


nixpkgs

10th chunk of `nixos/doc/manual/release-notes/rl-2205.section.md`
    one, this unfortunately means that there's no straightforward way
    to convert an old configuration to the new format and some
    settings may not even be available anymore.

  - `services.keycloak.frontendUrl` was removed and the frontend URL
    is now configured through the `hostname` family of settings in
    [`services.keycloak.settings`](#opt-services.keycloak.settings)
    instead. See the [Hostname section of the Keycloak Server
    Installation and Configuration
    Guide](https://www.keycloak.org/server/hostname) for more
    details. Additionally, `/auth` was removed from the default
    context path and needs to be added back in
    [`services.keycloak.settings.http-relative-path`](#opt-services.keycloak.settings.http-relative-path)
    if you want to keep compatibility with your current clients.

  - `services.keycloak.bindAddress`,
    `services.keycloak.forceBackendUrlToFrontendUrl`,
    `services.keycloak.httpPort` and `services.keycloak.httpsPort`
    have been removed in favor of their equivalent options in
    [`services.keycloak.settings`](#opt-services.keycloak.settings). `httpPort`
    and `httpsPort` have additionally had their types changed from
    `str` to `port`.

    The new names are as follows:
    - `bindAddress`: [`services.keycloak.settings.http-host`](#opt-services.keycloak.settings.http-host)
    - `forceBackendUrlToFrontendUrl`: `services.keycloak.settings.hostname-strict-backchannel`
    - `httpPort`: [`services.keycloak.settings.http-port`](#opt-services.keycloak.settings.http-port)
    - `httpsPort`: [`services.keycloak.settings.https-port`](#opt-services.keycloak.settings.https-port)

  For example, when using a reverse proxy the migration could look
  like this:

  Before:
  ```nix
  {
    services.keycloak = {
      enable = true;
      httpPort = "8080";
      frontendUrl = "https://keycloak.example.com/auth";
      database.passwordFile = "/run/keys/db_password";
      extraConfig = {
        "subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding =
          true;
      };
    };
  }
  ```

  After:
  ```nix
  {
    services.keycloak = {
      enable = true;
      settings = {
        http-port = 8080;
        hostname = "keycloak.example.com";
        http-relative-path = "/auth";
        proxy = "edge";
      };
      database.passwordFile = "/run/keys/db_password";
    };
  }
  ```

- The MoinMoin wiki engine (`services.moinmoin`) has been removed, because Python 2 is being retired from nixpkgs.

- Services in the `hadoop` module previously set `openFirewall` to true by default.
  This has now been changed to false. Node definitions for multi-node clusters would need
  `openFirewall = true;` to be added to hadoop services when upgrading from NixOS 21.11.

- `services.hadoop.yarn.nodemanager` now uses cgroup-based CPU limit enforcement by default.
  Additionally, the option `useCGroups` was added to nodemanagers as an easy way to switch
  back to the old behavior.

- The `wafHook` hook now honors `NIX_BUILD_CORES` when `enableParallelBuilding` is not set explicitly. Packages can restore the old behaviour by setting `enableParallelBuilding=false`.

- `pkgs.claws-mail-gtk2`, representing Claws Mail's older release version three, was removed in order to get rid of Python 2.
  Please switch to `claws-mail`, which is Claws Mail's latest release based on GTK+3 and Python 3.

- The `writers.writePython2` and corresponding `writers.writePython2Bin` convenience functions to create executable Python 2 scripts in the store were removed in preparation of removal of the Python 2 interpreter.
  Scripts have to be converted to Python 3 for use with `writers.writePython3`; otherwise, `writers.writePyPy2` needs to be used.

- `buildGoModule` was updated to use `go_1_17`; third-party derivations that specify >= go 1.17 in the main `go.mod` will need to regenerate their `vendorSha256` hash.

- The `gnome-passwordsafe` package was updated to [version 6.x](https://gitlab.gnome.org/World/secrets/-/tags/6.0) and renamed to `gnome-secrets`.
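
For the two Hadoop items above, a multi-node cluster upgraded from NixOS 21.11 could declare the firewall opening explicitly per role, as in this added example (not part of the original release notes). The `master`/`worker` attribute names and the host name are constructed for illustration.

```nix
# Added example: per-role NixOS modules for a multi-node Hadoop cluster
# after upgrading from 21.11. The role names and the NameNode host name
# are constructed; import the matching role module on each machine.
let
  # Settings shared by every node (constructed NameNode address).
  common = {
    services.hadoop.coreSite."fs.defaultFS" = "hdfs://namenode.example.internal";
  };
in
{
  master = {
    imports = [ common ];
    services.hadoop = {
      hdfs.namenode = {
        enable = true;
        # 21.11 defaulted this to true; it now defaults to false, so the
        # NameNode ports stay closed unless this is set explicitly.
        openFirewall = true;
      };
      yarn.resourcemanager = {
        enable = true;
        openFirewall = true;
      };
    };
  };

  worker = {
    imports = [ common ];
    services.hadoop = {
      hdfs.datanode = {
        enable = true;
        openFirewall = true;
      };
      yarn.nodemanager = {
        enable = true;
        openFirewall = true;
        # cgroup-based CPU limit enforcement is now the default;
        # uncomment to switch back to the old behavior.
        # useCGroups = false;
      };
    };
  };
}
```

Single-node setups, where all daemons talk over the loopback interface, can leave `openFirewall` at its new default of `false`.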

Title: NixOS Updates and Breaking Changes (Keycloak, MoinMoin, Hadoop, Python 2 Removal, and more)
Summary
This document continues detailing backward-incompatible changes. Keycloak migration is further explained, removing `frontendUrl`, `bindAddress`, `httpPort`, `httpsPort`, and `forceBackendUrlToFrontendUrl` in favor of new `settings` options, with an example migration. The MoinMoin wiki engine (`services.moinmoin`) has been removed due to Python 2 retirement. Hadoop services now default `openFirewall` to `false`. Hadoop YARN NodeManager uses cgroup-based CPU limits by default. The `wafHook` now honors `NIX_BUILD_CORES`. `pkgs.claws-mail-gtk2` and Python 2-related `writers.writePython2` functions have been removed. `buildGoModule` updated to `go_1_17`, requiring `vendorSha256` regeneration for some. Finally, `gnome-passwordsafe` updated to version 6.x and was renamed to `gnome-secrets`.