This section lists the release notes for each stable version of NixOS and the current unstable revision.

B.1. Release 17.03 (“Gorilla”, 2017/03/31)

B.1.1. Highlights

In addition to numerous new and upgraded packages, this release has the following highlights:

  • Nixpkgs is now extensible through overlays. See the Nixpkgs manual for more information.

  • This release is based on Glibc 2.25, GCC 5.4.0 and systemd 232. The default Linux kernel is 4.9 and Nix is at 1.11.8.

  • The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed.

  • The setuid wrapper functionality now supports setting capabilities.

  • server uses branch 1.19. Due to ABI incompatibilities, ati_unfree keeps forcing 1.17 and amdgpu-pro starts forcing 1.18.

  • Cross compilation has been rewritten. See the nixpkgs manual for details. The most obvious breaking change is that derivations have no .nativeDrv nor .crossDrv and are now cross by default, not native.

  • The overridePackages function has been rewritten to be replaced by overlays.

  • Packages in nixpkgs can be marked as insecure through listed vulnerabilities. See the Nixpkgs manual for more information.

  • PHP now defaults to PHP 7.1.

B.1.2. New Services

The following new services were added since the last release:

  • hardware/ckb.nix

  • hardware/mcelog.nix

  • hardware/usb-wwan.nix

  • hardware/video/capture/mwprocapture.nix

  • programs/adb.nix

  • programs/chromium.nix

  • programs/gphoto2.nix

  • programs/java.nix

  • programs/mtr.nix

  • programs/oblogout.nix

  • programs/vim.nix

  • programs/wireshark.nix

  • security/dhparams.nix

  • services/audio/ympd.nix

  • services/computing/boinc/client.nix

  • services/continuous-integration/buildbot/master.nix

  • services/continuous-integration/buildbot/worker.nix

  • services/continuous-integration/gitlab-runner.nix

  • services/databases/riak-cs.nix

  • services/databases/stanchion.nix

  • services/desktops/gnome3/gnome-terminal-server.nix

  • services/editors/infinoted.nix

  • services/hardware/illum.nix

  • services/hardware/trezord.nix

  • services/logging/journalbeat.nix

  • services/mail/offlineimap.nix

  • services/mail/postgrey.nix

  • services/misc/couchpotato.nix

  • services/misc/docker-registry.nix

  • services/misc/errbot.nix

  • services/misc/geoip-updater.nix

  • services/misc/gogs.nix

  • services/misc/leaps.nix

  • services/misc/nix-optimise.nix

  • services/misc/ssm-agent.nix

  • services/misc/sssd.nix

  • services/monitoring/arbtt.nix

  • services/monitoring/netdata.nix

  • services/monitoring/prometheus/default.nix

  • services/monitoring/prometheus/alertmanager.nix

  • services/monitoring/prometheus/blackbox-exporter.nix

  • services/monitoring/prometheus/json-exporter.nix

  • services/monitoring/prometheus/nginx-exporter.nix

  • services/monitoring/prometheus/node-exporter.nix

  • services/monitoring/prometheus/snmp-exporter.nix

  • services/monitoring/prometheus/unifi-exporter.nix

  • services/monitoring/prometheus/varnish-exporter.nix

  • services/monitoring/sysstat.nix

  • services/monitoring/telegraf.nix

  • services/monitoring/vnstat.nix

  • services/network-filesystems/cachefilesd.nix

  • services/network-filesystems/glusterfs.nix

  • services/network-filesystems/ipfs.nix

  • services/networking/dante.nix

  • services/networking/dnscrypt-wrapper.nix

  • services/networking/fakeroute.nix

  • services/networking/flannel.nix

  • services/networking/htpdate.nix

  • services/networking/miredo.nix

  • services/networking/nftables.nix

  • services/networking/powerdns.nix

  • services/networking/pdns-recursor.nix

  • services/networking/quagga.nix

  • services/networking/redsocks.nix

  • services/networking/wireguard.nix

  • services/system/cgmanager.nix

  • services/torrent/opentracker.nix

  • services/web-apps/atlassian/confluence.nix

  • services/web-apps/atlassian/crowd.nix

  • services/web-apps/atlassian/jira.nix

  • services/web-apps/frab.nix

  • services/web-apps/nixbot.nix

  • services/web-apps/selfoss.nix

  • services/web-apps/quassel-webserver.nix

  • services/x11/unclutter-xfixes.nix

  • services/x11/urxvtd.nix

  • system/boot/systemd-nspawn.nix

  • virtualisation/ecs-agent.nix

  • virtualisation/lxcfs.nix

  • virtualisation/openstack/keystone.nix

  • virtualisation/openstack/glance.nix

B.1.3. Backward Incompatibilities

When upgrading from a previous release, please be aware of the following incompatible changes:

  • Derivations have no .nativeDrv nor .crossDrv and are now cross by default, not native.

  • stdenv.overrides is now expected to take self and super arguments. See lib.trivial.extends for what those parameters represent.

  • ansible now defaults to ansible version 2 as version 1 has been removed due to a serious vulnerability unpatched by upstream.

  • gnome alias has been removed along with gtk, gtkmm and several others. Now you need to use versioned attributes, like gnome3.

  • The attribute name of the Radicale daemon has been changed from pythonPackages.radicale to radicale.

  • The stripHash bash function in stdenv changed according to its documentation; it now outputs the stripped name to stdout instead of putting it in the variable strippedName.

  • PHP now scans for extra configuration .ini files in /etc/php.d instead of /etc. This prevents accidentally loading non-PHP .ini files that may be in /etc.

  • Two lone top-level dict dbs moved into dictdDBs. This affects: dictdWordnet which is now at dictdDBs.wordnet and dictdWiktionary which is now at dictdDBs.wiktionary

  • Parsoid service now uses YAML configuration format. service.parsoid.interwikis is now called service.parsoid.wikis and is a list of either API URLs or attribute sets as specified in parsoid's documentation.

  • Ntpd was replaced by systemd-timesyncd as the default service to synchronize system time with a remote NTP server. The old behavior can be restored by setting services.ntp.enable to true. Upstream time servers for all NTP implementations are now configured using networking.timeServers.

  • service.nylon is now declared using named instances. As an example:

      services.nylon = {
        enable = true;
        acceptInterface = "br0";
        bindInterface = "tun1";
        port = 5912;
      };

    should be replaced with:

      services.nylon.myvpn = {
        enable = true;
        acceptInterface = "br0";
        bindInterface = "tun1";
        port = 5912;
      };

    this enables you to declare a SOCKS proxy for each uplink.

  • overridePackages function no longer exists. It is replaced by overlays. For example, the following code:

        pkgs = import <nixpkgs> {};
        pkgs.overridePackages (self: super: ...)

    should be replaced by:

        pkgs = import <nixpkgs> {};
        import pkgs.path { overlays = [(self: super: ...)] }

  • Autoloading connection tracking helpers is now disabled by default. This default was also changed in the Linux kernel and is considered insecure if not configured properly in your firewall. If you need connection tracking helpers (i.e. for active FTP) please enable networking.firewall.autoLoadConntrackHelpers and tune networking.firewall.connectionTrackingModules to suit your needs.

  • local_recipient_maps is not set to empty value by Postfix service. It's an insecure default as stated by Postfix documentation. Those who want to retain this setting need to set it via services.postfix.extraConfig.

  • Iputils no longer provide ping6 and traceroute6. The functionality of these tools has been integrated into ping and traceroute respectively. To enforce an address family the new flags -4 and -6 have been added. One notable incompatibility is that specifying an interface (for link-local IPv6 for instance) is no longer done with the -I flag, but by encoding the interface into the address (ping fe80::1%eth0).

  • The socket handling of the services.rmilter module has been fixed and refactored. As rmilter doesn't support binding to more than one socket, the options bindUnixSockets and bindInetSockets have been replaced by services.rmilter.bindSocket.*. The default is still a unix socket in /run/rmilter/rmilter.sock. Refer to the options documentation for more information.

  • The fetch* functions no longer support md5, please use sha256 instead.

  • The dnscrypt-proxy module interface has been streamlined around the extraArgs option. Where possible, legacy option declarations are mapped to extraArgs but will emit warnings. The resolverList has been outright removed: to use an unlisted resolver, use the customResolver option.

  • torbrowser now stores local state under ~/.local/share/tor-browser by default. Any browser profile data from the old location, ~/.torbrowser4, must be migrated manually.

  • The ihaskell, monetdb, offlineimap and sitecopy services have been removed.

B.1.4. Other Notable Changes

  • The module type system has a new extensible option types feature that allows extending certain types, such as enum, through multiple option declarations of the same option across multiple modules.

  • jre now defaults to GTK+ UI. This improves visual consistency and makes Java follow system font style, improving the situation on HighDPI displays. This has a cost of increased closure size; for server and other headless workloads it's recommended to use jre_headless.

  • Python 2.6 interpreter and package set have been removed.

  • The Python 2.7 interpreter does not use modules anymore. Instead, all CPython interpreters now include the whole standard library except for `tkinter`, which is available in the Python package set.

  • Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly. Minor modifications had to be made to the interpreters in order to generate deterministic bytecode. This has security implications and is relevant for those using Python in a nix-shell. See the Nixpkgs manual for details.

  • The Python package sets now use a fixed-point combinator and the sets are available as attributes of the interpreters.

  • The Python function buildPythonPackage has been improved and can be used to build from Setuptools source, Flit source, and precompiled Wheels.

  • When adding new or updating current Python libraries, the expressions should be put in separate files in pkgs/development/python-modules and called from python-packages.nix.

  • The dnscrypt-proxy service supports synchronizing the list of public resolvers without working DNS resolution. This fixes issues caused by the resolver list becoming outdated. It also improves the viability of DNSCrypt only configurations.

  • Containers using bridged networking no longer lose their connection after changes to the host networking.

  • ZFS supports pool auto scrubbing.

  • The bind DNS utilities (e.g. dig) have been split into their own output and are now also available in pkgs.dnsutils, so it is no longer necessary to pull in all of bind to use them.

  • Per-user configuration was moved from ~/.nixpkgs to ~/.config/nixpkgs. The former is still valid for config.nix for backwards compatibility.

B.2. Release 16.09 (“Flounder”, 2016/09/30)

In addition to numerous new and upgraded packages, this release has the following highlights:

  • Many NixOS configurations and Nix packages now use significantly less disk space, thanks to the extensive work on closure size reduction. For example, the closure size of a minimal NixOS container went down from ~424 MiB in 16.03 to ~212 MiB in 16.09, while the closure size of Firefox went from ~651 MiB to ~259 MiB.

  • To improve security, packages are now built using various hardening features. See the Nixpkgs manual for more information.

  • Support for PXE netboot. See Section 2.3, “Booting from the netboot media (PXE)” for documentation.

  • server 1.18. If you use the ati_unfree driver, 1.17 is still used due to an ABI incompatibility.

  • This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. The default Linux kernel remains 4.4.

The following new services were added since the last release:

  • (this will get automatically generated at release time)

When upgrading from a previous release, please be aware of the following incompatible changes:

  • A large number of packages have been converted to use the multiple outputs feature of Nix to greatly reduce the amount of required disk space, as mentioned above. This may require changes to any custom packages to make them build again; see the relevant chapter in the Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions related to multiple-output packages were changed late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)

  • Previous versions of Nixpkgs had support for all versions of the LTS Haskell package set. That support has been dropped. The previously provided haskell.packages.lts-x_y package sets still exist in name to avoid breaking user code, but these package sets don't actually contain the versions mandated by the corresponding LTS release. Instead, our package set is loosely based on the latest available LTS release, i.e. LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will drop those old names entirely. The motivation for this change has been discussed at length on the nix-dev mailing list and in Github issue #14897. Development strategies for Haskell hackers who want to rely on Nix and NixOS have been described in another nix-dev article.

  • Shell aliases for systemd sub-commands were dropped: start, stop, restart, status.

  • Redis now binds to only instead of listening to all network interfaces. This is the default behavior of Redis 3.2

  • /var/empty is now immutable. Activation script runs chattr +i to forbid any modifications inside the folder. See the pull request for what bugs this caused.

  • Gitlab's maintenance script gitlab-runner was removed and split up into the clearer gitlab-run and gitlab-rake scripts, because gitlab-runner is a component of Gitlab CI.

  • services.xserver.libinput.accelProfile default changed from flat to adaptive, as per official documentation.

  • fonts.fontconfig.ultimate.rendering was removed because our presets were obsolete for some time. New presets are hardcoded into FreeType; you can select a preset via fonts.fontconfig.ultimate.preset. You can customize those presets via ordinary environment variables, using environment.variables.

  • The audit service is no longer enabled by default. Use security.audit.enable = true to explicitly enable it.

  • pkgs.linuxPackages.virtualbox now contains only the kernel modules instead of the VirtualBox user space binaries. If you want to reference the user space binaries, you have to use the new pkgs.virtualbox instead.

  • goPackages was replaced with separated Go applications in appropriate nixpkgs categories. Each Go package uses its own dependency set. There's also a new go2nix tool introduced to generate a Go package definition from its Go source automatically.

  • services.mongodb.extraConfig configuration format was changed to YAML.

  • PHP has been upgraded to 7.0.

Other notable improvements:

  • Revamped grsecurity/PaX support. There is now only a single general-purpose distribution kernel and the configuration interface has been streamlined. Desktop users should be able to simply set

    security.grsecurity.enable = true

    to get a reasonably secure system without having to sacrifice too much functionality. See Chapter 19, Grsecurity/PaX for documentation.

  • Special filesystems, like /proc, /run and others, now have the same mount options as recommended by systemd and are unified across different places in NixOS. Mount options are updated during nixos-rebuild switch if possible. One benefit from this is improved security — most such filesystems are now mounted with noexec, nodev and/or nosuid options.

  • The reverse path filter was interfering with DHCPv4 server operation in the past. An exception for DHCPv4 and a new option to log packets that were dropped due to the reverse path filter was added (networking.firewall.logReversePathDrops) for easier debugging.

  • Containers configuration within containers.<name>.config is now properly typed and checked. In particular, partial configurations are merged correctly.

  • The directory containing setuid wrapper programs, /var/setuid-wrappers, is now updated atomically to prevent failures if the switch to a new configuration is interrupted.

  • services.xserver.startGnuPGAgent has been removed due to GnuPG 2.1.x bump. See how to achieve similar behavior. You might need to pkill gpg-agent after the upgrade to prevent a stale agent being in the way.

  • Declarative users could share the uid due to the bug in the script handling conflict resolution.

  • Gummi boot has been replaced using systemd-boot.

  • Hydra package and NixOS module were added for convenience.
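
The note above on special filesystems says most of them are now mounted with noexec, nodev and/or nosuid. The following added example (not part of the NixOS manual) reports which of those three options each special mount lacks; the list of filesystem types and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the NixOS manual): report which of the options
# noexec, nodev and nosuid each special filesystem is mounted without.
# Input is text in /proc/mounts format on stdin.

# Filesystem types treated as "special" here; this list is an assumption
# of the example, not something the release notes enumerate.
SPECIAL_TYPES="proc sysfs tmpfs devtmpfs devpts ramfs"

audit_mounts() {
    awk -v types="$SPECIAL_TYPES" '
    BEGIN {
        n = split(types, t, " ")
        for (i = 1; i <= n; i++) special[t[i]] = 1
        nflags = split("noexec nodev nosuid", flags, " ")
    }
    # Fields: device, mount point, fs type, comma-separated options, ...
    NF >= 4 && ($3 in special) {
        split("", have)                 # portable way to clear an array
        m = split($4, opts, ",")
        for (i = 1; i <= m; i++) have[opts[i]] = 1
        missing = ""
        for (i = 1; i <= nflags; i++) {
            if (!(flags[i] in have)) {
                if (missing != "") missing = missing ","
                missing = missing flags[i]
            }
        }
        if (missing == "") missing = "none"
        printf "%s %s missing=%s\n", $2, $3, missing
    }'
}

# Constructed sample input, not captured from a real system.
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=1024k,mode=755 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# Demo on the sample; on a live system use: audit_mounts < /proc/mounts
sample_mounts | audit_mounts
```

Saving the output before and after nixos-rebuild switch and comparing the two shows which mounts actually picked up the new options.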

B.3. Release 16.03 (“Emu”, 2016/03/31)

In addition to numerous new and upgraded packages, this release has the following highlights:

  • Systemd 229, bringing numerous improvements over 217.

  • Linux 4.4 (was 3.18).

  • GCC 5.3 (was 4.9). Note that GCC 5 changes the C++ ABI in an incompatible way; this may cause problems if you try to link objects compiled with different versions of GCC.

  • Glibc 2.23 (was 2.21).

  • Binutils 2.26 (was 2.23.1). See #909

  • Improved support for ensuring bitwise reproducible builds. For example, stdenv now sets the environment variable SOURCE_DATE_EPOCH to a deterministic value, and Nix has gained an option to repeat a build a number of times to test determinism. An ongoing project, the goal of exact reproducibility is to allow binaries to be verified independently (e.g., a user might only trust binaries that appear in three independent binary caches).

  • Perl 5.22.
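
The reproducibility item above mentions a user who only trusts binaries that appear in three independent binary caches. As an added example (not Nix's own code), the script below applies that rule to the .narinfo files several caches returned for one store path, accepting it only when enough of them report the same NarHash; the function names, store path and hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Nix's own code): accept a store path only when at least
# THRESHOLD binary caches report the same NarHash for it.

# narinfo_field FILE KEY: print the value of the "KEY: value" line.
narinfo_field() {
    awk -v key="$2" '
        index($0, key ": ") == 1 { print substr($0, length(key) + 3); exit }
    ' "$1"
}

# quorum_narhash THRESHOLD FILE...: each FILE is the .narinfo one cache served
# for the same store path. Prints the agreed NarHash and returns 0 when at
# least THRESHOLD files carry it; returns 1 without quorum, 2 if the files
# describe different store paths.
quorum_narhash() {
    threshold=$1; shift
    store_path=""
    hashes=""
    for f in "$@"; do
        sp=$(narinfo_field "$f" StorePath)
        nh=$(narinfo_field "$f" NarHash)
        # A cache that returned a malformed narinfo casts no vote.
        if [ -z "$sp" ] || [ -z "$nh" ]; then continue; fi
        if [ -z "$store_path" ]; then store_path=$sp; fi
        if [ "$sp" != "$store_path" ]; then
            echo "store path mismatch in $f" >&2
            return 2
        fi
        hashes="$hashes$nh
"
    done
    # Most frequent hash first, as "<count> <hash>".
    best=$(printf '%s' "$hashes" | sort | uniq -c | sort -rn | head -n 1)
    count=$(printf '%s\n' "$best" | awk '{ print $1 }')
    hash=$(printf '%s\n' "$best" | awk '{ print $2 }')
    if [ "${count:-0}" -lt "$threshold" ]; then return 1; fi
    printf '%s\n' "$hash"
}

# Constructed sample data: four caches, one of which disagrees. The store
# path and hashes are placeholders, not real values.
GOOD_HASH="sha256:constructedhashAAAA"
BAD_HASH="sha256:constructedhashBBBB"

write_sample_narinfos() {
    dir=$1
    i=1
    for h in "$GOOD_HASH" "$GOOD_HASH" "$BAD_HASH" "$GOOD_HASH"; do
        cat > "$dir/cache-$i.narinfo" <<EOF
StorePath: /nix/store/00000000000000000000000000000000-example-1.0
URL: nar/placeholder.nar.xz
Compression: xz
NarHash: $h
NarSize: 4096
EOF
        i=$((i + 1))
    done
}

# Demo: three of the four sample caches agree, so a threshold of 3 passes.
demo_dir=$(mktemp -d)
write_sample_narinfos "$demo_dir"
quorum_narhash 3 "$demo_dir"/cache-*.narinfo
rm -rf "$demo_dir"
```

Agreement only carries weight when the caches build independently; several mirrors of one builder would all repeat the same hash.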

The following new services were added since the last release:

  • services/monitoring/longview.nix

  • hardware/video/webcam/facetimehd.nix

  • i18n/input-method/default.nix

  • i18n/input-method/fcitx.nix

  • i18n/input-method/ibus.nix

  • i18n/input-method/nabi.nix

  • i18n/input-method/uim.nix

  • programs/fish.nix

  • security/acme.nix

  • security/audit.nix

  • security/oath.nix

  • services/hardware/irqbalance.nix

  • services/mail/dspam.nix

  • services/mail/opendkim.nix

  • services/mail/postsrsd.nix

  • services/mail/rspamd.nix

  • services/mail/rmilter.nix

  • services/misc/autofs.nix

  • services/misc/bepasty.nix

  • services/misc/calibre-server.nix

  • services/misc/cfdyndns.nix

  • services/misc/gammu-smsd.nix

  • services/misc/mathics.nix

  • services/misc/matrix-synapse.nix

  • services/misc/octoprint.nix

  • services/monitoring/hdaps.nix

  • services/monitoring/heapster.nix

  • services/monitoring/longview.nix

  • services/network-filesystems/netatalk.nix

  • services/network-filesystems/xtreemfs.nix

  • services/networking/autossh.nix

  • services/networking/dnschain.nix

  • services/networking/gale.nix

  • services/networking/miniupnpd.nix

  • services/networking/namecoind.nix

  • services/networking/ostinato.nix

  • services/networking/pdnsd.nix

  • services/networking/shairport-sync.nix

  • services/networking/supplicant.nix

  • services/search/kibana.nix

  • services/security/haka.nix

  • services/security/physlock.nix

  • services/web-apps/

  • services/x11/hardware/libinput.nix

  • services/x11/window-managers/windowlab.nix

  • system/boot/initrd-network.nix

  • system/boot/initrd-ssh.nix

  • system/boot/loader/loader.nix

  • system/boot/networkd.nix

  • system/boot/resolved.nix

  • virtualisation/lxd.nix

  • virtualisation/rkt.nix

When upgrading from a previous release, please be aware of the following incompatible changes:

  • We no longer produce graphical ISO images and VirtualBox images for i686-linux. A minimal ISO image is still provided.

  • Firefox and similar browsers are now wrapped by default. The package and attribute names are plain firefox or midori, etc. Backward-compatibility attributes were set up, but note that nix-env -u will not update your current firefox-with-plugins; you have to uninstall it and install firefox instead.

  • wmiiSnap has been replaced with wmii_hg, but services.xserver.windowManager.wmii.enable has been updated respectively so this only affects you if you have explicitly installed wmiiSnap.

  • jobs NixOS option has been removed. It served as compatibility layer between Upstart jobs and SystemD services. All services have been rewritten to use

  • wmiimenu is removed, as it has been removed by the developers upstream. Use wimenu from the wmii-hg package.

  • Gitit is no longer automatically added to the module list in NixOS and as such there will not be any manual entries for it. You will need to add an import statement to your NixOS configuration in order to use it, e.g.

      imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ];

    will include the Gitit service configuration options.

  • nginx does not accept flags for enabling and disabling modules anymore. Instead it accepts modules argument, which is a list of modules to be built in. All modules now reside in nginxModules set. Example configuration:

    nginx.override {
      modules = [ nginxModules.rtmp nginxModules.dav nginxModules.moreheaders ];
    }

  • s3sync is removed, as it hasn't been developed by upstream for 4 years and only runs with ruby 1.8. For an actively-developed alternative look at tarsnap and others.

  • ruby_1_8 has been removed as it's not supported from upstream anymore and probably contains security issues.

  • tidy-html5 package is removed. Upstream only provided (lib)tidy5 during development, and now they went back to (lib)tidy to work as a drop-in replacement of the original package that has been unmaintained for years. You can (still) use the html-tidy package, which got updated to a stable release from this new upstream.

  • extraDeviceOptions argument is removed from bumblebee package. Instead there are now two separate arguments: extraNvidiaDeviceOptions and extraNouveauDeviceOptions for setting extra X11 options for nvidia and nouveau drivers, respectively.

  • The Ctrl+Alt+Backspace key combination no longer kills the X server by default. There's a new option services.xserver.enableCtrlAltBackspace to enable the combination again.

  • emacsPackagesNg now contains all packages from the ELPA, MELPA, and MELPA Stable repositories.

  • Data directory for Postfix MTA server is moved from /var/postfix to /var/lib/postfix. Old configurations are migrated automatically. service.postfix module has also received many improvements, such as correct directories' access rights, new aliasFiles and mapFiles options and more.

  • Filesystem options should now be configured as a list of strings, not a comma-separated string. The old style will continue to work, but print a warning, until the 16.09 release. An example of the new style:

    fileSystems."/example" = {
      device = "/dev/sdc";
      fsType = "btrfs";
      options = [ "noatime" "compress=lzo" "space_cache" "autodefrag" ];
    };

  • CUPS, installed by services.printing module, now has its data directory in /var/lib/cups. Old configurations from /etc/cups are moved there automatically, but there might be problems. Also configuration options services.printing.cupsdConf and services.printing.cupsdFilesConf were removed because they had been allowing one to override configuration variables required for CUPS to work at all on NixOS. For most use cases, services.printing.extraConf and new option services.printing.extraFilesConf should be enough; if you encounter a situation when they are not, please file a bug.

    There are also Gutenprint improvements; in particular, a new option services.printing.gutenprint is added to enable automatic updating of Gutenprint PPMs; it's greatly recommended to enable it instead of adding gutenprint to the drivers list.

  • services.xserver.vaapiDrivers has been removed. Use hardware.opengl.extraPackages{,32} instead. You can also specify VDPAU drivers there.

  • programs.ibus moved to i18n.inputMethod.ibus. The option programs.ibus.plugins changed to i18n.inputMethod.ibus.engines and the option to enable ibus changed from programs.ibus.enable to i18n.inputMethod.enabled. i18n.inputMethod.enabled should be set to the used input method name, "ibus" for ibus. An example of the new style:

    i18n.inputMethod.enabled = "ibus";
    i18n.inputMethod.ibus.engines = with pkgs.ibus-engines; [ anthy mozc ];

    That is equivalent to the old version:

    programs.ibus.enable = true;
    programs.ibus.plugins = with pkgs; [ ibus-anthy mozc ];

  • services.udev.extraRules option now writes rules to 99-local.rules instead of 10-local.rules. This makes all the user rules apply after others, so their results wouldn't be overridden by anything else.

  • Large parts of the services.gitlab module have been rewritten. There are new configuration options available. The stateDir option was renamed to statePath and the satellitesDir option was removed. Please review the currently available options.

  • The option services.nsd.zones.<name>.data no longer interprets the dollar sign ($) as a shell variable; as such, it should not be escaped anymore. Thus the following zone data:

    \$TTL 1800
    @       IN      SOA (

    should be modified to look like the actual file expected by nsd:

    $TTL 1800
    @       IN      SOA (

  • The service.syncthing.dataDir option now has to point to the exact folder where syncthing is writing to. Example configuration should look something like:

    services.syncthing = {
        enable = true;
        dataDir = "/home/somebody/.syncthing";
        user = "somebody";
    };

  • networking.firewall.allowPing is now enabled by default. Users are encouraged to configure an appropriate rate limit for their machines using the Kernel interface at /proc/sys/net/ipv4/icmp_ratelimit and /proc/sys/net/ipv6/icmp/ratelimit or using the firewall itself, i.e. by setting the NixOS option networking.firewall.pingLimit.

  • Systems with some broadcom cards used to result in a generated config that is no longer accepted. If you get errors like

    error: path ‘/nix/store/*-broadcom-sta-*’ does not exist and cannot be created

    you should either re-run nixos-generate-config or manually replace "${config.boot.kernelPackages.broadcom_sta}" by config.boot.kernelPackages.broadcom_sta in your /etc/nixos/hardware-configuration.nix. More discussion is on the github issue.

  • The services.xserver.startGnuPGAgent option has been removed. GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no longer requires (or even supports) the "start everything as a child of the agent" scheme we've implemented in NixOS for older versions. To configure the gpg-agent for your X session, add the following code to ~/.bashrc or some file that’s sourced when your shell is started:

    export GPG_TTY

    If you want to use gpg-agent for SSH, too, add the following to your session initialization (e.g. displayManager.sessionCommands)

    gpg-connect-agent /bye
    unset SSH_AGENT_PID
    export SSH_AUTH_SOCK="''${HOME}/.gnupg/S.gpg-agent.ssh"

    and make sure that


    is included in your ~/.gnupg/gpg-agent.conf. You will need to use ssh-add to re-add your ssh keys. If gpg’s automatic transformation of the private keys to the new format fails, you will need to re-import your private keyring as well:

    gpg --import ~/.gnupg/secring.gpg

    The gpg-agent(1) man page has more details about this subject, i.e. in the "EXAMPLES" section.

Other notable improvements:

  • ejabberd module is brought back and now works on NixOS.

  • Input method support was improved. New NixOS modules (fcitx, nabi and uim), fcitx engines (chewing, hangul, m17n, mozc and table-other) and ibus engines (hangul and m17n) have been added.

B.4. Release 15.09 (“Dingo”, 2015/09/30)

In addition to numerous new and upgraded packages, this release has the following highlights:

  • The Haskell packages infrastructure has been re-designed from the ground up ("Haskell NG"). NixOS now distributes the latest version of every single package registered on Hackage -- well in excess of 8,000 Haskell packages. Detailed instructions on how to use that infrastructure can be found in the User's Guide to the Haskell Infrastructure. Users migrating from an earlier release may find helpful information below, in the list of backwards-incompatible changes. Furthermore, we distribute 51(!) additional Haskell package sets that provide every single LTS Haskell release since version 0.0 as well as the most recent Stackage Nightly snapshot. The announcement "Full Stackage Support in Nixpkgs" gives additional details.

  • Nix has been updated to version 1.10, which among other improvements enables cryptographic signatures on binary caches for improved security.

  • You can now keep your NixOS system up to date automatically by setting

    system.autoUpgrade.enable = true;

    This will cause the system to periodically check for updates in your current channel and run nixos-rebuild.

  • This release is based on Glibc 2.21, GCC 4.9 and Linux 3.18.

  • GNOME has been upgraded to 3.16.

  • Xfce has been upgraded to 4.12.

  • KDE 5 has been upgraded to KDE Frameworks 5.10, Plasma 5.3.2 and Applications 15.04.3. KDE 4 has been updated to kdelibs-4.14.10.

  • E19 has been upgraded to

The following new services were added since the last release:

  • services/mail/exim.nix

  • services/misc/apache-kafka.nix

  • services/misc/canto-daemon.nix

  • services/misc/confd.nix

  • services/misc/devmon.nix

  • services/misc/gitit.nix

  • services/misc/ihaskell.nix

  • services/misc/mbpfan.nix

  • services/misc/mediatomb.nix

  • services/misc/mwlib.nix

  • services/misc/parsoid.nix

  • services/misc/plex.nix

  • services/misc/ripple-rest.nix

  • services/misc/ripple-data-api.nix

  • services/misc/subsonic.nix

  • services/misc/sundtek.nix

  • services/monitoring/cadvisor.nix

  • services/monitoring/das_watchdog.nix

  • services/monitoring/grafana.nix

  • services/monitoring/riemann-tools.nix

  • services/monitoring/teamviewer.nix

  • services/network-filesystems/u9fs.nix

  • services/networking/aiccu.nix

  • services/networking/asterisk.nix

  • services/networking/bird.nix

  • services/networking/charybdis.nix

  • services/networking/docker-registry-server.nix

  • services/networking/fan.nix

  • services/networking/firefox/sync-server.nix

  • services/networking/gateone.nix

  • services/networking/heyefi.nix

  • services/networking/i2p.nix

  • services/networking/lambdabot.nix

  • services/networking/mstpd.nix

  • services/networking/nix-serve.nix

  • services/networking/nylon.nix

  • services/networking/racoon.nix

  • services/networking/skydns.nix

  • services/networking/shout.nix

  • services/networking/softether.nix

  • services/networking/sslh.nix

  • services/networking/tinc.nix

  • services/networking/tlsdated.nix

  • services/networking/tox-bootstrapd.nix

  • services/networking/tvheadend.nix

  • services/networking/zerotierone.nix

  • services/scheduling/marathon.nix

  • services/security/fprintd.nix

  • services/security/hologram.nix

  • services/security/munge.nix

  • services/system/cloud-init.nix

  • services/web-servers/shellinabox.nix

  • services/web-servers/uwsgi.nix

  • services/x11/unclutter.nix

  • services/x11/display-managers/sddm.nix

  • system/boot/coredump.nix

  • system/boot/loader/loader.nix

  • system/boot/loader/generic-extlinux-compatible

  • system/boot/networkd.nix

  • system/boot/resolved.nix

  • system/boot/timesyncd.nix

  • tasks/filesystems/exfat.nix

  • tasks/filesystems/ntfs.nix

  • tasks/filesystems/vboxsf.nix

  • virtualisation/virtualbox-host.nix

  • virtualisation/vmware-guest.nix

  • virtualisation/xen-dom0.nix

When upgrading from a previous release, please be aware of the following incompatible changes:

  • sshd no longer supports DSA and ECDSA host keys by default. If you have existing systems with such host keys and want to continue to use them, please set

    system.stateVersion = "14.12";

    The new option system.stateVersion ensures that certain configuration changes that could break existing systems (such as the sshd host key setting) will maintain compatibility with the specified NixOS release. NixOps sets the state version of existing deployments automatically.

  • cron is no longer enabled by default, unless you have a non-empty services.cron.systemCronJobs. To force cron to be enabled, set services.cron.enable = true.

  • Nix now requires binary caches to be cryptographically signed. If you have unsigned binary caches that you want to continue to use, you should set nix.requireSignedBinaryCaches = false.

  • Steam now doesn't need root rights to work. Instead of using *-steam-chrootenv, you should now just run steam. The steamChrootEnv package was renamed to steam, and the old steam package to steamOriginal.

  • CMPlayer has been renamed to bomi upstream. Package cmplayer was accordingly renamed to bomi.

  • Atom Shell has been renamed to Electron upstream. Package atom-shell was accordingly renamed to electron.

  • Elm is not released on Hackage anymore. You should now use elmPackages.elm which contains the latest Elm platform.

  • The CUPS printing service has been updated to version 2.0.2. Furthermore its systemd service has been renamed to cups.service.

    Local printers are no longer shared or advertised by default. This behavior can be changed by enabling services.printing.defaultShared or services.printing.browsing respectively.

  • The VirtualBox host and guest options have been named more consistently. They can now be found in* instead of services.virtualboxHost.* and virtualisation.virtualbox.guest.* instead of services.virtualboxGuest.*.

    Also, there now is support for the vboxsf file system using the fileSystems configuration attribute. An example of how this can be used in a configuration:

    fileSystems."/shiny" = {
      device = "myshinysharedfolder";
      fsType = "vboxsf";
    };

  • "nix-env -qa" no longer discovers Haskell packages by name. The only packages visible in the global scope are ghc, cabal-install, and stack, but all other packages are hidden. The reason for this inconvenience is the sheer size of the Haskell package set. Name-based lookups are expensive, and most nix-env -qa operations would become much slower if we'd add the entire Hackage database into the top level attribute set. Instead, the list of Haskell packages can be displayed by running:

    nix-env -f "<nixpkgs>" -qaP -A haskellPackages

    Executable programs written in Haskell can be installed with:

    nix-env -f "<nixpkgs>" -iA haskellPackages.pandoc

    Installing Haskell libraries this way, however, is no longer supported. See the next item for more details.

  • Previous versions of NixOS came with a feature called ghc-wrapper, a small script that allowed GHC to transparently pick up on libraries installed in the user's profile. This feature has been deprecated; ghc-wrapper was removed from the distribution. The proper way to register Haskell libraries with the compiler now is the haskellPackages.ghcWithPackages function. The User's Guide to the Haskell Infrastructure provides more information about this subject.

  • All Haskell builds that have been generated with version 1.x of the cabal2nix utility are now invalid and need to be re-generated with a current version of cabal2nix to function. The most recent version of this tool can be installed by running nix-env -i cabal2nix.

  • The haskellPackages set in Nixpkgs used to have a function attribute called extension that users could override in their ~/.nixpkgs/config.nix files to configure additional attributes, etc. That function still exists, but it's now called overrides.

  • The OpenBLAS library has been updated to version 0.2.14. Support for the x86_64-darwin platform was added. Dynamic architecture detection was enabled; OpenBLAS now selects microarchitecture-optimized routines at runtime, so optimal performance is achieved without the need to rebuild OpenBLAS locally. OpenBLAS has replaced ATLAS in most packages which use an optimized BLAS or LAPACK implementation.

  • The phpfpm is now using the default PHP version (pkgs.php) instead of PHP 5.4 (pkgs.php54).

  • The locate service no longer indexes the Nix store by default, preventing packages with potentially numerous versions from cluttering the output. Indexing the store can be activated by setting services.locate.includeStore = true.

  • The Nix expression search path (NIX_PATH) no longer contains /etc/nixos/nixpkgs by default. You can override NIX_PATH by setting nix.nixPath.

  • Python 2.6 has been marked as broken (as it no longer receives security updates from upstream).

  • Any use of module arguments such as pkgs to access library functions, or to define imports attributes will now lead to an infinite loop at the time of the evaluation.

    In case of an infinite loop, use the --show-trace command line argument and read the line just above the error message.

    $ nixos-rebuild build --show-trace
    while evaluating the module argument `pkgs' in "/etc/nixos/my-module.nix":
    infinite recursion encountered

    Any use of pkgs.lib should be replaced by lib, after adding it as an argument of the module. The following module

    { config, pkgs, ... }:
    with pkgs.lib;
    {
      options = {
        foo = mkOption { … };
      };
      config = mkIf { … };
    }

    should be modified to look like:

    { config, pkgs, lib, ... }:
    with lib;
    {
      options = {
        foo = mkOption { option declaration };
      };
      config = mkIf { option definition };
    }

    When pkgs is used to download other projects to import their modules, and only in such cases, it should be replaced by (import <nixpkgs> {}). The following module

    { config, pkgs, ... }:
    let
      myProject = pkgs.fetchurl {
        src = url;
        sha256 = hash;
      };
    in
    {
      imports = [ "${myProject}/module.nix" ];
    }

    should be modified to look like:

    { config, pkgs, ... }:
    let
      myProject = (import <nixpkgs> {}).fetchurl {
        src = url;
        sha256 = hash;
      };
    in
    {
      imports = [ "${myProject}/module.nix" ];
    }

Other notable improvements:

  • The nixos and nixpkgs channels were unified, so one can use nix-env -iA nixos.bash instead of nix-env -iA nixos.pkgs.bash. See the commit for details.

  • Users running an SSH server who worry about the quality of their /etc/ssh/moduli file with respect to the vulnerabilities discovered in the Diffie-Hellman key exchange can now replace OpenSSH's default version with one they generated themselves using the new services.openssh.moduliFile option.

  • A newly packaged TeX Live 2015 is provided in pkgs.texlive, split into 6500 nix packages. For basic user documentation see the source. Beware of an issue when installing a too large package set. The plan is to deprecate and maybe delete the original TeX packages until the next release.

  • buildEnv.env on all Python interpreters is now available for nix-shell interoperability.
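
A way to check a self-generated moduli file before pointing services.openssh.moduliFile at it, as an added example that is not part of the NixOS release notes: the script counts and filters entries by modulus size. The 3071 threshold, the function names and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenSSH moduli file before using it as
# services.openssh.moduliFile. Each moduli(5) line has seven fields:
#   timestamp type tests trials size generator modulus
# "size" is stored as the bit length minus one (2047 = 2048-bit prime).

# Assumption: 3071 (3072-bit) is the smallest acceptable size.
MIN_SIZE=${MIN_SIZE:-3071}

# Constructed sample input; the moduli are shortened placeholders.
sample_moduli() {
    cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20170101000000 2 6 100 1535 2 F00DCAFE
20170101000001 2 6 100 2047 2 F00DCAFE
20170101000002 2 6 100 3071 2 F00DCAFE
20170101000003 2 6 100 4095 5 F00DCAFE
20170101000004 2 6 100
EOF
}

# Print "<kept> <too-small> <malformed>" for the moduli file "$1".
moduli_audit() {
    awk -v min="$MIN_SIZE" '
        /^[ \t]*#/ || /^[ \t]*$/     { next }          # comments, blanks
        NF != 7 || $5 !~ /^[0-9]+$/  { bad++; next }   # truncated line
        $5 + 0 >= min                { kept++; next }
                                     { small++ }
        END { printf "%d %d %d\n", kept, small, bad }
    ' "$1"
}

# Print only the well-formed entries of "$1" that meet MIN_SIZE.
moduli_filter() {
    awk -v min="$MIN_SIZE" '
        NF == 7 && $1 !~ /^#/ && $5 ~ /^[0-9]+$/ && $5 + 0 >= min
    ' "$1"
}

# Demo on the constructed sample.
demo_file=$(mktemp)
sample_moduli > "$demo_file"
echo "kept/too-small/malformed: $(moduli_audit "$demo_file")"
moduli_filter "$demo_file"
rm -f "$demo_file"
```

A non-zero malformed count usually means the generation run was interrupted and the file should be regenerated rather than filtered.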

B.5. Release 14.12 (“Caterpillar”, 2014/12/30)

In addition to numerous new and upgraded packages, this release has the following highlights:

  • Systemd has been updated to version 217, which has numerous improvements.

  • Nix has been updated to 1.8.

  • NixOS is now based on Glibc 2.20.

  • KDE has been updated to 4.14.

  • The default Linux kernel has been updated to 3.14.

  • If users.mutableUsers is enabled (the default), changes made to the declaration of a user or group will be correctly realised when running nixos-rebuild. For instance, removing a user specification from configuration.nix will cause the actual user account to be deleted. If users.mutableUsers is disabled, it is no longer necessary to specify UIDs or GIDs; if omitted, they are allocated dynamically.

The following new services were added since the last release:

  • atftpd

  • bosun

  • bspwm

  • chronos

  • collectd

  • consul

  • cpuminer-cryptonight

  • crashplan

  • dnscrypt-proxy

  • docker-registry

  • docker

  • etcd

  • fail2ban

  • fcgiwrap

  • fleet

  • fluxbox

  • gdm

  • geoclue2

  • gitlab

  • gitolite

  • gnome3.gnome-documents

  • gnome3.gnome-online-miners

  • gnome3.gvfs

  • gnome3.seahorse

  • hbase

  • i2pd

  • influxdb

  • kubernetes

  • liquidsoap

  • lxc

  • mailpile

  • mesos

  • mlmmj

  • monetdb

  • mopidy

  • neo4j

  • nsd

  • openntpd

  • opentsdb

  • openvswitch

  • parallels-guest

  • peerflix

  • phd

  • polipo

  • prosody

  • radicale

  • redmine

  • riemann

  • scollector

  • seeks

  • siproxd

  • strongswan

  • tcsd

  • teamspeak3

  • thermald

  • torque/mrom

  • torque/server

  • uhub

  • unifi

  • znc

  • zookeeper

When upgrading from a previous release, please be aware of the following incompatible changes:

  • The default version of Apache httpd is now 2.4. If you use the extraConfig option to pass literal Apache configuration text, you may need to update it — see Apache’s documentation for details. If you wish to continue to use httpd 2.2, add the following line to your NixOS configuration:

    services.httpd.package = pkgs.apacheHttpd_2_2;

  • PHP 5.3 has been removed because it is no longer supported by the PHP project. A migration guide is available.

  • The host side of a container virtual Ethernet pair is now called ve-container-name rather than c-container-name.

  • GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.

  • VirtualBox has been upgraded to the 4.3.20 release. Users may be required to run rm -rf /tmp/.vbox*. The line imports = [ <nixpkgs/nixos/modules/programs/virtualbox.nix> ] is no longer necessary; use services.virtualboxHost.enable = true instead.

    Also, hardening mode is now enabled by default, which means that unless you want to use USB support, you no longer need to be a member of the vboxusers group.

  • Chromium has been updated to 39.0.2171.65. enablePepperPDF is now enabled by default. chromium*Wrapper packages no longer exist, because upstream removed NSAPI support. chromium-stable has been renamed to chromium.

  • Python packaging documentation is now part of nixpkgs manual. To override the python packages available to a custom python you now use pkgs.pythonFull.buildEnv.override instead of pkgs.pythonFull.override.

  • boot.resumeDevice = "8:6" is no longer supported. Most users will want to leave it undefined, which takes the swap partitions automatically. There is an evaluation assertion to ensure that the string starts with a slash.

  • The system-wide default timezone for NixOS installations changed from CET to UTC. To choose a different timezone for your system, configure time.timeZone in configuration.nix. A fairly complete list of possible values for that setting is available at

  • GNU screen has been updated to 4.2.1, which breaks the ability to connect to sessions created by older versions of screen.

  • The Intel GPU driver was updated to the 3.x prerelease version (used by most distributions) and supports DRI3 now.

B.6. Release 14.04 (“Baboon”, 2014/04/30)

This is the second stable release branch of NixOS. In addition to numerous new and upgraded packages and modules, this release has the following highlights:

  • Installation on UEFI systems is now supported. See Section 2.1, “UEFI Installation” for details.

  • Systemd has been updated to version 212, which has numerous improvements. NixOS now automatically starts systemd user instances when you log in. You can define global user units through the systemd.unit.* options.

  • NixOS is now based on Glibc 2.19 and GCC 4.8.

  • The default Linux kernel has been updated to 3.12.

  • KDE has been updated to 4.12.

  • GNOME 3.10 experimental support has been added.

  • Nix has been updated to 1.7 (details).

  • NixOS now supports fully declarative management of users and groups. If you set users.mutableUsers to false, then the contents of /etc/passwd and /etc/group will be congruent to your NixOS configuration. For instance, if you remove a user from users.extraUsers and run nixos-rebuild, the user account will cease to exist. Also, imperative commands for managing users and groups, such as useradd, are no longer available. If users.mutableUsers is true (the default), then behaviour is unchanged from NixOS 13.10.

  • NixOS now has basic container support, meaning you can easily run a NixOS instance as a container in a NixOS host system. These containers are suitable for testing and experimentation but not production use, since they’re not fully isolated from the host. See Chapter 28, Container Management for details.

  • Systemd units provided by packages can now be overridden from the NixOS configuration. For instance, if a package foo provides systemd units, you can say:

    systemd.packages = [ ];

    to enable those units. You can then set or override unit options in the usual way, e.g. = [ "" ]; = "512M";

When upgrading from a previous release, please be aware of the following incompatible changes:

  • Nixpkgs no longer exposes unfree packages by default. If your NixOS configuration requires unfree packages from Nixpkgs, you need to enable support for them explicitly by setting:

    nixpkgs.config.allowUnfree = true;

    Otherwise, you get an error message such as:

    error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:56’
      has an unfree license, refusing to evaluate

  • The Adobe Flash player is no longer enabled by default in the Firefox and Chromium wrappers. To enable it, you must set:

    nixpkgs.config.allowUnfree = true;
    nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox
    nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium

  • The firewall is now enabled by default. If you don’t want this, you need to disable it explicitly:

    networking.firewall.enable = false;

  • The option boot.loader.grub.memtest86 has been renamed to boot.loader.grub.memtest86.enable.

  • The mysql55 service has been merged into the mysql service, which no longer sets a default for the option services.mysql.package.

  • Package variants are now differentiated by suffixing the name, rather than the version. For instance, sqlite- is now called sqlite-interactive- This ensures that nix-env -i sqlite is unambiguous, and that nix-env -u won’t “upgrade” sqlite to sqlite-interactive or vice versa. Notably, this change affects the Firefox wrapper (which provides plugins), as it is now called firefox-wrapper. So when using nix-env, you should do nix-env -e firefox; nix-env -i firefox-wrapper if you want to keep using the wrapper. This change does not affect declarative package management, since attribute names like pkgs.firefoxWrapper were already unambiguous.

  • The symlink /etc/ca-bundle.crt is gone. Programs should instead use the environment variable OPENSSL_X509_CERT_FILE (which points to /etc/ssl/certs/ca-bundle.crt).

B.7. Release 13.10 (“Aardvark”, 2013/10/31)

This is the first stable release branch of NixOS.