- Certificate generation via `security.acme` now limits the number of
  concurrently running certificate renewal and generation jobs, to avoid
  spiking resource usage when processing many certificates at once. The limit
  defaults to *5* and can be adjusted via `maxConcurrentRenewals`. Setting the
  value to *0* disables the limit altogether.
- `services.borgmatic.settings.location` and
  `services.borgmatic.configurations.<name>.location` are deprecated; move
  the options out of those sections to the global scope.
- `services.fail2ban.jails` can now be configured with attribute sets that
  define settings and filters, instead of with strings of lines. The string
  options `daemonConfig` and `extraSettings` have been replaced by
  `daemonSettings` and `jails.DEFAULT.settings` respectively; both take
  attribute sets.
- The `services.mbpfan` module now has the option `aggressive` enabled by
  default, for better heat moderation. Disable it to get the upstream
  defaults.
- Apptainer/Singularity now defaults to using `"$out/var/lib"` for the
  `LOCALSTATEDIR` configuration option instead of the top-level `"/var/lib"`.
  This change impacts the `SESSIONDIR` (container-run-time mount point)
  configuration, which is set to `$LOCALSTATEDIR/<apptainer or
  singularity>/mnt/session`. This detaches the packages from the top-level
  directory, rendering the NixOS module optional.
  The default behavior of the NixOS module `programs.singularity` stays
  unchanged. A new option
  `programs.singularity.enableExternalSysConfDir` (defaulting to `true`)
  specifies whether to set the top-level `"/var/lib"` as `LOCALSTATEDIR`.
- The `services.sslh` module has been updated to follow [RFC
  0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md).
  As such, several options have been moved to the freeform attribute set
  [services.sslh.settings](#opt-services.sslh.settings), which allows changing
  any of the settings in {manpage}`sslh(8)`.
  In addition, the newly added option
  [services.sslh.method](#opt-services.sslh.method) allows switching between
  the {manpage}`fork(2)`, {manpage}`select(2)` and `libev`-based connection
  handling methods. Refer to the [sslh
  docs](https://github.com/yrutschle/sslh/blob/master/doc/INSTALL.md#binaries)
  for a comparison.
- Suricata was upgraded from v6.0 to v7.0 and no longer considers HTTP/2
support as experimental. Refer to [upstream release
notes](https://forum.suricata.io/t/suricata-7-0-0-released/3715) for more
details.
- `teleport` has been upgraded from major version 12 to major version 14.
Refer to upstream [upgrade
instructions](https://goteleport.com/docs/management/operations/upgrading/)
and release notes for
[v13](https://goteleport.com/docs/changelog/#1300-050823) and
[v14](https://goteleport.com/docs/changelog/#1400-092023). Note that Teleport
does not officially support upgrades across more than one major version at a
time. If you're running Teleport server components, it is recommended to
first upgrade to an intermediate v13.x version by setting
`services.teleport.package = pkgs.teleport_13`. Afterwards, this option can
be removed to upgrade to the default version (14).
- `zfs` was updated from v2.1.x to v2.2.0, [enabling newer kernel support and
adding new features](https://github.com/openzfs/zfs/releases/tag/zfs-2.2.0).
- The use of `sourceRoot = "source";`, `sourceRoot = "source/subdir";`, and
similar lines in package derivations using the default `unpackPhase` is
deprecated as it requires `unpackPhase` to always produce a directory named
"source". Use `sourceRoot = src.name`, `sourceRoot = "${src.name}/subdir";`,
or `setSourceRoot = "sourceRoot=$(echo */subdir)";` or similar instead.
- The `django` alias in the python package set was upgraded to Django v4.x.
Applications that consume Django should always pin their python environment
to a compatible major version, so they can move at their own pace.
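The following is an added example, not part of the release notes, showing how the `services.fail2ban` migration described above (attribute sets in place of `daemonConfig`, `extraSettings` and line-based jails) looks in a NixOS configuration. The jail name `sshd-aggressive`, the ban timings and the log level are assumed values chosen for illustration.

```nix
# Added example: fail2ban configured with the attribute-set options.
# The jail name and the numeric values below are assumptions for illustration.
{ config, lib, pkgs, ... }:
{
  services.fail2ban = {
    enable = true;

    # Replaces the former string option `daemonConfig`; sections of
    # fail2ban.local become nested attribute sets.
    daemonSettings = {
      Definition.loglevel = "INFO";
    };

    # Replaces the former `extraSettings`: defaults applied to every jail
    # via the [DEFAULT] section of jail.local.
    jails.DEFAULT.settings = {
      bantime = "1h";
      findtime = "10m";
      maxretry = 5;
    };

    # A jail defined as an attribute set instead of a block of
    # "key = value" lines. `filter` uses fail2ban's own filter syntax.
    jails.sshd-aggressive = {
      settings = {
        enabled = true;
        filter = "sshd[mode=aggressive]";
        maxretry = 3;
        bantime = "24h";
      };
    };
  };
}
```

After a rebuild, `fail2ban-client status sshd-aggressive` shows whether the jail was loaded with the intended settings.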