4 by default (from 4.19).
    </para>
   </listitem>
   <listitem>
    <para>
     Postgresql for NixOS service now defaults to v11.
    </para>
   </listitem>
   <listitem>
    <para>
     The graphical installer image starts the graphical session automatically.
     Before you'd be greeted by a tty and asked to enter <command>systemctl start display-manager</command>.
     It is now possible to disable the display-manager from running by selecting the <literal>Disable display-manager</literal>
     quirk in the boot menu.
    </para>
   </listitem>
   <listitem>
    <para>
     GNOME 3 has been upgraded to 3.34. Please take a look at their
     <link xlink:href="https://help.gnome.org/misc/release-notes/3.34">Release Notes</link>
     for details.
    </para>
   </listitem>
   <listitem>
    <para>
     If you enable the Pantheon Desktop Manager via
     <xref linkend="opt-services.xserver.desktopManager.pantheon.enable" />, we now default to also use
     <link xlink:href="https://blog.elementary.io/say-hello-to-the-new-greeter/">
      Pantheon's newly designed greeter
     </link>.
      Contrary to NixOS's usual update policy, Pantheon will receive updates during the cycle of
      NixOS 20.03 when backwards compatible.
    </para>
   </listitem>
   <listitem>
     <para>
       By default zfs pools will now be trimmed on a weekly basis.
       Trimming is only done on supported devices (i.e. NVME or SSDs)
       and should improve throughput and lifetime of these devices.
       It is controlled by the <varname>services.zfs.trim.enable</varname> varname.
       The zfs scrub service (<varname>services.zfs.autoScrub.enable</varname>)
       and the zfs autosnapshot service (<varname>services.zfs.autoSnapshot.enable</varname>)
       are now only enabled if zfs is set in <varname>config.boot.initrd.supportedFilesystems</varname> or
       <varname>config.boot.supportedFilesystems</varname>. These lists will automatically contain
       zfs as soon as any zfs mountpoint is configured in <varname>fileSystems</varname>.
     </para>
   </listitem>
   <listitem>
    <para>
      <command>nixos-option</command> has been rewritten in C++, speeding it up, improving correctness,
      and adding a <option>-r</option> option which prints all options and their values recursively.
    </para>
   </listitem>
   <listitem>
    <para>
     <option>services.xserver.desktopManager.default</option> and <option>services.xserver.windowManager.default</option> options were replaced by a single <xref linkend="opt-services.xserver.displayManager.defaultSession"/> option to improve support for upstream session files. If you used something like:
<programlisting>
services.xserver.desktopManager.default = "xfce";
services.xserver.windowManager.default = "icewm";
</programlisting>
     you should change it to:
<programlisting>
services.xserver.displayManager.defaultSession = "xfce+icewm";
</programlisting>
    </para>
   </listitem>
   <listitem>
    <para>
     The testing driver implementation in NixOS is now in Python <filename>make-test-python.nix</filename>.
     This was done by Jacek Galowicz (<link xlink:href="https://github.com/tfc">@tfc</link>), and with the
     collaboration of Julian Stecklina (<link xlink:href="https://github.com/blitz">@blitz</link>) and
     Jana Traue (<link xlink:href="https://github.com/jtraue">@jtraue</link>). All documentation has been updated to use this
     testing driver, and a vast majority of the 286 tests in NixOS were ported to python driver. In 20.09 the Perl driver implementation,
     <filename>make-test.nix</filename>, is slated for removal. This should give users of the NixOS integration framework
     a transitory period to rewrite their tests to use the Python implementation. Users of the Perl driver will see
     this warning everytime they use it:
<screen>
<prompt>$ </prompt>warning: Perl VM tests are deprecated and will be removed for 20.09.
Please update your tests to use the python test driver.
See https://github.com/NixOS/nixpkgs/pull/71684 for details.
</screen>
     API compatibility is planned to be kept for at least the next release with the perl driver.
    </para>
   </listitem>
  </itemizedlist>
 </section>

 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-20.03-new-services">
  <title>New Services</title>

  <para>
   The following new services were added since the last release:
  </para>

  <itemizedlist>
   <listitem>
    <para>
    The kubernetes kube-proxy now supports a new hostname configuration
    <literal>services.kubernetes.proxy.hostname</literal> which has to
    be set if the hostname of the node should be non default.
    </para>
   </listitem>
   <listitem>
    <para>
    UPower's configuration is now managed by NixOS and can be customized
    via <option>services.upower</option>.
    </para>
   </listitem>
   <listitem>
    <para>
     To use Geary you should enable <xref linkend="opt-programs.geary.enable"/> instead of
     just adding it to <xref linkend="opt-environment.systemPackages"/>.
     It was created so Geary could function properly outside of GNOME.
    </para>
   </listitem>
   <listitem>
     <para>
       <filename>./config/console.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./hardware/brillo.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./hardware/tuxedo-keyboard.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./programs/bandwhich.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./programs/bash-my-aws.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./programs/liboping.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./programs/traceroute.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/backup/sanoid.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/backup/syncoid.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/backup/zfs-replication.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/continuous-integration/buildkite-agents.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/databases/victoriametrics.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/desktops/gnome3/gnome-initial-setup.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/desktops/neard.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/games/openarena.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/hardware/fancontrol.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/mail/sympa.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/misc/freeswitch.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/misc/mame.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/monitoring/do-agent.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/monitoring/prometheus/xmpp-alerts.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/network-filesystems/orangefs/server.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/network-filesystems/orangefs/client.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/networking/3proxy.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/networking/corerad.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/networking/go-shadowsocks2.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/networking/ntp/openntpd.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/networking/shorewall.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/networking/shorewall6.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/networking/spacecookie.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/networking/trickster.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/networking/v2ray.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/networking/xandikos.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/networking/yggdrasil.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/web-apps/dokuwiki.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/web-apps/gotify-server.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/web-apps/grocy.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/web-apps/ihatemoney</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/web-apps/moinmoin.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/web-apps/trac.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/web-apps/trilium.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/web-apps/shiori.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/web-servers/ttyd.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/x11/picom.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/x11/hardware/digimend.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./services/x11/imwheel.nix</filename>
     </para>
   </listitem>
   <listitem>
     <para>
       <filename>./virtualisation/cri-o.nix</filename>
     </para>
   </listitem>
  </itemizedlist>

 </section>

 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-20.03-incompatibilities">
  <title>Backward Incompatibilities</title>

  <para>
   When upgrading from a previous release, please be aware of the following
   incompatible changes:
  </para>

  <itemizedlist>
   <listitem>
    <para>
     The <package>dhcpcd</package> package <link xlink:href="https://roy.marples.name/archives/dhcpcd-discuss/0002621.html">
     does not request IPv4 addresses for tap and bridge interfaces anymore by default</link>.
     In order to still get an address on a bridge interface, one has to disable
     <literal>networking.useDHCP</literal> and explicitly enable
     <literal>networking.interfaces.&lt;name&gt;.useDHCP</literal> on
     every interface, that should get an address via DHCP. This way, dhcpcd
     is configured in an explicit way about which interface to run on.
    </para>
   </listitem>
   <listitem>
    <para>
      GnuPG is now built without support for a graphical passphrase entry
      by default. Please enable the <literal>gpg-agent</literal> user service
      via the NixOS option <literal>programs.gnupg.agent.enable</literal>.
      Note that upstream recommends using <literal>gpg-agent</literal> and
      will spawn a <literal>gpg-agent</literal> on the first invocation of
      GnuPG anyway.
    </para>
   </listitem>
   <listitem>
    <para>
     The <literal>dynamicHosts</literal> option has been removed from the
     <link linkend="opt-networking.networkmanager.enable">NetworkManager</link>
     module. Allowing (multiple) regular users to override host entries
     affecting the whole system opens up a huge attack vector.
     There seem to be very rare cases where this might be useful.
     Consider setting system-wide host entries using
     <link linkend="opt-networking.hosts">networking.hosts</link>, provide
     them via the DNS server in your network, or use
     <link linkend="opt-environment.etc">environment.etc</link>
     to add a file into <literal>/etc/NetworkManager/dnsmasq.d</literal>
     reconfiguring <literal>hostsdir</literal>.
    </para>
   </listitem>
   <listitem>
    <para>
     The <literal>99-main.network</literal> file was removed. Matching all
     network interfaces caused many breakages, see
     <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18962">#18962</link>
       and <link xlink:href="https://github.com/NixOS/nixpkgs/pull/71106">#71106</link>.
    </para>
    <para>
     We already don't support the global <link linkend="opt-networking.useDHCP">networking.useDHCP</link>,
     <link linkend="opt-networking.defaultGateway">networking.defaultGateway</link> and
     <link linkend="opt-networking.defaultGateway6">networking.defaultGateway6</link> options
     if <link linkend="opt-networking.useNetworkd">networking.useNetworkd</link> is enabled,
     but direct users to configure the per-device
     <link linkend="opt-networking.interfaces">networking.interfaces.&lt;name&gt;.…</link> options.
    </para>
   </listitem>
   <listitem>
    <para>
      The stdenv now runs all bash with <literal>set -u</literal>, to catch the use of undefined variables.
      Before, it itself used <literal>set -u</literal> but was careful to unset it so other packages' code ran as before.
      Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded.
    </para>
   </listitem>
   <listitem>
    <para>
     The SLIM Display Manager has been removed, as it has been unmaintained since 2013.
     Consider migrating to a different display manager such as LightDM (current default in NixOS),
     SDDM, GDM, or using the startx module which uses Xinitrc.
    </para>
   </listitem>
   <listitem>
    <para>
     The Way Cooler wayland compositor has been removed, as the project has been officially canceled.
     There are no more <literal>way-cooler</literal> attribute and <literal>programs.way-cooler</literal> options.
    </para>
   </listitem>
   <listitem>
    <para>
      The BEAM package set has been deleted. You will only find there the different interpreters.
      You should now use the different build tools coming with the languages with sandbox mode disabled.
    </para>
   </listitem>
   <listitem>
    <para>
     There is now only one Xfce package-set and module. This means that attributes <literal>xfce4-14</literal>
     and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14
     packages. And in the future NixOS releases will be the latest released version of Xfce available at the
     time of the release's development (if viable).
    </para>
   </listitem>
   <listitem>
    <para>
      The <link linkend="opt-services.phpfpm.pools">phpfpm</link> module now sets
      <literal>PrivateTmp=true</literal> in its systemd units for better process isolation.
      If you rely on <literal>/tmp</literal> being shared with other services, explicitly override this by
      setting <literal>serviceConfig.PrivateTmp</literal> to <literal>false</literal> for each phpfpm unit.
    </para>
   </listitem>
   <listitem>
    <para>
     KDE’s old multimedia framework Phonon no longer supports Qt 4. For that reason, Plasma desktop also does not have <option>enableQt4Support</option> option any more.
    </para>
   </listitem>
   <listitem>
    <para>
     The BeeGFS module has been removed.
    </para>
   </listitem>
   <listitem>
    <para>
     The osquery module has been removed.
    </para>
   </listitem>
   <listitem>
    <para>
      Going forward, <literal>~/bin</literal> in the users home directory will no longer be in <literal>PATH</literal> by default.
      If you depend on this you should set the option <literal>environment.homeBinInPath</literal> to <literal>true</literal>.
      The aforementioned option was added this release.
    </para>
   </listitem>
   <listitem>
    <para>
      The <literal>buildRustCrate</literal> infrastructure now produces <literal>lib</literal> outputs in addition to the <literal>out</literal> output.
      This has led to drastically reduced closure sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output.
    </para>
    </listitem>
   <listitem>
    <para>
     Pango was upgraded to 1.44, which no longer uses freetype for font loading.  This means that type1
     and bitmap fonts are no longer supported in applications relying on Pango for font rendering
     (notably, GTK application). See <link xlink:href="https://gitlab.gnome.org/GNOME/pango/issues/386">
     upstream issue</link> for more information.
    </para>
   </listitem>
   <listitem>
    <para>
     The <literal>roundcube</literal> module has been hardened.
     <itemizedlist>
      <listitem>
       <para>
        The password of the database is not written world readable in the store any more. If <literal>database.host</literal> is set to <literal>localhost</literal>, then a unix user of the same name as the database will be created and PostreSQL peer authentication will be used, removing the need for a password. Otherwise, a password is still needed and can be provided with the new option <literal>database.passwordFile</literal>, which should be set to the path of a file containing the password and readable by the user <literal>nginx</literal> only. The <literal>database.password</literal> option is insecure and deprecated. Usage of this option will print a warning.
       </para>
      </listitem>
      <listitem>
       <para>
        A random <literal>des_key</literal> is set by default in the configuration of roundcube, instead of using the hardcoded and insecure default. To ensure a clean migration, all users will be logged out when you upgrade to this release.
       </para>
      </listitem>
     </itemizedlist>
    </para>
   </listitem>
   <listitem>
    <para>
     The packages <literal>openobex</literal> and <literal>obexftp</literal>
     are no longer installed when enabling Bluetooth via
     <option>hardware.bluetooth.enable</option>.
    </para>
   </listitem>
   <listitem>
    <para>
     The <literal>dump1090</literal> derivation has been changed to use FlightAware's dump1090
     as its upstream. However, this version does not have an internal webserver anymore. The
     assets in the <literal>share/dump1090</literal> directory of the derivation can be used
     in conjunction with an external webserver to replace this functionality.
    </para>
   </listitem>
   <listitem>
    <para>
     The fourStore and fourStoreEndpoint modules have been removed.
    </para>
   </listitem>
   <listitem>
    <para>
     Polkit no longer has the user of uid 0 (root) as an admin identity.
     We now follow the upstream default of only having every member of the wheel
     group admin privileged. Before it was root and members of wheel.
     The positive outcome of this is pkexec GUI popups or terminal prompts
     will no longer require the user to choose between two essentially equivalent
     choices (whether to perform the action as themselves with wheel permissions, or as the root user).
    </para>
   </listitem>
   <listitem>
    <para>
     NixOS containers no longer build NixOS manual by default. This saves evaluation time,
     especially if there are many declarative containers defined. Note that this is already done
     when <literal>&lt;nixos/modules/profiles/minimal.nix&gt;</literal> module is included
     in container config.
    </para>
   </listitem>
   <listitem>
    <para>
     The <literal>kresd</literal> services deprecates the <literal>interfaces</literal> option
     in favor of the <literal>listenPlain</literal> option which requires full
     <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.socket.html#ListenStream=">systemd.socket compatible</link>
     declaration which always include a port.
    </para>
   </listitem>
   <listitem>
    <para>
     Virtual console options have been reorganized and can be found under
     a single top-level attribute: <literal>console</literal>.
     The full set of changes is as follows:
    </para>
    <itemizedlist>
      <listitem>
       <para>
         <literal>i18n.consoleFont</literal> renamed to
         <link linkend="opt-console.font">console.font</link>
       </para>
      </listitem>
      <listitem>
       <para>
         <literal>i18n.consoleKeyMap</literal> renamed to
         <link linkend="opt-console.keyMap">console.keyMap</link>
       </para>
      </listitem>
      <listitem>
       <para>
         <literal>i18n.consoleColors</literal> renamed to
         <link linkend="opt-console.colors">console.colors</link>
       </para>
      </listitem>
      <listitem>
       <para>
         <literal>i18n.consolePackages</literal> renamed to
         <link linkend="opt-console.packages">console.packages</link>
       </para>
      </listitem>
      <listitem>
       <para>
         <literal>i18n.consoleUseXkbConfig</literal> renamed to
         <link linkend="opt-console.useXkbConfig">console.useXkbConfig</link>
       </para>
      </listitem>
      <listitem>
       <para>
         <literal>boot.earlyVconsoleSetup</literal> renamed to
         <link linkend="opt-console.earlySetup">console.earlySetup</link>
       </para>
      </listitem>
      <listitem>
       <para>
         <literal>boot.extraTTYs</literal> renamed to
         <link linkend="opt-console.extraTTYs">console.extraTTYs</link>
       </para>
      </listitem>
    </itemizedlist>
   </listitem>
   <listitem>
    <para>
     The <link linkend="opt-services.awstats.enable">awstats</link> module has been rewritten
     to serve stats via static html pages, updated on a timer, over <link linkend="opt-services.nginx.virtualHosts">nginx</link>,
     instead of dynamic cgi pages over <link linkend="opt-services.httpd.enable">apache</link>.
    </para>
    <para>
     Minor changes will be required to migrate existing configurations. Details of the
     required changes can seen by looking through the <link linkend="opt-services.awstats.enable">awstats</link>
     module.
    </para>
   </listitem>
   <listitem>
    <para>
      The httpd module no longer provides options to support serving web content without defining a virtual host. As a
      result of this the <link linkend="opt-services.httpd.logPerVirtualHost">services.httpd.logPerVirtualHost</link>
      option now defaults to <literal>true</literal> instead of <literal>false</literal>. Please update your
      configuration to make use of <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts</link>.
    </para>
    <para>
      The <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;</link>
      option has changed type from a list of submodules to an attribute set of submodules, better matching
      <link linkend="opt-services.nginx.virtualHosts">services.nginx.virtualHosts.&lt;name&gt;</link>.
    </para>
    <para>
      This change comes with the addition of the following options which mimic the functionality of their <literal>nginx</literal> counterparts:
      <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.addSSL</link>,
      <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.forceSSL</link>,
      <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.onlySSL</link>,
      <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.enableACME</link>,
      <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.acmeRoot</link>, and
      <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.useACMEHost</link>.
    </para>
   </listitem>
   <listitem>
    <para>
     For NixOS configuration options, the <literal>loaOf</literal> type has
     been deprecated and will be removed in a future release. In nixpkgs,
     options of this type will be changed to <literal>attrsOf</literal>
     instead. If you were using one of these in your configuration, you will
     see a warning suggesting what changes will be required.
    </para>
    <para>
     For example, <link linkend="opt-users.users">users.users</link> is a
     <literal>loaOf</literal> option that is commonly used as follows:
     <programlisting>
users.users =
  [ { name = "me";
      description = "My personal user.";
      isNormalUser = true;
    }
  ];
     </programlisting>
     This should be rewritten by removing the list and using the
     value of <literal>name</literal> as the name of the attribute set:
     <programlisting>
users.users.me =
  { description = "My personal user.";
    isNormalUser = true;
  };
     </programlisting>
    </para>
    <para>
     For more information on this change have look at these links:
     <link xlink:href="https://github.com/NixOS/nixpkgs/issues/1800">issue #1800</link>,
     <link xlink:href="https://github.com/NixOS/nixpkgs/pull/63103">PR #63103</link>.
    </para>
   </listitem>
   <listitem>
    <para>
     For NixOS modules, the types <literal>types.submodule</literal> and <literal>types.submoduleWith</literal> now support
     paths as allowed values, similar to how <literal>imports</literal> supports paths.
     Because of this, if you have a module that defines an option of type
     <literal>either (submodule ...) path</literal>, it will break since a path
     is now treated as the first type instead of the second. To fix this, change
     the type to <literal>either path (submodule ...)</literal>.
    </para>
   </listitem>
   <listitem>
    <para>
      The <link linkend="opt-services.buildkite-agents">Buildkite
      Agent</link> module and corresponding packages have been updated to
      3.x, and to support multiple instances of the agent running at the
      same time. This means you will have to rename
      <literal>services.buildkite-agent</literal> to
      <literal>services.buildkite-agents.&lt;name&gt;</literal>. Furthermore,
      the following options have been changed:
    </para>
    <itemizedlist>
      <listitem>
       <para>
         <literal>services.buildkite-agent.meta-data</literal> has been renamed to
         <link linkend="opt-services.buildkite-agents">services.buildkite-agents.&lt;name&gt;.tags</link>,
         to match upstreams naming for 3.x.
         Its type has also changed - it now accepts an attrset of strings.
       </para>
      </listitem>
      <listitem>
       <para>
         The<literal>services.buildkite-agent.openssh.publicKeyPath</literal> option
         has been removed, as it's not necessary to deploy public keys to clone private
         repositories.
       </para>
      </listitem>
      <listitem>
       <para>
         <literal>services.buildkite-agent.openssh.privateKeyPath</literal>
         has been renamed to
         <link linkend="opt-services.buildkite-agents">buildkite-agents.&lt;name&gt;.privateSshKeyPath</link>,
         as the whole <literal>openssh</literal> now only contained that single option.
       </para>
      </listitem>
      <listitem>
       <para>
         <link linkend="opt-services.buildkite-agents">services.buildkite-agents.&lt;name&gt;.shell</link>
         has been introduced, allowing to specify a custom shell to be used.
       </para>
      </listitem>
    </itemizedlist>
   </listitem>
   <listitem>
    <para>
     The <literal>citrix_workspace_19_3_0</literal> package has been removed as
     it will be EOLed within the lifespan of 20.03. For further information,
     please refer to the <link xlink:href="https://www.citrix.com/de-de/support/product-lifecycle/milestones/receiver.html">support and maintenance information</link> from upstream.
    </para>
   </listitem>
   <listitem>
    <para>
     The <literal>gcc5</literal> and <literal>gfortran5</literal> packages have been removed.
    </para>
   </listitem>
   <listitem>
    <para>
     The <option>services.xserver.displayManager.auto</option> module has been removed.
     It was only intended for use in internal NixOS tests, and gave the false impression
     of it being a special display manager when it's actually LightDM.
     Please use the <xref linkend="opt-services.xserver.displayManager.lightdm.autoLogin"/> options instead,
     or any other display manager in NixOS as they all support auto-login. If you used this module specifically
     because it permitted root auto-login you can override the lightdm-autologin pam module like:
<programlisting>
<link xlink:href="#opt-security.pam.services._name__.text">security.pam.services.lightdm-autologin.text</link> = lib.mkForce ''
    auth     requisite pam_nologin.so
    auth     required  pam_succeed_if.so quiet
    auth     required  pam_permit.so

    account  include   lightdm

    password include   lightdm

    session  include   lightdm
'';
</programlisting>
     The difference is the:
<programlisting>
auth required pam_succeed_if.so quiet
</programlisting>
     line, where default it's:
<programlisting>
auth required pam_succeed_if.so uid >= 1000 quiet
</programlisting>
     not permitting users with uid's below 1000 (like root).
     All other display managers in NixOS are configured like this.
    </para>
   </listitem>
   <listitem>
     <para>
       There have been lots of improvements to the Mailman module.  As
       a result,
     </para>
     <itemizedlist>
       <listitem>
         <para>
           The <option>services.mailman.hyperkittyBaseUrl</option>
           option has been renamed to <xref
           linkend="opt-services.mailman.hyperkitty.baseUrl"/>.
         </para>
       </listitem>
       <listitem>
         <para>
           The <option>services.mailman.hyperkittyApiKey</option>
           option has been removed.  This is because having an option
           for the Hyperkitty API key meant that the API key would be
           stored in the world-readable Nix store, which was a
           security vulnerability.  A new Hyperkitty API key will be
           generated the first time the new Hyperkitty service is run,
           and it will then be persisted outside of the Nix store.  To
           continue using Hyperkitty, you must set <xref
           linkend="opt-services.mailman.hyperkitty.enable"/> to
           <literal>true</literal>.
         </para>
       </listitem>
       <listitem>
         <para>
           Additionally, some Postfix configuration must now be set
           manually instead of automatically by the Mailman module:
<programlisting>
<xref linkend="opt-services.postfix.relayDomains"/> = [ "hash:/var/lib/mailman/data/postfix_domains" ];
<xref linkend="opt-services.postfix.config"/>.transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
<xref linkend="opt-services.postfix.config"/>.local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
</programlisting>
           This is because some users may want to include other values
           in these lists as well, and this was not possible if they
           were set automatically by the Mailman module.  It would not
           have been possible to just concatenate values from multiple
           modules each setting the values they needed, because the
           order of elements in the list is significant.
         </para>
       </listitem>
     </itemizedlist>
   </listitem>
   <listitem>
    <para>The LLVM versions 3.5, 3.9 and 4 (including the corresponding CLang versions) have been dropped.</para>
   </listitem>
   <listitem>
    <para>
     The <option>networking.interfaces.*.preferTempAddress</option> option has
     been replaced by <option>networking.interfaces.*.tempAddress</option>.
     The new option allows better control of the IPv6 temporary addresses,
     including completely disabling them for interfaces where they are not
     needed.
    </para>
   </listitem>
   <listitem>
     <para>
       Rspamd was updated to version 2.2. Read
       <link xlink:href="https://rspamd.com/doc/migration.html#migration-to-rspamd-20">
       the upstream migration notes</link> carefully. Please be especially
       aware that some modules were removed and the default Bayes backend is
       now Redis.
     </para>
   </listitem>
   <listitem>
    <para>
     The <literal>*psu</literal> versions of <package>oraclejdk8</package> have been removed
     as they aren't provided by upstream anymore.
    </para>
   </listitem>
   <listitem>
    <para>
     The <option>services.dnscrypt-proxy</option> module has been removed
     as it used the deprecated version of dnscrypt-proxy. We've added
     <xref linkend="opt-services.dnscrypt-proxy2.enable"/> to use the supported version.
     This module supports configuration via the Nix attribute set
     <xref linkend="opt-services.dnscrypt-proxy2.settings" />, or by passing a TOML configuration file via
     <xref linkend="opt-services.dnscrypt-proxy2.configFile" />.
<programlisting>
# Example configuration:
services.dnscrypt-proxy2.enable = true;
services.dnscrypt-proxy2.settings = {
  listen_addresses = [ "127.0.0.1:43" ];
  sources.public-resolvers = {
    urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ];
    cache_file = "public-resolvers.md";
    minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
    refresh_delay = 72;
  };
};

services.dnsmasq.enable = true;
services.dnsmasq.servers = [ "127.0.0.1#43" ];
</programlisting>
    </para>
   </listitem>
   <listitem>
    <para>
     <literal>qesteidutil</literal> has been deprecated in favor of <literal>qdigidoc</literal>.
    </para>
   </listitem>
   <listitem>
    <para>
     <package>sqldeveloper_18</package> has been removed as it's not maintained anymore,
     <package>sqldeveloper</package> has been updated to version <literal>19.4</literal>.
     Please note that this means that this means that the <package>oraclejdk</package> is now
     required. For further information please read the
     <link xlink:href="https://www.oracle.com/technetwork/developer-tools/sql-developer/downloads/sqldev-relnotes-194-5908846.html">release notes</link>.
    </para>
   </listitem>
   <listitem>
    <para>
      Haskell <varname>env</varname> and <varname>shellFor</varname> dev shell environments now organized dependencies the same way as regular builds.
      In particular, rather than receiving all the different lists of dependencies master together as one big lists, and then partitioning into Haskell and non-Hakell dependencies, they work from the original many different dependency parameters and don't need to algorithmically partition anything.
    </para>
    <para>
      This means that if you incorrectly categorize a dependency, e.g. non-Haskell library dependency as a <varname>buildDepends</varname> or run-time Haskell dependency as a <varname>setupDepends</varname>, whereas things would have worked before they may not work now.
    </para>
   </listitem>
   <listitem>
    <para>
     The <package>gcc-snapshot</package>-package has been removed. It's marked as broken for &gt;2 years and used to point
     to a fairly old snapshot  from the <package>gcc7</package>-branch.
    </para>
   </listitem>
   <listitem>
    <para>
     The <citerefentry><refentrytitle>nixos-build-vms</refentrytitle><manvolnum>8</manvolnum>
     </citerefentry>-script now uses the python test-driver.
    </para>
   </listitem>
   <listitem>
    <para>
     The <package>riot-web</package> package now accepts configuration overrides as an attribute set instead of a string.
     A formerly used JSON configuration can be converted to an attribute set with <literal>builtins.fromJSON</literal>.
    </para>
    <para>
     The new default configuration also disables automatic guest account registration and analytics to improve privacy.
     The previous behavior can be restored by setting <literal>config.riot-web.conf = { disable_guests = false; piwik = true; }</literal>.
    </para>
   </listitem>
   <listitem>
     <para>
       Stand-alone usage of <literal>Upower</literal> now requires
       <option>services.upower.enable</option> instead of just installing into
       <xref linkend="opt-environment.systemPackages"/>.
     </para>
   </listitem>
   <listitem>
    <para>
     <package>nextcloud</package> has been updated to <literal>v18.0.2</literal>. This means
     that users from NixOS 19.09 can't upgrade directly since you can only move one version
      forward and 19.09 uses <literal>v16.0.8</literal>.
    </para>
    <para>
     To provide a safe upgrade-path and to circumvent similar issues in the future, the following
     measures were taken:
     <itemizedlist>
      <listitem>
       <para>
        The <package>pkgs.nextcloud</package>-attribute has been removed and replaced with
        versioned attributes (currently <package>pkgs.nextcloud17</package> and
        <package>pkgs.nextcloud18</package>). With this change major-releases can be backported
        without breaking stuff and to make upgrade-paths easier.
       </para>
      </listitem>
      <listitem>
       <para>
        Existing setups will be detected using
        <link linkend="opt-system.stateVersion">system.stateVersion</link>: by default,
        <package>nextcloud17</package> will be used, but will raise a warning which notes
        that after that deploy it's recommended to update to the latest stable version
        (<package>nextcloud18</package>) by declaring the newly introduced setting
        <link linkend="opt-services.nextcloud.package">services.nextcloud.package</link>.
       </para>
      </listitem>
      <listitem>
       <para>
        Users with an overlay (e.g. to use <package>nextcloud</package> at version
        <literal>v18</literal> on <literal>19.09</literal>) will get an evaluation error
        by default. This is done to ensure that our
        <link linkend="opt-services.nextcloud.package">package</link>-option doesn't select an
        older version by accident. It's recommended to use <package>pkgs.nextcloud18</package>
        or to set <link linkend="opt-services.nextcloud.package">package</link> to
        <package>pkgs.nextcloud</package> explicitly.
       </para>
      </listitem>
     </itemizedlist>
    </para>
    <warning>
     <para>
      Please note that if you're coming from <literal>19.03</literal> or older, you have
      to manually upgrade to <literal>19.09</literal> first to upgrade your server
      to Nextcloud v16.
     </para>
    </warning>
   </listitem>
   <listitem>
    <para>
     <package>Hydra</package> has gained a massive performance improvement due to
     <link xlink:href="https://github.com/NixOS/hydra/pull/710">some database schema
     changes</link> by adding several IDs and better indexing. However, it's necessary
     to upgrade Hydra in multiple steps:
     <itemizedlist>
      <listitem>
       <para>
        At first, an older version of Hydra needs to be deployed which adds those
        (nullable) columns. When having set <link linkend="opt-system.stateVersion">stateVersion
        </link> to a value older than <literal>20.03</literal>, this package will be selected
        by default from the module when upgrading. Otherwise, the package can be deployed using
        the following config:
<programlisting>{ pkgs, ... }: {
  <link linkend="opt-services.hydra.package">services.hydra.package</link> = pkgs.hydra-migration;
}</programlisting>
       </para>
      </listitem>
      <listitem>
       <para>
        Automatically fill the newly added ID columns on the server by running the following
        command:
<screen>
<prompt>$ </prompt>hydra-backfill-ids
</screen>
        <warning>
         <para>Please note that this process can take a while depending on your database-size!</para>
        </warning>
       </para>
      </listitem>
      <listitem>
       <para>
        Deploy a newer version of Hydra to activate the DB optimizations. This can be done by
        using <package>hydra-unstable</package>. This package already includes
        <link xlink:href="https://github.com/nixos/rfcs/pull/49">flake-support</link> and is
        therefore compiled against <package>pkgs.nixFlakes</package>.
        <warning>
         <para>
          If your <link linkend="opt-system.stateVersion">stateVersion</link> is set to
          <literal>20.03</literal> or greater, <package>hydra-unstable</package> will be used
          automatically! This will break your setup if you didn't run the migration.
         </para>
        </warning>
        Please note that Hydra is currently not available with <package>nixStable</package>
        as this doesn't compile anymore.
       </para>
      </listitem>
     </itemizedlist>
     <warning>
      <para>
       <package>pkgs.hydra</package> has been removed to ensure a graceful database-migration
       using the dedicated package-attributes. If you still have <package>pkgs.hydra</package>
       defined in e.g. an overlay, an assertion error will be thrown. To circumvent this,
       you need to set <xref linkend="opt-services.hydra.package" /> to <package>pkgs.hydra</package>
       explicitly and make sure you know what you're doing!
      </para>
     </warning>
    </para>
   </listitem>
   <listitem>
     <para>
       The TokuDB storage engine will be disabled in <package>mariadb</package> 10.5. It is recommended to switch
       to RocksDB. See also <link xlink:href="https://mariadb.com/kb/en/tokudb/">TokuDB</link>.
     </para>
   </listitem>
  </itemizedlist>
 </section>

 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-20.03-notable-changes">
  <title>Other Notable Changes</title>

  <itemizedlist>
   <listitem>
     <para>SD images are now compressed by default using <literal>bzip2</literal>.</para>
   </listitem>
   <listitem>
    <para>
     The nginx web server previously started its master process as root
     privileged, then ran worker processes as a less privileged identity user
     (the <literal>nginx</literal> user).
     This was changed to start all of nginx as a less privileged user (defined by
     <literal>services.nginx.user</literal> and
     <literal>services.nginx.group</literal>). As a consequence, all files that
     are needed for nginx to run (included configuration fragments, SSL
     certificates and keys, etc.) must now be readable by this less privileged
     user/group.
    </para>
    <para>
     To continue to use the old approach, you can configure:
      <programlisting>
services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};'';
systemd.services.nginx.serviceConfig.User = lib.mkForce "root";
      </programlisting>
    </para>
   </listitem>
   <listitem>
    <para>
     OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features
     but with potential incompatibilities.  Consult the
     <link xlink:href="https://www.openssh.com/txt/release-8.1">
     release announcement</link> for more information.
    </para>
   </listitem>
   <listitem>
     <para>
       <literal>PRETTY_NAME</literal> in <literal>/etc/os-release</literal>
       now uses the short rather than full version string.
     </para>
   </listitem>
   <listitem>
    <para>
     The ACME module has switched from simp-le to <link xlink:href="https://github.com/go-acme/lego">lego</link>
     which allows us to support DNS-01 challenges and wildcard certificates. The following options have been added:
     <link linkend="opt-security.acme.acceptTerms">security.acme.acceptTerms</link>,
     <link linkend="opt-security.acme.certs">security.acme.certs.&lt;name&gt;.dnsProvider</link>,
     <link linkend="opt-security.acme.certs">security.acme.certs.&lt;name&gt;.credentialsFile</link>,
     <link linkend="opt-security.acme.certs">security.acme.certs.&lt;name&gt;.dnsPropagationCheck</link>.
     As well as this, the options <literal>security.acme.acceptTerms</literal> and either
     <literal>security.acme.email</literal> or <literal>security.acme.certs.&lt;name&gt;.email</literal>
     must be set in order to use the ACME module.
     Certificates will be regenerated on activation, no account or certificate will be migrated from simp-le.
     In particular private keys will not be preserved. However, the credentials for simp-le are preserved and
     thus it is possible to roll back to previous versions without breaking certificate generation.
     Note also that in contrary to simp-le a new private key is recreated at each renewal by default, which can
     have consequences if you embed your public key in apps.
    </para>
   </listitem>
   <listitem>
    <para>
    It is now possible to unlock LUKS-Encrypted file systems using a FIDO2 token
    via <option>boot.initrd.luks.fido2Support</option>.
    </para>
   </listitem>
   <listitem>
    <para>
     Predictably named network interfaces get renamed in stage-1. This means that it is possible
     to use the proper interface name for e.g. Dropbear setups.
    </para>
    <para>
     For further reference, please read <link xlink:href="https://github.com/NixOS/nixpkgs/pull/68953">#68953</link> or the corresponding <link xlink:href="https://discourse.nixos.org/t/predictable-network-interface-names-in-initrd/4055">discourse thread</link>.
    </para>
   </listitem>
   <listitem>
    <para>
     The <package>matrix-synapse</package>-package has been updated to
     <link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.11.1">v1.11.1</link>.
     Due to <link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.10.0rc1">stricter requirements</link>
     for database configuration when using <package>postgresql</package>, the automated database setup
     of the module has been removed to avoid any further edge-cases.
    </para>
    <para>
     <package>matrix-synapse</package> expects <literal>postgresql</literal>-databases to have the options
     <literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> set to
     <link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link> which basically
     instructs <literal>postgresql</literal> to ignore any locale-based preferences.
    </para>
    <para>
     Depending on your setup, you need to incorporate one of the following changes in your setup to
     upgrade to 20.03:
     <itemizedlist>
      <listitem><para>If you use <literal>sqlite3</literal> you don't need to do anything.</para></listitem>
      <listitem><para>If you use <literal>postgresql</literal> on a different server, you don't need
       to change anything as well since this module was never designed to configure remote databases.
      </para></listitem>
      <listitem><para>If you use <literal>postgresql</literal> and configured your synapse initially on
       <literal>19.09</literal> or older, you simply need to enable <package>postgresql</package>-support
        explicitly:
<programlisting>{ ... }: {
  services.matrix-synapse = {
    <link linkend="opt-services.matrix-synapse.enable">enable</link> = true;
    /* and all the other config you've defined here */
  };
  <link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true;
}</programlisting>
      </para></listitem>
      <listitem><para>If you deploy a fresh <package>matrix-synapse</package>, you need to configure
       the database yourself (e.g. by using the
       <link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link>
       option). An example for this can be found in the
       <link linkend="module-services-matrix">documentation of the Matrix module</link>.
      </para></listitem>
      <listitem><para>If you initially deployed your <package>matrix-synapse</package> on
       <literal>nixos-unstable</literal> <emphasis>after</emphasis> the <literal>19.09</literal>-release,
       your database is misconfigured due to a regression in NixOS. For now, <package>matrix-synapse</package> will
       startup with a warning, but it's recommended to reconfigure the database to set the values
       <literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> to
       <link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link>.
      </para></listitem>
     </itemizedlist>
    </para>
  </listitem>
  <listitem>
   <para>
    The <link linkend="opt-systemd.network.links">systemd.network.links</link> option is now respected
    even when <link linkend="opt-systemd.network.enable">systemd-networkd</link> is disabled.
    This mirrors the behaviour of systemd - It's udev that parses <literal>.link</literal> files,
    not <command>systemd-networkd</command>.
   </para>
  </listitem>
  <listitem>
   <para>
    <package>mongodb</package> has been updated to version <literal>3.4.24</literal>.
    <warning>
     <para>
      Please note that <package>mongodb</package> has been relicensed under their own
      <link xlink:href="https://www.mongodb.com/licensing/server-side-public-license/faq"><literal>
      sspl</literal></link>-license. Since it's not entirely free and not OSI-approved,
      it's listed as non-free. This means that Hydra doesn't provide prebuilt
      <package>mongodb</package>-packages and needs to be built locally.
     </para>
    </warning>
   </para>
  </listitem>
  </itemizedlist>
 </section>
</section>