15th chunk of `nixos/doc/manual/release-notes/rl-2305.section.md`
  If undesired, the old behavior can be restored by overriding the builders with
  `{ installDocumentation = false; }`.

- The nftables module now validates its ruleset at build time. The new `networking.nftables.checkRuleset` option allows disabling this check, which may fail when rules depend on things (interfaces, users, groups) that exist on the target host but not in the build sandbox by default. The `networking.nftables.preCheckRuleset` option can be used to prepare the sandbox environment before the check is run, which is preferable to disabling the check altogether.
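  As an added example (not from the release notes or the nftables module itself), the following configuration keeps the build-time check enabled and uses `preCheckRuleset` to rewrite a group reference that cannot be resolved inside the sandbox. It assumes, as the module's own option example does, that the check runs against a file named `ruleset.conf` in the working directory, and that `nogroup` is one of the groups present in the sandbox; the `bots` group and the SMTP rule are made up for illustration.

  ```nix
  { ... }:
  {
    users.groups.bots = { };

    networking.nftables = {
      enable = true;
      ruleset = ''
        table inet filter {
          chain output {
            type filter hook output priority 0; policy accept;
            # only processes running as group "bots" may reach the SMTP relay
            meta skgid bots tcp dport 25 accept
            tcp dport 25 drop
          }
        }
      '';

      # Default: run `nft --check` on the ruleset inside the build sandbox.
      checkRuleset = true;

      # The sandbox has no "bots" group, so name resolution fails during the
      # check. Substitute a group that does exist in the sandbox (assumption:
      # "nogroup") for the check only; the deployed ruleset is unchanged.
      preCheckRuleset = ''
        sed 's/skgid bots/skgid nogroup/g' -i ruleset.conf
      '';

      # Last resort, if the ruleset really cannot be made checkable:
      # checkRuleset = false;
    };
  }
  ```

  Prefer rewriting names in `preCheckRuleset` over setting `checkRuleset = false`: with the check disabled, a syntax error in the ruleset is only discovered when the `nftables` unit fails on the target host, potentially leaving it without the intended firewall.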

- The `services.mastodon` module now supports connecting to a remote `PostgreSQL` database.

- [`services.nextcloud.database.createLocally`](#opt-services.nextcloud.database.createLocally) now uses socket authentication and is no longer compatible with password authentication.
  - If you want the module to manage the database for you, unset [`services.nextcloud.config.dbpassFile`](#opt-services.nextcloud.config.dbpassFile) (and [`services.nextcloud.config.dbhost`](#opt-services.nextcloud.config.dbhost), if it's set).
  - If you want to use password authentication **and** create the database locally, you will have to use [`services.mysql`](#opt-services.mysql.enable) to set it up.

- [`services.nextcloud.config.objectstore.s3.sseCKeyFile`](#opt-services.nextcloud.config.objectstore.s3.sseCKeyFile) is a new option to enable server-side encryption with customer provided keys (SSE-C) for your S3 in Nextcloud.
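  As an added example covering both of the Nextcloud items above (this is not code from the release notes or the Nextcloud module), the following configuration lets the module create the PostgreSQL database over socket authentication and puts the primary storage in S3 with SSE-C. The host name, bucket, region, endpoint and the paths under `/run/secrets` are assumptions; the secret files must live outside the Nix store and be readable by the `nextcloud` service user.

  ```nix
  { ... }:
  {
    services.nextcloud = {
      enable = true;
      hostName = "cloud.example.org";

      # The module provisions the database and role for us. With socket
      # authentication there is no database password to manage, so
      # config.dbpassFile and config.dbhost must stay unset.
      database.createLocally = true;

      config = {
        dbtype = "pgsql";
        adminpassFile = "/run/secrets/nextcloud-admin-pass";   # assumed path

        # Primary storage in S3. The key file is read at runtime; Nextcloud
        # sends it as the SSE-C key, so the object store never persists it.
        objectstore.s3 = {
          enable = true;
          bucket = "nextcloud-data";                            # assumed
          region = "eu-central-1";                              # assumed
          hostname = "s3.example.org";                          # assumed
          key = "nextcloud";                                    # assumed
          secretFile = "/run/secrets/nextcloud-s3-secret";      # assumed path
          sseCKeyFile = "/run/secrets/nextcloud-s3-sse-c-key";  # assumed path
        };
      };
    };
  }
  ```

  If you instead need password authentication to a locally hosted database, drop `database.createLocally`, set `config.dbpassFile`, and provision the database and user yourself with [`services.mysql`](#opt-services.mysql.enable) (or your own PostgreSQL setup), since the module will no longer do so. Treat the SSE-C key file like any other encryption key: losing it makes every object in the bucket unreadable, so back it up separately from the bucket.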

- NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to set up the plain encryption device over the underlying block device, rather than leaving them to the defaults chosen by `cryptsetup(8)`. Note that for XTS modes `keySize` is the combined length of both XTS keys, so `512` with `aes-xts-plain64` means AES-256. One can use these features like so:

  ```nix
  {
    swapDevices = [ {
      device = "/dev/disk/by-partlabel/swapspace";
      randomEncryption = {
        enable = true;
        cipher = "aes-xts-plain64";
        keySize = 512;
        sectorSize = 4096;
      };
    } ];
  }
  ```

- New option `security.pam.zfs` to enable unlocking and mounting of encrypted ZFS home dataset at login.

- `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`. Store the file outside the Nix store, readable only by the PeerTube service user. Before upgrading, check the release notes for [PeerTube v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0) and back up your data.

- `services.chronyd` is now started with additional systemd sandbox/hardening options for better security.

- PostgreSQL has added opt-in support for [JIT compilation](https://www.postgresql.org/docs/current/jit-reason.html). It can be enabled like this:
  ```nix
  {
    services.postgresql.enableJIT = true;
  }
  ```

- `services.netdata` offers a [`services.netdata.deadlineBeforeStopSec`](#opt-services.netdata.deadlineBeforeStopSec) option which controls the deadline (in seconds) after which systemd considers your netdata instance dead if it has not finished starting. It is helpful when your netdata instance takes longer to start because of a large amount of state or pending upgrades.

- The `services.dhcpcd` service no longer solicits or accepts IPv6 Router Advertisements on interfaces that use static IPv6 addresses.
  If your network provides both IPv6 unique local addresses (ULA) and globally unique addresses (GUA) through autoconfiguration with SLAAC, you must set `networking.dhcpcd.IPv6rs = true;`.

- The module `services.headscale` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed:

  - Most settings have been migrated below [services.headscale.settings](#opt-services.headscale.settings), which is a freeform attribute set that will be converted into headscale's YAML config format. This means that the configuration from [headscale's example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml) can be written directly as an attribute set in Nix within this option.
