Breaking changes announcement for unstable

The matrix-synapse package will stop accepting the enableSystemd and enableRedis arguments, since their discoverability is weak. Instead, all extras can now be configured from the module at services.matrix-synapse.extras.

https://github.com/NixOS/nixpkgs/pull/221318

2 Likes

PR #224042 is going to refactor RIME data support of ibus-rime and fcitx5-rime, causing two small breaking changes:

  1. fcitx5-rime users need to remove i18n.inputMethod.fcitx5.enableRimeData = true from their configuration.

    The option is no longer needed; the default rime data package rime-data is included in fcitx5-rime by default. To customize rime data, use fcitx5-rime.override { rimeDataPkgs = [ pkgs.rime-data, package2, ... ] } (currently there is only one RIME data package, rime-data, in nixpkgs).

  2. ibus-rime's rime-data ibus_rime.yaml was not loaded before this PR. As a workaround, some users use a ~/.config/ibus/rime/ibus_rime.yaml file to customize ibus-rime. With this change, ibus_rime.yaml will be properly loaded; users need to use a ~/.config/ibus/rime/ibus_rime.custom.yaml file instead to customize ibus-rime.

    Migration example:

    Old workaround ~/.config/ibus/rime/ibus_rime.yaml

    style:
        horizontal: true
    

    Should be changed to ~/.config/ibus/rime/ibus_rime.custom.yaml

    patch:
      style/horizontal: true
    

https://github.com/NixOS/nixpkgs/pull/224042

1 Like

nixos/bootspec: adopt the merged RFC-0125 (NixOS/nixpkgs Pull Request #224489, by RaitoBezarius) will break nix-community/lanzaboote (Secure Boot for NixOS, maintainers @blitz @raitobezarius @nikstur) and any previous generations using the old format for bootspec.

If you are interested in backward compatibility for your older generations, please start a discussion in the bootspec channel.

4 Likes

buildFHSEnv will default to using the Bubblewrap implementation rather than Chrootenv. If your FHS-wrapped packages start to misbehave, please ping me.

https://github.com/NixOS/nixpkgs/pull/225748

3 Likes

Heads-up

We decided to make Node.js 14, 16 and OpenSSL 1.1 EOL at the moment on unstable.
For what it's worth, this had the effect of marking a serious number of web applications as insecure: https://hydra.nixos.org/eval/1795260?full=1#tabs-removed including this very forum software.

While we are working hard to minimize this set by fixing stuff in Ruby, we cannot make up for upstream shortcomings while they had months to adopt the newer V8 engine (useful reminder: Node.js | endoflife.date).

https://github.com/rubyjs/mini_racer/pull/261 ; Will Node 18 LTS become the default Node version on the agent images? · actions/runner-images · Discussion #5429 · GitHub ; [PM-358] Bump electron to 24 and node to 18 (#5205) · bitwarden/clients@9a41d5d · GitHub (not part of any release at the time of writing).

It will be a bumpy ride for the next few days, but we can only hope or wait for upstream to figure this out.

FYI, it is likely that those insecure warnings (which can be bypassed by following the instructions) will be part of the stable release.

12 Likes

pkgs.ankisyncd and the services.ankisyncd service have been switched from an old obsolete version of anki-sync-server to anki-sync-server-rs.
The old version only implemented the old protocol compatible with the old 2.1.15 anki package (and similarly old android/external clients), while the new one only implements the new protocol which will work with the current nixos anki packages, ankidroid etc, so if you were using it with clients held back on purpose you will need to upgrade your clients.

The password database and anki data itself is compatible, so upgrading clients should just work, resyncing if required.

PR: ankisyncd-rs: add package for anki-sync-server-rs by martinetd · Pull Request #224366 · NixOS/nixpkgs · GitHub

5 Likes

The default version for python310Packages.django is moving from django_3 (3.2.x) to django_4 (4.2.x). This is because we want to follow the mainstream LTS support, while Django 3.x has already entered the extended LTS support period in 2021/12.

Applications should generally pin their Django version to the upstream supported version.

  python = python3.override {
    packageOverrides = self: super: {
      django = super.django_3;
    };
  };

https://github.com/NixOS/nixpkgs/pull/245436

2 Likes

Heads-up, systemd in nixpkgs unstable will move to v254 soon in systemd: 253.5 -> 254.3 by RaitoBezarius · Pull Request #243242 · NixOS/nixpkgs · GitHub

Please review NEWS to see if you will be affected by this bump.

From experience, it seems like the upgrade does not require a reboot, but if you have mission-critical deployments, always consider rebooting into a new system rather than switching systemd at runtime, because this can fail in horrible ways.

8 Likes

I’m replacing the prometheus-unbound-exporter with the exporter maintained by Let’s Encrypt. The module requires a few benign changes, and the metrics might differ slightly.

https://github.com/NixOS/nixpkgs/pull/252041

2 Likes

I clicked the -rs link out of curiosity, and I see it’s no longer actively maintained either…

Uh that wasn’t there when I did that work a couple of months ago… Great news :expressionless:

Since it’s using the anki sources as server engine in theory it shouldn’t be too hard to maintain and I’ll try to update it if it breaks as I don’t want to get/run the whole anki on my server, but I’m not sure I care enough either if lots of problems do come up…
For now it’s running fine so let’s cross fingers and keep using it as long as possible ; migrating to the built in anki server won’t be compatible with the old sqlite db at the very least (not sure about the data layout)

(We’ll probably want to split that in a new thread and/or github issue instead of spamming everyone watching this; feel free to @-me in a new thread if you want to bring anything up)

systemd v254 will land soonish in nixos-unstable-small and nixos-unstable.

Please take the time to read https://github.com/systemd/systemd/blob/174e8e9897c2d1c8b2c8324f07a6c784d7127410/NEWS and read systemd: 253.5 -> 254.3 by RaitoBezarius · Pull Request #243242 · NixOS/nixpkgs · GitHub.

Unfortunately, we lost musl support and cross-compilation to RISC-V and armv7l. If you care about those platforms, please consider getting in touch with folks in staging and in the NixOS systemd matrix channel: https://matrix.to/#/#systemd:nixos.org.

7 Likes

We will bump the primary python version from 3.10 to 3.11 in the next staging cycle.

We already sorted out a huge number of issues in the latest python-updates run, but there will always be more, especially on leaf packages.

https://github.com/NixOS/nixpkgs/pull/251878

It is our expectation that the most dire issues will be found on staging-next, and that the remaining problems will be addressed during ZHF.

Feel free to join #python:nixos.org if you have questions.

7 Likes

ffmpeg will be updated from version 5 to version 6 in the next staging cycle. We built almost all dependent packages but cannot test them all.

Should something multimedia-related break in the coming weeks, that might be why. Please create issues and ping us.

https://github.com/NixOS/nixpkgs/pull/251494

7 Likes

https://github.com/NixOS/nixpkgs/pull/261923

Drop of Linux 4.14 (including hardened and hardkernel) as per release wiki page Feature Freeze announcement and pre-release cleanup - NixOS Release Wiki

2 Likes

The default LLVM has been updated from 11 to 16 for the next staging cycle. Some packages may fail to build due to breaking changes in clang. An attempt has been made to catch those failures and preemptively patch the affected packages, but it’s not possible to do so for every single affected package. If a package does not build for you, please open an issue.

https://github.com/NixOS/nixpkgs/pull/241692

7 Likes

The Kea services for dhcp4, dhcp6, ctrl-agent and dhcp-ddns will each get their own RuntimeDirectory shortly, since restarting one unit would previously clean out the shared /run/kea runtime directory.

This is especially relevant for users of the Prometheus Kea Exporter, which relies on the unix socket to retrieve statistics from Kea.

https://github.com/NixOS/nixpkgs/pull/263315

2 Likes

Heads-up, we ran into an annoying issue with newer PostgreSQL and our ensure-logic (ensurePermissions).

TL;DR: services.postgresql.*.ensurePermissions is deprecated and forbidden inside nixpkgs from now on, slated for deletion just after branch-off.

We went back’n’forth with multiple options. As the secondary release manager of NixOS 23.11, I decided to move forward with a semi-breaking change (breaking change because I am deprecating something now and semi because the option is still available in the broken state it is): nixos/postgresql: deprecate ensurePermissions, fix ensureUsers for postgresql15 by Ma27 · Pull Request #266270 · NixOS/nixpkgs · GitHub

What does it mean to you?

  • If you are a NixOS module author who is using a PostgreSQL database, your module has been migrated to ensureDBOwnership which will just ensure that the user will own the database.
  • If you are writing a NixOS module which is using a PostgreSQL database, your module will have to use ensureDBOwnership and any extra fix-up procedure will have to use either initialScript (if it’s once) or postStart / preStart measures you design yourself.
  • If you need a sophisticated privilege scheme, you will have to write your own ensure logic code.
  • If you are a user and have a warning about ensurePermissions being used, check that you don’t own custom logic out of tree on it and migrate it accordingly, otherwise, you may be using such a module out of tree.

Will we get ensurePermissions again?

Short-term: No.

Long-term: Anyone is free to work on rethinking the ensure logic design and build more engineering around them to make them usable and stable without potential for data loss, you can look into RFC: `ensure`-style options in NixOS modules · Issue #206467 · NixOS/nixpkgs · GitHub to see the context, and you can contact me if you want to be helped/guided/mentored/whatever to work on that, but please, do not blindly re-introduce ensurePermissions, those options create a high amount of churn for the long term maintainers, and it’s unacceptable to make long term maintainers pay the cost of “nice to have” without proper investment.

Can you provide documentation to migrate?

We will write more documentation:

  • this announcement is part of it
  • release notes for 23.11 will include information pertaining to this
  • the PostgreSQL manual in nixpkgs will see a section on this and offer guidance on migration strategies

12 Likes
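
A migration sketch for the ensurePermissions deprecation described in the post above, as an added example that is not part of the original post or of nixpkgs. The names `myapp`, `myapp_readonly` and the unit `myapp-pg-grants` are hypothetical, and the unit ordering assumes the NixOS 23.11 layout where the ensure logic runs as part of postgresql.service.

```nix
{ config, ... }:
let
  # Hypothetical names used only for this example.
  db = "myapp";
  readonlyRole = "myapp_readonly";
  psql = "${config.services.postgresql.package}/bin/psql";
in
{
  services.postgresql = {
    enable = true;
    ensureDatabases = [ db ];
    ensureUsers = [
      {
        # Before (deprecated):
        #   ensurePermissions."DATABASE ${db}" = "ALL PRIVILEGES";
        # After: the role owns the database of the same name. The role
        # name must match a database listed in ensureDatabases.
        name = db;
        ensureDBOwnership = true;
      }
      # Extra role without ownership; its privileges are granted below.
      { name = readonlyRole; }
    ];
  };

  # Self-designed "ensure" step: a oneshot unit that runs once PostgreSQL
  # is up and grants only what the read-only role needs (least privilege).
  systemd.services.myapp-pg-grants = {
    description = "Grant read-only privileges on ${db}";
    after = [ "postgresql.service" ];
    requires = [ "postgresql.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      User = "postgres"; # connects over the local socket as the superuser role
    };
    # GRANT is idempotent, so re-running on every activation is safe.
    # "ALL TABLES" covers only tables that exist when the unit runs.
    script = ''
      ${psql} -v ON_ERROR_STOP=1 -d ${db} <<'SQL'
      GRANT CONNECT ON DATABASE "${db}" TO "${readonlyRole}";
      GRANT USAGE ON SCHEMA public TO "${readonlyRole}";
      GRANT SELECT ON ALL TABLES IN SCHEMA public TO "${readonlyRole}";
      SQL
    '';
  };
}
```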

In a few weeks we will restore the runtime dependency validation of python packages that use the pypaInstallHook, which is used for the pyproject format.

It will complain about version constraint mismatches

Checking runtime dependencies for sphinx_prompt-1.6.0-py3-none-any.whl
  - sphinx==7.0.0 not satisfied by version 7.2.6
  - docutils==0.19 not satisfied by version 0.20.1
  - pygments==2.15.1 not satisfied by version 2.16.1

as well as missing dependencies

Checking runtime dependencies for pysml-0.1.1-py3-none-any.whl
  - aiohttp not installed

Both cases will be considered a hard failure, and indicate further work is needed to get a package to run correctly.

For too tight version constraints I recommend using pythonRelaxDepsHook, which lifts constraints from the built wheel for the package names given in the pythonRelaxDeps list.

The work is currently happening in the following PR, and unfortunately we’ve just missed the latest staging cycle, so it will be in the next one after that.

https://github.com/NixOS/nixpkgs/pull/270457

11 Likes

Zammad will be updated to version 6.1.0, which now requires a Redis server configured to run Zammad and brings a renamed/replaced systemd service.

https://github.com/NixOS/nixpkgs/pull/269469

2 Likes