8th chunk of `nixos/doc/manual/release-notes/rl-2009.section.md`
- The remaining configuration flags can now be set directly on the `php` attribute. For example, instead of

  ```nix
  php.override {
    config.php.embed = true;
    config.php.apxs2 = false;
  }
  ```

  you should now write

  ```nix
  php.override {
    embedSupport = true;
    apxs2Support = false;
  }
  ```

- The ACME module has been overhauled for simplicity and maintainability. Certificate generation now implicitly runs as the `acme` user, and the `security.acme.certs._name_.user` option has been removed. Instead, certificate access from other services is now managed through group permissions. The module no longer runs lego twice under certain conditions, and will correctly renew certificates if their configuration is changed. Services which reload nginx and httpd after certificate renewal are now properly configured too, so you no longer have to do this manually if you are using HTTPS-enabled virtual hosts. A mechanism for regenerating certificates on demand has also been added and documented.
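  The group-based access model described above, shown as an added example (not from the release notes or the NixOS module itself). The domain, e-mail address, group name `tls-readers` and the service user `my-mail-service` are constructed for illustration; `security.acme.certs.<name>.group`, `webroot` and `postRun` are existing module options.

  ```nix
  { config, ... }:
  {
    security.acme.acceptTerms = true;
    security.acme.email = "admin@example.org";   # constructed address

    # The certificate is obtained by the `acme` user. The removed `user`
    # option used to hand the key to one service; now membership in this
    # group is the only way other services get read access to it.
    security.acme.certs."example.org" = {
      group = "tls-readers";                     # constructed group name
      webroot = "/var/lib/acme/acme-challenge";  # your web server must serve this for HTTP-01
      # Runs after a successful (re)issue, so dependants pick up the new key
      # without a manual reload.
      postRun = "systemctl reload my-mail-service.service";
    };

    users.groups.tls-readers = { };

    # A hypothetical non-web service that terminates TLS with the same
    # certificate: grant read access via group membership, nothing more.
    users.users.my-mail-service = {
      isSystemUser = true;
      group = "my-mail-service";
      extraGroups = [ "tls-readers" ];
    };
    users.groups.my-mail-service = { };
  }
  ```

  Keeping the private key owned by `acme` and group-readable only by a dedicated group means a compromise of one consumer service does not let it rewrite or re-request the certificate; it can only read what its group allows.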

- Gollum received a major update to version 5.x and you may have to change some links in your wiki when migrating from gollum 4.x. More information can be found [here](https://github.com/gollum/gollum/wiki/5.0-release-notes#migrating-your-wiki).

- Deluge 2.x was added and is used as the default for new NixOS installations where stateVersion is >= 20.09. If you are upgrading from a previous NixOS version, you can set `services.deluge.package = pkgs.deluge-2_x` to upgrade to Deluge 2.x and migrate the state to the new format. Be aware that backwards state migrations are not supported by Deluge.

- The Nginx web server now starts with additional sandbox/hardening options. By default, write access to `/var/log/nginx` and `/var/cache/nginx` is allowed. To allow writing to other folders, use `systemd.services.nginx.serviceConfig.ReadWritePaths`:

  ```nix
  {
    systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
  }
  ```

  Nginx is also started with the systemd option `ProtectHome = mkDefault true;`, which forbids it from reading anything under `/home`, `/root` and `/run/user` (see [ProtectHome docs](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=) for details). If you require serving files from home directories, you may choose to set e.g.

  ```nix
  {
    systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
  }
  ```
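  How the two settings above combine in practice, as an added example that is not part of the release notes: a virtual host whose document root lives outside the protected directories needs no change to `ProtectHome`, and only the directory nginx must write to is opened up with `ReadWritePaths`. The domain, the paths `/srv/www/example.org` and `/srv/www/uploads` are constructed for illustration.

  ```nix
  { lib, ... }:
  {
    services.nginx = {
      enable = true;
      virtualHosts."example.org" = {
        # Root outside /home, /root and /run/user: readable under the default
        # ProtectHome = true, so no sandbox relaxation is needed to serve it.
        root = "/srv/www/example.org";
        # Assumed: a client upload endpoint handled by nginx itself, which is
        # the only reason nginx needs write access anywhere besides its
        # log and cache directories.
        locations."/uploads/".extraConfig = ''
          client_body_temp_path /srv/www/uploads;
        '';
      };
    };

    # Grant write access to exactly one extra directory; everything else on
    # the filesystem stays read-only (or invisible) to the nginx process.
    systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/srv/www/uploads" ];

    # Deliberately keep the hardened default rather than "read-only"; set it
    # only if content really must come from a home directory.
    systemd.services.nginx.serviceConfig.ProtectHome = lib.mkDefault true;

    systemd.tmpfiles.rules = [
      "d /srv/www/example.org 0755 root root -"
      "d /srv/www/uploads 0770 root nginx -"
    ];
  }
  ```

  `ReadWritePaths` only lifts the write restriction for the listed paths; a path that is also under `ProtectHome` remains hidden unless `ProtectHome` itself is relaxed, so the two options have to be considered together when a root is moved.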

- The NixOS options `nesting.clone` and `nesting.children` have been deleted, and replaced with named [specialisation](options.html#opt-specialisation) configurations.

  Replace a `nesting.clone` entry with:

  ```nix
  {
    specialisation.example-sub-configuration = {
      configuration = {
        # ...
      };
    };
  }
  ```

  Replace a `nesting.children` entry with:

  ```nix
  {
    specialisation.example-sub-configuration = {
      inheritParentConfig = false;
      configuration = {
        # ...
      };
    };
  }
  ```

  To switch to a specialised configuration at runtime you need to run:

  ```ShellSession
  $ sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test
  ```

  Before you would have used:

  ```ShellSession
  $ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
  ```

- The Nginx log directory has been moved to `/var/log/nginx`, the cache directory to `/var/cache/nginx`. The option `services.nginx.stateDir` has been removed.

- The httpd web server previously started its main process as root, then ran worker processes as a less privileged user. This was changed to start all of httpd as a less privileged user (defined by [services.httpd.user](options.html#opt-services.httpd.user) and [services.httpd.group](options.html#opt-services.httpd.group)). As a consequence, all files that httpd needs in order to run (including configuration fragments, SSL certificates and keys, etc.) must now be readable by this less privileged user/group.

  The default value for [services.httpd.mpm](options.html#opt-services.httpd.mpm) has been changed from `prefork` to `event`. Along with this change the default value for [services.httpd.virtualHosts.<name>.http2](options.html#opt-services.httpd.virtualHosts) has been set to `true`.
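  What "readable by the less privileged user/group" means for a manually provisioned key, as an added example that is not from the release notes or the httpd module: the key is owned by root, readable by the httpd group only, and httpd picks it up without ever running as root. The domain, `adminAddr` and the `/var/lib/tls/example.org` paths are constructed; `addSSL`, `sslServerCert`, `sslServerKey` and `services.httpd.group` are existing options.

  ```nix
  { config, ... }:
  {
    services.httpd = {
      enable = true;
      adminAddr = "webmaster@example.org";   # constructed address
      # `mpm` now defaults to "event"; only pin "prefork" if a module you load
      # is not thread-safe. `http2` is enabled per virtual host by default.
      virtualHosts."example.org" = {
        documentRoot = "/srv/www/example.org";
        addSSL = true;
        sslServerCert = "/var/lib/tls/example.org/fullchain.pem";
        sslServerKey  = "/var/lib/tls/example.org/key.pem";
      };
    };

    # httpd no longer starts as root, so the key directory and key must be
    # readable by its group. Use the group the module actually runs as rather
    # than hard-coding a name. `z` adjusts mode/ownership of existing files
    # without creating them, so a missing key is not silently replaced.
    systemd.tmpfiles.rules = [
      "d /var/lib/tls/example.org 0750 root ${config.services.httpd.group} -"
      "z /var/lib/tls/example.org/fullchain.pem 0640 root ${config.services.httpd.group} -"
      "z /var/lib/tls/example.org/key.pem 0640 root ${config.services.httpd.group} -"
      "d /srv/www/example.org 0755 root root -"
    ];
  }
  ```

  A key that is `0600 root` worked under the old root-started model and fails under the new one; the symptom is httpd refusing to start with a permission error on the key, which is the expected outcome rather than a reason to run httpd as root again.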

Title: Release 20.09 - Further Upgrade Notes