Table of Contents
This section lists the release notes for each stable version of NixOS and current unstable revision.
Nix was updated to 2.24, which brings a lot of improvements and fixes. See the release notes for
2.19,
2.20,
2.21,
2.22,
2.23,
2.24.
Notable changes include improvements to Git fetching, documentation comment support in nix-repl> :doc
, as well as many quality of life additions.
There have been significant changes to macOS support.
The build environment has been redesigned to be closer to a native Xcode toolchain, enabling us to provide all SDKs from macOS Sierra 10.12 to macOS Sequoia 15, simplify build definitions, and build more software without hacks or patching. Although compatibility shims for the old SDK scheme are provided, some builds may break, and the old mechanisms will be removed by 25.11 at the latest. See the Darwin section of the Nixpkgs manual for details of the new scheme and how to use it, and the announcement on Discourse for more information on the changes and benefits.
This will be the last release of Nixpkgs to support macOS Sierra 10.12 to macOS Catalina 10.15. Starting with release 25.05, the minimum supported version will be macOS Big Sur 11, and we cannot guarantee that packages will continue to work on older versions of macOS. Users on old macOS versions should consider upgrading to a supported version (potentially using OpenCore Legacy Patcher for old hardware) or installing NixOS. If neither of those options are viable and you require new versions of software, MacPorts supports versions back to Mac OS X Snow Leopard 10.6.
This will be the last release of Nixpkgs to support versions of CUDA prior to CUDA 12.0. These versions only work with old compiler versions that will be unsupported by the time of the Nixpkgs 25.05 release. In the future, users should expect CUDA versions to be dropped as the compiler versions they require leave upstream support windows.
Convenience options for amdgpu
, the open source driver for Radeon cards, are now available under hardware.amdgpu
.
AMDVLK, AMD’s open source Vulkan driver, is now available to be configured under the hardware.amdgpu.amdvlk
option.
This also allows configuring runtime settings for AMDVLK, including enabling experimental features.
The moonlight-qt
package (for Moonlight game streaming) now has HDR support on Linux systems.
Sched-ext, a Linux kernel feature to run schedulers in userspace, is now available services.scx
.
Requires Linux kernel version 6.12 or later.
PostgreSQL now defaults to major version 16.
GNOME has been updated to version 47. Refer to the release notes for more details.
authelia
has been upgraded to version 4.38. This version brings several features and improvements which are detailed in the release blog post.
This release also deprecates some configuration keys which are likely to be removed in version 5.0.0.
netbird
has been updated to 0.31.1. This adds a built-in relay server which is not yet supported by the NixOS module, as well as a metrics endpoint for both the management and signal services. The default metrics port for the signal
service has been changed from 9090
to 9091
to prevent a port conflict with the management server. This can be changed with their respective metricsPort
as needed. Refer to the release notes and this pull request for more information.
compressDrv
can compress selected files in a derivation. compressDrvWeb
compresses files for common web server usage (.gz
with zopfli
, .br
with brotli
).
hardware.display
is a new module implementing workarounds for misbehaving monitors
by setting up custom EDID files and forcing kernel/framebuffer modes.
services.displayManager.ly
is a new module for configuring the display manager ly,
a TUI-based replacement for SDDM and LightDM meant for window manager users.
srcOnly
was rewritten to be more readable, have additional warnings in the event that something is probably wrong, use the stdenv
provided by the derivation, and Noogle-compatible documentation was added.
The default sound server for most graphical sessions has been switched from PulseAudio to PipeWire.
Users that want to keep using PulseAudio will want to set services.pipewire.enable = false;
and hardware.pulseaudio.enable = true;
.
There is currently no plan to fully deprecate and remove PulseAudio, however, PipeWire should generally be preferred for new installs.
The Rust rewrite of the switch-to-configuration
program is now used for system activation by default.
If you experience any issues, please report them.
The original Perl script is deprecated and is planned for removal in the 25.05 release. It will remain accessible until then by setting system.switch.enableNg
to false
.
Support for mounting filesystems from block devices protected with dm-verity
was added through the boot.initrd.systemd.dmVerity
option.
The Xen Project Hypervisor is once again available as a virtualisation option under virtualisation.xen
.
This release includes Xen 4.19.0 and support for booting the hypervisor on EFI systems.
Booting into the Xen Project Hypervisor through a legacy BIOS bootloader or with the legacy script-based Stage 1 initrd have been deprecated. Only EFI booting and the new systemd-based Stage 1 initrd are supported.
The qemu-xen-traditional
component has been deprecated by the upstream Xen Project, and is no longer included in the Xen build.
The OCaml-based Xen Store can now be configured using virtualisation.xen.store.settings
.
The virtualisation.xen.bridge
options have been deprecated in this release cycle. Users who need network bridges are encouraged to set up their own networking configurations.
A new option systemd.enableStrictShellChecks
has been added. When enabled, all systemd scripts generated by NixOS will
be checked with shellcheck and any errors or warnings will cause the build to fail.
This affects all scripts that have been created through the script
, reload
, preStart
, postStart
, preStop
and postStop
options for systemd services.
This does not affect commandlines passed directly to ExecStart
, ExecReload
, ExecStartPre
, ExecStartPost
, ExecStop
or ExecStopPost
.
It therefore also does not affect systemd units that are coming from packages and that are not defined through the NixOS config.
This option is disabled by default, and although some services have already been fixed, it is still likely that you will encounter build failures when enabling this.
We encourage people to enable this option when they are willing and able to submit fixes for potential build failures to nixpkgs.
The option can also be enabled or disabled for individual services using the enableStrictShellChecks
option on the service itself, which will take precedence over the global setting.
Coral, hardware support for Coral.ai Edge TPU devices. Available as hardware.coral.usb.enable and hardware.coral.pcie.enable.
Cyrus IMAP, an email, contacts and calendar server. Available as services.cyrus-imap service.
TaskChampion Sync-Server, a Taskwarrior 3 sync server. Available as services.taskchampion-sync-server.
FlareSolverr, a proxy server to bypass Cloudflare protection. Available as services.flaresolverr.
Gancio, a shared agenda for local communities. Available as services.gancio.
Goatcounter, an easy web analytics platform with no tracking of personal data. Available as services.goatcounter.
Privatebin, a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Available as services.privatebin.
UWSM, a wayland session manager to wrap Wayland compositors into useful systemd units such as graphical-session.target
. Available as programs.uwsm.
Open-WebUI, a user-friendly WebUI for LLMs. Available as services.open-webui.
Quickwit, a sub-second search & analytics engine on cloud storage. Available as services.quickwit.
Userborn, a service for declarative
user management. This can be used instead of the update-users-groups.pl
Perl script and/or systemd-sysusers. This is now recommended over
systemd-sysusers to achieve a system without Perl, as it can create normal
users and change passwords. Available as services.userborn.
g810-led, a LED controller for Logitech G keyboards. Available as services.g810-led.
Hatsu, a self-hosted bridge that interacts with Fediverse on behalf of your static site. Available as services.hatsu.
Soteria, a polkit authentication agent to handle elevated prompts for any desktop environment. Normally this should only be used on DEs or WMs that do not provide a graphical polkit frontend on their own. Available as security.soteria
.
Flood, a beautiful WebUI for various torrent clients. Available as services.flood.
Niri, a scrollable-tiling Wayland compositor. Available as programs.niri.
Firefly-iii Data Importer, a data importer for Firefly-III. Available as services.firefly-iii-data-importer.
Dashy, an open source, highly customizable, easy to use, privacy-respecting dashboard app. Available as services.dashy.
[QGroundControl], a ground station support and configuration manager for the PX4 and APM Flight Stacks. Available as programs.qgroundcontrol.
Eintopf, a community event and calendar web application. Available as services.eintopf.
pay-respects
, a terminal command correction program, alternative to thefuck
, written in Rust. Available as programs.pay-respects.
Radicle, an open source, peer-to-peer code collaboration stack built on Git. Available as services.radicle.
Ordinal, A library for ordinal numbers in the Coq proof assistant.
ddns-updater, a service with a WebUI to update DNS records periodically for many providers. Available as services.ddns-updater.
Immersed, a closed-source coworking platform. Available as programs.immersed.
HomeBox, an inventory and organization system built for the home user. Available as services.homebox.
evremap, a keyboard input remapper for Linux/Wayland systems. Available as services.evremap.
matrix-hookshot, a Matrix bot for connecting to external services. Available as services.matrix-hookshot.
Renovate, a dependency updating tool for various Git forges and language ecosystems. Available as services.renovate.
Music Assistant, a music library manager for your offline and online music sources that can stream to a wide range of supported players. Available as services.music-assistant.
zeronsd, a DNS server for ZeroTier users. Available with services.zeronsd.servedNetworks.
Collabora Online, a collaborative online office suite based on LibreOffice technology. Available as services.collabora-online.
wg-access-server, an all-in-one WireGuard VPN solution with a WebUI for connecting devices. Available as services.wg-access-server.
Pingvin Share, a self-hosted file sharing platform and an alternative for WeTransfer. Available as services.pingvin-share.
Envision, a UI for building, configuring and running Monado, the open source OpenXR runtime. Available as programs.envision.
Localsend, an open source cross-platform alternative to AirDrop. Available as programs.localsend.
Gatus, an automated developer-oriented status page. Available as services.gatus.
cryptpad, a privacy-oriented collaborative office suite, has been added back. Available as services.cryptpad.
realm, a simple, high performance relay server written in Rust. Available as services.realm.
Gotenberg, an API server for converting files to PDFs that can be used alongside Paperless-ngx. Available as services.gotenberg.
Suricata, a free and open source, mature, fast and robust network threat detection engine. Available as services.suricata.
Playerctld, a daemon to track media player activity. Available as services.playerctld.
Glance, a self-hosted dashboard that puts all your feeds in one place. Available as services.glance.
Apache Tika, a toolkit that detects and extracts metadata and text from over a thousand different file types. Available as services.tika.
Misskey, an interplanetary microblogging platform. Available as services.misskey.
Improved File Manager (IFM), a single-file web-based file manager. Available as services.ifm.
OpenGFW, an implementation of the Great Firewall on Linux. Available as services.opengfw.
Rathole, a lightweight and high-performance reverse proxy for NAT traversal. Available as services.rathole.
Proton Mail bridge, a desktop application that runs in the background, encrypting and decrypting messages as they enter and leave your computer. Available as services.protonmail-bridge.
chromadb, an open-source AI application database with batteries included. Available as services.chromadb.
bitmagnet, a self-hosted BitTorrent indexer, DHT crawler, content classifier and torrent search engine with WebUI, GraphQL API and Servarr stack integration. Available as services.bitmagnet.
Wakapi, a time tracking software for programmers. Available as services.wakapi.
foot, a fast, lightweight and minimalistic Wayland terminal emulator. Available as programs.foot.
ToDesk, a remote desktop application. Available as services.todesk.
Dependency Track, an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Available as services.dependency-track.
Immich, a self-hosted photo and video backup solution. Available as services.immich.
saunafs, a distributed POSIX file system. Available as services.saunafs.
obs-studio, a free and open source software for video recording and live streaming. Available as programs.obs-studio.
Veilid, a privacy-focused, headless server for data sharing and messaging on a peer-to-peer network. Available as services.veilid.
Fedimint, a module based system for building federated applications (Federated E-Cash Mint). Available as services.fedimintd.
tiny-dfr, a dynamic function row daemon for the Touch Bar found on some Apple laptops. Available as hardware.apple.touchBar.enable.
Swapspace, a dynamic swap space manager that turns your unused free space into swap automatically. Available as services.swapspace.
Zapret, a DPI bypass tool. Available as services.zapret.
Glances, an open-source system cross-platform monitoring tool. Available as services.glances.
Nixpkgs now requires Nix 2.3.17 or newer to allow for zstd compressed binary artifacts.
The sound
options have been removed or renamed, as they had a lot of unintended side effects. See below for details.
The NVIDIA driver no longer defaults to the proprietary kernel module with versions >= 560. You will need to manually set hardware.nvidia.open
to select the proprietary or open modules.
The (buildPythonPackage { ... }).override
and (buildPythonPackage { ... }).overrideDerivation
attributes is now deprecated and removed in favour of overridePythonAttrs
and lib.overrideDerivation
.
This change does not affect the override interface of most Python packages, as <pkg>.override
provided by callPackage
shadows such a locally-defined override
attribute.
The <pkg>.overrideDerivation
attribute of Python packages called with callPackage
will also remain available after this change.
All Cinnamon and XApp packages have been moved to top-level (i.e., cinnamon.nemo
is now nemo
).
All GNOME packages have been moved to top-level (i.e., gnome.nautilus
is now nautilus
).
transmission
has been aliased with a trace
warning to transmission_3
, since Transmission 4 has been released last year and Transmission 3 will eventually go away – this is meant to make people aware of the new version. services.transmission.package
now also defaults to transmission_3
, as the upgrade can cause data loss in some cases (examples: #5153, #6796). Please make sure to back up to your data directory if you may be affected:
transmission-gtk
: ~/.config/transmission
transmission-daemon
using NixOS module: ${config.services.transmission.home}/.config/transmission-daemon
(defaults to /var/lib/transmission/.config/transmission-daemon
)
The default mongodb
version has been updated from 5.0 to 7.0.
For more information, see the compatibility changes for MongoDB 6.0 and 7.0.
unifi
has been updated to UniFi 8.
unifi7
was removed as it is vulnerable to CVE-2024-42025 and required a version of MongoDB that has reached end of life.
androidenv.androidPkgs_9_0
has been removed. It is replaced with androidenv.androidPkgs
for a more complete Android SDK, including support for Android 9 and later.
The VirtualBox demo installer appliance has been removed. Please use the standard installer ISOs instead.
grafana
has been updated to version 11.3. This version doesn’t support setting http_addr
to a hostname anymore, an IP address is expected.
deno
has been updated to Deno 2, which has breaking changes.
See the migration guide for details.
gogs
has been removed. Upstream development has stalled and it has several
critical vulnerabilities that weren’t addressed
within a year. Consider migrating to forgejo
or gitea
.
knot-dns
has been updated to version 3.4.x. Check the migration guide for breaking changes.
mutmut
has been updated to version 3.0.5.
services.kubernetes.kubelet.clusterDns
now accepts a list of DNS resolvers rather than a single string, bringing the module more in line with the upstream Kubelet configuration schema.
bluemap
has changed the format used to store map tiles, and the database layout has been heavily modified. Upstream recommends a clean reinstallation: https://github.com/BlueMap-Minecraft/BlueMap/releases/tag/v5.2. Unless you are using an SQL storage backend, this should only entail deleting the contents of config.services.bluemap.coreSettings.data
(defaults to /var/lib/bluemap
) and config.services.bluemap.webRoot
(defaults to /var/lib/bluemap/web
).
wstunnel
has had a major version upgrade that entailed rewriting the program in Rust.
The module was updated to accommodate for breaking changes and breaking changes to the
module options were minimised as much as possible. Nonetheless, some were inevitable due
to changes in the upstream CLI. Certain options were moved from separate CLI arguments into
the forward specifications, and those options were also removed from the module’s options.
Please consult the wstunnel man page for more details.
Also be aware that if you have set additional options in services.wstunnel.{clients,servers}.<name>.extraArgs
,
they may have been modified or removed upstream.
gnat
and gnatPackages
now use GNAT 13 instead of GNAT 12. This matches
the default gcc
version.
percona-server_8_4
and mysql84
now have password authentication via the deprecated mysql_native_password
disabled by default. This authentication plugin can be enabled via a CLI argument again, for detailed instructions and alternative authentication methods see upstream documentation. The config file directive default_authentication_plugin
has been removed.
Percona has decided not to follow the LTS/ Innovation release scheme of upstream MySQL and thus will only create releases for MySQL LTS versions. Hence, the package names percona-server_lts
, percona-server_innovation
, percona-xtrabackup_lts
and percona-xtrabackup_innovation
are deprecated.
percona-server
and percona-server_lts
now point towards the new LTS release percona-server_8_4
. The previous LTS continues to be supported and is available as percona-server_8_0
. The same is true for the supporting percona-xtrabackup
tooling.
clang-tools_<version>
packages have been moved into llvmPackages_<version>
(i.e. clang-tools_18
is now llvmPackages_18.clang-tools
).
For convenience, the top-level clang-tools
attribute remains and is now bound to llvmPackages.clang-tools
.
Top-level clang_tools_<version>
attributes are now aliases; these will be removed in a future release.
buildbot
was updated to 4.0 and the AngularJS frontend replaced by a React frontend. See the upstream release notes.
headscale
has been updated to version 0.23.0 which reworked large parts of the configuration, including DNS, Magic DNS prefixes and ACL policy files. See the upstream changelog for details.
nginx
package no longer includes the gd
and geoip
dependencies. To re-enable them, override nginx
with the options withImageFilter = true;
and withGeoIP = true;
.
systemd.enableUnifiedCgroupHierarchy
has been removed.
In systemd 256, support for cgroup v1 (‘legacy’ and ‘hybrid’ hierarchies) is now considered obsolete and systemd will refuse to boot under it by default.
To forcibly re-enable cgroup v1 support, you can set boot.kernelParams = [ "systemd.unified_cgroup_hierarchy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ]
.
This is not an officially supported configuration and might cause your system to become unbootable in future versions. You are on your own.
nrfutil
– which previously pointed to the now-deprecated pc-nrfutil
Python package – has been repackaged under the same name with the new nrfutil tool.
openssh
and openssh_hpn
are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components. Users needing this support can
use the new opensshWithKerberos
and openssh_hpnWithKerberos
package flavors (e.g. programs.ssh.package = pkgs.openssh_gssapi
).
security.ipa.ipaHostname
now defaults to the value of networking.fqdn
if
it is set, instead of the previous hardcoded default of
${networking.hostName}.${security.ipa.domain}
.
The MSMTP_QUEUE
and MSMTP_LOG
environment variables accepted by msmtpq
have been renamed to MSMTPQ_Q
and MSMTPQ_LOG
respectively.
The logrotate service has been hardened and now requires enabling allowNetworking
if network access is required.
mautrix-whatsapp
has been updated to version 0.11.0, which is a major rewrite of the bridge. Config file changes are required.
qBittorrent has been updated to major version 5, which drops support for Qt 5.
The qbittorrent-qt5
package has been removed.
The fcgiwrap module now allows multiple instances running as distinct users.
The option services.fgciwrap
now takes an attribute set of the
configuration of each individual instance.
This requires migrating any previous configuration keys from
services.fcgiwrap.*
to services.fcgiwrap.instances.some-instance.*
.
The ownership and mode of the UNIX sockets created by this service are now
configurable and private by default.
Processes also now run as a dynamically allocated user by default instead of
root.
The mautrix-signal
module was adapted to incorporate the configuration changes that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work.
In case you want to update your configuration, make sure to check the NixOS manual.
cargo-tauri
has been updated to major version 2. Please review the migration guide.
v1 of cargo-tauri
is still available as cargo-tauri_1
, but will be removed in future releases.
The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set hardware.nvidia.open
to select the proprietary or open driver.
postgresql_12
has been removed since it reached its end of life.
postgresql
no longer accepts the enableSystemd
override. Use systemdSupport
instead.
postgresql
was split into default and -dev outputs. To make this work without circular dependencies, the output of the pg_config
system view has been removed. The pg_config
binary is provided in the -dev output and still works as expected.
The arguments from services.postgresql.initdbArgs
now get shell-escaped.
postgresql
is now hardened by default using the common systemd
settings for that.
The dhcpcd service (networking.useDHCP
) has been hardened and now runs exclusively as the “dhcpcd” user.
Users that were relying on the root privileges in networking.dhcpcd.runHook
will have to write specific sudo or polkit rules to allow dhcpcd to perform privileged actions.
As part of these changes, the DHCP lease files directory has also been moved from /var/db/dhcpcd
to /var/lib/dhcpcd
. This migration is performed automatically, but users may have to update their backup configuration.
singularity-tools
have the storeDir
argument removed from its override interface and use builtins.storeDir
instead.
The mkLayer
and shellScript
build helpers in singularity-tools
are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases.
The rust.toTargetArch
, rust.toTargetOs
, rust.toTargetFamily
, rust.toTargetVendor
, rust.toRustTarget
, rust.toRustTargetSpec
, rust.toRustTargetSpecShort
, and rust.IsNoStdTarget
functions are deprecated in favour of the rust.platform.arch
, rust.platform.os
, rust.platform.target-family
, rust.platform.vendor
, rust.rustcTarget
, rust.rustcTargetSpec
, rust.cargoShortTarget
, rust.cargoEnvVarTarget
, and rust.isNoStdTarget
platform attributes respectively.
All Budgie and budgiePlugins
packages have been moved to top-level (i.e.,
budgie.budgie-desktop
is now budgie-desktop
and budgiePlugins.budgie-media-player-applet
is now budgie-media-player-applet
).
The method of safely handling secrets in the networking.wireless
module has been changed to benefit from a new feature of wpa_supplicant
.
The syntax to refer to secrets has changed slightly and the option networking.wireless.environmentFile
has been replaced by networking.wireless.secretsFile
; see the description of the latter for how to upgrade.
NetBox was updated to >= 4.1.0
.
Have a look at the breaking changes
of the 4.0 release
and the 4.1 release,
make the required changes to your database, if needed,
then upgrade by setting services.netbox.package = pkgs.netbox_4_1;
in your configuration.
services.cgit
now runs as the cgit user by default instead of root.
This change requires granting access to the repositories to this user or
setting the appropriate one through services.cgit.some-instance.user
.
All Oracle JDKs and JREs (oraclejdk
, oraclejdk8
, oraclejre
, oraclejre8
,
jrePlugin
, jre8Plugin
, jdkdistro
, oraclejdk8distro
, and oraclejdk11
)
were dropped due to being unmaintained and heavily insecure. OpenJDK provides
compatible replacements for JDKs and JREs.
gradle_6
was removed due to being unsupported upstream as of 10 Feb 2023.
Additionally, it had numerous security vulnerabilities that were only patched
in later versions, such as CVE-2021-29429,
CVE-2021-29427, CVE-2021-29428, and CVE-2021-32751.
nvimpager
was updated to version 0.13.0, which changes the order of user and
nvimpager settings: user commands in -c
and --cmd
now override the
respective default settings because they are executed later.
javacard-devkit
was dropped due to having a dependency on the Oracle JDK,
as well as being several years out-of-date.
Kubernetes featureGates
have changed from a listOf str
to attrsOf bool
.
This refactor makes it possible to also disable feature gates, without having
to use extraOpts
flags.
A previous configuration may have looked like this:
{
featureGates = [ "EphemeralContainers" ];
extraOpts = pkgs.lib.concatStringsSep " " (
[
''--feature-gates="CSIMigration=false"''
]
);
}
Using an attribute set instead, the new configuration would be:
{
featureGates = {
EphemeralContainers = true;
CSIMigration=false;
};
}
pkgs.nextcloud27
has been removed as it has reached EOL.
The environment.noXlibs
option has been removed. It was a common source of unexpected rebuilds and breakage that was often hard to diagnose.
If you need to disable certain libraries, you’re encouraged to add your own overlay to your configuration that targets the packages you care about.
frigate
was updated past 0.14.0. This release includes various breaking changes, so please review the release notes.
Most prominently, access to the web interface and API are now protected by authentication. Retrieve the auto-created
admin account from the frigate.service
journal after upgrading.
nodePackages.coc-python
was dropped, as its upstream is unmaintained. The associated vimPlugins.coc-python
was also dropped.
The upstream project recommends using coc-pyright
or coc-jedi
as replacements.
forgejo
has been upgraded from version 7.0 to version 9.0, see the release notes for 8.0 and 9.0.
services.forgejo.mailerPasswordFile
has been deprecated by the drop-in replacement services.forgejo.secrets.mailer.PASSWD
,
which is part of the new free-form services.forgejo.secrets
option.
services.forgejo.secrets
is a small wrapper over systemd’s LoadCredential=
. It has the same structure (sections/keys) as
services.forgejo.settings
but takes file paths that will be read before service startup instead of some plaintext value.
services.forgejo.package
now defaults to forgejo-lts
, the Long Term Support version of Forgejo.
forgejo
and forgejo-lts
no longer support the opt-in feature PAM (Pluggable Authentication Module).
gitea
no longer supports the opt-in feature PAM (Pluggable Authentication Module).
vuze
was removed because it is unmaintained upstream and insecure (CVE-2018-13417).
BiglyBT is a maintained fork.
services.ddclient.use
has been deprecated: ddclient
now supports separate IPv4 and IPv6 configuration. Use services.ddclient.usev4
and services.ddclient.usev6
instead.
services.pgbouncer
systemd service is now configured with Type=notify-reload
and allows reloading configuration without process restart. PgBouncer configuration options were moved to the freeform type option under services.pgbouncer.settings
.
Docear was removed because it was unmaintained upstream. JabRef, Zotero, or Mendeley are potential replacements.
nodePackages.coc-metals
was removed due to being deprecated upstream.
vimPlugins.nvim-metals
is its official replacement.
matrix-sliding-sync
was removed because it has been replaced by the simplified sliding sync functionality introduced in matrix-synapse 114.0.
nodePackages.coc-tslint
, vimPlugins.coc-tslint
, nodePackages.coc-tslint-plugin
,
and vimPlugins.coc-tslint-plugin
were removed due to being deprecated upstream. The
nodePackages.coc-eslint
and vimPlugins.coc-eslint
packages offer comparable
features for eslint
, which replaced tslint
.
Tcl packages have been moved into the tclPackages
scope.
teleport
has been upgraded from major version 15 to major version 16.
Refer to upstream upgrade instructions
and release notes for v16.
tests.overriding
’s passthru.tests
has been restructured as an attribute set instead of a list, making individual tests accessible by their names.
skk-dict
was split into multiple packages under skkDictionaries
.
If in doubt of what to use, try skkDictionaries.l
. As part of this change, the dictionaries
were moved from $out/share
to $out/share/skk
. The dictionaries also won’t
be converted to UTF-8 unless the useUtf8
package option is enabled; UTF-8
converted dictionaries will have the .utf8 suffix appended to its filename.
vaultwarden
lost the capability to bind to privileged ports. If you rely on
this behavior, override the systemd unit to allow CAP_NET_BIND_SERVICE
in
your configuration.
services.invoiceplane.sites.<name>.extraConfig
was removed. Configuration must now be done
through the structured services.invoiceplane.sites.<name>.settings
option.
services.ollama.sandbox
has been replaced with options to configure
a static user
and group
. The writablePaths
option has also been removed and
the models directory is now always exempt from sandboxing.
The gns3-server
service now runs under the gns3
system user
instead of a dynamically created one via DynamicUser
.
The use of SUID wrappers is incompatible with SystemD’s DynamicUser
setting,
and GNS3 requires calling ubridge through its SUID wrapper to function properly.
This change requires to manually move the following directories:
from /var/lib/private/gns3
to /var/lib/gns3
from /var/log/private/gns3
to /var/log/gns3
and to change the ownership of these directories and their contents to gns3
(including /etc/gns3
).
Legacy package stalwart-mail_0_6
was dropped, please note the
manual upgrade process
before changing the package to pkgs.stalwart-mail
in
services.stalwart-mail.package
.
nomad_1_5
and nomad_1_6
were dropped, as they have reached end-of-life upstream. Evaluating them will throw an error.
The default nomad
package has been updated to 1.8.x. For more information, see breaking changes for Nomad 1.8
androidndkPkgs
has been updated to androidndkPkgs_26
.
Android NDK version 26 and SDK version 33 are now the default versions used for cross compilation to android.
ankisyncd
package and its services.ankisyncd
have been removed. Use services.anki-sync-server
instead.
nodePackages.vscode-css-languageserver-bin
, nodePackages.vscode-html-languageserver-bin
,
and nodePackages.vscode-json-languageserver-bin
were dropped due to an unmaintained upstream.
The vscode-langservers-extracted
package is a maintained drop-in replacement.
nodePackages.prisma
has been replaced by prisma
.
fetchNextcloudApp
has been rewritten to use fetchurl
rather than
fetchzip
. This invalidates all existing hashes, but you can restore the old
behavior by passing it unpack = true
.
haskell.lib.compose.justStaticExecutables
now disallows references to GHC in its
output by default to alert users to closure size issues caused by
#164630. See “Packaging
Helpers” in the Haskell section of the Nixpkgs
manual
for information on working around output '...' is not allowed to refer to the following paths
errors caused by this change.
services.stalwart-mail
now runs under the stalwart-mail
system user
instead of a dynamic one via DynamicUser
in order to avoid automatic
ownership changes on its large file store on service restart.
This change requires to manually move the state directory from
/var/lib/private/stalwart-mail
to /var/lib/stalwart-mail
, and to
change the ownership of the directory and its content to stalwart-mail
.
services.stalwart-mail
now uses RocksDB as the default storage backend
for stateVersion
≥ 24.11. It was previously using SQLite for structured
data and the filesystem for blobs.
services.stargazer
has been hardened to improve security, but these
changes make break certain setups, particularly around traditional CGI.
services.stargazer.allowCgiUser
has been added, enabling
Stargazer’s cgi-user
option to work, which was previously broken.
services.shiori
now requires the HTTP secret value SHIORI_HTTP_SECRET_KEY
to be provided as an environment variable. services.shiori.environmentFile
has been introduced to handle this:
# This is how a environment file can be generated:
# $ printf "SHIORI_HTTP_SECRET_KEY=%s\n" "$(openssl rand -hex 16)" > /path/to/env-file
services.shiori.environmentFile = "/path/to/env-file";
/share/nano
is now only linked when programs.nano.enable
is enabled.
PPD files for Utax printers were renamed (spaces replaced by underscores) in the newest foomatic-db
package. Users of Utax printers might need to adapt their hardware.printers.ensurePrinters.*.model
value to account for this.
sqldeveloper
was dropped due to being severely out-of-date and having a dependency on
JavaFX for Java 8, which we do not support.
The kvdo
kernel module package was removed as it was upstreamed in kernel version 6.9, where it is now called dm-vdo
.
libe57format
has been updated to >= 3.0.0
, which contains some backward-incompatible API changes. See the release note for more details.
gitlab
deprecated support for runner registration tokens in GitLab 16.0, disabled their support in GitLab 17.0 and will
ultimately remove it in GitLab 18.0 (as outlined in the
documentation).
After upgrading to GitLab >= 17.0, it is possible to re-enable support for registration tokens in the UI until GitLab 18.0.
Refer to the manual on using registration tokens after GitLab 17.0.
GitLab administrators should migrate to the new runner registration workflow
with runner authentication tokens until the release of GitLab 18.0.
gitlab
has been updated from 16.x to 17.x and requires postgresql
>= 14.9, as stated in the documentation. Check the upgrade guide in the NixOS manual on how to upgrade your PostgreSQL installation.
gitaly
(part of gitlab
) is now using the bundled git
package instead of pkgs.git
, to maintain compatibility with GitLab.
nixos/gitlab
no longer adds pkgs.git
to environment.systemPackages
by default.
The replay-sorcery
package and module was removed as it unmaintained upstream. Consider using gpu-screen-recorder
or obs-studio
instead.
A few options of services.samba
have been moved from extraConfig
and configText
to the new freeform option settings
and renamed, e.g.:
services.samba.invalidUsers
to services.samba.settings.global."invalid users"
services.samba.securityType
to services.samba.settings.global."security type"
services.samba.shares
to services.samba.settings
services.samba.enableWinbindd
to services.samba.winbindd.enable
services.samba.enableNmbd
to services.samba.nmbd.enable
zx
was updated to v8, which introduces several breaking changes.
See the v8 changelog for more information.
feishin
removed support for Navidrome < v0.53.2
due to an API change. See the v0.10.0 release notes for more information.
services.dnscrypt-wrapper
was removed, as the project has been effectively unmaintained since 2018. Moreover, the NixOS module had to rely on an abandoned version of dnscrypt-proxy
v1 for the rotation of keys.
To wrap a resolver with DNSCrypt, you can instead use dnsdist
. See services.dnsdist.dnscrypt
The portunus
package and service do not support weak password hashes anymore.
If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing.
Then, follow the instructions on the upstream release notes to upgrade all existing user accounts to strong password hashes.
If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration:
services.portunus.package = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; };
services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
The default value of services.kubernetes.kubelet.hostname
is now lowercased.
Explicitly set kubelet.hostname
to networking.fqdnOrHostName
to get back
the old default behavior.
Docker now defaults to 27.x, as version 24.x stopped receiving security updates and bug fixes after February 1, 2024.
keycloak
was updated to version 25, which introduces new hostname related options.
See Upgrading Guide for instructions.
programs.vim.defaultEditor
now only works if programs.vim.enable
is enabled.
services.mautrix-meta
was updated to 0.4. This release makes significant changes to the settings format. If you have custom settings you should migrate them to the new format. Unfortunately upstream provides little guidance for how to do this, but the auto-migration code may serve as a useful reference. The NixOS module should warn you if you still have any old settings configured.
The nodePackages.shout
package has been removed because it was deprecated upstream in favor of thelounge
.
The shout
top-level attribute was an alias to this package.
The associated services.shout
module has also been removed.
prometheus-openldap-exporter
was removed, as it was unmaintained both upstream and in nixpkgs.
The indi-full
package no longer contains non-free drivers.
To get the old collection of drivers use indi-full-nonfree
or create your own collection of drivers by overriding indi-with-drivers.
E.g.: pkgs.indi-with-drivers.override {extraDrivers = with pkgs.indi-3rdparty; [indi-gphoto];}
/share/vim-plugins
now only gets linked if programs.vim.enable
is enabled
The services.guix
module now manages trusted substitute servers
declaratively. Instead of guix archive --authorize
, list keys with
services.guix.substituters.authorizedKeys
. Default substitute servers can be
set via services.guix.substituters.urls
.
The tracy
package no longer works on X11, since it’s moved to Wayland
support, which is the intended default behavior by Tracy maintainers.
X11 users have to switch to the new package tracy-x11
.
gollum
has been upgraded to major version 6. Please review their migration notes.
services.prometheus.exporters.minio
option has been removed, as it’s upstream implementation was broken and unmaintained.
Minio now has built-in Prometheus metrics exposure, which can be used instead.
The services.prometheus.exporters.tor
option has been removed, as its upstream implementation was broken and unmaintained.
services.patroni.raft
has been removed, as Raft has been deprecated by upstream since 3.0.0.
The jd-cli
package was removed due to an inactive upstream and a dependency on the shut down
JCenter JAR repository.
Java decompilers already packaged in Nixpkgs include bytecode-viewer
(GUI), cfr
(CLI), and procyon
(CLI).
The jd-gui
package was removed due to an inactive upstream and a dependency on the end-of-life Gradle 6.
Java decompilers already packaged in Nixpkgs include bytecode-viewer
(GUI), cfr
(CLI), and procyon
(CLI).
services.roundcube.maxAttachmentSize
will multiply the value set with 1.37
to offset overhead introduced by the base64 encoding applied to attachments.
services.mxisd
has been removed as both mxisd and ma1sd are no longer maintained.
Consequently, the package ma1sd
has also been removed.
The rss-bridge
service drops the support to load a configuration file from ${config.services.rss-bridge.dataDir}/config.ini.php
.
Consider using the services.rss-bridge.config
option instead.
mikutter
has been removed, as the package was broken and had no maintainers in nixpkgs.
xdg.portal.gtkUsePortal
has been removed, as it had been deprecated for over 2 years. Using the GTK_USE_PORTAL
environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via environment.sessionVariables
.
Support for the legacy CUPS browsing and LDAP have been removed from services.printing
. If cups
or ldap
are in the BrowseRemoteProtocols
setting in services.printing.browsedConf
, it needs to be removed.
services.trust-dns
has been renamed to services.hickory-dns
.
services.prometheus.exporters.pgbouncer.connectionStringFile
has been removed since
it leaked the connection string (and thus potentially the DB password) into the cmdline
of process making it effectively world-readable.
Use services.prometheus.exporters.pgbouncer.connectionEnvFile
instead.
lsh
and services.lshd
have been removed as they had no maintainer in Nixpkgs and no upstream release in over a decade. It is recommended to migrate to openssh
and services.openssh
.
ceph
has been upgraded to v19. See the Ceph “squid” release notes for details and recommended upgrade procedure.
services.frr
has been refactored to use upstream service scripts. The per-daemon configurations
have been removed in favour of an integrated-vtysh-config
style config. The daemon submodules
now use the daemon name (e.g. ospfd
) instead of the protocol name (ospf
). The daemons zebra
,
mgmtd
and staticd
are always enabled if a config is present. The vtyListenAddress
and
vtyListenPort
options have been removed; use options
or extraOptions
instead, respectively.
opencv2
and opencv3
have been removed, as they are obsolete and
were not used by any other package. External users are encouraged to
migrate to OpenCV 4.
tvheadend
package and the services.tvheadend
module have been
removed due to lack of maintenance in Nixpkgs and being stuck on
an unmaintained version that required FFmpeg 4. Please see the related pull
request #332259 if you
are interested in maintaining a newer version.
antennas
and services.antennas
have been removed as they only work with tvheadend
(see above).
system.build.brightboxImage
has been removed as it no longer built and has not seen any maintenance in over 7 years (excluding tree-wide changes).
services.syncplay
now exposes all currently available command-line arguments for syncplay-server
as options, as well as a useACMEHost
option for easy TLS setup.
The systemd service now uses DynamicUser
/StateDirectory
and the user
and group
options have been deprecated.
openlens
was removed. It is recommended to use lens-desktop
instead.
services.dnsmasq.extraConfig
has been removed, as it had been deprecated for over 2 years. This option has been replaced by services.dnsmasq.settings
.
The NixOS installation media no longer support the ReiserFS or JFS file systems by default.
Minimal installer ISOs are no longer built on the small channel. Please obtain installer images from the full release channels.
The default FFmpeg version is now 7.1, and FFmpeg 5 has been removed. Please prefer using the package variants without a version suffix, or pin FFmpeg 6 or 4 if necessary for compatibility. Note that we keep old versions around only as required to support packages in the tree, and FFmpeg 4 especially should be avoided in favour of newer versions as it may be removed soon.
openssl
now defaults to the latest version line 3.3.x
, instead of 3.0.x
before. While there should be no major code incompatibilities, newer OpenSSL versions typically strengthen the default security level. This means that you may have to explicitly allow weak ciphers, hashes and key lengths if necessary. See: OpenSSL security level documentation.
isync
has been updated to version 1.5.0
, which introduces some breaking changes. See the compatibility concerns for more details.
Two new packages – gpauth
and gpclient
from the 2.x version of the
GlobalProtect-openconnect project – are added in parallel to
globalprotect-openconnect
. The GUI components related to the project are
non-free and not packaged.
Compatible string matching for hardware.deviceTree.overlays
has been changed to a more correct behavior. See below for details.
rustic
was upgraded to 0.9.0
, which contains breaking changes to the config file format.
pkgs.formats.ini
and pkgs.formats.iniWithGlobalSection
with
listsAsDuplicateKeys
or listToValue
no longer merge non-list values into
lists by default. Backwards-compatible behavior can be enabled with
atomsCoercedToLists
.
Atlassian Server products have been removed, as support for the Atlassian Server products ended in February 2024 and there was insufficient interest in maintaining the Atlassian Data Center replacements:
The atlassian-bamboo
package
The atlassian-confluence
package and its services.confluence
NixOS module
The atlassian-crowd
package and its services.crowd
NixOS module
The atlassian-jira
package and its services.jira
NixOS module
python3Packages.nose
has been removed, as it has been deprecated and unmaintained for almost a decade and does not work on Python 3.12.
Please switch to pytest
or another test runner/framework.
torq has been removed because upstreamed went closed source.
dotnet-sdk
, dotnet-runtime
, and all other dotnet packages now use a
wrapper package containing bin/dotnet
, build hooks, etc. If you need to
reference the underlying dotnet distribution (DOTNET_ROOT) you should use e.g.
dotnet-runtime.unwrapped
.
The root of dotnet distribution packages (DOTNET_ROOT) is now under e.g.
${dotnet-sdk.unwrapped}/share/dotnet
instead of directly in the package
root. This is consistent with packaging guidelines and more friendly for FHS
environments.
dotnet-sdk
, dotnet-runtime
, and dotnet-aspnetcore
now point to dotnet 8
rather than dotnet 6. For packages that still need dotnet 6, use
dotnet-sdk_6
, etc.
The zerocallusedregs
hardening flag is enabled by default on compilers that support it.
The stackclashprotection
hardening flag has been added, though disabled by default.
The pacret
hardening flag has been added, though disabled by default.
cargoSha256
in rustPlatform.buildRustPackage
has been deprecated in favor
of cargoHash
which supports SRI hashes. See
buildRustPackage: Compiling Rust applications with Cargo
for more information.
The vendorHash
of Go packages built with buildGoModule
can now be overridden with overrideAttrs
.
goModules
, modRoot
, vendorHash
, deleteVendor
, and proxyVendor
are now passed as derivation attributes.
goModules
and vendorHash
are no longer placed under passthru
.
buildFlags
/buildFlagsArray
on buildGoModule
have been deprecated. 24.11 is the last release where buildGoModule
accepts these flags (while throwing a warning).
Use the ldflags
and/or tags
attributes or
the environment instead.
buildGoPackage
has been deprecated. 24.11 is the last release with buildGoPackage
available.
hareHook
has been added as the language framework for Hare. From now on, it,
not the hare
package, should be added to nativeBuildInputs
when building
Hare programs.
lib.options.mkPackageOptionMD
is now obsolete; use the identical lib.options.mkPackageOption
instead.
lib.misc.mapAttrsFlatten
is now formally deprecated and will be removed in future releases; use the identical lib.attrsets.mapAttrsToList
instead.
virtualisation.docker.liveRestore
has been renamed to virtualisation.docker.daemon.settings."live-restore"
and turned off by default for state versions of at least 24.11.
Tailscale’s authKeyFile
can now have its corresponding parameters set through config.services.tailscale.authKeyParameters
, allowing for non-ephemeral unsupervised deployment and more.
See Registering new nodes using OAuth credentials for the supported options.
nixosTests
now provide a working IPv6 setup for VLAN 1 by default.
Kanidm can now be provisioned using the new [services.kanidm.provision
] option, but requires using a patched version available via pkgs.kanidm.withSecretProvisioning
.
Kanidm previously had an incorrect systemd service type, causing dependent units with an after
and requires
directive to start before kanidm*
finished startup. The module has now been updated in line with upstream recommendations.
The kubelet configuration file can now be amended with arbitrary additional content using the services.kubernetes.kubelet.extraConfig
option.
The services.seafile
module was updated to major version 11.
As part of this upgrade, the database backend will be migrated to MySQL. This process should be automatic, but in case of a botched migration, old sqlite files are not removed and can be used to manually migrate the database.
Additionally, the updated CSRF protection may prevent some users from logging in.
Specific origin addresses can be whitelisted using the services.seafile.seahubExtraConf
option
(e.g. services.seafile.seahubExtraConf = ''CSRF_TRUSTED_ORIGINS = ["https://example.com"]'';
).
Note that first solution of the official FAQ answer
is not allowed by the services.nginx
module’s config-checker.
The new option boot.binfmt.addEmulatedSystemsToNixSandbox
allows you to skip adding the emulated systems to nix.settings.extra-platforms
. Now you can emulate foreign binaries locally while only building them on native remote builders.
The latest available version of Nextcloud is v30 (available as pkgs.nextcloud30
). The installation logic is as follows:
If services.nextcloud.package
is specified explicitly, this package will be installed (recommended)
If system.stateVersion
is >=24.05, pkgs.nextcloud29
will be installed by default.
If system.stateVersion
is >=24.11, pkgs.nextcloud30
will be installed by default.
Please note that an upgrade from v28 (or older) to v30 directly is not possible. Please upgrade to nextcloud29
(or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring services.nextcloud.package = pkgs.nextcloud29;
.
To facilitate dependency injection, the imgui
package now builds a static archive using vcpkg’ CMake rules.
The derivation now installs “impl” headers selectively instead of by a wildcard.
Use imgui.src
if you just want to access the unpacked sources.
The new boot.loader.systemd-boot.windows
option makes setting up dual-booting with Windows on a different drive easier.
The boot.loader.raspberryPi
options were marked as deprecated in 23.11 and have now been removed.
Linux 4.19 has been removed because it will reach its end of life within the lifespan of 24.11.
Unprivileged access to the kernel syslog via dmesg
is now restricted by default. Users wanting to keep an
unrestricted access to it can set boot.kernel.sysctl."kernel.dmesg_restrict" = false
.
The i18n.inputMethod
module introduces two new properties:
enable
and type
, for declaring whether to enable an alternative input method and defining which input method respectfully. The options available in type
are the same as the existing enabled
option. enabled
is now deprecated, and will be removed in a future release.
security.pam.u2f
now uses freeform options; all module options are now configurable through security.pam.u2f.settings
.
mikutter
was removed as the package was broken and had no maintainers.
services.getty.autologinOnce
was added to limit the automatic login to once per boot and on the first tty only.
When using full disk encryption, this option allows to unlock the system without retyping the passphrase while keeping the other ttys protected.
Gollum was upgraded to major version 6. Read their migration notes.
The hooks yarnConfigHook
and yarnBuildHook
were added. These should replace yarn2nix.mkYarnPackage
and other yarn2nix
related tools. The motivation to get rid of yarn2nix
tools is the fact that they are too complex and hard to maintain, and they rely upon too much Nix evaluation which is problematic if import-from-derivation is not allowed (see more details at #296856. The transition from mkYarnPackage
to yarn{Config,Build}Hook
is tracked at #324246.
services.timesyncd.servers
now defaults to null
, allowing systemd-timesyncd to use NTP servers advertised by DHCP.
services.timesyncd.fallbackServers
was added and defaults to networking.timeServers
.
Cinnamon has been updated to 6.2. Please check upstream announcement for more details.
Following Mint 22 defaults, the Cinnamon module no longer ships geary
and hexchat
by default.
zfs.latestCompatibleLinuxPackages
is deprecated and is now pointing at the default kernel. If using the stable LTS kernel (default linuxPackages
is not possible then you must explicitly pin a specific kernel release. For example, boot.kernelPackages = pkgs.linuxPackages_6_6
. Please be aware that non-LTS kernels are likely to go EOL before ZFS supports the latest supported non-LTS release, requiring manual intervention.
The shadowstack
hardening flag has been added, though disabled by default.
writeReferencesToFile
has been removed after its deprecation in 24.05. Use the trivial build helper writeClosure
instead.
xxd
is now provided by the tinyxxd
package rather than vim.xxd
to reduce closure size and vulnerability impact. Since it has the same options and semantics as Vim’s xxd
utility, there is no user impact. Vim’s xxd
remains available as the vim.xxd
package.
restic
module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep). Available as services.restic.backups.<name>.inhibitsSleep
.
Mattermost has been updated from 9.5 to 9.11 ESR. See the changelog for more details.
cargo-tauri.hook
was introduced to help users build Tauri projects. It is meant to be used alongside
rustPlatform.buildRustPackage
and Node hooks such as npmConfigHook
, pnpm.configHook
, and the new yarnConfig
power.ups
now powers off UPSs during a power outage event.
This saves UPS battery and ensures that host(s) get back up again when power comes back, even in the scenario when the UPS would have had enough capacity to keep power on during the whole power outage.
If you like the old behaviour of keeping the UPSs on (and emptying the battery) after the host(s) have shut down, and risk not getting a power cycle event to get the host(s) back up, set power.ups.upsmon.settings.POWERDOWNFLAG = null;
.
nixos-firewall-tool
now supports nftables in addition to iptables and is installed by default when NixOS firewall is enabled.
Support for runner registration tokens has been deprecated
in gitlab-runner
15.6 and is expected to be removed in gitlab-runner
18.0. Configuration of existing runners
should be changed to using runner authentication tokens by configuring
services.gitlab-runner.services.<name>.authenticationTokenConfigFile
instead of the former
services.gitlab-runner.services.<name>.registrationConfigFile
option.
iproute2
now has libbpf support.
If you use extensions that are not packaged in nixpkgs, please review whether it still works with the current settings and adjust accordingly if needed.
nix.channel.enable = false
no longer implies nix.settings.nix-path = []
.
Since Nix 2.13, a nix-path
set in nix.conf
cannot be overridden by the NIX_PATH
configuration variable.
ZFS now imports its pools in postResumeCommands
rather than postDeviceCommands
. If you had postDeviceCommands
scripts that depended on ZFS pools being imported, those now need to be in postResumeCommands
.
services.automatic-timezoned.enable = true
will now set time.timeZone = null
.
This is to avoid silently shadowing a user’s explicitly defined timezone without recognition on the user’s part.
services.localtimed.enable = true
will now set time.timeZone = null
.
This is to avoid silently shadowing a user’s explicitly defined timezone without recognition on the user’s part.
qgis
and qgis-ltr
are now built without grass
by default. grass
support can be enabled with qgis.override { withGrass = true; }
.
virtualisation.incus
module gained new incus-user.service
and incus-user.socket
systemd units. It is now possible to add a user to incus
group instead of incus-admin
for increased security.
freecad
now supports addons and custom configuration in nix-way, which can be used by calling freecad.customize
.
sound
options removal The sound
options have been largely removed, as they are unnecessary for most modern setups, and cause issues when enabled.
If you set sound.enable
in your configuration:
If you are using Pulseaudio or PipeWire, simply remove that option
If you are not using an external sound server, and want volumes to be persisted across shutdowns, set hardware.alsa.enablePersistence = true
instead
If you set sound.enableOSSEmulation
in your configuration:
Make sure it is still necessary, as very few applications actually use OSS
If necessary, set boot.kernelModules = [ "snd_pcm_oss" ]
If you set sound.extraConfig
in your configuration:
If you are using another sound server, like Pulseaudio, JACK or PipeWire, migrate your configuration to that
If you are not using an external sound server, set environment.etc."asound.conf".text = yourExtraConfig
instead
If you set sound.mediaKeys
in your configuration:
Preferably switch to handling media keys in your desktop environment/compositor
If you want to maintain the exact behavior of the option, use the following snippet
services.actkbd = let
volumeStep = "1%";
in {
enable = true;
bindings = [
# "Mute" media key
{ keys = [ 113 ]; events = [ "key" ]; command = "${alsa-utils}/bin/amixer -q set Master toggle"; }
# "Lower Volume" media key
{ keys = [ 114 ]; events = [ "key" "rep" ]; command = "${alsa-utils}/bin/amixer -q set Master ${volumeStep}- unmute"; }
# "Raise Volume" media key
{ keys = [ 115 ]; events = [ "key" "rep" ]; command = "${alsa-utils}/bin/amixer -q set Master ${volumeStep}+ unmute"; }
# "Mic Mute" media key
{ keys = [ 190 ]; events = [ "key" ]; command = "${alsa-utils}/bin/amixer -q set Capture toggle"; }
];
};
hardware.deviceTree.overlays
compatible string matching The original compatible string implementation in older NixOS versions relied on substring matching, which is incorrect for overlays with multiple compatible strings and other cases.
The new behavior is consistent with what other tools already do - the overlay is considered applicable if, and only if, any of the compatible strings in the overlay match any of the compatible strings in the DT.
To provide some examples:
Overlay compatible | DT compatible | Pre-24.11 behavior | Correct behavior | Notes |
---|---|---|---|---|
"foo" | "foo", "bar" | match | match | Most common use case does not change |
"foo" | "foobar" | match | no match | Substrings should not be matched |
"foo bar" | "foo", "bar" | match | no match | Separators should not be matched to spaces |
"foo", "bar" | "baz", "bar" | no match | match | One compatible string matching is enough |
Note that this also allows writing overlays that explicitly apply to multiple boards.
Support is planned until the end of December 2024, handing over to 24.11.
In addition to numerous new and upgraded packages, this release has the following highlights:
The default kernel package has been updated from 6.1 to 6.6. All supported kernels remain available.
For each supporting version of the Linux kernel, firmware blobs are compressed with zstd. For firmware blobs this means an increase of 4.4% in size, however a significantly higher decompression speed.
NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS.
This can be disabled through the environment.stub-ld.enable
option.
If you use programs.nix-ld.enable
, no changes are needed. The stub will be disabled automatically.
On flake-based NixOS configurations using nixpkgs.lib.nixosSystem
, NixOS will automatically set NIX_PATH
and the system-wide flake registry (/etc/nix/registry.json
) to point <nixpkgs>
and the unqualified flake path nixpkgs
to the version of nixpkgs used to build the system.
This makes nix run nixpkgs#hello
and nix-build '<nixpkgs>' -A hello
work out of the box with no added configuration, reusing dependencies already on the system.
This may be undesirable if Nix commands are not going to be run on the built system since it adds nixpkgs to the system closure. For such closure-size-constrained non-interactive systems, this setting should be disabled.
To disable it, set nixpkgs.flake.setNixPath and nixpkgs.flake.setFlakeRegistry to false.
NixOS AMIs are now uploaded regularly to a new AWS Account.
Instructions on how to use them can be found on https://nixos.github.io/amis.
We are working on integrating the data into the NixOS homepage.
The list in nixos/modules/virtualisation/amazon-ec2-amis.nix
will stop
being updated and will be removed in the future.
It is now possible to have a completely perlless system (i.e. a system without perl). Previously, the NixOS activation depended on two perl scripts which can now be replaced via an opt-in mechanism. To make your system perlless, you can use the new perlless profile:
{ modulesPath, ... }: {
imports = [ "${modulesPath}/profiles/perlless.nix" ];
}
Cinnamon has been updated to 6.0. Please be aware that the Wayland session is still experimental in this release and could potentially affect Xorg sessions. We suggest a reboot when switching between sessions.
GNOME has been updated to 46 “Kathmandu”. Refer to the release notes for more details. Notably this release brings experimental VRR support, default GTK renderer changes and WebDAV support in Online Accounts. This release we have also stopped including the legacy and unsupported Adwaita-Dark theme by default.
Lomiri (formerly known as Unity8) desktop mode, using Mir 2.x to function as a Wayland compositor, is now available and can be installed with services.desktopManager.lomiri.enable = true
. Note that some core applications, services and indicators have yet to be packaged, and some functions may remain incomplete, but the base experience should be there.
LXQt has been updated to 2.0, which is based on Qt 6 and features Wayland support for many applications.
MATE has been updated to 1.28.
To properly support panel plugins built with Wayland (in-process) support, we are introducing the services.xserver.desktopManager.mate.extraPanelApplets
option, please use that for installing panel applets.
Similarly, please use the services.xserver.desktopManager.mate.extraCajaExtensions
option for installing Caja extensions.
To use the Wayland session, enable services.xserver.desktopManager.mate.enableWaylandSession
. This is opt-in for now as it is in early an stage and introduces a new set of Wayfire closures. Due to known issues with LightDM, we suggest using SDDM as the display manager.
Plasma 6 is now available and can be installed with services.desktopManager.plasma6.enable = true;
. Plasma 5 will likely be deprecated in the next release (24.11). Note that Plasma 6 runs as Wayland by default, and the X11 session needs to be explicitly selected if necessary.
Anki Sync Server, the official sync server built into recent versions of Anki. Available as services.anki-sync-server.
The pre-existing services.ankisyncd
has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the ankisyncd software.
ALVR, a VR desktop streamer. Available as programs.alvr.
AppImage, a tool to package desktop applications, now has a binfmt
option to support running AppImages seamlessly on NixOS. Available as programs.appimage.binfmt.
armagetronad, a mid-2000s 3D lightcycle game widely played at iD Tech Camps. You can define multiple servers using services.armagetronad.<server>.enable
.
BenchExec, a framework for reliable benchmarking and resource measurement, available as programs.benchexec, as well as related programs CPU Energy Meter, available as programs.cpu-energy-meter, and PQoS Wrapper, available as programs.pqos-wrapper.
Bluemap, a 3D minecraft map renderer. Available as services.bluemap.
clatd, a CLAT / SIIT-DC Edge Relay implementation for Linux.
Clevis, a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as boot.initrd.clevis.enable.
CommaFeed, a Google Reader-inspired self-hosted RSS reader. Available as services.commafeed.
davis, a simple CardDav and CalDav server inspired by Baïkal. Available as services.davis.
db-rest, a wrapper around Deutsche Bahn’s internal API for public transport data. Available as services.db-rest.
dnsproxy, a simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support. Available as services.dnsproxy.
FCast Receiver, an open-source alternative to Chromecast and AirPlay. Available as programs.fcast-receiver.
FileSender, a file sharing software. Available as services.filesender.
Firefly-iii, a free and open source personal finance manager. Available as services.firefly-iii.
Flarum, a delightfully simple discussion platform for your website. Available as services.flarum.
fritz-exporter, a Prometheus exporter for extracting metrics from FRITZ! devices. Available as services.prometheus.exporters.fritz.
GNS3, a network software emulator. Available as services.gns3-server.
go-camo, a secure image proxy server. Available as services.go-camo.
Guix, a functional package manager inspired by Nix. Available as services.guix.
Handheld Daemon, support for gaming handhelds like the Legion Go, ROG Ally, and GPD Win. Available as services.handheld-daemon.
hebbot, a Matrix bot to generate “This Week in X” like blog posts. Available as services.hebbot.
inadyn, a Dynamic DNS client with built-in support for multiple providers. Available as services.inadyn.
intel-gpu-tools, tools for development and testing of the Intel DRM driver. Available as hardware.intel-gpu-tools.
isolate, a sandbox for securely executing untrusted programs. Available as security.isolate.
Jottacloud Command-line Tool, a CLI for the Jottacloud cloud storage provider. Available as services.jotta-cli.
keto, a permission & access control server, the first open source implementation of Zanzibar: Google’s Consistent, Global Authorization System.
manticoresearch, easy to use open source fast database for search. Available as services.manticore.
maubot, a plugin-based Matrix bot framework. Available as services.maubot.
mautrix-meta, a Matrix <-> Facebook and Matrix <-> Instagram hybrid puppeting/relaybot bridge. Available as services.mautrix-meta.
mautrix-signal, a Matrix-Signal puppeting bridge. Available as services.mautrix-signal.
Mealie, a self-hosted recipe manager and meal planner with a RestAPI backend and a reactive frontend application built in NuxtJS for a pleasant user experience for the whole family. Available as services.mealie.
MollySocket which allows getting Signal notifications via UnifiedPush.
microsocks, a tiny, portable SOCKS5 server with very moderate resource usage. Available as services.microsocks.
Mihomo, a rule-based proxy in Go. Available as services.mihomo.enable.
Monado, an open source XR runtime. Available as services.monado.
Netbird, an open-source VPN management platform, now has a self-hosted management server. Available as services.netbird.server.
nh, yet another Nix CLI helper. Available as programs.nh.
oink, a dynamic DNS client for Porkbun. Available as services.oink.
ollama, server for running large language models locally.
nextjs-ollama-llm-ui, light-weight frontend server to chat with Ollama models through a web app.
ownCloud Infinite Scale Stack, a modern and scalable rewrite of ownCloud.
PhotonVision, a free, fast, and easy-to-use computer vision solution for the FIRST® Robotics Competition.
ping_exporter, a Prometheus exporter for ICMP echo requests. Available as services.prometheus.exporters.ping.
Pretix, an open source ticketing software for events. Available as services.pretix.
pretalx, a conference planning tool. Available as services.pretalx.
private-gpt, a service to interact with your documents using the power of LLMs, 100% privately, no data leaks. Available as services.private-gpt.
Prometheus DNSSEC Exporter: check for validity and expiration in DNSSEC signatures and expose metrics for Prometheus. Available as services.prometheus.exporters.dnssec.
prometheus-nats-exporter, a Prometheus exporter for NATS. Available as services.prometheus.exporters.nats.
pyLoad, a FOSS download manager written in Python. Available as services.pyload.
Python Matter Server, a Matter Controller Server exposing websocket connections for use with other services, notably Home Assistant. Available as services.matter-server.
RustDesk, a full-featured open source remote control alternative for self-hosting and security with minimal configuration. Alternative to TeamViewer. Available as services.rustdesk-server.
ryzen-monitor-ng, a desktop AMD CPU power monitor and controller, similar to Ryzen Master but for Linux. Available as programs.ryzen-monitor-ng.
ryzen-smu, Linux kernel driver to expose the SMU (System Management Unit) for certain AMD Ryzen Processors. Includes the userspace program monitor_cpu
. Available at hardward.cpu.amd.ryzen-smu.
Scrutiny, a S.M.A.R.T monitoring tool for hard disks with a web frontend. Available as services.scrutiny.
SimpleSAMLphp, an application written in native PHP that deals with authentication (SQL, .htpasswd, YubiKey, LDAP, PAPI, Radius). Available as services.simplesamlphp.
systemd
’s gateway
, upload
, and remote
services, which provide ways of sending journals across the network. Enable using services.journald.gateway, services.journald.upload, and services.journald.remote.
systemd-lock-handler, a bridge between logind D-Bus events and systemd targets. Available as services.systemd-lock-handler.enable.
rspamd-trainer, script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training.
Sunshine, a self-hosted game stream host for Moonlight. Available as services.sunshine.
Suwayomi Server, a free and open source manga reader server that runs extensions built for Tachiyomi. Available as services.suwayomi-server.
TigerBeetle, a distributed financial accounting database designed for mission critical safety and performance. Available as services.tigerbeetle.
transfer-sh, a tool that supports easy and fast file sharing from the command-line. Available as services.transfer-sh.
TuxClocker, a hardware control and monitoring program. Available as programs.tuxclocker.
Uni-Sync, a synchronization tool for Lian Li Uni Controllers. Available as hardware.uni-sync.
wastebin, a pastebin server written in rust. Available as services.wastebin.
watchdogd, a system and process supervisor using watchdog timers. Available as services.watchdogd.
WiVRn, an OpenXR streaming application. Available as services.wivrn.
Workout-tracker, a workout tracking web application for personal use.
wyoming-satellite, a voice assistant satellite for Home Assistant using the Wyoming protocol. Available as services.wyoming.satellite.
xdg-terminal-exec, the proposed Default Terminal Execution Specification.
Convenience options for amdgpu
, open source driver for Radeon cards, is now available under hardware.amdgpu
.
ydotool, a generic command-line automation tool now has a module. Available as programs.ydotool.
your_spotify, a self hosted Spotify tracking dashboard. Available as services.your_spotify
RKE2, also known as RKE Government, is Rancher’s next-generation Kubernetes distribution. Available as services.rke2.
akkoma
now requires explicitly setting the base URL for uploaded media (settings."Pleroma.Upload".base_url
), as well as for the media proxy if enabled (settings."Media"
).
This is recommended to be a separate (sub)domain to the one Akkoma is hosted at.
See here for more details.
appimageTools.wrapAppImage
now creates the binary at $out/bin/${pname}
rather than $out/bin/${pname}-${version}
, which will break downstream workarounds.
apptainer
and singularity
now prioritize system-wide PATH
over those constructed from dependent packages when searching for third-party utilities. The PATH
to search for third-party utilities, known as defaultPath
inside Apptainer/Singularity source code, is now constructed from the following sources, ordered by their precedence:
systemBinPaths
, a new argument introduced to specify system-wide "/**/bin"
directories.
The FHS defaultPath
value set by Apptainer/Singularity developers, making Apptainer/Singularity work out of the box in FHS systems.
defaultPathInputs
, a list of packages to form the fall-back PATH
.
This change is required to enable Sylabs SingularityCE (singularity
) to run images, as it requires a fusermount3
commant with the SUID bit set.
newuidmapPath
and newgidmapPath
arguments are deprecated in favour of systemBinPaths
. Their support will be removed in future releases.
programs.singularity.systemBinPaths
option is introduced to specify the systemBinPaths
argument of the overridden package. It includes "/run/wrappers/bin"
even if specified empty.
programs.singularity.enableFakeroot
option is deprecated and has no effect. --fakeroot
support is now always enabled as long as programs.singularity.systemBinPaths
is not forcefully overridden.
azure-cli
now has extension support. For example, to install the aks-preview
extension, use
environment.systemPackages = [
(azure-cli.withExtensions [ azure-cli.extensions.aks-preview ])
];
To make the azure-cli
immutable and prevent clashes in case azure-cli
is also installed via other package managers, some configuration files were moved into the derivation.
This can be disabled by overriding withImmutableConfig = false
when building azure-cli
.
boot.supportedFilesystems
and boot.initrd.supportedFilesystems
are now attribute sets instead of lists. Assignment from lists as done previously is still supported, but checking whether a filesystem is enabled must now by done using supportedFilesystems.fs or false
instead of using lib.elem "fs" supportedFilesystems
as was done previously.
buildGoModule
now throws an error when vendorHash
is not specified. vendorSha256
, deprecated in Nixpkgs 23.11, is now ignored and is no longer a vendorHash
alias.
chromium
and ungoogled-chromium
had a long-standing issue regarding Widevine DRM handling in nixpkgs fixed.
chromium
now no longer automatically downloads Widevine when encountering DRM protected content.
To be able to play DRM protected content in chromium
, you now have to explicitly opt-in as originally intended using chromium.override { enableWideVine = true; }
.
This override was added almost 10 years ago.
craftos-pc
package has been updated to v2.8, which includes breaking changes.
Files are now handled in binary mode; this could break programs with embedded UTF-8 characters.
The ROM was updated to match ComputerCraft version v1.109.2.
The bundled Lua was updated to Lua v5.2, which includes breaking changes. See the Lua manual for more information.
The WebSocket API was rewritten, which introduced breaking changes.
cryptsetup
has been upgraded from 2.6.1 to 2.7.0. Cryptsetup is a critical component enabling LUKS-based (but not only) full disk encryption.
Take the time to review the release notes.
One of the highlights is that it is now possible to use hardware OPAL-based encryption of your disk with cryptsetup
. It has a lot of caveats, see the above notes for the full details.
crystal
package has been updated to 1.11.x, which has some breaking changes.
Refer to crystal’s changelog for more information. (v1.10, v1.11)
cudaPackages
package scope has been updated to cudaPackages_12
.
cudaPackages.autoAddOpenGLRunpathHook
and cudaPackages.autoAddDriverRunpath
have been deprecated for pkgs.autoAddDriverRunpath
. Functionality has not changed, but the setuphook has been renamed and moved to the top-level package scope.
cudaPackages.cudatoolkit
has been deprecated and replaced with a
symlink-based wrapper for the splayed redistributable CUDA packages. The
wrapper only includes tools and libraries necessary to build common packages
such as tensorflow. The original runfile-based cudatoolkit
is still
available as cudatoolkit-legacy-runfile
.
cudaPackages.nsight_systems
now has most vendored third-party libraries removed, though we now only ship it for cudaPackages_11_8
and later, due to outdated dependencies. Users comfortable with the vendored dependencies may use overrideAttrs
to amend the postPatch
phase and the meta.broken
correspondingly. Alternatively, one could package the deprecated boost170
locally, as required for cudaPackages_11_4.nsight_systems
.
cudaPackages.autoFixElfFiles
has been deprecated for pkgs.autoFixElfFiles
. Functionality has not changed, but the setuphook has been renamed and moved to the top-level package scope.
davfs2
’s services.davfs2.extraConfig
setting has been deprecated and converted to the free-form type option named services.davfs2.settings
according to RFC42.
dwarf-fortress
has been updated to version 50, which is identical to the version on Steam, but without the paid elements like tilepacks.
dfhack and Dwarf Therapist still work, and older versions are still packaged in case you’d like to roll back. Note that DF 50 saves will not be compatible with DF 0.47 and earlier.
See Bay 12 Games for more details on what’s new in Dwarf Fortress.
Running an earlier version can be achieved through an override: dwarf-fortress-packages.dwarf-fortress-full.override { dfVersion = "0.47.5"; }
Ruby plugin support has been disabled in DFHack. Many of the Ruby plugins have been converted to Lua, and support was removed upstream due to frequent crashes.
erlang-ls
package no longer ships the els_dap
binary as of v0.51.0.
erlang_node_short_name
, erlang_node_name
: port
and options
configuration parameters are gone, and have been replaced with an environment
parameter.
Use the appropriate environment variables inside environment
to configure the service instead.
firefox-devedition
, firefox-beta
, firefox-esr
executable file names for now match their package names, which is consistent with the firefox-*-bin
packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher.
gauge
now supports installing plugins using Nix. For the old imperative approach, switch to gauge-unwrapped
.
You can load plugins from an existing gauge manifest file using gauge.fromManifest ./path/to/manifest.json
or
specify plugins in Nix using gauge.withPlugins (p: with p; [ js html-report xml-report ])
.
gitea
has been updated to 1.21, which introduces several breaking changes, including:
Custom themes and other assets that were previously stored in custom/public/*
now belong in custom/public/assets/*
New instances of Gitea using MySQL now ignore the [database].CHARSET
config option and always use the utf8mb4
charset, existing instances should migrate via the gitea doctor convert
CLI command.
git-town
was updated from version 11 to 13. See the changelog for breaking changes.
gonic
has been updated to v0.16.4. Config now requires playlists-path
to be set. See the rest of the v0.16.0 release notes for more details.
go-ethereum
has been updated to v1.14.3. Geth v1.14.0 introduced a brand new live-tracing feature,
which required a number of breaking internal API changes. If you had your own native tracers implemented before this change,
the changelog contains the necessary steps needed to update your old code for the new APIs.
Geth v1.14.0 drops support for running pre-merge networks (#29169).
It also stops automatically constructing the pending block (#28623),
removes support for filtering pending logs, switched to using Go v1.22 by default (#28946), which means we’ve dropped support for Go v1.20.
See the 1.14.0 release notes for more details.
grafana-loki
has been updated to 3.0.0, which includes breaking changes.
gtest
package has been updated past v1.13.0, which requires C++14 or higher.
hare
may now be cross-compiled. For that to work, however, haredoc
needed to stop being built together with it. Thus, the latter is now its own package with the name of haredoc
.
himalaya
has been updated to v1.0.0-beta.4, which introduces breaking changes. Check out the release note for details.
halloy
has been updated to 2024.5, which introduced a breaking change by switching the config format from YAML to TOML. See https://github.com/squidowl/halloy/releases/tag/2024.5 for details.
hvm
was updated to version 2.
icu
no longer includes install-sh
and mkinstalldirs
in the shared folder.
idris2
was updated to v0.7.0. This version introduces breaking changes. Check out the changelog for details.
inetutils
now has a lower priority to avoid shadowing the commonly-used util-linux
. If one wishes to restore the default priority, simply use lib.setPrio 5 inetutils
or override with meta.priority = 5
.
jdt-language-server
package now uses upstream’s provided python wrapper instead of our own custom wrapper. This results in the following breaking and notable changes:
The main binary for the package is now named jdtls
instead of jdt-language-server
, equivalent to what most editors expect the binary to be named.
JVM arguments should now be provided with the --jvm-arg
flag instead of setting JAVA_OPTS
.
The -data
path is no longer required to run the package, and will be set to point to a folder in $TMP
if missing.
julia
environments can now be built with arbitrary packages from the ecosystem using the .withPackages
function. For example: julia.withPackages ["Plots"]
.
k3s
has been updated to version v1.30, previous supported versions are available under release-specific names (e.g. k3s_1_27, k3s_1_28, and k3s_1_29) in order to help you migrate to the latest supported version. See changelog and upgrade notes for more information.
k9s
was updated to v0.31. There have been various breaking changes in the config file format,
check out the changelog of v0.29,
v0.30 and
v0.31 for details. It is recommended
to back up your current configuration and let k9s recreate the new base configuration.
kanata
package has been updated to v1.6.1, which includes breaking changes. Check out the changelog of v1.5.0 and v1.6.0 for details.
linuxPackages_testing_bcachefs
is now fully deprecated by linuxPackages_latest
, and is therefore no longer available.
livebook
package is now built as a mix release
instead of an escript
.
This means that configuration now has to be done using environment variables instead of command line arguments.
This has the further consequence that the livebook
service configuration has changed.
lua
interpreters default LUA_PATH and LUA_CPATH are not overridden by nixpkgs
anymore, we patch LUA_ROOT instead which is more respectful to upstream.
luarocks-packages-updater
’s .csv format, used to define lua packages to be updated, has changed: src
(URL of a git repository) has now become rockspec
(URL of a rockspec) to remove ambiguity regarding which rockspec to use and simplify implementation.
mkosi
was updated to v22. Parts of the user interface have changed. Consult the
release notes of v19,
v20,
v21 and
v22 for a list of changes.
mongodb-4_4
has been removed as it has reached end of life. Consequently, unifi7
and unifi8
now use MongoDB 5.0 by default.
mongodb-5_0
and newer requires a cpu with the AVX instruction set to run.
neo4j
has been updated to version 5. You may want to read the release notes for Neo4j 5.
netbox
was updated to v3.7. services.netbox.package
still defaults
to v3.6 if stateVersion
is earlier than 24.05. Refer to upstream’s breaking
changes for
v3.7.0 and
upgrade NetBox by changing services.netbox.package
. Database migrations
will be run automatically.
network-interfaces.target
system target was removed as it has been deprecated for a long time. Use network.target
instead.
networking.iproute2.enable
now does not set environment.etc."iproute2/rt_tables".text
.
Setting environment.etc."iproute2/{CONFIG_FILE_NAME}".text
will override the whole configuration file instead of appending it to the upstream configuration file.
CONFIG_FILE_NAME
includes bpf_pinning
, ematch_map
, group
, nl_protos
, rt_dsfield
, rt_protos
, rt_realms
, rt_scopes
, and rt_tables
.
nextcloud26
has been removed since it’s not maintained anymore by upstream. The latest available version of Nextcloud is now v29 (available as pkgs.nextcloud29
). The installation logic is as follows:
If services.nextcloud.package
is specified explicitly, this package will be installed (recommended).
If system.stateVersion
is >=24.05, pkgs.nextcloud29
will be installed by default.
If system.stateVersion
is >=23.11, pkgs.nextcloud27
will be installed by default.
Please note that an upgrade from v27 (or older) to v29 directly is not possible. Please upgrade to nextcloud28
(or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring services.nextcloud.package = pkgs.nextcloud28;
.
Known warnings after the upgrade are documented in the section called “Known warnings” from now on.
The “Photos” app only displays Media from inside the Photos
directory. This can be changed manually in the “Photos” tab below “Photos settings”.
nitter
requires a guest_accounts.jsonl
to be provided as a path or loaded into the default location at /var/lib/nitter/guest_accounts.jsonl
. See Guest Account Branch Deployment for details.
nixVersions.unstable
was removed. Instead the following attributes are provided:
nixVersions.git
which tracks the latest Nix master and is roughly updated once a week. This is intended to enable people to easily test unreleased changes of Nix to catch regressions earlier.
nixVersions.latest
which points to the latest Nix version packaged in nixpkgs.
nomad
has been updated - note that HashiCorp recommends updating one minor version at a time. Please check their upgrade guide for information on safely updating clusters and potential breaking changes.
nomad
is now Nomad 1.7.x.
nomad_1_4
has been removed, as it is now unsupported upstream.
nvtop
family of packages was reorganized into a nested attrset. nvtop
has been renamed to nvtopPackages.full
, and all nvtop-{amd,nvidia,intel,msm}
packages are renamed to nvtopPackages.{amd,nvidia,intel,msm}
.
openssh
, openssh_hpn
and openssh_gssapi
are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading
to another signature algorithm. However, for the time being it is possible to restore DSA key support using override
to set dsaKeysSupport = true
.
optparse-bash
is now dropped due to upstream inactivity. Alternatives available in Nixpkgs include argc
, argbash
, bashly
and gum
, to name a few.
paperless
’ services.paperless.extraConfig
setting has been removed and converted to the free-form type and option named services.paperless.settings
.
pdns
was updated to version v4.9.x, which introduces breaking changes. Check out the Upgrade Notes for details.
percona-server
now follows the same two-fold release cycle as Oracle MySQL and provides a Long-Term-Support (LTS) in parallel with a continuous-delivery Innovation release. percona-server
defaults to percona-server_lts
, will be backed by the same release branch throughout the lifetime of this stable NixOS release, and is still available under the versioned attribute percona-server_8_0
.
The percona-server_innovation
releases however have support periods shorter than the lifetime of this NixOS release and will continuously be updated to newer Percona releases. Note that Oracle considers the Innovation releases to be production-grade, but each release might include backwards-incompatible changes, even in its on-disk format.
The same release scheme is applied to the supporting percona-xtrabackup
tool as well.
pipewire
and wireplumber
modules have removed support for using
environment.etc."pipewire/..."
and environment.etc."wireplumber/..."
.
Use services.pipewire.extraConfig
or services.pipewire.configPackages
for PipeWire and
services.pipewire.wireplumber.configPackages
for WirePlumber instead.
power.ups
now generates upsd.conf
, upsd.users
and upsmon.conf
automatically from a set of new configuration options. This breaks compatibility with existing power.ups
setups where these files were created manually. Back up these files before upgrading NixOS.
programs.nix-ld.libraries
no longer sets baseLibraries
via the option’s default but in config and now merges any additional libraries with the default ones.
This means that lib.mkForce
must be used to clear the list of default libraries.
screen
’s module has been cleaned, and will now require you to set programs.screen.enable
in order to populate screenrc
and add the program to the environment.
security.acme.defaults.server
now has a default value instead of null
.
This effectively uses the same server, the Let’s Encrypt production server,
but makes the default explicit, instead of relying on the Lego default.
A side effect of this is that the directory in which account data is stored
changes and the ACME module will request a new account and new certificates
for all domains. This may cause issues if you pin an acccounturl
in a CAA
DNS record. To avoid this, you
may set security.acme.defaults.server = null
to keep the old hashes.
security.pam.sshAgentAuth.enable
now requires services.openssh.authorizedKeysFiles
to be non-empty,
which is the case when services.openssh.enable
is true. Previously, pam_ssh_agent_auth
silently failed to work.
security.pam.enableSSHAgentAuth
was replaced by the sshAgentAuth
attrset, and only
authorized_keys
files listed in sshAgentAuth.authorizedKeysFiles
are trusted,
defaulting to /etc/ssh/authorized_keys.d/%u
.
Users of pam_ssh_agent_auth(8) must take care that the pubkeys they use (for instance with sudo
)
are listed in sshAgentAuth.authorizedKeysFiles
.
Previously, all services.openssh.authorizedKeysFiles
were trusted, including ~/.ssh/authorized_keys
,
which results in an insecure configuration; see #31611.
services.archisteamfarm
no longer uses the abbreviation asf
for its state directory (/var/lib/asf
), user and group (both asf
). Instead the long name archisteamfarm
is used.
Configurations with system.stateVersion
23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory.
frr
was updated to 10.0, which introduces the default of enforce-first-as
for BGP. Please disable again if needed.
services.aria2.rpcSecret
has been replaced with services.aria2.rpcSecretFile
.
This was done so that secrets aren’t stored in the world-readable Nix store.
To migrate, you will have to create a file with the same exact string, and change
your module options to point to that file. For example, services.aria2.rpcSecret = "mysecret"
becomes services.aria2.rpcSecretFile = "/path/to/secret_file"
where the file secret_file
contains the string mysecret
.
services.avahi.nssmdns
was split into services.avahi.nssmdns4
and services.avahi.nssmdns6
which enable the mDNS NSS switches for IPv4 and IPv6 respectively.
Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts.
services.frp.settings
now generates the frp configuration file in TOML format as recommended by upstream, instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options:
The settings.common
section in the configuration is no longer valid and all the options form inside it now go directly under settings
.
Configuration option names have been changed from snake_case to camelCase. For example: server_addr
becomes serverAddr
, server_port
becomes serverPort
etc.
Proxies are now defined with a new option, settings.proxies
, which takes a list of proxies.
Consult the upstream documentation for more details on the changes.
services.hledger-web.capabilities
options has been replaced by a new option services.hledger-web.allow
.
allow = "view"
means capabilities = { view = true; }
;
allow = "add"
means capabilities = { view = true; add = true; }
;
allow = "edit"
means capabilities = { view = true; add = true; edit = true }
;
allow = "sandstorm"
reads permissions from the X-Sandstorm-Permissions
request header.
services.homepage-dashboard
now takes its configuration using native Nix expressions, rather than dumping templated configurations into /var/lib/homepage-dashboard
where they were previously managed manually. There are now new options which allow the configuration of bookmarks, services, widgets and custom CSS/JS natively in Nix.
services.invidious.settings.db.user
, the default database username has changed from kemal
to invidious
. Setups involving an externally-provisioned database (i.e. services.invidious.database.createLocally == false
) should adjust their configuration accordingly. The old kemal
user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857).
services.oauth2_proxy
was renamed to services.oauth2-proxy
. Also the corresponding service, user and group were renamed.
services.smokeping
now has an option webService
. When enabled, smokeping is now served via nginx instead of thttpd. This change brings the following consequences:
The default port for smokeping is now the nginx default port 80 instead of 8081.
The option services.smokeping.port
has been removed. To customize the port, use services.nginx.virtualHosts.smokeping.listen.*.port
.
services.neo4j.allowUpgrade
was removed and no longer has any effect. Neo4j 5 supports automatic rolling upgrades.
services.nextcloud
has the following options moved into services.nextcloud.settings
and renamed to match the name from Nextcloud’s config.php
:
logLevel
-> loglevel
,
logType
-> log_type
,
defaultPhoneRegion
-> default_phone_region
,
overwriteProtocol
-> overwriteprotocol
,
skeletonDirectory
-> skeletondirectory
,
globalProfiles
-> profile.enabled
,
extraTrustedDomains
-> trusted_domains
and
trustedProxies
-> trusted_proxies
.
services.nginx
will no longer advertise HTTP/3 availability automatically. This must now be manually added, preferably to each location block.
Example:
{
locations."/".extraConfig = ''
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
'';
locations."^~ /assets/".extraConfig = ''
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
'';
}
services.pgbouncer
now has systemd support enabled and will log to journald. The default setting for services.pgbouncer.logFile
is now null
to disable logging to a separate log file.
services.postgresql.ensureUsers._.ensurePermissions
has been removed as it is
not declarative and is broken with newer postgresql versions. Consider using
services.postgresql.ensureUsers.*.ensureDBOwnership
instead or a tool that is more suited for managing the data inside a postgresql database.
services.redis.vmOverCommit
now defaults to true
and no longer enforces Transparent Hugepages (THP) to be disabled. Redis only works with THP configured to madvise
which is the kernel’s default.
services.resolved.fallbackDns
can now be used to disable the upstream fallback servers entirely by setting it to []
to get previous behaviour of upstream defaults, set it to null
default value has changed from []
to null
, in order to preserve default behaviour
services.vikunja
systemd service now uses vikunja
as dynamic user instead of vikunja-api
. Database users might need to be changed.
services.vikunja.setupNginx
setting has been removed. Users now need to set up the webserver configuration on their own with a proxy pass to the vikunja service.
services.vmagent
module deprecates dataDir
, group
and user
settings in favor of the systemd-provided CacheDirectory and DynamicUser.
services.vmagent.remoteWriteUrl
setting has been renamed to services.vmagent.remoteWrite.url
and now defaults to null
.
services.zope2
has been removed, as zope2
is unmaintained and was relying on Python 2.
spark2014
has been renamed to gnatprove
. A version of gnatprove
matching different GNAT versions is available from the different gnatPackages
sets.
stalwart-mail
has been updated to v0.5.3, which includes breaking changes.
system.etc.overlay.enable
option was added. If enabled, /etc
is
mounted via an overlayfs instead of being created by a custom perl script.
system.forbiddenDependenciesRegex
has been renamed to system.forbiddenDependenciesRegexes
and now has the type of listOf string
instead of string
to accept multiple regexes.
systemd.oomd
module behavior has changed:
Raise ManagedOOMMemoryPressureLimit from 50% to 80%. This should make systemd-oomd kill things less often, and fix issues like this. Reference: commit.
Remove swap policy. This helps prevent killing processes when user’s swap is small.
Expand the memory pressure policy to system.slice
, user-.slice
, and all user-owned slices. Reference: commit.
Rename systemd.oomd.enableUserServices
to systemd.oomd.enableUserSlices
.
systemd.sysusers.enable
option was added. If enabled, users and
groups are created with systemd-sysusers instead of with a custom perl script.
teleport
has been upgraded from major version 14 to major version 15.
Refer to upstream upgrade instructions
and release notes for v15.
unifiLTS
, unifi5
and unifi6
have been removed, as they require MongoDB versions which are end-of-life. All these versions can be upgraded to unifi7
directly.
unrar
was updated to v7. See changelog for more information.
virtualisation.docker.enableNvidia
and virtualisation.podman.enableNvidia
options are deprecated. hardware.nvidia-container-toolkit.enable
should be used instead. This option will expose GPUs on containers with the --device
CLI option. This is supported by Docker 25, Podman 3.2.0 and Singularity 4. Any container runtime that supports the CDI specification will take advantage of this feature.
virtialisation.incus
now defaults to the newly-added incus-lts
release (v6.0.x). Users who wish to continue using the non-LTS release will need to set virtualisation.incus.package = pkgs.incus
. Stable release users are encouraged to stay on the LTS release as non-LTS releases will by default not be backported.
woodpecker-*
packages have been updated to v2 which includes breaking changes.
wpaperd
has been updated to 1.0.1, which has a breaking change: previous version 0.3.0 had 2 different configuration files, one for wpaperd and one for the wallpapers. Remove the former and move the latter (wallpaper.toml
) to config.toml
.
writeReferencesToFile
is deprecated in favour of the new trivial build helper writeClosure
. The latter accepts a list of paths and has an unambiguous name and cleaner implementation.
xfsprogs
was updated to version 6.6.0, which enables reverse mapping (rmapbt) and large extent counts (nrext64) by default.
Support for these features was added in kernel 4.9 and 5.19 and nrext64 was deemed stable in kernel 6.5.
Format your filesystems with mkfs.xfs -i nrext64=0
, if they need to be readable by GRUB2 before 2.12 or kernels older than 5.19.
xxd
has been moved from vim
default output to its own output to reduce closure size. The canonical way to reference it across all platforms is unixtools.xxd
.
youtrack
was bumped to 2023.3. The update is not performed automatically, it requires manual interaction. See the YouTrack section in the manual for details.
Ada packages (libraries and tools) have been moved into the gnatPackages
scope. gnatPackages
uses the default GNAT compiler, gnat12Packages
and gnat13Packages
use the respective matching compiler version.
Paths provided as restartTriggers
and reloadTriggers
for systemd units will now be copied into the Nix store to make the behavior consistent.
Previously, restartTriggers = [ ./config.txt ]
, if defined in a flake, would trigger a restart when any part of the flake changed; and if not defined in a flake, would never trigger a restart even if the contents of config.txt
changed.
A warning has been added for services that are
after = [ "network-online.target" ]
but do not depend on it (e.g. using
wants
), because the dependency that multi-user.target
has on
network-online.target
is planned for removal.
switch-to-configuration does not directly call systemd-tmpfiles anymore. Instead, the new artificial sysinit-reactivation.target is introduced which allows to restart multiple services that are ordered before sysinit.target and respect the ordering between the services.
services.prometheus.exporters.snmp
’s configuration format changed with release 0.23.0.
The module now includes an optional config check, that is enabled by default, to make the change obvious before any deployment.
More information about the configuration syntax change is available in the upstream repository.
addDriverRunpath
has been added to facilitate the deprecation of the old addOpenGLRunpath
setuphook. This change is motivated by the evolution of the setuphook to include all hardware acceleration.
appimage
, appimageTools.wrapAppImage
and buildFHSEnvBubblewrap
now properly accept pname
and version
.
bacula
now allows to configure TLS
for encrypted communication.
boot.initrd.network.ssh.authorizedKeyFiles
is a new option in the initrd ssh daemon module, for adding authorized keys via list of files.
boot.kernel.sysctl."net.core.wmem_max"
changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as boot.kernel.sysctl."net.core.rmem_max"
since 22.11.
boot.loader.systemd-boot.xbootldrMountPoint
is a new option for setting up a separate XBOOTLDR partition to store boot files. Useful on systems with a small EFI System partition that cannot be easily repartitioned.
boot.loader.systemd-boot
will now verify that efiSysMountPoint
(and xbootldrMountPoint
if configured) are mounted partitions.
buildDubPackage
can now be used to build Programs written in D using the dub
build system and package manager.
See the D section in the manual for more information.
castopod
has some migration actions to be taken in case of a S3 setup. Some new features may also need some manual migration actions. See https://code.castopod.org/adaures/castopod/-/releases for more information.
documentation.man.mandoc
now, by default, uses MANPATH
to set the directories where mandoc will search for manual pages.
This enables mandoc to find manual pages in Nix profiles. To set the manual search paths via the mandoc.conf
configuration file like before, use documentation.man.mandoc.settings.manpath
instead.
drbd
out-of-tree Linux kernel driver has been added in version 9.2.7. With it the DRBD 9.x features can be used instead of the 8.x features provided by the 8.4.11 in-tree driver.
garage
has been updated to v1.x.x. Users should read the upstream release notes and follow the documentation when changing over their services.garage.package
and performing this manual upgrade.
hardware.pulseaudio
module now sets permissions of pulse user home directory to 755 when running in systemWide mode. It fixes issue 114399.
kavita
has been updated to 0.8.0, requiring a manual forced library scan on all libraries for migration. Refer to upstream’s release notes for details.
krb5
module has been rewritten and moved to security.krb5
, moving all options but security.krb5.enable
and security.krb5.package
into security.krb5.settings
.
libass
now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with mpv
, ffmpeg
, etc.
libjxl
version was bumped from 0.8.2 to 0.9.1 dropped support for the butteraugli API. You will no longer be able to set enableButteraugli
on libaom
.
lxd
has been upgraded to v5.21.x, an LTS release. The LTS release is now the only supported LXD release. Users are encouraged to migrate to Incus for better support on NixOS.
matrix-synapse
homeserver module now supports configuring UNIX domain socket listeners
through the path
option.
The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.
mockgen
has changed to the go.uber.org/mock fork because the original repository is no longer maintained.
mpich
now requires withPm
to be a list, e.g. "hydra:gforker"
becomes [ "hydra" "gforker" ]
.
nextcloud-setup.service
no longer changes the group of each file and directory inside /var/lib/nextcloud/{config,data,store-apps}
if one of these directories has the wrong owner group. This was part of transitioning the group used for /var/lib/nextcloud
, but isn’t necessary anymore.
oils-for-unix
, the oil shell’s C++ version is now available. The Python version is still available as oil
.
pkgsExtraHardening
, a new top-level package set, was added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features).
portunus
has been updated to major version 2.
This version of Portunus supports strong password hashes, but the legacy hash SHA-256 is also still supported to ensure a smooth migration of existing user accounts.
After upgrading, follow the instructions on the upstream release notes to upgrade all user accounts to strong password hashes.
Support for weak password hashes will be removed in NixOS 24.11.
programs.fish.package
now allows you to override the package used in the fish
module.
qt6.qtmultimedia
has changed its default backend to QT_MEDIA_BACKEND=ffmpeg
(previously gstreamer
on Linux or darwin
on macOS).
The previous native backends remain available but are now minimally maintained. Refer to upstream documentation for further details about each platform.
services.btrbk
now automatically selects and provides required compression
program depending on the configured stream_compress
option.
services.github-runner
module has been removed. To configure a single GitHub Actions Runner refer to services.github-runners.*
. Note that this will trigger a new runner registration.
services.networkmanager.extraConfig
was renamed to services.networkmanager.settings
and changed to use the ini type instead of using a multiline string.
services.nextcloud.config.dbport
option of the Nextcloud module was removed to match upstream.
The port can be specified in services.nextcloud.config.dbhost
.
services.kavita
now uses the free-form option services.kavita.settings
for the application settings file.
The options services.kavita.ipAdresses
and services.kavita.port
now exist at services.kavita.settings.IpAddresses
and services.kavita.settings.IpAddresses
. The file at services.kavita.tokenKeyFile
now needs to contain a secret with
512+ bits instead of 128+ bits.
services.netbird
now allows running multiple tunnels in parallel through services.netbird.tunnels
.
services.nginx.virtualHosts
using forceSSL
or
globalRedirect
can now have redirect codes other than 301 through redirectCode
.
services.openssh
now has an option authorizedKeysInHomedir
, controlling whether ~/.ssh/authorizedKeys
is
added to authorizedKeysFiles
.
This option currently defaults to true
for NixOS 24.05, preserving the previous behaviour.
This is expected to change in NixOS 24.11.
Users should check that their SSH keys are in users.users.*.openssh
, or that they have another way to access
and administer the system, before setting this option to false
.
services.paperless
module no longer uses the previously downloaded NLTK data stored in /var/cache/paperless/nltk
. This directory can be removed.
services.postgresql.extraPlugins
’ type has expanded. Previously it was a list of packages, now it can also be a function that returns such a list.
For example a config line like services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];
is recommended to be changed to services.postgresql.extraPlugins = ps: with ps; [ postgis ];
;
services.slskd
has been refactored to include more configuration options in
the free-form services.slskd.settings
option, and some defaults (including listen ports)
have been changed to match the upstream defaults. Additionally, disk logging is now
disabled by default, and the log rotation timer has been removed.
The nginx virtualhost option is now of the vhost-options
type.
services.soju
now has a wrapper for the sojuctl
command, pointed at the service config file. It also has the new option adminSocket.enable
, which creates a unix admin socket at /run/soju/admin
.
services.stalwart-mail
uses the legacy version 0.6.X as default because newer stalwart-mail
versions require a manual upgrade process. Change services.stalwart-mail.package
to pkgs.stalwart-mail
if you wish to switch to the new version.
services.teeworlds
module now has a wealth of configuration options, including a new package
option.
services.xserver.desktopManager.budgie
installs gnome.gnome-terminal
by default (instead of mate.mate-terminal
).
services.zfs.zed.enableMail
now uses the global sendmail
wrapper defined by an email module
(such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.
sonarr
version was bumped to from 3.0.10 to 4.0.3. Consequently existing config database files will be upgraded automatically, but note that some old apparently-working configs might actually be corrupt and fail to upgrade cleanly.
stdenv
: The --replace
flag in substitute
, substituteInPlace
, substituteAll
, substituteAllStream
, and substituteStream
is now deprecated if favor of the new --replace-fail
, --replace-warn
and --replace-quiet
. The deprecated --replace
equates to --replace-warn
.
systemd
: when merging unit options (of type unitOption
),
if at least one definition is a list, all those which aren’t are now lifted into a list,
making it possible to accumulate definitions without resorting to mkForce
,
hence to retain the definitions not anticipating that need.
systemd
units can now specify the Upholds=
and UpheldBy=
unit dependencies via the aptly
named upholds
and upheldBy
options. These options get systemd to enforce that the
dependencies remain continuously running for as long as the dependent unit is in a running state.
A stdenv’s default set of hardening flags can now be set via its bintools-wrapper
’s defaultHardeningFlags
argument. A convenient stdenv adapter, withDefaultHardeningFlags
, can be used to override an existing stdenv’s defaultHardeningFlags
.
Programs written in Nim are built with libraries selected by lockfiles.
The nimPackages
and nim2Packages
sets have been removed.
See https://nixos.org/manual/nixpkgs/unstable#nim for more information.
The EC2 image module now enables the Amazon SSM Agent by default.
A new abstraction to create both read-only as well as writable overlay file systems was added. Available via fileSystems.overlay. See also the NixOS docs.
A new hardening flag, zerocallusedregs
was made available, corresponding to the gcc/clang option -fzero-call-used-regs=used-gpr
.
A new hardening flag, trivialautovarinit
was made available, corresponding to the gcc/clang option -ftrivial-auto-var-init=pattern
.
dnsdist
has new options to enable and configure a DNSCrypt endpoint (see services.dnsdist.dnscrypt.enable
, etc.).
The module can generate the DNSCrypt provider key pair and certificates, and also rotates them automatically with no downtime.
The kernel Yama LSM is now enabled by default, which prevents ptracing
non-child processes. This means you will not be able to attach gdb to an
existing process, but will need to start that process from gdb (so it is a
child). Or you can set boot.kernel.sysctl."kernel.yama.ptrace_scope"
to 0.
Lisp modules: previously deprecated interface based on common-lisp.sh
has now been removed.
The systemd-confinement
module extension is now compatible with DynamicUser=true
and thus ProtectSystem=strict
too.
New functions:
lib.asserts.assertEachOneOf
: Check that each value is one of the allowed ones.
lib.attrsets.longestValidPathPrefix
: The longest prefix of an attribute path that refers to an existing attribute in a nesting of attribute sets.
lib.attrsets.mapCartesianProduct
: Apply a function to the cartesian product of attribute set value combinations.
lib.trivial.xor
: Boolean “exclusive or”
lib.lists.ifilter0
: Filter a list for elements that satisfy a predicate function. The predicate function is called with both the index and value for each element.
lib.lists.sortOn
: Sort a list based on the default comparison of a derived property.
lib.path.hasStorePathPrefix
: Whether a path has a store path as a prefix.
lib.filesystem.packagesFromDirectoryRecursive
: Transform a directory tree containing package files suitable for callPackage
into a matching nested attribute set of derivations.
lib.fileset.toList
: The list of file paths contained in a given file set.
lib.fileset.maybeMissing
: Create a file set from a path that may or may not exist.
lib.derivations.optionalDrvAttr
: Conditionally set a derivation attribute.
lib.strings.makeIncludePath
: Construct an include search path (such as C_INCLUDE_PATH
) containing the header files for a set of packages or paths.
Improvements:
lib.fixedPoints.extends
: Better documentation
lib.customisation.makeScope
: Better documentation
lib.derivations.lazyDerivation
: Now supports multiple outputs with an outputs
argument
lib.gvariant
: Better error message for integers and attribute set values
lib.filesets.gitTracked
: Now works within store paths
Misc:
The lib/
directory is a self-contained flake now, including a working lib.trivial.version
(but note that fetching a subtree by itself is not supported in Nix yet)
Module System:
New types:
types.attrTag
: A tagged union type
types.nonEmptyListOf
: A non-empty list
Improved types:
types.uniq
/unique
now check the wrapped type
lib.options.mdDoc
is obsolete and now emits a warning. The core ecosystem has completely migrated to markdown, so marking markdown as markdown is redundant.
lib.attrsets.zipWithNames
is now a deprecated alias of lib.attrsets.zipAttrsWithNames
lib.attrsets.cartesianProductOfSets
has been renamed to lib.attrsets.cartesianProduct
lib
now has Readme for contributing.
Some function’s documentation is now written using the accepted doc comment syntax.
odoo
has been updated from 16.0.20231024
to 17.0.20240507
.
The NixOS release team is happy to announce a new version of NixOS. The release is called NixOS 23.11 (“Tapir”).
NixOS is a Linux distribution, whose set of packages can also be used on other Linux systems and macOS.
Support is planned until the end of June 2024, handing over to NixOS 24.05.
To upgrade to the latest release, follow the upgrade chapter and check the Breaking Changes section for packages and services used in your configuration.
The team is excited about the many software updates and improvements in this release. Just to name a few, do check the updates
for GNOME
packages, systemd
, glibc
, the ROCM
package set, and hostapd
(which brings support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK).
Make sure to also check the many updates in the Nixpkgs library when developing your own packages.
services.postgresql.ensurePermissions
has been deprecated in favor of
services.postgresql.ensureUsers.*.ensureDBOwnership
which simplifies the
setup of database owned by a certain system user in local database contexts
(which make use of peer authentication via UNIX sockets), migration
guidelines were provided in the NixOS manual, please refer to them if you are
affected by a PostgreSQL 15 changing the way GRANT ALL PRIVILEGES
is
working. services.postgresql.ensurePermissions
will be removed in 24.05.
All NixOS modules were migrated using one of the strategy, e.g.
ensureDBOwnership
or postStart
. Refer to the PR
#266270 for more details.
network-online.target
has been fixed to no longer time out for systems with
networking.useDHCP = true
and networking.useNetworkd = true
. Workarounds
for this can be removed.
The boot.loader.raspberryPi
options have been marked deprecated, with
intent of removal for NixOS 24.11. They had a limited use-case, and do not
work like people expect. They required either very old installs from (before
mid-2019) or customized builds
out of scope of the standard and generic AArch64 support. That option set
never supported the Raspberry Pi 4 family of devices.
python3.pkgs.sequoia
was removed in favor of python3.pkgs.pysequoia
. The
latter package is based on upstream’s dedicated repository for sequoia’s
Python bindings, where the Python bindings from
gitlab:sequoia-pgp/sequoia were
removed long ago.
writeTextFile
requires executable
to be boolean now, values like null
or ""
will fail to evaluate now.
The latest version of clonehero
now stores custom content in
~/.clonehero
. Refer to the migration
instructions
for more details. Typically, these content files would exist along side the
binary, but the previous build used a wrapper script that would store them in
~/.config/unity3d/srylain Inc_/Clone Hero
.
services.mastodon
doesn’t support providing a TCP port to its streaming
component anymore, as upstream implemented parallelization by running
multiple instances instead of running multiple processes in one instance.
Please create a PR if you are interested in this feature.
Due to this, the desired number of such instances
services.mastodon.streamingProcesses
now needs to be declared explicitly.
The services.hostapd
module was rewritten to support passwordFile
like
options, WPA3-SAE, and management of multiple interfaces. This breaks
compatibility with older configurations.
hostapd
is now started with additional systemd sandbox/hardening options
for better security.
services.hostapd.interface
was replaced with a per-radio and per-bss
configuration scheme using
services.hostapd.radios.
services.hostapd.wpa
has been replaced by
services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword
and
services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords
which configure WPA2-PSK and WP3-SAE respectively.
The default authentication has been changed to WPA3-SAE. Options for other (legacy) schemes are still available.
python3.pkgs.fetchPypi
and python3Packages.fetchPypi
have been
deprecated in favor of top-level fetchPypi
.
xdg-desktop-portal has been updated to 1.18, which reworked how portal
implementations are selected. If you roll your own desktop environment, you
should either set xdg.portal.config
or xdg.portal.configPackages
, which
allow fine-grained control over which portal backend to use for specific
interfaces, as described in portals.conf(5).
If you don’t provide configurations, a portal backend will only be considered
when the desktop you use matches its deprecated UseIn
key. While some NixOS
desktop modules should already ship one for you, it is suggested to test
portal availability by trying Door
Knocker and ASHPD
Demo. If things
regressed, you may run G_MESSAGES_DEBUG=all /path/to/xdg-desktop-portal/libexec/xdg-desktop-portal
for ideas on which
config file and which portals are chosen.
pass
now does not contain password-store.el
. Users should get
password-store.el
from Emacs lisp package set emacs.pkgs.password-store
.
services.knot
now supports .settings
from RFC42. The previous
.extraConfig
still works the same, but it displays a warning now.
services.invoiceplane
now supports .settings
from RFC42. The previous
.extraConfig
still works the same way, but it displays a warning now.
mu
does not install mu4e
files by default now. Users should get mu4e
from Emacs lisp package set emacs.pkgs.mu4e
.
mariadb
now defaults to mariadb_1011
instead of mariadb_106
, meaning
the default version was upgraded from v10.6.x to v10.11.x. Refer to the
upgrade
notes
for potential issues.
getent
has been moved from glibc
’s bin
output to its own dedicated
output, reducing closure size for many dependents. Dependents using the
getent
alias should not be affected; others should move from using
glibc.bin
or getBin glibc
to getent
(which also improves compatibility
with non-glibc platforms).
maintainers/scripts/update-luarocks-packages
is now a proper package
luarocks-packages-updater
that can be run to maintain out-of-tree luarocks
packages.
The users.users.<name>.passwordFile
has been renamed to
users.users.<name>.hashedPasswordFile
to avoid possible confusions. The
option is in fact the file-based version of hashedPassword
, not password
,
and expects a file containing the crypt(3) hash of the user
password.
chromiumBeta
and chromiumDev
have been removed due to the lack of
maintenance in nixpkgs. Consider using chromium
instead.
google-chrome-beta
and google-chrome-dev
have been removed due to the
lack of maintenance in nixpkgs. Consider using google-chrome
instead.
The services.ananicy.extraRules
option now has the type of listOf attrs
instead of string
.
buildVimPluginFrom2Nix
has been renamed to buildVimPlugin
, which now
now skips configurePhase
and buildPhase
.
JACK tools (jack_*
except jack_control
) have moved from the jack2
package to jack-example-tools
.
The waagent
service does provisioning now.
The matrix-synapse
package & module have undergone some significant
internal changes, for most setups no intervention is needed, though:
The option
services.matrix-synapse.package
is read-only now. For modifying the package, use an overlay which modifies
matrix-synapse-unwrapped
instead. More on that below.
The enableSystemd
& enableRedis
arguments have been removed and
matrix-synapse
has been renamed to matrix-synapse-unwrapped
. Also,
several optional dependencies (such as psycopg2
or authlib
) have been
removed.
These optional dependencies are automatically added via a wrapper
(pkgs.matrix-synapse.override { extras = ["redis"]; }
for hiredis
&
txredisapi
for instance) if the relevant config section is declared in
services.matrix-synapse.settings
. For instance, if
services.matrix-synapse.settings.redis.enabled
is set to true
,
"redis"
will be automatically added to the extras
list of
pkgs.matrix-synapse
.
A list of all extras (and the extras enabled by default) can be found at
the option’s reference for
services.matrix-synapse.extras
.
In some cases (e.g. for running synapse workers) it was necessary to re-use
the PYTHONPATH
of matrix-synapse.service
’s environment to have all
plugins available. This isn’t necessary anymore, instead
config.services.matrix-synapse.package
can be used as it points to the
wrapper with properly configured extras
and also all plugins defined via
services.matrix-synapse.plugins
available. This is also the reason for why the option is read-only now,
it’s supposed to be set by the module only.
netbox
was updated to v3.6. services.netbox.package
still defaults
to v3.5 if stateVersion
is earlier than 23.11. Refer to upstream’s breaking
changes for
v3.6.0 and
upgrade NetBox by changing services.netbox.package
. Database migrations
will be run automatically.
etcd
has been updated to v3.5. Refer to upgrade guides for v3.3 to
v3.4 and v3.4 to
v3.5 for more details.
gitlab
installations created or updated between versions [15.11.0,
15.11.2] have an incorrect database schema. This will become a problem when
upgrading to gitlab
>=16.2.0. A workaround for affected users can be found
in the GitLab
docs.
consul
has been updated to v1.16.0. Refer to the release
note for more
details. Once a new Consul version has started and upgraded it’s data
directory, it generally cannot be downgraded to the previous version.
llvmPackages_rocm
has been moved to rocmPackages.llvm
.
hip
, rocm-opencl-runtime
, rocm-opencl-icd
, and rocclr
have been
combined into rocmPackages.clr
.
clang-ocl
, clr
, composable_kernel
, hipblas
, hipcc
, hip-common
, hipcub
,
hipfft
, hipfort
, hipify
, hipsolver
, hipsparse
, migraphx
, miopen
, miopengemm
,
rccl
, rdc
, rocalution
, rocblas
, rocdgbapi
, rocfft
, rocgdb
, rocm-cmake
,
rocm-comgr
, rocm-core
, rocm-device-libs
, rocminfo
, rocmlir
, rocm-runtime
,
rocm-smi
, rocm-thunk
, rocprim
, rocprofiler
, rocrand
, rocr-debug-agent
,
rocsolver
, rocsparse
, rocthrust
, roctracer
, rocwmma
, and tensile
have been moved to rocmPackages
.
himalaya
has been updated to v0.8.0, which drops the native TLS support
(in favor of Rustls) and add OAuth 2.0 support. Refer to the release
note for more
details.
nix-prefetch-git
now ignores global and user git config, to improve
reproducibility.
The services.caddy.acmeCA option defaults
to null
instead of "https://acme-v02.api.letsencrypt.org/directory"
now.
To use all of Caddy’s default ACME CAs and enable Caddy’s automatic issuer
fallback feature by default, as recommended by upstream.
The default priorities of
services.nextcloud.phpOptions
have
changed. This means that e.g.
services.nextcloud.phpOptions."opcache.interned_strings_buffer" = "23";
doesn’t discard all of the other defaults from this option anymore. The
attribute values of phpOptions
are still defaults, these can be overridden
as shown here.
To override all of the options (including including upload_max_filesize
,
post_max_size
and memory_limit
which all point to
services.nextcloud.maxUploadSize
by default) can be done like this:
{
services.nextcloud.phpOptions = lib.mkForce {
/* ... */
};
}
php80
is no longer supported due to upstream not supporting this version
anymore.
PHP defaults to PHP 8.2 now, updated from v8.1.
GraalVM has been updated to the latest version, and this brings significant
changes. Upstream don’t release multiple versions targeting different JVMs
anymore, so now we only have one GraalVM derivation (graalvm-ce
). While at
first glance the version may seem a downgrade (v22.3.1 -> v21.0.0), the major
version is now following the JVM it targets (so this latest version targets
JVM 21). Also some products like llvm-installable-svm
and
native-image-svm
were incorporate to the main GraalVM derivation, so
they’re included by default.
GraalPy (graalCEPackages.graalpy
), TruffleRuby
(graalCEPackages.truffleruby
), GraalJS (graalCEPackages.graaljs
) and
GraalNodeJS (grallCEPackages.graalnodejs
) are now independent from the main
GraalVM derivation.
The ISC DHCP package and corresponding module have been removed, because they are EOL upstream. Refer to this post for details and switch to a different DHCP implementation like kea or dnsmasq.
prometheus-unbound-exporter
has been replaced by the Let’s Encrypt
maintained version, since the previous version was archived. This requires
some changes to the module configuration, most notable controlInterface
needs migration towards unbound.host
and requires either the tcp://
or
unix://
URI scheme.
odoo
defaults to v16 now, updated from v15.
varnish
was upgraded from v7.2.x to v7.4.x. Refer to upgrade guides vor
v7.3 and
v7.4. The
current LTS version is still offered as varnish60
.
util-linux
is now supported on Darwin and is no longer an alias to
unixtools
. Use the unixtools.util-linux
package for access to the Apple
variants of the utilities.
services.keyd
changed API. Now you can create multiple configuration files.
baloo
, the file indexer and search engine used by KDE now has a patch to
prevent files from constantly being reindexed when the device IDs of the
their underlying storage change. This happens frequently when using btrfs or
LVM. The patch has not yet been accepted upstream but it provides a
significantly improved experience. When upgrading, reset baloo to get a clean
index: balooctl disable ; balooctl purge ; balooctl enable
.
The vlock
program from the kbd
package has been moved into its own
package output and should now be referenced explicitly as kbd.vlock
or
replaced with an alternative such as the standalone vlock
package or
physlock
.
fileSystems.<name>.autoFormat
now uses systemd-makefs
, which does not
accept formatting options. Therefore, fileSystems.<name>.formatOptions
has
been removed.
fileSystems.<name>.autoResize
uses systemd-growfs
to resize the file
system online in Stage 2 now. This means that f2fs
and ext2
can no longer
be auto resized, while xfs
and btrfs
now can be.
fuse3
has been updated from v3.11.0 to v3.16.2. Refer to the
changelog
for an overview of the changes.
Unsupported mount options are no longer silently accepted (since
3.15.0).
The affected mount
options
are: atime
, diratime
, lazytime
, nolazytime
, relatime
, norelatime
,
strictatime
.
For example,
$ sshfs 127.0.0.1:/home/test/testdir /home/test/sshfs_mnt -o atime
would previously terminate successfully with the mount point established, now
it outputs the error message fuse: unknown option(s): `-o atime'
and
terminates with exit status 1.
nixos-rebuild {switch,boot,test,dry-activate}
runs the system
activation inside systemd-run
now, creating an ephemeral systemd service
and protecting the system switch against issues like network disconnections
during remote (e.g. SSH) sessions. This has the side effect of running the
switch in an isolated environment, that could possible break post-switch
scripts that depends on things like environment variables being set. If you
want to opt-out from this behavior for now, you may set the
NIXOS_SWITCH_USE_DIRTY_ENV
environment variable before running
nixos-rebuild
. However, keep in mind that this option will be removed in
the future.
The services.vaultwarden.config
option default value was changed to make
Vaultwarden only listen on localhost, following the secure defaults for most
NixOS services.
services.lemmy.settings.federation
was removed in v0.17.0 and no longer has
any effect. To enable federation, the hostname must be set in the
configuration file and then federation must be enabled in the admin web UI.
Refer to the release
notes
for more details.
pict-rs
was upgraded from v0.3 to v0.4 and contains an incompatible database
& configuration change. To upgrade on systems with stateVersion = "23.05";
or older follow the migration steps from
https://git.asonix.dog/asonix/pict-rs#user-content-0-3-to-0-4-migration-guide
and set services.pict-rs.package = pkgs.pict-rs;
.
The following packages in haskellPackages
have a separate bin output now:
cabal-fmt
, calligraphy
, eventlog2html
, ghc-debug-brick
, hindent
,
nixfmt
, releaser
. This means you need to replace e.g.
"${pkgs.haskellPackages.nixfmt}/bin/nixfmt"
with "${lib.getBin pkgs.haskellPackages.nixfmt}/bin/nixfmt"
or "${lib.getExe pkgs.haskellPackages.nixfmt}"
. The binaries also won’t be in scope if you
rely on them being installed e.g. via ghcWithPackages
.
environment.packages
picks the bin
output automatically, so for normal
installation no intervention is required. Also, toplevel attributes like
pkgs.nixfmt
are not impacted negatively by this change.
spamassassin
no longer supports the Hashcash
module. The module needs to
be removed from the loadplugin
list if it was copied over from the default
initPreConf
option.
nano
was removed from environment.defaultPackages
. To not leave systems
without a editor, now programs.nano.enable
is enabled by default.
programs.nano.nanorc
and programs.nano.syntaxHighlight
no longer have an
effect unless programs.nano.enable
is set to true which is the default.
services.outline.sequelizeArguments
has been removed, as outline
no
longer executes database migrations via the sequelize
cli.
The binary of the package cloud-sql-proxy
has changed from
cloud_sql_proxy
to cloud-sql-proxy
.
The module services.apache-kafka
was largely rewritten and has certain
breaking changes. To be precise, this means that the following things have
changed:
Most settings have been migrated to services.apache-kafka.settings.
Care must be taken when adapting an existing cluster to these changes, see the section called “Migrating to settings”.
By virtue of being less opinionated, it is now possible to use the module to run Apache Kafka in KRaft mode instead of Zookeeper mode.
A few options have been added to assist in this mode.
Garage has been upgraded to v0.9.x. services.garage.package
needs to be
explicitly set now, so version upgrades can be done in a controlled fashion.
For this, we expose garage_x_y
attributes which can be set here.
voms
and xrootd
now moves the $out/etc
content to the $etc
output
instead of $out/etc.orig
, when input argument externalEtc
is not null
.
The woodpecker-*
CI packages have been updated to v1.0.0. This release is
wildly incompatible with the v0.15.x versions that were previously packaged.
Refer to upstream’s
documentation to learn
how to update your CI configurations.
Meilisearch was updated from v1.3.1 to v1.5.0. The update has breaking changes about backslashes and filtering. Refer to the release announcement for more details.
The Caddy module gained a new option named services.caddy.enableReload
which is enabled by default. It allows reloading the service instead of
restarting it, if only a config file has changed. This option must be
disabled if you have turned off the Caddy admin
API. If you keep this
option enabled, you should consider setting
grace_period
to a non-infinite value to prevent Caddy from delaying the reload
indefinitely.
mdraid support is optional now. This reduces initramfs size and prevents the
potentially undesired automatic detection and activation of software RAID
pools. It is disabled by default in new configurations (determined by
stateVersion
), but the appropriate settings will be generated by
nixos-generate-config
when installing to a software RAID device, so the
standard installation procedure should be unaffected. If you have custom
configs relying on mdraid, ensure that you use stateVersion
correctly or
set boot.swraid.enable
manually. On systems with an updated stateVersion
we now also emit warnings if mdadm.conf
does not contain the minimum
required configuration necessary to run the dynamically enabled monitoring
daemons.
The go-ethereum
package has been updated to v1.12.0. This drops support for
proof-of-work. Its GraphQL API now encodes all numeric values as hex strings
and the GraphQL UI is updated to v2.0. The default database has changed from
leveldb
to pebble
but leveldb
can be forced with the
–db.engine=leveldb flag. The checkpoint-admin
command was removed along
with trusted
checkpoints.
The aseprite-unfree
package has been upgraded from v1.2.16.3 to v1.2.40.
The free version of aseprite has been dropped because it is EOL and the
package attribute now points to the unfree version. A maintained fork of the
last free version of Aseprite, named ‘LibreSprite’, is available in the
libresprite
package.
The default kops
version is v1.28.0 now and support for v1.25 and older have
been dropped.
pharo
has been updated to latest stable v10.0.8, which is compatible with
the latest stable and oldstable images (Pharo 10 and 11). The VM in question
is the 64bit Spur. The 32bit version has been dropped due to lack of
maintenance. The Cog VM has been deleted because it is severily outdated.
Finally, the pharo-launcher
package has been deleted because it was not
compatible with the newer VM, and due to lack of maintenance.
Emacs mainline v29 was introduced. This new version includes many major
additions, most notably tree-sitter
support (enabled by default) and
the pgtk variant (useful for Wayland users), which is available under the
attribute emacs29-pgtk
.
Emacs macport version 29 was introduced.
The option services.networking.networkmanager.enableFccUnlock
was removed
in favor of networking.networkmanager.fccUnlockScripts
, which allows
specifying unlock scripts explicitly. The previous option enabled all unlock
scripts bundled with ModemManager, which is risky, and didn’t allow using
vendor-provided unlock scripts at all.
The html-proofer
package has been updated from major version 3 to major
version 5, which includes breaking
changes.
kratos
has been updated from v0.10.1 to the first stable v1.0.0, please
read the v0.10.1 to
v0.11.0, v0.11.0 to
v0.11.1, v0.11.1 to
v0.13.0 and v0.13.0 to
v1.0.0 upgrade guides.
The most notable breaking change is the introduction of one-time passwords
(code
) and update of the default recovery strategy from link
to code
.
The hail
module was removed, as hail
was unmaintained since 2017.
Package noto-fonts-emoji
was renamed to noto-fonts-color-emoji
. Refer to
PR #221181 for more
details.
Package cloud-sql-proxy
was renamed to google-cloud-sql-proxy
as it
cannot be used with other cloud providers.
Package pash
was removed due to being archived upstream. Use powershell
as an alternative.
The option services.plausible.releaseCookiePath
has been removed. Plausible
does not use any distributed Erlang features, and does not plan to (refer to
discussion),
Thus NixOS disables them now , and the Erlang cookie becomes unnecessary. You
may delete the file that releaseCookiePath
was set to.
security.sudo.extraRules
includes root
’s default rule now, with ordering
priority 400. This is functionally identical for users not specifying rule
order, or relying on mkBefore
and mkAfter
, but may impact users calling
mkOrder n
with n ≤ 400.
X keyboard extension (XKB) options have been reorganized into a single
attribute set, services.xserver.xkb
. Specifically,
services.xserver.layout
is services.xserver.xkb.layout
now,
services.xserver.extraLayouts
is services.xserver.xkb.extraLayouts
now,
services.xserver.xkbModel
is services.xserver.xkb.model
now,
services.xserver.xkbOptions
is services.xserver.xkb.options
now ,
services.xserver.xkbVariant
is services.xserver.xkb.variant
now, and
services.xserver.xkbDir
is services.xserver.xkb.dir
now.
networking.networkmanager.firewallBackend
was removed as NixOS is now using
iptables-nftables-compat even when using iptables, therefore Networkmanager
uses the nftables backend unconditionally now.
rome
was removed because it is no longer maintained and is succeeded by
biome
.
The prometheus-knot-exporter
was migrated to a version maintained by
CZ.NIC. Various metric names have changed, so checking existing rules is
recommended.
The services.mtr-exporter.target
has been removed in favor of
services.mtr-exporter.jobs
which allows specifying multiple targets.
blender-with-packages
has been deprecated in favor of
blender.withPackages
, for example blender.withPackages (ps: [ps.bpycv])
.
It behaves similarly to python3.withPackages
.
Setting nixpkgs.config
options while providing an external pkgs
instance
will now raise an error instead of silently ignoring the options. NixOS
modules no longer set nixpkgs.config
to accommodate this. This specifically
affects services.locate
,
services.xserver.displayManager.lightdm.greeters.tiny
and
programs.firefox
NixOS modules. No manual intervention should be required
in most cases, however, configurations relying on those modules affecting
packages outside the system environment should switch to explicit overlays.
privacyidea
(and the corresponding privacyidea-ldap-proxy
) has been
removed from nixpkgs because it has severely outdated dependencies that
became unmaintainable with nixpkgs’ python package-set.
dagger
was removed because using a package called dagger
and packaging it
from source violates their trademark policy.
win-virtio
package was renamed to virtio-win
to be consistent with the upstream package name.
ps3netsrv
has been replaced with the webman-mod fork, the executable has
been renamed from ps3netsrv++
to ps3netsrv
and cli parameters have
changed.
ssm-agent
package and module were renamed to amazon-ssm-agent
to be
consistent with the upstream package name.
services.kea.{ctrl-agent,dhcp-ddns,dhcp,dhcp6}
now use separate runtime
directories instead of /run/kea
to work around the runtime directory being
cleared on service start.
mkDerivation
rejects MD5 hashes now.
The junicode
font package has been updated to major
v2, which is
a font family now. In particular, plain Junicode.ttf
no longer exists. In
addition, TrueType font files are now placed in font/truetype
instead of
font/junicode-ttf
; this change does not affect use via fonts.packages
option.
The prayer
package as well as services.prayer
have been removed because
it’s been unmaintained for several years and the author’s website has
vanished.
The chrony
NixOS module now tracks the real-time clock drift from the
system clock with rtcfile
and automatically adjusts it with rtcautotrim
when it exceeds the maximum error specified in
services.chrony.autotrimThreshold
(defaults to 30 seconds). If you enabled
rtcsync
in extraConfig
, you should remove RTC related options from
extraConfig
. If you do not want chrony configured to keep the RTC in check,
you can set services.chrony.enableRTCTrimming = false;
.
trilium-desktop
and trilium-server
have been updated to
v0.61. For existing
installations, upgrading to this version is supported only after running
v0.60.x at least once. If you are still on an older version, make sure to
update to v0.60 (available in NixOS 23.05) first and only then to v0.61
(available in NixOS 23.11).
Cassandra now defaults to v4.x, updated from v3.11.x.
FoundationDB now defaults to major version 7.
glibc has been updated from v2.37 to v2.38. Refer to the the release notes for more details.
linuxPackages_testing_bcachefs
is now soft-deprecated by
linuxPackages_testing
.
Please consider changing your NixOS configuration’s boot.kernelPackages
to linuxPackages_testing
until a stable kernel with bcachefs support is
released.
PostgreSQL now defaults to major version 15.
All ROCm packages have been updated to v5.7.0.
ROCm package attribute sets are
versioned: rocmPackages
-> rocmPackages_5
.
systemd has been updated from v253 to v254, refer to the release notes for more details.
boot.resumeDevice
must be specified when hibernating if not in EFI
mode.
systemd may warn your system about the permissions of your ESP partition
(often /boot
), this warning can be ignored for now, we are looking into
a satisfying solution regarding this problem.
Updating with nixos-rebuild boot
and rebooting is recommended, since in
some rare cases the nixos-rebuild switch
into the new generation on a
live system might fail due to missing mount units.
If the user has a custom shell enabled via users.users.${USERNAME}.shell = ${CUSTOMSHELL}
, the assertion will require them to also set
programs.${CUSTOMSHELL}.enable = true
. This is generally safe behavior, but
for anyone needing to opt out from the check
users.users.${USERNAME}.ignoreShellProgramCheck = true
will do the job.
yarn-berry
has been updated to v4.0.1. This means that NodeJS versions less
v18.12 are no longer supported by it. Refer to the upstream
changelog for
more details.
GNOME has been updated to v45. Refer to the release notes for more details. Notably, Loupe has replaced Eye of GNOME as the default image viewer, Snapshot has replaced Cheese as the default camera application, and Photos will no longer be installed.
The module services.ankisyncd
has been switched to
anki-sync-server-rs.
The former version written in Python was difficult to update, did not receive
updates in a while, and did not support recent versions of Anki.
Unfortunately all servers supporting new clients do not support the older sync protocol that was used in the old server. This includes newer version of anki-sync-server, Anki’s built in sync server and this new Rust package. Thus old clients will also need updating. In particular nixpkgs’s Anki package is also being updated in this release.
The module update takes care of the new config syntax. The data itself (i.e. user login and card information) is compatible. Thus users of the module will be able to simply log in again after updating both client and server without any extra action needed to be taken.
The argument vendorSha256
of buildGoModule
is deprecated. Use
vendorHash
instead. Refer to PR
#259999) for more details.
go-modules
in buildGoModule
attrs has been renamed to goModules
.
The package cawbird
is dropped from nixpkgs. It broke by the Twitter API
closing down and has been abandoned upstream.
The Cinnamon module now enables XDG desktop integration by default. If you
are experiencing collisions related to xdg-desktop-portal-gtk you can safely
remove xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
from your
NixOS configuration.
GNOME, Pantheon, Cinnamon modules no longer force Qt applications to use Adwaita style. This implemantion was buggy and is no longer maintained upstream. Specifically, Cinnamon defaults to the gtk2 style instead now, following the default in Linux Mint). If you still want Adwaita used, you may add the following options to your configuration. Please be aware, that it will probably be removed eventually.
{
qt = {
enable = true;
platformTheme = "gnome";
style = "adwaita";
};
}
DocBook option documentation is no longer supported, all module documentation now uses Markdown.
Docker defaults to v24 now, as 20.10 is stopping to receive security updates and bug fixes after December 10, 2023.
Elixir defaults to v1.15 now. Refer to their changelog for more details.
The extend
function of llvmPackages
has been removed due it coming from
the tools
attrset thus only extending the tool
attrset. A possible
replacement is to construct the set from libraries
and tools
, or patch
nixpkgs.
ffmpeg
defaults to ffmpeg_6
now, upgrading from ffmpeg_5
.
fontconfig
defaults to using greyscale antialiasing now. Previously
subpixel antialiasing was used because of a recommendation from one of the
downstreams.
You can change this value by configuring
fonts.fontconfig.subpixel.rgba
accordingly.
The fonts.fonts
and fonts.enableDefaultFonts
options have been renamed to
fonts.packages
and fonts.enableDefaultPackages
respectively.
services.hedgedoc
has been heavily refactored, reducing the amount of
declared options in the module. Most of the options should still work without
any changes to the configuration. Some options have been deprecated, as they
no longer have any effect. Refer to PR
#244941 for more details.
jq
was updated to v1.7. This is its first release in 5
years.
lib.attrsets.foldlAttrs
now always evaluates the initial accumulator argument first.
lib.lists.foldl'
now always evaluates the initial accumulator argument first. If you depend on
the lazier behavior, consider using
lib.lists.foldl
or
builtins.foldl'
instead.
Now magma
defaults to magma-hip
instead of magma-cuda
. It also
respects the config.cudaSupport
and config.rocmSupport
options.
The MariaDB C client library was upgraded from v3.2.x to v3.3.x. Refer to the upstream release notes for more details.
Mattermost has been upgraded to extended support version 8.1 as the previously packaged extended support version 7.8 is reaching end-of-life. Migration may take some time, refer to the changelog and important upgrade notes.
The netdata
package disables cloud support by default now. To enable it use the netdataCloud
package.
networking.nftables
is no longer flushing all rulesets on every reload.
Use networking.nftables.flushRuleset = true;
to enable the previous behaviour.
Node.js v14, v16 has been removed as they were end of life. Any dependent packages that contributors were not able to reasonably upgrade were dropped after a month of notice to their maintainers, were removed.
This includes VSCode Server.
This includes Kibana 7 as the ELK stack is unmaintained in nixpkgs and is marked for slow removal.
The application firewall opensnitch
uses the process monitor method eBPF as
default now. This is recommended by upstream. The method may be changed with
the setting
services.opensnitch.settings.ProcMonitorMethod.
paperwork
is updated to v2.2. Documents scanned with this version will not
be visible to previous versions if you downgrade. Refer to the upstream
announcement
for details and workarounds.
The latest available version of Nextcloud is v27 (available as
pkgs.nextcloud27
). The installation logic is as follows:
If services.nextcloud.package
is
specified explicitly, this package will be installed (recommended)
If system.stateVersion
is >=23.11,
pkgs.nextcloud27
will be installed by default.
If system.stateVersion
is >=23.05,
pkgs.nextcloud26
will be installed by default.
Please note that an upgrade from v25 (or older) to v27 is not possible
directly. Please upgrade to nextcloud26
(or earlier) first. Nextcloud
prohibits skipping major versions while upgrading. You may upgrade by
declaring services.nextcloud.package = pkgs.nextcloud26;
inbetween.
postgresql_11
has been removed since it’ll stop receiving fixes on November
9th 2023.
programs.gnupg.agent.pinentryFlavor
is set in /etc/gnupg/gpg-agent.conf
now. It will no longer take precedence over a pinentry-program
set in
~/.gnupg/gpg-agent.conf
.
python3.pkgs.flitBuildHook
has been removed. Use flit-core
and format = "pyproject"
instead.
Certificate generation via the security.acme
limits the concurrent number
of running certificate renewals and generation jobs now. This is to avoid
spiking resource usage when processing many certificates at once. The limit
defaults to 5 and can be adjusted via maxConcurrentRenewals
. Setting the
value to 0 disables the limits altogether.
services.borgmatic.settings.location
and
services.borgmatic.configurations.<name>.location
are deprecated, please
move your options out of sections to the global scope.
services.fail2ban.jails
can be configured with attribute sets now, defining
settings and filters instead of lines. The stringed options daemonConfig
and extraSettings
have respectively been replaced by daemonSettings
and
jails.DEFAULT.settings
. Those use attribute sets.
The services.mbpfan
module has the option aggressive
enabled by default
now. This is for better heat moderation. To get the upstream defaults you may
disable this.
Apptainer/Singularity defaults to using "$out/var/lib"
for the
LOCALSTATEDIR
configuration option instead of the top-level "/var/lib"
now. This change impacts the SESSIONDIR
(container-run-time mount point)
configuration, which is set to $LOCALSTATEDIR/<apptainer or singularity>/mnt/session
. This detaches the packages from the top-level
directory, rendering the NixOS module optional.
The default behavior of the NixOS module programs.singularity
stays
unchanged. We add a new option
programs.singularity.enableExternalSysConfDir
(default to true
) to
specify whether to set the top-level "/var/lib"
as LOCALSTATEDIR
or not.
The services.sslh
module has been updated to follow RFC
0042.
As such, several options have been moved to the freeform attribute set
services.sslh.settings, which allows to change
any of the settings in sslh(8).
In addition, the newly added option
services.sslh.method allows to switch between
the fork(2), select(2) and libev
-based connection
handling method. Refer to the sslh
docs
for a comparison.
Suricata was upgraded from v6.0 to v7.0 and no longer considers HTTP/2 support as experimental. Refer to upstream release notes for more details.
teleport
has been upgraded from major version 12 to major version 14.
Refer to upstream upgrade
instructions
and release notes for
v13 and
v14. Note that Teleport
does not officially support upgrades across more than one major version at a
time. If you’re running Teleport server components, it is recommended to
first upgrade to an intermediate v13.x version by setting
services.teleport.package = pkgs.teleport_13
. Afterwards, this option can
be removed to upgrade to the default version (14).
zfs
was updated from v2.1.x to v2.2.0, enabling newer kernel support and
adding new features.
The use of sourceRoot = "source";
, sourceRoot = "source/subdir";
, and
similar lines in package derivations using the default unpackPhase
is
deprecated as it requires unpackPhase
to always produce a directory named
“source”. Use sourceRoot = src.name
, sourceRoot = "${src.name}/subdir";
,
or setSourceRoot = "sourceRoot=$(echo */subdir)";
or similar instead.
The django
alias in the python package set was upgraded to Django v4.x.
Applications that consume Django should always pin their python environment
to a compatible major version, so they can move at their own pace.
{
python = python3.override {
packageOverrides = self: super: {
django = super.django_3;
};
};
}
The qemu-vm.nix
module by default now identifies block devices via
persistent names available in /dev/disk/by-*
. Because the rootDevice is
identified by its filesystem label, it needs to be formatted before the VM is
started. The functionality of automatically formatting the rootDevice in the
initrd is removed from the QEMU module. However, for tests that depend on
this functionality, a test utility for the scripted initrd is added
(nixos/tests/common/auto-format-root-device.nix
). To use this in a NixOS
test, import the module, e.g. imports = [ ./common/auto-format-root-device.nix ];
When you use the systemd initrd, you
can automatically format the root device by setting
virtualisation.fileSystems."/".autoFormat = true;
.
The electron
packages places its application files in
$out/libexec/electron
instead of $out/lib/electron
now. Packages using
electron-builder will fail to build and need to be adjusted by changing lib
to libexec
.
MCHPRS, a multithreaded Minecraft server built for redstone. Available as services.mchprs.
acme-dns, a limited DNS server to handle ACME DNS challenges easily and securely. Available as services.acme-dns.
frp, a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. Available as services.frp.
river, A dynamic tiling wayland compositor. Available as programs.river.
wayfire, a modular and extensible wayland compositor. Available as programs.wayfire.
mautrix-whatsapp, a Matrix-WhatsApp puppeting bridge. Available as services.mautrix-whatsapp.
hddfancontrol, a service to regulate fan speeds based on hard drive temperature. Available as services.hddfancontrol.
seatd, A minimal seat management daemon. Available as services.seatd.
GoToSocial, an ActivityPub social network server written in Golang. Available as services.gotosocial.
Castopod, an open-source hosting platform made for podcasters who want to engage and interact with their audience. Available as services.castopod.
Typesense, a fast, typo-tolerant search engine for building delightful search experiences. Available as services.typesense.
NS-USBLoader, an all-in-one tool for managing Nintendo Switch homebrew. Available as programs.ns-usbloader.
athens, a Go module datastore and proxy. Available as services.athens.
Mobilizon, a Fediverse platform for publishing events. Available as services.mobilizon.
Anuko Time Tracker, a simple, easy to use, open source time tracking system. Available as services.anuko-time-tracker.
Prometheus MySQL exporter, a MySQL server exporter for Prometheus. Available as services.prometheus.exporters.mysqld.
LibreNMS, a auto-discovering PHP/MySQL/SNMP based network monitoring. Available as services.librenms.
Livebook, an interactive notebook with support for Elixir, graphs, machine learning, and more. Available as services.livebook.
sitespeed-io, a tool that can generate metrics such as timings and diagnostics for websites. Available as services.sitespeed-io.
stalwart-mail, an all-in-one email server (SMTP, IMAP, JMAP). Available as services.stalwart-mail.
tang, a server for binding data to network presence. Available as services.tang.
Jool, a kernelspace NAT64 and SIIT implementation providing translation between IPv4 and IPv6. Available as networking.jool.enable.
Home Assistant
Satellite, a
streaming audio satellite for Home Assistant voice pipelines, where you can
reuse existing mic and speaker hardware. Available as
services.homeassistant-satellite
.
Apache Guacamole, a cross-platform, clientless remote desktop gateway. Available as services.guacamole-server and services.guacamole-client services.
pgBouncer, a PostgreSQL connection pooler. Available as services.pgbouncer.
Goss, a YAML based serverspec alternative tool for validating a server’s configuration. Available as services.goss.
trust-dns, a Rust based DNS server built to be safe
and secure from the ground up. Available as
services.trust-dns
.
osquery, a SQL powered operating system instrumentation, monitoring, and analytics. Available as services.osquery.
ebusd, a daemon for handling communication with eBUS devices connected to a 2-wire bus system (“energy bus” used by numerous heating systems). Available as services.ebusd.
systemd-sysupdate, atomically updates the host OS, container images, portable service images or other sources. Available as systemd.sysupdate.
eris-server, an implementation of the Encoding for Robust Immutable Storage (ERIS). Available as services.eris-server.
forgejo, a git forge and drop-in replacement for Gitea. Available as services.forgejo.
hardware/infiniband.nix
adds infiniband subnet manager support using an
opensm systemd-template service,
instantiated on card guids. The module also adds kernel modules and cli
tooling to help administrators debug and measure performance. Available as
hardware.infiniband.enable.
zwave-js, a small server wrapper around Z-Wave JS to access it via a WebSocket. Available as services.zwave-js.
Honk, a complete ActivityPub server with minimal setup and support costs. Available as services.honk.
ferretdb, an open-source proxy, converting the MongoDB 6.0+ wire protocol queries to PostgreSQL or SQLite. Available as services.ferretdb.
MicroBin, a feature rich, performant and secure text and file sharing web application, a “paste bin”. Available as services.microbin.
NNCP, nncp-daemon and nncp-caller services. Available as programs.nncp.settings and services.nncp.
FastNetMon Advanced, a commercial high performance DDoS detector and sensor. Available as services.fastnetmon-advanced.
tuxedo-rs, Rust utilities for interacting with hardware from TUXEDO Computers. Available as hardware.tuxedo-rs.
certspotter, a certificate transparency log monitor. Available as services.certspotter.
audiobookshelf, a self-hosted audiobook and podcast server. Available as services.audiobookshelf.
ZITADEL, a turnkey identity and access management platform. Available as services.zitadel.
exportarr, Prometheus Exporters for Bazarr, Lidarr, Prowlarr, Radarr, Readarr, and Sonarr. Available as services.prometheus.exporters.exportarr-bazarr/services.prometheus.exporters.exportarr-lidarr/services.prometheus.exporters.exportarr-prowlarr/services.prometheus.exporters.exportarr-radarr/services.prometheus.exporters.exportarr-readarr/services.prometheus.exporters.exportarr-sonarr.
netclient, an automated WireGuard Management Client. Available as services.netclient.
trunk-ng, A fork of trunk
: Build, bundle
& ship your Rust WASM application to the web
virt-manager, an UI for managing virtual machines in libvirt. Available as programs.virt-manager.
Soft Serve, a tasty, self-hostable Git server for the command line. Available as services.soft-serve.
Rosenpass, a service for post-quantum-secure VPNs with WireGuard. Available as services.rosenpass.
c2FmZQ, an application that can securely encrypt, store, and share files, including but not limited to pictures and videos. Available as services.c2fmzq-server.
preload, a service that makes applications run faster by prefetching binaries and shared objects. Available as services.preload.
The new option system.switch.enable
was added. It is enabled by default.
Disabling it makes the system unable to be reconfigured via nixos-rebuild
.
This is of advantage for image based appliances where updates are handled
outside the image.
services.searx
receives new options for better SearXNG support. This
includes options for the built-in rate limiter, bot protection and
automatically configuring a local Redis server.
The iptables firewall module installs the nixos-firewall-tool
now which
allows the user to easily temporarily open ports through the firewall.
A new option was added to the virtualisation module that enables specifying
explicitly named network interfaces in QEMU VMs. The existing
virtualisation.vlans
is still supported for cases where the name of the
network interface is irrelevant.
services.outline
can be configured to use local filesystem storage now.
Previously ony S3 storage was possible. This may be set using
services.outline.storage.storageType.
pkgs.openvpn3
optionally supports systemd-resolved now. programs.openvpn3
will automatically enable systemd-resolved support if
services.resolved.enable is set to true.
The services.woodpecker-server.environmentFile type was changed to list of paths to be more consistent to the woodpecker-agent module
services.matrix-synapse
has new options to configure worker processes for
matrix-synapse using
services.matrix-synapse.workers
.
Configuring a local redis server using
services.matrix-synapse.configureRedisLocally
is also possible now.
The services.nginx
module gained a defaultListen
option at server-level
with support for PROXY protocol listeners. Also proxyProtocol
is exposed in
the services.nginx.virtualHosts.<name>.listen
option now. This it is
possible to run PROXY listeners and non-PROXY listeners at a server-level.
Refer to PR #213510 for more
details.
services.restic.backups
adds wrapper scripts to your system path now. This
wrapper script sets the same environment variables as the service, so restic
operations can easily be run from the command line. This behavior can be
disabled by setting createWrapper
to false
, for each backup
configuration.
services.prometheus.exporters
has a new exporter to monitor electrical
power consumption based on PowercapRAPL sensor called
Scaphandre. Refer to PR
#239803 for more details.
The services.calibre-server
module has new options to configure the host
,
port
, auth.enable
, auth.mode
and auth.userDb
path. Refer to PR
#216497 for more details.
services.prometheus.exporters
has a new
exporter to monitor PHP-FPM
processes. Refer to PR
#240394 for more details.
services.github-runner
and services.github-runners.<name>
gained the
option nodeRuntimes
. This option defaults to [ "node20" ]
. I.e., the
service supports Node.js 20 GitHub Actions only. The list of Node.js versions
accepted by nodeRuntimes
tracks the versions the upstream GitHub Actions
runner supports. Refer to PR
#249103 for details.
programs.gnupg
has the option agent.settings
now. This allows setting
verbatim config values in /etc/gnupg/gpg-agent.conf
.
dockerTools.buildImage
, dockerTools.buildLayeredImage
and
dockerTools.streamLayeredImage
use lib.makeOverridable
now . This allows
dockerTools
-based images to be customized more efficiently at the Nix
level.
services.influxdb2
supports doing an automatic initial setup and
provisioning of users, organizations, buckets and authentication tokens now.
Refer to PR #249502 for more
details.
wrapHelm
exposes passthru.pluginsDir
now which can be passed to
helmfile
. For convenience, a top-level package helmfile-wrapped
has been
added, which inherits passthru.pluginsDir
from kubernetes-helm-wrapped
.
Refer to PR #217768 for
more details.
The boot.initrd.network.udhcp.enable
option allows control over DHCP during
Stage 1 regardless of what networking.useDHCP
is set to.
networking.nftables
has the option networking.nftables.table.<table>
now. This creates tables
and have them be updated atomically, instead of flushing the ruleset.
hardware.nvidia
gained datacenter
options for enabling NVIDIA Data Center
drivers and configuration of NVLink/NVSwitch topologies through
nv-fabricmanager
.
The new boot.bcache.enable
option allows completely removing bcache
mount support. It is enabled by default.
security.sudo
provides two extra options now, while not changing the
module’s default behaviour:
defaultOptions
controls the options used for the default rules;
keepTerminfo
controls whether TERMINFO
and TERMINFO_DIRS
are preserved
for root
and the wheel
group.
virtualisation.googleComputeImage
provides a efi
option to support UEFI
booting now.
CoreDNS may be built with external plugins now. This may be done by
overriding externalPlugins
and vendorHash
arguments like this:
{
services.coredns = {
enable = true;
package = pkgs.coredns.override {
externalPlugins = [
{name = "fanout"; repo = "github.com/networkservicemesh/fanout"; version = "v1.9.1";}
];
vendorHash = "<SRI hash>";
};
};
}
To get the necessary SRI hash, set vendorHash = "";
. The build will fail
and produce the correct vendorHash
in the error message.
If you use this feature, updates to CoreDNS may require updating vendorHash
by following these steps again.
Using fusuma
enables the following plugins now:
appmatcher,
keypress,
sendkey,
tap and
wmctrl.
The Home Assistant module offers support for installing custom components and
lovelace modules now. Available at
services.home-assistant.customComponents
and
services.home-assistant.customLovelaceModules
.
TeX Live environments can now be built with the new texlive.withPackages
.
The procedure for creating custom TeX packages has been changed. Refer to the
Nixpkgs
manual
for more details.
In wxGTK32
, the webkit module wxWebView
has been enabled on all builds.
Prior releases only enabled this on Darwin.
Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the
hostapd
package, along with a significant rework of the hostapd module.
LXD supports virtual machine instances now to complement the existing container support.
The nixos-rebuild
command has been given a list-generations
subcommand.
Refer to man nixos-rebuild
for more details.
sudo-rs
, a reimplementation of sudo
in Rust, is now supported.
An experimental new module security.sudo-rs
was added.
Switching to it (via security.sudo-rs.enable = true;
) introduces
slight changes in sudo behaviour, due to sudo-rs
’ current limitations:
terminfo-related environment variables aren’t preserved for root
and wheel
;
root
and wheel
are not given the ability to set (or preserve)
arbitrary environment variables.
Note: The sudo-rs
module only takes configuration through security.sudo-rs
,
and in particular does not automatically use previously-set rules; this could be
achieved with security.sudo-rs.extraRules = security.sudo.extraRules;
for instance.
There is a new NixOS option when writing NixOS tests
testing.initrdBackdoor
, that enables backdoor.service
in initrd. Requires
boot.initrd.systemd.enable
to be enabled. Boot will pause in Stage 1 at
initrd.target
, and will listen for commands from the Machine
python
interface, just like Stage 2 normally does. This enables commands to be sent
to test and debug Stage 1. Use machine.switch_root()
to leave Stage 1 and
proceed to Stage 2.
The Linux kernel module msr
(refer to
msr(4)
), which provides
an interface to read and write the model-specific registers (MSRs) of an x86
CPU, can now be configured via hardware.cpu.x86.msr
.
The qemu-vm.nix
module now supports disabling overriding fileSystems
with
virtualisation.fileSystems
. This enables the user to boot VMs from
“external” disk images not created by the qemu-vm module. You can stop the
qemu-vm module from overriding fileSystems
by setting
virtualisation.fileSystems = lib.mkForce { };
.
When using split parity files in snapraid
,
the snapraid-sync systemd service will no longer fail to run.
wpa_supplicant
’s configuration file cannot be read by non-root users, and
secrets (such as Pre-Shared Keys) can safely be passed via
networking.wireless.environmentFile
.
The configuration file could previously be read, when userControlled.enable
(non-default),
by users who are in both wheel
and userControlled.group
(defaults to wheel
)
lib.lists.foldl'
now always evaluates the initial accumulator argument first. If you depend on
the lazier behavior, consider using
lib.lists.foldl
or
builtins.foldl'
instead.
lib.attrsets.foldlAttrs
now always evaluates the initial accumulator argument first.
Now that the internal NixOS transition to Markdown documentation is complete,
lib.options.literalDocBook
has been removed after deprecation in 22.11.
lib.types.string
is now fully deprecated and gives a warning when used.
lib.fileset
:
A new sub-library to select local files to use for sources, designed to be
easy and safe to use.
This aims to be a replacement for lib.sources
-based filtering. To learn
more about it, see the blog
post or the
tutorial.
lib.gvariant
:
A partial and basic implementation of GVariant formatted strings. See
GVariant Format
Strings for details.
This API is not considered fully stable and it might therefore change in backwards incompatible ways without prior notice.
lib.asserts
:
New function:
assertEachOneOf
.
lib.attrsets
:
New function:
attrsToList
.
lib.customisation
:
New function:
makeScopeWithSplicing'
.
lib.fixedPoints
:
Documentation improvements for
lib.fixedPoints.fix
.
lib.generators
: New functions:
mkDconfKeyValue
,
toDconfINI
.
lib.generators.toKeyValue
now supports the indent
attribute in its first
argument.
lib.lists
:
New functions:
findFirstIndex
,
hasPrefix
,
removePrefix
,
commonPrefix
,
allUnique
.
Documentation improvements for
lib.lists.foldl'
.
lib.meta
:
Documentation of functions now gets rendered
lib.path
:
New functions:
hasPrefix
,
removePrefix
,
splitRoot
,
subpath.components
.
lib.strings
:
New functions:
replicate
,
cmakeOptionType
,
cmakeBool
,
cmakeFeature
.
lib.trivial
:
New function:
mirrorFunctionArgs
.
lib.systems
: New function:
equals
.
lib.options
:
Improved documentation for
mkPackageOption
.
mkPackageOption
.
now also supports the pkgsText
attribute.
Module system:
Options in the options
module argument now have the declarationPositions
attribute containing the position where the option was declared:
$ nix-repl -f '<nixpkgs/nixos>' [...]
nix-repl> :p options.environment.systemPackages.declarationPositions
[ {
column = 7;
file = "/nix/store/vm9zf9wvfd628cchj0hdij1g4hzjrcz9-source/nixos/modules/config/system-path.nix";
line = 62;
} ]
Not to be confused with definitionsWithLocations
, which is the same but for option definitions.
Improved error message for option declarations missing mkOption
lib.meta.getExe pkg
(also available as lib.getExe
) now gives a warning if
pkg.meta.mainProgram
is not set, but it continues to default to the
derivation name. Nixpkgs accepts PRs that set meta.mainProgram
on packages
where it makes sense. Use lib.getExe' pkg "some-command"
to avoid the
warning and/or select a different executable.
The NixOS release team is happy to announce a new version of NixOS. The release is called NixOS 23.05 (“Stoat”).
NixOS is a Linux distribution, whose set of packages can also be used on other Linux systems and macOS.
Support is planned until the end of December 2023, handing over to NixOS 23.11.
To upgrade to the latest release, follow the upgrade chapter.
In addition to numerous new and updated packages, this release has the following highlights:
The default Nix version was updated from 2.11 to 2.13. In particular, this includes a small language alteration in the way floats are represented in builtins.toJSON
. See the release notes for 2.12 and 2.13 for more information.
The default Linux Kernel was updated from version 5.15 to 6.1, see Kernelnewbies for what has changed. All Kernels currently shown on kernel.org are available.
systemd has been updated from v252 to v253, see the release notes for more information on the changes.
Updating with nixos-rebuild boot
and rebooting is recommended, since in some rare cases the nixos-rebuild switch
into the new generation on a live system might fail due to missing mount units.
glibc has been updated from version 2.35 to 2.37, see the release notes for what was changed.
libxcrypt, the library providing the crypt(3)
password hashing function, is now built without support for algorithms not flagged strong
. This affects the availability of password hashing algorithms used for system login (login(1)
, passwd(1)
), but also Apache2 Basic-Auth, Samba, OpenLDAP, Dovecot, and many other packages.
NixOS now defaults to using nsncd, a non-caching reimplementation of nscd in Rust, as its NSS lookup dispatcher. This replaces the buggy and deprecated nscd implementation provided through glibc. When you find problems, you can switch back by disabling it:
{
services.nscd.enableNsncd = false;
}
The internal option boot.bootspec.enable
is now enabled by default because RFC 0125 was merged. This means you will have a bootspec document called boot.json
generated for each system and specialisation in the top-level. This is useful to enable advanced boot use cases in NixOS, such as Secure Boot.
Two changes to nixos-rebuild
are important to highlight as well.
Support for an extra --specialisation
option was added that can be used to change specialisation for switch
and test
commands.
The --target-host
and --build-host
options no longer treat the localhost
value specially – to build on resp. deploy to a local machine, omit the relevant flag.
Python implements PEP 668, providing better feedback to users that try to run pip install
for system-wide or user home installations.
Cinnamon has been updated to version 5.6, see the pull request for what was changed.
GNOME has been updated to version 44, see the the release notes for details.
KDE Plasma has been updated to version 5.27, see the release notes for what was changed.
openra
was updated to 20230225
. Due to large scope of the update, currently only openraPackages.engines.release
and openraPackages.engines.latest
packages are available.
If you want to use the old engine versions or mods, they were moved to the openraPackages_2019
namespace.
Akkoma, an ActivityPub microblogging server. Available as services.akkoma.
alertmanager-irc-relay, a Prometheus Alertmanager IRC Relay. Available as services.prometheus.alertmanagerIrcRelay.
alice-lg, a looking-glass for BGP sessions. Available as services.alice-lg.
atuin, a sync server for shell history. Available as services.atuin.
authelia, an open-source authentication and authorization server. Available as services.authelia.
birdwatcher, a small HTTP server meant to provide an API defined by Barry O’Donovan’s birds-eye to the BIRD internet routing daemon. Available as services.birdwatcher.
blesh, a line editor written in pure bash. Available as programs.bash.blesh.
Budgie Desktop, a familiar, modern desktop environment. Available as services.xserver.desktopManager.budgie.
clash-verge, a Clash GUI based on tauri. Available as programs.clash-verge.
Cloudlog, a web-based Amateur Radio logging application. Available as services.cloudlog.
consul-template, a template renderer, notifier, and supervisor for HashiCorp Consul and Vault data. Available as services.consul-template.
cups-pdf-to-pdf, a PDF-generating CUPS backend based on cups-pdf. Available as services.printing.cups-pdf.
Deepin Desktop Environment, an elegant, easy to use and reliable desktop environment. Available as services.xserver.desktopManager.deepin.
esphome, a dashboard to configure ESP8266/ESP32 devices for use with Home Automation systems. Available as services.esphome.
frigate, an open source NVR built around real-time AI object detection. Available as services.frigate.
fzf, a command line fuzzyfinder. Available as programs.fzf.
gemstash, a RubyGems.org cache and private gem server. Available as services.gemstash.
gitea-actions-runner, a CI runner for Gitea/Forgejo Actions. Available as services.gitea-actions-runner.
evdevremapkeys, a daemon to remap key events. Available as services.evdevremapkeys.
gmediarender, a simple, headless UPnP/DLNA renderer. Available as services.gmediarender.
go2rtc, a camera streaming application with support for RTSP, WebRTC, HomeKit, FFMPEG, RTMP and other protocols. Available as services.go2rtc.
goeland, an alternative to rss2email written in Golang with many filters. Available as services.goeland.
gonic, a Subsonic music streaming server. Available as services.gonic.
hardware.ipu6, drivers for IPU6 based webcams on Intel Tiger Lake and Alder Lake.
harmonia, a Nix binary cache implemented in Rust using libnixstore. Available as services.harmonia.
hyprland, a dynamic tiling Wayland compositor that doesn’t sacrifice on its looks. Available as programs.hyprland.
imaginary, a microservice for high-level image processing that Nextcloud can use to generate previews. Available as services.imaginary.
ivpn, a secure, private VPN with fast WireGuard connections. Available as services.ivpn.
vmalert, an alerting engine for VictoriaMetrics. Available as services.vmalert.
jellyseerr, a web-based requests manager for Jellyfin, forked from Overseerr. Available as services.jellyseerr.
kavita, a self-hosted digital library. Available as services.kavita.
keyd, a key remapping daemon for Linux. Available as services.keyd.
lldap, a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication. Available as services.lldap.
minipro, an open source program for controlling the MiniPRO TL866xx series of chip programmers. Available as programs.minipro.
mmsd, a lower level daemon that transmits and receives MMSes. Available as services.mmsd.
monica, an open source personal CRM. Available as services.monica.
networkd-dispatcher, a dispatcher service for systemd-networkd connection status changes. Available as services.networkd-dispatcher.
nimdow, a window manager written in Nim, inspired by dwm. Available as services.xserver.windowManager.nimdow.enable.
opensearch, a search server alternative to Elasticsearch. Available as services.opensearch.
openvscode-server, run VS Code on a remote machine with access through a modern web browser from any device, anywhere. Available as services.openvscode-server.
peroxide, a fork of the official ProtonMail bridge that aims to be similar to Hydroxide. Available as services.peroxide.
photoprism, a AI-powered photos app for the decentralized web. Available as services.photoprism.
Pixelfed, an Instagram-like ActivityPub server. Available as services.pixelfed.
PufferPanel, a game server management panel designed to be easy to use. Available as services.pufferpanel.
QDMR, a GUI application and command line tool for programming DMR radios programs.qdmr.
readarr, book manager and automation (Sonarr for ebooks). Available as services.readarr.
ReGreet, a clean and customizable greeter for greetd. Available as programs.regreet.
rshim, the user-space rshim driver for the BlueField SoC. Available as services.rshim.
SFTPGo, a fully featured and highly configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. Available as services.sftpgo.
sharing, a command-line tool to share directories and files from the CLI to iOS and Android devices without the need of an extra client app. Available as programs.sharing.
sniffnet, an application to monitor your network traffic. Available as programs.sniffnet.
stargazer, a fast and easy to use Gemini server. Available as services.stargazer.
stevenblack-blocklist, a unified hosts file with base extensions for blocking unwanted websites. Available as networking.stevenblack.
systemd-repart, grow and add partitions to a partition table. Available as systemd.repart and boot.initrd.systemd.repart
trippy, a network diagnostic tool. Available as programs.trippy.
tts, a battle-tested deep learning toolkit for Text-to-Speech. Multiple servers may be configured below services.tts.servers.
ulogd, a userspace logging daemon for netfilter/iptables related logging. Available as services.ulogd.
v2rayA, a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as services.v2raya.
v4l2-relayd, a streaming relay for v4l2loopback using gstreamer. Available as services.v4l2-relayd.
vault-agent, a template renderer and API auth proxy for HashiCorp Vault, similar to consul-template
. Available as services.vault-agent.
webhook, a lightweight webhook server. Available as services.webhook.
wgautomesh, a simple utility to help connect wireguard nodes together in a full mesh topology. Available as services.wgautomesh.
woodpecker, a simple CI engine with great extensibility. Available as services.woodpecker-server and services.woodpecker-agents.
wstunnel, a proxy tunnelling arbitrary TCP or UDP traffic through a WebSocket connection. Available as services.wstunnel.
services.asusd
configuration now uses strings instead of structured configuration, as upstream switched to the RON configuration format. Support for structured configuration may return when RON generation is implemented in nixpkgs.
borgbackup
module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as services.borgbackup.jobs.<name>.inhibitsSleep
.
The openssh
client now comes with the ~C
escape sequence disabled by default. It can be re-enabled by setting EnableEscapeCommandline yes
The programs.ssh
client module does not read /etc/ssh/ssh_known_hosts2
anymore, since this location is deprecated since 2001.
The services.openssh
server module does not read ~/.ssh/authorized_keys2
anymore, since this location is deprecated since 2001.
MAC-then-encrypt algorithms were removed from the default selection of services.openssh.settings.Macs
. If you still require these MACs, for example when you are relying on libssh2 (e.g. VLC) or the SSH library shipped on the iPhone, you can re-add them like this:
{
services.openssh.settings.Macs = [
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
}
podman
now uses the netavark
network stack. Users will need to delete all of their local containers, images, volumes, etc, by running podman system reset --force
once before upgrading their systems.
git-bug
has been updated to at least version 0.8.0, which includes backwards incompatible changes. The git-bug-migration
package can be used to upgrade existing repositories.
graylog
has been updated to version 5, which can not be updated directly from the previously packaged version 3.3. If you had installed the previously packaged version 3.3, please follow the upgrade path from 3.3 to 4.0 to 4.3 to 5.0.
buildFHSUserEnv
is now called buildFHSEnv
and uses FlatPak’s Bubblewrap sandboxing tool rather than Nixpkgs’ own chrootenv. The old chrootenv-based implementation is still available via buildFHSEnvChroot
but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs.
nushell
has been updated to at least version 0.77.0, which includes potential breaking changes in aliases. The old aliases are now available as old-alias
but it is recommended you migrate to the new format. See Reworked aliases.
gajim
has been updated to version 1.7.3 which has disabled legacy ciphers. See changelog for version 1.7.0.
keepassx
and keepassx2
have been removed, due to upstream stopping development. Consider KeePassXC as a maintained alternative.
The services.kubo.settings option is now no longer stateful. If you changed any of the options in services.kubo.settings in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you’re unsure, you may want to make a backup of your configuration file (probably /var/lib/ipfs/config
) and compare after the update.
The Kubo HTTP API will no longer listen on localhost and will instead only listen on a Unix domain socket by default. Read the services.kubo.settings.Addresses.API option description for more information.
The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services.
This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from /etc/ec2-metadata
should now have an after
dependency on fetch-ec2-metadata.service
The mailman service now defaults to using a randomly generated REST API password instead of a hard-coded one.
minio
removed support for its legacy filesystem backend in RELEASE.2022-10-29T06-21-33Z. This means if your storage was created with the old format, minio will no longer start. Unfortunately, minio doesn’t provide an automatic migration, they only provide instructions how to manually convert the node. To facilitate this migration, we keep around the last version that still supports the old filesystem backend as minio_legacy_fs
. Use it via services.minio.package = minio_legacy_fs;
to export your data before switching to the new version. See the corresponding issue for more details.
services.sourcehut.dispatch
and the corresponding package (sourcehut.dispatchsrht
) have been removed due to upstream deprecation.
The attributes used by services.snapper.configs.<name>
have changed. Migrate from this:
{
services.snapper.configs.example = {
subvolume = "/example";
extraConfig = ''
ALLOW_USERS="alice"
'';
};
}
to this:
{
services.snapper.configs.example = {
SUBVOLUME = "/example";
ALLOW_USERS = [ "alice" ];
};
}
The default module options for services.snapserver.openFirewall, services.tmate-ssh-server.openFirewall and services.unifi-video.openFirewall
have been changed from true
to false
. You will need to explicitly set this option to true
, or configure your firewall.
The option i18n.inputMethod.fcitx5.enableRimeData
has been removed. Default RIME data is now included in fcitx5-rime
by default, and can be customized using
fcitx5-rime.override {
rimeDataPkgs = [
pkgs.rime-data
# ...
];
}
The udev
hwdb.bin file is now built with systemd-hwdb rather than the deprecated “udevadm hwdb”. This may impact mappings where the same key is defined in multiple matching entries. The updated behavior will select the latest definition in case of conflict. In general, this should be a positive change, as the hwdb source files are designed with this ordering in mind. As an example, the mapping of the HP Dev One keyboard scan code for “mute mic” is corrected by this update. This change may impact users who have worked-around previously incorrect mappings.
Kime has been updated from 2.5.6 to 3.0.2 and the i18n.inputMethod.kime.config
option has been removed. Users should use daemonModules
, iconColor
, and extraConfig
options under i18n.inputMethod.kime
instead.
tut
has been updated from 1.0.34 to 2.0.0, and now uses the TOML format for the configuration file instead of INI. Additional information can be found here.
i3status-rust
has been updated from 0.22.0 to 0.30.5, and this brings many changes to its configuration format. Additional information can be found here.
The wordpress
derivation no longer contains any built-in plugins or themes. If you need them, you have to add them back to prevent your site from breaking. You can find them in wordpressPackages.{plugins,themes}
.
llvmPackages_rocm.llvm
will not contain clang
or compiler-rt
. llvmPackages_rocm.clang
will not contain llvm
. llvmPackages_rocm.clangNoCompilerRt
has been removed in favor of using llvmPackages_rocm.clang-unwrapped
.
services.xserver.desktopManager.plasma5.excludePackages
has been moved to environment.plasma5.excludePackages
, for consistency with other Desktop Environments.
teleport
has been updated from major version 10 to major version 12. Please see upstream upgrade instructions and release notes for versions 11 and 12. Note that Teleport does not officially support upgrades across more than one major version at a time. If you’re running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by setting services.teleport.package = pkgs.teleport_11
. Afterwards, this option can be removed to upgrade to the default version (12).
The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing /tmp
on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.
The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
gitlab
has been upgraded from major version 15 to major version 16 and requires at least PostgreSQL 13.6. Check the upgrade guide in the NixOS manual on how to upgrade your PostgreSQL installation.
gitlab
16 deprecates the use of external container registries, in our case pkgs.docker-distribution
. Module users who have services.gitlab.registry.enable
set to true
are advised to back up their state and switch to gitlab’s fork by setting services.gitlab.registry.package
to pkgs.gitlab-container-registry
.
fail2ban
has been updated to 1.0.2, which has a few breaking changes compared to 0.11.2 (changelog for 1.0.1, changelog for 1.0.2)
albert
has been updated from 0.17.6 to 0.20.13, and 0.18.0 changed the config format and many plugins (changelog for 0.18.0)
dokuwiki
has been updated from 2023-07-31a (Igor) to 2023-04-04 (Jack Jackrum), which has completely removed the options to embed HTML and PHP for security reasons. The htmlok plugin can be used to regain this functionality.
The old unsupported version 6.x of the ELK-stack and Elastic beats have been removed. Use OpenSearch instead.
The cosmoc
package has been removed. The upstream scripts in cosmocc
should be used instead.
Qt 5.12 and 5.14 have been removed, as the corresponding branches have been EOL upstream for a long time. This affected under 10 packages in nixpkgs, largely unmaintained upstream as well, however, out-of-tree package expressions may need to be updated manually.
The services.wordpress.sites.<name>.plugins and services.wordpress.sites.<name>.themes options have been converted from sets to attribute sets to allow for consumers to specify explicit install paths via attribute name.
protonmail-bridge
package has been updated to major version 3.
Nebula now runs as a system user and group created for each nebula network, using the CAP_NET_ADMIN
ambient capability on launch rather than starting as root. Ensure that any files each Nebula instance needs to access are owned by the correct user and group, by default nebula-${networkName}
.
The i18n.inputMethod.fcitx
option has been replaced with i18n.inputMethod.fcitx5
because fcitx 4 pkgs.fcitx
has been removed.
In mastodon
it is now necessary to specify location of file with PostgreSQL
database password. In services.mastodon.database.passwordFile
parameter default value /var/lib/mastodon/secrets/db-password
has been changed to null
.
The nix.readOnlyStore
option has been renamed to boot.readOnlyNixStore
to clarify that it configures the NixOS boot process, not the Nix daemon.
The latest available version of Nextcloud is v26 (available as pkgs.nextcloud26
) which uses PHP 8.2 as interpreter by default. The installation logic is as follows:
If system.stateVersion
is >=23.05, pkgs.nextcloud26
will be installed by default.
If system.stateVersion
is >=22.11, pkgs.nextcloud25
will be installed by default.
Please note that an upgrade from v24 (or older) to v26 directly is not possible. Please upgrade to nextcloud25
(or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring services.nextcloud.package = pkgs.nextcloud25;
.
It’s recommended to use the latest version available (i.e. v26) and to specify that using services.nextcloud.package
.
.NET 5.0 and .NET 3.1 were removed due to being end-of-life, use a newer, supported .NET version. Visit the Support Policy for more information.
The iputils package, which is installed by default, no longer provides the
ninfod
, rarpd
and rdisc
tools. See upstream’s release notes for more details and available replacements.
The ppp plugin rp-pppoe.so
has been renamed to pppoe.so
in ppp 2.4.9. Starting from ppp 2.5.0, there is no longer an alias for backwards compatibility. Configurations that use this plugin must be updated accordingly from plugin rp-pppoe.so
to plugin pppoe.so
. See upstream change.
services.xserver.videoDrivers now defaults to the modesetting
driver over device-specific ones. The radeon
, amdgpu
and nouveau
drivers are still available, but effectively unmaintained and not recommended for use. Note that this does not affect your regular graphics drivers; this only concerns the DDX component of the driver, which most people are not relying on.
services.xserver.libinput.enable is now set by default, enabling the more actively maintained and consistently behaved input device driver.
To enable the HTTP3 (QUIC) protocol for a nginx virtual host, set the quic
attribute on it to true, e.g. services.nginx.virtualHosts.<name>.quic = true;
.
In services.fail2ban
, bantime-increment.<name>
options now default to null
(except bantime-increment.enable
) and are used to set the corresponding option in jail.local
only if not null
. Also, enforce that bantime-increment.formula
and bantime-increment.multipliers
are not both specified.
The default asterisk
package was changed to v20 from v19. Asterisk versions 16 and 19 have been dropped due to being EOL. You may need to update /var/lib/asterisk to match the template files in ${asterisk-20}/var/lib/asterisk
.
conntrack helper autodetection has been removed from kernels 6.0 and up upstream, and an assertion was added to ensure things don’t silently stop working. Migrate your configuration to assign helpers explicitly or use an older LTS kernel branch as a temporary workaround.
The services.pipewire.config
options have been removed, as they have basically never worked correctly. All behavior defined by the default configuration can be overridden with drop-in files as necessary - see below for details.
The catch-all hardware.video.hidpi.enable
option was removed. Users on high density displays may want to:
Set services.xserver.upscaleDefaultCursor
to upscale the default X11 cursor for higher resolutions
Adjust settings under fonts.fontconfig
according to preference
Adjust console.font
according to preference, though the kernel will generally choose a reasonably sized font
services.pipewire.media-session
and the pipewire-media-session
package have been removed, as they are no longer supported upstream. Users are encouraged to use services.pipewire.wireplumber
instead.
The baget
package and module was removed due to being unmaintained.
The qlandkartegt
and garmindev
packages were removed due to being unmaintained and insecure.
The go-ethereum
package has been updated to v1.11.5 and the puppeth
command is no longer available as of v1.11.0.
The pnpm
package has be updated to from version 7.29.1 to version 8.1.1 and Node.js 14 support has been discontinued (though, there are workarounds if Node.js 14 is still required)
The zplug
package changes its output path from $out
to $out/share/zplug
. Users should update their dependency on ${pkgs.zplug}/init.zsh
to ${pkgs.zplug}/share/zplug/init.zsh
.
The pict-rs
package was updated from an 0.3 alpha release to 0.3 stable, and related environment variables now require two underscores instead of one.
The shattered-pixel-dungeon
game was updated from 1.1.2 to 2.0.2.
The location of game data has changed. To migrate it, run mv ~/.shatteredpixel ~/.local/share/.shatteredpixel
The update will delete all your in-progress games.
espanso
has been updated to major version 2. Therefore, migration steps may need to be performed. See the official migration instructions for how to perform these migrations. Further, espanso-wayland
can now be used for Wayland support.
Only k3s
version 1.26 is included. Users of the k3s_1_24
or k3s_1_25
packages should upgrade to use the 1.26
version of the package.
The nerdfonts
package has been updated to major version 3, which includes potential breaking changes.
To follow RFC 0042 a few options of openssh
have been moved from extraConfig
to the new freeform option settings
and renamed, e.g.:
services.openssh.forwardX11
to services.openssh.settings.X11Forwarding
services.openssh.kbdInteractiveAuthentication
-> services.openssh.settings.KbdInteractiveAuthentication
services.openssh.passwordAuthentication
to services.openssh.settings.PasswordAuthentication
services.openssh.useDns
to services.openssh.settings.UseDns
services.openssh.permitRootLogin
to services.openssh.settings.PermitRootLogin
services.openssh.logLevel
to services.openssh.settings.LogLevel
services.openssh.kexAlgorithms
to services.openssh.settings.KexAlgorithms
services.openssh.macs
to services.openssh.settings.Macs
services.openssh.ciphers
to services.openssh.settings.Ciphers
services.openssh.gatewayPorts
to services.openssh.settings.GatewayPorts
vim_configurable
has been renamed to vim-full
to avoid confusion: vim-full
’s build-time features are configurable, but both vim
and vim-full
are customizable (in the sense of user configuration, like vimrc).
Pantheon now defaults to Mutter 43 and GNOME settings daemon 43, all Pantheon packages are now tracking elementary OS 7 updates.
The module for the application firewall opensnitch
got the ability to configure rules. Available as services.opensnitch.rules
The module usbmuxd
now has the ability to change the package used by the daemon. In case you’re experiencing issues with usbmuxd
you can try an alternative program like usbmuxd2
. Available as services.usbmuxd.package
netbox
was updated to 3.5. NixOS’ services.netbox.package
still defaults to 3.3 if stateVersion
is earlier than 23.05. Please review upstream’s breaking changes for 3.4.0 and for 3.5.0, and upgrade NetBox by changing services.netbox.package
. Database migrations will be run automatically.
services.netbox
now support RFC42-style options, through services.netbox.settings
.
services.mastodon
gained a tootctl wrapped named mastodon-tootctl
similar to nextcloud-occ
which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.
services.borgmatic
now allows for multiple configurations, placed in /etc/borgmatic.d/
, you can define them with services.borgmatic.configurations
.
service.openafsServer
features a new backup server pkgs.fabs
as a
replacement for openafs’s own buserver
. See
FABS to check if this is an viable
replacement. It stores backups as volume dump files and thus better integrates
into contemporary backup solutions.
services.maddy
got several updates:
Configuration of users and their credentials using services.maddy.ensureCredentials
.
TLS configuration is now possible via services.maddy.tls
with two loaders present: ACME and file based.
The dnsmasq
service now takes configuration via the
services.dnsmasq.settings
attribute set. The option
services.dnsmasq.extraConfig
will be deprecated when NixOS 22.11 reaches
end of life.
The dokuwiki
service is now configured via services.dokuwiki.sites.<name>.settings
attribute set; extraConfig
has been removed.
The {aclUse,superUser,disableActions}
attributes have been renamed accordingly. pluginsConfig
now only accepts an attribute set of booleans.
Passing plain PHP is no longer possible.
Same applies to acl
which now also only accepts structured settings
.
The zsh
package changes the way to set environment variables on NixOS systems where programs.zsh.enable
equals false
. It now sources /etc/set-environment
when reading the system-level zshenv
file. Before, it sourced /etc/profile
when reading the system-level zprofile
file.
The wordpress
service now takes configuration via the services.wordpress.sites.<name>.settings
attribute set, extraConfig
is still available to append additional text to wp-config.php
.
To reduce closure size in nixos/modules/profiles/minimal.nix
profile disabled installation documentations and manuals. Also disabled logrotate
and udisks2
services.
To reduce closure size in nixos/modules/installer/netboot/netboot-minimal.nix
profile disabled load linux firmwares, pre-installing the complete stdenv and networking.wireless
service.
The minimal ISO image now uses the nixos/modules/profiles/minimal.nix
profile.
NixOS installer ISOs can now be built for powerpc64le-linux
; see nixos/modules/installer/sd-card/sd-image-powerpc64le.nix
and PR 192672. Hydra does not support this platform, so you must build the binaries yourself.
The ghcWithPackages
and ghcWithHoogle
wrappers will now also symlink GHC’s
and all included libraries’ documentation to $out/share/doc
for convenience.
If undesired, the old behavior can be restored by overriding the builders with
{ installDocumentation = false; }
.
The nftables module now validates its ruleset at build time. The new networking.nftables.checkRuleset
option allows disabling this check, which may fail when rules have very specific requirements, that the sandbox environment, by default, will not cover. The networking.nftables.preCheckRuleset
option can be used to prepare the environment before the checks are run.
The services.mastodon
module now supports connection to a remote PostgreSQL
database.
services.nextcloud.database.createLocally
now uses socket authentication and is no longer compatible with password authentication.
If you want the module to manage the database for you, unset services.nextcloud.config.dbpassFile
(and services.nextcloud.config.dbhost
, if it’s set).
If you want to use password authentication and create the database locally, you will have to use services.mysql
to set it up.
services.nextcloud.config.objectstore.s3.sseCKeyFile
is a new option to enable server-side encryption with customer provided keys (SSE-C) for your S3 in Nextcloud.
NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to set up the plain encryption device over the underlying block device rather than allowing them to be determined by cryptsetup(8)
. One can use these features like so:
{
swapDevices = [ {
device = "/dev/disk/by-partlabel/swapspace";
randomEncryption = {
enable = true;
cipher = "aes-xts-plain64";
keySize = 512;
sectorSize = 4096;
};
} ];
}
New option security.pam.zfs
to enable unlocking and mounting of encrypted ZFS home dataset at login.
services.peertube
now requires you to specify the secret file secrets.secretsFile
. It can be generated by running openssl rand -hex 32
. Before upgrading, check the release notes for PeerTube v5.0.0.And backup your data.
services.chronyd
is now started with additional systemd sandbox/hardening options for better security.
PostgreSQL has added opt-in support for JIT compilation. It can be enabled like this:
{
services.postgresql.enableJIT = true;
}
services.netdata
offers a services.netdata.deadlineBeforeStopSec
option which will control the deadline (in seconds) after which systemd will consider your netdata instance as dead if it didn’t start in the elapsed time. It is helpful when your netdata instance takes longer to start because of a large amount of state or upgrades.
services.dhcpcd
service stopped soliciting or accepting IPv6 Router Advertisements on interfaces that use static IPv6 addresses.
If your network provides both IPv6 unique local addresses (ULA) and globally unique addresses (GUA) through autoconfiguration with SLAAC, you must add the parameter networking.dhcpcd.IPv6rs = true;
.
The module services.headscale
was refactored to be compliant with RFC 0042. To be precise, this means that the following things have changed:
Most settings have been migrated below services.headscale.settings which is a freeform attribute-set that will be converted into headscale’s YAML config format. This means that the configuration from headscale’s example configuration can be directly written as attribute-set in Nix within this option.
services.kubo
now unmounts ipfsMountDir
and ipnsMountDir
even if it is killed unexpectedly when autoMount
is enabled.
services.grafana
listens only on localhost by default again. This was changed to the upstream default of 0.0.0.0
by accident in the freeform setting conversion.
Grafana Tempo has been updated to version 2.0. See the upstream upgrade guide for migration instructions.
A new virtualisation.rosetta
module was added to allow running x86_64
binaries through Rosetta inside virtualised NixOS guests on Apple Silicon. This feature works by default with the UTM virtualisation package.
The new option users.motdFile
allows configuring a Message Of The Day that can be updated dynamically.
The root
package is now built with the "-Dgnuinstall=ON"
CMake flag, making the output conform the bin
lib
share
layout. In this layout, tutorials
is under share/doc/ROOT/
; cmake
, font
, icons
, js
and macro
under share/root
; Makefile.comp
and Makefile.config
under etc/root
.
There are various new options in the services.nginx
module:
Enabling global redirect in services.nginx.virtualHosts
now allows one to add exceptions with the locations
option.
The proxyCachePath
option has been added to services.nginx
. It allows configuring the proxy_cache_path
, that configures the storage path and various other settings for the cache.
A new option recommendedBrotliSettings
has been added to services.nginx
. Learn more about compression in Brotli format here.
services.nginx.recommendedProxySettings
now removes the Connection
header preventing clients from closing backend connections.
The nginx module also received an update to services.nginx.recommendedGzipSettings
:
Enables gzip compression for only certain proxied requests.
Allow checking and loading of precompressed files.
Updated gzip mime-types.
Increased the minimum length of a response that will be gzipped.
Garage version is based on system.stateVersion, existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow upstream instructions and configure services.garage.package.
Nebula now supports the services.nebula.networks.<name>.isRelay
and services.nebula.networks.<name>.relays
configuration options for setting up or allowing traffic relaying. See the announcement for more details about relays.
Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
The firewall
and nat
modules can now optionally rely on an nftables based implementation. Enable networking.nftables
to use it.
The services.fwupd
module now allows arbitrary daemon settings to be configured in a structured manner (services.fwupd.daemonSettings
).
services.xserver.desktopManager.plasma5.phononBackend
now defaults to vlc according to upstrean recommendation
The zramSwap
is now implemented with zram-generator
, and the option zramSwap.numDevices
for using ZRAM devices as general purpose ephemeral block devices has been removed.
As Singularity has renamed to Apptainer to distinguish from an un-renamed fork by Sylabs Inc., there are now two packages of Singularity/Apptainer:
apptainer
: From github.com/apptainer/apptainer
, which is the new repo after renaming.
singularity
: From github.com/sylabs/singularity
, which is the fork by Sylabs Inc…
singularity-tools.buildImage
got a new input argument singularity
to specify which package to use.
The new option programs.singularity.enableFakeroot
, if set to true
, provides --fakeroot
support for apptainer
and singularity
.
The new option services.tailscale.useRoutingFeatures
controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to server
, otherwise if you wish to use an exit node you can set this setting to client
. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.
openjdk
from version 11 and above is not build with openjfx
(i.e.: JavaFX) support by default anymore. You can re-enable it by overriding, e.g.: openjdk11.override { enableJavaFX = true; };
.
Xastir can now access AX.25 interfaces via the libax25
package.
nixos-version
now accepts --configuration-revision
to display more information about the current generation revision
The option services.nomad.extraSettingsPlugins
has been fixed to allow more than one plugin in the path.
The option services.prometheus.exporters.pihole.interval
does not exist anymore and has been removed.
The option services.gpsd.device
has been replaced with services.gpsd.devices
, which supports multiple devices.
k3s
can now be configured with an EnvironmentFile
for its systemd service, allowing secrets to be provided without ending up in the Nix Store.
The gitea
module options have been moved into a freeform attribute set below services.gitea.settings
.
boot.initrd.luks.device.<name>
has a new tryEmptyPassphrase
option, this is useful for OEMs who need to install an encrypted disk with a future settable passphrase
The bind
module now allows the per-zone allow-query
setting to be configured (previously it was hard-coded to any
; it still defaults to any
to retain compatibility).
The option services.jitsi-videobridge.apis
has been renamed to colibriRestApi
and turned into a boolean. Setting it to true
will enable the private rest API, useful for monitoring using services.prometheus.exporters.jitsi.enable
. Learn more about the API: “The COLIBRI control interface (/colibri/)”.
Booting from a volume managed by the Stratis storage management daemon is now supported. Use fileSystems.<name>.stratis.poolUuid
to configure the pool containing the fs.
buildDunePackage
now defaults to strictDeps = true
which means that any library should go into buildInputs
or checkInputs
. Any executable that is run on the building machine should go into nativeBuildInputs
or nativeCheckInputs
respectively. Example of executables are ocaml
, findlib
and menhir
. PPXs are libraries which are built by dune and should therefore not go into nativeBuildInputs
.
buildFHSUserEnv
is now called buildFHSEnv
and uses FlatPak’s Bubblewrap sandboxing tool rather than Nixpkgs’ own chrootenv. The old chrootenv-based implementation is still available via buildFHSEnvChroot
but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs.
Top-level buildPlatform
, hostPlatform
, targetPlatform
have been deprecated, use stdenv.X
instead.
carnix
and cratesIO
has been removed due to being unmaintained, use alternatives such as naersk and crate2nix instead.
checkInputs
have been renamed to nativeCheckInputs
, because they behave the same as nativeBuildInputs
when doCheck
is set. checkInputs
now denote a new type of dependencies, added to buildInputs
when doCheck
is set. As a rule of thumb, nativeCheckInputs
are tools on $PATH
used during the tests, and checkInputs
are libraries which are linked to executables built as part of the tests. Similarly, installCheckInputs
are renamed to nativeInstallCheckInputs
, corresponding to nativeBuildInputs
, and installCheckInputs
are a new type of dependencies added to buildInputs
when doInstallCheck
is set. (Note that this change will not cause breakage to derivations with strictDeps
unset, which are most packages except python, rust, ocaml and go packages).
DocBook option documentation, which has been deprecated since 22.11, will now cause a warning when documentation is built. Out-of-tree modules should migrate to using CommonMark documentation as outlined in the section called “Option Declarations” to silence this warning.
DocBook option documentation support will be removed in the next release and CommonMark will become the default. DocBook option documentation that has not been migrated until then will no longer render properly or cause errors.
lib.systems.examples.ghcjs
and consequently pkgsCross.ghcjs
now use the target triplet javascript-unknown-ghcjs
instead of js-unknown-ghcjs
. This has been done to match an upstream decision to follow Cabal’s platform naming more closely. Nixpkgs will also reject js
as an architecture name.
Lisp gained a manual section, documenting a new and backwards incompatible interface. The previous interface will be removed in a future release.
Calling makeSetupHook
without passing a name
argument is deprecated.
nixos/lib/make-disk-image.nix
handles contents
arguments that are directories better, fixing a bug where it used to put them in a subdirectory of the intended target
.
nixos/lib/make-disk-image.nix
can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual.
Nixpkgs now uses IEEE-standard floating point arithmetic on powerpc64le-linux
.
Deprecated xlibsWrapper
transitional package has been removed in favour of direct use of its constituents: xorg.libX11
, freetype
and others.
The Pipewire config semantics don’t really match the NixOS module semantics, so it’s extremely awkward to override the default config, especially when lists are involved. Vendoring the configuration files in nixpkgs also creates unnecessary maintenance overhead.
Also, upstream added a lot of accommodations to allow doing most of the things you’d want to do with a config edit in better ways.
Compare your settings to the defaults and where your configuration differs from them.
Then, create a drop-in JSON file in /etc/pipewire/<config file name>.d/99-custom.conf
(the actual filename can be anything) and migrate your changes to it according to the following sections.
Repeat for every file you’ve modified, changing the directory name accordingly.
If you are:
setting properties via *.properties
loading a new module to context.modules
creating new objects with context.objects
declaring SPA libraries with context.spa-libs
running custom commands with context.exec
adding new rules with *.rules
running custom PulseAudio commands with pulse.cmd
Move the definitions into the drop-in.
Note that the use of context.exec
is not recommended and other methods of running your thing are likely a better option.
{
"context.properties": {
"your.property.name": "your.property.value"
},
"context.modules": [
{ "name": "libpipewire-module-my-cool-thing" }
],
"context.objects": [
{ "factory": { ... } }
],
"alsa.rules": [
{ "matches: { ... }, "actions": { ... } }
]
}
context.modules
Look for an option to disable it via context.properties
("module.x11.bell": "false"
is likely the most common use case here).
If one is not available, proceed to Nuclear option.
context.modules
For most modules (e.g. libpipewire-module-rt
) it’s enough to load the module again with the new arguments, e.g.:
{
"context.modules": [
{
"name": "libpipewire-module-rt",
"args": {
"rt.prio": 90
}
}
]
}
Note that module-rt
specifically will generally use the highest values available by default, so setting limits on the pipewire
systemd service is preferable to reloading.
If reloading the module is not an option, proceed to Nuclear option.
If all else fails, you can still manually copy the contents of the default configuration file
from ${pkgs.pipewire}/share/pipewire
to /etc/pipewire
and edit it to fully override the default.
However, this should be done only as a last resort. Please talk to the Pipewire maintainers if you ever need to do this.
The NixOS release team is happy to announce a new version of NixOS 22.11. NixOS is a Linux distribution, whose set of packages can also be used on other Linux systems and macOS.
This release is supported until the end of June 2023, handing over to NixOS 23.05.
To upgrade to the latest release follow the upgrade chapter.
In addition to numerous new and upgraded packages, this release includes the following highlights:
Software that uses the crypt
password hashing API is now using the implementation provided by libxcrypt
instead of glibc’s, which enables support for more secure algorithms.
Support for algorithms that libxcrypt
does not consider strong are deprecated as of this release, and will be removed in NixOS 23.05.
This includes system login passwords. Given this, we strongly encourage all users to update their system passwords, as you will be unable to login if password hashes are not migrated by the time their support is removed.
When using users.users.<name>.hashedPassword
to configure user passwords, run mkpasswd
, and use the yescrypt hash that is provided as the new value.
On the other hand, for interactively configured user passwords, re-set the passwords for all users with passwd
.
This release introduces warnings for the use of deprecated hash algorithms for both methods of configuring passwords. To make sure you migrated correctly, run nixos-rebuild switch
.
The NixOS documentation is now generated from markdown. While docbook is still part of the documentation build process, it’s a big step towards the full migration.
aarch64-linux
is now included in the nixos-22.11
and nixos-22.11-small
channels. This means that when those channel update, both x86_64-linux
and aarch64-linux
will be available in the binary cache.
aarch64-linux
ISOs are now available on the downloads page.
nsncd
is now available as a replacement of nscd
.
nscd
is responsible for resolving hostnames, users and more in NixOS and has been a long standing source of bugs, such as sporadic network freezes.
More context in this issue.
Help us test the new implementation by setting services.nscd.enableNsncd
to true
.
We plan to use nsncd
by default in NixOS 23.05.
Linode cloud images are now supported by importing ${modulesPath}/virtualisation/linode-image.nix
and accessing system.build.linodeImage
on the output.
hardware.nvidia
has a new option, hardware.nvidia.open
, that can be used to enable the usage of NVIDIA’s open-source kernel driver. Note that the driver’s support for GeForce and Workstation GPUs is still alpha quality, see the release announcement for more information.
The emacs
package now makes use of native compilation which means:
Emacs packages from Nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine;
Emacs packages from somewhere else, e.g. package-install
, will perform asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use (setq native-comp-deferred-compilation nil)
to disable it while still benefiting from native compilation for packages from Nixpkgs.
Haskell ghcWithPackages
is now up to 15 times faster to evaluate, thanks to changing lib.closePropagation
from a quadratic to linear complexity. Please see backward incompatibilities notes below. https://github.com/NixOS/nixpkgs/pull/194391
For cross-compilation targets that can also run on the building machine, we now run tests. This, for example, is the case for the pkgsStatic
and pkgsLLVM
package sets or i686 packages on x86_64
machines.
To simplify cross-compilation in NixOS, this release introduces the nixpkgs.hostPlatform
and nixpkgs.buildPlatform
options. These cover and override the nixpkgs.{system,localSystem,crossSystem}
options.
hostPlatform
is the platform or “system
” string of the NixOS system
described by the configuration.
buildPlatform
is the platform that is responsible for building the NixOS
configuration. It defaults to the hostPlatform
, for a non-cross
build configuration. To cross compile, set buildPlatform
to a different
value.
The new options convey the same information, but with fewer options, and following the Nixpkgs terminology.
The existing options nixpkgs.{system,localSystem,crossSystem}
have not
been formally deprecated, to allow for evaluation of the change and to allow
for a transition period so that in time the ecosystem can switch without
breaking compatibility with any supported NixOS release.
Nix has been upgraded from v2.8.1 to v2.11.0. For more information, please see the release notes for 2.9, 2.10 and 2.11.
OpenSSL now defaults to OpenSSL 3, updated from 1.1.1.
GNOME has been upgraded to version 43. Please see the release notes for details.
KDE Plasma has been upgraded from v5.24 to v5.26. Please see the release notes for v5.25 and v5.26 for more details on the included changes.
Cinnamon has been updated to 5.4, and the Cinnamon module now defaults to Blueman as the Bluetooth manager and slick-greeter as the LightDM greeter, to match upstream.
PHP now defaults to PHP 8.1, updated from 8.0.
Perl has been updated to 5.36, and its core module HTTP::Tiny
was patched to verify SSL/TLS certificates by default.
Python now defaults to 3.10, updated from 3.9.
Nixpkgs now requires Nix 2.3 or newer.
The isCompatible
predicate checking CPU compatibility is no longer exposed
by the platform sets generated using lib.systems.elaborate
. In most cases
you will want to use the new canExecute
predicate instead which also
takes the kernel / syscall interface into account.
lib.systems.parse.isCompatible
still exists, but has changed semantically:
Architectures with differing endianness modes are no longer considered compatible.
ngrok
has been upgraded from 2.3.40 to 3.0.4. Please see the upgrade guide
and changelog. Notably, breaking changes are that the config file format has
changed and support for single hyphen arguments was dropped.
i18n.supportedLocales
is now only generated with the locales set in i18n.defaultLocale
and i18n.extraLocaleSettings
.
This reduces the final system closure size by up to 200MB.
If you require all locales installed, set the option to [ "all" ]
.
Deprecated settings logrotate.paths
and logrotate.extraConfig
have
been removed. Please convert any uses to
services.logrotate.settings instead.
The isPowerPC
predicate, found on platform
attrsets (hostPlatform
, buildPlatform
, targetPlatform
, etc) has been removed in order to reduce confusion. The predicate was was defined such that it matches only the 32-bit big-endian members of the POWER/PowerPC family, despite having a name which would imply a broader set of systems. If you were using this predicate, you can replace foo.isPowerPC
with (with foo; isPower && is32bit && isBigEndian)
.
The fetchgit
fetcher now uses cone mode by default for sparse checkouts. Non-cone mode can be enabled by passing nonConeMode = true
, but note that non-cone mode is deprecated and this option may be removed alongside a future Git update without notice.
The fetchgit
fetcher supports sparse checkouts via the sparseCheckout
option. This used to accept a multi-line string with directories/patterns to check out, but now requires a list of strings.
openssh
was updated to version 9.1, disabling the generation of DSA keys when using ssh-keygen -A
as they are insecure. Also, SetEnv
directives in ssh_config
and sshd_config
are now first-match-wins.
bsp-layout
no longer uses the command cycle
to switch to other window layouts, as it got replaced by the commands previous
and next
.
The Barco ClickShare driver/client package pkgs.clickshare-csc1
and the option programs.clickshare-csc1.enable
have been removed,
as it requires qt4
, which reached its end-of-life 2015 and will no longer be supported by nixpkgs.
According to Barco many of their base unit models can be used with Google Chrome and the Google Cast extension.
services.hbase
has been renamed to services.hbase-standalone
.
For production HBase clusters, use services.hadoop.hbase
instead.
The p4
package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries p4d
, p4broker
, and p4p
. To install the Helix Core Server binaries, use the p4d
package instead.
The OpenSSL extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if
system.stateVersion
is below 22.11
. This is to make sure that people using server-side encryption
don’t lose access to their files.
In any other case, it’s safe to use OpenSSL 3 for PHP’s OpenSSL extension. This can be done by setting
services.nextcloud.enableBrokenCiphersForSSE
to false
.
The coq
package and versioned variants starting at coq_8_14
no
longer include CoqIDE, which is now available through
coqPackages.coqide
. It is still possible to get CoqIDE as part of
the coq
package by overriding the buildIde
argument of the
derivation.
PHP 7.4 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 22.11 release.
The ipfs package and module were renamed to kubo. The kubo module now uses an RFC42-style settings
option instead of extraConfig
and the gatewayAddress
, apiAddress
and swarmAddress
options were renamed. Using the old names will print a warning but still work.
pkgs.cosign
does not provide the cosigned
binary anymore. The sget
binary has been moved into its own package.
Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues.
Users who still wish to remain using GTK can do so by using emacs-gtk
.
kanidm
has been updated to 1.1.0-alpha.10 and now requires a TLS certificate and key. It will always start https
and-–-if enabled-–-an LDAPS server and no HTTP and LDAP server anymore.
riak package removed along with services.riak
module, due to lack of maintainer to update the package.
ppd files in pkgs.cups-drv-rastertosag-gdi
are now gzipped. If you refer to such a ppd file with its path (e.g. via hardware.printers.ensurePrinters) you will need to append .gz
to the path.
xow package removed along with the hardware.xow
module, due to the project being deprecated in favor of xone
, which is available via the hardware.xone
module.
dd-agent package removed along with the services.dd-agent
module, due to the project being deprecated in favor of datadog-agent
, which is available via the services.datadog-agent
module.
teleport
has been upgraded to major version 10. Please see upstream upgrade instructions and release notes.
lib.closePropagation
now needs that all gathered sets have an outPath
attribute.
lemmy module option services.lemmy.settings.database.createLocally
moved to services.lemmy.database.createLocally
.
virtlyst package and services.virtlyst
module removed, due to lack of maintainers.
The nix.checkConfig
option now fully disables the config check. The new nix.checkAllErrors
option behaves like nix.checkConfig
previously did.
generateOptparseApplicativeCompletions
and generateOptparseApplicativeCompletion
from haskell.lib.compose
(and haskell.lib
) have been deprecated in favor of generateOptparseApplicativeCompletions
(plural!) as
provided by the haskell package sets (so haskellPackages.generateOptparseApplicativeCompletions
etc.).
The latter allows for cross-compilation (by automatically disabling generation of completion in the cross case).
For it to work properly you need to make sure that the function comes from the same context as the package
you are trying to override, i.e. always use the same package set as your package is coming from or – even
better – use self.generateOptparseApplicativeCompletions
if you are overriding a haskell package set.
The old functions are retained for backwards compatibility, but yield are warning.
The services.graphite.api
and services.graphite.beacon
NixOS options, and
the python3.pkgs.graphite_api
, python3.pkgs.graphite_beacon
and
python3.pkgs.influxgraph
packages, have been removed due to lack of upstream
maintenance.
The trace
binary from perf-linux
package has been removed, due to being a duplicate of the perf
binary.
The aws
package has been removed due to being abandoned by the upstream. It is recommended to use awscli
or awscli2
instead.
The CEmu TI-84 Plus CE emulator package has been renamed to cemu-ti
. The Cemu Wii U emulator is now packaged as cemu
.
systemd-networkd
v250 deprecated, renamed, and moved some sections and settings which leads to the following breaking module changes:
systemd.network.networks.<name>.dhcpV6PrefixDelegationConfig
is renamed to systemd.network.networks.<name>.dhcpPrefixDelegationConfig
.
systemd.network.networks.<name>.dhcpV6Config
no longer accepts the ForceDHCPv6PDOtherInformation=
setting. Please use the WithoutRA=
and UseDelegatedPrefix=
settings in your systemd.network.networks.<name>.dhcpV6Config
and the DHCPv6Client=
setting in your systemd.network.networks.<name>.ipv6AcceptRAConfig
to control when the DHCPv6 client is started and how the delegated prefixes are handled by the DHCPv6 client.
systemd.network.networks.<name>.networkConfig
no longer accepts the IPv6Token=
setting. Use the Token=
setting in your systemd.network.networks.<name>.ipv6AcceptRAConfig
instead. The systemd.network.networks.<name>.ipv6Prefixes.*.ipv6PrefixConfig
now also accepts the Token=
setting.
arangodb
versions 3.3, 3.4, and 3.5 have been removed because they are at EOL upstream. The default is now 3.10.0. Support for aarch64-linux has been removed since the target cannot be built reproducibly. By default arangodb
is now built for the haswell
architecture. If you wish to build for a different architecture, you may override the targetArchitecture
argument with a value from this list supported upstream. Some architecture specific optimizations are also conditionally enabled. You may alter this behavior by overriding the asmOptimizations
parameter. You may also add additional architecture support by adding more -DHAS_XYZ
flags to cmakeFlags
via overrideAttrs
.
The meta.mainProgram
attribute of packages in wineWowPackages
now defaults to "wine64"
.
The paperless
module now defaults PAPERLESS_TIME_ZONE
to your configured system timezone.
The top-level termonad-with-packages
alias for termonad
has been removed.
Linux 4.9 has been removed because it will reach its end of life within the lifespan of 22.11.
(Neo)Vim can not be configured with configure.pathogen
anymore to reduce maintenance burden.
Use configure.packages
instead.
Neovim can not be configured with plug anymore (still works for vim).
The adguardhome
module no longer uses host
and port
options, use settings.bind_host
and settings.bind_port
instead.
The default kops
version is now 1.25.1 and support for 1.22 and older has been dropped.
The zrepl
package has been updated from 0.5.0 to 0.6.0. See the changelog for details.
k3s
no longer supports Docker as runtime due to upstream dropping support.
cassandra_2_1
and cassandra_2_2
have been removed. Please update to cassandra_3_11
or cassandra_3_0
. See the changelog for more information about the upgrade process.
mysql57
has been removed. Please update to mysql80
or mariadb
. See the upgrade guide for more information.
Consequently, cqrlog
and amorok
now use mariadb
instead of mysql57
for their embedded databases. Running mysql_upgrade
may be necessary.
k3s
supports clusterInit
option, and it is enabled by default, for servers.
percona-server56
has been removed. Please migrate to mysql
or mariadb
if possible.
obs-studio
hase been updated to version 28. If you have packaged custom plugins, check if they are compatible. obs-websocket
has been integrated into obs-studio
.
signald
has been bumped to 0.23.0
. For the upgrade, a migration process is necessary. It can be
done by running a command like this before starting signald.service
:
signald -d /var/lib/signald/db \
--database sqlite:/var/lib/signald/db \
--migrate-data
For further information, please read the upstream changelogs.
stylua
no longer accepts lua52Support
and luauSupport
overrides. Use features
instead, which defaults to [ "lua54" "luau" ]
.
ocamlPackages.ocaml_extlib
has been renamed to ocamlPackages.extlib
.
pkgs.fetchNextcloudApp
has been rewritten to circumvent impurities in e.g. tarballs from GitHub and to make it easier to
apply patches. This means that your hashes are out-of-date and the (previously required) attributes name
and version
are no longer accepted.
The Syncthing service now only allows absolute paths—starting with /
or
~/
—for services.syncthing.folders.<name>.path
.
In a future release other paths will be allowed again and interpreted
relative to services.syncthing.dataDir
.
services.github-runner
and services.github-runners.<name>
gained the option serviceOverrides
which allows overriding the systemd serviceConfig
. If you have been overriding the systemd service configuration (i.e., by defining systemd.services.github-runner.serviceConfig
), you have to use the serviceOverrides
option now. Example:
{
services.github-runner.serviceOverrides.SupplementaryGroups = [
"docker"
];
}
PHP is now built in NTS
(Non-Thread Safe) mode by default.
For Apache and mod_php
usage, we enable ZTS
(Zend Thread Safe) mode. This has been a
common practice for a long time in other distributions.
firefox
, thunderbird
and librewolf
now come with Wayland support by default. The firefox-wayland
, firefox-esr-wayland
, thunderbird-wayland
and librewolf-wayland
attributes are obsolete and have been aliased to their generic attribute.
The xplr
package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the upstream release notes for more details.
Configuring multiple GitHub runners is now possible through services.github-runners.<name>
. The options under services.github-runner
remain, to configure a single runner.
github-runner
gained support for ephemeral runners and registrations using a personal access token (PAT) instead of a registration token. See services.github-runner.ephemeral
and services.github-runner.tokenFile
for details.
A new module was added to provide hardware support for the Saleae Logic device family, providing the options hardware.saleae-logic.enable
and hardware.saleae-logic.package
.
ZFS module will no longer allow hibernation by default.
This is a safety measure to prevent data loss cases like the ones described at OpenZFS/260 and OpenZFS/12842.
Use the boot.zfs.allowHibernation
option to configure this behaviour.
Mastodon now automatically removes remote media attachments older than 30 days. This is configurable through services.mastodon.mediaAutoRemove
.
The Redis module now disables RDB persistence when services.redis.servers.<name>.save = []
instead of using the Redis default.
Neo4j was updated from version 3 to version 4. See upstream’s migration guide for information on how to migrate your instance.
The networking.wireguard
module now can set the mtu on interfaces and tag its packets with an fwmark.
The option overrideStrategy
was added to the different systemd unit options (systemd.services.<name>
, systemd.sockets.<name>
, …) to allow enforcing the creation of a dropin file, rather than the main unit file, by setting it to asDropin
.
This is useful in cases where the existence of the main unit file is not known to Nix at evaluation time, for example when the main unit file is provided by adding a package to systemd.packages
.
See the fix proposed in NixOS’s systemd abstraction doesn’t work with systemd template units for an example.
The polymc
package has been removed due to a rogue maintainer. It has been
replaced by prismlauncher
, a fork by the rest of the maintainers. For more
details, see the PR that made this change and
the issue detailing the vulnerability.
Users with existing installations should rename ~/.local/share/polymc
to
~/.local/share/PrismLauncher
. The main config file’s path has also moved
from ~/.local/share/polymc/polymc.cfg
to
~/.local/share/PrismLauncher/prismlauncher.cfg
.
The bloat
package has been updated from unstable-2022-03-31 to unstable-2022-10-25, which brings a breaking change. See this upstream commit message for details.
Synapse’s systemd unit has been hardened.
The module services.grafana
was refactored to be compliant with RFC 0042. To be precise, this means that the following things have changed:
The newly introduced option services.grafana.settings
is an attribute-set that
will be converted into Grafana’s INI format. This means that the configuration from
Grafana’s configuration reference
can be directly written as attribute-set in Nix within this option.
The option services.grafana.extraOptions
has been removed. This option was an association
of environment variables for Grafana. If you had an expression like
{
services.grafana.extraOptions.SECURITY_ADMIN_USER = "foobar";
}
your Grafana instance was running with GF_SECURITY_ADMIN_USER=foobar
in its environment.
For the migration, it is recommended to turn it into the INI format, i.e. to declare
{
services.grafana.settings.security.admin_user = "foobar";
}
instead.
The keys in services.grafana.extraOptions
have the format <INI section name>_<Key Name>
.
Further details are outlined in the configuration reference.
Alternatively you can also set all your values from extraOptions
to
systemd.services.grafana.environment
, make sure you don’t forget to add
the GF_
prefix though!
Previously, the options services.grafana.provision.datasources and services.grafana.provision.dashboards expected lists of datasources or dashboards for the declarative provisioning.
To declare lists of
datasources, please rename your declarations to services.grafana.provision.datasources.settings.datasources.
dashboards, please rename your declarations to services.grafana.provision.dashboards.settings.providers.
This change was made to support more features for that:
It’s possible to declare the apiVersion
of your dashboards and datasources
by services.grafana.provision.datasources.settings.apiVersion (or
services.grafana.provision.dashboards.settings.apiVersion).
Instead of declaring datasources and dashboards in pure Nix, it’s also possible to specify configuration files (or directories) with YAML instead using services.grafana.provision.datasources.path (or services.grafana.provision.dashboards.path. This is useful when having provisioning files from non-NixOS Grafana instances that you also want to deploy to NixOS.
Note: secrets from these files will be leaked into the store unless you use a file-provider or env-var for secrets!
services.grafana.provision.notifiers
is not affected by this change because
this feature is deprecated by Grafana and will probably be removed in Grafana 10.
It’s recommended to use services.grafana.provision.alerting.contactPoints
instead.
The services.grafana.provision.alerting
option was added. It includes suboptions for every alerting-related objects (with the exception of notifiers
), which means it’s now possible to configure modern Grafana alerting declaratively.
Synapse now requires entries in the state_group_edges
table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
The diamond
package has been update from 0.8.36 to 2.0.15. See the upstream release notes for more details.
The guake
package has been updated from 3.6.3 to 3.9.0, see the changelog for more details.
The netlify-cli
package has been updated from 6.13.2 to 12.2.4, see the changelog for more details.
dockerTools.buildImage
’s contents
parameter has been deprecated in favor of copyToRoot
.
Use copyToRoot = buildEnv { ... };
or similar if you intend to add packages to /bin
.
The proxmox.qemuConf.bios
option was added, it corresponds to Hardware->BIOS
field in Proxmox web interface. Use "ovmf"
value to build UEFI image, default value remains "bios"
. New option proxmox.partitionTableType
defaults to either "legacy"
or "efi"
, depending on the bios
value. Setting partitionTableType
to "hybrid"
results in an image, which supports both methods ("bios"
and "ovmf"
), thereby remaining bootable after change to Proxmox Hardware->BIOS
field.
memtest86+ was updated from 5.00-coreboot-002 to 6.00-beta2. It is now the upstream version from https://www.memtest.org/, as coreboot’s fork is no longer available.
Option descriptions, examples, and defaults writing in DocBook are now deprecated. Using CommonMark is preferred and will become the default in a future release.
The documentation.nixos.options.allowDocBook
option was added to ease the transition to CommonMark option documentation. Setting this option to false
causes an error for every option included in the manual that uses DocBook documentation; it defaults to true
to preserve the previous behavior and will be removed once the transition to CommonMark is complete.
The Redis module now persists each instance’s configuration file in the state directory, in order to support some more advanced use cases like Sentinel.
protonup
has been aliased to and replaced by protonup-ng
due to upstream not maintaining it.
The udisks2 service, available at services.udisks2.enable
, is now disabled by default. It will automatically be enabled through services and desktop environments as needed.
This also means that polkit will now actually be disabled by default. The default for security.polkit.enable
was already flipped in the previous release, but udisks2 being enabled by default re-enabled it.
Nextcloud has been updated to version 25. Additionally the following things have changed for Nextcloud in NixOS:
For Nextcloud >=24, the default PHP version is 8.1.
Nextcloud 23 has been removed since it will reach its end of life in December 2022.
If system.stateVersion
is >=22.11, Nextcloud 25 will be installed by default. For older versions,
Nextcloud 24 will be installed.
Please ensure that you only upgrade one major release at a time! Nextcloud doesn’t support upgrades across multiple versions, i.e. an upgrade from 23 to 25 is only possible when upgrading to 24 first.
systemd-oomd is enabled by default. Depending on which systemd units have
ManagedOOMSwap=kill
or ManagedOOMMemoryPressure=kill
, systemd-oomd will
SIGKILL all the processes under the appropriate descendant cgroups when the
configured limits are exceeded. NixOS does currently not configure cgroups
with oomd by default, this can be enabled using
systemd.oomd.enableRootSlice,
systemd.oomd.enableSystemSlice,
and systemd.oomd.enableUserServices.
The tt-rss
service performs two database migrations when you first use its web UI after upgrade. Consider backing up its database before updating.
The pass-secret-service
package now includes systemd units from upstream, so adding it to the NixOS services.dbus.packages
option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API.
The Wordpress module now has support for installing language packs through a new option, services.wordpress.sites.<site>.languages
.
The default package for services.mullvad-vpn.package
was changed to pkgs.mullvad
, allowing cross-platform usage of Mullvad. pkgs.mullvad
only contains the Mullvad CLI tool, so users who rely on the Mullvad GUI will want to change it back to pkgs.mullvad-vpn
, or add pkgs.mullvad-vpn
to their environment.
PowerDNS has been updated from v4.6.2 to v4.7.2. Please be sure to review the Upgrade Notes provided by upstream before upgrading. Worth specifically noting is that the new Catalog Zones feature comes with a mandatory schema change for the GSQL database backends, which has to be manually applied.
There is a new module for the thunar
program (the Xfce file manager), which depends on the xfconf
dbus service, and also has a dbus service and a systemd unit. The option services.xserver.desktopManager.xfce.thunarPlugins
has been renamed to programs.thunar.plugins
, and may be removed in a future release.
There is a new module for xfconf
(the Xfce configuration storage system), which has a dbus service.
The Mastodon package has been upgraded to v4.0.0. See the v4.0.0 release notes for a list of changes. On standard setups, no manual migration steps are required. Nevertheless, a database backup is recommended.
The nomad
package now defaults to v1.3, which no longer has a downgrade path to v1.2 or older.
The nodePackages
package set now defaults to the LTS release in the nodejs
package again, instead of being pinned to nodejs-14_x
. Several updates to node2nix have been made for compatibility with newer Node.js and npm versions and a new postRebuild
hook has been added for packages to perform extra build steps before the npm install step prunes dev dependencies.
boot.kernel.sysctl
is defined as a freeformType and adds a custom merge option for net.core.rmem_max
(taking the highest value defined to avoid conflicts between 2 services trying to set that value).
The mame
package does not ship with its tools anymore in the default output. They were moved to a separate tools
output instead. For convenience, mame-tools
package was added for those who want to use it.
A NixOS module for Firefox has been added which allows preferences and policies to be set. This also allows extensions to be installed via the ExtensionSettings
policy. The new options are under programs.firefox
.
The option services.picom.experimentalBackends
was removed since it is now the default and the option will cause picom
to quit instead.
haskellPackages.callHackage
is not always invalidated if all-cabal-hashes
changes, leading to less rebuilds of haskell dependencies.
haskellPackages.callHackage
and haskellPackages.callCabal2nix
(and related functions) no longer keep a reference to the cabal2nix
call used to generate them. As a result, they will be garbage collected more often.
alps, a simple and extensible webmail. Available as services.alps.
appvm, Nix based app VMs. Available as virtualisation.appvm.
AusweisApp2, the authentication software for the German ID card. Available as programs.ausweisapp.
automatic-timezoned. a Linux daemon to automatically update the system timezone based on location. Available as services.automatic-timezoned.
Dolibarr, an enterprise resource planning and customer relationship manager. Enable using services.dolibarr.
dragonflydb, a modern replacement for Redis and Memcached. Available as services.dragonflydb.
endlessh-go, an SSH tarpit that exposes Prometheus metrics. Available as services.endlessh-go.
endlessh, an SSH tarpit. Available as services.endlessh.
EVCC is an EV charge controller with PV integration. It supports a multitude of chargers, meters, vehicle APIs and more and ties that together with a well-tested backend and a lightweight web frontend. Available as services.evcc.
expressvpn, the CLI client for ExpressVPN. Available as services.expressvpn.
FreshRSS, a free, self-hostable RSS feed aggregator. Available as services.freshrss.
Garage, a simple object storage server for geodistributed deployments, alternative to MinIO. Available as services.garage.
go-autoconfig, IMAP/SMTP autodiscover server. Available as services.go-autoconfig.
Grafana Tempo, a distributed tracing store. Available as services.tempo.
HBase cluster, a distributed, scalable, big data store. Available as services.hadoop.hbase.
infnoise, a hardware True Random Number Generator dongle. Available as services.infnoise.
kanata, a tool to improve keyboard comfort and usability with advanced customization. Available as services.kanata.
karma, an alert dashboard for Prometheus Alertmanager. Available as services.karma
Komga, a free and open source comics/mangas media server. Available as services.komga.
kthxbye, an alert acknowledgement management daemon for Prometheus Alertmanager. Available as services.kthxbye
languagetool, a multilingual grammar, style, and spell checker. Available as services.languagetool.
Listmonk, a self-hosted newsletter manager. Enable using services.listmonk.
Mepo, a fast, simple, hackable OSM map viewer for mobile and desktop Linux. Available as programs.mepo.enable.
merecat, a small and easy HTTP server based on thttpd. Available as services.merecat
netbird, a zero configuration VPN. Available as services.netbird.
ntfy.sh, a push notification service. Available as services.ntfy-sh
OpenRGB, a FOSS tool for controlling RGB lighting. Available as services.hardware.openrgb.enable.
Outline, a wiki and knowledge base similar to Notion. Available as services.outline.
Patroni, a template for PostgreSQL HA with ZooKeeper, etcd or Consul. Available as services.patroni.
persistent-evdev, a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as services.persistent-evdev.
Please, a Sudo clone written in Rust. Available as security.please.
Prometheus IPMI exporter, an IPMI exporter for Prometheus. Available as services.prometheus.exporters.ipmi.
Sachet, an SMS alerting tool for the Prometheus Alertmanager. Available as services.prometheus.sachet.
schleuder, a mailing list manager with PGP support. Enable using services.schleuder.
syncstorage-rs, a self-hostable sync server for Firefox. Available as services.firefox-syncserver.
Tandoor Recipes, a self-hosted multi-tenant recipe collection. Available as services.tandoor-recipes.
TAYGA, an out-of-kernel stateless NAT64 implementation. Available as services.tayga.
tmate-ssh-server, server side part of tmate. Available as services.tmate-ssh-server.
Uptime Kuma, a fancy self-hosted monitoring tool. Available as services.uptime-kuma.
WriteFreely, a simple blogging platform with ActivityPub support. Available as services.writefreely.
xray, a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as services.xray.
Support is planned until the end of December 2022, handing over to 22.11.
In addition to numerous new and upgraded packages, this release has the following highlights:
Nix has been updated from 2.3 to 2.8. This mainly brings experimental support
for Flakes, but also marks the nix
command as experimental which now has to
be enabled via the configuration explicitly. For more information and
instructions for upgrades, see the
release notes for nix-2.4,
nix-2.5,
nix-2.6,
nix-2.7 and
nix-2.8
The firefox
browser on x86_64-linux
now makes use of profile-guided
optimisation, resulting in a much more responsive browsing experience.
GNOME has been upgraded to 42. Please take a look at their Release Notes for details. In particular, it replaces gedit with GNOME Text Editor, GNOME Terminal with GNOME Console (formerly King’s Cross) and GNOME Screenshot by a tool integrated into the Shell.
PHP 8.1 is now available.
systemd services can now set systemd.services.<name>.reloadTriggers instead of reloadIfChanged
for a more granular distinction between reloads and restarts.
Systemd has been upgraded to the version 250.
Pulseaudio has been updated to version 15.0 and now optionally
supports additional Bluetooth audio codecs
such as aptX or LDAC, with codec switching available in pavucontrol
. This
feature is disabled by default, but can be enabled with the option
hardware.pulseaudio.package = pkgs.pulseaudioFull;
. Existing third-party
modules that offered similar functions, such as pulseaudio-modules-bt
or
pulseaudio-hsphfpd
, are obsolete and have been removed.
PostgreSQL now defaults to major version 14.
Module authors can use mkRenamedOptionModuleWith
to automate the deprecation cycle without annoying out-of-tree module authors and their users.
The default GHC version has been updated from 8.10.7 to 9.0.2. pkgs.haskellPackages
and pkgs.ghc
will now use this version by default.
The GNOME and Plasma installation CDs now use pkgs.calamares
and pkgs.calamares-nixos-extensions
to allow users to easily install and set up NixOS with a GUI.
security.acme.defaults
has been added to simplify the configuration of
settings for many certificates at once. This also opens up the option to use
DNS-01 validation when using enableACME
web server virtual hosts (e.g.
services.nginx.virtualHosts.*.enableACME
).
1password, command-lines and graphic interface for 1Password. Available as programs._1password and programs._1password-gui.
aesmd, the Intel SGX Architectural Enclave Service Manager. Available as services.aesmd.
agate, a very simple server for the Gemini hypertext protocol. Available as services.agate.
apfs, a kernel module for mounting the Apple File System (APFS).
argonone, a replacement daemon for the Raspberry Pi Argon One power button and cooler. Available at services.hardware.argonone.
ArchiSteamFarm, a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as services.archisteamfarm.
BaGet, a lightweight NuGet and symbol server. Available at services.baget.
bird-lg, a BGP looking glass for Bird Routing. Available as services.bird-lg.
blocky, fast and lightweight DNS proxy as ad-blocker for local network with many features. Available as services.blocky.
cloudflare-dyndns, CloudFlare Dynamic DNS client. Available as services.cloudflare-dyndns.
Corosync and Pacemaker, A open-source high availability resource manager. Available as services.corosync and services.pacemaker.
create_ap, a module for creating wifi hotspots using the program linux-wifi-hotspot. Available as services.create_ap.
Envoy, a high-performance reverse proxy. Available as services.envoy.
ergochat, a modern IRC with IRCv3 features. Available as services.ergochat.
ethercalc, an online collaborative spreadsheet. Available as services.ethercalc.
filebeat, a lightweight shipper for forwarding and centralizing log data. Available as services.filebeat.
FRRouting, a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VRRP and others). Available as services.frr.
Grafana Mimir, an open source, horizontally scalable, highly available, multi-tenant, long-term storage for Prometheus. Available as services.mimir.
Haste, a pastebin written in node.js. Available as services.haste.
headscale, an Open Source implementation of the Tailscale Control Server. Available as services.headscale.
heisenbridge, a bouncer-style Matrix IRC bridge. Available as services.heisenbridge.
https-dns-proxy, DNS to DNS over HTTPS (DoH) proxy. Available as services.https-dns-proxy.
input-remapper, an easy to use tool to change the mapping of your input device buttons. Available at services.input-remapper.
InvoicePlane, web application for managing and creating invoices. Available at services.invoiceplane.
k3b, the KDE disk burning application. Available as programs.k3b.
K40-Whisperer, a program to control cheap Chinese laser cutters. Available as programs.k40-whisperer.enable. Users must add themselves to the k40
group to be able to access the device.
kanidm, an identity management server written in Rust. Available as services.kanidm
Maddy, a free an open source mail server. Available as services.maddy.
matrix-conduit, a simple, fast and reliable chat server powered by matrix. Available as services.matrix-conduit.
Moosefs, fault tolerant petabyte distributed file system. Available as moosefs.
mozillavpn, the client for the Mozilla VPN service. Available as services.mozillavpn.
mtr-exporter, a Prometheus exporter for mtr metrics. Available as services.mtr-exporter.
nbd, a Network Block Device server. Available as services.nbd.
netbox, infrastructure resource modeling (IRM) tool. Available as services.netbox.
nethoscope, listen to your network traffic. Available as programs.nethoscope.
nifi, an easy to use, powerful, and reliable system to process and distribute data. Available as services.nifi.
nix-ld, Run unpatched dynamic binaries on NixOS. Available as programs.nix-ld.
NNCP, NNCP (Node to Node copy) utilities and configuration, Available as programs.nncp.
pgadmin4, an admin interface for the PostgreSQL database. Available at services.pgadmin.
PowerDNS-Admin, a web interface for the PowerDNS server. Available at services.powerdns-admin.
prometheus-pve-exporter, a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as services.prometheus.exporters.pve.
prosody-filer, a server for handling XMPP HTTP Upload requests. Available at services.prosody-filer.
Public Inbox, an “archives first” approach to mailing lists. Available as services.public-inbox.
r53-ddns, a small tool to run your own DDNS service via AWS Route53. Available as services.r53-ddns.
rmfakecloud, a clone of the cloud sync the remarkable tablet. Available as services.rmfakecloud.
rootless Docker, a systemd --user
Docker service which runs without root permissions. Available as virtualisation.docker.rootless.enable.
rstudio-server, a browser-based version of the RStudio IDE for the R programming language. Available as services.rstudio-server.
mediamtx, ready-to-use RTSP / RTMP / HLS server and proxy that allows to read, publish and proxy video and audio streams. Available as services.mediamtx.
Snipe-IT, a free open source IT asset/license management system. Available as services.snipe-it.
snowflake-proxy, a system to defeat internet censorship. Available as services.snowflake-proxy.
sslmate-agent, a daemon for managing SSL/TLS certificates on a server. Available as services.sslmate-agent.
starship, a minimal, blazing-fast, and infinitely customizable prompt for any shell. Available at programs.startship.
systembus-notify, allow system level notifications to reach the users. Available as services.systembus-notify. Please keep in mind that this service should only be enabled on machines with fully trusted users, as any local user is able to DoS user sessions by spamming notifications.
teleport, allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at services.teleport.
tetrd, share your internet connection from your device to your PC and vice versa through a USB cable. Available at services.tetrd.
uptermd, an open-source solution for sharing terminal sessions instantly over the public internet via secure tunnels. Available at services.uptermd.
usbrelayd, an USB Relay MQTT daemon. Available as services.usbrelayd.
webdav-server-rs, Webdav server in rust. Available as services.webdav-server-rs.
wg-netmanager, the Wireguard network manager. Available as services.wg-netmanager.
Zammad, a web-based, open source user support/ticketing solution. Available as services.zammad.
pkgs.ghc
now refers to pkgs.targetPackages.haskellPackages.ghc
.
This only makes a difference if you are cross-compiling and will
ensure that pkgs.ghc
always runs on the host platform and compiles
for the target platform (similar to pkgs.gcc
for example).
haskellPackages.ghc
still behaves as before, running on the build
platform and compiling for the host platform (similar to stdenv.cc
).
This means you don’t have to adjust your derivations if you use
haskellPackages.callPackage
, but when using pkgs.callPackage
and
taking ghc
as an input, you should now use buildPackages.ghc
instead to ensure cross compilation keeps working (or switch to
haskellPackages.callPackage
).
pkgs.ghc.withPackages
as well as haskellPackages.ghcWithPackages
etc.
now needs be overridden directly, as opposed to overriding the result of
calling it. Additionally, the withLLVM
parameter has been renamed to
useLLVM
. So instead of (ghc.withPackages (p: [])).override { withLLVM = true; }
,
one needs to use (ghc.withPackages.override { useLLVM = true; }) (p: [])
.
The update of the haskell package set brings with it a new version of the xmonad
module, which will break your configuration if you use launch
as entrypoint. The
example code the corresponding nixos module was adjusted, you may want to have a look at it.
The home-assistant
module now requires users that don’t want their
configuration to be managed declaratively to set
services.home-assistant.config = null;
. This is required
due to the way default settings are handled with the new settings style.
Additionally the default list of extraComponents
now includes the minimal
dependencies to successfully complete the onboarding
procedure.
pkgs.emacsPackages.orgPackages
is removed because org elpa is deprecated.
The packages in the top level of pkgs.emacsPackages
, such as org and
org-contrib, refer to the ones in pkgs.emacsPackages.elpaPackages
and
pkgs.emacsPackages.nongnuPackages
where the new versions will release.
The configuration and state directories used by nixos-containers
have been
moved from /etc/containers
and /var/lib/containers
to
/etc/nixos-containers
and /var/lib/nixos-containers
.
If you are changing system.stateVersion
to "22.05"
manually on an existing
system you are responsible for migrating these directories yourself.
This is to improve compatibility with libcontainer
based software such as Podman and Skopeo
which assumes they have ownership over /etc/containers
.
lib.systems.supported
has been removed, as it was overengineered for determining the systems to support in the nixpkgs flake. The list of systems exposed by the nixpkgs flake can now be accessed as lib.systems.flakeExposed
.
For new installations virtualisation.oci-containers.backend
is now set to podman
by default.
If you still want to use Docker on systems where system.stateVersion
is set to to "22.05"
set virtualisation.oci-containers.backend = "docker";
.Old systems with older stateVersion
s stay with “docker”.
security.klogd
was removed. Logging of kernel messages is handled
by systemd since Linux 3.5.
pkgs.ssmtp
has been dropped due to the program being unmaintained.
pkgs.msmtp
can be used instead as a substitute sendmail
implementation.
The corresponding options services.ssmtp.*
have been removed as well.
programs.msmtp.*
can be used instead for an equivalent setup. For example:
{
# Original ssmtp configuration:
services.ssmtp = {
enable = true;
useTLS = true;
useSTARTTLS = true;
hostName = "smtp.example:587";
authUser = "someone";
authPassFile = "/secrets/password.txt";
};
# Equivalent msmtp configuration:
programs.msmtp = {
enable = true;
accounts.default = {
tls = true;
tls_starttls = true;
auth = true;
host = "smtp.example";
port = 587;
user = "someone";
passwordeval = "cat /secrets/password.txt";
};
};
}
services.kubernetes.addons.dashboard
was removed due to it being an outdated version.
services.kubernetes.scheduler.{port,address}
now set --secure-port
and --bind-address
instead of --port
and --address
, since the former have been deprecated and are no longer functional in kubernetes>=1.23. Ensure that you are not relying on the insecure behaviour before upgrading.
In the PowerDNS Recursor module (services.pdns-recursor
), default values of several IP address-related NixOS options have been updated to match the default upstream behavior.
In particular, Recursor by default will:
listen on (and allows connections from) both IPv4 and IPv6 addresses
(services.pdns-recursor.dns.address
, services.pdns-recursor.dns.allowFrom
);
allow only local connections to the REST API server (services.pdns-recursor.api.allowFrom
).
In the ncdns module, the default value of services.ncdns.address
has been changed to the IPv6 loopback address (::1
).
openldap
(and therefore the slapd LDAP server) were updated to version 2.6.2. The project introduced backwards-incompatible changes, namely the removal of the bdb, hdb, ndb, and shell backends in slapd. Therefore before updating, dump your database slapcat -n 1
in LDIF format, and reimport it after updating your services.openldap.settings
, which represents your cn=config
.
Additionally with 2.5 the argon2 module was included in the standard distribution and renamed from pw-argon2
to argon2
. Remember to update your olcModuleLoad
entry in cn=config
.
openssh
has been update to 8.9p1, changing the FIDO security key middleware interface.
git
no longer hardcodes the path to openssh’ ssh binary to reduce the amount of rebuilds. If you are using git with ssh remotes and do not have a ssh binary in your environment consider adding openssh
to it or switching to gitFull
.
services.k3s.enable
no longer implies systemd.enableUnifiedCgroupHierarchy = false
, and will default to the ‘systemd’ cgroup driver when using services.k3s.docker = true
.
This change may require a reboot to take effect, and k3s may not be able to run if the boot cgroup hierarchy does not match its configuration.
The previous behavior may be retained by explicitly setting systemd.enableUnifiedCgroupHierarchy = false
in your configuration.
fonts.fonts
no longer includes ancient bitmap fonts when both config.services.xserver.enable
and config.nixpkgs.config.allowUnfree
are enabled.
If you still want these fonts, use:
{
fonts.fonts = [
pkgs.xorg.fontbhlucidatypewriter100dpi
pkgs.xorg.fontbhlucidatypewriter75dpi
pkgs.xorg.fontbh100dpi
];
}
services.prometheus.alertManagerTimeout
has been removed as it has been deprecated upstream and has no effect.
The DHCP server (services.dhcpd4
, services.dhcpd6
) has been hardened.
The service is now using the systemd’s DynamicUser
mechanism to run as an unprivileged dynamically-allocated user with limited capabilities.
The dhcpd state files are now always stored in /var/lib/dhcpd{4,6}
and the services.dhcpd4.stateDir
and service.dhcpd6.stateDir
options have been removed.
If you were depending on root privileges or set{uid,gid,cap} binaries in dhcpd shell hooks, you may give dhcpd more capabilities with e.g. systemd.services.dhcpd6.serviceConfig.AmbientCapabilities
.
The mailpile
email webclient (services.mailpile
) has been removed due to its reliance on python2.
services.ipfs.extraFlags
is now escaped with utils.escapeSystemdExecArgs
. If you rely on systemd interpolating extraFlags
in the service ExecStart
, this will no longer work.
hbase
version 0.98.24 has been removed. The package now defaults to version 2.4.11. Versions 1.7.1 and 3.0.0-alpha-2 are also available.
services.paperless-ng
was renamed to services.paperless
. Accordingly, the paperless-ng-manage
script (located in dataDir
) was renamed to paperless-manage
. services.paperless
now uses paperless-ngx
.
The matrix-synapse
service (services.matrix-synapse
) has been converted to use the settings
option defined in RFC42.
This means that options that are part of your homeserver.yaml
configuration, and that were specified at the top-level of the
module (services.matrix-synapse
) now need to be moved into services.matrix-synapse.settings
. And while not all options you
may use are defined in there, they are still supported, because you can set arbitrary values in this freeform type.
The listeners.*.bind_address
option was renamed to bind_addresses
in order to match the upstream homeserver.yaml
option
name. It is now also a list of strings instead of a string.
An example to make the required migration clearer:
Before:
{
services.matrix-synapse = {
enable = true;
server_name = "example.com";
public_baseurl = "https://example.com:8448";
enable_registration = false;
registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut";
macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l";
tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
listeners = [ {
port = 8448;
bind_address = "";
type = "http";
tls = true;
resources = [ {
names = [ "client" ];
compress = true;
} {
names = [ "federation" ];
compress = false;
} ];
} ];
};
}
After:
{
services.matrix-synapse = {
enable = true;
# this attribute set holds all values that go into your homeserver.yaml configuration
# See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for
# possible values.
settings = {
server_name = "example.com";
public_baseurl = "https://example.com:8448";
enable_registration = false;
# pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead
tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
listeners = [ {
port = 8448;
bind_addresses = [
"::"
"0.0.0.0"
];
type = "http";
tls = true;
resources = [ {
names = [ "client" ];
compress = true;
} {
names = [ "federation" ];
compress = false;
} ];
} ];
};
extraConfigFiles = [
"/run/keys/matrix-synapse/secrets.yaml"
];
};
}
The secrets in your original config should be migrated into a YAML file that is included via extraConfigFiles
. The filename must be quoted to prevent nix from copying it to the (world readable) store.
Additionally a few option defaults have been synced up with upstream default values, for example the max_upload_size
grew from 10M
to 50M
. For the same reason, the default
media_store_path
was changed from ${dataDir}/media
to ${dataDir}/media_store
if system.stateVersion
is at least 22.05
. Files will need to be manually moved to the new
location if the stateVersion
is updated.
As of Synapse 1.58.0, the old groups/communities feature has been disabled by default. It will be completely removed with Synapse 1.61.0.
The Keycloak package (pkgs.keycloak
) has been switched from the
Wildfly version, which will soon be deprecated, to the Quarkus based
version. The Keycloak service (services.keycloak
) has been updated
to accommodate the change and now differs from the previous version
in a few ways:
services.keycloak.extraConfig
has been removed in favor of the
new settings-style
services.keycloak.settings
option. The available options correspond directly to parameters in
conf/keycloak.conf
. Some of the most important parameters are
documented as suboptions, the rest can be found in the All
configuration section of the Keycloak Server Installation and
Configuration
Guide. While the new
configuration is much simpler and cleaner than the old JBoss CLI
one, this unfortunately mean that there’s no straightforward way
to convert an old configuration to the new format and some
settings may not even be available anymore.
services.keycloak.frontendUrl
was removed and the frontend URL
is now configured through the hostname
family of settings in
services.keycloak.settings
instead. See the Hostname section of the Keycloak Server
Installation and Configuration
Guide for more
details. Additionally, /auth
was removed from the default
context path and needs to be added back in
services.keycloak.settings.http-relative-path
if you want to keep compatibility with your current clients.
services.keycloak.bindAddress
,
services.keycloak.forceBackendUrlToFrontendUrl
,
services.keycloak.httpPort
and services.keycloak.httpsPort
have been removed in favor of their equivalent options in
services.keycloak.settings
. httpPort
and httpsPort
have additionally had their types changed from
str
to port
.
The new names are as follows:
bindAddress
: services.keycloak.settings.http-host
forceBackendUrlToFrontendUrl
: services.keycloak.settings.hostname-strict-backchannel
httpPort
: services.keycloak.settings.http-port
httpsPort
: services.keycloak.settings.https-port
For example, when using a reverse proxy the migration could look like this:
Before:
{
services.keycloak = {
enable = true;
httpPort = "8080";
frontendUrl = "https://keycloak.example.com/auth";
database.passwordFile = "/run/keys/db_password";
extraConfig = {
"subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true;
};
};
}
After:
{
services.keycloak = {
enable = true;
settings = {
http-port = 8080;
hostname = "keycloak.example.com";
http-relative-path = "/auth";
proxy = "edge";
};
database.passwordFile = "/run/keys/db_password";
};
}
The MoinMoin wiki engine (services.moinmoin
) has been removed, because Python 2 is being retired from nixpkgs.
Services in the hadoop
module previously set openFirewall
to true by default.
This has now been changed to false. Node definitions for multi-node clusters would need
openFirewall = true;
to be added to to hadoop services when upgrading from NixOS 21.11.
services.hadoop.yarn.nodemanager
now uses cgroup-based CPU limit enforcement by default.
Additionally, the option useCGroups
was added to nodemanagers as an easy way to switch
back to the old behavior.
The wafHook
hook now honors NIX_BUILD_CORES
when enableParallelBuilding
is not set explicitly. Packages can restore the old behaviour by setting enableParallelBuilding=false
.
pkgs.claws-mail-gtk2
, representing Claws Mail’s older release version three, was removed in order to get rid of Python 2.
Please switch to claws-mail
, which is Claws Mail’s latest release based on GTK+3 and Python 3.
The writers.writePython2
and corresponding writers.writePython2Bin
convenience functions to create executable Python 2 scripts in the store were removed in preparation of removal of the Python 2 interpreter.
Scripts have to be converted to Python 3 for use with writers.writePython3
or writers.writePyPy2
needs to be used.
buildGoModule
was updated to use go_1_17
, third party derivations that specify >= go 1.17 in the main go.mod
will need to regenerate their vendorSha256
hash.
The gnome-passwordsafe
package updated to version 6.x and renamed to gnome-secrets
.
services.gnome.experimental-features.realtime-scheduling
option has been removed, as GNOME Shell now uses rtkit. Use security.rtkit.enable = true;
instead. As before, you will need to have it enabled using GSettings.
services.telepathy
will no longer be enabled by default for GNOME desktops, one should enable it in their configs if using Empathy or Polari.
If you previously used /etc/docker/daemon.json
, you need to incorporate the changes into the new option virtualisation.docker.daemon.settings
.
Ntopng (services.ntopng
) is updated to 5.2.1 and uses a separate Redis instance if system.stateVersion
is at least 22.05
. Existing setups shouldn’t be affected.
The backward compatibility in services.wordpress
to configure sites with
the old interface has been removed. Please use services.wordpress.sites
instead.
The backward compatibility in services.dokuwiki
to configure sites with the
old interface has been removed. Please use services.dokuwiki.sites
instead.
opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs
services.miniflux.adminCredentialFiles
is now required, instead of defaulting to admin
and password
.
The taskserver
module no longer implicitly opens ports in the firewall
configuration. This is now controlled through the option
services.taskserver.openFirewall
.
The autorestic
package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check their migration guide for more details.
teleport
has been upgraded to major version 9. Please see upstream upgrade instructions and release notes.
For pkgs.python3.pkgs.ipython
, its direct dependency pkgs.python3.pkgs.matplotlib-inline
(which is really an adapter to integrate matplotlib in ipython if it is installed) does
not depend on pkgs.python3.pkgs.matplotlib
anymore.
This is closer to a non-Nix install of ipython.
This has the added benefit to reduce the closure size of ipython
from ~400MB to ~160MB
(including ~100MB for python itself).
documentation.man
has been refactored to support choosing a man implementation other than GNU’s man-db
. For this, documentation.man.manualPages
has been renamed to documentation.man.man-db.manualPages
. If you want to use the new alternative man implementation mandoc
, add documentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; }
to your configuration.
Normal users (with isNormalUser = true
) which have non-empty subUidRanges
or subGidRanges
set no longer have additional implicit ranges allocated. To enable automatic allocation back set autoSubUidGidRange = true
.
idris2
now requires --package
when using packages contrib
and network
, while previously these idris2 packages were automatically loaded.
The iputils package, which is installed by default, no longer provides the
legacy tools tftpd
and traceroute6
. More tools (ninfod
, rarpd
, and
rdisc
) are going to be removed in the next release. See
upstream’s release notes
for more details and available replacements.
services.thelounge.private
was removed in favor of services.thelounge.public
, to follow with upstream changes.
pkgs.docbookrx
was removed since it’s unmaintained
pkgs._7zz
is now correctly licensed as LGPL3+ and BSD3 with optional unfree unRAR licensed code
The vim.customize
function produced by vimUtils.makeCustomizable
now has a slightly different interface:
The wrapper now includes everything in the given Vim derivation if name
is "vim"
(the default). This makes the wrapManual
argument obsolete, but this behavior can be overridden by setting the standalone
argument.
All the executables present in the given derivation (or, in standalone
mode, only the *vim
ones) are wrapped. This makes the wrapGui
argument obsolete.
The vimExecutableName
and gvimExecutableName
arguments were replaced by a single executableName
argument in which the shell variable $exe
can be used to refer to the wrapped executable’s name.
See the comments in pkgs/applications/editors/vim/plugins/vim-utils.nix
for more details.
vimUtils.vimWithRC
was removed. You should instead use customize
on a Vim derivation, which now accepts vimrcFile
and gvimrcFile
arguments.
tilp2
was removed together with its module
The F-PROT antivirus (fprot
package) and its service module were removed because it
reached end-of-life.
bird1
and its modules services.bird
as well as services.bird6
have been removed. Upgrade to services.bird2
.
The options networking.interfaces.<name>.ipv4.routes
and networking.interfaces.<name>.ipv6.routes
are no longer ignored when using networkd instead of the default scripted network backend by setting networking.useNetworkd
to true
.
The miller
package has been upgraded from 5.10.3 to 6.2.0. See What’s new in Miller 6.
MultiMC has been replaced with the fork PrismLauncher due to upstream
developers being hostile to 3rd party package maintainers. PrismLauncher
removes all MultiMC branding and is aimed at providing proper 3rd party
packages like the one contained in Nixpkgs. This change affects the data
folder where game instances and other save and configuration files are stored.
Users with existing installations should rename ~/.local/share/multimc
to
~/.local/share/PrismLauncher
. The main config file’s path has also moved
from ~/.local/share/multimc/multimc.cfg
to
~/.local/share/PrismLauncher/prismlauncher.cfg
.
systemd-nspawn@.service
settings have been reverted to the default systemd behaviour. User namespaces are now activated by default. If you want to keep running nspawn containers without user namespaces you need to set systemd.nspawn.<name>.execConfig.PrivateUsers = false
systemd-shutdown
is now properly linked on shutdown to unmount all filesystems and device mapper devices cleanly. This can be disabled using systemd.shutdownRamfs.enable
.
The Tor SOCKS proxy is now actually disabled if services.tor.client.enable
is set to false
(the default). If you are using this functionality but didn’t change the setting or set it to false
, you now need to set it to true
.
services.github-runner
has been hardened. Notably address families and
system calls have been restricted, which may adversely affect some kinds of
testing, e.g. using AF_BLUETOOTH
to test bluetooth devices.
The terraform 0.12 compatibility has been removed and the terraform.withPlugins
and terraform-providers.mkProvider
implementations simplified. Providers now need to be stored under
$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>
(which mkProvider does).
This breaks back-compat so it’s not possible to mix-and-match with previous versions of nixpkgs. In exchange, it now becomes possible to use the providers from nixpkgs-terraform-providers-bin directly.
The dendrite
package has been upgraded from 0.5.1 to
0.6.5. Instances
configured with split sqlite databases, which has been the default
in NixOS, require merging of the federation sender and signing key
databases. See upstream release
notes
on version 0.6.0 for details on database changes.
The existing pkgs.opentelemetry-collector
has been moved to
pkgs.opentelemetry-collector-contrib
to match the actual source being the
“contrib” edition. pkgs.opentelemetry-collector
is now the actual core
release of opentelemetry-collector. If you use the community contributions
you should change the package you refer to. If you don’t need them update your
commands from otelcontribcol
to otelcorecol
and enjoy a 7x smaller binary.
services.zookeeper
has a new option jre
for specifying the JRE to start
zookeeper with. It defaults to the JRE that pkgs.zookeeper
was wrapped with,
instead of pkgs.jre
. This changes the JRE to pkgs.jdk11_headless
by default.
pkgs.pgadmin
now refers to pkgs.pgadmin4
. pgadmin3
has been removed.
pkgs.minetestclient_4
and pkgs.minetestserver_4
have been removed, as the last 4.x release was in 2018. pkgs.minetestclient
(equivalent to pkgs.minetest
) and pkgs.minetestserver
can be used instead.
pkgs.noto-fonts-cjk
is now deprecated in favor of pkgs.noto-fonts-cjk-sans
and pkgs.noto-fonts-cjk-serif
because they each have different release
schedules. To maintain compatibility with prior releases of Nixpkgs,
pkgs.noto-fonts-cjk
is currently an alias of pkgs.noto-fonts-cjk-sans
and
doesn’t include serif fonts.
pkgs.epgstation
has been upgraded from v1 to v2, resulting in incompatible
changes in the database scheme and configuration format.
Some top-level settings under services.epgstation is now deprecated because it was redundant due to the same options being present in services.epgstation.settings.
The option services.epgstation.basicAuth
was removed because basic
authentication support was dropped by upstream.
The option services.epgstation.database.passwordFile no longer has a default value. Make sure to set this option explicitly before upgrading. Change the database password if necessary.
The services.epgstation.settings
option now expects options for config.yml
in EPGStation v2.
Existing data for the services.epgstation
module would have to be backed up prior to the upgrade. To back up existing
data to /tmp/epgstation.bak
, run
sudo -u epgstation epgstation run backup /tmp/epgstation.bak
.
To import that data after to the upgrade, run
sudo -u epgstation epgstation run v1migrate /tmp/epgstation.bak
switch-to-configuration
(the script that is run when running nixos-rebuild switch
for example) has been reworked
The interface that allows activation scripts to restart units has been streamlined. Restarting and reloading is now done by a single file /run/nixos/activation-restart-list
that honors restartIfChanged
and reloadIfChanged
of the units.
Preferring to reload instead of restarting can still be achieved using /run/nixos/activation-reload-list
.
The script now uses a proper ini-file parser to parse systemd units. Some values are now only searched in one section instead of in the entire unit. This is only relevant for units that don’t use the NixOS systemd moule.
RefuseManualStop
, X-OnlyManualStart
, X-StopOnRemoval
, X-StopOnReconfiguration
are only searched in the [Unit]
section
X-ReloadIfChanged
, X-RestartIfChanged
, X-StopIfChanged
are only searched in the [Service]
section
The services.bookstack.cacheDir
option has been removed, since the
cache directory is now handled by systemd.
The services.bookstack.extraConfig
option has been replaced by
services.bookstack.config
which implements a
settings-style
configuration.
lib.assertMsg
and lib.assertOneOf
no longer return false
if the passed condition is false
, throw
ing the given error message instead (which makes the resulting error message less cluttered). This will not impact the behaviour of code using these functions as intended, namely as top-level wrapper for assert
conditions.
The vpnc
package has been changed to use GnuTLS instead of OpenSSL by default for licensing reasons.
The default version of nextcloud
is nextcloud24. Please note that it’s not possible to upgrade
nextcloud
across multiple major versions! This means it’s e.g. not possible to upgrade from nextcloud22
to nextcloud24
in a single deploy and most 21.11
users will have to upgrade to nextcloud23
first.
pkgs.vimPlugins.onedark-nvim
now refers to navarasu/onedark.nvim
(formerly refers to olimorris/onedarkpro.nvim).
services.pipewire.enable
will default to enabling the WirePlumber session manager instead of pipewire-media-session.
pipewire-media-session is deprecated by upstream and not recommended, but can still be manually enabled by setting
services.pipewire.media-session.enable
to true
and services.pipewire.wireplumber.enable
to false
.
pkgs.makeDesktopItem
has been refactored to provide a more idiomatic API. Specifically:
All valid options as of FDO Desktop Entry specification version 1.4 can now be passed in as explicit arguments
exec
can now be null, for entries that are not of type Application
mimeType
argument is renamed to mimeTypes
for consistency
mimeTypes
, categories
, implements
, keywords
, onlyShowIn
and notShowIn
take lists of strings instead of one string with semicolon separators
extraDesktopEntries
renamed to extraConfig
for consistency
Actions should now be provided as an attrset actions
, the Actions
line will be autogenerated.
extraEntries
is removed.
Additional validation is added both at eval time and at build time.
See the vscode
package for a more detailed example.
Existing resholve*
functions have been renamed and nested under pkgs.resholve
. Update uses to:
resholvePackage
-> resholve.mkDerivation
resholveScript
-> resholve.writeScript
resholveScriptBin
-> resholve.writeScriptBin
pkgs.cosmopolitan
no longer provides the cosmoc
command. It has been moved to pkgs.cosmoc
.
pkgs.graalvmXX-ce
packages no longer provide support for Python/Ruby/WASM, instead focusing only in Java and Native Image Support. If you need to add support back, please see the pkgs.graalvmCEPackages.mkGraal
function to create your own customized version of GraalVM with support for what you need.
The option services.redis.servers was added
to support per-application redis-server
which is more secure since Redis databases
are only mere key prefixes without any configuration or ACL of their own.
Backward-compatibility is preserved by mapping old services.redis.settings
to services.redis.servers."".settings
, but you are strongly encouraged
to name each redis-server
instance after the application using it,
instead of keeping that nameless one.
Except for the nameless services.redis.servers.""
still accessible at 127.0.0.1:6379
,
and to the members of the Unix group redis
through the Unix socket /run/redis/redis.sock
,
all other services.redis.servers.${serverName}
are only accessible by default
to the members of the Unix group redis-${serverName}
through the Unix socket /run/redis-${serverName}/redis.sock
.
The option virtualisation.vmVariant was added
to allow users to make changes to the nixos-rebuild build-vm
configuration
that do not apply to their normal system.
The config.system.build.vm
attribute now always exists and defaults to the
value from vmVariant
. Configurations that import the virtualisation/qemu-vm.nix
module themselves will override this value, such that vmVariant
is not used.
Similarly virtualisation.vmVariantWithBootloader was added.
The configuration portion of the nix-daemon
module has been reworked and exposed as nix.settings:
Legacy options have been mapped to the corresponding options under under nix.settings and will be deprecated when NixOS 21.11 reaches end of life.
nix.buildMachines.publicHostKey has been added.
kops
defaults to 1.23.2, which will enable Instance Metadata Service Version 2 and require tokens on new clusters with Kubernetes >= 1.22. This will increase security by default, but may break some types of workloads. The default behaviour for spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS
has changed from true
to false
. Cilium now has disable-cnp-status-updates: true
by default. Set this to false if you rely on the CiliumNetworkPolicy status fields. Support for Kubernetes 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been removed. See the 1.22 release notes and 1.23 release notes for more details, including other significant changes.
Mattermost has been upgraded to extended support version 6.3 as the previously packaged extended support version 5.37 is reaching end of life. Migration may take some time, see the changelog and important upgrade notes.
The writers.writePyPy2
/writers.writePyPy3
and corresponding writers.writePyPy2Bin
/writers.writePyPy3Bin
convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added.
Some improvements have been made to the hadoop
module:
A gatewayRole
option has been added, for deploying hadoop cluster configuration files to a node that does not have any active services
Support for older versions of hadoop have been added to the module
Overriding and extending site XML files has been made easier
The auto-upgrade service now accepts persistent (default: true) parameter. By default auto-upgrade will now run immediately if it would have been triggered at least once during the time when the timer was inactive.
Mastodon now uses services.redis.servers
to start a new redis server, instead of using a global redis server.
This improves compatibility with other services that use redis.
Note that this will recreate the redis database, although according to the Mastodon docs, this is almost harmless:
Losing the Redis database is almost harmless: The only irrecoverable data will be the contents of the Sidekiq queues and scheduled retries of previously failed jobs. The home and list feeds are stored in Redis, but can be regenerated with tootctl.
If you do want to save the redis database, you can use the following commands:
redis-cli save
cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb"
Peertube now uses services.redis.servers to start a new redis server, instead of using a global redis server. This improves compatibility with other services that use redis.
Redis database is used for storage only cache and job queue. More information can be found here - Peertube architecture.
If you do want to save the redis database, you can use the following commands before upgrade OS:
redis-cli save
sudo mkdir /var/lib/redis-peertube
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
Added the keter
NixOS module. Keter reverse proxies requests to your loaded application based on virtual hostnames.
If you are using Wayland you can choose to use the Ozone Wayland support
in Chrome and several Electron apps by setting the environment variable
NIXOS_OZONE_WL=1
(for example via
environment.sessionVariables.NIXOS_OZONE_WL = "1"
).
This is not enabled by default because Ozone Wayland is
still under heavy development and behavior is not always flawless.
Furthermore, not all Electron apps use the latest Electron versions.
A new option group systemd.network.wait-online
was added, with options to configure systemd-networkd-wait-online.service
:
anyInterface
allows specifying that the network should be considered online when at least one interface is online (useful on laptops)
timeout
defines how long to wait for the network to come online
extraArgs
for everything else
The influxdb2
package was split into influxdb2-server
and
influxdb2-cli
, matching the split that took place upstream. A
combined influxdb2
package is still provided in this release for
backwards compatibility, but will be removed at a later date.
The unifi
package was switched from unifi6
to unifi7
.
Direct downgrades from Unifi 7 to Unifi 6 are not possible and require restoring from a backup made by Unifi 6.
programs.zsh.autosuggestions.strategy
now takes a list of strings instead of a string.
The asterisk
and asterisk-stable
packages were switched from asterisk_18
to the newly-packaged asterisk_19
. Asterisk 13 and 17 have been removed as they have reached their end of life.
The services.unifi.openPorts
option default value of true
is now deprecated and will be changed to false
in 22.11.
Configurations using this default will print a warning when rebuilt.
The services.unifi-video.openPorts
option default value of true
is now deprecated and will be changed to false
in 22.11.
Configurations using this default will print a warning when rebuilt.
security.acme
certificates will now correctly check for CA
revocation before reaching their minimum age.
Removing domains from security.acme.certs._name_.extraDomainNames
will now correctly remove those domains during rebuild/renew.
MariaDB is now offered in several versions, not just the newest one.
So if you have a need for running MariaDB 10.4 for example, you can now just set services.mysql.package = pkgs.mariadb_104;
.
In general, it is recommended to run the newest version, to get the newest features, while sticking with an LTS version will most likely provide a more stable experience.
Sometimes software is also incompatible with the newest version of MariaDB.
The option
programs.ssh.enableAskPassword was
added, decoupling the setting of SSH_ASKPASS
from
services.xserver.enable
. This allows easy usage in non-X11 environments,
e.g. Wayland.
programs.ssh.knownHosts has gained an extraHostNames
option to augment hostNames
. It is now possible to use the attribute name of a knownHosts
entry as the primary host name and specify secondary host names using extraHostNames
without
having to duplicate the primary host name.
The services.stubby
module was converted to a settings-style configuration.
The option
services.xserver.desktopManager.runXdgAutostartIfNone
was added in order to automatically run XDG autostart files for sessions without a desktop manager.
This replaces helpers like the dex
package.
When setting i18n.inputMethod.enabled to fcitx5
,
it no longer creates corresponding systemd user services.
It now relies on XDG autostart files to start and work properly in your desktop sessions.
If you are using only a window manager without a desktop manager, you need to enable
services.xserver.desktopManager.runXdgAutostartIfNone
or using the dex
package to make fcitx5
work.
The option services.duplicati.dataDir
has been added to allow changing the location of duplicati’s files.
The options boot.extraModprobeConfig
and boot.blacklistedKernelModules
now also take effect in the initrd by copying the file /etc/modprobe.d/nixos.conf
into the initrd.
nixos-generate-config
now puts the dhcp configuration in hardware-configuration.nix
instead of configuration.nix
.
ORY Kratos was updated to version 0.9.0-alpha.3, which introduces some breaking changes:
All endpoints at the Admin API are now exposed at /admin/
. For example, endpoint https://kratos:4434/identities
is now exposed at https://kratos:4434/admin/identities
Configuration key selfservice.whitelisted_return_urls
has been renamed to allowed_return_urls
The password_identifier
form field of the password login strategy has been renamed to identifier
to make compatibility with passwordless flows possible.
Instead of having a global default_schema_url
which developers used to update their schema, you now need to define the default_schema_id
which must reference schema ID in your config.
Calling /self-service/recovery
without flow ID or with an invalid flow ID while authenticated will now respond with an error instead of redirecting to the default page.
If you are relying on the SQLite images, update your Docker Pull commands as follows:
docker pull oryd/kratos:{version}
Additionally, all passwords now have to be at least 8 characters long.
For more details, see:
fetchFromSourcehut
now allows fetching repositories recursively
using fetchgit
or fetchhg
if the argument fetchSubmodules
is set to true
.
A module for declarative configuration of openconnect VPN profiles was added under networking.openconnect
.
The element-desktop
package now has an useKeytar
option (defaults to true
),
which allows disabling keytar
and in turn libsecret
usage
(which binds to native credential managers / keychain libraries).
The option services.thelounge.plugins
has been added to allow installing plugins for The Lounge. Plugins can be found in pkgs.theLoungePlugins.plugins
and pkgs.theLoungePlugins.themes
.
The option services.xserver.videoDriver = [ "nvidia" ];
will now also install nvidia VA-API drivers by default.
The firmwareLinuxNonfree
package has been renamed to linux-firmware
.
It is now possible to specify wordlists to include as handy to access environment variables using the config.environment.wordlist
configuration options.
The services.mbpfan
module was converted to a RFC 0042 configuration.
The default value for programs.spacefm.settings.graphical_su
got unset. It previously pointed to gksu
which has been removed.
The Dino XMPP client was updated to 0.3, adding support for audio and video calls.
services.mattermost.plugins
has been added to allow the declarative installation of Mattermost plugins.
Plugins are automatically repackaged using autoPatchelf.
services.logrotate.enable now defaults to true if any rotate path has been defined, and some paths have been added by default.
The logrotate module also has been updated to freeform syntax: services.logrotate.paths
and services.logrotate.extraConfig
will work, but issue deprecation
warnings and services.logrotate.settings should now be used instead.
security.pam.ussh
has been added, which allows authorizing PAM sessions based on SSH certificates held within an SSH agent, using pam-ussh.
The vscode-extensions.ionide.ionide-fsharp
package has been updated to 6.0.0 and now requires .NET 6.0.
The phpPackages.box
package has been updated from 2.7.5 to 3.16.0. See the upgrade guide for more details.
The zrepl
package has been updated from 0.4.0 to 0.5:
The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume.
A bug involving encrypt-on-receive has been fixed. Read the zrepl documentation and check the output of zfs get -r encryption,zrepl:placeholder PATH_TO_ROOTFS
on the receiver.
The polybar
package has been updated from 3.5.7 to 3.6.2. See the changelog for more details.
Breaking changes include changes to escaping rules in configuration values, changes in behavior when encountering invalid tag names, and changes to inter-process-messaging (IPC).
Renamed option services.openssh.challengeResponseAuthentication
to services.openssh.kbdInteractiveAuthentication
.
Reason is that the old name has been deprecated upstream.
Using the old option name will still work, but produce a warning.
services.autorandr
now allows for adding hooks and profiles declaratively.
The pomerium-cli
command has been moved out of the pomerium
package into
the pomerium-cli
package, following upstream’s repository split. If you are
using the pomerium-cli
command, you should now install the pomerium-cli
package.
The option services.networking.networkmanager.enableFccUnlock
was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager
daemon no longer automatically performs the FCC unlock procedure by default. See
the docs for more details.
programs.tmux
has a new option plugins
that accepts a list of packages from the tmuxPlugins
group. The specified packages are added to the system and loaded by tmux
.
The polkit service, available at security.polkit.enable
, is now disabled by default. It will automatically be enabled through services and desktop environments as needed.
mercury
was updated to 22.01.1, which has some breaking changes (Mercury 22.01 news).
xfsprogs was update to version 5.15, which enables inobtcount and bigtime by default on filesystem creation. Support for these features was added in kernel 5.10 and deemed stable in kernel 5.15.
If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than 5.10, you need to format them with mkfs.xfs -m bigtime=0 -m inobtcount=0
.
services.xserver.desktopManager.xfce
now includes Xfce’s screen locker, xfce4-screensaver
that is enabled by default. You can disable it by setting false
to services.xserver.desktopManager.xfce.enableScreensaver.
The hadoop
package has added support for aarch64-linux
and aarch64-darwin
as of 3.3.1 (#158613).
The R
package now builds again on aarch64-darwin
(#158992).
The nss
package was split into nss_esr
and nss_latest
, with nss
being an alias for nss_esr
. This was done to ease maintenance of nss
and dependent high-profile packages like firefox
.
The default scribus
version is now 1.5, while version 1.4 is still available as scribus_1_4
(#172700).
The Nextcloud module now supports to create a Mysql database automatically
with services.nextcloud.database.createLocally
enabled.
The Nextcloud module now allows setting the value of the max-age
directive of the Strict-Transport-Security
HTTP header, which is now controlled by the services.nextcloud.https
option, rather than services.nginx.recommendedHttpHeaders
.
The spark3
package has been updated from 3.1.2 to 3.2.1 (#160075):
The option services.snapserver.openFirewall
will no longer default to
true
starting with NixOS 22.11. Enable it explicitly if you need to control
Snapserver remotely or connect streamig clients from other hosts.
The option networking.useDHCP isn’t deprecated anymore.
When using systemd-networkd
, a generic
.network
-unit is added which enables DHCP for each interface matching en*
, eth*
or wl*
with priority 99 (which means that it doesn’t have any effect if such an interface is matched
by a .network-
unit with a lower priority). In case of scripted networking, no behavior
was changed.
The new postgresqlTestHook
runs a PostgreSQL server for the duration of package checks.
zfs
was updated from 2.1.4 to 2.1.5, enabling it to be used with Linux kernel 5.18.
stdenv.mkDerivation
now supports a self-referencing finalAttrs:
parameter
containing the final mkDerivation
arguments including overrides.
drv.overrideAttrs
now supports two parameters finalAttrs: previousAttrs:
.
This allows packaging configuration to be overridden in a consistent manner by
providing an alternative to rec {}
syntax.
Additionally, passthru
can now reference finalAttrs.finalPackage
containing
the final package, including attributes such as the output paths and
overrideAttrs
.
New language integrations can be simplified by overriding a “prototype” package containing the language-specific logic. This removes the need for a extra layer of overriding for the “generic builder” arguments, thus removing a usability problem and source of error.
Support is planned until the end of June 2022, handing over to 22.05.
In addition to numerous new and upgraded packages, this release has the following highlights:
Nix has been updated to version 2.4, reference its release notes for more information on what has changed. The previous version of Nix, 2.3.16, remains available for the time being in the nix_2_3
package.
iptables
is now using nf_tables
under the hood, by using iptables-nft
,
similar to Debian and
Fedora.
This means, ip[6]tables
, arptables
and ebtables
commands will actually
show rules from some specific tables in the nf_tables
kernel subsystem.
In case you’re migrating from an older release without rebooting, there might
be cases where you end up with iptable rules configured both in the legacy
iptables
kernel backend, as well as in the nf_tables
backend.
This can lead to confusing firewall behaviour. An iptables-save
after
switching will complain about “iptables-legacy tables present”.
It’s probably best to reboot after the upgrade, or manually removing all
legacy iptables rules (via the iptables-legacy
package).
systemd got an nftables
backend, and configures (networkd) rules in their
own io.systemd.*
tables. Check nft list ruleset
to see these rules, not
iptables-save
(which only shows iptables
-created rules.
PHP now defaults to PHP 8.0, updated from 7.4.
kops now defaults to 1.21.1, which uses containerd as the default runtime.
python3
now defaults to Python 3.9, updated from Python 3.8.
PostgreSQL now defaults to major version 13.
spark now defaults to spark 3, updated from 2. A migration guide is available.
Improvements have been made to the Hadoop module and package:
HDFS and YARN now support production-ready highly available deployments with automatic failover.
Hadoop now defaults to Hadoop 3, updated from 2.
JournalNode, ZKFS and HTTPFS services have been added.
Activation scripts can now, optionally, be run during a nixos-rebuild dry-activate
and can detect the dry activation by reading $NIXOS_ACTION
.
This allows activation scripts to output what they would change if the activation was really run.
The users/modules activation script supports this and outputs some of is actions.
KDE Plasma now finally works on Wayland.
bash now defaults to major version 5.
Systemd was updated to version 249 (from 247).
Pantheon desktop has been updated to version 6. Due to changes of screen locker, if locking doesn’t work for you, please try gsettings set org.gnome.desktop.lockdown disable-lock-screen false
.
kubernetes-helm
now defaults to 3.7.0, which introduced some breaking changes to the experimental OCI manifest format. See HIP 6 for more details.
helmfile
also defaults to 0.141.0, which is the minimum compatible version.
GNOME has been upgraded to 41. Please take a look at their Release Notes for details.
LXD support was greatly improved:
building LXD images from configurations is now directly possible with just nixpkgs
hydra is now building nixOS LXD images that can be used standalone with full nixos-rebuild support
OpenSSH was updated to version 8.8p1
This breaks connections to old SSH daemons as ssh-rsa host keys and ssh-rsa public keys that were signed with SHA-1 are disabled by default now
These can be re-enabled, see the OpenSSH changelog for details
ORY Kratos was updated to version 0.8.0-alpha.3
This release requires you to run SQL migrations. Please, as always, create a backup of your database first!
The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.
The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.
for more details, see Release Notes.
btrbk, a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations. Available as services.btrbk.
clipcat, an X11 clipboard manager written in Rust. Available at services.clipcat.
dex, an OpenID Connect (OIDC) identity and OAuth 2.0 provider. Available at services.dex.
geoipupdate, a GeoIP database updater from MaxMind. Available as services.geoipupdate.
Jibri, a service for recording or streaming a Jitsi Meet conference. Available as services.jibri.
Kea, ISCs 2nd generation DHCP and DDNS server suite. Available at services.kea.
owncast, self-hosted video live streaming solution. Available at services.owncast.
PeerTube, developed by Framasoft, is the free and decentralized alternative to video platforms. Available at services.peertube.
sourcehut, a collection of tools useful for software development. Available as services.sourcehut.
ucarp, an userspace implementation of the Common Address Redundancy Protocol (CARP). Available as networking.ucarp.
Users of flashrom should migrate to programs.flashrom.enable and add themselves to the flashrom
group to be able to access programmers supported by flashrom.
vikunja, a to-do list app. Available as services.vikunja.
opensnitch, an application firewall. Available as services.opensnitch.
snapraid, a backup program for disk arrays. Available as snapraid.
Hockeypuck, a OpenPGP Key Server. Available as services.hockeypuck.
buildkite-agent-metrics, a command-line tool for collecting Buildkite agent metrics, now has a Prometheus exporter available as services.prometheus.exporters.buildkite-agent.
influxdb-exporter a Prometheus exporter that exports metrics received on an InfluxDB compatible endpoint is now available as services.prometheus.exporters.influxdb.
mx-puppet-discord, a discord puppeting bridge for matrix. Available as services.mx-puppet-discord.
MeshCentral, a remote administration service (“TeamViewer but self-hosted and with more features”) is now available with a package and a module: services.meshcentral.enable
moonraker, an API web server for Klipper. Available as moonraker.
influxdb2, a Scalable datastore for metrics, events, and real-time analytics. Available as services.influxdb2.
isso, a commenting server similar to Disqus. Available as isso
navidrome, a personal music streaming server with subsonic-compatible api. Available as navidrome.
fluidd, a Klipper web interface for managing 3d printers using moonraker. Available as fluidd.
sx, a simple alternative to both xinit and startx for starting a Xorg server. Available as services.xserver.displayManager.sx
postfixadmin, a web based virtual user administration interface for Postfix mail servers. Available as postfixadmin.
prowlarr, an indexer manager/proxy built on the popular arr .net/reactjs base stack services.prowlarr.
soju, a user-friendly IRC bouncer. Available as services.soju.
nats, a high performance cloud and edge messaging system. Available as services.nats.
git, a distributed version control system. Available as programs.git.
parsedmarc, a service which parses incoming DMARC reports and stores or sends them to a downstream service for further analysis. Documented in its manual entry.
spark, a unified analytics engine for large-scale data processing.
touchegg, a multi-touch gesture recognizer. Available as services.touchegg.
pantheon-tweaks, an unofficial system settings panel for Pantheon. Available as programs.pantheon-tweaks
.
joycond, a service that uses hid-nintendo
to provide nintendo joycond pairing and better nintendo switch pro controller support.
multipath, the device mapper multipath (DM-MP) daemon. Available as services.multipath.
seafile, an open source file syncing & sharing software. Available as services.seafile.
rasdaemon, a hardware error logging daemon. Available as hardware.rasdaemon.
code-server
-module now available
xmrig, a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner and RandomX benchmark.
Auto nice daemons ananicy and ananicy-cpp. Available as services.ananicy.
smartctl_exporter, a Prometheus exporter for S.M.A.R.T. data. Available as services.prometheus.exporters.smartctl.
twingate, a high performance, easy to use zero trust solution that enables access to private resources from any device with better security than a VPN.
The NixOS VM test framework, pkgs.nixosTest
/make-test-python.nix
(pkgs.testers.nixosTest
since 22.05), now requires detaching commands such as succeed("foo &")
and succeed("foo | xclip -i")
to close stdout.
This can be done with a redirect such as succeed("foo >&2 &")
. This breaking change was necessitated by a race condition causing tests to fail or hang.
It applies to all methods that invoke commands on the nodes, including execute
, succeed
, fail
, wait_until_succeeds
, wait_until_fails
.
The services.wakeonlan
option was removed, and replaced with networking.interfaces.<name>.wakeOnLan
.
The security.wrappers
option now requires to always specify an owner, group and whether the setuid/setgid bit should be set.
This is motivated by the fact that before NixOS 21.11, specifying either setuid or setgid but not owner/group resulted in wrappers owned by nobody/nogroup, which is unsafe.
Since iptables
now uses nf_tables
backend and ipset
doesn’t support it, some applications (ferm, shorewall, firehol) may have limited functionality.
The paperless
module and package have been removed. All users should migrate to the
successor paperless-ng
instead. The Paperless project has been
archived
and advises all users to use paperless-ng
instead.
Users can use the services.paperless-ng
module as a replacement while noting the following incompatibilities:
services.paperless.ocrLanguages
has no replacement. Users should migrate to services.paperless-ng.extraConfig
instead:
{
services.paperless-ng.extraConfig = {
# Provide languages as ISO 639-2 codes
# separated by a plus (+) sign.
# https://en.wikipedia.org/wiki/List_of_ISO_639-2_codes
PAPERLESS_OCR_LANGUAGE = "deu+eng+jpn"; # German & English & Japanse
};
}
If you previously specified PAPERLESS_CONSUME_MAIL_*
settings in
services.paperless.extraConfig
you should remove those options now. You
now must define those settings in the admin interface of paperless-ng.
Option services.paperless.manage
no longer exists.
Use the script at ${services.paperless-ng.dataDir}/paperless-ng-manage
instead.
Note that this script only exists after the paperless-ng
service has been
started at least once.
After switching to the new system configuration you should run the Django management command to reindex your documents and optionally create a user, if you don’t have one already.
To do so, enter the data directory (the value of
services.paperless-ng.dataDir
, /var/lib/paperless
by default), switch
to the paperless user and execute the management command like below:
$ cd /var/lib/paperless
$ su paperless -s /bin/sh
$ ./paperless-ng-manage document_index reindex
# if not already done create a user account, paperless-ng requires a login
$ ./paperless-ng-manage createsuperuser
Username (leave blank to use 'paperless'): my-user-name
Email address: me@example.com
Password: **********
Password (again): **********
Superuser created successfully.
The staticjinja
package has been upgraded from 1.0.4 to 4.1.1
Firefox v91 does not support addons with invalid signature anymore. Firefox ESR needs to be used for nix addon support.
The erigon
ethereum node has moved to a new database format in 2021-05-04
, and requires a full resync
The erigon
ethereum node has moved its database location in 2021-08-03
, users upgrading must manually move their chaindata (see release notes).
users.users.<name>.group no longer defaults to nogroup
, which was insecure. Out-of-tree modules are likely to require adaptation: instead of
{
users.users.foo = {
isSystemUser = true;
};
}
also create a group for your user:
{
users.users.foo = {
isSystemUser = true;
group = "foo";
};
users.groups.foo = {};
}
services.geoip-updater
was broken and has been replaced by services.geoipupdate.
ihatemoney
has been updated to version 5.1.1 (release notes). If you serve ihatemoney by HTTP rather than HTTPS, you must set services.ihatemoney.secureCookie to false
.
PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release.
Those making use of buildBazelPackage
will need to regenerate the fetch hashes (preferred), or set fetchConfigured = false;
.
consul
was upgraded to a new major release with breaking changes, see upstream changelog.
fsharp41 has been removed in preference to use the latest dotnet-sdk
The following F#-related packages have been removed for being unmaintaned. Please use fetchNuGet
for specific packages.
ExtCore
Fake
Fantomas
FsCheck
FsCheck262
FsCheckNunit
FSharpAutoComplete
FSharpCompilerCodeDom
FSharpCompilerService
FSharpCompilerTools
FSharpCore302
FSharpCore3125
FSharpCore4001
FSharpCore4117
FSharpData
FSharpData225
FSharpDataSQLProvider
FSharpFormatting
FsLexYacc
FsLexYacc706
FsLexYaccRuntime
FsPickler
FsUnit
Projekt
Suave
UnionArgParser
ExcelDnaRegistration
MathNetNumerics
programs.x2goserver
is now services.x2goserver
The following dotnet-related packages have been removed for being unmaintaned. Please use fetchNuGet
for specific packages.
Autofac
SystemValueTuple
MicrosoftDiaSymReader
MicrosoftDiaSymReaderPortablePdb
SystemCollectionsImmutable
SystemCollectionsImmutable131
SystemReflectionMetadata
NUnit350
Deedle
ExcelDna
GitVersionTree
NDeskOptions
The antlr
package now defaults to the 4.x release instead of the
old 2.7.7 version.
The pulseeffects
package updated to version 4.x and renamed to easyeffects
.
The libwnck
package now defaults to the 3.x release instead of the
old 2.31.0 version.
The bitwarden_rs
packages and modules were renamed to vaultwarden
following upstream. More specifically,
pkgs.bitwarden_rs
, pkgs.bitwarden_rs-sqlite
, pkgs.bitwarden_rs-mysql
and
pkgs.bitwarden_rs-postgresql
were renamed to pkgs.vaultwarden
, pkgs.vaultwarden-sqlite
,
pkgs.vaultwarden-mysql
and pkgs.vaultwarden-postgresql
, respectively.
Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
The bitwarden_rs
executable was also renamed to vaultwarden
in all packages.
pkgs.bitwarden_rs-vault
was renamed to pkgs.vaultwarden-vault
.
pkgs.bitwarden_rs-vault
is preserved as an alias for backwards compatibility, but may be removed in the future.
The static files were moved from /usr/share/bitwarden_rs
to /usr/share/vaultwarden
.
The services.bitwarden_rs
config module was renamed to services.vaultwarden
.
services.bitwarden_rs
is preserved as an alias for backwards compatibility, but may be removed in the future.
systemd.services.bitwarden_rs
, systemd.services.backup-bitwarden_rs
and systemd.timers.backup-bitwarden_rs
were renamed to systemd.services.vaultwarden
, systemd.services.backup-vaultwarden
and
systemd.timers.backup-vaultwarden
, respectively.
Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
users.users.bitwarden_rs
and users.groups.bitwarden_rs
were renamed to users.users.vaultwarden
and
users.groups.vaultwarden
, respectively.
The data directory remains located at /var/lib/bitwarden_rs
, for backwards compatibility.
yggdrasil
was upgraded to a new major release with breaking changes, see upstream changelog.
icingaweb2
was upgraded to a new release which requires a manual database upgrade, see upstream changelog.
The isabelle
package has been upgraded from 2020 to 2021
the mingw-64
package has been upgraded from 6.0.0 to 9.0.0
tt-rss
was upgraded to the commit on 2021-06-21, which has breaking changes. If you use services.tt-rss.extraConfig
you should migrate to the putenv
-style configuration. See this Discourse post in the tt-rss forums for more details.
The following Visual Studio Code extensions were renamed to keep the naming convention uniform.
bbenoist.Nix
-> bbenoist.nix
CoenraadS.bracket-pair-colorizer
-> coenraads.bracket-pair-colorizer
golang.Go
-> golang.go
services.uptimed
now uses /var/lib/uptimed
as its stateDirectory instead of /var/spool/uptimed
. Make sure to move all files to the new directory.
Deprecated package aliases in emacs.pkgs.*
have been removed. These aliases were remnants of the old Emacs package infrastructure. We now use exact upstream names wherever possible.
programs.neovim.runtime
switched to a linkFarm
internally, making it impossible to use wildcards in the source
argument.
The openrazer
and openrazer-daemon
packages as well as the hardware.openrazer
module now require users to be members of the openrazer
group instead of plugdev
. With this change, users no longer need be granted the entire set of plugdev
group permissions, which can include permissions other than those required by openrazer
. This is desirable from a security point of view. The setting hardware.openrazer.users
can be used to add users to the openrazer
group.
The fontconfig service’s dpi option has been removed.
Fontconfig should use Xft settings by default so there’s no need to override one value in multiple places.
The user can set DPI via ~/.Xresources properly, or at the system level per monitor, or as a last resort at the system level with services.xserver.dpi
.
The yambar
package has been split into yambar
and yambar-wayland
, corresponding to the xorg and wayland backend respectively. Please switch to yambar-wayland
if you are on wayland.
The services.minio
module gained an additional option consoleAddress
, that
configures the address and port the web UI is listening, it defaults to :9001
.
To be able to access the web UI this port needs to be opened in the firewall.
The varnish
package was upgraded from 6.3.x to 7.x. varnish60
for the last LTS release is also still available.
The kubernetes
package was upgraded to 1.22. The kubernetes.apiserver.kubeletHttps
option was removed and HTTPS is always used.
The attribute linuxPackages_latest_hardened
was dropped because the hardened patches
lag behind the upstream kernel which made version bumps harder. If you want to use
a hardened kernel, please pin it explicitly with a versioned attribute such as
linuxPackages_5_10_hardened
.
The nomad
package now defaults to a 1.1.x release instead of 1.0.x
If exfat
is included in boot.supportedFilesystems
and when using kernel 5.7
or later, the exfatprogs
user-space utilities are used instead of exfat
.
The todoman
package was upgraded from 3.9.0 to 4.0.0. This introduces breaking changes in the configuration file format.
The datadog-agent
, datadog-integrations-core
and datadog-process-agent
packages
were upgraded from 6.11.2 to 7.30.2, git-2018-09-18 to 7.30.1 and 6.11.1 to 7.30.2,
respectively. As a result services.datadog-agent
has had breaking changes to the
configuration file. For details, see the upstream changelog.
opencv2
no longer includes the non-free libraries by default, and consequently pfstools
no longer includes OpenCV support by default. Both packages now support an enableUnfree
option to re-enable this functionality.
services.xserver.displayManager.defaultSession = "plasma5"
does not work anymore, instead use either "plasma"
for the Plasma X11 session or "plasmawayland"
for the Plasma Wayland sesison.
boot.kernelParams
now only accepts one command line parameter per string. This change is aimed to reduce common mistakes like “param = 12”, which would be parsed as 3 parameters.
nix.daemonNiceLevel
and nix.daemonIONiceLevel
have been removed in favour of the new options nix.daemonCPUSchedPolicy
, nix.daemonIOSchedClass
and nix.daemonIOSchedPriority
. Please refer to the options documentation and the sched(7)
and ioprio_set(2)
man pages for guidance on how to use them.
The coursier
package’s binary was renamed from coursier
to cs
. Completions which haven’t worked for a while should now work with the renamed binary. To keep using coursier
, you can create a shell alias.
The services.mosquitto
module has been rewritten to support multiple listeners and per-listener configuration.
Module configurations from previous releases will no longer work and must be updated.
The fluidsynth_1
attribute has been removed, as this legacy version is no longer needed in nixpkgs. The actively maintained 2.x series is available as fluidsynth
unchanged.
Nextcloud 20 (pkgs.nextcloud20
) has been dropped because it was EOLed by upstream in 2021-10.
The virtualisation.pathsInNixDB
option was renamed
virtualisation.additionalPaths
.
The services.ddclient.password
option was removed, and replaced with services.ddclient.passwordFile
.
The default GNAT version has been changed: The gnat
attribute now points to gnat12
instead of gnat9
.
retroArchCores
has been removed. This means that using nixpkgs.config.retroarch
to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example: retroarch.override { cores = with libretro; [ citra snes9x ]; };
. Also, retroarchFull
derivation is available for those who want to have all RetroArch cores available.
The Linux kernel for security reasons now restricts access to BPF syscalls via BPF_UNPRIV_DEFAULT_OFF=y
. Unprivileged access can be reenabled via the kernel.unprivileged_bpf_disabled
sysctl knob.
/usr
will always be included in the initial ramdisk. See the fileSystems.<name>.neededForBoot
option.
If any files exist under /usr
(which is not typical for NixOS), they will be included in the initial ramdisk, increasing its size to a possibly problematic extent.
pkgs.haskell-language-server
will now by default be linked dynamically to improve TemplateHaskell compatibility. To mitigate the increased closure size it will now by default only support our current default ghc (at the moment 9.0.2). Add other ghc versions via e.g. pkgs.haskell-language-server.override { supportedGhcVersions = [ "90" "92" ]; }
.
pkgs.redis
is now built using the system jemalloc. This disables the experimental active defragmentation feature of redis. Users who require this feature can switch back to redis’ vendored version of jemalloc by setting services.redis.package = pkgs.redis.override { useSystemJemalloc = false; };
.
The linux kernel package infrastructure was moved out of all-packages.nix
, and restructured. Linux related functions and attributes now live under the pkgs.linuxKernel
attribute set.
In particular the versioned linuxPackages_*
package sets (such as linuxPackages_5_4
) and kernels from pkgs
were moved there and now live under pkgs.linuxKernel.packages.*
. The unversioned ones (such as linuxPackages_latest
) remain untouched.
In NixOS virtual machines (QEMU), the virtualisation
module has been updated with new options:
forwardPorts
to configure IPv4 port forwarding,
sharedDirectories
to set up shared host directories,
resolution
to set the screen resolution,
useNixStoreImage
to use a disk image for the Nix store instead of 9P.
In addition, the default msize
parameter in 9P filesystems (including /nix/store and all shared directories) has been increased to 16K for improved performance.
The setting services.openssh.logLevel
"VERBOSE"
"INFO"
. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.
However, if services.fail2ban.enable
is true
, the fail2ban
will override the verbosity to "VERBOSE"
, so that fail2ban
can observe the failed login attempts from the SSH logs.
The services.xserver.extraLayouts
no longer cause additional rebuilds when a layout is added or modified.
Sway: The terminal emulator rxvt-unicode
is no longer installed by default via programs.sway.extraPackages
. The current default configuration uses alacritty
(and soon foot
) so this is only an issue when using a customized configuration and not installing rxvt-unicode
explicitly.
python3
now defaults to Python 3.9. Python 3.9 introduces many deprecation warnings, please look at the What’s New In Python 3.9 post for more information.
qtile
hase been updated from ‘0.16.0’ to ‘0.18.0’, please check qtile changelog for changes.
The claws-mail
package now references the new GTK+ 3 release branch, major version 4. To use the GTK+ 2 releases, one can install the claws-mail-gtk2
package.
The wordpress module provides a new interface which allows to use different webservers with the new option services.wordpress.webserver
. Currently httpd
, caddy
and nginx
are supported. The definitions of wordpress sites should now be set in services.wordpress.sites
.
Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.
The dokuwiki module provides a new interface which allows to use different webservers with the new option services.dokuwiki.webserver
. Currently caddy
and nginx
are supported. The definitions of dokuwiki sites should now be set in services.dokuwiki.sites
.
Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.
The order of NSS (host) modules has been brought in line with upstream recommendations:
The myhostname
module is placed before the resolve
(optional) and dns
entries, but after file
(to allow overriding via /etc/hosts
/
networking.extraHosts
, and prevent ISPs with catchall-DNS resolvers from
hijacking .localhost
domains)
The mymachines
module, which provides hostname resolution for local
containers (registered with systemd-machined
) is placed to the front, to
make sure its mappings are preferred over other resolvers.
If systemd-networkd is enabled, the resolve
module is placed before
files
and myhostname
, as it provides the same logic internally, with
caching.
The mdns(_minimal)
module has been updated to the new priorities.
If you use your own NSS host modules, make sure to update your priorities according to these rules:
NSS modules which should be queried before resolved
DNS resolution should
use mkBefore.
NSS modules which should be queried after resolved
, files
and
myhostname
, but before dns
should use the default priority
NSS modules which should come after dns
should use mkAfter.
The networking.wireless module (based on wpa_supplicant) has been heavily reworked, solving a number of issues and adding useful features:
The automatic discovery of wireless interfaces at boot has been made reliable again (issues #101963, #23196).
WPA3 and Fast BSS Transition (802.11r) are now enabled by default for all networks.
Secrets like pre-shared keys and passwords can now be handled safely, meaning without including them in a world-readable file (wpa_supplicant.conf
under /nix/store).
This is achieved by storing the secrets in a secured environmentFile and referring to them though environment variables that are expanded inside the configuration.
With multiple interfaces declared, independent wpa_supplicant daemons are started, one for each interface (the services are named wpa_supplicant-wlan0
, wpa_supplicant-wlan1
, etc.).
The generated wpa_supplicant.conf
file is now formatted for easier reading.
A new scanOnLowSignal option has been added to facilitate fast roaming between access points (enabled by default).
A new networks.<name>.authProtocols option has been added to change the authentication protocols used when connecting to a network.
The networking.wireless.iwd module has a new networking.wireless.iwd.settings option.
The services.smokeping.host option was added and defaulted to localhost
. Before, smokeping
listened to all interfaces by default. NixOS defaults generally aim to provide non-Internet-exposed defaults for databases and internal monitoring tools, see e.g. #100192. Further, the systemd service for smokeping
got reworked defaults for increased operational stability, see PR #144127 for details.
The services.syncoid.enable module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn’t clean up after execution. You can manually look this up for your pools by running zfs allow your-pool-name
and use zfs unallow syncoid your-pool-name
to clean this up.
Zfs: latestCompatibleLinuxPackages
is now exported on the zfs package. One can use boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
to always track the latest compatible kernel with a given version of zfs.
Nginx will use the value of sslTrustedCertificate
if provided for a virtual host, even if enableACME
is set. This is useful for providers not using the same certificate to sign OCSP responses and server certificates.
lib.formats.yaml
’s generate
will not generate JSON anymore, but instead use more of the YAML-specific syntax.
MariaDB was upgraded from 10.5.x to 10.6.x. Please read the upstream release notes for changes and upgrade instructions.
The MariaDB C client library, also known as libmysqlclient or mariadb-connector-c, was upgraded from 3.1.x to 3.2.x. While this should hopefully not have any impact, this upgrade comes with some changes to default behavior, so you might want to review the upstream release notes.
GNOME desktop environment now enables QGnomePlatform
as the Qt platform theme, which should avoid crashes when opening file chooser dialogs in Qt apps by using XDG desktop portal. Additionally, it will make the apps fit better visually.
rofi
has been updated from ‘1.6.1’ to ‘1.7.0’, one important thing is the removal of the old xresources based configuration setup. Read more in rofi’s changelog.
ipfs now defaults to not listening on you local network. This setting was change as server providers won’t accept port scanning on their private network. If you have several ipfs instances running on a network you own, feel free to change the setting ipfs.localDiscovery = true;
. localDiscovery enables different instances to discover each other and share data.
lua
and luajit
interpreters have been patched to avoid looking into /usr/lib
directories, thus increasing the purity of the build.
Three new options, xdg.mime.addedAssociations, xdg.mime.defaultApplications, and xdg.mime.removedAssociations have been added to the xdg.mime module to allow the configuration of /etc/xdg/mimeapps.list
.
Kopia was upgraded from 0.8.x to 0.9.x. Please read the upstream release notes for changes and upgrade instructions.
The systemd.network
module has gained support for the FooOverUDP link type.
The networking
module has a new networking.fooOverUDP
option to configure Foo-over-UDP encapsulations.
networking.sits
now supports Foo-over-UDP encapsulation.
The virtualisation.libvirtd
module has been refactored and updated with new options:
virtualisation.libvirtd.qemu*
options (e.g.: virtualisation.libvirtd.qemuRunAsRoot
) were moved to virtualisation.libvirtd.qemu
submodule,
software TPM1/TPM2 support (e.g.: Windows 11 guests) (virtualisation.libvirtd.qemu.swtpm
),
custom OVMF package (e.g.: pkgs.OVMFFull
with HTTP, CSM and Secure Boot support) (virtualisation.libvirtd.qemu.ovmf.package
).
The cawbird
Twitter client now uses its own API keys to count as different application than upstream builds. This is done to evade application-level rate limiting. While existing accounts continue to work, users may want to remove and re-register their account in the client to enjoy a better user experience and benefit from this change.
A new option services.prometheus.enableReload
has been added which can be enabled to reload the prometheus service when its config file changes instead of restarting.
The option services.prometheus.environmentFile
has been removed since it was causing issues and Prometheus now has native support for secret files, i.e. basic_auth.password_file
and authorization.credentials_file
.
Dokuwiki now supports caddy! However
the nginx option has been removed, in the new configuration, please use the dokuwiki.webserver = "nginx"
instead.
The “${hostname}” option has been deprecated, please use dokuwiki.sites = [ "${hostname}" ]
instead
The services.unifi module has been reworked, solving a number of issues. This leads to several user facing changes:
The services.unifi.dataDir
option is removed and the data is now always located under /var/lib/unifi/data
. This is done to make better use of systemd state direcotiry and thus making the service restart more reliable.
The unifi logs can now be found under: /var/log/unifi
instead of /var/lib/unifi/logs
.
The unifi run directory can now be found under: /run/unifi
instead of /var/lib/unifi/run
.
security.pam.services.<name>.makeHomeDir
now uses umask=0077
instead of umask=0022
when creating the home directory.
Loki has had another release. Some default values have been changed for the configuration and some configuration options have been renamed. For more details, please check the upgrade guide.
julia
now refers to julia-stable
instead of julia-lts
. In practice this means it has been upgraded from 1.0.4
to 1.5.4
.
RetroArch has been upgraded from version 1.8.5
to 1.9.13.2
. Since the previous release was quite old, if you’re having issues after the upgrade, please delete your $XDG_CONFIG_HOME/retroarch/retroarch.cfg
file.
hydrus has been upgraded from version 438
to 463
. Since upgrading between releases this old is advised against, be sure to have a backup of your data before upgrading. For details, see the hydrus manual.
More jdk and jre versions are now exposed via java-packages.compiler
.
The sets haskell.packages
and haskell.compiler
now contain for every ghc version an attribute with the minor version dropped. E.g. for ghc8107
there also now exists ghc810
. Those attributes point to the same compilers and packagesets but have the advantage that e.g. ghc92
stays stable when we update from ghc925
to ghc926
.
Support is planned until the end of December 2021, handing over to 21.11.
In addition to numerous new and upgraded packages, this release has the following highlights:
Core version changes:
gcc: 9.3.0 -> 10.3.0
glibc: 2.30 -> 2.32
default linux: 5.4 -> 5.10, all supported kernels available
mesa: 20.1.7 -> 21.0.1
Desktop Environments:
GNOME: 3.36 -> 40, see its release notes
Plasma5: 5.18.5 -> 5.21.3
kdeApplications: 20.08.1 -> 20.12.3
cinnamon: 4.6 -> 4.8.1
Programming Languages and Frameworks:
Python optimizations were disabled again. Builds with optimizations enabled are not reproducible. Optimizations can now be enabled with an option.
The linux_latest kernel was updated to the 5.13 series. It currently is not officially supported for use with the zfs filesystem. If you use zfs, you should use a different kernel version (either the LTS kernel, or track a specific one).
The following new services were added since the last release:
GNURadio 3.8 and 3.9 were finally packaged, along with a rewrite to the Nix expressions, allowing users to override the features upstream supports selecting to compile or not to. Additionally, the attribute gnuradio
(3.9), gnuradio3_8
and gnuradio3_7
now point to an externally wrapped by default derivations, that allow you to also add `extraPythonPackages` to the Python interpreter used by GNURadio. Missing environmental variables needed for operational GUI were also added (#75478).
Keycloak, an open source identity and access management server with support for OpenID Connect, OAUTH 2.0 and SAML 2.0.
See the Keycloak section of the NixOS manual for more information.
services.samba-wsdd.enable Web Services Dynamic Discovery host daemon
Discourse, a modern and open source discussion platform.
See the Discourse section of the NixOS manual for more information.
When upgrading from a previous release, please be aware of the following incompatible changes:
GNOME desktop environment was upgraded to 40, see the release notes for 40.0 and 3.38. The gnome3
attribute set has been renamed to gnome
and so have been the NixOS options.
If you are using services.udev.extraRules
to assign custom names to network interfaces, this may stop working due to a change in the initialisation of dhcpcd and systemd networkd. To avoid this, either move them to services.udev.initrdRules
or see the new Assigning custom names section of the NixOS manual for an example using networkd links.
The security.hideProcessInformation
module has been removed. It was broken since the switch to cgroups-v2.
The linuxPackages.ati_drivers_x11
kernel modules have been removed. The drivers only supported kernels prior to 4.2, and thus have become obsolete.
The systemConfig
kernel parameter is no longer added to boot loader entries. It has been unused since September 2010, but if do have a system generation from that era, you will now be unable to boot into them.
systemd-journal2gelf
no longer parses json and expects the receiving system to handle it. How to achieve this with Graylog is described in this GitHub issue.
If the services.dbus
module is enabled, then the user D-Bus session is now always socket activated. The associated options services.dbus.socketActivated
and services.xserver.startDbusSession
have therefore been removed and you will receive a warning if they are present in your configuration. This change makes the user D-Bus session available also for non-graphical logins.
The networking.wireless.iwd
module now installs the upstream-provided 80-iwd.link file, which sets the NamePolicy= for all wlan devices to “keep kernel”, to avoid race conditions between iwd and networkd. If you don’t want this, you can set systemd.network.links."80-iwd" = lib.mkForce {}
.
rubyMinimal
was removed due to being unused and unusable. The default ruby interpreter includes JIT support, which makes it reference it’s compiler. Since JIT support is probably needed by some Gems, it was decided to enable this feature with all cc references by default, and allow to build a Ruby derivation without references to cc, by setting jitSupport = false;
in an overlay. See #90151 for more info.
Setting services.openssh.authorizedKeysFiles
now also affects which keys security.pam.enableSSHAgentAuth
will use. WARNING: If you are using these options in combination do make sure that any key paths you use are present in services.openssh.authorizedKeysFiles
!
The option fonts.enableFontDir
has been renamed to fonts.fontDir.enable. The path of font directory has also been changed to /run/current-system/sw/share/X11/fonts
, for consistency with other X11 resources.
A number of options have been renamed in the kicad interface. oceSupport
has been renamed to withOCE
, withOCCT
has been renamed to withOCC
, ngspiceSupport
has been renamed to withNgspice
, and scriptingSupport
has been renamed to withScripting
. Additionally, kicad/base.nix
no longer provides default argument values since these are provided by kicad/default.nix
.
The socket for the pdns-recursor
module was moved from /var/lib/pdns-recursor
to /run/pdns-recursor
to match upstream.
Paperwork was updated to version 2. The on-disk format slightly changed, and it is not possible to downgrade from Paperwork 2 back to Paperwork 1.3. Back your documents up before upgrading. See this thread for more details.
PowerDNS has been updated from 4.2.x
to 4.3.x
. Please be sure to review the Upgrade Notes provided by upstream before upgrading. Worth specifically noting is that the service now runs entirely as a dedicated pdns
user, instead of starting as root
and dropping privileges, as well as the default socket-dir
location changing from /var/lib/powerdns
to /run/pdns
.
The mediatomb
service is now using by default the new and maintained fork gerbera
package instead of the unmaintained mediatomb
package. If you want to keep the old behavior, you must declare it with:
{
services.mediatomb.package = pkgs.mediatomb;
}
One new option openFirewall
has been introduced which defaults to false. If you relied on the service declaration to add the firewall rules itself before, you should now declare it with:
{
services.mediatomb.openFirewall = true;
}
xfsprogs was update from 4.19 to 5.11. It now enables reflink support by default on filesystem creation. Support for reflinks was added with an experimental status to kernel 4.9 and deemed stable in kernel 4.16. If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than those, you need to format them with mkfs.xfs -m reflink=0
.
The uWSGI server is now built with POSIX capabilities. As a consequence, root is no longer required in emperor mode and the service defaults to running as the unprivileged uwsgi
user. Any additional capability can be added via the new option services.uwsgi.capabilities. The previous behaviour can be restored by setting:
{
services.uwsgi.user = "root";
services.uwsgi.group = "root";
services.uwsgi.instance =
{
uid = "uwsgi";
gid = "uwsgi";
};
}
Another incompatibility from the previous release is that vassals running under a different user or group need to use immediate-{uid,gid}
instead of the usual uid,gid
options.
btc1 has been abandoned upstream, and removed.
cpp_ethereum (aleth) has been abandoned upstream, and removed.
riak-cs package removed along with services.riak-cs
module.
stanchion package removed along with services.stanchion
module.
mutt has been updated to a new major version (2.x), which comes with some backward incompatible changes that are described in the release notes for Mutt 2.0.
vim
and neovim
switched to Python 3, dropping all Python 2 support.
networking.wireguard.interfaces.<name>.generatePrivateKeyFile, which is off by default, had a chmod
race condition fixed. As an aside, the parent directory’s permissions were widened, and the key files were made owner-writable. This only affects newly created keys. However, if the exact permissions are important for your setup, read #121294.
boot.zfs.forceImportAll previously did nothing, but has been fixed. However its default has been changed to false
to preserve the existing default behaviour. If you have this explicitly set to true
, please note that your non-root pools will now be forcibly imported.
openafs now points to openafs_1_8, which is the new stable release. OpenAFS 1.6 was removed.
The WireGuard module gained a new option networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshSeconds
that implements refreshing the IP of DNS-based endpoints periodically (which WireGuard itself cannot do).
MariaDB has been updated to 10.5. Before you upgrade, it would be best to take a backup of your database and read Incompatible Changes Between 10.4 and 10.5. After the upgrade you will need to run mysql_upgrade
.
The TokuDB storage engine dropped in mariadb 10.5 and removed in mariadb 10.6. It is recommended to switch to RocksDB. See also TokuDB and MDEV-19780: Remove the TokuDB storage engine.
The openldap
module now has support for OLC-style configuration, users of the configDir
option may wish to migrate. If you continue to use configDir
, ensure that olcPidFile
is set to /run/slapd/slapd.pid
.
As a result, extraConfig
and extraDatabaseConfig
are removed. To help with migration, you can convert your slapd.conf
file to OLC configuration with the following script (find the location of this configuration file by running systemctl status openldap
, it is the -f
option.
$ TMPDIR=$(mktemp -d)
$ slaptest -f /path/to/slapd.conf -F $TMPDIR
$ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
This will dump your current configuration in LDIF format, which should be straightforward to convert into Nix settings. This does not show your schema configuration, as this is unnecessarily verbose for users of the default schemas and slaptest
is buggy with schemas directly in the config file.
Amazon EC2 and OpenStack Compute (nova) images now re-fetch instance meta data and user data from the instance metadata service (IMDS) on each boot. For example: stopping an EC2 instance, changing its user data, and restarting the instance will now cause it to fetch and apply the new user data.
Specifically, /etc/ec2-metadata
is re-populated on each boot. Some NixOS scripts that read from this directory are guarded to only run if the files they want to manipulate do not already exist, and so will not re-apply their changes if the IMDS response changes. Examples: root
’s SSH key is only added if /root/.ssh/authorized_keys
does not exist, and SSH host keys are only set from user data if they do not exist in /etc/ssh
.
The rspamd
services is now sandboxed. It is run as a dynamic user instead of root, so secrets and other files may have to be moved or their permissions may have to be fixed. The sockets are now located in /run/rspamd
instead of /run
.
Enabling the Tor client no longer silently also enables and configures Privoxy, and the services.tor.client.privoxy.enable
option has been removed. To enable Privoxy, and to configure it to use Tor’s faster port, use the following configuration:
{
opt-services.privoxy.enable = true;
opt-services.privoxy.enableTor = true;
}
The services.tor
module has a new exhaustively typed services.tor.settings option following RFC 0042; backward compatibility with old options has been preserved when aliasing was possible. The corresponding systemd service has been hardened, but there is a chance that the service still requires more permissions, so please report any related trouble on the bugtracker. Onion services v3 are now supported in services.tor.relay.onionServices. A new services.tor.openFirewall option as been introduced for allowing connections on all the TCP ports configured.
The options services.slurm.dbdserver.storagePass
and services.slurm.dbdserver.configFile
have been removed. Use services.slurm.dbdserver.storagePassFile
instead to provide the database password. Extra config options can be given via the option services.slurm.dbdserver.extraConfig
. The actual configuration file is created on the fly on startup of the service. This avoids that the password gets exposed in the nix store.
The wafHook
hook does not wrap Python anymore. Packages depending on wafHook
need to include any Python into their nativeBuildInputs
.
Starting with version 1.7.0, the project formerly named CodiMD
is now named HedgeDoc
. New installations will no longer use the old name for users, state directories and such, this needs to be considered when moving state to a more recent NixOS installation. Based on system.stateVersion, existing installations will continue to work.
The fish-foreign-env package has been replaced with fishPlugins.foreign-env, in which the fish functions have been relocated to the vendor_functions.d
directory to be loaded automatically.
The prometheus json exporter is now managed by the prometheus community. Together with additional features some backwards incompatibilities were introduced. Most importantly the exporter no longer accepts a fixed command-line parameter to specify the URL of the endpoint serving JSON. It now expects this URL to be passed as an URL parameter, when scraping the exporter’s /probe
endpoint. In the prometheus scrape configuration the scrape target might look like this:
http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint
Existing configuration for the exporter needs to be updated, but can partially be re-used. Documentation is available in the upstream repository and a small example for NixOS is available in the corresponding NixOS test.
These changes also affect services.prometheus.exporters.rspamd.enable, which is just a preconfigured instance of the json exporter.
For more information, take a look at the official documentation of the json_exporter.
Androidenv was updated, removing the includeDocs
and lldbVersions
arguments. Docs only covered a single version of the Android SDK, LLDB is now bundled with the NDK, and both are no longer available to download from the Android package repositories. Additionally, since the package lists have been updated, some older versions of Android packages may not be bundled. If you depend on older versions of Android packages, we recommend overriding the repo.
Android packages are now loaded from a repo.json file created by parsing Android repo XML files. The arguments repoJson
and repoXmls
have been added to allow overriding the built-in androidenv repo.json with your own. Additionally, license files are now written to allow compatibility with Gradle-based tools, and the extraLicenses
argument has been added to accept more SDK licenses if your project requires it. See the androidenv documentation for more details.
The attribute mpi
is now consistently used to provide a default, system-wide MPI implementation. The default implementation is openmpi, which has been used before by all derivations affects by this change. Note that all packages that have used mpi ? null
in the input for optional MPI builds, have been changed to the boolean input parameter useMpi
to enable building with MPI. Building all packages with mpich
instead of the default openmpi
can now be achieved like this:
self: super:
{
mpi = super.mpich;
}
The Searx module has been updated with the ability to configure the service declaratively and uWSGI integration. The option services.searx.configFile
has been renamed to services.searx.settingsFile for consistency with the new services.searx.settings. In addition, the searx
uid and gid reservations have been removed since they were not necessary: the service is now running with a dynamically allocated uid.
The libinput module has been updated with the ability to configure mouse and touchpad settings separately. The options in services.xserver.libinput
have been renamed to services.xserver.libinput.touchpad
, while there is a new services.xserver.libinput.mouse
for mouse related configuration.
Since touchpad options no longer apply to all devices, you may want to replicate your touchpad configuration in mouse section.
ALSA OSS emulation (sound.enableOSSEmulation
) is now disabled by default.
Thinkfan as been updated to 1.2.x
, which comes with a new YAML based configuration format. For this reason, several NixOS options of the thinkfan module have been changed to non-backward compatible types. In addition, a new services.thinkfan.settings option has been added.
Please read the thinkfan documentation before updating.
Adobe Flash Player support has been dropped from the tree. In particular, the following packages no longer support it:
chromium
firefox
qt48
qt5.qtwebkit
Additionally, packages flashplayer and hal-flash were removed along with the services.flashpolicyd
module.
The security.rngd
module has been removed. It was disabled by default in 20.09 as it was functionally redundant with krngd in the linux kernel. It is not necessary for any device that the kernel recognises as an hardware RNG, as it will automatically run the krngd task to periodically collect random data from the device and mix it into the kernel’s RNG.
The default SMTP port for GitLab has been changed to 25
from its previous default of 465
. If you depended on this default, you should now set the services.gitlab.smtp.port option.
The default version of ImageMagick has been updated from 6 to 7. You can use imagemagick6, imagemagick6_light, and imagemagick6Big if you need the older version.
services.xserver.videoDrivers no longer uses the deprecated cirrus
and vesa
device dependent X drivers by default. It also enables both amdgpu
and nouveau
drivers by default now.
The kindlegen
package is gone, because it is no longer supported or hosted by Amazon. Sadly, its replacement, Kindle Previewer, has no Linux support. However, there are other ways to generate MOBI files. See the discussion for more info.
The apacheKafka packages are now built with version-matched JREs. Versions 2.6 and above, the ones that recommend it, use jdk11, while versions below remain on jdk8. The NixOS service has been adjusted to start the service using the same version as the package, adjustable with the new services.apache-kafka.jre option. Furthermore, the default list of services.apache-kafka.jvmOptions have been removed. You should set your own according to the upstream documentation for your Kafka version.
The kodi package has been modified to allow concise addon management. Consider the following configuration from previous releases of NixOS to install kodi, including the kodiPackages.inputstream-adaptive and kodiPackages.vfs-sftp addons:
{
environment.systemPackages = [
pkgs.kodi
];
nixpkgs.config.kodi = {
enableInputStreamAdaptive = true;
enableVFSSFTP = true;
};
}
All Kodi config
flags have been removed, and as a result the above configuration should now be written as:
{
environment.systemPackages = [
(pkgs.kodi.withPackages (p: with p; [
inputstream-adaptive
vfs-sftp
]))
];
}
environment.defaultPackages
now includes the nano package. If pkgs.nano is not added to the list, make sure another editor is installed and the EDITOR
environment variable is set to it. Environment variables can be set using environment.variables
.
services.minio.dataDir
changed type to a list of paths, required for specifying multiple data directories for using with erasure coding. Currently, the service doesn’t enforce nor checks the correct number of paths to correspond to minio requirements.
All CUDA toolkit versions prior to CUDA 10 have been removed.
The kbdKeymaps package was removed since dvp and neo are now included in kbd. If you want to use the Programmer Dvorak Keyboard Layout, you have to use dvorak-programmer
in console.keyMap
now instead of dvp
. In services.xserver.xkbVariant
it’s still dvp
.
The babeld service is now being run as an unprivileged user. To achieve that the module configures skip-kernel-setup true
and takes care of setting forwarding and rp_filter sysctls by itself as well as for each interface in services.babeld.interfaces
.
The services.zigbee2mqtt.config
option has been renamed to services.zigbee2mqtt.settings
and now follows RFC 0042.
The yadm dotfile manager has been updated from 2.x to 3.x, which has new (XDG) default locations for some data/state files. Most yadm commands will fail and print a legacy path warning (which describes how to upgrade/migrate your repository). If you have scripts, daemons, scheduled jobs, shell profiles, etc. that invoke yadm, expect them to fail or misbehave until you perform this migration and prepare accordingly.
Instead of determining services.radicale.package
automatically based on system.stateVersion
, the latest version is always used because old versions are not officially supported.
Furthermore, Radicale’s systemd unit was hardened which might break some deployments. In particular, a non-default filesystem_folder
has to be added to systemd.services.radicale.serviceConfig.ReadWritePaths
if the deprecated services.radicale.config
is used.
In the security.acme
module, use of --reuse-key
parameter for Lego has been removed. It was introduced for HKPK, but this security feature is now deprecated. It is a better security practice to rotate key pairs instead of always keeping the same. If you need to keep this parameter, you can add it back using extraLegoRenewFlags
as an option for the appropriate certificate.
stdenv.lib
has been deprecated and will break eval in 21.11. Please use pkgs.lib
instead. See #108938 for details.
GNURadio has a pkgs
attribute set, and there’s a gnuradio.callPackage
function that extends pkgs
with a mkDerivation
, and a mkDerivationWith
, like Qt5. Now all gnuradio.pkgs
are defined with gnuradio.callPackage
and some packages that depend on gnuradio are defined with this as well.
Privoxy has been updated to version 3.0.32 (See announcement). Compared to the previous release, Privoxy has gained support for HTTPS inspection (still experimental), Brotli decompression, several new filters and lots of bug fixes, including security ones. In addition, the package is now built with compression and external filters support, which were previously disabled.
Regarding the NixOS module, new options for HTTPS inspection have been added and services.privoxy.extraConfig
has been replaced by the new services.privoxy.settings (See RFC 0042 for the motivation).
Kodi has been updated to version 19.1 “Matrix”. See the announcement for further details.
The services.packagekit.backend
option has been removed as it only supported a single setting which would always be the default. Instead new RFC 0042 compliant services.packagekit.settings and services.packagekit.vendorSettings options have been introduced.
Nginx has been updated to stable version 1.20.0. Now nginx uses the zlib-ng library by default.
KDE Gear (formerly KDE Applications) is upgraded to 21.04, see its release notes for details.
The kdeApplications
package set is now kdeGear
, in keeping with the new name. The old name remains for compatibility, but it is deprecated.
Libreswan has been updated to version 4.4. The package now includes example configurations and manual pages by default. The NixOS module has been changed to use the upstream systemd units and write the configuration in the /etc/ipsec.d/
directory. In addition, two new options have been added to specify connection policies (services.libreswan.policies) and disable send/receive redirects (services.libreswan.disableRedirects).
The Mailman NixOS module (services.mailman
) has a new option services.mailman.enablePostfix, defaulting to true, that controls integration with Postfix.
If this option is disabled, default MTA config becomes not set and you should set the options in services.mailman.settings.mta
according to the desired configuration as described in Mailman documentation.
The default-version of nextcloud
is nextcloud21. Please note that it’s not possible to upgrade nextcloud
across multiple major versions! This means that it’s e.g. not possible to upgrade from nextcloud18 to nextcloud20 in a single deploy and most 20.09
users will have to upgrade to nextcloud20 first.
The package can be manually upgraded by setting services.nextcloud.package to nextcloud21.
The setting services.redis.bind defaults to 127.0.0.1
now, making Redis listen on the loopback interface only, and not all public network interfaces.
NixOS now emits a deprecation warning if systemd’s StartLimitInterval
setting is used in a serviceConfig
section instead of in a unitConfig
; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See #45785 for details.
All services should use systemd.services.name.startLimitIntervalSec or StartLimitIntervalSec
in systemd.services.name.unitConfig instead.
The mediatomb
service declares new options. It also adapts existing options so the configuration generation is now lazy. The existing option customCfg
(defaults to false), when enabled, stops the service configuration generation completely. It then expects the users to provide their own correct configuration at the right location (whereas the configuration was generated and not used at all before). The new option transcodingOption
(defaults to no) allows a generated configuration. It makes the mediatomb service pulls the necessary runtime dependencies in the nix store (whereas it was generated with hardcoded values before). The new option mediaDirectories
allows the users to declare autoscan media directories from their nixos configuration:
{
services.mediatomb.mediaDirectories = [
{ path = "/var/lib/mediatomb/pictures"; recursive = false; hidden-files = false; }
{ path = "/var/lib/mediatomb/audio"; recursive = true; hidden-files = false; }
];
}
The Unbound DNS resolver service (services.unbound
) has been refactored to allow reloading, control sockets and to fix startup ordering issues.
It is now possible to enable a local UNIX control socket for unbound by setting the services.unbound.localControlSocketPath option.
Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities.
As of this we are (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound as unbound
user with the required capabilities instead of letting unbound do the chroot & uid/gid changes.
The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the Type
set to notify
, therefore we are now also using the unbound-with-systemd
package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit active (running)
. This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Services depending on nss-lookup.target
or unbound.service
are now be able to use unbound when those targets have been reached.
Additionally to the much stricter runtime environment the /dev/urandom
mount lines we previously had in the code (that randomly failed during the stop-phase) have been removed as systemd will take care of those for us.
The preStart
script is now only required if we enabled the trust anchor updates (which are still enabled by default).
Another benefit of the refactoring is that we can now issue reloads via either pkill -HUP unbound
and systemctl reload unbound
to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. We are using the path /etc/unbound/unbound.conf
as that is the default in the CLI tooling which in turn enables us to use unbound-control
without passing a custom configuration location.
The module has also been reworked to be RFC 0042 compliant. As such, services.unbound.extraConfig
has been removed and replaced by services.unbound.settings. services.unbound.interfaces
has been renamed to services.unbound.settings.server.interface
.
services.unbound.forwardAddresses
and services.unbound.allowedAccess
have also been changed to use the new settings interface. You can follow the instructions when executing nixos-rebuild
to upgrade your configuration to use the new interface.
The services.dnscrypt-proxy2
module now takes the upstream’s example configuration and updates it with the user’s settings. An option has been added to restore the old behaviour if you prefer to declare the configuration from scratch.
NixOS now defaults to the unified cgroup hierarchy (cgroupsv2). See the Fedora Article for 31 for details on why this is desirable, and how it impacts containers.
If you want to run containers with a runtime that does not yet support cgroupsv2, you can switch back to the old behaviour by setting systemd.enableUnifiedCgroupHierarchy = false
; and rebooting.
PulseAudio was upgraded to 14.0, with changes to the handling of default sinks. See its release notes.
GNOME users may wish to delete their ~/.config/pulse
due to the changes to stream routing logic. See PulseAudio bug 832 for more information.
The zookeeper package does not provide zooInspector.sh
anymore, as that “contrib” has been dropped from upstream releases.
In the ACME module, the data used to build the hash for the account directory has changed to accommodate new features to reduce account rate limit issues. This will trigger new account creation on the first rebuild following this update. No issues are expected to arise from this, thanks to the new account creation handling.
users.users.name.createHome now always ensures home directory permissions to be 0700
. Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others. The option’s description was incorrect regarding ownership management and has been simplified greatly.
When defining a new user, one of users.users.name.isNormalUser and users.users.name.isSystemUser is now required. This is to prevent accidentally giving a UID above 1000 to system users, which could have unexpected consequences, like running user activation scripts for system users. Note that users defined with an explicit UID below 500 are exempted from this check, as users.users.name.isSystemUser has no effect for those.
The security.apparmor
module, for the AppArmor Mandatory Access Control system, has been substantially improved along with related tools, so that module maintainers can now more easily write AppArmor profiles for NixOS. The most notable change on the user-side is the new option security.apparmor.policies, replacing the previous profiles
option to provide a way to disable a profile and to select whether to confine in enforce mode (default) or in complain mode (see journalctl -b --grep apparmor
). Security-minded users may also want to enable security.apparmor.killUnconfinedConfinables, at the cost of having some of their processes killed when updating to a NixOS version introducing new AppArmor profiles.
The GNOME desktop manager once again installs gnome.epiphany by default.
NixOS now generates empty /etc/netgroup
. /etc/netgroup
defines network-wide groups and may affect to setups using NIS.
Platforms, like stdenv.hostPlatform
, no longer have a platform
attribute. It has been (mostly) flattened away:
platform.gcc
is now gcc
platform.kernel*
is now linux-kernel.*
Additionally, platform.kernelArch
moved to the top level as linuxArch
to match the other *Arch
variables.
The platform
grouping of these things never meant anything, and was just a historial/implementation artifact that was overdue removal.
services.restic
now uses a dedicated cache directory for every backup defined in services.restic.backups
. The old global cache directory, /root/.cache/restic
, is now unused and can be removed to free up disk space.
isync
: The isync
compatibility wrapper was removed and the Master/Slave terminology has been deprecated and should be replaced with Far/Near in the configuration file.
The nix-gc service now accepts randomizedDelaySec (default: 0) and persistent (default: true) parameters. By default nix-gc will now run immediately if it would have been triggered at least once during the time when the timer was inactive.
The rustPlatform.buildRustPackage
function is split into several hooks: cargoSetupHook to set up vendoring for Cargo-based projects, cargoBuildHook to build a project using Cargo, cargoInstallHook to install a project using Cargo, and cargoCheckHook to run tests in Cargo-based projects. With this change, mixed-language projects can use the relevant hooks within builders other than buildRustPackage
. However, these changes also required several API changes to buildRustPackage
itself:
The target
argument was removed. Instead, buildRustPackage
will always use the same target as the C/C++ compiler that is used.
The cargoParallelTestThreads
argument was removed. Parallel tests are now disabled through dontUseCargoParallelTests
.
The rustPlatform.maturinBuildHook
hook was added. This hook can be used with buildPythonPackage
to build Python packages that are written in Rust and use Maturin as their build tool.
Kubernetes has deprecated docker as container runtime. As a consequence, the Kubernetes module now has support for configuration of custom remote container runtimes and enables containerd by default. Note that containerd is more strict regarding container image OCI-compliance. As an example, images with CMD or ENTRYPOINT defined as strings (not lists) will fail on containerd, while working fine on docker. Please test your setup and container images with containerd prior to upgrading.
The GitLab module now has support for automatic backups. A schedule can be set with the services.gitlab.backup.startAt option.
Prior to this release, systemd would also read system units from an undocumented /etc/systemd-mutable/system
path. This path has been dropped from the defaults. That path (or others) can be re-enabled by adding it to the boot.extraSystemdUnitPaths list.
PostgreSQL 9.5 is scheduled EOL during the 21.05 life cycle and has been removed.
Xfce4 relies on GIO/GVfs for userspace virtual filesystem access in applications like thunar and gigolo. For that to work, the gvfs nixos service is enabled by default, and it can be configured with the specific package that provides GVfs. Until now Xfce4 was setting it to use a lighter version of GVfs (without support for samba). To avoid conflicts with other desktop environments this setting has been dropped. Users that still want it should add the following to their system configuration:
{
services.gvfs.package = pkgs.gvfs.override { samba = null; };
}
The newly enabled systemd-pstore.service
now automatically evacuates crashdumps and panic logs from the persistent storage to /var/lib/systemd/pstore
. This prevents NVRAM from filling up, which ensures the latest diagnostic data is always stored and alleviates problems with writing new boot configurations.
Nixpkgs now contains automatically packaged GNOME Shell extensions from the GNOME Extensions portal. You can find them, filed by their UUID, under gnome38Extensions
attribute for GNOME 3.38 and under gnome40Extensions
for GNOME 40. Finally, the gnomeExtensions
attribute contains extensions for the latest GNOME Shell version in Nixpkgs, listed under a more human-friendly name. The unqualified attribute scope also contains manually packaged extensions. Note that the automatically packaged extensions are provided for convenience and are not checked or guaranteed to work.
Erlang/OTP versions older than R21 got dropped. We also dropped the cuter package, as it was purely an example of how to build a package. We also dropped lfe_1_2
as it could not build with R21+. Moving forward, we expect to only support 3 yearly releases of OTP.
Support is planned until the end of June 2021, handing over to 21.05. (Plans have shifted by two months since release of 20.09.)
In addition to 7349 new, 14442 updated, and 8181 removed packages, this release has the following highlights:
Core version changes:
gcc: 9.2.0 -> 9.3.0
glibc: 2.30 -> 2.31
linux: still defaults to 5.4.x, all supported kernels available
mesa: 19.3.5 -> 20.1.7
Desktop Environments:
plasma5: 5.17.5 -> 5.18.5
kdeApplications: 19.12.3 -> 20.08.1
gnome3: 3.34 -> 3.36, see its release notes
cinnamon: added at 4.6
NixOS now distributes an official GNOME ISO
Programming Languages and Frameworks:
Agda ecosystem was heavily reworked (see more details below)
PHP now defaults to PHP 7.4, updated from 7.3
PHP 7.2 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 20.09 release
Python 3 now defaults to Python 3.8 instead of 3.7
Python 3.5 reached its upstream EOL at the end of September 2020: it has been removed from the list of available packages
Databases and Service Monitoring:
MariaDB has been updated to 10.4, MariaDB Galera to 26.4. Please read the related upgrade instructions under backwards incompatibilities before upgrading.
Zabbix now defaults to 5.0, updated from 4.4. Please read related sections under backwards compatibilities before upgrading.
Major module changes:
Quickly configure a complete, private, self-hosted video conferencing solution with the new Jitsi Meet module.
Two new options, authorizedKeysCommand and authorizedKeysCommandUser, have been added to the openssh
module. If you have AuthorizedKeysCommand
in your services.openssh.extraConfig you should make use of these new options instead.
There is a new module for Podman (virtualisation.podman
), a drop-in replacement for the Docker command line.
The new virtualisation.containers
module manages configuration shared by the CRI-O and Podman modules.
Declarative Docker containers are renamed from docker-containers
to virtualisation.oci-containers.containers
. This is to make it possible to use podman
instead of docker
.
The new option documentation.man.generateCaches has been added to automatically generate the man-db
caches, which are needed by utilities like whatis
and apropos
. The caches are generated during the build of the NixOS configuration: since this can be expensive when a large number of packages are installed, the feature is disabled by default.
services.postfix.sslCACert
was replaced by services.postfix.tlsTrustedAuthorities
which now defaults to system certificate authorities.
The various documented workarounds to use steam have been converted to a module. programs.steam.enable
enables steam, controller support and the workarounds.
Support for built-in LCDs in various pieces of Logitech hardware (keyboards and USB speakers). hardware.logitech.lcd.enable
enables support for all hardware supported by the g15daemon project.
The GRUB module gained support for basic password protection, which allows to restrict non-default entries in the boot menu to one or more users. The users and passwords are defined via the option boot.loader.grub.users
. Note: Password support is only available in GRUB version 2.
NixOS module changes:
The NixOS module system now supports freeform modules as a mix between types.attrsOf
and types.submodule
. These allow you to explicitly declare a subset of options while still permitting definitions without an associated option. See the section called “Freeform modules” for how to use them.
Following its deprecation in 20.03, the Perl NixOS test driver has been removed. All remaining tests have been ported to the Python test framework. Code outside nixpkgs using make-test.nix
or testing.nix
needs to be ported to make-test-python.nix
and testing-python.nix
respectively.
Subordinate GID and UID mappings are now set up automatically for all normal users. This will make container tools like Podman work as non-root users out of the box.
Starting with this release, the hydra-build-result nixos-YY.MM
branches no longer exist in the deprecated nixpkgs-channels repository. These branches are now in the main nixpkgs repository.
In addition to 1119 new, 118 updated, and 476 removed options; 61 new modules were added since the last release:
Hardware:
hardware.system76.firmware-daemon.enable adds easy support of system76 firmware
hardware.uinput.enable loads uinput kernel module
hardware.video.hidpi.enable enable good defaults for HiDPI displays
hardware.wooting.enable support for Wooting keyboards
hardware.xpadneo.enable xpadneo driver for Xbox One wireless controllers
Programs:
programs.hamster.enable enable hamster time tracking
programs.steam.enable adds easy enablement of steam and related system configuration
Security:
security.doas.enable alternative to sudo, allows non-root users to execute commands as root
security.tpm2.enable add Trusted Platform Module 2 support
System:
boot.initrd.network.openvpn.enable start an OpenVPN client during initrd boot
Virtualization:
boot.enableContainers use nixos-containers
virtualisation.oci-containers.containers run OCI (Docker) containers
virtualisation.podman.enable daemonless container engine
Services:
services.ankisyncd.enable
Anki sync server
services.bazarr.enable Subtitle manager for Sonarr and Radarr
services.biboumi.enable Biboumi XMPP gateway to IRC
services.blockbook-frontend Blockbook-frontend, a service for the Trezor wallet
services.cage.enable Wayland cage service
services.convos.enable IRC daemon, which can be accessed through the browser
services.engelsystem.enable Tool for coordinating volunteers and shifts on large events
services.espanso.enable text-expander written in rust
services.foldingathome.enable Folding@home client
services.gerrit.enable Web-based team code collaboration tool
services.go-neb.enable Matrix bot
services.hardware.xow.enable xow as a systemd service
services.hercules-ci-agent.enable Hercules CI build agent
services.jicofo.enable Jitsi Conference Focus, component of Jitsi Meet
services.jirafeau.enable A web file repository
services.jitsi-meet.enable Secure, simple and scalable video conferences
services.jitsi-videobridge.enable Jitsi Videobridge, a WebRTC compatible router
services.jupyterhub.enable Jupyterhub development server
services.k3s.enable Lightweight Kubernetes distribution
services.magic-wormhole-mailbox-server.enable Magic Wormhole Mailbox Server
services.malcontent.enable Parental Control support
services.matrix-appservice-discord.enable Matrix and Discord bridge
services.mautrix-telegram.enable Matrix-Telegram puppeting/relaybot bridge
services.mirakurun.enable Japanese DTV Tuner Server Service
services.molly-brown.enable Molly-Brown Gemini server
services.mullvad-vpn.enable Mullvad VPN daemon
services.ncdns.enable Namecoin to DNS bridge
services.nextdns.enable NextDNS to DoH Proxy service
services.nix-store-gcs-proxy Google storage bucket to be used as a nix store
services.onedrive.enable OneDrive sync service
services.pinnwand.enable Pastebin-like service
services.pixiecore.enable Manage network booting of machines
services.privacyidea.enable Privacy authentication server
services.quorum.enable Quorum blockchain daemon
services.robustirc-bridge.enable RobustIRC bridge
services.rss-bridge.enable Generate RSS and Atom feeds
services.rtorrent.enable rTorrent service
services.smartdns.enable SmartDNS DNS server
services.sogo.enable SOGo groupware
services.teeworlds.enable Teeworlds game server
services.torque.mom.enable torque computing node
services.torque.server.enable torque server
services.tuptime.enable A total uptime service
services.urserver.enable X11 remote server
services.wasabibackend.enable Wasabi backend service
services.yubikey-agent.enable Yubikey agent
services.zigbee2mqtt.enable Zigbee to MQTT bridge
When upgrading from a previous release, please be aware of the following incompatible changes:
MariaDB has been updated to 10.4, MariaDB Galera to 26.4. Before you upgrade, it would be best to take a backup of your database. For MariaDB Galera Cluster, see Upgrading from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster instead. Before doing the upgrade read Incompatible Changes Between 10.3 and 10.4. After the upgrade you will need to run mysql_upgrade
. MariaDB 10.4 introduces a number of changes to the authentication process, intended to make things easier and more intuitive. See Authentication from MariaDB 10.4. unix_socket auth plugin does not use a password, and uses the connecting user’s UID instead. When a new MariaDB data directory is initialized, two MariaDB users are created and can be used with new unix_socket auth plugin, as well as traditional mysql_native_password plugin: root@localhost and mysql@localhost. To actually use the traditional mysql_native_password plugin method, one must run the following:
{
services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("verysecret");
'';
}
When MariaDB data directory is just upgraded (not initialized), the users are not created or modified.
MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when calling LOAD DATA INFILE or SELECT * INTO OUTFILE
. In this scenario a variant of the following may be required: - allow MySQL to read from /home and /tmp directories when using LOAD DATA INFILE
{
systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only";
}
- allow MySQL to write to custom folder /var/data
when using SELECT * INTO OUTFILE
, assuming the mysql user has write access to /var/data
{
systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
}
The MySQL service no longer runs its systemd
service startup script as root
anymore. A dedicated non root
super user account is required for operation. This means users with an existing MySQL or MariaDB database server are required to run the following SQL statements as a super admin user before upgrading:
CREATE USER IF NOT EXISTS 'mysql'@'localhost' identified with unix_socket;
GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
If you use MySQL instead of MariaDB please replace unix_socket
with auth_socket
. If you have changed the value of services.mysql.user from the default of mysql
to a different user please change 'mysql'@'localhost'
to the corresponding user instead.
Zabbix now defaults to 5.0, updated from 4.4. Please carefully read through the upgrade guide and apply any changes required. Be sure to take special note of the section on enabling extended range of numeric (float) values as you will need to apply this database migration manually.
If you are using Zabbix Server with a MySQL or MariaDB database you should note that using a character set of utf8
and a collate of utf8_bin
has become mandatory with this release. See the upstream issue for further discussion. Before upgrading you should check the character set and collation used by your database and ensure they are correct:
SELECT
default_character_set_name,
default_collation_name
FROM
information_schema.schemata
WHERE
schema_name = 'zabbix';
If these values are not correct you should take a backup of your database and convert the character set and collation as required. Here is an example of how to do so, taken from the Zabbix forums:
ALTER DATABASE `zabbix` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin;
-- the following will produce a list of SQL commands you should subsequently execute
SELECT CONCAT("ALTER TABLE ", TABLE_NAME," CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;") AS ExecuteTheString
FROM information_schema.`COLUMNS`
WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ci";
maxx package removed along with services.xserver.desktopManager.maxx
module. Please migrate to cdesktopenv and services.xserver.desktopManager.cde
module.
The matrix-synapse module no longer includes optional dependencies by default, they have to be added through the plugins option.
buildGoModule
now internally creates a vendor directory in the source tree for downloaded modules instead of using go’s module proxy protocol. This storage format is simpler and therefore less likely to break with future versions of go. As a result buildGoModule
switched from modSha256
to the vendorSha256
attribute to pin fetched version data.
Grafana is now built without support for phantomjs by default. Phantomjs support has been deprecated in Grafana and the phantomjs project is currently unmaintained. It can still be enabled by providing phantomJsSupport = true
to the package instantiation:
{
services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec {
phantomJsSupport = true;
});
}
The supybot module now uses /var/lib/supybot
as its default stateDir path if stateVersion
is 20.09 or higher. It also enables a number of systemd sandboxing options which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in systemd.services.supybot.serviceConfig
.
The security.duosec.skey
option, which stored a secret in the nix store, has been replaced by a new security.duosec.secretKeyFile option for better security.
security.duosec.ikey
has been renamed to security.duosec.integrationKey.
vmware
has been removed from the services.x11.videoDrivers
defaults. For VMWare guests set virtualisation.vmware.guest.enable
to true
which will include the appropriate drivers.
The initrd SSH support now uses OpenSSH rather than Dropbear to allow the use of Ed25519 keys and other OpenSSH-specific functionality. Host keys must now be in the OpenSSH format, and at least one pre-generated key must be specified.
If you used the boot.initrd.network.ssh.host*Key
options, you’ll get an error explaining how to convert your host keys and migrate to the new boot.initrd.network.ssh.hostKeys
option. Otherwise, if you don’t have any host keys set, you’ll need to generate some; see the hostKeys
option documentation for instructions.
Since this release there’s an easy way to customize your PHP install to get a much smaller base PHP with only wanted extensions enabled. See the following snippet installing a smaller PHP with the extensions imagick
, opcache
, pdo
and pdo_mysql
loaded:
{
environment.systemPackages = [
(pkgs.php.withExtensions
({ all, ... }: with all; [
imagick
opcache
pdo
pdo_mysql
])
)
];
}
The default php
attribute hasn’t lost any extensions. The opcache
extension has been added. All upstream PHP extensions are available under php.extensions.<name?>.
All PHP config
flags have been removed for the following reasons:
The updated php
attribute is now easily customizable to your liking by using php.withExtensions
or php.buildEnv
instead of writing config files or changing configure flags.
The remaining configuration flags can now be set directly on the php
attribute. For example, instead of
php.override {
config.php.embed = true;
config.php.apxs2 = false;
}
you should now write
php.override {
embedSupport = true;
apxs2Support = false;
}
The ACME module has been overhauled for simplicity and maintainability. Cert generation now implicitly uses the acme
user, and the security.acme.certs._name_.user
option has been removed. Instead, certificate access from other services is now managed through group permissions. The module no longer runs lego twice under certain conditions, and will correctly renew certificates if their configuration is changed. Services which reload nginx and httpd after certificate renewal are now properly configured too so you no longer have to do this manually if you are using HTTPS enabled virtual hosts. A mechanism for regenerating certs on demand has also been added and documented.
Gollum received a major update to version 5.x and you may have to change some links in your wiki when migrating from gollum 4.x. More information can be found here.
Deluge 2.x was added and is used as default for new NixOS installations where stateVersion is >= 20.09. If you are upgrading from a previous NixOS version, you can set service.deluge.package = pkgs.deluge-2_x
to upgrade to Deluge 2.x and migrate the state to the new format. Be aware that backwards state migrations are not supported by Deluge.
Nginx web server now starting with additional sandbox/hardening options. By default, write access to /var/log/nginx
and /var/cache/nginx
is allowed. To allow writing to other folders, use systemd.services.nginx.serviceConfig.ReadWritePaths
{
systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
}
Nginx is also started with the systemd option ProtectHome = mkDefault true;
which forbids it to read anything from /home
, /root
and /run/user
(see ProtectHome docs for details). If you require serving files from home directories, you may choose to set e.g.
{
systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
}
The NixOS options nesting.clone
and nesting.children
have been deleted, and replaced with named specialisation configurations.
Replace a nesting.clone
entry with:
{
specialisation.example-sub-configuration = {
configuration = {
# ...
};
};
}
Replace a nesting.children
entry with:
{
specialisation.example-sub-configuration = {
inheritParentConfig = false;
configuration = {
# ...
};
};
}
To switch to a specialised configuration at runtime you need to run:
$ sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test
Before you would have used:
$ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
The Nginx log directory has been moved to /var/log/nginx
, the cache directory to /var/cache/nginx
. The option services.nginx.stateDir
has been removed.
The httpd web server previously started its main process as root privileged, then ran worker processes as a less privileged identity user. This was changed to start all of httpd as a less privileged user (defined by services.httpd.user and services.httpd.group). As a consequence, all files that are needed for httpd to run (included configuration fragments, SSL certificates and keys, etc.) must now be readable by this less privileged user/group.
The default value for services.httpd.mpm has been changed from prefork
to event
. Along with this change the default value for services.httpd.virtualHosts.<name>.http2 has been set to true
.
The systemd-networkd
option systemd.network.networks.<name>.dhcp.CriticalConnection
has been removed following upstream systemd’s deprecation of the same. It is recommended to use systemd.network.networks.<name>.networkConfig.KeepConfiguration
instead. See systemd.network 5 for details.
The systemd-networkd
option systemd.network.networks._name_.dhcpConfig
has been renamed to systemd.network.networks.name.dhcpV4Config following upstream systemd’s documentation change. See systemd.network 5 for details.
In the picom
module, several options that accepted floating point numbers encoded as strings (for example services.picom.activeOpacity) have been changed to the (relatively) new native float
type. To migrate your configuration remove the quotes around the numbers.
When using buildBazelPackage
from Nixpkgs, flat
hash mode is now used for dependencies instead of recursive
. This is to better allow using hashed mirrors where needed. As a result, these hashes will have changed.
The syntax of the PostgreSQL configuration file is now checked at build time. If your configuration includes a file inaccessible inside the build sandbox, set services.postgresql.checkConfig
to false
.
The rkt module has been removed, it was archived by upstream.
The Bazaar VCS is unmaintained and, as consequence of the Python 2 EOL, the packages bazaar
and bazaarTools
were removed. Breezy, the backward compatible fork of Bazaar (see the announcement), was packaged as breezy
and can be used instead.
Regarding Nixpkgs, fetchbzr
, nix-prefetch-bzr
and Bazaar support in Hydra will continue to work through Breezy.
In addition to the hostname, the fully qualified domain name (FQDN), which consists of ${networking.hostName}
and ${networking.domain}
is now added to /etc/hosts
, to allow local FQDN resolution, as used by the hostname --fqdn
command and other applications that try to determine the FQDN. These new entries take precedence over entries from the DNS which could cause regressions in some very specific setups. Additionally the hostname is now resolved to 127.0.0.2
instead of 127.0.1.1
to be consistent with what nss-myhostname
(from systemd) returns. The old behaviour can e.g. be restored by using networking.hosts = lib.mkForce { "127.0.1.1" = [ config.networking.hostName ]; };
.
The hostname (networking.hostName
) must now be a valid DNS label (see RFC 1035, RFC 1123) and as such must not contain the domain part. This means that the hostname must start with a letter or digit, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. The maximum length is 63 characters. Additionally it is recommended to only use lower-case characters. If (e.g. for legacy reasons) a FQDN is required as the Linux kernel network node hostname (uname --nodename
) the option boot.kernel.sysctl."kernel.hostname"
can be used as a workaround (but be aware of the 64 character limit).
The GRUB specific option boot.loader.grub.extraInitrd
has been replaced with the generic option boot.initrd.secrets
. This option creates a secondary initrd from the specified files, rather than using a manually created initrd file. Due to an existing bug with boot.loader.grub.extraInitrd
, it is not possible to directly boot an older generation that used that option. It is still possible to rollback to that generation if the required initrd file has not been deleted.
The DNSChain package and NixOS module have been removed from Nixpkgs as the software is unmaintained and can’t be built. For more information see issue #89205.
In the resilio
module, services.resilio.httpListenAddr has been changed to listen to [::1]
instead of 0.0.0.0
.
sslh
has been updated to version 1.21
. The ssl
probe must be renamed to tls
in services.sslh.appendConfig.
Users of OpenAFS 1.6 must upgrade their services to OpenAFS 1.8! In this release, the OpenAFS package version 1.6.24 is marked broken but can be used during transition to OpenAFS 1.8.x. Use the options services.openafsClient.packages.module
, services.openafsClient.packages.programs
and services.openafsServer.package
to select a different OpenAFS package. OpenAFS 1.6 will be removed in the next release. The package openafs
and the service options will then silently point to the OpenAFS 1.8 release.
See also the OpenAFS Administrator Guide for instructions. Beware of the following when updating servers:
The storage format of the server key has changed and the key must be converted before running the new release.
When updating multiple database servers, turn off the database servers from the highest IP down to the lowest with resting periods in between. Start up in reverse order. Do not concurrently run database servers working with different OpenAFS releases!
Update servers first, then clients.
Radicale’s default package has changed from 2.x to 3.x. An upgrade checklist can be found here. You can use the newer version in the NixOS service by setting the package
to radicale3
, which is done automatically if stateVersion
is 20.09 or higher.
udpt
experienced a complete rewrite from C++ to rust. The configuration format changed from ini to toml. The new configuration documentation can be found at the official website and example configuration is packaged in ${udpt}/share/udpt/udpt.toml
.
We now have a unified services.xserver.displayManager.autoLogin option interface to be used for every display-manager in NixOS.
The bitcoind
module has changed to multi-instance, using submodules. Therefore, it is now mandatory to name each instance. To use this new multi-instance config with an existing bitcoind data directory and user, you have to adjust the original config, e.g.:
{
services.bitcoind = {
enable = true;
extraConfig = "...";
# ...
};
}
To something similar:
{
services.bitcoind.mainnet = {
enable = true;
dataDir = "/var/lib/bitcoind";
user = "bitcoin";
extraConfig = "...";
# ...
};
}
The key settings are:
dataDir
- to continue using the same data directory.
user
- to continue using the same user so that bitcoind maintains access to its files.
Graylog introduced a change in the LDAP server certificate validation behaviour for version 3.3.3 which might break existing setups. When updating Graylog from a version before 3.3.3 make sure to check the Graylog release info for information on how to avoid the issue.
The dokuwiki
module has changed to multi-instance, using submodules. Therefore, it is now mandatory to name each instance. Moreover, forcing SSL by default has been dropped, so nginx.forceSSL
and nginx.enableACME
are no longer set to true
. To continue using your service with the original SSL settings, you have to adjust the original config, e.g.:
{
services.dokuwiki = {
enable = true;
# ...
};
}
To something similar:
{
services.dokuwiki."mywiki" = {
enable = true;
nginx = {
forceSSL = true;
enableACME = true;
};
# ...
};
}
The base package has also been upgraded to the 2020-07-29 “Hogfather” release. Plugins might be incompatible or require upgrading.
The services.postgresql.dataDir option is now set to "/var/lib/postgresql/${cfg.package.psqlSchema}"
regardless of your system.stateVersion. Users with an existing postgresql install that have a system.stateVersion of 17.03
or below should double check what the value of their services.postgresql.dataDir option is (/var/db/postgresql
) and then explicitly set this value to maintain compatibility:
{
services.postgresql.dataDir = "/var/db/postgresql";
}
The postgresql module now expects there to be a database super user account called postgres
regardless of your system.stateVersion. Users with an existing postgresql install that have a system.stateVersion of 17.03
or below should run the following SQL statements as a database super admin user before upgrading:
CREATE ROLE postgres LOGIN SUPERUSER;
The USBGuard module now removes options and instead hardcodes values for IPCAccessControlFiles
, ruleFiles
, and auditFilePath
. Audit logs can be found in the journal.
The NixOS module system now evaluates option definitions more strictly, allowing it to detect a larger set of problems. As a result, what previously evaluated may not do so anymore. See the PR that changed this for more info.
For NixOS configuration options, the type loaOf
, after its initial deprecation in release 20.03, has been removed. In NixOS and Nixpkgs options using this type have been converted to attrsOf
. For more information on this change have look at these links: issue #1800, PR #63103.
config.systemd.services.${name}.path
now returns a list of paths instead of a colon-separated string.
Caddy module now uses Caddy v2 by default. Caddy v1 can still be used by setting services.caddy.package to pkgs.caddy1
.
New option services.caddy.adapter has been added.
The jellyfin module will use and stay on the Jellyfin version 10.5.5
if stateVersion
is lower than 20.09
. This is because significant changes were made to the database schema, and it is highly recommended to backup your instance before upgrading. After making your backup, you can upgrade to the latest version either by setting your stateVersion
to 20.09
or higher, or set the services.jellyfin.package
to pkgs.jellyfin
. If you do not wish to upgrade Jellyfin, but want to change your stateVersion
, you can set the value of services.jellyfin.package
to pkgs.jellyfin_10_5
.
The security.rngd
service is now disabled by default. This choice was made because there’s krngd in the linux kernel space making it (for most usecases) functionally redundant.
The hardware.nvidia.optimus_prime.enable
service has been renamed to hardware.nvidia.prime.sync.enable
and has many new enhancements. Related nvidia prime settings may have also changed.
The package nextcloud17 has been removed and nextcloud18 was marked as insecure since both of them will will be EOL (end of life) within the lifetime of 20.09.
It’s necessary to upgrade to nextcloud19:
From nextcloud17, you have to upgrade to nextcloud18 first as Nextcloud doesn’t allow going multiple major revisions forward in a single upgrade. This is possible by setting services.nextcloud.package to nextcloud18.
From nextcloud18, it’s possible to directly upgrade to nextcloud19 by setting services.nextcloud.package to nextcloud19.
The GNOME desktop manager no longer default installs gnome3.epiphany. It was chosen to do this as it has a usability breaking issue (see issue #98819) that makes it unsuitable to be a default app.
Issue #98819 is now fixed and gnome3.epiphany is once again installed by default.
If you want to manage the configuration of wpa_supplicant outside of NixOS you must ensure that none of networking.wireless.networks, networking.wireless.extraConfig or networking.wireless.userControlled.enable is being used or true
. Using any of those options will cause wpa_supplicant to be started with a NixOS generated configuration file instead of your own.
SD images are now compressed by default using zstd
. The compression for ISO images has also been changed to zstd
, but ISO images are still not compressed by default.
services.journald.rateLimitBurst
was updated from 1000
to 10000
to follow the new upstream systemd default.
The notmuch package moves its emacs-related binaries and emacs lisp files to a separate output. They’re not part of the default out
output anymore - if you relied on the notmuch-emacs-mua
binary or the emacs lisp files, access them via the notmuch.emacs
output.
Device tree overlay support was improved in #79370 and now uses hardware.deviceTree.kernelPackage instead of hardware.deviceTree.base
. hardware.deviceTree.overlays configuration was extended to support .dts
files with symbols. Device trees can now be filtered by setting hardware.deviceTree.filter option.
The default output of buildGoPackage
is now $out
instead of $bin
.
buildGoModule
doCheck
now defaults to true
.
Packages built using buildRustPackage
now use release
mode for the checkPhase
by default.
Please note that Rust packages utilizing a custom build/install procedure (e.g. by using a Makefile
) or test suites that rely on the structure of the target/
directory may break due to those assumptions. For further information, please read the Rust section in the Nixpkgs manual.
The cc- and binutils-wrapper’s “infix salt” and _BUILD_
and _TARGET_
user infixes have been replaced with with a “suffix salt” and suffixes and _FOR_BUILD
and _FOR_TARGET
. This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier.
Additional Git documentation (HTML and text files) is now available via the git-doc
package.
Default algorithm for ZRAM swap was changed to zstd
.
The installer now enables sshd by default. This improves installation on headless machines especially ARM single-board-computer. To login through ssh, either a password or an ssh key must be set for the root user or the nixos user.
The scripted networking system now uses .link
files in /etc/systemd/network
to configure mac address and link MTU, instead of the sometimes buggy network-link-*
units, which have been removed. Bringing the interface up has been moved to the beginning of the network-addresses-*
unit. Note this doesn’t require systemd-networkd
- it’s udev that parses .link
files. Extra care needs to be taken in the presence of legacy udev rules to rename interfaces, as MAC Address and MTU defined in these options can only match on the original link name. In such cases, you most likely want to create a 10-*.link
file through systemd.network.links and set both name and MAC Address / MTU there.
Grafana received a major update to version 7.x. A plugin is now needed for image rendering support, and plugins must now be signed by default. More information can be found in the Grafana documentation.
The hardware.u2f
module, which was installing udev rules was removed, as udev gained native support to handle FIDO security tokens.
The services.transmission
module was enhanced with the new options: services.transmission.credentialsFile, services.transmission.openFirewall, and services.transmission.performanceNetParameters.
transmission-daemon
is now started with additional systemd sandbox/hardening options for better security. Please report any use case where this is not working well. In particular, the RootDirectory
option newly set forbids uploading or downloading a torrent outside of the default directory configured at settings.download-dir. If you really need Transmission to access other directories, you must include those directories into the BindPaths
of the service:
{
systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ];
}
Also, connection to the RPC (Remote Procedure Call) of transmission-daemon
is now only available on the local network interface by default. Use:
{
services.transmission.settings.rpc-bind-address = "0.0.0.0";
}
to get the previous behavior of listening on all network interfaces.
With this release systemd-networkd
(when enabled through networking.useNetworkd) has it’s netlink socket created through a systemd.socket
unit. This gives us control over socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) devices the default buffer size (currently 128MB) is not enough.
On a machine with >100 virtual interfaces (e.g., wireguard tunnels, VLANs, …), that all have to be brought up during system startup, the receive buffer size will spike for a brief period. Eventually some of the message will be dropped since there is not enough (permitted) buffer space available.
By having systemd-networkd
start with a netlink socket created by systemd
we can configure the ReceiveBufferSize=
parameter in the socket options (i.e. systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize
) without recompiling systemd-networkd
.
Since the actual memory requirements depend on hardware, timing, exact configurations etc. it isn’t currently possible to infer a good default from within the NixOS module system. Administrators are advised to monitor the logs of systemd-networkd
for rtnl: kernel receive buffer overrun
spam and increase the memory limit as they see fit.
Note: Increasing the ReceiveBufferSize=
doesn’t allocate any memory. It just increases the upper bound on the kernel side. The memory allocation depends on the amount of messages that are queued on the kernel side of the netlink socket.
Specifying mailboxes in the dovecot2 module as a list is deprecated and will break eval in 21.05. Instead, an attribute-set should be specified where the name
should be the key of the attribute.
This means that a configuration like this
{
services.dovecot2.mailboxes = [
{ name = "Junk";
auto = "create";
}
];
}
should now look like this:
{
services.dovecot2.mailboxes = {
Junk.auto = "create";
};
}
netbeans was upgraded to 12.0 and now defaults to OpenJDK 11. This might cause problems if your projects depend on packages that were removed in Java 11.
nextcloud has been updated to v19.
If you have an existing installation, please make sure that you’re on nextcloud18 before upgrading to nextcloud19 since Nextcloud doesn’t support upgrades across multiple major versions.
The nixos-run-vms
script now deletes the previous run machines states on test startup. You can use the --keep-vm-state
flag to match the previous behaviour and keep the same VM state between different test runs.
The nix.buildMachines option is now type-checked. There are no functional changes, however this may require updating some configurations to use correct types for all attributes.
The fontconfig
module stopped generating config and cache files for fontconfig 2.10.x, the /etc/fonts/fonts.conf
now belongs to the latest fontconfig, just like on other Linux distributions, and we will no longer be versioning the config directories.
Fontconfig 2.10.x was removed from Nixpkgs since it hasn’t been used in any Nixpkgs package for years now.
Nginx module nginxModules.fastcgi-cache-purge
renamed to official name nginxModules.cache-purge
. Nginx module nginxModules.ngx_aws_auth
renamed to official name nginxModules.aws-auth
.
The option defaultPackages
was added. It installs the packages perl, rsync and strace for now. They were added unconditionally to systemPackages
before, but are not strictly necessary for a minimal NixOS install. You can set it to an empty list to have a more minimal system. Be aware that some functionality might still have an impure dependency on those packages, so things might break.
The undervolt
option no longer needs to apply its settings every 30s. If they still become undone, open an issue and restore the previous behaviour using undervolt.useTimer
.
Agda has been heavily reworked.
agda.mkDerivation
has been heavily changed and is now located at agdaPackages.mkDerivation.
New top-level packages agda and agda.withPackages
have been added, the second of which sets up agda with access to chosen libraries.
All agda libraries now live under agdaPackages
.
Many broken libraries have been removed.
See the new documentation for more information.
The deepin
package set has been removed from nixpkgs. It was a work in progress to package the Deepin Desktop Environment (DDE), including libraries, tools and applications, and it was still missing a service to launch the desktop environment. It has shown to no longer be a feasible goal due to reasons discussed in issue #94870. The package netease-cloud-music
has also been removed, as it depends on libraries from deepin.
The opendkim
module now uses systemd sandboxing features to limit the exposure of the system towards the opendkim service.
Kubernetes has been upgraded to 1.19.1, which also means that the golang version to build it has been bumped to 1.15. This may have consequences for your existing clusters and their certificates. Please consider the release notes for Kubernetes 1.19 carefully before upgrading.
For AMD GPUs, Vulkan can now be used by adding amdvlk
to hardware.opengl.extraPackages
.
Similarly, still for AMD GPUs, the ROCm OpenCL stack can now be used by adding rocm-opencl-icd
to hardware.opengl.extraPackages
.
I, Jonathan Ringer, would like to thank the following individuals for their work on nixpkgs. This release could not be done without the hard work of the NixOS community. There were 31282 contributions across 1313 contributors.
2288 Mario Rodas
1837 Frederik Rietdijk
946 Jörg Thalheim
925 Maximilian Bosch
687 Jonathan Ringer
651 Jan Tojnar
622 Daniël de Kok
605 WORLDofPEACE
597 Florian Klink
528 José Romildo Malaquias
281 volth
101 Robert Scott
86 Tim Steinbach
76 WORLDofPEACE
49 Maximilian Bosch
42 Thomas Tuegel
37 Doron Behar
36 Vladimír Čunát
27 Jonathan Ringer
27 Maciej Krüger
I, Jonathan Ringer, would also like to personally thank @WORLDofPEACE for their help in mentoring me on the release process. Special thanks also goes to Thomas Tuegel for helping immensely with stabilizing Qt, KDE, and Plasma5; I would also like to thank Robert Scott for his numerous fixes and pull request reviews.
In addition to numerous new and upgraded packages, this release has the following highlights:
Support is planned until the end of October 2020, handing over to 20.09.
Core version changes:
gcc: 8.3.0 -> 9.2.0
glibc: 2.27 -> 2.30
linux: 4.19 -> 5.4
mesa: 19.1.5 -> 19.3.3
openssl: 1.0.2u -> 1.1.1d
Desktop version changes:
plasma5: 5.16.5 -> 5.17.5
kdeApplications: 19.08.2 -> 19.12.3
gnome3: 3.32 -> 3.34
pantheon: 5.0 -> 5.1.3
Linux kernel is updated to branch 5.4 by default (from 4.19).
Grub is updated to 2.04, adding support for booting from F2FS filesystems and Btrfs volumes using zstd compression. Note that some users have been unable to boot after upgrading to 2.04 - for more information, please see this discussion.
Postgresql for NixOS service now defaults to v11.
The graphical installer image starts the graphical session automatically. Before you’d be greeted by a tty and asked to enter systemctl start display-manager
. It is now possible to disable the display-manager from running by selecting the Disable display-manager
quirk in the boot menu.
GNOME 3 has been upgraded to 3.34. Please take a look at their Release Notes for details.
If you enable the Pantheon Desktop Manager via services.xserver.desktopManager.pantheon.enable, we now default to also use Pantheon’s newly designed greeter . Contrary to NixOS’s usual update policy, Pantheon will receive updates during the cycle of NixOS 20.03 when backwards compatible.
By default zfs pools will now be trimmed on a weekly basis. Trimming is only done on supported devices (i.e. NVME or SSDs) and should improve throughput and lifetime of these devices. It is controlled by the services.zfs.trim.enable
varname. The zfs scrub service (services.zfs.autoScrub.enable
) and the zfs autosnapshot service (services.zfs.autoSnapshot.enable
) are now only enabled if zfs is set in config.boot.initrd.supportedFilesystems
or config.boot.supportedFilesystems
. These lists will automatically contain zfs as soon as any zfs mountpoint is configured in fileSystems
.
nixos-option
has been rewritten in C++, speeding it up, improving correctness, and adding a -r
option which prints all options and their values recursively.
services.xserver.desktopManager.default
and services.xserver.windowManager.default
options were replaced by a single services.xserver.displayManager.defaultSession option to improve support for upstream session files. If you used something like:
{
services.xserver.desktopManager.default = "xfce";
services.xserver.windowManager.default = "icewm";
}
you should change it to:
{
services.xserver.displayManager.defaultSession = "xfce+icewm";
}
The testing driver implementation in NixOS is now in Python make-test-python.nix
. This was done by Jacek Galowicz (@tfc), and with the collaboration of Julian Stecklina (@blitz) and Jana Traue (@jtraue). All documentation has been updated to use this testing driver, and a vast majority of the 286 tests in NixOS were ported to python driver. In 20.09 the Perl driver implementation, make-test.nix
, is slated for removal. This should give users of the NixOS integration framework a transitory period to rewrite their tests to use the Python implementation. Users of the Perl driver will see this warning everytime they use it:
$ warning: Perl VM tests are deprecated and will be removed for 20.09.
Please update your tests to use the python test driver.
See https://github.com/NixOS/nixpkgs/pull/71684 for details.
API compatibility is planned to be kept for at least the next release with the perl driver.
The following new services were added since the last release:
The kubernetes kube-proxy now supports a new hostname configuration services.kubernetes.proxy.hostname
which has to be set if the hostname of the node should be non default.
UPower’s configuration is now managed by NixOS and can be customized via services.upower
.
To use Geary you should enable programs.geary.enable instead of just adding it to environment.systemPackages. It was created so Geary could function properly outside of GNOME.
./config/console.nix
./hardware/brillo.nix
./hardware/tuxedo-keyboard.nix
./programs/bandwhich.nix
./programs/bash-my-aws.nix
./programs/liboping.nix
./programs/traceroute.nix
./services/backup/sanoid.nix
./services/backup/syncoid.nix
./services/backup/zfs-replication.nix
./services/continuous-integration/buildkite-agents.nix
./services/databases/victoriametrics.nix
./services/desktops/gnome3/gnome-initial-setup.nix
./services/desktops/neard.nix
./services/games/openarena.nix
./services/hardware/fancontrol.nix
./services/mail/sympa.nix
./services/misc/freeswitch.nix
./services/misc/mame.nix
./services/monitoring/do-agent.nix
./services/monitoring/prometheus/xmpp-alerts.nix
./services/network-filesystems/orangefs/server.nix
./services/network-filesystems/orangefs/client.nix
./services/networking/3proxy.nix
./services/networking/corerad.nix
./services/networking/go-shadowsocks2.nix
./services/networking/ntp/openntpd.nix
./services/networking/shorewall.nix
./services/networking/shorewall6.nix
./services/networking/spacecookie.nix
./services/networking/trickster.nix
./services/networking/v2ray.nix
./services/networking/xandikos.nix
./services/networking/yggdrasil.nix
./services/web-apps/dokuwiki.nix
./services/web-apps/gotify-server.nix
./services/web-apps/grocy.nix
./services/web-apps/ihatemoney
./services/web-apps/moinmoin.nix
./services/web-apps/trac.nix
./services/web-apps/trilium.nix
./services/web-apps/shiori.nix
./services/web-servers/ttyd.nix
./services/x11/picom.nix
./services/x11/hardware/digimend.nix
./services/x11/imwheel.nix
./virtualisation/cri-o.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
The dhcpcd package does not request IPv4 addresses for tap and bridge interfaces anymore by default. In order to still get an address on a bridge interface, one has to disable networking.useDHCP
and explicitly enable networking.interfaces.<name>.useDHCP
on every interface, that should get an address via DHCP. This way, dhcpcd is configured in an explicit way about which interface to run on.
GnuPG is now built without support for a graphical passphrase entry by default. Please enable the gpg-agent
user service via the NixOS option programs.gnupg.agent.enable
. Note that upstream recommends using gpg-agent
and will spawn a gpg-agent
on the first invocation of GnuPG anyway.
The dynamicHosts
option has been removed from the NetworkManager module. Allowing (multiple) regular users to override host entries affecting the whole system opens up a huge attack vector. There seem to be very rare cases where this might be useful. Consider setting system-wide host entries using networking.hosts, provide them via the DNS server in your network, or use environment.etc to add a file into /etc/NetworkManager/dnsmasq.d
reconfiguring hostsdir
.
The 99-main.network
file was removed. Matching all network interfaces caused many breakages, see #18962 and #71106.
We already don’t support the global networking.useDHCP, networking.defaultGateway and networking.defaultGateway6 options if networking.useNetworkd is enabled, but direct users to configure the per-device networking.interfaces.<name>… options.
The stdenv now runs all bash with set -u
, to catch the use of undefined variables. Before, it itself used set -u
but was careful to unset it so other packages’ code ran as before. Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded.
The SLIM Display Manager has been removed, as it has been unmaintained since 2013. Consider migrating to a different display manager such as LightDM (current default in NixOS), SDDM, GDM, or using the startx module which uses Xinitrc.
The Way Cooler wayland compositor has been removed, as the project has been officially canceled. There are no more way-cooler
attribute and programs.way-cooler
options.
The BEAM package set has been deleted. You will only find there the different interpreters. You should now use the different build tools coming with the languages with sandbox mode disabled.
There is now only one Xfce package-set and module. This means that attributes xfce4-14
and xfceUnstable
all now point to the latest Xfce 4.14 packages. And in the future NixOS releases will be the latest released version of Xfce available at the time of the release’s development (if viable).
The phpfpm module now sets PrivateTmp=true
in its systemd units for better process isolation. If you rely on /tmp
being shared with other services, explicitly override this by setting serviceConfig.PrivateTmp
to false
for each phpfpm unit.
KDE’s old multimedia framework Phonon no longer supports Qt 4. For that reason, Plasma desktop also does not have enableQt4Support
option any more.
The BeeGFS module has been removed.
The osquery module has been removed.
Going forward, ~/bin
in the users home directory will no longer be in PATH
by default. If you depend on this you should set the option environment.homeBinInPath
to true
. The aforementioned option was added this release.
The buildRustCrate
infrastructure now produces lib
outputs in addition to the out
output. This has led to drastically reduced closure sizes for some rust crates since development dependencies are now in the lib
output.
Pango was upgraded to 1.44, which no longer uses freetype for font loading. This means that type1 and bitmap fonts are no longer supported in applications relying on Pango for font rendering (notably, GTK application). See upstream issue for more information.
The roundcube
module has been hardened.
The password of the database is not written world readable in the store any more. If database.host
is set to localhost
, then a unix user of the same name as the database will be created and PostreSQL peer authentication will be used, removing the need for a password. Otherwise, a password is still needed and can be provided with the new option database.passwordFile
, which should be set to the path of a file containing the password and readable by the user nginx
only. The database.password
option is insecure and deprecated. Usage of this option will print a warning.
A random des_key
is set by default in the configuration of roundcube, instead of using the hardcoded and insecure default. To ensure a clean migration, all users will be logged out when you upgrade to this release.
The packages openobex
and obexftp
are no longer installed when enabling Bluetooth via hardware.bluetooth.enable
.
The dump1090
derivation has been changed to use FlightAware’s dump1090 as its upstream. However, this version does not have an internal webserver anymore. The assets in the share/dump1090
directory of the derivation can be used in conjunction with an external webserver to replace this functionality.
The fourStore and fourStoreEndpoint modules have been removed.
Polkit no longer has the user of uid 0 (root) as an admin identity. We now follow the upstream default of only having every member of the wheel group admin privileged. Before it was root and members of wheel. The positive outcome of this is pkexec GUI popups or terminal prompts will no longer require the user to choose between two essentially equivalent choices (whether to perform the action as themselves with wheel permissions, or as the root user).
NixOS containers no longer build NixOS manual by default. This saves evaluation time, especially if there are many declarative containers defined. Note that this is already done when <nixos/modules/profiles/minimal.nix>
module is included in container config.
The kresd
services deprecates the interfaces
option in favor of the listenPlain
option which requires full systemd.socket compatible declaration which always include a port.
Virtual console options have been reorganized and can be found under a single top-level attribute: console
. The full set of changes is as follows:
i18n.consoleFont
renamed to console.font
i18n.consoleKeyMap
renamed to console.keyMap
i18n.consoleColors
renamed to console.colors
i18n.consolePackages
renamed to console.packages
i18n.consoleUseXkbConfig
renamed to console.useXkbConfig
boot.earlyVconsoleSetup
renamed to console.earlySetup
boot.extraTTYs
renamed to console.extraTTYs
.
The awstats module has been rewritten to serve stats via static html pages, updated on a timer, over nginx, instead of dynamic cgi pages over apache.
Minor changes will be required to migrate existing configurations. Details of the required changes can seen by looking through the awstats module.
The httpd module no longer provides options to support serving web content without defining a virtual host. As a result of this the services.httpd.logPerVirtualHost option now defaults to true
instead of false
. Please update your configuration to make use of services.httpd.virtualHosts.
The services.httpd.virtualHosts.<name> option has changed type from a list of submodules to an attribute set of submodules, better matching services.nginx.virtualHosts.<name>.
This change comes with the addition of the following options which mimic the functionality of their nginx
counterparts: services.httpd.virtualHosts.<name>.addSSL, services.httpd.virtualHosts.<name>.forceSSL, services.httpd.virtualHosts.<name>.onlySSL, services.httpd.virtualHosts.<name>.enableACME, services.httpd.virtualHosts.<name>.acmeRoot, and services.httpd.virtualHosts.<name>.useACMEHost.
For NixOS configuration options, the loaOf
type has been deprecated and will be removed in a future release. In nixpkgs, options of this type will be changed to attrsOf
instead. If you were using one of these in your configuration, you will see a warning suggesting what changes will be required.
For example, users.users is a loaOf
option that is commonly used as follows:
{
users.users =
[ { name = "me";
description = "My personal user.";
isNormalUser = true;
}
];
}
This should be rewritten by removing the list and using the value of name
as the name of the attribute set:
{
users.users.me =
{ description = "My personal user.";
isNormalUser = true;
};
}
For more information on this change have look at these links: issue #1800, PR #63103.
For NixOS modules, the types types.submodule
and types.submoduleWith
now support paths as allowed values, similar to how imports
supports paths. Because of this, if you have a module that defines an option of type either (submodule ...) path
, it will break since a path is now treated as the first type instead of the second. To fix this, change the type to either path (submodule ...)
.
The Buildkite Agent module and corresponding packages have been updated to 3.x, and to support multiple instances of the agent running at the same time. This means you will have to rename services.buildkite-agent
to services.buildkite-agents.<name>
. Furthermore, the following options have been changed:
services.buildkite-agent.meta-data
has been renamed to services.buildkite-agents.<name>.tags, to match upstreams naming for 3.x. Its type has also changed - it now accepts an attrset of strings.
Theservices.buildkite-agent.openssh.publicKeyPath
option has been removed, as it’s not necessary to deploy public keys to clone private repositories.
services.buildkite-agent.openssh.privateKeyPath
has been renamed to buildkite-agents.<name>.privateSshKeyPath, as the whole openssh
now only contained that single option.
services.buildkite-agents.<name>.shell has been introduced, allowing to specify a custom shell to be used.
The citrix_workspace_19_3_0
package has been removed as it will be EOLed within the lifespan of 20.03. For further information, please refer to the support and maintenance information from upstream.
The gcc5
and gfortran5
packages have been removed.
The services.xserver.displayManager.auto
module has been removed. It was only intended for use in internal NixOS tests, and gave the false impression of it being a special display manager when it’s actually LightDM. Please use the services.xserver.displayManager.lightdm.autoLogin
options instead, or any other display manager in NixOS as they all support auto-login. If you used this module specifically because it permitted root auto-login you can override the lightdm-autologin pam module like:
{
security.pam.services.lightdm-autologin.text = lib.mkForce ''
auth requisite pam_nologin.so
auth required pam_succeed_if.so quiet
auth required pam_permit.so
account include lightdm
password include lightdm
session include lightdm
'';
}
The difference is the:
auth required pam_succeed_if.so quiet
line, where default it’s:
auth required pam_succeed_if.so uid >= 1000 quiet
not permitting users with uid’s below 1000 (like root). All other display managers in NixOS are configured like this.
There have been lots of improvements to the Mailman module. As a result,
The services.mailman.hyperkittyBaseUrl
option has been renamed to services.mailman.hyperkitty.baseUrl.
The services.mailman.hyperkittyApiKey
option has been removed. This is because having an option for the Hyperkitty API key meant that the API key would be stored in the world-readable Nix store, which was a security vulnerability. A new Hyperkitty API key will be generated the first time the new Hyperkitty service is run, and it will then be persisted outside of the Nix store. To continue using Hyperkitty, you must set services.mailman.hyperkitty.enable to true
.
Additionally, some Postfix configuration must now be set manually instead of automatically by the Mailman module:
{
services.postfix.relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
services.postfix.config.transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
services.postfix.config.local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
}
This is because some users may want to include other values in these lists as well, and this was not possible if they were set automatically by the Mailman module. It would not have been possible to just concatenate values from multiple modules each setting the values they needed, because the order of elements in the list is significant.
The LLVM versions 3.5, 3.9 and 4 (including the corresponding CLang versions) have been dropped.
The networking.interfaces.*.preferTempAddress
option has been replaced by networking.interfaces.*.tempAddress
. The new option allows better control of the IPv6 temporary addresses, including completely disabling them for interfaces where they are not needed.
Rspamd was updated to version 2.2. Read the upstream migration notes carefully. Please be especially aware that some modules were removed and the default Bayes backend is now Redis.
The *psu
versions of oraclejdk8 have been removed as they aren’t provided by upstream anymore.
The services.dnscrypt-proxy
module has been removed as it used the deprecated version of dnscrypt-proxy. We’ve added services.dnscrypt-proxy2.enable to use the supported version. This module supports configuration via the Nix attribute set services.dnscrypt-proxy2.settings, or by passing a TOML configuration file via services.dnscrypt-proxy2.configFile.
{
# Example configuration:
services.dnscrypt-proxy2.enable = true;
services.dnscrypt-proxy2.settings = {
listen_addresses = [ "127.0.0.1:43" ];
sources.public-resolvers = {
urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ];
cache_file = "public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
refresh_delay = 72;
};
};
services.dnsmasq.enable = true;
services.dnsmasq.servers = [ "127.0.0.1#43" ];
}
qesteidutil
has been deprecated in favor of qdigidoc
.
sqldeveloper_18 has been removed as it’s not maintained anymore, sqldeveloper has been updated to version 19.4
. Please note that this means that this means that the oraclejdk is now required. For further information please read the release notes.
Haskell env
and shellFor
dev shell environments now organize dependencies the same way as regular builds. In particular, rather than receiving all the different lists of dependencies mashed together as one big list, and then partitioning into Haskell and non-Hakell dependencies, they work from the original many different dependency parameters and don’t need to algorithmically partition anything.
This means that if you incorrectly categorize a dependency, e.g. non-Haskell library dependency as a buildDepends
or run-time Haskell dependency as a setupDepends
, whereas things would have worked before they may not work now.
The gcc-snapshot-package has been removed. It’s marked as broken for >2 years and used to point to a fairly old snapshot from the gcc7-branch.
The nixos-build-vms8 -script now uses the python test-driver.
The riot-web package now accepts configuration overrides as an attribute set instead of a string. A formerly used JSON configuration can be converted to an attribute set with builtins.fromJSON
.
The new default configuration also disables automatic guest account registration and analytics to improve privacy. The previous behavior can be restored by setting config.riot-web.conf = { disable_guests = false; piwik = true; }
.
Stand-alone usage of Upower
now requires services.upower.enable
instead of just installing into environment.systemPackages.
nextcloud has been updated to v18.0.2
. This means that users from NixOS 19.09 can’t upgrade directly since you can only move one version forward and 19.09 uses v16.0.8
.
To provide a safe upgrade-path and to circumvent similar issues in the future, the following measures were taken:
The pkgs.nextcloud-attribute has been removed and replaced with versioned attributes (currently pkgs.nextcloud17 and pkgs.nextcloud18). With this change major-releases can be backported without breaking stuff and to make upgrade-paths easier.
Existing setups will be detected using system.stateVersion: by default, nextcloud17 will be used, but will raise a warning which notes that after that deploy it’s recommended to update to the latest stable version (nextcloud18) by declaring the newly introduced setting services.nextcloud.package.
Users with an overlay (e.g. to use nextcloud at version v18
on 19.09
) will get an evaluation error by default. This is done to ensure that our package-option doesn’t select an older version by accident. It’s recommended to use pkgs.nextcloud18 or to set package to pkgs.nextcloud explicitly.
Please note that if you’re coming from 19.03
or older, you have to manually upgrade to 19.09
first to upgrade your server to Nextcloud v16.
Hydra has gained a massive performance improvement due to some database schema changes by adding several IDs and better indexing. However, it’s necessary to upgrade Hydra in multiple steps:
At first, an older version of Hydra needs to be deployed which adds those (nullable) columns. When having set stateVersion to a value older than 20.03
, this package will be selected by default from the module when upgrading. Otherwise, the package can be deployed using the following config:
{ pkgs, ... }: {
services.hydra.package = pkgs.hydra-migration;
}
Automatically fill the newly added ID columns on the server by running the following command:
$ hydra-backfill-ids
Please note that this process can take a while depending on your database-size!
Deploy a newer version of Hydra to activate the DB optimizations. This can be done by using hydra-unstable. This package already includes flake-support and is therefore compiled against pkgs.nixFlakes.
If your stateVersion is set to 20.03
or greater, hydra-unstable will be used automatically! This will break your setup if you didn’t run the migration.
Please note that Hydra is currently not available with nixStable as this doesn’t compile anymore.
pkgs.hydra has been removed to ensure a graceful database-migration using the dedicated package-attributes. If you still have pkgs.hydra defined in e.g. an overlay, an assertion error will be thrown. To circumvent this, you need to set services.hydra.package to pkgs.hydra explicitly and make sure you know what you’re doing!
The TokuDB storage engine will be disabled in mariadb 10.5. It is recommended to switch to RocksDB. See also TokuDB.
SD images are now compressed by default using bzip2
.
The nginx web server previously started its master process as root privileged, then ran worker processes as a less privileged identity user (the nginx
user). This was changed to start all of nginx as a less privileged user (defined by services.nginx.user
and services.nginx.group
). As a consequence, all files that are needed for nginx to run (included configuration fragments, SSL certificates and keys, etc.) must now be readable by this less privileged user/group.
To continue to use the old approach, you can configure:
{
services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};'';
systemd.services.nginx.serviceConfig.User = lib.mkForce "root";
}
OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features but with potential incompatibilities. Consult the release announcement for more information.
PRETTY_NAME
in /etc/os-release
now uses the short rather than full version string.
The ACME module has switched from simp-le to lego which allows us to support DNS-01 challenges and wildcard certificates. The following options have been added: security.acme.acceptTerms, security.acme.certs.<name>.dnsProvider, security.acme.certs.<name>.credentialsFile, security.acme.certs.<name>.dnsPropagationCheck. As well as this, the options security.acme.acceptTerms
and either security.acme.email
or security.acme.certs.<name>.email
must be set in order to use the ACME module. Certificates will be regenerated on activation, no account or certificate will be migrated from simp-le. In particular private keys will not be preserved. However, the credentials for simp-le are preserved and thus it is possible to roll back to previous versions without breaking certificate generation. Note also that in contrary to simp-le a new private key is recreated at each renewal by default, which can have consequences if you embed your public key in apps.
It is now possible to unlock LUKS-Encrypted file systems using a FIDO2 token via boot.initrd.luks.fido2Support
.
Predictably named network interfaces get renamed in stage-1. This means that it is possible to use the proper interface name for e.g. Dropbear setups.
For further reference, please read #68953 or the corresponding discourse thread.
The matrix-synapse-package has been updated to v1.11.1. Due to stricter requirements for database configuration when using postgresql, the automated database setup of the module has been removed to avoid any further edge-cases.
matrix-synapse expects postgresql
-databases to have the options LC_COLLATE
and LC_CTYPE
set to 'C'
which basically instructs postgresql
to ignore any locale-based preferences.
Depending on your setup, you need to incorporate one of the following changes in your setup to upgrade to 20.03:
If you use sqlite3
you don’t need to do anything.
If you use postgresql
on a different server, you don’t need to change anything as well since this module was never designed to configure remote databases.
If you use postgresql
and configured your synapse initially on 19.09
or older, you need to enable postgresql-support explicitly:
{ ... }: {
services.matrix-synapse = {
enable = true;
/* and all the other config you've defined here */
};
services.postgresql.enable = true;
}
If you deploy a fresh matrix-synapse, you need to configure the database yourself (e.g. by using the services.postgresql.initialScript option). An example for this can be found in the documentation of the Matrix module.
If you initially deployed your matrix-synapse on nixos-unstable
after the 19.09
-release, your database is misconfigured due to a regression in NixOS. For now, matrix-synapse will startup with a warning, but it’s recommended to reconfigure the database to set the values LC_COLLATE
and LC_CTYPE
to 'C'
.
The systemd.network.links option is now respected even when systemd-networkd is disabled. This mirrors the behaviour of systemd - It’s udev that parses .link
files, not systemd-networkd
.
mongodb has been updated to version 3.4.24
.
Please note that mongodb has been relicensed under their own sspl
-license. Since it’s not entirely free and not OSI-approved, it’s listed as non-free. This means that Hydra doesn’t provide prebuilt mongodb-packages and needs to be built locally.
In addition to numerous new and upgraded packages, this release has the following highlights:
End of support is planned for end of April 2020, handing over to 20.03.
Nix has been updated to 2.3; see its release notes.
Core version changes:
systemd: 239 -> 243
gcc: 7 -> 8
glibc: 2.27 (unchanged)
linux: 4.19 LTS (unchanged)
openssl: 1.0 -> 1.1
Desktop version changes:
plasma5: 5.14 -> 5.16
gnome3: 3.30 -> 3.32
PHP now defaults to PHP 7.3, updated from 7.2.
PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release.
The binfmt module is now easier to use. Additional systems can be added through boot.binfmt.emulatedSystems
. For instance, boot.binfmt.emulatedSystems = [ "wasm32-wasi" "x86_64-windows" "aarch64-linux" ];
will set up binfmt interpreters for each of those listed systems.
The installer now uses a less privileged nixos
user whereas before we logged in as root. To gain root privileges use sudo -i
without a password.
We’ve updated to Xfce 4.14, which brings a new module services.xserver.desktopManager.xfce4-14
. If you’d like to upgrade, please switch from the services.xserver.desktopManager.xfce
module as it will be deprecated in a future release. They’re incompatibilities with the current Xfce module; it doesn’t support thunarPlugins
and it isn’t recommended to use services.xserver.desktopManager.xfce
and services.xserver.desktopManager.xfce4-14
simultaneously or to downgrade from Xfce 4.14 after upgrading.
The GNOME 3 desktop manager module sports an interface to enable/disable core services, applications, and optional GNOME packages like games.
services.gnome3.core-os-services.enable
services.gnome3.core-shell.enable
services.gnome3.core-utilities.enable
services.gnome3.games.enable
With these options we hope to give users finer grained control over their systems. Prior to this change you’d either have to manually disable options or use environment.gnome3.excludePackages
which only excluded the optional applications. environment.gnome3.excludePackages
is now unguarded, it can exclude any package installed with environment.systemPackages
in the GNOME 3 module.
Orthogonal to the previous changes to the GNOME 3 desktop manager module, we’ve updated all default services and applications to match as close as possible to a default reference GNOME 3 experience.
The following changes were enacted in services.gnome3.core-utilities.enable
accerciser
dconf-editor
evolution
gnome-documents
gnome-nettool
gnome-power-manager
gnome-todo
gnome-tweaks
gnome-usage
gucharmap
nautilus-sendto
vinagre
cheese
geary
The following changes were enacted in services.gnome3.core-shell.enable
gnome-color-manager
orca
services.avahi.enable
The following new services were added since the last release:
./programs/dwm-status.nix
The new hardware.printers
module allows to declaratively configure CUPS printers via the ensurePrinters
and ensureDefaultPrinter
options. ensurePrinters
will never delete existing printers, but will make sure that the given printers are configured as declared.
There is a new services.system-config-printer.enable and programs.system-config-printer.enable module for the program of the same name. If you previously had system-config-printer
enabled through some other means you should migrate to using one of these modules.
services.xserver.desktopManager.plasma5
services.xserver.desktopManager.gnome3
services.xserver.desktopManager.pantheon
services.xserver.desktopManager.mate
Note Mate uses programs.system-config-printer
as it doesn’t use it as a service, but its graphical interface directly.
services.blueman.enable has been added. If you previously had blueman installed via environment.systemPackages
please migrate to using the NixOS module, as this would result in an insufficiently configured blueman.
When upgrading from a previous release, please be aware of the following incompatible changes:
Buildbot no longer supports Python 2, as support was dropped upstream in version 2.0.0. Configurations may need to be modified to make them compatible with Python 3.
PostgreSQL now uses /run/postgresql
as its socket directory instead of /tmp
. So if you run an application like eg. Nextcloud, where you need to use the Unix socket path as the database host name, you need to change it accordingly.
PostgreSQL 9.4 is scheduled EOL during the 19.09 life cycle and has been removed.
The options services.prometheus.alertmanager.user
and services.prometheus.alertmanager.group
have been removed because the alertmanager service is now using systemd’s DynamicUser mechanism which obviates these options.
The NetworkManager systemd unit was renamed back from network-manager.service to NetworkManager.service for better compatibility with other applications expecting this name. The same applies to ModemManager where modem-manager.service is now called ModemManager.service again.
The services.nzbget.configFile
and services.nzbget.openFirewall
options were removed as they are managed internally by the nzbget. The services.nzbget.dataDir
option hadn’t actually been used by the module for some time and so was removed as cleanup.
The services.mysql.pidDir
option was removed, as it was only used by the wordpress apache-httpd service to wait for mysql to have started up. This can be accomplished by either describing a dependency on mysql.service (preferred) or waiting for the (hardcoded) /run/mysqld/mysql.sock
file to appear.
The services.emby.enable
module has been removed, see services.jellyfin.enable
instead for a free software fork of Emby. See the Jellyfin documentation: Migrating from Emby to Jellyfin
IPv6 Privacy Extensions are now enabled by default for undeclared interfaces. The previous behaviour was quite misleading — even though the default value for networking.interfaces.*.preferTempAddress
was true
, undeclared interfaces would not prefer temporary addresses. Now, interfaces not mentioned in the config will prefer temporary addresses. EUI64 addresses can still be set as preferred by explicitly setting the option to false
for the interface in question.
Since Bittorrent Sync was superseded by Resilio Sync in 2016, the bittorrentSync
, bittorrentSync14
, and bittorrentSync16
packages have been removed in favor of resilio-sync
.
The corresponding module, services.btsync
has been replaced by the services.resilio
module.
The httpd service no longer attempts to start the postgresql service. If you have come to depend on this behaviour then you can preserve the behavior with the following configuration: systemd.services.httpd.after = [ "postgresql.service" ];
The option services.httpd.extraSubservices
has been marked as deprecated. You may still use this feature, but it will be removed in a future release of NixOS. You are encouraged to convert any httpd subservices you may have written to a full NixOS module.
Most of the httpd subservices packaged with NixOS have been replaced with full NixOS modules including LimeSurvey, WordPress, and Zabbix. These modules can be enabled using the services.limesurvey.enable
, services.mediawiki.enable
, services.wordpress.enable
, and services.zabbixWeb.enable
options.
The option systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnlink
was renamed to systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnLink
(capital L
). This follows upstreams renaming of the setting.
As of this release the NixOps feature autoLuks
is deprecated. It no longer works with our systemd version without manual intervention.
Whenever the usage of the module is detected the evaluation will fail with a message explaining why and how to deal with the situation.
A new knob named nixops.enableDeprecatedAutoLuks
has been introduced to disable the eval failure and to acknowledge the notice was received and read. If you plan on using the feature please note that it might break with subsequent updates.
Make sure you set the _netdev
option for each of the file systems referring to block devices provided by the autoLuks module. Not doing this might render the system in a state where it doesn’t boot anymore.
If you are actively using the autoLuks
module please let us know in issue #62211.
The setopt declarations will be evaluated at the end of /etc/zshrc
, so any code in programs.zsh.interactiveShellInit, programs.zsh.loginShellInit and programs.zsh.promptInit may break if it relies on those options being set.
The prometheus-nginx-exporter
package now uses the official exporter provided by NGINX Inc. Its metrics are differently structured and are incompatible to the old ones. For information about the metrics, have a look at the official repo.
The shibboleth-sp
package has been updated to version 3. It is largely backward compatible, for further information refer to the release notes and upgrade guide.
Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.
By default, prometheus exporters are now run with DynamicUser
enabled. Exporters that need a real user, now run under a separate user and group which follow the pattern <exporter-name>-exporter
, instead of the previous default nobody
and nogroup
. Only some exporters are affected by the latter, namely the exporters dovecot
, node
, postfix
and varnish
.
The ibus-qt
package is not installed by default anymore when i18n.inputMethod.enabled is set to ibus
. If IBus support in Qt 4.x applications is required, add the ibus-qt
package to your environment.systemPackages manually.
The CUPS Printing service now uses socket-based activation by default, only starting when needed. The previous behavior can be restored by setting services.cups.startWhenNeeded
to false
.
The services.systemhealth
module has been removed from nixpkgs due to lack of maintainer.
The services.mantisbt
module has been removed from nixpkgs due to lack of maintainer.
Squid 3 has been removed and the squid
derivation now refers to Squid 4.
The services.pdns-recursor.extraConfig
option has been replaced by services.pdns-recursor.settings
. The new option allows setting extra configuration while being better type-checked and mergeable.
No service depends on keys.target
anymore which is a systemd target that indicates if all NixOps keys were successfully uploaded. Instead, <key-name>-key.service
should be used to define a dependency of a key in a service. The full issue behind the keys.target
dependency is described at NixOS/nixpkgs#67265.
The following services are affected by this:
The security.acme.directory
option has been replaced by a read-only security.acme.certs.<cert>.directory
option for each certificate you define. This will be a subdirectory of /var/lib/acme
. You can use this read-only option to figure out where the certificates are stored for a specific certificate. For example, the services.nginx.virtualhosts.<name>.enableACME
option will use this directory option to find the certs for the virtual host.
security.acme.preDelay
and security.acme.activationDelay
options have been removed. To execute a service before certificates are provisioned or renewed add a RequiredBy=acme-${cert}.service
to any service.
Furthermore, the acme module will not automatically add a dependency on lighttpd.service
anymore. If you are using certificates provided by letsencrypt for lighttpd, then you should depend on the certificate service acme-${cert}.service>
manually.
For nginx, the dependencies are still automatically managed when services.nginx.virtualhosts.<name>.enableACME
is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs, instead of depending on the catch-all acme-certificates.target
. This target unit was also removed from the codebase. This will mean nginx will no longer depend on certificates it isn’t explicitly managing and fixes a bug with certificate renewal ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at NixOS/nixpkgs#60180.
The old deprecated emacs
package sets have been dropped. What used to be called emacsPackagesNg
is now called emacsPackages
.
services.xserver.desktopManager.xterm
is now disabled by default if stateVersion
is 19.09 or higher. Previously the xterm desktopManager was enabled when xserver was enabled, but it isn’t useful for all people so it didn’t make sense to have any desktopManager enabled default.
The WeeChat plugin pkgs.weechatScripts.weechat-xmpp
has been removed as it doesn’t receive any updates from upstream and depends on outdated Python2-based modules.
Old unsupported versions (logstash5
, kibana5
, filebeat5
, heartbeat5
, metricbeat5
, packetbeat5
) of the ELK-stack and Elastic beats have been removed.
For NixOS 19.03, both Prometheus 1 and 2 were available to allow for a seamless transition from version 1 to 2 with existing setups. Because Prometheus 1 is no longer developed, it was removed. Prometheus 2 is now configured with services.prometheus
.
Citrix Receiver (citrix_receiver
) has been dropped in favor of Citrix Workspace (citrix_workspace
).
The services.gitlab
module has had its literal secret options (services.gitlab.smtp.password
, services.gitlab.databasePassword
, services.gitlab.initialRootPassword
, services.gitlab.secrets.secret
, services.gitlab.secrets.db
, services.gitlab.secrets.otp
and services.gitlab.secrets.jws
) replaced by file-based versions (services.gitlab.smtp.passwordFile
, services.gitlab.databasePasswordFile
, services.gitlab.initialRootPasswordFile
, services.gitlab.secrets.secretFile
, services.gitlab.secrets.dbFile
, services.gitlab.secrets.otpFile
and services.gitlab.secrets.jwsFile
). This was done so that secrets aren’t stored in the world-readable nix store, but means that for each option you’ll have to create a file with the same exact string, add “File” to the end of the option name, and change the definition to a string pointing to the corresponding file; e.g. services.gitlab.databasePassword = "supersecurepassword"
becomes services.gitlab.databasePasswordFile = "/path/to/secret_file"
where the file secret_file
contains the string supersecurepassword
.
The state path (services.gitlab.statePath
) now has the following restriction: no parent directory can be owned by any other user than root
or the user specified in services.gitlab.user
; i.e. if services.gitlab.statePath
is set to /var/lib/gitlab/state
, gitlab
and all parent directories must be owned by either root
or the user specified in services.gitlab.user
.
The networking.useDHCP
option is unsupported in combination with networking.useNetworkd
in anticipation of defaulting to it. It has to be set to false
and enabled per interface with networking.interfaces.<name>.useDHCP = true;
The Twitter client corebird
has been dropped as it is discontinued and does not work against the new Twitter API. Please use the fork cawbird
instead which has been adapted to the API changes and is still maintained.
The nodejs-11_x
package has been removed as it’s EOLed by upstream.
Because of the systemd upgrade, systemd-timesyncd will no longer work if system.stateVersion
is not set correctly. When upgrading from NixOS 19.03, please make sure that system.stateVersion
is set to "19.03"
, or lower if the installation dates back to an earlier version of NixOS.
Due to the short lifetime of non-LTS kernel releases package attributes like linux_5_1
, linux_5_2
and linux_5_3
have been removed to discourage dependence on specific non-LTS kernel versions in stable NixOS releases. Going forward, versioned attributes like linux_4_9
will exist for LTS versions only. Please use linux_latest
or linux_testing
if you depend on non-LTS releases. Keep in mind that linux_latest
and linux_testing
will change versions under the hood during the lifetime of a stable release and might include breaking changes.
Because of the systemd upgrade, some network interfaces might change their name. For details see upstream docs or our ticket.
The documentation
module gained an option named documentation.nixos.includeAllModules
which makes the generated configuration.nix 5 manual page include all options from all NixOS modules included in a given configuration.nix
configuration file. Currently, it is set to false
by default as enabling it frequently prevents evaluation. But the plan is to eventually have it set to true
by default. Please set it to true
now in your configuration.nix
and fix all the bugs it uncovers.
The vlc
package gained support for Chromecast streaming, enabled by default. TCP port 8010 must be open for it to work, so something like networking.firewall.allowedTCPPorts = [ 8010 ];
may be required in your configuration. Also consider enabling Accelerated Video Playback for better transcoding performance.
The following changes apply if the stateVersion
is changed to 19.09 or higher. For stateVersion = "19.03"
or lower the old behavior is preserved.
solr.package
defaults to pkgs.solr_8
.
The hunspellDicts.fr-any
dictionary now ships with fr_FR.{aff,dic}
which is linked to fr-toutesvariantes.{aff,dic}
.
The mysql
service now runs as mysql
user. Previously, systemd did execute it as root, and mysql dropped privileges itself. This includes ExecStartPre=
and ExecStartPost=
phases. To accomplish that, runtime and data directory setup was delegated to RuntimeDirectory and tmpfiles.
With the upgrade to systemd version 242 the systemd-timesyncd
service is no longer using DynamicUser=yes
. In order for the upgrade to work we rely on an activation script to move the state from the old to the new directory. The older directory (prior 19.09
) was /var/lib/private/systemd/timesync
.
As long as the system.config.stateVersion
is below 19.09
the state folder will migrated to its proper location (/var/lib/systemd/timesync
), if required.
The package avahi
is now built to look up service definitions from /etc/avahi/services
instead of its output directory in the nix store. Accordingly the module avahi
now supports custom service definitions via services.avahi.extraServiceFiles
, which are then placed in the aforementioned directory. See avahi.service5 for more information on custom service definitions.
Since version 0.1.19, cargo-vendor
honors package includes that are specified in the Cargo.toml
file of Rust crates. rustPlatform.buildRustPackage
uses cargo-vendor
to collect and build dependent crates. Since this change in cargo-vendor
changes the set of vendored files for most Rust packages, the hash that use used to verify the dependencies, cargoSha256
, also changes.
The cargoSha256
hashes of all in-tree derivations that use buildRustPackage
have been updated to reflect this change. However, third-party derivations that use buildRustPackage
may have to be updated as well.
The consul
package was upgraded past version 1.5
, so its deprecated legacy UI is no longer available.
The default resample-method for PulseAudio has been changed from the upstream default speex-float-1
to speex-float-5
. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this so you’ll need to set hardware.pulseaudio.daemon.config.resample-method
back to speex-float-1
.
The phabricator
package and associated httpd.extraSubservice
, as well as the phd
service have been removed from nixpkgs due to lack of maintainer.
The mercurial
httpd.extraSubservice
has been removed from nixpkgs due to lack of maintainer.
The trac
httpd.extraSubservice
has been removed from nixpkgs because it was unmaintained.
The foswiki
package and associated httpd.extraSubservice
have been removed from nixpkgs due to lack of maintainer.
The tomcat-connector
httpd.extraSubservice
has been removed from nixpkgs.
It’s now possible to change configuration in services.nextcloud after the initial deploy since all config parameters are persisted in an additional config file generated by the module. Previously core configuration like database parameters were set using their imperative installer after creating /var/lib/nextcloud
.
There exists now lib.forEach
, which is like map
, but with arguments flipped. When mapping function body spans many lines (or has nested map
s), it is often hard to follow which list is modified.
Previous solution to this problem was either to use lib.flip map
idiom or extract that anonymous mapping function to a named one. Both can still be used but lib.forEach
is preferred over lib.flip map
.
The /etc/sysctl.d/nixos.conf
file containing all the options set via boot.kernel.sysctl was moved to /etc/sysctl.d/60-nixos.conf
, as sysctl.d5 recommends prefixing all filenames in /etc/sysctl.d
with a two-digit number and a dash to simplify the ordering of the files.
We now install the sysctl snippets shipped with systemd.
Loose reverse path filtering
Source route filtering
fq_codel
as a packet scheduler (this helps to fight bufferbloat)
This also configures the kernel to pass core dumps to systemd-coredump
, and restricts the SysRq key combinations to the sync command only. These sysctl snippets can be found in /etc/sysctl.d/50-*.conf
, and overridden via boot.kernel.sysctl (which will place the parameters in /etc/sysctl.d/60-nixos.conf
).
Core dumps are now processed by systemd-coredump
by default. systemd-coredump
behaviour can still be modified via systemd.coredump.extraConfig
. To stick to the old behaviour (having the kernel dump to a file called core
in the working directory), without piping it through systemd-coredump
, set systemd.coredump.enable
to false
.
systemd.packages
option now also supports generators and shutdown scripts. Old systemd.generator-packages
option has been removed.
The rmilter
package was removed with associated module and options due deprecation by upstream developer. Use rspamd
in proxy mode instead.
systemd cgroup accounting via the systemd.enableCgroupAccounting option is now enabled by default. It now also enables the more recent Block IO and IP accounting features.
We no longer enable custom font rendering settings with fonts.fontconfig.penultimate.enable
by default. The defaults from fontconfig are sufficient.
The crashplan
package and the crashplan
service have been removed from nixpkgs due to crashplan shutting down the service, while the crashplansb
package and crashplan-small-business
service have been removed from nixpkgs due to lack of maintainer.
The redis module was hardcoded to use the redis
user, /run/redis
as runtime directory and /var/lib/redis
as state directory. Note that the NixOS module for Redis now disables kernel support for Transparent Huge Pages (THP), because this features causes major performance problems for Redis, e.g. (https://redis.io/topics/latency).
Using fonts.enableDefaultFonts
adds a default emoji font noto-fonts-emoji
.
services.xserver.enable
programs.sway.enable
programs.way-cooler.enable
services.xrdp.enable
The altcoins
categorization of packages has been removed. You now access these packages at the top level, ie. nix-shell -p dogecoin
instead of nix-shell -p altcoins.dogecoin
, etc.
Ceph has been upgraded to v14.2.1. See the release notes for details. The mgr dashboard as well as osds backed by loop-devices is no longer explicitly supported by the package and module. Note: There’s been some issues with python-cherrypy, which is used by the dashboard and prometheus mgr modules (and possibly others), hence 0000-dont-check-cherrypy-version.patch.
pkgs.weechat
is now compiled against pkgs.python3
. Weechat also recommends to use Python3 in their docs.
In addition to numerous new and upgraded packages, this release has the following highlights:
End of support is planned for end of October 2019, handing over to 19.09.
The default Python 3 interpreter is now CPython 3.7 instead of CPython 3.6.
Added the Pantheon desktop environment. It can be enabled through services.xserver.desktopManager.pantheon.enable
.
By default, services.xserver.desktopManager.pantheon
enables LightDM as a display manager, as pantheon’s screen locking implementation relies on it.
Because of that it is recommended to leave LightDM enabled. If you’d like to disable it anyway, set services.xserver.displayManager.lightdm.enable
to false
and enable your preferred display manager.
Also note that Pantheon’s LightDM greeter is not enabled by default, because it has numerous issues in NixOS and isn’t optimal for use here yet.
A major refactoring of the Kubernetes module has been completed. Refactorings primarily focus on decoupling components and enhancing security. Two-way TLS and RBAC has been enabled by default for all components, which slightly changes the way the module is configured. See: Kubernetes for details.
There is now a set of confinement
options for systemd.services
, which allows to restrict services into a chroot 2 ed environment that only contains the store paths from the runtime closure of the service.
The following new services were added since the last release:
./programs/nm-applet.nix
There is a new security.googleOsLogin
module for using OS Login to manage SSH access to Google Compute Engine instances, which supersedes the imperative and broken google-accounts-daemon
used in nixos/modules/virtualisation/google-compute-config.nix
.
./services/misc/beanstalkd.nix
There is a new services.cockroachdb
module for running CockroachDB databases. NixOS now ships with CockroachDB 2.1.x as well, available on x86_64-linux
and aarch64-linux
.
./security/duosec.nix
The PAM module for Duo Security has been enabled for use. One can configure it using the security.duosec
options along with the corresponding PAM option in security.pam.services.<name?>.duoSecurity.enable
.
When upgrading from a previous release, please be aware of the following incompatible changes:
The minimum version of Nix required to evaluate Nixpkgs is now 2.0.
For users of NixOS 18.03 and 19.03, NixOS defaults to Nix 2.0, but supports using Nix 1.11 by setting nix.package = pkgs.nix1;
. If this option is set to a Nix 1.11 package, you will need to either unset the option or upgrade it to Nix 2.0.
For users of NixOS 17.09, you will first need to upgrade Nix by setting nix.package = pkgs.nixStable2;
and run nixos-rebuild switch
as the root
user.
For users of a daemon-less Nix installation on Linux or macOS, you can upgrade Nix by running curl -L https://nixos.org/nix/install | sh
, or prior to doing a channel update, running nix-env -iA nix
. If you have already run a channel update and Nix is no longer able to evaluate Nixpkgs, the error message printed should provide adequate directions for upgrading Nix.
For users of the Nix daemon on macOS, you can upgrade Nix by running sudo -i sh -c 'nix-channel --update && nix-env -iA nixpkgs.nix'; sudo launchctl stop org.nixos.nix-daemon; sudo launchctl start org.nixos.nix-daemon
.
The buildPythonPackage
function now sets strictDeps = true
to help distinguish between native and non-native dependencies in order to improve cross-compilation compatibility. Note however that this may break user expressions.
The buildPythonPackage
function now sets LANG = C.UTF-8
to enable Unicode support. The glibcLocales
package is no longer needed as a build input.
The Syncthing state and configuration data has been moved from services.syncthing.dataDir
to the newly defined services.syncthing.configDir
, which default to /var/lib/syncthing/.config/syncthing
. This change makes possible to share synced directories using ACLs without Syncthing resetting the permission on every start.
The ntp
module now has sane default restrictions. If you’re relying on the previous defaults, which permitted all queries and commands from all firewall-permitted sources, you can set services.ntp.restrictDefault
and services.ntp.restrictSource
to []
.
Package rabbitmq_server
is renamed to rabbitmq-server
.
The light
module no longer uses setuid binaries, but udev rules. As a consequence users of that module have to belong to the video
group in order to use the executable (i.e. users.users.yourusername.extraGroups = ["video"];
).
Buildbot now supports Python 3 and its packages have been moved to pythonPackages
. The options services.buildbot-master.package
and services.buildbot-worker.package
can be used to select the Python 2 or 3 version of the package.
Options services.znc.confOptions.networks.name.userName
and services.znc.confOptions.networks.name.modulePackages
were removed. They were never used for anything and can therefore safely be removed.
Package wasm
has been renamed proglodyte-wasm
. The package wasm
will be pointed to ocamlPackages.wasm
in 19.09, so make sure to update your configuration if you want to keep proglodyte-wasm
When the nixpkgs.pkgs
option is set, NixOS will no longer ignore the nixpkgs.overlays
option. The old behavior can be recovered by setting nixpkgs.overlays = lib.mkForce [];
.
OpenSMTPD has been upgraded to version 6.4.0p1. This release makes backwards-incompatible changes to the configuration file format. See man smtpd.conf
for more information on the new file format.
The versioned postgresql
have been renamed to use underscore number separators. For example, postgresql96
has been renamed to postgresql_9_6
.
Package consul-ui
and passthrough consul.ui
have been removed. The package consul
now uses upstream releases that vendor the UI into the binary. See #48714 for details.
Slurm introduces the new option services.slurm.stateSaveLocation
, which is now set to /var/spool/slurm
by default (instead of /var/spool
). Make sure to move all files to the new directory or to set the option accordingly.
The slurmctld now runs as user slurm
instead of root
. If you want to keep slurmctld running as root
, set services.slurm.user = root
.
The options services.slurm.nodeName
and services.slurm.partitionName
are now sets of strings to correctly reflect that fact that each of these options can occur more than once in the configuration.
The solr
package has been upgraded from 4.10.3 to 7.5.0 and has undergone some major changes. The services.solr
module has been updated to reflect these changes. Please review http://lucene.apache.org/solr/ carefully before upgrading.
Package ckb
is renamed to ckb-next
, and options hardware.ckb.*
are renamed to hardware.ckb-next.*
.
The option services.xserver.displayManager.job.logToFile
which was previously set to true
when using the display managers lightdm
, sddm
or xpra
has been reset to the default value (false
).
Network interface indiscriminate NixOS firewall options (networking.firewall.allow*
) are now preserved when also setting interface specific rules such as networking.firewall.interfaces.en0.allow*
. These rules continue to use the pseudo device “default” (networking.firewall.interfaces.default.*
), and assigning to this pseudo device will override the (networking.firewall.allow*
) options.
The nscd
service now disables all caching of passwd
and group
databases by default. This was interfering with the correct functioning of the libnss_systemd.so
module which is used by systemd
to manage uids and usernames in the presence of DynamicUser=
in systemd services. This was already the default behaviour in presence of services.sssd.enable = true
because nscd caching would interfere with sssd
in unpredictable ways as well. Because we’re using nscd not for caching, but for convincing glibc to find NSS modules in the nix store instead of an absolute path, we have decided to disable caching globally now, as it’s usually not the behaviour the user wants and can lead to surprising behaviour. Furthermore, negative caching of host lookups is also disabled now by default. This should fix the issue of dns lookups failing in the presence of an unreliable network.
If the old behaviour is desired, this can be restored by setting the services.nscd.config
option with the desired caching parameters.
{
services.nscd.config =
''
server-user nscd
threads 1
paranoia no
debug-level 0
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd no
shared passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group no
shared group yes
enable-cache hosts yes
positive-time-to-live hosts 600
negative-time-to-live hosts 5
suggested-size hosts 211
check-files hosts yes
persistent hosts no
shared hosts yes
'';
}
See #50316 for details.
GitLab Shell previously used the nix store paths for the gitlab-shell
command in its authorized_keys
file, which might stop working after garbage collection. To circumvent that, we regenerated that file on each startup. As gitlab-shell
has now been changed to use /var/run/current-system/sw/bin/gitlab-shell
, this is not necessary anymore, but there might be leftover lines with a nix store path. Regenerate the authorized_keys
file via sudo -u git -H gitlab-rake gitlab:shell:setup
in that case.
The pam_unix
account module is now loaded with its control field set to required
instead of sufficient
, so that later PAM account modules that might do more extensive checks are being executed. Previously, the whole account module verification was exited prematurely in case a nss module provided the account name to pam_unix
. The LDAP and SSSD NixOS modules already add their NSS modules when enabled. In case your setup breaks due to some later PAM account module previously shadowed, or failing NSS lookups, please file a bug. You can get back the old behaviour by manually setting security.pam.services.<name?>.text
.
The pam_unix
password module is now loaded with its control field set to sufficient
instead of required
, so that password managed only by later PAM password modules are being executed. Previously, for example, changing an LDAP account’s password through PAM was not possible: the whole password module verification was exited prematurely by pam_unix
, preventing pam_ldap
to manage the password as it should.
fish
has been upgraded to 3.0. It comes with a number of improvements and backwards incompatible changes. See the fish
release notes for more information.
The ibus-table input method has had a change in config format, which causes all previous settings to be lost. See this commit message for details.
NixOS module system type types.optionSet
and lib.mkOption
argument options
are deprecated. Use types.submodule
instead. (#54637)
matrix-synapse
has been updated to version 0.99. It will no longer generate a self-signed certificate on first launch and will be the last version to accept self-signed certificates. As such, it is now recommended to use a proper certificate verified by a root CA (for example Let’s Encrypt). The new manual chapter on Matrix contains a working example of using nginx as a reverse proxy in front of matrix-synapse
, using Let’s Encrypt certificates.
mailutils
now works by default when sendmail
is not in a setuid wrapper. As a consequence, the sendmailPath
argument, having lost its main use, has been removed.
graylog
has been upgraded from version 2.* to 3.*. Some setups making use of extraConfig (especially those exposing Graylog via reverse proxies) need to be updated as upstream removed/replaced some settings. See Upgrading Graylog for details.
The option users.ldap.bind.password
was renamed to users.ldap.bind.passwordFile
, and needs to be readable by the nslcd
user. Same applies to the new users.ldap.daemon.rootpwmodpwFile
option.
nodejs-6_x
is end-of-life. nodejs-6_x
, nodejs-slim-6_x
and nodePackages_6_x
are removed.
The services.matomo
module gained the option services.matomo.package
which determines the used Matomo version.
The Matomo module now also comes with the systemd service matomo-archive-processing.service
and a timer that automatically triggers archive processing every hour. This means that you can safely disable browser triggers for Matomo archiving at Administration > System > General Settings
.
Additionally, you can enable to delete old visitor logs at Administration > System > Privacy
, but make sure that you run systemctl start matomo-archive-processing.service
at least once without errors if you have already collected data before, so that the reports get archived before the source data gets deleted.
composableDerivation
along with supporting library functions has been removed.
The deprecated truecrypt
package has been removed and truecrypt
attribute is now an alias for veracrypt
. VeraCrypt is backward-compatible with TrueCrypt volumes. Note that cryptsetup
also supports loading TrueCrypt volumes.
The Kubernetes DNS addons, kube-dns, has been replaced with CoreDNS. This change is made in accordance with Kubernetes making CoreDNS the official default starting from Kubernetes v1.11. Please beware that upgrading DNS-addon on existing clusters might induce minor downtime while the DNS-addon terminates and re-initializes. Also note that the DNS-service now runs with 2 pod replicas by default. The desired number of replicas can be configured using: services.kubernetes.addons.dns.replicas
.
The quassel-webserver package and module was removed from nixpkgs due to the lack of maintainers.
The manual gained a new chapter on self-hosting matrix-synapse
and riot-web
, the most prevalent server and client implementations for the Matrix federated communication network.
The astah-community package was removed from nixpkgs due to it being discontinued and the downloads not being available anymore.
The httpd service now saves log files with a .log file extension by default for easier integration with the logrotate service.
The owncloud server packages and httpd subservice module were removed from nixpkgs due to the lack of maintainers.
It is possible now to uze ZRAM devices as general purpose ephemeral block devices, not only as swap. Using more than 1 device as ZRAM swap is no longer recommended, but is still possible by setting zramSwap.swapDevices
explicitly.
ZRAM algorithm can be changed now.
Changes to ZRAM algorithm are applied during nixos-rebuild switch
, so make sure you have enough swap space on disk to survive ZRAM device rebuild. Alternatively, use nixos-rebuild boot; reboot
.
Flat volumes are now disabled by default in hardware.pulseaudio
. This has been done to prevent applications, which are unaware of this feature, setting their volumes to 100% on startup causing harm to your audio hardware and potentially your ears.
With this change application specific volumes are relative to the master volume which can be adjusted independently, whereas before they were absolute; meaning that in effect, it scaled the device-volume with the volume of the loudest application.
The ndppd
module now supports all config options provided by the current upstream version as service options. Additionally the ndppd
package doesn’t contain the systemd unit configuration from upstream anymore, the unit is completely configured by the NixOS module now.
New installs of NixOS will default to the Redmine 4.x series unless otherwise specified in services.redmine.package
while existing installs of NixOS will default to the Redmine 3.x series.
The Grafana module now supports declarative datasource and dashboard provisioning.
The use of insecure ports on kubernetes has been deprecated. Thus options: services.kubernetes.apiserver.port
and services.kubernetes.controllerManager.port
has been renamed to .insecurePort
, and default of both options has changed to 0 (disabled).
Note that the default value of services.kubernetes.apiserver.bindAddress
has changed from 127.0.0.1 to 0.0.0.0, allowing the apiserver to be accessible from outside the master node itself. If the apiserver insecurePort is enabled, it is strongly recommended to only bind on the loopback interface. See: services.kubernetes.apiserver.insecurebindAddress
.
The option services.kubernetes.apiserver.allowPrivileged
and services.kubernetes.kubelet.allowPrivileged
now defaults to false. Disallowing privileged containers on the cluster.
The kubernetes module does no longer add the kubernetes package to environment.systemPackages
implicitly.
The intel
driver has been removed from the default list of X.org video drivers. The modesetting
driver should take over automatically, it is better maintained upstream and has less problems with advanced X11 features. This can lead to a change in the output names used by xrandr
. Some performance regressions on some GPU models might happen. Some OpenCL and VA-API applications might also break (Beignet seems to provide OpenCL support with modesetting
driver, too). Kernel mode setting API does not support backlight control, so xbacklight
tool will not work; backlight level can be controlled directly via /sys/
or with brightnessctl
. Users who need this functionality more than multi-output XRandR are advised to add `intel` to `videoDrivers` and report an issue (or provide additional details in an existing one)
Openmpi has been updated to version 4.0.0, which removes some deprecated MPI-1 symbols. This may break some older applications that still rely on those symbols. An upgrade guide can be found here.
The nginx package now relies on OpenSSL 1.1 and supports TLS 1.3 by default. You can set the protocols used by the nginx service using services.nginx.sslProtocols.
A new subcommand nixos-rebuild edit
was added.
In addition to numerous new and upgraded packages, this release has the following notable updates:
End of support is planned for end of April 2019, handing over to 19.03.
Platform support: x86_64-linux and x86_64-darwin as always. Support for aarch64-linux is as with the previous releases, not equivalent to the x86-64-linux release, but with efforts to reach parity.
Nix has been updated to 2.1; see its release notes.
Core versions: linux: 4.14 LTS (unchanged), glibc: 2.26 → 2.27, gcc: 7 (unchanged), systemd: 237 → 239.
Desktop version changes: gnome: 3.26 → 3.28, (KDE) plasma-desktop: 5.12 → 5.13.
Notable changes and additions for 18.09 include:
Support for wrapping binaries using firejail
has been added through programs.firejail.wrappedBinaries
.
For example
{
programs.firejail = {
enable = true;
wrappedBinaries = {
firefox = "${lib.getBin pkgs.firefox}/bin/firefox";
mpv = "${lib.getBin pkgs.mpv}/bin/mpv";
};
};
}
This will place firefox
and mpv
binaries in the global path wrapped by firejail.
User channels are now in the default NIX_PATH
, allowing users to use their personal nix-channel
defined channels in nix-build
and nix-shell
commands, as well as in imports like import <mychannel>
.
For example
$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgsunstable
$ nix-channel --update
$ nix-build '<nixpkgsunstable>' -A gitFull
$ nix run -f '<nixpkgsunstable>' gitFull
$ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'
A curated selection of new services that were added since the last release:
The services.cassandra
module has been reworked and was rewritten from scratch. The service has succeeding tests for the versions 2.1, 2.2, 3.0 and 3.11 of Apache Cassandra.
There is a new services.foundationdb
module for deploying FoundationDB clusters.
When enabled the iproute2
will copy the files expected by ip route (e.g., rt_tables
) in /etc/iproute2
. This allows to write aliases for routing tables for instance.
services.strongswan-swanctl
is a modern replacement for services.strongswan
. You can use either one of them to setup IPsec VPNs but not both at the same time.
services.strongswan-swanctl
uses the swanctl command which uses the modern vici Versatile IKE Configuration Interface. The deprecated ipsec
command used in services.strongswan
is using the legacy stroke configuration interface.
The new services.elasticsearch-curator
service periodically curates or manages, your Elasticsearch indices and snapshots.
Every new services:
./config/xdg/autostart.nix
./config/xdg/icons.nix
./config/xdg/menus.nix
./config/xdg/mime.nix
./hardware/brightnessctl.nix
./hardware/onlykey.nix
./hardware/video/uvcvideo/default.nix
./misc/documentation.nix
./programs/firejail.nix
./programs/iftop.nix
./programs/sedutil.nix
./programs/singularity.nix
./programs/xss-lock.nix
./programs/zsh/zsh-autosuggestions.nix
./services/admin/oxidized.nix
./services/backup/duplicati.nix
./services/backup/restic.nix
./services/backup/restic-rest-server.nix
./services/cluster/hadoop/default.nix
./services/databases/aerospike.nix
./services/databases/monetdb.nix
./services/desktops/bamf.nix
./services/desktops/flatpak.nix
./services/desktops/zeitgeist.nix
./services/development/bloop.nix
./services/development/jupyter/default.nix
./services/hardware/lcd.nix
./services/hardware/undervolt.nix
./services/misc/clipmenu.nix
./services/misc/gitweb.nix
./services/misc/serviio.nix
./services/misc/safeeyes.nix
./services/misc/sysprof.nix
./services/misc/weechat.nix
./services/monitoring/datadog-agent.nix
./services/monitoring/incron.nix
./services/networking/dnsdist.nix
./services/networking/freeradius.nix
./services/networking/hans.nix
./services/networking/morty.nix
./services/networking/ndppd.nix
./services/networking/ocserv.nix
./services/networking/owamp.nix
./services/networking/quagga.nix
./services/networking/shadowsocks.nix
./services/networking/stubby.nix
./services/networking/zeronet.nix
./services/security/certmgr.nix
./services/security/cfssl.nix
./services/security/oauth2_proxy_nginx.nix
./services/web-apps/virtlyst.nix
./services/web-apps/youtrack.nix
./services/web-servers/hitch/default.nix
./services/web-servers/hydron.nix
./services/web-servers/meguca.nix
./services/web-servers/nginx/gitweb.nix
./virtualisation/kvmgt.nix
./virtualisation/qemu-guest-agent.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
Some licenses that were incorrectly not marked as unfree now are. This is the case for:
cc-by-nc-sa-20: Creative Commons Attribution Non Commercial Share Alike 2.0
cc-by-nc-sa-25: Creative Commons Attribution Non Commercial Share Alike 2.5
cc-by-nc-sa-30: Creative Commons Attribution Non Commercial Share Alike 3.0
cc-by-nc-sa-40: Creative Commons Attribution Non Commercial Share Alike 4.0
cc-by-nd-30: Creative Commons Attribution-No Derivative Works v3.00
msrla: Microsoft Research License Agreement
The deprecated services.cassandra
module has seen a complete rewrite. (See above.)
lib.strict
is removed. Use builtins.seq
instead.
The clementine
package points now to the free derivation. clementineFree
is removed now and clementineUnfree
points to the package which is bundled with the unfree libspotify
package.
The netcat
package is now taken directly from OpenBSD’s libressl
, instead of relying on Debian’s fork. The new version should be very close to the old version, but there are some minor differences. Importantly, flags like -b, -q, -C, and -Z are no longer accepted by the nc command.
The services.docker-registry.extraConfig
object doesn’t contain environment variables anymore. Instead it needs to provide an object structure that can be mapped onto the YAML configuration defined in the docker/distribution
docs.
gnucash
has changed from version 2.4 to 3.x. If you’ve been using gnucash
(version 2.4) instead of gnucash26
(version 2.6) you must open your Gnucash data file(s) with gnucash26
and then save them to upgrade the file format. Then you may use your data file(s) with Gnucash 3.x. See the upgrade documentation. Gnucash 2.4 is still available under the attribute gnucash24
.
services.munge
now runs as user (and group) munge
instead of root. Make sure the key file is accessible to the daemon.
dockerTools.buildImage
now uses null
as default value for tag
, which indicates that the nix output hash will be used as tag.
The ELK stack: elasticsearch
, logstash
and kibana
has been upgraded from 2.* to 6.3.*. The 2.* versions have been unsupported since last year so they have been removed. You can still use the 5.* versions under the names elasticsearch5
, logstash5
and kibana5
.
The elastic beats: filebeat
, heartbeat
, metricbeat
and packetbeat
have had the same treatment: they now target 6.3.* as well. The 5.* versions are available under the names: filebeat5
, heartbeat5
, metricbeat5
and packetbeat5
The ELK-6.3 stack now comes with X-Pack by default. Since X-Pack is licensed under the Elastic License the ELK packages now have an unfree license. To use them you need to specify allowUnfree = true;
in your nixpkgs configuration.
Fortunately there is also a free variant of the ELK stack without X-Pack. The packages are available under the names: elasticsearch-oss
, logstash-oss
and kibana-oss
.
Options boot.initrd.luks.devices.name.yubikey.ramfsMountPoint
boot.initrd.luks.devices.name.yubikey.storage.mountPoint
were removed. luksroot.nix
module never supported more than one YubiKey at a time anyway, hence those options never had any effect. You should be able to remove them from your config without any issues.
stdenv.system
and system
in nixpkgs now refer to the host platform instead of the build platform. For native builds this is not change, let alone a breaking one. For cross builds, it is a breaking change, and stdenv.buildPlatform.system
can be used instead for the old behavior. They should be using that anyways for clarity.
Groups kvm
and render
are introduced now, as systemd requires them.
dockerTools.pullImage
relies on image digest instead of image tag to download the image. The sha256
of a pulled image has to be updated.
lib.attrNamesToStr
has been deprecated. Use more specific concatenation (lib.concat(Map)StringsSep
) instead.
lib.addErrorContextToAttrs
has been deprecated. Use builtins.addErrorContext
directly.
lib.showVal
has been deprecated. Use lib.traceSeqN
instead.
lib.traceXMLVal
has been deprecated. Use lib.traceValFn builtins.toXml
instead.
lib.traceXMLValMarked
has been deprecated. Use lib.traceValFn (x: str + builtins.toXML x)
instead.
The pkgs
argument to NixOS modules can now be set directly using nixpkgs.pkgs
. Previously, only the system
, config
and overlays
arguments could be used to influence pkgs
.
A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs. For example:
{
inherit (pkgs.nixos {
boot.loader.grub.enable = false;
fileSystems."/".device = "/dev/xvda1";
}) toplevel kernel initialRamdisk manual;
}
This benefits evaluation performance, lets you write Nixpkgs packages that depend on NixOS images and is consistent with a deployment architecture that would be centered around Nixpkgs overlays.
lib.traceValIfNot
has been deprecated. Use if/then/else
and lib.traceValSeq
instead.
lib.traceCallXml
has been deprecated. Please complain if you use the function regularly.
The attribute lib.nixpkgsVersion
has been deprecated in favor of lib.version
. Please refer to the discussion in NixOS/nixpkgs#39416 for further reference.
lib.recursiveUpdateUntil
was not acting according to its specification. It has been fixed to act according to the docstring, and a test has been added.
The module for security.dhparams
has two new options now:
security.dhparams.stateless
Puts the generated Diffie-Hellman parameters into the Nix store instead of managing them in a stateful manner in /var/lib/dhparams
.
security.dhparams.defaultBitSize
The default bit size to use for the generated Diffie-Hellman parameters.
The path to the actual generated parameter files should now be queried using config.security.dhparams.params.name.path
because it might be either in the Nix store or in a directory configured by security.dhparams.path
.
For developers:
Module implementers should not set a specific bit size in order to let users configure it by themselves if they want to have a different bit size than the default (2048).
An example usage of this would be:
{ config, ... }:
{
security.dhparams.params.myservice = {};
environment.etc."myservice.conf".text = ''
dhparams = ${config.security.dhparams.params.myservice.path}
'';
}
networking.networkmanager.useDnsmasq
has been deprecated. Use networking.networkmanager.dns
instead.
The Kubernetes package has been bumped to major version 1.11. Please consult the release notes for details on new features and api changes.
The option services.kubernetes.apiserver.admissionControl
was renamed to services.kubernetes.apiserver.enableAdmissionPlugins
.
Recommended way to access the Kubernetes Dashboard is via HTTPS (TLS) Therefore; public service port for the dashboard has changed to 443 (container port 8443) and scheme to https.
The option services.kubernetes.apiserver.address
was renamed to services.kubernetes.apiserver.bindAddress
. Note that the default value has changed from 127.0.0.1 to 0.0.0.0.
The option services.kubernetes.apiserver.publicAddress
was not used and thus has been removed.
The option services.kubernetes.addons.dashboard.enableRBAC
was renamed to services.kubernetes.addons.dashboard.rbac.enable
.
The Kubernetes Dashboard now has only minimal RBAC permissions by default. If dashboard cluster-admin rights are desired, set services.kubernetes.addons.dashboard.rbac.clusterAdmin
to true. On existing clusters, in order for the revocation of privileges to take effect, the current ClusterRoleBinding for kubernetes-dashboard must be manually removed: kubectl delete clusterrolebinding kubernetes-dashboard
The programs.screen
module provides allows to configure /etc/screenrc
, however the module behaved fairly counterintuitive as the config exists, but the package wasn’t available. Since 18.09 pkgs.screen
will be added to environment.systemPackages
.
The module services.networking.hostapd
now uses WPA2 by default.
s6Dns
, s6Networking
, s6LinuxUtils
and s6PortableUtils
renamed to s6-dns
, s6-networking
, s6-linux-utils
and s6-portable-utils
respectively.
The module option nix.useSandbox
is now defaulted to true
.
The config activation script of nixos-rebuild
now reloads all user units for each authenticated user.
The default display manager is now LightDM. To use SLiM set services.xserver.displayManager.slim.enable
to true
.
NixOS option descriptions are now automatically broken up into individual paragraphs if the text contains two consecutive newlines, so it’s no longer necessary to use </para><para>
to start a new paragraph.
Top-level buildPlatform
, hostPlatform
, and targetPlatform
in Nixpkgs are deprecated. Please use their equivalents in stdenv
instead: stdenv.buildPlatform
, stdenv.hostPlatform
, and stdenv.targetPlatform
.
In addition to numerous new and upgraded packages, this release has the following highlights:
End of support is planned for end of October 2018, handing over to 18.09.
Platform support: x86_64-linux and x86_64-darwin since release time (the latter isn’t NixOS, really). Binaries for aarch64-linux are available, but no channel exists yet, as it’s waiting for some test fixes, etc.
Nix now defaults to 2.0; see its release notes.
Core version changes: linux: 4.9 -> 4.14, glibc: 2.25 -> 2.26, gcc: 6 -> 7, systemd: 234 -> 237.
Desktop version changes: gnome: 3.24 -> 3.26, (KDE) plasma-desktop: 5.10 -> 5.12.
MariaDB 10.2, updated from 10.1, is now the default MySQL implementation. While upgrading a few changes have been made to the infrastructure involved:
libmysql
has been deprecated, please use mysql.connector-c
instead, a compatibility passthru has been added to the MySQL packages.
The mysql57
package has a new static
output containing the static libraries including libmysqld.a
PHP now defaults to PHP 7.2, updated from 7.1.
The following new services were added since the last release:
./config/krb5/default.nix
./hardware/digitalbitbox.nix
./misc/label.nix
./programs/ccache.nix
./programs/criu.nix
./programs/digitalbitbox/default.nix
./programs/less.nix
./programs/npm.nix
./programs/plotinus.nix
./programs/rootston.nix
./programs/systemtap.nix
./programs/sway.nix
./programs/udevil.nix
./programs/way-cooler.nix
./programs/yabar.nix
./programs/zsh/zsh-autoenv.nix
./services/backup/borgbackup.nix
./services/backup/crashplan-small-business.nix
./services/desktops/dleyna-renderer.nix
./services/desktops/dleyna-server.nix
./services/desktops/pipewire.nix
./services/desktops/gnome3/chrome-gnome-shell.nix
./services/desktops/gnome3/tracker-miners.nix
./services/hardware/fwupd.nix
./services/hardware/interception-tools.nix
./services/hardware/u2f.nix
./services/hardware/usbmuxd.nix
./services/mail/clamsmtp.nix
./services/mail/dkimproxy-out.nix
./services/mail/pfix-srsd.nix
./services/misc/gitea.nix
./services/misc/home-assistant.nix
./services/misc/ihaskell.nix
./services/misc/logkeys.nix
./services/misc/novacomd.nix
./services/misc/osrm.nix
./services/misc/plexpy.nix
./services/misc/pykms.nix
./services/misc/tzupdate.nix
./services/monitoring/fusion-inventory.nix
./services/monitoring/prometheus/exporters.nix
./services/network-filesystems/beegfs.nix
./services/network-filesystems/davfs2.nix
./services/network-filesystems/openafs/client.nix
./services/network-filesystems/openafs/server.nix
./services/network-filesystems/ceph.nix
./services/networking/aria2.nix
./services/networking/monero.nix
./services/networking/nghttpx/default.nix
./services/networking/nixops-dns.nix
./services/networking/rxe.nix
./services/networking/stunnel.nix
./services/web-apps/matomo.nix
./services/web-apps/restya-board.nix
./services/web-servers/mighttpd2.nix
./services/x11/fractalart.nix
./system/boot/binfmt.nix
./system/boot/grow-partition.nix
./tasks/filesystems/ecryptfs.nix
./virtualisation/hyperv-guest.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
sound.enable
now defaults to false.
Dollar signs in options under services.postfix
are passed verbatim to Postfix, which will interpret them as the beginning of a parameter expression. This was already true for string-valued options in the previous release, but not for list-valued options. If you need to pass literal dollar signs through Postfix, double them.
The postage
package (for web-based PostgreSQL administration) has been renamed to pgmanage
. The corresponding module has also been renamed. To migrate please rename all services.postage
options to services.pgmanage
.
Package attributes starting with a digit have been prefixed with an underscore sign. This is to avoid quoting in the configuration and other issues with command-line tools like nix-env
. The change affects the following packages:
2048-in-terminal
→ _2048-in-terminal
90secondportraits
→ _90secondportraits
2bwm
→ _2bwm
389-ds-base
→ _389-ds-base
The OpenSSH service no longer enables support for DSA keys by default, which could cause a system lock out. Update your keys or, unfavorably, re-enable DSA support manually.
DSA support was deprecated in OpenSSH 7.0, due to it being too weak. To re-enable support, add PubkeyAcceptedKeyTypes +ssh-dss
to the end of your services.openssh.extraConfig
.
After updating the keys to be stronger, anyone still on a pre-17.03 version is safe to jump to 17.03, as vetted here.
The openssh
package now includes Kerberos support by default; the openssh_with_kerberos
package is now a deprecated alias. If you do not want Kerberos support, you can do openssh.override { withKerberos = false; }
. Note, this also applies to the openssh_hpn
package.
cc-wrapper
has been split in two; there is now also a bintools-wrapper
. The most commonly used files in nix-support
are now split between the two wrappers. Some commonly used ones, like nix-support/dynamic-linker
, are duplicated for backwards compatibility, even though they rightly belong only in bintools-wrapper
. Other more obscure ones are just moved.
The propagation logic has been changed. The new logic, along with new types of dependencies that go with, is thoroughly documented in the “Specifying dependencies” section of the “Standard Environment” chapter of the nixpkgs manual. The old logic isn’t but is easy to describe: dependencies were propagated as the same type of dependency no matter what. In practice, that means that many propagatedNativeBuildInputs
should instead be propagatedBuildInputs
. Thankfully, that was and is the least used type of dependency. Also, it means that some propagatedBuildInputs
should instead be depsTargetTargetPropagated
. Other types dependencies should be unaffected.
lib.addPassthru drv passthru
is removed. Use lib.extendDerivation true passthru drv
instead.
The memcached
service no longer accept dynamic socket paths via services.memcached.socket
. Unix sockets can be still enabled by services.memcached.enableUnixSocket
and will be accessible at /run/memcached/memcached.sock
.
The hardware.amdHybridGraphics.disable
option was removed for lack of a maintainer. If you still need this module, you may wish to include a copy of it from an older version of nixos in your imports.
The merging of config options for services.postfix.config
was buggy. Previously, if other options in the Postfix module like services.postfix.useSrs
were set and the user set config options that were also set by such options, the resulting config wouldn’t include all options that were needed. They are now merged correctly. If config options need to be overridden, lib.mkForce
or lib.mkOverride
can be used.
The following changes apply if the stateVersion
is changed to 18.03 or higher. For stateVersion = "17.09"
or lower the old behavior is preserved.
matrix-synapse
uses postgresql by default instead of sqlite. Migration instructions can be found here .
The jid
package has been removed, due to maintenance overhead of a go package having non-versioned dependencies.
When using services.xserver.libinput
(enabled by default in GNOME), it now handles all input devices, not just touchpads. As a result, you might need to re-evaluate any custom Xorg configuration. In particular, Option "XkbRules" "base"
may result in broken keyboard layout.
The attic
package was removed. A maintained fork called Borg should be used instead. Migration instructions can be found here.
The Piwik analytics software was renamed to Matomo:
The package pkgs.piwik
was renamed to pkgs.matomo
.
The service services.piwik
was renamed to services.matomo
.
The data directory /var/lib/piwik
was renamed to /var/lib/matomo
. All files will be moved automatically on first startup, but you might need to adjust your backup scripts.
The default serverName
for the nginx configuration changed from piwik.${config.networking.hostName}
to matomo.${config.networking.hostName}.${config.networking.domain}
if config.networking.domain
is set, matomo.${config.networking.hostName}
if it is not set. If you change your serverName
, remember you’ll need to update the trustedHosts[]
array in /var/lib/matomo/config/config.ini.php
as well.
The piwik
user was renamed to matomo
. The service will adjust ownership automatically for files in the data directory. If you use unix socket authentication, remember to give the new matomo
user access to the database and to change the username
to matomo
in the [database]
section of /var/lib/matomo/config/config.ini.php
.
If you named your database `piwik`, you might want to rename it to `matomo` to keep things clean, but this is neither enforced nor required.
nodejs-4_x
is end-of-life. nodejs-4_x
, nodejs-slim-4_x
and nodePackages_4_x
are removed.
The pump.io
NixOS module was removed. It is now maintained as an external module.
The Prosody XMPP server has received a major update. The following modules were renamed:
services.prosody.modules.httpserver
is now services.prosody.modules.http_files
services.prosody.modules.console
is now services.prosody.modules.admin_telnet
Many new modules are now core modules, most notably services.prosody.modules.carbons
and services.prosody.modules.mam
.
The better-performing libevent
backend is now enabled by default.
withCommunityModules
now passes through the modules to services.prosody.extraModules
. Use withOnlyInstalledCommunityModules
for modules that should not be enabled directly, e.g lib_ldap
.
All prometheus exporter modules are now defined as submodules. The exporters are configured using services.prometheus.exporters
.
ZNC option services.znc.mutable
now defaults to true
. That means that old configuration is not overwritten by default when update to the znc options are made.
The option networking.wireless.networks.<name>.auth
has been added for wireless networks with WPA-Enterprise authentication. There is also a new extraConfig
option to directly configure wpa_supplicant
and hidden
to connect to hidden networks.
In the module networking.interfaces.<name>
the following options have been removed:
ipAddress
ipv6Address
prefixLength
ipv6PrefixLength
subnetMask
To assign static addresses to an interface the options ipv4.addresses
and ipv6.addresses
should be used instead. The options ip4
and ip6
have been renamed to ipv4.addresses
ipv6.addresses
respectively. The new options ipv4.routes
and ipv6.routes
have been added to set up static routing.
The option services.logstash.listenAddress
is now 127.0.0.1
by default. Previously the default behaviour was to listen on all interfaces.
services.btrfs.autoScrub
has been added, to periodically check btrfs filesystems for data corruption. If there’s a correct copy available, it will automatically repair corrupted blocks.
displayManager.lightdm.greeters.gtk.clock-format.
has been added, the clock format string (as expected by strftime, e.g. %H:%M
) to use with the lightdm gtk greeter panel.
If set to null the default clock format is used.
displayManager.lightdm.greeters.gtk.indicators
has been added, a list of allowed indicator modules to use with the lightdm gtk greeter panel.
Built-in indicators include ~a11y
, ~language
, ~session
, ~power
, ~clock
, ~host
, ~spacer
. Unity indicators can be represented by short name (e.g. sound
, power
), service file name, or absolute path.
If set to null
the default indicators are used.
In order to have the previous default configuration add
{
services.xserver.displayManager.lightdm.greeters.gtk.indicators = [
"~host" "~spacer"
"~clock" "~spacer"
"~session"
"~language"
"~a11y"
"~power"
];
}
to your configuration.nix
.
The NixOS test driver supports user services declared by systemd.user.services
. The methods waitForUnit
, getUnitInfo
, startJob
and stopJob
provide an optional $user
argument for that purpose.
Enabling bash completion on NixOS, programs.bash.enableCompletion
, will now also enable completion for the Nix command line tools by installing the nix-bash-completions package.
The vim/kakoune plugin updater now reads from a CSV file: check pkgs/applications/editors/vim/plugins/vim-plugin-names
out to see the new format
In addition to numerous new and upgraded packages, this release has the following highlights:
The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10, KDE Applications to 17.08.1 and KDE Frameworks to 5.37.
The user handling now keeps track of deallocated UIDs/GIDs. When a user or group is revived, this allows it to be allocated the UID/GID it had before. A consequence is that UIDs and GIDs are no longer reused.
The module option services.xserver.xrandrHeads
now causes the first head specified in this list to be set as the primary head. Apart from that, it’s now possible to also set additional options by using an attribute set, for example:
{ services.xserver.xrandrHeads = [
"HDMI-0"
{
output = "DVI-0";
primary = true;
monitorConfig = ''
Option "Rotate" "right"
'';
}
];
}
This will set the DVI-0
output to be the primary head, even though HDMI-0
is the first head in the list.
The handling of SSL in the services.nginx
module has been cleaned up, renaming the misnamed enableSSL
to onlySSL
which reflects its original intention. This is not to be used with the already existing forceSSL
which creates a second non-SSL virtual host redirecting to the SSL virtual host. This by chance had worked earlier due to specific implementation details. In case you had specified both please remove the enableSSL
option to keep the previous behaviour.
Another addSSL
option has been introduced to configure both a non-SSL virtual host and an SSL virtual host with the same configuration.
Options to configure resolver
options and upstream
blocks have been introduced. See their information for further details.
The port
option has been replaced by a more generic listen
option which makes it possible to specify multiple addresses, ports and SSL configs dependant on the new SSL handling mentioned above.
The following new services were added since the last release:
config/fonts/fontconfig-penultimate.nix
config/fonts/fontconfig-ultimate.nix
config/terminfo.nix
hardware/sensor/iio.nix
hardware/nitrokey.nix
hardware/raid/hpsa.nix
programs/browserpass.nix
programs/gnupg.nix
programs/qt5ct.nix
programs/slock.nix
programs/thefuck.nix
security/auditd.nix
security/lock-kernel-modules.nix
service-managers/docker.nix
service-managers/trivial.nix
services/admin/salt/master.nix
services/admin/salt/minion.nix
services/audio/slimserver.nix
services/cluster/kubernetes/default.nix
services/cluster/kubernetes/dns.nix
services/cluster/kubernetes/dashboard.nix
services/continuous-integration/hail.nix
services/databases/clickhouse.nix
services/databases/postage.nix
services/desktops/gnome3/gnome-disks.nix
services/desktops/gnome3/gpaste.nix
services/logging/SystemdJournal2Gelf.nix
services/logging/heartbeat.nix
services/logging/journalwatch.nix
services/logging/syslogd.nix
services/mail/mailhog.nix
services/mail/nullmailer.nix
services/misc/airsonic.nix
services/misc/autorandr.nix
services/misc/exhibitor.nix
services/misc/fstrim.nix
services/misc/gollum.nix
services/misc/irkerd.nix
services/misc/jackett.nix
services/misc/radarr.nix
services/misc/snapper.nix
services/monitoring/osquery.nix
services/monitoring/prometheus/collectd-exporter.nix
services/monitoring/prometheus/fritzbox-exporter.nix
services/network-filesystems/kbfs.nix
services/networking/dnscache.nix
services/networking/fireqos.nix
services/networking/iwd.nix
services/networking/keepalived/default.nix
services/networking/keybase.nix
services/networking/lldpd.nix
services/networking/matterbridge.nix
services/networking/squid.nix
services/networking/tinydns.nix
services/networking/xrdp.nix
services/security/shibboleth-sp.nix
services/security/sks.nix
services/security/sshguard.nix
services/security/torify.nix
services/security/usbguard.nix
services/security/vault.nix
services/system/earlyoom.nix
services/system/saslauthd.nix
services/web-apps/nexus.nix
services/web-apps/pgpkeyserver-lite.nix
services/web-apps/piwik.nix
services/web-servers/lighttpd/collectd.nix
services/web-servers/minio.nix
services/x11/display-managers/xpra.nix
services/x11/xautolock.nix
tasks/filesystems/bcachefs.nix
tasks/powertop.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
In an Qemu-based virtualization environment, the network interface names changed from i.e. enp0s3
to ens3
.
This is due to a kernel configuration change. The new naming is consistent with those of other Linux distributions with systemd. See #29197 for more information.
A machine is affected if the virt-what
tool either returns qemu
or kvm
and has interface names used in any part of its NixOS configuration, in particular if a static network configuration with networking.interfaces
is used.
Before rebooting affected machines, please ensure:
Change the interface names in your NixOS configuration. The first interface will be called ens3
, the second one ens8
and starting from there incremented by 1.
After changing the interface names, rebuild your system with nixos-rebuild boot
to activate the new configuration after a reboot. If you switch to the new configuration right away you might lose network connectivity! If using nixops
, deploy with nixops deploy --force-reboot
.
The following changes apply if the stateVersion
is changed to 17.09 or higher. For stateVersion = "17.03"
or lower the old behavior is preserved.
The postgres
default version was changed from 9.5 to 9.6.
The postgres
superuser name has changed from root
to postgres
to more closely follow what other Linux distributions are doing.
The postgres
default dataDir
has changed from /var/db/postgres
to /var/lib/postgresql/$psqlSchema
where $psqlSchema is 9.6 for example.
The mysql
default dataDir
has changed from /var/mysql
to /var/lib/mysql
.
Radicale’s default package has changed from 1.x to 2.x. Instructions to migrate can be found here . It is also possible to use the newer version by setting the package
to radicale2
, which is done automatically when stateVersion
is 17.09 or higher. The extraArgs
option has been added to allow passing the data migration arguments specified in the instructions; see the radicale.nix
NixOS test for an example migration.
The aiccu
package was removed. This is due to SixXS sunsetting its IPv6 tunnel.
The fanctl
package and fan
module have been removed due to the developers not upstreaming their iproute2 patches and lagging with compatibility to recent iproute2 versions.
Top-level idea
package collection was renamed. All JetBrains IDEs are now at jetbrains
.
flexget
’s state database cannot be upgraded to its new internal format, requiring removal of any existing db-config.sqlite
which will be automatically recreated.
The ipfs
service now doesn’t ignore the dataDir
option anymore. If you’ve ever set this option to anything other than the default you’ll have to either unset it (so the default gets used) or migrate the old data manually with
dataDir=<valueOfDataDir>
mv /var/lib/ipfs/.ipfs/* $dataDir
rmdir /var/lib/ipfs/.ipfs
The caddy
service was previously using an extra .caddy
directory in the data directory specified with the dataDir
option. The contents of the .caddy
directory are now expected to be in the dataDir
.
The ssh-agent
user service is not started by default anymore. Use programs.ssh.startAgent
to enable it if needed. There is also a new programs.gnupg.agent
module that creates a gpg-agent
user service. It can also serve as a SSH agent if enableSSHSupport
is set.
The services.tinc.networks.<name>.listenAddress
option had a misleading name that did not correspond to its behavior. It now correctly defines the ip to listen for incoming connections on. To keep the previous behaviour, use services.tinc.networks.<name>.bindToAddress
instead. Refer to the description of the options for more details.
tlsdate
package and module were removed. This is due to the project being dead and not building with openssl 1.1.
wvdial
package and module were removed. This is due to the project being dead and not building with openssl 1.1.
cc-wrapper
’s setup-hook now exports a number of environment variables corresponding to binutils binaries, (e.g. LD
, STRIP
, RANLIB
, etc). This is done to prevent packages’ build systems guessing, which is harder to predict, especially when cross-compiling. However, some packages have broken due to this—their build systems either not supporting, or claiming to support without adequate testing, taking such environment variables as parameters.
services.firefox.syncserver
now runs by default as a non-root user. To accommodate this change, the default sqlite database location has also been changed. Migration should work automatically. Refer to the description of the options for more details.
The compiz
window manager and package was removed. The system support had been broken for several years.
Touchpad support should now be enabled through libinput
as synaptics
is now deprecated. See the option services.xserver.libinput.enable
.
grsecurity/PaX support has been dropped, following upstream’s decision to cease free support. See upstream’s announcement for more information. No complete replacement for grsecurity/PaX is available presently.
services.mysql
now has declarative configuration of databases and users with the ensureDatabases
and ensureUsers
options.
These options will never delete existing databases and users, especially not when the value of the options are changed.
The MySQL users will be identified using Unix socket authentication. This authenticates the Unix user with the same name only, and that without the need for a password.
If you have previously created a MySQL root
user with a password, you will need to add root
user for unix socket authentication before using the new options. This can be done by running the following SQL script:
CREATE USER 'root'@'%' IDENTIFIED BY '';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
-- Optionally, delete the password-authenticated user:
-- DROP USER 'root'@'localhost';
services.mysqlBackup
now works by default without any user setup, including for users other than mysql
.
By default, the mysql
user is no longer the user which performs the backup. Instead a system account mysqlbackup
is used.
The mysqlBackup
service is also now using systemd timers instead of cron
.
Therefore, the services.mysqlBackup.period
option no longer exists, and has been replaced with services.mysqlBackup.calendar
, which is in the format of systemd.time(7).
If you expect to be sent an e-mail when the backup fails, consider using a script which monitors the systemd journal for errors. Regretfully, at present there is no built-in functionality for this.
You can check that backups still work by running systemctl start mysql-backup
then systemctl status mysql-backup
.
Templated systemd services e.g container@name
are now handled correctly when switching to a new configuration, resulting in them being reloaded.
Steam: the newStdcpp
parameter was removed and should not be needed anymore.
Redis has been updated to version 4 which mandates a cluster mass-restart, due to changes in the network handling, in order to ensure compatibility with networks NATing traffic.
Modules can now be disabled by using disabledModules, allowing another to take it’s place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release.
Updated to FreeType 2.7.1, including a new TrueType engine. The new engine replaces the Infinality engine which was the default in NixOS. The default font rendering settings are now provided by fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults are less invasive and provide rendering that is more consistent with other systems and hopefully with each font designer’s intent. Some system-wide configuration has been removed from the Fontconfig NixOS module where user Fontconfig settings are available.
ZFS/SPL have been updated to 0.7.0, zfsUnstable, splUnstable
have therefore been removed.
The time.timeZone
option now allows the value null
in addition to timezone strings. This value allows changing the timezone of a system imperatively using timedatectl set-timezone
. The default timezone is still UTC.
Nixpkgs overlays may now be specified with a file as well as a directory. The value of <nixpkgs-overlays>
may be a file, and ~/.config/nixpkgs/overlays.nix
can be used instead of the ~/.config/nixpkgs/overlays
directory.
See the overlays chapter of the Nixpkgs manual for more details.
Definitions for /etc/hosts
can now be specified declaratively with networking.hosts
.
Two new options have been added to the installer loader, in addition to the default having changed. The kernel log verbosity has been lowered to the upstream default for the default options, in order to not spam the console when e.g. joining a network.
This therefore leads to adding a new debug
option to set the log level to the previous verbose mode, to make debugging easier, but still accessible easily.
Additionally a copytoram
option has been added, which makes it possible to remove the install medium after booting. This allows tethering from your phone after booting from it.
services.gitlab-runner.configOptions
has been added to specify the configuration of gitlab-runners declaratively.
services.jenkins.plugins
has been added to install plugins easily, this can be generated with jenkinsPlugins2nix.
services.postfix.config
has been added to specify the main.cf with NixOS options. Additionally other options have been added to the postfix module and has been improved further.
The GitLab package and module have been updated to the latest 10.0 release.
The systemd-boot
boot loader now lists the NixOS version, kernel version and build date of all bootable generations.
The dnscrypt-proxy service now defaults to using a random upstream resolver, selected from the list of public non-logging resolvers with DNSSEC support. Existing configurations can be migrated to this mode of operation by omitting the services.dnscrypt-proxy.resolverName
option or setting it to "random"
.
In addition to numerous new and upgraded packages, this release has the following highlights:
Nixpkgs is now extensible through overlays. See the Nixpkgs manual for more information.
This release is based on Glibc 2.25, GCC 5.4.0 and systemd 232. The default Linux kernel is 4.9 and Nix is at 1.11.8.
The default desktop environment now is KDE’s Plasma 5. KDE 4 has been removed
The setuid wrapper functionality now supports setting capabilities.
X.org server uses branch 1.19. Due to ABI incompatibilities, ati_unfree
keeps forcing 1.17 and amdgpu-pro
starts forcing 1.18.
Cross compilation has been rewritten. See the nixpkgs manual for details. The most obvious breaking change is that in derivations there is no .nativeDrv
nor .crossDrv
are now cross by default, not native.
The overridePackages
function has been rewritten to be replaced by overlays
Packages in nixpkgs can be marked as insecure through listed vulnerabilities. See the Nixpkgs manual for more information.
PHP now defaults to PHP 7.1
The following new services were added since the last release:
hardware/ckb.nix
hardware/mcelog.nix
hardware/usb-wwan.nix
hardware/video/capture/mwprocapture.nix
programs/adb.nix
programs/chromium.nix
programs/gphoto2.nix
programs/java.nix
programs/mtr.nix
programs/oblogout.nix
programs/vim.nix
programs/wireshark.nix
security/dhparams.nix
services/audio/ympd.nix
services/computing/boinc/client.nix
services/continuous-integration/buildbot/master.nix
services/continuous-integration/buildbot/worker.nix
services/continuous-integration/gitlab-runner.nix
services/databases/riak-cs.nix
services/databases/stanchion.nix
services/desktops/gnome3/gnome-terminal-server.nix
services/editors/infinoted.nix
services/hardware/illum.nix
services/hardware/trezord.nix
services/logging/journalbeat.nix
services/mail/offlineimap.nix
services/mail/postgrey.nix
services/misc/couchpotato.nix
services/misc/docker-registry.nix
services/misc/errbot.nix
services/misc/geoip-updater.nix
services/misc/gogs.nix
services/misc/leaps.nix
services/misc/nix-optimise.nix
services/misc/ssm-agent.nix
services/misc/sssd.nix
services/monitoring/arbtt.nix
services/monitoring/netdata.nix
services/monitoring/prometheus/default.nix
services/monitoring/prometheus/alertmanager.nix
services/monitoring/prometheus/blackbox-exporter.nix
services/monitoring/prometheus/json-exporter.nix
services/monitoring/prometheus/nginx-exporter.nix
services/monitoring/prometheus/node-exporter.nix
services/monitoring/prometheus/snmp-exporter.nix
services/monitoring/prometheus/unifi-exporter.nix
services/monitoring/prometheus/varnish-exporter.nix
services/monitoring/sysstat.nix
services/monitoring/telegraf.nix
services/monitoring/vnstat.nix
services/network-filesystems/cachefilesd.nix
services/network-filesystems/glusterfs.nix
services/network-filesystems/ipfs.nix
services/networking/dante.nix
services/networking/dnscrypt-wrapper.nix
services/networking/fakeroute.nix
services/networking/flannel.nix
services/networking/htpdate.nix
services/networking/miredo.nix
services/networking/nftables.nix
services/networking/powerdns.nix
services/networking/pdns-recursor.nix
services/networking/quagga.nix
services/networking/redsocks.nix
services/networking/wireguard.nix
services/system/cgmanager.nix
services/torrent/opentracker.nix
services/web-apps/atlassian/confluence.nix
services/web-apps/atlassian/crowd.nix
services/web-apps/atlassian/jira.nix
services/web-apps/frab.nix
services/web-apps/nixbot.nix
services/web-apps/selfoss.nix
services/web-apps/quassel-webserver.nix
services/x11/unclutter-xfixes.nix
services/x11/urxvtd.nix
system/boot/systemd-nspawn.nix
virtualisation/ecs-agent.nix
virtualisation/lxcfs.nix
virtualisation/openstack/keystone.nix
virtualisation/openstack/glance.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
Derivations have no .nativeDrv
nor .crossDrv
and are now cross by default, not native.
stdenv.overrides
is now expected to take self
and super
arguments. See lib.trivial.extends
for what those parameters represent.
ansible
now defaults to ansible version 2 as version 1 has been removed due to a serious vulnerability unpatched by upstream.
gnome
alias has been removed along with gtk
, gtkmm
and several others. Now you need to use versioned attributes, like gnome3
.
The attribute name of the Radicale daemon has been changed from pythonPackages.radicale
to radicale
.
The stripHash
bash function in stdenv
changed according to its documentation; it now outputs the stripped name to stdout
instead of putting it in the variable strippedName
.
PHP now scans for extra configuration .ini files in /etc/php.d instead of /etc. This prevents accidentally loading non-PHP .ini files that may be in /etc.
Two lone top-level dict dbs moved into dictdDBs
. This affects: dictdWordnet
which is now at dictdDBs.wordnet
and dictdWiktionary
which is now at dictdDBs.wiktionary
Parsoid service now uses YAML configuration format. service.parsoid.interwikis
is now called service.parsoid.wikis
and is a list of either API URLs or attribute sets as specified in parsoid’s documentation.
Ntpd
was replaced by systemd-timesyncd
as the default service to synchronize system time with a remote NTP server. The old behavior can be restored by setting services.ntp.enable
to true
. Upstream time servers for all NTP implementations are now configured using networking.timeServers
.
service.nylon
is now declared using named instances. As an example:
{
services.nylon = {
enable = true;
acceptInterface = "br0";
bindInterface = "tun1";
port = 5912;
};
}
should be replaced with:
{
services.nylon.myvpn = {
enable = true;
acceptInterface = "br0";
bindInterface = "tun1";
port = 5912;
};
}
this enables you to declare a SOCKS proxy for each uplink.
overridePackages
function no longer exists. It is replaced by overlays. For example, the following code:
let
pkgs = import <nixpkgs> {};
in
pkgs.overridePackages (self: super: { /* ... */ })
should be replaced by:
let
pkgs = import <nixpkgs> {};
in
import pkgs.path { overlays = [(self: super: { /* ... */ })]; }
Autoloading connection tracking helpers is now disabled by default. This default was also changed in the Linux kernel and is considered insecure if not configured properly in your firewall. If you need connection tracking helpers (i.e. for active FTP) please enable networking.firewall.autoLoadConntrackHelpers
and tune networking.firewall.connectionTrackingModules
to suit your needs.
local_recipient_maps
is not set to empty value by Postfix service. It’s an insecure default as stated by Postfix documentation. Those who want to retain this setting need to set it via services.postfix.extraConfig
.
Iputils no longer provide ping6 and traceroute6. The functionality of these tools has been integrated into ping and traceroute respectively. To enforce an address family the new flags -4
and -6
have been added. One notable incompatibility is that specifying an interface (for link-local IPv6 for instance) is no longer done with the -I
flag, but by encoding the interface into the address (ping fe80::1%eth0
).
The socket handling of the services.rmilter
module has been fixed and refactored. As rmilter doesn’t support binding to more than one socket, the options bindUnixSockets
and bindInetSockets
have been replaced by services.rmilter.bindSocket.*
. The default is still a unix socket in /run/rmilter/rmilter.sock
. Refer to the options documentation for more information.
The fetch*
functions no longer support md5, please use sha256 instead.
The dnscrypt-proxy module interface has been streamlined around the extraArgs
option. Where possible, legacy option declarations are mapped to extraArgs
but will emit warnings. The resolverList
has been outright removed: to use an unlisted resolver, use the customResolver
option.
torbrowser now stores local state under ~/.local/share/tor-browser
by default. Any browser profile data from the old location, ~/.torbrowser4
, must be migrated manually.
The ihaskell, monetdb, offlineimap and sitecopy services have been removed.
Module type system have a new extensible option types feature that allow to extend certain types, such as enum, through multiple option declarations of the same option across multiple modules.
jre
now defaults to GTK UI by default. This improves visual consistency and makes Java follow system font style, improving the situation on HighDPI displays. This has a cost of increased closure size; for server and other headless workloads it’s recommended to use jre_headless
.
Python 2.6 interpreter and package set have been removed.
The Python 2.7 interpreter does not use modules anymore. Instead, all CPython interpreters now include the whole standard library except for `tkinter`, which is available in the Python package set.
Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly. Minor modifications had to be made to the interpreters in order to generate deterministic bytecode. This has security implications and is relevant for those using Python in a nix-shell
. See the Nixpkgs manual for details.
The Python package sets now use a fixed-point combinator and the sets are available as attributes of the interpreters.
The Python function buildPythonPackage
has been improved and can be used to build from Setuptools source, Flit source, and precompiled Wheels.
When adding new or updating current Python libraries, the expressions should be put in separate files in pkgs/development/python-modules
and called from python-packages.nix
.
The dnscrypt-proxy service supports synchronizing the list of public resolvers without working DNS resolution. This fixes issues caused by the resolver list becoming outdated. It also improves the viability of DNSCrypt only configurations.
Containers using bridged networking no longer lose their connection after changes to the host networking.
ZFS supports pool auto scrubbing.
The bind DNS utilities (e.g. dig) have been split into their own output and are now also available in pkgs.dnsutils
and it is no longer necessary to pull in all of bind
to use them.
Per-user configuration was moved from ~/.nixpkgs
to ~/.config/nixpkgs
. The former is still valid for config.nix
for backwards compatibility.
In addition to numerous new and upgraded packages, this release has the following highlights:
Many NixOS configurations and Nix packages now use significantly less disk space, thanks to the extensive work on closure size reduction. For example, the closure size of a minimal NixOS container went down from ~424 MiB in 16.03 to ~212 MiB in 16.09, while the closure size of Firefox went from ~651 MiB to ~259 MiB.
To improve security, packages are now built using various hardening features. See the Nixpkgs manual for more information.
Support for PXE netboot. See the section called “Booting from the “netboot” media (PXE)” for documentation.
X.org server 1.18. If you use the ati_unfree
driver, 1.17 is still used due to an ABI incompatibility.
This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. The default Linux kernel remains 4.4.
The following new services were added since the last release:
(this will get automatically generated at release time)
When upgrading from a previous release, please be aware of the following incompatible changes:
A large number of packages have been converted to use the multiple outputs feature of Nix to greatly reduce the amount of required disk space, as mentioned above. This may require changes to any custom packages to make them build again; see the relevant chapter in the Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions related to multiple-output packages were changed late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
Previous versions of Nixpkgs had support for all versions of the LTS Haskell package set. That support has been dropped. The previously provided haskell.packages.lts-x_y
package sets still exist in name to avoid breaking user code, but these package sets don’t actually contain the versions mandated by the corresponding LTS release. Instead, our package set it loosely based on the latest available LTS release, i.e. LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will drop those old names entirely. The motivation for this change has been discussed at length on the nix-dev
mailing list and in Github issue #14897. Development strategies for Haskell hackers who want to rely on Nix and NixOS have been described in another nix-dev article.
Shell aliases for systemd sub-commands were dropped: start
, stop
, restart
, status
.
Redis now binds to 127.0.0.1 only instead of listening to all network interfaces. This is the default behavior of Redis 3.2
/var/empty
is now immutable. Activation script runs chattr +i
to forbid any modifications inside the folder. See the pull request for what bugs this caused.
Gitlab’s maintenance script gitlab-runner
was removed and split up into the more clearer gitlab-run
and gitlab-rake
scripts, because gitlab-runner
is a component of Gitlab CI.
services.xserver.libinput.accelProfile
default changed from flat
to adaptive
, as per official documentation.
fonts.fontconfig.ultimate.rendering
was removed because our presets were obsolete for some time. New presets are hardcoded into FreeType; you can select a preset via fonts.fontconfig.ultimate.preset
. You can customize those presets via ordinary environment variables, using environment.variables
.
The audit
service is no longer enabled by default. Use security.audit.enable = true
to explicitly enable it.
pkgs.linuxPackages.virtualbox
now contains only the kernel modules instead of the VirtualBox user space binaries. If you want to reference the user space binaries, you have to use the new pkgs.virtualbox
instead.
goPackages
was replaced with separated Go applications in appropriate nixpkgs
categories. Each Go package uses its own dependency set. There’s also a new go2nix
tool introduced to generate a Go package definition from its Go source automatically.
services.mongodb.e