nixpkgs

4th chunk of `nixos/doc/manual/release-notes/rl-1903.section.md`
  If the old behaviour is desired, this can be restored by setting the `services.nscd.config` option with the desired caching parameters.

  ```nix
  {
    services.nscd.config = ''
      server-user             nscd
      threads                 1
      paranoia                no
      debug-level             0

      enable-cache            passwd          yes
      positive-time-to-live   passwd          600
      negative-time-to-live   passwd          20
      suggested-size          passwd          211
      check-files             passwd          yes
      persistent              passwd          no
      shared                  passwd          yes

      enable-cache            group           yes
      positive-time-to-live   group           3600
      negative-time-to-live   group           60
      suggested-size          group           211
      check-files             group           yes
      persistent              group           no
      shared                  group           yes

      enable-cache            hosts           yes
      positive-time-to-live   hosts           600
      negative-time-to-live   hosts           5
      suggested-size          hosts           211
      check-files             hosts           yes
      persistent              hosts           no
      shared                  hosts           yes
    '';
  }
  ```

  See [\#50316](https://github.com/NixOS/nixpkgs/pull/50316) for details.

- GitLab Shell previously used the nix store paths for the `gitlab-shell` command in its `authorized_keys` file, which might stop working after garbage collection. To circumvent that, we regenerated that file on each startup. As `gitlab-shell` has now been changed to use `/var/run/current-system/sw/bin/gitlab-shell`, this is not necessary anymore, but there might be leftover lines with a nix store path. Regenerate the `authorized_keys` file via `sudo -u git -H gitlab-rake gitlab:shell:setup` in that case.

- The `pam_unix` account module is now loaded with its control field set to `required` instead of `sufficient`, so that later PAM account modules that might do more extensive checks are executed. Previously, the whole account module verification was exited prematurely when an NSS module provided the account name to `pam_unix`. The LDAP and SSSD NixOS modules already add their NSS modules when enabled. If your setup breaks because of a later PAM account module that was previously shadowed, or because of failing NSS lookups, please file a bug. You can get back the old behaviour by manually setting `security.pam.services.<name?>.text`.

- The `pam_unix` password module is now loaded with its control field set to `sufficient` instead of `required`, so that later PAM password modules are executed for passwords that only they manage. Previously, for example, changing an LDAP account's password through PAM was not possible: the whole password module verification was exited prematurely by `pam_unix`, preventing `pam_ldap` from managing the password as it should.

- `fish` has been upgraded to 3.0. It comes with a number of improvements and backwards incompatible changes. See the `fish` [release notes](https://github.com/fish-shell/fish-shell/releases/tag/3.0.0) for more information.

- The ibus-table input method has had a change in config format, which causes all previous settings to be lost. See [this commit message](https://github.com/mike-fabian/ibus-table/commit/f9195f877c5212fef0dfa446acb328c45ba5852b) for details.

- NixOS module system type `types.optionSet` and `lib.mkOption` argument `options` are deprecated. Use `types.submodule` instead. ([\#54637](https://github.com/NixOS/nixpkgs/pull/54637))

- `matrix-synapse` has been updated to version 0.99. It will [no longer generate a self-signed certificate on first launch](https://github.com/matrix-org/synapse/pull/4509) and will be [the last version to accept self-signed certificates](https://matrix.org/blog/2019/02/05/synapse-0-99-0/). As such, it is now recommended to use a proper certificate verified by a root CA (for example Let's Encrypt). The new [manual chapter on Matrix](#module-services-matrix) contains a working example of using nginx as a reverse proxy in front of `matrix-synapse`, using Let's Encrypt certificates.
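
The effect of the two `pam_unix` control-field changes above can be seen in a small model of the `required`, `requisite` and `sufficient` flags as documented in pam.conf(5). This is an added example, not code from nixpkgs or Linux-PAM; the stacks, the choice of `pam_access` as the later account module, and the module outcomes are constructed for illustration.

```python
# Added illustration: a simplified model of Linux-PAM control flags as
# described in pam.conf(5). The stacks below are constructed, not NixOS's own.

def run_stack(stack, outcome):
    """Evaluate one PAM stack.

    stack   -- list of (control, module) in file order
    outcome -- dict: module -> True (module succeeds) / False (module fails)
    Returns (granted, called): final verdict and the modules actually invoked.
    """
    called, required_failed, succeeded = [], False, False
    for control, module in stack:
        called.append(module)
        ok = outcome[module]
        if control == "sufficient":
            if ok and not required_failed:
                return True, called      # short-circuit: later modules never run
            # a failing sufficient module is ignored
        elif control == "required":
            if ok:
                succeeded = True
            else:
                required_failed = True   # remember the failure, keep going
        elif control == "requisite":
            if not ok:
                return False, called     # fail immediately
            succeeded = True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return succeeded and not required_failed, called

# Account stack: pam_unix followed by a stricter later check. pam_access is
# picked for illustration; the release note names no specific later module.
ACCOUNT_OLD = [("sufficient", "pam_unix"), ("required", "pam_access")]
ACCOUNT_NEW = [("required", "pam_unix"), ("required", "pam_access")]
# NSS resolves the account, but the later module would deny it.
ACCOUNT_CASE = {"pam_unix": True, "pam_access": False}

# Password stack for an LDAP-only account: pam_unix cannot change the password.
PASSWORD_OLD = [("required", "pam_unix"), ("sufficient", "pam_ldap")]
PASSWORD_NEW = [("sufficient", "pam_unix"), ("sufficient", "pam_ldap")]
PASSWORD_CASE = {"pam_unix": False, "pam_ldap": True}

if __name__ == "__main__":
    for name, stack, case in [("account old", ACCOUNT_OLD, ACCOUNT_CASE),
                              ("account new", ACCOUNT_NEW, ACCOUNT_CASE),
                              ("password old", PASSWORD_OLD, PASSWORD_CASE),
                              ("password new", PASSWORD_NEW, PASSWORD_CASE)]:
        print(name, run_stack(stack, case))
```

In the old account stack the later module is never called and access is granted; in the new one it is called and its denial is honoured.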

Title: Service Updates, PAM Adjustments, and Deprecations
Summary
This chunk continues with updates, showing how to restore the old `nscd` caching behaviour for `passwd`, `group`, and `hosts` via `services.nscd.config`. GitLab Shell's `authorized_keys` entries now use `/var/run/current-system/sw/bin/gitlab-shell` instead of a nix store path, so the file is no longer regenerated on each startup and leftover store-path lines may require regenerating it manually. The `pam_unix` account module is now `required`, so later PAM account modules execute, while the `pam_unix` password module is now `sufficient`, allowing later modules to manage passwords (e.g., for LDAP). Users are advised to review the `fish` 3.0 release notes due to backwards incompatible changes, and to note that `ibus-table`'s config format has changed, losing previous settings. The NixOS module system type `types.optionSet` and the `lib.mkOption` argument `options` are deprecated in favor of `types.submodule`. Finally, `matrix-synapse` 0.99 no longer generates a self-signed certificate on first launch and will be the last version to accept self-signed certificates, so a CA-verified certificate (e.g., Let's Encrypt) is recommended; the manual chapter on Matrix provides a working example.