arbitrary environment variables.

  **Note:** The `sudo-rs` module only takes configuration through `security.sudo-rs`,
  and in particular does not automatically use previously-set rules; this could be
  achieved with `security.sudo-rs.extraRules = security.sudo.extraRules;` for instance.


- There is a new NixOS option when writing NixOS tests
  `testing.initrdBackdoor`, that enables `backdoor.service` in initrd. Requires
  `boot.initrd.systemd.enable` to be enabled. Boot will pause in Stage 1 at
  `initrd.target`, and will listen for commands from the `Machine` python
  interface, just like Stage 2 normally does. This enables commands to be sent
  to test and debug Stage 1. Use `machine.switch_root()` to leave Stage 1 and
  proceed to Stage 2.

- The Linux kernel module `msr` (refer to
  [`msr(4)`](https://man7.org/linux/man-pages/man4/msr.4.html)), which provides
  an interface to read and write the model-specific registers (MSRs) of an x86
  CPU, can now be configured via `hardware.cpu.x86.msr`.

- The `qemu-vm.nix` module now supports disabling overriding `fileSystems` with
  `virtualisation.fileSystems`. This enables the user to boot VMs from
  "external" disk images not created by the qemu-vm module. You can stop the
  qemu-vm module from overriding `fileSystems` by setting
  `virtualisation.fileSystems = lib.mkForce { };`.

- When using [split parity files](https://www.snapraid.it/manual#7.1) in `snapraid`,
  the snapraid-sync systemd service will no longer fail to run.

- `wpa_supplicant`'s configuration file cannot be read by non-root users, and
  secrets (such as Pre-Shared Keys) can safely be passed via
  `networking.wireless.environmentFile`.

  The configuration file could previously be read, when `userControlled.enable` (non-default),
  by users who are in both `wheel` and `userControlled.group` (defaults to `wheel`)


## Nixpkgs Library {#sec-release-23.11-nixpkgs-lib}

### Breaking Changes {#sec-release-23.11-lib-breaking}

- [`lib.lists.foldl'`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl-prime)
  now always evaluates the initial accumulator argument first. If you depend on
  the lazier behavior, consider using
  [`lib.lists.foldl`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.lists.foldl)
  or
  [`builtins.foldl'`](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-foldl')
  instead.
- [`lib.attrsets.foldlAttrs`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.attrsets.foldlAttrs)
  now always evaluates the initial accumulator argument first.
- Now that the internal NixOS transition to Markdown documentation is complete,
  `lib.options.literalDocBook` has been removed after deprecation in 22.11.
- `lib.types.string` is now fully deprecated and gives a warning when used.

### Additions and Improvements {#sec-release-23.11-lib-additions-improvements}

- [`lib.fileset`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-fileset):
  A new sub-library to select local files to use for sources, designed to be
  easy and safe to use.

  This aims to be a replacement for `lib.sources`-based filtering. To learn
  more about it, see [the blog
  post](https://www.tweag.io/blog/2023-11-28-file-sets/) or [the
  tutorial](https://nix.dev/tutorials/file-sets).

- [`lib.gvariant`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-gvariant):
  A partial and basic implementation of GVariant formatted strings. See
  [GVariant Format
  Strings](https://docs.gtk.org/glib/gvariant-format-strings.html) for details.

  :::{.warning}
  This API is not considered fully stable and it might therefore
  change in backwards incompatible ways without prior notice.
  :::

- [`lib.asserts`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-asserts):
  New function:
  [`assertEachOneOf`](https://nixos.org/manual/nixpkgs/stable#function-library-lib.asserts.assertEachOneOf).
- [`lib.attrsets`](https://nixos.org/manual/nixpkgs/stable#sec-functions-library-attrsets):