This means that `lib.mkForce` must be used to clear the list of default libraries.
- `screen`'s module has been cleaned, and will now require you to set `programs.screen.enable` in order to populate `screenrc` and add the program to the environment.
- `security.acme.defaults.server` now has a default value instead of `null`.
This effectively uses the same server, the Let's Encrypt production server,
but makes the default explicit, instead of relying on the Lego default.
A side effect of this is that the directory in which account data is stored
changes and the ACME module will request a new account and new certificates
for all domains. This may cause issues if you pin an `acccounturl` in a CAA
DNS record. To avoid this, you
may set `security.acme.defaults.server = null` to keep the old hashes.
- `security.pam.sshAgentAuth.enable` now requires `services.openssh.authorizedKeysFiles` to be non-empty,
which is the case when `services.openssh.enable` is true. Previously, `pam_ssh_agent_auth` silently failed to work.
- `security.pam.enableSSHAgentAuth` was replaced by the `sshAgentAuth` attrset, and **only**
`authorized_keys` files listed in [`sshAgentAuth.authorizedKeysFiles`] are trusted,
defaulting to `/etc/ssh/authorized_keys.d/%u`.
::: {.warning}
Users of {manpage}`pam_ssh_agent_auth(8)` must take care that the pubkeys they use (for instance with `sudo`)
are listed in [`sshAgentAuth.authorizedKeysFiles`].
:::
::: {.note}
Previously, all `services.openssh.authorizedKeysFiles` were trusted, including `~/.ssh/authorized_keys`,
which results in an **insecure** configuration; see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).
:::
- `services.archisteamfarm` no longer uses the abbreviation `asf` for its state directory (`/var/lib/asf`), user and group (both `asf`). Instead the long name `archisteamfarm` is used.
Configurations with `system.stateVersion` 23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory.
- `frr` was updated to 10.0, which introduces the default of `enforce-first-as` for BGP. Please disable again if needed.
- `services.aria2.rpcSecret` has been replaced with `services.aria2.rpcSecretFile`.
This was done so that secrets aren't stored in the world-readable Nix store.
To migrate, you will have to create a file with the same exact string, and change
your module options to point to that file. For example, `services.aria2.rpcSecret =
"mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`
where the file `secret_file` contains the string `mysecret`.
- `services.avahi.nssmdns` was split into `services.avahi.nssmdns4` and `services.avahi.nssmdns6` which enable the mDNS NSS switches for IPv4 and IPv6 respectively.
Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts.
- `services.frp.settings` now generates the frp configuration file in TOML format as [recommended by upstream](https://github.com/fatedier/frp#configuration-files), instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options:
- The `settings.common` section in the configuration is no longer valid and all the options form inside it now go directly under `settings`.
- Configuration option names have been changed from snake_case to camelCase. For example: `server_addr` becomes `serverAddr`, `server_port` becomes `serverPort` etc.
- Proxies are now defined with a new option, `settings.proxies`, which takes a list of proxies.
- Consult the [upstream documentation](https://github.com/fatedier/frp#example-usage) for more details on the changes.
- `services.hledger-web.capabilities` options has been replaced by a new option `services.hledger-web.allow`.
- `allow = "view"` means `capabilities = { view = true; }`;
- `allow = "add"` means `capabilities = { view = true; add = true; }`;