15th chunk of `nixos/doc/manual/release-notes/rl-2305.section.md`
  If undesired, the old behavior can be restored by overriding the builders with
  `{ installDocumentation = false; }`.

- The nftables module now validates its ruleset at build time. The new `networking.nftables.checkRuleset` option allows disabling this check; it may fail when rules have very specific requirements that the sandbox environment does not cover by default. The `networking.nftables.preCheckRuleset` option can be used to prepare the environment before the check is run.
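  The following configuration is an added illustration of these two options; it is not taken from the release notes or from the nftables module itself. The ruleset refers to a system group that exists on the target host but not in the build sandbox, so `preCheckRuleset` rewrites that reference before the check runs instead of disabling the check altogether. The group name `backup`, the `sed` invocation and the file name `ruleset.conf` inside the check environment are assumptions made for this example.

  ```nix
  {
    networking.nftables = {
      enable = true;
      ruleset = ''
        table inet filter {
          chain input {
            type filter hook input priority 0; policy drop;
            iifname "lo" accept
            ct state established,related accept
            tcp dport 22 accept
          }
          chain output {
            type filter hook output priority 0; policy accept;
            # Restrict the (assumed) "backup" service group to SSH-only egress.
            # The group is resolved by name, which fails in the build sandbox.
            meta skgid backup tcp dport != 22 drop
          }
        }
      '';

      # Keep the build-time validation on (the default): a malformed ruleset
      # now fails `nixos-rebuild` instead of leaving the host without a
      # firewall when nft rejects the file at boot.
      checkRuleset = true;

      # The sandbox has no "backup" group, so substitute a group that does
      # exist there before `nft --check` runs. `ruleset.conf` is assumed to be
      # the file name the check operates on.
      preCheckRuleset = ''
        sed -i 's/skgid backup/skgid nogroup/' ruleset.conf
      '';
    };
  }
  ```

  Setting `checkRuleset = false` would also make the build pass, but it trades away the guarantee that a typo in the ruleset is caught before deployment; substituting the sandbox-only references keeps that guarantee for the rest of the file.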

- The `services.mastodon` module now supports connecting to a remote `PostgreSQL` database.

- [`services.nextcloud.database.createLocally`](#opt-services.nextcloud.database.createLocally) now uses socket authentication and is no longer compatible with password authentication.
  - If you want the module to manage the database for you, unset [`services.nextcloud.config.dbpassFile`](#opt-services.nextcloud.config.dbpassFile) (and [`services.nextcloud.config.dbhost`](#opt-services.nextcloud.config.dbhost), if it's set).
  - If you want to use password authentication **and** create the database locally, you will have to use [`services.mysql`](#opt-services.mysql.enable) to set it up.
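  As an added example (not part of the release notes or the Nextcloud module), the following configuration lets the module create and manage the database locally over socket authentication. Neither `dbpassFile` nor `dbhost` is set, as the note above requires. The host name and the admin password file path are constructed for this example; `dbtype` and `adminpassFile` are existing options of the module.

  ```nix
  {
    services.nextcloud = {
      enable = true;
      hostName = "cloud.example.org";   # constructed host name

      config = {
        dbtype = "pgsql";
        # Initial admin password is read from a file, so it never lands in
        # the world-readable Nix store. The path is an assumption.
        adminpassFile = "/run/secrets/nextcloud-admin-pass";
        # Deliberately NOT setting `dbpassFile` or `dbhost`: with
        # `createLocally`, Nextcloud connects over the local Unix socket and
        # authenticates as its own system user, so no database password exists.
      };

      # Let the module provision the local database and role.
      database.createLocally = true;
    };
  }
  ```

  Leaving `dbpassFile` set while `createLocally` is enabled is the combination the note calls out as no longer compatible; if password authentication is genuinely required, the database has to be provisioned separately via `services.mysql` as described above.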

- [`services.nextcloud.config.objectstore.s3.sseCKeyFile`](#opt-services.nextcloud.config.objectstore.s3.sseCKeyFile) is a new option to enable server-side encryption with customer provided keys (SSE-C) for your S3 in Nextcloud.

- NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to set up the plain encryption device over the underlying block device rather than allowing them to be determined by `cryptsetup(8)`. One can use these features like so:

  ```nix
  {
    swapDevices = [
      {
        device = "/dev/disk/by-partlabel/swapspace";
        randomEncryption = {
          enable = true;
          cipher = "aes-xts-plain64";
          keySize = 512;
          sectorSize = 4096;
        };
      }
    ];
  }
  ```

- New option `security.pam.zfs` to enable unlocking and mounting of encrypted ZFS home dataset at login.

- `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`. Before upgrading, check the release notes for [PeerTube v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0) and back up your data.

- `services.chronyd` is now started with additional systemd sandbox/hardening options for better security.

- PostgreSQL has added opt-in support for [JIT compilation](https://www.postgresql.org/docs/current/jit-reason.html). It can be enabled like this:
  ```nix
  { services.postgresql.enableJIT = true; }
  ```

- `services.netdata` offers a [`services.netdata.deadlineBeforeStopSec`](#opt-services.netdata.deadlineBeforeStopSec) option, which controls the deadline (in seconds) after which systemd considers your netdata instance dead if it has not finished starting. It is helpful when your netdata instance takes longer to start because of a large amount of state or upgrades.

- The `services.dhcpcd` service no longer solicits or accepts IPv6 Router Advertisements on interfaces that use static IPv6 addresses.
  If your network provides both IPv6 unique local addresses (ULA) and globally unique addresses (GUA) through autoconfiguration with SLAAC, you must add the parameter `networking.dhcpcd.IPv6rs = true;`.

- The module `services.headscale` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed:

  - Most settings have been migrated below [services.headscale.settings](#opt-services.headscale.settings), which is a freeform attribute set that will be converted into headscale's YAML config format. This means that the configuration from [headscale's example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml) can be written directly as an attribute set in Nix within this option.
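  As an added example (not from the release notes or the headscale module), this is how a few keys from headscale's example configuration translate into the freeform `settings` attribute set: the YAML key names are kept verbatim and nesting becomes nested attributes. The server URL, domain and resolver address are constructed values; the key names are taken from headscale's `config-example.yaml`.

  ```nix
  {
    services.headscale = {
      enable = true;

      # Freeform settings: key names match config-example.yaml exactly and
      # the module serialises this attribute set to YAML.
      settings = {
        server_url = "https://headscale.example.org";   # constructed

        # Bind to loopback only; a TLS-terminating reverse proxy in front of
        # headscale is assumed, so the control plane is not exposed directly.
        listen_addr = "127.0.0.1:8080";

        # Nested YAML mapping -> nested Nix attribute set.
        dns_config = {
          base_domain = "example.org";          # constructed
          nameservers = [ "192.0.2.53" ];        # constructed (TEST-NET-1)
        };

        # `log.level = ...` is shorthand for `log = { level = ...; };`.
        log.level = "info";
      };
    };
  }
  ```

  Because the option is freeform, a misspelled key is passed through to headscale rather than rejected at evaluation time, so it is worth diffing the generated YAML against the upstream example after migrating.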
