more details.

- Mattermost has been upgraded to extended support version 8.1 as the previously
  packaged extended support version 7.8 is [reaching end-of-life](https://docs.mattermost.com/upgrade/extended-support-release.html).
  Migration may take some time, refer to the [changelog](https://docs.mattermost.com/install/self-managed-changelog.html#release-v8-1-extended-support-release)
  and [important upgrade notes](https://docs.mattermost.com/upgrade/important-upgrade-notes.html).

- The `netdata` package disables cloud support by default now. To enable it use the `netdataCloud` package.

- `networking.nftables` is no longer flushing all rulesets on every reload.
  Use `networking.nftables.flushRuleset = true;` to enable the previous behaviour.

- Node.js v14, v16 has been removed as they were end of life. Any dependent packages that contributors were not able to reasonably upgrade were dropped after a month of notice to their maintainers, were **removed**.
  - This includes VSCode Server.
  - This includes Kibana 7 as the ELK stack is unmaintained in nixpkgs and is marked for slow removal.

- The application firewall `opensnitch` uses the process monitor method eBPF as
  default now. This is recommended by upstream. The method may be changed with
  the setting
  [services.opensnitch.settings.ProcMonitorMethod](#opt-services.opensnitch.settings.ProcMonitorMethod).

- `paperwork` is updated to v2.2. Documents scanned with this version will not
  be visible to previous versions if you downgrade. Refer to the [upstream
  announcement](https://forum.openpaper.work/t/paperwork-2-2-testing-phase/316#important-switch-from-jpeg-to-png-for-new-pages-2)
  for details and workarounds.

- The latest available version of Nextcloud is v27 (available as
  `pkgs.nextcloud27`). The installation logic is as follows:
  - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is
    specified explicitly, this package will be installed (**recommended**)
  - If [`system.stateVersion`](#opt-system.stateVersion) is >=23.11,
    `pkgs.nextcloud27` will be installed by default.
  - If [`system.stateVersion`](#opt-system.stateVersion) is >=23.05,
    `pkgs.nextcloud26` will be installed by default.
  - Please note that an upgrade from v25 (or older) to v27 is not possible
    directly. Please upgrade to `nextcloud26` (or earlier) first. Nextcloud
    prohibits skipping major versions while upgrading. You may upgrade by
    declaring [`services.nextcloud.package =
    pkgs.nextcloud26;`](options.html#opt-services.nextcloud.package) inbetween.

- `postgresql_11` has been removed since it'll stop receiving fixes on November
  9th 2023.

- `programs.gnupg.agent.pinentryFlavor` is set in `/etc/gnupg/gpg-agent.conf`
  now. It will no longer take precedence over a `pinentry-program` set in
  `~/.gnupg/gpg-agent.conf`.

- `python3.pkgs.flitBuildHook` has been removed. Use `flit-core` and `format =
  "pyproject"` instead.

- Certificate generation via the `security.acme` limits the concurrent number
  of running certificate renewals and generation jobs now. This is to avoid
  spiking resource usage when processing many certificates at once. The limit
  defaults to *5* and can be adjusted via `maxConcurrentRenewals`. Setting the
  value to *0* disables the limits altogether.

- `services.borgmatic.settings.location` and
  `services.borgmatic.configurations.<name>.location` are deprecated, please
  move your options out of sections to the global scope.

- `services.fail2ban.jails` can be configured with attribute sets now, defining
  settings and filters instead of lines. The stringed options `daemonConfig`
  and `extraSettings` have respectively been replaced by `daemonSettings` and
  `jails.DEFAULT.settings`. Those  use attribute sets.

- The `services.mbpfan` module has the option `aggressive` enabled by default
  now. This is for better heat moderation. To get the upstream defaults you may
  disable this.

- Apptainer/Singularity defaults to using `"$out/var/lib"` for the