}
  ```

- `services.prometheus.alertManagerTimeout` has been removed as it has been deprecated upstream and has no effect.

- The DHCP server (`services.dhcpd4`, `services.dhcpd6`) has been hardened.
  The service is now using the systemd's `DynamicUser` mechanism to run as an unprivileged dynamically-allocated user with limited capabilities.
  The dhcpd state files are now always stored in `/var/lib/dhcpd{4,6}` and the `services.dhcpd4.stateDir` and `service.dhcpd6.stateDir` options have been removed.
  If you were depending on root privileges or set{uid,gid,cap} binaries in dhcpd shell hooks, you may give dhcpd more capabilities with e.g. `systemd.services.dhcpd6.serviceConfig.AmbientCapabilities`.

- The `mailpile` email webclient (`services.mailpile`) has been removed due to its reliance on python2.

- `services.ipfs.extraFlags` is now escaped with `utils.escapeSystemdExecArgs`. If you rely on systemd interpolating `extraFlags` in the service `ExecStart`, this will no longer work.

- `hbase` version 0.98.24 has been removed. The package now defaults to version 2.4.11. Versions 1.7.1 and 3.0.0-alpha-2 are also available.

- `services.paperless-ng` was renamed to `services.paperless`. Accordingly, the `paperless-ng-manage` script (located in `dataDir`) was renamed to `paperless-manage`. `services.paperless` now uses `paperless-ngx`.

- The `matrix-synapse` service (`services.matrix-synapse`) has been converted to use the `settings` option defined in RFC42.
  This means that options that are part of your `homeserver.yaml` configuration, and that were specified at the top-level of the
  module (`services.matrix-synapse`) now need to be moved into `services.matrix-synapse.settings`. And while not all options you
  may use are defined in there, they are still supported, because you can set arbitrary values in this freeform type.

  The `listeners.*.bind_address` option was renamed to `bind_addresses` in order to match the upstream `homeserver.yaml` option
  name. It is now also a list of strings instead of a string.

  An example to make the required migration clearer:

  Before:
  ```nix
  {
    services.matrix-synapse = {
      enable = true;

      server_name = "example.com";
      public_baseurl = "https://example.com:8448";

      enable_registration = false;
      registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut";
      macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l";

      tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
      tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";

      listeners = [
        {
          port = 8448;
          bind_address = "";
          type = "http";
          tls = true;
          resources = [
            {
              names = [ "client" ];
              compress = true;
            }
            {
              names = [ "federation" ];
              compress = false;
            }
          ];
        }
      ];

    };
  }
  ```

  After:
  ```nix
  {
    services.matrix-synapse = {
      enable = true;

      # this attribute set holds all values that go into your homeserver.yaml configuration
      # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for
      # possible values.
      settings = {
        server_name = "example.com";
        public_baseurl = "https://example.com:8448";

        enable_registration = false;
        # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead

        tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
        tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";

        listeners = [
          {
            port = 8448;
            bind_addresses = [
              "::"
              "0.0.0.0"
            ];
            type = "http";
            tls = true;
            resources = [
              {
                names = [ "client" ];