latter package is based on upstream's dedicated repository for sequoia's
  Python bindings, where the Python bindings from
  [gitlab:sequoia-pgp/sequoia](https://gitlab.com/sequoia-pgp/sequoia) were
  removed long ago.

- `writeTextFile` requires `executable` to be boolean now, values like `null`
  or `""` will fail to evaluate now.

- The latest version of `clonehero` now stores custom content in
  `~/.clonehero`. Refer to the [migration
  instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html)
  for more details. Typically, these content files would exist along side the
  binary, but the previous build used a wrapper script that would store them in
  `~/.config/unity3d/srylain Inc_/Clone Hero`.

- `services.mastodon` doesn't support providing a TCP port to its `streaming`
  component anymore, as upstream implemented parallelization by running
  multiple instances instead of running multiple processes in one instance.
  Please create a PR if you are interested in this feature.\
  Due to this, the desired number of such instances
  {option}`services.mastodon.streamingProcesses` now needs to be declared explicitly.

- The `services.hostapd` module was rewritten to support `passwordFile` like
  options, WPA3-SAE, and management of multiple interfaces. This breaks
  compatibility with older configurations.
  - `hostapd` is now started with additional systemd sandbox/hardening options
    for better security.
  - `services.hostapd.interface` was replaced with a per-radio and per-bss
    configuration scheme using
    [services.hostapd.radios](#opt-services.hostapd.radios).
  - `services.hostapd.wpa` has been replaced by
    [services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword](#opt-services.hostapd.radios._name_.networks._name_.authentication.wpaPassword)
    and
    [services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords](#opt-services.hostapd.radios._name_.networks._name_.authentication.saePasswords)
    which configure WPA2-PSK and WP3-SAE respectively.
  - The default authentication has been changed to WPA3-SAE. Options for other
    (legacy) schemes are still available.

- `python3.pkgs.fetchPypi` and `python3Packages.fetchPypi` have been
  deprecated in favor of top-level `fetchPypi`.

- xdg-desktop-portal has been updated to 1.18, which reworked how portal
  implementations are selected. If you roll your own desktop environment, you
  should either set `xdg.portal.config` or `xdg.portal.configPackages`, which
  allow fine-grained control over which portal backend to use for specific
  interfaces, as described in {manpage}`portals.conf(5)`.

  If you don't provide configurations, a portal backend will only be considered
  when the desktop you use matches its deprecated `UseIn` key. While some NixOS
  desktop modules should already ship one for you, it is suggested to test
  portal availability by trying [Door
  Knocker](https://flathub.org/apps/xyz.tytanium.DoorKnocker) and [ASHPD
  Demo](https://flathub.org/apps/com.belmoussaoui.ashpd.demo). If things
  regressed, you may run `G_MESSAGES_DEBUG=all
  /path/to/xdg-desktop-portal/libexec/xdg-desktop-portal` for ideas on which
  config file and which portals are chosen.

- `pass` now does not contain `password-store.el`. Users should get
  `password-store.el` from Emacs lisp package set `emacs.pkgs.password-store`.

- `services.knot` now supports `.settings` from RFC42.  The previous
  `.extraConfig` still works the same, but it displays a warning now.

- `services.invoiceplane` now supports `.settings` from RFC42. The previous
  `.extraConfig` still works the same way, but it displays a warning now.

- `mu` does not install `mu4e` files by default now. Users should get `mu4e`
  from Emacs lisp package set `emacs.pkgs.mu4e`.

- `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning
  the default version was upgraded from v10.6.x to v10.11.x. Refer to the
  [upgrade