This section lists the release notes for each stable version of NixOS and current unstable revision.

B.1. Release 18.09 (“Jellyfish”, 2018/10/05)

B.1.1. Highlights

In addition to numerous new and upgraded packages, this release has the following notable updates:

  • End of support is planned for end of April 2019, handing over to 19.03.

  • Platform support: x86_64-linux and x86_64-darwin as always. Support for aarch64-linux is as with the previous releases, not equivalent to the x86-64-linux release, but with efforts to reach parity.

  • Nix has been updated to 2.1; see its release notes.

  • Core versions: linux: 4.14 LTS (unchanged), glibc: 2.26 → 2.27, gcc: 7 (unchanged), systemd: 237 → 239.

  • Desktop version changes: gnome: 3.26 → 3.28, (KDE) plasma-desktop: 5.12 → 5.13.

Notable changes and additions for 18.09 include:

  • Support for wrapping binaries using firejail has been added through programs.firejail.wrappedBinaries.

    For example

    programs.firejail = {
      enable = true;
      wrappedBinaries = {
        firefox = "${lib.getBin pkgs.firefox}/bin/firefox";
        mpv = "${lib.getBin pkgs.mpv}/bin/mpv";

    This will place firefox and mpv binaries in the global path wrapped by firejail.

  • User channels are now in the default NIX_PATH, allowing users to use their personal nix-channel defined channels in nix-build and nix-shell commands, as well as in imports like import <mychannel>.

    For example

    $ nix-channel --add nixpkgsunstable
    $ nix-channel --update
    $ nix-build '<nixpkgsunstable>' -A gitFull
    $ nix run -f '<nixpkgsunstable>' gitFull
    $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'

B.1.2. New Services

A curated selection of new services that were added since the last release:

  • The services.cassandra module has been reworked and was rewritten from scratch. The service has succeeding tests for the versions 2.1, 2.2, 3.0 and 3.11 of Apache Cassandra.

  • There is a new services.foundationdb module for deploying FoundationDB clusters.

  • When enabled the iproute2 will copy the files expected by ip route (e.g., rt_tables) in /etc/iproute2. This allows to write aliases for routing tables for instance.

  • services.strongswan-swanctl is a modern replacement for services.strongswan. You can use either one of them to setup IPsec VPNs but not both at the same time.

    services.strongswan-swanctl uses the swanctl command which uses the modern vici Versatile IKE Configuration Interface. The deprecated ipsec command used in services.strongswan is using the legacy stroke configuration interface.

  • The new services.elasticsearch-curator service periodically curates or manages, your Elasticsearch indices and snapshots.

Every new services:

  • ./config/xdg/autostart.nix

  • ./config/xdg/icons.nix

  • ./config/xdg/menus.nix

  • ./config/xdg/mime.nix

  • ./hardware/brightnessctl.nix

  • ./hardware/onlykey.nix

  • ./hardware/video/uvcvideo/default.nix

  • ./misc/documentation.nix

  • ./programs/firejail.nix

  • ./programs/iftop.nix

  • ./programs/sedutil.nix

  • ./programs/singularity.nix

  • ./programs/xss-lock.nix

  • ./programs/zsh/zsh-autosuggestions.nix

  • ./services/admin/oxidized.nix

  • ./services/backup/duplicati.nix

  • ./services/backup/restic.nix

  • ./services/backup/restic-rest-server.nix

  • ./services/cluster/hadoop/default.nix

  • ./services/databases/aerospike.nix

  • ./services/databases/monetdb.nix

  • ./services/desktops/bamf.nix

  • ./services/desktops/flatpak.nix

  • ./services/desktops/zeitgeist.nix

  • ./services/development/bloop.nix

  • ./services/development/jupyter/default.nix

  • ./services/hardware/lcd.nix

  • ./services/hardware/undervolt.nix

  • ./services/misc/clipmenu.nix

  • ./services/misc/gitweb.nix

  • ./services/misc/serviio.nix

  • ./services/misc/safeeyes.nix

  • ./services/misc/sysprof.nix

  • ./services/misc/weechat.nix

  • ./services/monitoring/datadog-agent.nix

  • ./services/monitoring/incron.nix

  • ./services/networking/dnsdist.nix

  • ./services/networking/freeradius.nix

  • ./services/networking/hans.nix

  • ./services/networking/morty.nix

  • ./services/networking/ndppd.nix

  • ./services/networking/ocserv.nix

  • ./services/networking/owamp.nix

  • ./services/networking/quagga.nix

  • ./services/networking/shadowsocks.nix

  • ./services/networking/stubby.nix

  • ./services/networking/zeronet.nix

  • ./services/security/certmgr.nix

  • ./services/security/cfssl.nix

  • ./services/security/oauth2_proxy_nginx.nix

  • ./services/web-apps/virtlyst.nix

  • ./services/web-apps/youtrack.nix

  • ./services/web-servers/hitch/default.nix

  • ./services/web-servers/hydron.nix

  • ./services/web-servers/meguca.nix

  • ./services/web-servers/nginx/gitweb.nix

  • ./virtualisation/kvmgt.nix

  • ./virtualisation/qemu-guest-agent.nix

B.1.3. Backward Incompatibilities

When upgrading from a previous release, please be aware of the following incompatible changes:

  • Some licenses that were incorrectly not marked as unfree now are. This is the case for:

    • cc-by-nc-sa-20: Creative Commons Attribution Non Commercial Share Alike 2.0

    • cc-by-nc-sa-25: Creative Commons Attribution Non Commercial Share Alike 2.5

    • cc-by-nc-sa-30: Creative Commons Attribution Non Commercial Share Alike 3.0

    • cc-by-nc-sa-40: Creative Commons Attribution Non Commercial Share Alike 4.0

    • cc-by-nd-30: Creative Commons Attribution-No Derivative Works v3.00

    • msrla: Microsoft Research License Agreement

  • The deprecated services.cassandra module has seen a complete rewrite. (See above.)

  • lib.strict is removed. Use builtins.seq instead.

  • The clementine package points now to the free derivation. clementineFree is removed now and clementineUnfree points to the package which is bundled with the unfree libspotify package.

  • The netcat package is now taken directly from OpenBSD's libressl, instead of relying on Debian's fork. The new version should be very close to the old version, but there are some minor differences. Importantly, flags like -b, -q, -C, and -Z are no longer accepted by the nc command.

  • The services.docker-registry.extraConfig object doesn't contain environment variables anymore. Instead it needs to provide an object structure that can be mapped onto the YAML configuration defined in the docker/distribution docs.

  • gnucash has changed from version 2.4 to 3.x. If you've been using gnucash (version 2.4) instead of gnucash26 (version 2.6) you must open your Gnucash data file(s) with gnucash26 and then save them to upgrade the file format. Then you may use your data file(s) with Gnucash 3.x. See the upgrade documentation. Gnucash 2.4 is still available under the attribute gnucash24.

  • services.munge now runs as user (and group) munge instead of root. Make sure the key file is accessible to the daemon.

  • dockerTools.buildImage now uses null as default value for tag, which indicates that the nix output hash will be used as tag.

  • The ELK stack: elasticsearch, logstash and kibana has been upgraded from 2.* to 6.3.*. The 2.* versions have been unsupported since last year so they have been removed. You can still use the 5.* versions under the names elasticsearch5, logstash5 and kibana5.

    The elastic beats: filebeat, heartbeat, metricbeat and packetbeat have had the same treatment: they now target 6.3.* as well. The 5.* versions are available under the names: filebeat5, heartbeat5, metricbeat5 and packetbeat5

    The ELK-6.3 stack now comes with X-Pack by default. Since X-Pack is licensed under the Elastic License the ELK packages now have an unfree license. To use them you need to specify allowUnfree = true; in your nixpkgs configuration.

    Fortunately there is also a free variant of the ELK stack without X-Pack. The packages are available under the names: elasticsearch-oss, logstash-oss and kibana-oss.

  • Options were removed. luksroot.nix module never supported more than one YubiKey at a time anyway, hence those options never had any effect. You should be able to remove them from your config without any issues.

  • stdenv.system and system in nixpkgs now refer to the host platform instead of the build platform. For native builds this is not change, let alone a breaking one. For cross builds, it is a breaking change, and stdenv.buildPlatform.system can be used instead for the old behavior. They should be using that anyways for clarity.

  • Groups kvm and render are introduced now, as systemd requires them.

B.1.4. Other Notable Changes

  • dockerTools.pullImage relies on image digest instead of image tag to download the image. The sha256 of a pulled image has to be updated.

  • lib.attrNamesToStr has been deprecated. Use more specific concatenation (lib.concat(Map)StringsSep) instead.

  • lib.addErrorContextToAttrs has been deprecated. Use builtins.addErrorContext directly.

  • lib.showVal has been deprecated. Use lib.traceSeqN instead.

  • lib.traceXMLVal has been deprecated. Use lib.traceValFn builtins.toXml instead.

  • lib.traceXMLValMarked has been deprecated. Use lib.traceValFn (x: str + builtins.toXML x) instead.

  • The pkgs argument to NixOS modules can now be set directly using nixpkgs.pkgs. Previously, only the system, config and overlays arguments could be used to influence pkgs.

  • A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs. For example:

    inherit (pkgs.nixos {
      boot.loader.grub.enable = false;
      fileSystems."/".device = "/dev/xvda1";
    }) toplevel kernel initialRamdisk manual;

    This benefits evaluation performance, lets you write Nixpkgs packages that depend on NixOS images and is consistent with a deployment architecture that would be centered around Nixpkgs overlays.

  • lib.traceValIfNot has been deprecated. Use if/then/else and lib.traceValSeq instead.

  • lib.traceCallXml has been deprecated. Please complain if you use the function regularly.

  • The attribute lib.nixpkgsVersion has been deprecated in favor of lib.version. Please refer to the discussion in NixOS/nixpkgs#39416 for further reference.

  • lib.recursiveUpdateUntil was not acting according to its specification. It has been fixed to act according to the docstring, and a test has been added.

  • The module for security.dhparams has two new options now:


    Puts the generated Diffie-Hellman parameters into the Nix store instead of managing them in a stateful manner in /var/lib/dhparams.


    The default bit size to use for the generated Diffie-Hellman parameters.

    Note: The path to the actual generated parameter files should now be queried using because it might be either in the Nix store or in a directory configured by security.dhparams.path.

    For developers:

    Module implementers should not set a specific bit size in order to let users configure it by themselves if they want to have a different bit size than the default (2048).

    An example usage of this would be:

    { config, ... }:
      security.dhparams.params.myservice = {};
      environment.etc."myservice.conf".text = ''
        dhparams = ${}

  • networking.networkmanager.useDnsmasq has been deprecated. Use networking.networkmanager.dns instead.

  • The Kubernetes package has been bumped to major version 1.11. Please consult the release notes for details on new features and api changes.

  • The option services.kubernetes.apiserver.admissionControl was renamed to services.kubernetes.apiserver.enableAdmissionPlugins.

  • Recommended way to access the Kubernetes Dashboard is via HTTPS (TLS) Therefore; public service port for the dashboard has changed to 443 (container port 8443) and scheme to https.

  • The option services.kubernetes.apiserver.address was renamed to services.kubernetes.apiserver.bindAddress. Note that the default value has changed from to

  • The option services.kubernetes.apiserver.publicAddress was not used and thus has been removed.

  • The option services.kubernetes.addons.dashboard.enableRBAC was renamed to services.kubernetes.addons.dashboard.rbac.enable.

  • The Kubernetes Dashboard now has only minimal RBAC permissions by default. If dashboard cluster-admin rights are desired, set services.kubernetes.addons.dashboard.rbac.clusterAdmin to true. On existing clusters, in order for the revocation of privileges to take effect, the current ClusterRoleBinding for kubernetes-dashboard must be manually removed: kubectl delete clusterrolebinding kubernetes-dashboard

  • The programs.screen module provides allows to configure /etc/screenrc, however the module behaved fairly counterintuitive as the config exists, but the package wasn't available. Since 18.09 pkgs.screen will be added to environment.systemPackages.

  • The module services.networking.hostapd now uses WPA2 by default.

  • s6Dns, s6Networking, s6LinuxUtils and s6PortableUtils renamed to s6-dns, s6-networking, s6-linux-utils and s6-portable-utils respectively.

  • The module option nix.useSandbox is now defaulted to true.

  • The config activation script of nixos-rebuild now reloads all user units for each authenticated user.

  • The default display manager is now LightDM. To use SLiM set services.xserver.displayManager.slim.enable to true.

  • NixOS option descriptions are now automatically broken up into individual paragraphs if the text contains two consecutive newlines, so it's no longer necessary to use </para><para> to start a new paragraph.

  • Top-level buildPlatform, hostPlatform, and targetPlatform in Nixpkgs are deprecated. Please use their equivalents in stdenv instead: stdenv.buildPlatform, stdenv.hostPlatform, and stdenv.targetPlatform.

B.2. Release 18.03 (“Impala”, 2018/04/04)

B.2.1. Highlights

In addition to numerous new and upgraded packages, this release has the following highlights:

  • End of support is planned for end of October 2018, handing over to 18.09.

  • Platform support: x86_64-linux and x86_64-darwin since release time (the latter isn't NixOS, really). Binaries for aarch64-linux are available, but no channel exists yet, as it's waiting for some test fixes, etc.

  • Nix now defaults to 2.0; see its release notes.

  • Core version changes: linux: 4.9 -> 4.14, glibc: 2.25 -> 2.26, gcc: 6 -> 7, systemd: 234 -> 237.

  • Desktop version changes: gnome: 3.24 -> 3.26, (KDE) plasma-desktop: 5.10 -> 5.12.

  • MariaDB 10.2, updated from 10.1, is now the default MySQL implementation. While upgrading a few changes have been made to the infrastructure involved:

    • libmysql has been deprecated, please use mysql.connector-c instead, a compatibility passthru has been added to the MySQL packages.

    • The mysql57 package has a new static output containing the static libraries including libmysqld.a

  • PHP now defaults to PHP 7.2, updated from 7.1.

B.2.2. New Services

The following new services were added since the last release:

  • ./config/krb5/default.nix

  • ./hardware/digitalbitbox.nix

  • ./misc/label.nix

  • ./programs/ccache.nix

  • ./programs/criu.nix

  • ./programs/digitalbitbox/default.nix

  • ./programs/less.nix

  • ./programs/npm.nix

  • ./programs/plotinus.nix

  • ./programs/rootston.nix

  • ./programs/systemtap.nix

  • ./programs/sway.nix

  • ./programs/udevil.nix

  • ./programs/way-cooler.nix

  • ./programs/yabar.nix

  • ./programs/zsh/zsh-autoenv.nix

  • ./services/backup/borgbackup.nix

  • ./services/backup/crashplan-small-business.nix

  • ./services/desktops/dleyna-renderer.nix

  • ./services/desktops/dleyna-server.nix

  • ./services/desktops/pipewire.nix

  • ./services/desktops/gnome3/chrome-gnome-shell.nix

  • ./services/desktops/gnome3/tracker-miners.nix

  • ./services/hardware/fwupd.nix

  • ./services/hardware/interception-tools.nix

  • ./services/hardware/u2f.nix

  • ./services/hardware/usbmuxd.nix

  • ./services/mail/clamsmtp.nix

  • ./services/mail/dkimproxy-out.nix

  • ./services/mail/pfix-srsd.nix

  • ./services/misc/gitea.nix

  • ./services/misc/home-assistant.nix

  • ./services/misc/ihaskell.nix

  • ./services/misc/logkeys.nix

  • ./services/misc/novacomd.nix

  • ./services/misc/osrm.nix

  • ./services/misc/plexpy.nix

  • ./services/misc/pykms.nix

  • ./services/misc/tzupdate.nix

  • ./services/monitoring/fusion-inventory.nix

  • ./services/monitoring/prometheus/exporters.nix

  • ./services/network-filesystems/beegfs.nix

  • ./services/network-filesystems/davfs2.nix

  • ./services/network-filesystems/openafs/client.nix

  • ./services/network-filesystems/openafs/server.nix

  • ./services/network-filesystems/ceph.nix

  • ./services/networking/aria2.nix

  • ./services/networking/monero.nix

  • ./services/networking/nghttpx/default.nix

  • ./services/networking/nixops-dns.nix

  • ./services/networking/rxe.nix

  • ./services/networking/stunnel.nix

  • ./services/web-apps/matomo.nix

  • ./services/web-apps/restya-board.nix

  • ./services/web-servers/mighttpd2.nix

  • ./services/x11/fractalart.nix

  • ./system/boot/binfmt.nix

  • ./system/boot/grow-partition.nix

  • ./tasks/filesystems/ecryptfs.nix

  • ./virtualisation/hyperv-guest.nix

B.2.3. Backward Incompatibilities

When upgrading from a previous release, please be aware of the following incompatible changes:

  • sound.enable now defaults to false.

  • Dollar signs in options under services.postfix are passed verbatim to Postfix, which will interpret them as the beginning of a parameter expression. This was already true for string-valued options in the previous release, but not for list-valued options. If you need to pass literal dollar signs through Postfix, double them.

  • The postage package (for web-based PostgreSQL administration) has been renamed to pgmanage. The corresponding module has also been renamed. To migrate please rename all services.postage options to services.pgmanage.

  • Package attributes starting with a digit have been prefixed with an underscore sign. This is to avoid quoting in the configuration and other issues with command-line tools like nix-env. The change affects the following packages:

    • 2048-in-terminal_2048-in-terminal

    • 90secondportraits_90secondportraits

    • 2bwm_2bwm

    • 389-ds-base_389-ds-base

  • The OpenSSH service no longer enables support for DSA keys by default, which could cause a system lock out. Update your keys or, unfavorably, re-enable DSA support manually.

    DSA support was deprecated in OpenSSH 7.0, due to it being too weak. To re-enable support, add PubkeyAcceptedKeyTypes +ssh-dss to the end of your services.openssh.extraConfig.

    After updating the keys to be stronger, anyone still on a pre-17.03 version is safe to jump to 17.03, as vetted here.

  • The openssh package now includes Kerberos support by default; the openssh_with_kerberos package is now a deprecated alias. If you do not want Kerberos support, you can do openssh.override { withKerberos = false; }. Note, this also applies to the openssh_hpn package.

  • cc-wrapper has been split in two; there is now also a bintools-wrapper. The most commonly used files in nix-support are now split between the two wrappers. Some commonly used ones, like nix-support/dynamic-linker, are duplicated for backwards compatability, even though they rightly belong only in bintools-wrapper. Other more obscure ones are just moved.

  • The propagation logic has been changed. The new logic, along with new types of dependencies that go with, is thoroughly documented in the "Specifying dependencies" section of the "Standard Environment" chapter of the nixpkgs manual. The old logic isn't but is easy to describe: dependencies were propagated as the same type of dependency no matter what. In practice, that means that many propagatedNativeBuildInputs should instead be propagatedBuildInputs. Thankfully, that was and is the least used type of dependency. Also, it means that some propagatedBuildInputs should instead be depsTargetTargetPropagated. Other types dependencies should be unaffected.

  • lib.addPassthru drv passthru is removed. Use lib.extendDerivation true passthru drv instead.

  • The memcached service no longer accept dynamic socket paths via services.memcached.socket. Unix sockets can be still enabled by services.memcached.enableUnixSocket and will be accessible at /run/memcached/memcached.sock.

  • The hardware.amdHybridGraphics.disable option was removed for lack of a maintainer. If you still need this module, you may wish to include a copy of it from an older version of nixos in your imports.

  • The merging of config options for services.postfix.config was buggy. Previously, if other options in the Postfix module like services.postfix.useSrs were set and the user set config options that were also set by such options, the resulting config wouldn't include all options that were needed. They are now merged correctly. If config options need to be overridden, lib.mkForce or lib.mkOverride can be used.

  • The following changes apply if the stateVersion is changed to 18.03 or higher. For stateVersion = "17.09" or lower the old behavior is preserved.

    • matrix-synapse uses postgresql by default instead of sqlite. Migration instructions can be found here .

  • The jid package has been removed, due to maintenance overhead of a go package having non-versioned dependencies.

  • When using services.xserver.libinput (enabled by default in GNOME), it now handles all input devices, not just touchpads. As a result, you might need to re-evaluate any custom Xorg configuration. In particular, Option "XkbRules" "base" may result in broken keyboard layout.

  • The attic package was removed. A maintained fork called Borg should be used instead. Migration instructions can be found here.

  • The Piwik analytics software was renamed to Matomo:

    • The package pkgs.piwik was renamed to pkgs.matomo.

    • The service services.piwik was renamed to services.matomo.

    • The data directory /var/lib/piwik was renamed to /var/lib/matomo. All files will be moved automatically on first startup, but you might need to adjust your backup scripts.

    • The default serverName for the nginx configuration changed from piwik.${config.networking.hostName} to matomo.${config.networking.hostName}.${config.networking.domain} if config.networking.domain is set, matomo.${config.networking.hostName} if it is not set. If you change your serverName, remember you'll need to update the trustedHosts[] array in /var/lib/matomo/config/config.ini.php as well.

    • The piwik user was renamed to matomo. The service will adjust ownership automatically for files in the data directory. If you use unix socket authentication, remember to give the new matomo user access to the database and to change the username to matomo in the [database] section of /var/lib/matomo/config/config.ini.php.

    • If you named your database `piwik`, you might want to rename it to `matomo` to keep things clean, but this is neither enforced nor required.

  • nodejs-4_x is end-of-life. nodejs-4_x, nodejs-slim-4_x and nodePackages_4_x are removed.

  • The NixOS module was removed. It is now maintained as an external module.

  • The Prosody XMPP server has received a major update. The following modules were renamed:

    • services.prosody.modules.httpserver is now services.prosody.modules.http_files

    • services.prosody.modules.console is now services.prosody.modules.admin_telnet

    Many new modules are now core modules, most notably services.prosody.modules.carbons and services.prosody.modules.mam.

    The better-performing libevent backend is now enabled by default.

    withCommunityModules now passes through the modules to services.prosody.extraModules. Use withOnlyInstalledCommunityModules for modules that should not be enabled directly, e.g lib_ldap.

  • All prometheus exporter modules are now defined as submodules. The exporters are configured using services.prometheus.exporters.

B.2.4. Other Notable Changes

  • ZNC option services.znc.mutable now defaults to true. That means that old configuration is not overwritten by default when update to the znc options are made.

  • The option networking.wireless.networks.<name>.auth has been added for wireless networks with WPA-Enterprise authentication. There is also a new extraConfig option to directly configure wpa_supplicant and hidden to connect to hidden networks.

  • In the module networking.interfaces.<name> the following options have been removed:

    • ipAddress

    • ipv6Address

    • prefixLength

    • ipv6PrefixLength

    • subnetMask

    To assign static addresses to an interface the options ipv4.addresses and ipv6.addresses should be used instead. The options ip4 and ip6 have been renamed to ipv4.addresses ipv6.addresses respectively. The new options ipv4.routes and ipv6.routes have been added to set up static routing.

  • The option services.logstash.listenAddress is now by default. Previously the default behaviour was to listen on all interfaces.

  • services.btrfs.autoScrub has been added, to periodically check btrfs filesystems for data corruption. If there's a correct copy available, it will automatically repair corrupted blocks.

  • displayManager.lightdm.greeters.gtk.clock-format. has been added, the clock format string (as expected by strftime, e.g. %H:%M) to use with the lightdm gtk greeter panel.

    If set to null the default clock format is used.

  • displayManager.lightdm.greeters.gtk.indicators has been added, a list of allowed indicator modules to use with the lightdm gtk greeter panel.

    Built-in indicators include ~a11y, ~language, ~session, ~power, ~clock, ~host, ~spacer. Unity indicators can be represented by short name (e.g. sound, power), service file name, or absolute path.

    If set to null the default indicators are used.

    In order to have the previous default configuration add

      services.xserver.displayManager.lightdm.greeters.gtk.indicators = [
        "~host" "~spacer"
        "~clock" "~spacer"

    to your configuration.nix.

  • The NixOS test driver supports user services declared by The methods waitForUnit, getUnitInfo, startJob and stopJob provide an optional $user argument for that purpose.

  • Enabling bash completion on NixOS, programs.bash.enableCompletion, will now also enable completion for the Nix command line tools by installing the nix-bash-completions package.

B.3. Release 17.09 (“Hummingbird”, 2017/09/??)

B.3.1. Highlights

In addition to numerous new and upgraded packages, this release has the following highlights:

  • The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10, KDE Applications to 17.08.1 and KDE Frameworks to 5.37.

  • The user handling now keeps track of deallocated UIDs/GIDs. When a user or group is revived, this allows it to be allocated the UID/GID it had before. A consequence is that UIDs and GIDs are no longer reused.

  • The module option services.xserver.xrandrHeads now causes the first head specified in this list to be set as the primary head. Apart from that, it's now possible to also set additional options by using an attribute set, for example:

    { services.xserver.xrandrHeads = [
          output = "DVI-0";
          primary = true;
          monitorConfig = ''
            Option "Rotate" "right"

    This will set the DVI-0 output to be the primary head, even though HDMI-0 is the first head in the list.

  • The handling of SSL in the services.nginx module has been cleaned up, renaming the misnamed enableSSL to onlySSL which reflects its original intention. This is not to be used with the already existing forceSSL which creates a second non-SSL virtual host redirecting to the SSL virtual host. This by chance had worked earlier due to specific implementation details. In case you had specified both please remove the enableSSL option to keep the previous behaviour.

    Another addSSL option has been introduced to configure both a non-SSL virtual host and an SSL virtual host with the same configuration.

    Options to configure resolver options and upstream blocks have been introduced. See their information for further details.

    The port option has been replaced by a more generic listen option which makes it possible to specify multiple addresses, ports and SSL configs dependant on the new SSL handling mentioned above.

B.3.2. New Services

The following new services were added since the last release:

  • config/fonts/fontconfig-penultimate.nix

  • config/fonts/fontconfig-ultimate.nix

  • config/terminfo.nix

  • hardware/sensor/iio.nix

  • hardware/nitrokey.nix

  • hardware/raid/hpsa.nix

  • programs/browserpass.nix

  • programs/gnupg.nix

  • programs/qt5ct.nix

  • programs/slock.nix

  • programs/thefuck.nix

  • security/auditd.nix

  • security/lock-kernel-modules.nix

  • service-managers/docker.nix

  • service-managers/trivial.nix

  • services/admin/salt/master.nix

  • services/admin/salt/minion.nix

  • services/audio/slimserver.nix

  • services/cluster/kubernetes/default.nix

  • services/cluster/kubernetes/dns.nix

  • services/cluster/kubernetes/dashboard.nix

  • services/continuous-integration/hail.nix

  • services/databases/clickhouse.nix

  • services/databases/postage.nix

  • services/desktops/gnome3/gnome-disks.nix

  • services/desktops/gnome3/gpaste.nix

  • services/logging/SystemdJournal2Gelf.nix

  • services/logging/heartbeat.nix

  • services/logging/journalwatch.nix

  • services/logging/syslogd.nix

  • services/mail/mailhog.nix

  • services/mail/nullmailer.nix

  • services/misc/airsonic.nix

  • services/misc/autorandr.nix

  • services/misc/exhibitor.nix

  • services/misc/fstrim.nix

  • services/misc/gollum.nix

  • services/misc/irkerd.nix

  • services/misc/jackett.nix

  • services/misc/radarr.nix

  • services/misc/snapper.nix

  • services/monitoring/osquery.nix

  • services/monitoring/prometheus/collectd-exporter.nix

  • services/monitoring/prometheus/fritzbox-exporter.nix

  • services/network-filesystems/kbfs.nix

  • services/networking/dnscache.nix

  • services/networking/fireqos.nix

  • services/networking/iwd.nix

  • services/networking/keepalived/default.nix

  • services/networking/keybase.nix

  • services/networking/lldpd.nix

  • services/networking/matterbridge.nix

  • services/networking/squid.nix

  • services/networking/tinydns.nix

  • services/networking/xrdp.nix

  • services/security/shibboleth-sp.nix

  • services/security/sks.nix

  • services/security/sshguard.nix

  • services/security/torify.nix

  • services/security/usbguard.nix

  • services/security/vault.nix

  • services/system/earlyoom.nix

  • services/system/saslauthd.nix

  • services/web-apps/nexus.nix

  • services/web-apps/pgpkeyserver-lite.nix

  • services/web-apps/piwik.nix

  • services/web-servers/lighttpd/collectd.nix

  • services/web-servers/minio.nix

  • services/x11/display-managers/xpra.nix

  • services/x11/xautolock.nix

  • tasks/filesystems/bcachefs.nix

  • tasks/powertop.nix

B.3.3. Backward Incompatibilities

When upgrading from a previous release, please be aware of the following incompatible changes:

  • In an Qemu-based virtualization environment, the network interface names changed from i.e. enp0s3 to ens3.

    This is due to a kernel configuration change. The new naming is consistent with those of other Linux distributions with systemd. See #29197 for more information.

    A machine is affected if the virt-what tool either returns qemu or kvm and has interface names used in any part of its NixOS configuration, in particular if a static network configuration with networking.interfaces is used.

    Before rebooting affected machines, please ensure:

    • Change the interface names in your NixOS configuration. The first interface will be called ens3, the second one ens8 and starting from there incremented by 1.

    • After changing the interface names, rebuild your system with nixos-rebuild boot to activate the new configuration after a reboot. If you switch to the new configuration right away you might lose network connectivity! If using nixops, deploy with nixops deploy --force-reboot.

  • The following changes apply if the stateVersion is changed to 17.09 or higher. For stateVersion = "17.03" or lower the old behavior is preserved.

    • The postgres default version was changed from 9.5 to 9.6.

    • The postgres superuser name has changed from root to postgres to more closely follow what other Linux distributions are doing.

    • The postgres default dataDir has changed from /var/db/postgres to /var/lib/postgresql/$psqlSchema where $psqlSchema is 9.6 for example.

    • The mysql default dataDir has changed from /var/mysql to /var/lib/mysql.

    • Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found here . It is also possible to use the newer version by setting the package to radicale2, which is done automatically when stateVersion is 17.09 or higher. The extraArgs option has been added to allow passing the data migration arguments specified in the instructions; see the radicale.nix NixOS test for an example migration.

  • The aiccu package was removed. This is due to SixXS sunsetting its IPv6 tunnel.

  • The fanctl package and fan module have been removed due to the developers not upstreaming their iproute2 patches and lagging with compatibility to recent iproute2 versions.

  • Top-level idea package collection was renamed. All JetBrains IDEs are now at jetbrains.

  • flexget's state database cannot be upgraded to its new internal format, requiring removal of any existing db-config.sqlite which will be automatically recreated.

  • The ipfs service now doesn't ignore the dataDir option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with

    mv /var/lib/ipfs/.ipfs/* $dataDir
    rmdir /var/lib/ipfs/.ipfs

  • The caddy service was previously using an extra .caddy directory in the data directory specified with the dataDir option. The contents of the .caddy directory are now expected to be in the dataDir.

  • The ssh-agent user service is not started by default anymore. Use programs.ssh.startAgent to enable it if needed. There is also a new programs.gnupg.agent module that creates a gpg-agent user service. It can also serve as a SSH agent if enableSSHSupport is set.

  • The services.tinc.networks.<name>.listenAddress option had a misleading name that did not correspond to its behavior. It now correctly defines the ip to listen for incoming connections on. To keep the previous behaviour, use services.tinc.networks.<name>.bindToAddress instead. Refer to the description of the options for more details.

  • tlsdate package and module were removed. This is due to the project being dead and not building with openssl 1.1.

  • wvdial package and module were removed. This is due to the project being dead and not building with openssl 1.1.

  • cc-wrapper's setup-hook now exports a number of environment variables corresponding to binutils binaries, (e.g. LD, STRIP, RANLIB, etc). This is done to prevent packages' build systems guessing, which is harder to predict, especially when cross-compiling. However, some packages have broken due to this—their build systems either not supporting, or claiming to support without adequate testing, taking such environment variables as parameters.

  • services.firefox.syncserver now runs by default as a non-root user. To accomodate this change, the default sqlite database location has also been changed. Migration should work automatically. Refer to the description of the options for more details.

  • The compiz window manager and package was removed. The system support had been broken for several years.

  • Touchpad support should now be enabled through libinput as synaptics is now deprecated. See the option services.xserver.libinput.enable.

  • grsecurity/PaX support has been dropped, following upstream's decision to cease free support. See upstream's announcement for more information. No complete replacement for grsecurity/PaX is available presently.

  • services.mysql now has declarative configuration of databases and users with the ensureDatabases and ensureUsers options.

    These options will never delete existing databases and users, especially not when the value of the options are changed.

    The MySQL users will be identified using Unix socket authentication. This authenticates the Unix user with the same name only, and that without the need for a password.

    If you have previously created a MySQL root user with a password, you will need to add root user for unix socket authentication before using the new options. This can be done by running the following SQL script:

    CREATE USER 'root'@'%' IDENTIFIED BY '';
    -- Optionally, delete the password-authenticated user:
    -- DROP USER 'root'@'localhost';

  • services.mysqlBackup now works by default without any user setup, including for users other than mysql.

    By default, the mysql user is no longer the user which performs the backup. Instead a system account mysqlbackup is used.

    The mysqlBackup service is also now using systemd timers instead of cron.

    Therefore, the services.mysqlBackup.period option no longer exists, and has been replaced with services.mysqlBackup.calendar, which is in the format of systemd.time(7).

    If you expect to be sent an e-mail when the backup fails, consider using a script which monitors the systemd journal for errors. Regretfully, at present there is no built-in functionality for this.

    You can check that backups still work by running systemctl start mysql-backup then systemctl status mysql-backup.

  • Templated systemd services e.g container@name are now handled currectly when switching to a new configuration, resulting in them being reloaded.

  • Steam: the newStdcpp parameter was removed and should not be needed anymore.

  • Redis has been updated to version 4 which mandates a cluster mass-restart, due to changes in the network handling, in order to ensure compatibility with networks NATing traffic.

B.3.4. Other Notable Changes

  • Modules can now be disabled by using disabledModules, allowing another to take it's place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release.

  • Updated to FreeType 2.7.1, including a new TrueType engine. The new engine replaces the Infinality engine which was the default in NixOS. The default font rendering settings are now provided by fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults are less invasive and provide rendering that is more consistent with other systems and hopefully with each font designer's intent. Some system-wide configuration has been removed from the Fontconfig NixOS module where user Fontconfig settings are available.

  • ZFS/SPL have been updated to 0.7.0, zfsUnstable, splUnstable have therefore been removed.

  • The time.timeZone option now allows the value null in addition to timezone strings. This value allows changing the timezone of a system imperatively using timedatectl set-timezone. The default timezone is still UTC.

  • Nixpkgs overlays may now be specified with a file as well as a directory. The value of <nixpkgs-overlays> may be a file, and ~/.config/nixpkgs/overlays.nix can be used instead of the ~/.config/nixpkgs/overlays directory.

    See the overlays chapter of the Nixpkgs manual for more details.

  • Definitions for /etc/hosts can now be specified declaratively with networking.hosts.

  • Two new options have been added to the installer loader, in addition to the default having changed. The kernel log verbosity has been lowered to the upstream default for the default options, in order to not spam the console when e.g. joining a network.

    This therefore leads to adding a new debug option to set the log level to the previous verbose mode, to make debugging easier, but still accessible easily.

    Additionally a copytoram option has been added, which makes it possible to remove the install medium after booting. This allows tethering from your phone after booting from it.

  • services.gitlab-runner.configOptions has been added to specify the configuration of gitlab-runners declaratively.

  • services.jenkins.plugins has been added to install plugins easily, this can be generated with jenkinsPlugins2nix.

  • services.postfix.config has been added to specify the with NixOS options. Additionally other options have been added to the postfix module and has been improved further.

  • The GitLab package and module have been updated to the latest 10.0 release.

  • The systemd-boot boot loader now lists the NixOS version, kernel version and build date of all bootable generations.

  • The dnscrypt-proxy service now defaults to using a random upstream resolver, selected from the list of public non-logging resolvers with DNSSEC support. Existing configurations can be migrated to this mode of operation by omitting the services.dnscrypt-proxy.resolverName option or setting it to "random".

B.4. Release 17.03 (“Gorilla”, 2017/03/31)

B.4.1. Highlights

In addition to numerous new and upgraded packages, this release has the following highlights:

  • Nixpkgs is now extensible through overlays. See the Nixpkgs manual for more information.

  • This release is based on Glibc 2.25, GCC 5.4.0 and systemd 232. The default Linux kernel is 4.9 and Nix is at 1.11.8.

  • The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed

  • The setuid wrapper functionality now supports setting capabilities.

  • server uses branch 1.19. Due to ABI incompatibilities, ati_unfree keeps forcing 1.17 and amdgpu-pro starts forcing 1.18.

  • Cross compilation has been rewritten. See the nixpkgs manual for details. The most obvious breaking change is that in derivations there is no .nativeDrv nor .crossDrv are now cross by default, not native.

  • The overridePackages function has been rewritten to be replaced by overlays

  • Packages in nixpkgs can be marked as insecure through listed vulnerabilities. See the Nixpkgs manual for more information.

  • PHP now defaults to PHP 7.1

B.4.2. New Services

The following new services were added since the last release:

  • hardware/ckb.nix

  • hardware/mcelog.nix

  • hardware/usb-wwan.nix

  • hardware/video/capture/mwprocapture.nix

  • programs/adb.nix

  • programs/chromium.nix

  • programs/gphoto2.nix

  • programs/java.nix

  • programs/mtr.nix

  • programs/oblogout.nix

  • programs/vim.nix

  • programs/wireshark.nix

  • security/dhparams.nix

  • services/audio/ympd.nix

  • services/computing/boinc/client.nix

  • services/continuous-integration/buildbot/master.nix

  • services/continuous-integration/buildbot/worker.nix

  • services/continuous-integration/gitlab-runner.nix

  • services/databases/riak-cs.nix

  • services/databases/stanchion.nix

  • services/desktops/gnome3/gnome-terminal-server.nix

  • services/editors/infinoted.nix

  • services/hardware/illum.nix

  • services/hardware/trezord.nix

  • services/logging/journalbeat.nix

  • services/mail/offlineimap.nix

  • services/mail/postgrey.nix

  • services/misc/couchpotato.nix

  • services/misc/docker-registry.nix

  • services/misc/errbot.nix

  • services/misc/geoip-updater.nix

  • services/misc/gogs.nix

  • services/misc/leaps.nix

  • services/misc/nix-optimise.nix

  • services/misc/ssm-agent.nix

  • services/misc/sssd.nix

  • services/monitoring/arbtt.nix

  • services/monitoring/netdata.nix

  • services/monitoring/prometheus/default.nix

  • services/monitoring/prometheus/alertmanager.nix

  • services/monitoring/prometheus/blackbox-exporter.nix

  • services/monitoring/prometheus/json-exporter.nix

  • services/monitoring/prometheus/nginx-exporter.nix

  • services/monitoring/prometheus/node-exporter.nix

  • services/monitoring/prometheus/snmp-exporter.nix

  • services/monitoring/prometheus/unifi-exporter.nix

  • services/monitoring/prometheus/varnish-exporter.nix

  • services/monitoring/sysstat.nix

  • services/monitoring/telegraf.nix

  • services/monitoring/vnstat.nix

  • services/network-filesystems/cachefilesd.nix

  • services/network-filesystems/glusterfs.nix

  • services/network-filesystems/ipfs.nix

  • services/networking/dante.nix

  • services/networking/dnscrypt-wrapper.nix

  • services/networking/fakeroute.nix

  • services/networking/flannel.nix

  • services/networking/htpdate.nix

  • services/networking/miredo.nix

  • services/networking/nftables.nix

  • services/networking/powerdns.nix

  • services/networking/pdns-recursor.nix

  • services/networking/quagga.nix

  • services/networking/redsocks.nix

  • services/networking/wireguard.nix

  • services/system/cgmanager.nix

  • services/torrent/opentracker.nix

  • services/web-apps/atlassian/confluence.nix

  • services/web-apps/atlassian/crowd.nix

  • services/web-apps/atlassian/jira.nix

  • services/web-apps/frab.nix

  • services/web-apps/nixbot.nix

  • services/web-apps/selfoss.nix

  • services/web-apps/quassel-webserver.nix

  • services/x11/unclutter-xfixes.nix

  • services/x11/urxvtd.nix

  • system/boot/systemd-nspawn.nix

  • virtualisation/ecs-agent.nix

  • virtualisation/lxcfs.nix

  • virtualisation/openstack/keystone.nix

  • virtualisation/openstack/glance.nix

B.4.3. Backward Incompatibilities

When upgrading from a previous release, please be aware of the following incompatible changes:

  • Derivations have no .nativeDrv nor .crossDrv and are now cross by default, not native.

  • stdenv.overrides is now expected to take self and super arguments. See lib.trivial.extends for what those parameters represent.

  • ansible now defaults to ansible version 2 as version 1 has been removed due to a serious vulnerability unpatched by upstream.

  • gnome alias has been removed along with gtk, gtkmm and several others. Now you need to use versioned attributes, like gnome3.

  • The attribute name of the Radicale daemon has been changed from pythonPackages.radicale to radicale.

  • The stripHash bash function in stdenv changed according to its documentation; it now outputs the stripped name to stdout instead of putting it in the variable strippedName.

  • PHP now scans for extra configuration .ini files in /etc/php.d instead of /etc. This prevents accidentally loading non-PHP .ini files that may be in /etc.

  • Two lone top-level dict dbs moved into dictdDBs. This affects: dictdWordnet which is now at dictdDBs.wordnet and dictdWiktionary which is now at dictdDBs.wiktionary

  • Parsoid service now uses YAML configuration format. service.parsoid.interwikis is now called service.parsoid.wikis and is a list of either API URLs or attribute sets as specified in parsoid's documentation.

  • Ntpd was replaced by systemd-timesyncd as the default service to synchronize system time with a remote NTP server. The old behavior can be restored by setting services.ntp.enable to true. Upstream time servers for all NTP implementations are now configured using networking.timeServers.

  • service.nylon is now declared using named instances. As an example:

      services.nylon = {
        enable = true;
        acceptInterface = "br0";
        bindInterface = "tun1";
        port = 5912;

    should be replaced with:

      services.nylon.myvpn = {
        enable = true;
        acceptInterface = "br0";
        bindInterface = "tun1";
        port = 5912;

    this enables you to declare a SOCKS proxy for each uplink.

  • overridePackages function no longer exists. It is replaced by overlays. For example, the following code:

        pkgs = import <nixpkgs> {};
        pkgs.overridePackages (self: super: ...)

    should be replaced by:

        pkgs = import <nixpkgs> {};
        import pkgs.path { overlays = [(self: super: ...)]; }

  • Autoloading connection tracking helpers is now disabled by default. This default was also changed in the Linux kernel and is considered insecure if not configured properly in your firewall. If you need connection tracking helpers (i.e. for active FTP) please enable networking.firewall.autoLoadConntrackHelpers and tune networking.firewall.connectionTrackingModules to suit your needs.

  • local_recipient_maps is not set to empty value by Postfix service. It's an insecure default as stated by Postfix documentation. Those who want to retain this setting need to set it via services.postfix.extraConfig.

  • Iputils no longer provide ping6 and traceroute6. The functionality of these tools has been integrated into ping and traceroute respectively. To enforce an address family the new flags -4 and -6 have been added. One notable incompatibility is that specifying an interface (for link-local IPv6 for instance) is no longer done with the -I flag, but by encoding the interface into the address (ping fe80::1%eth0).

  • The socket handling of the services.rmilter module has been fixed and refactored. As rmilter doesn't support binding to more than one socket, the options bindUnixSockets and bindInetSockets have been replaced by services.rmilter.bindSocket.*. The default is still a unix socket in /run/rmilter/rmilter.sock. Refer to the options documentation for more information.

  • The fetch* functions no longer support md5, please use sha256 instead.

  • The dnscrypt-proxy module interface has been streamlined around the extraArgs option. Where possible, legacy option declarations are mapped to extraArgs but will emit warnings. The resolverList has been outright removed: to use an unlisted resolver, use the customResolver option.

  • torbrowser now stores local state under ~/.local/share/tor-browser by default. Any browser profile data from the old location, ~/.torbrowser4, must be migrated manually.

  • The ihaskell, monetdb, offlineimap and sitecopy services have been removed.

B.4.4. Other Notable Changes

  • Module type system have a new extensible option types feature that allow to extend certain types, such as enum, through multiple option declarations of the same option across multiple modules.

  • jre now defaults to GTK+ UI by default. This improves visual consistency and makes Java follow system font style, improving the situation on HighDPI displays. This has a cost of increased closure size; for server and other headless workloads it's recommended to use jre_headless.

  • Python 2.6 interpreter and package set have been removed.

  • The Python 2.7 interpreter does not use modules anymore. Instead, all CPython interpreters now include the whole standard library except for `tkinter`, which is available in the Python package set.

  • Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly. Minor modifications had to be made to the interpreters in order to generate deterministic bytecode. This has security implications and is relevant for those using Python in a nix-shell. See the Nixpkgs manual for details.

  • The Python package sets now use a fixed-point combinator and the sets are available as attributes of the interpreters.

  • The Python function buildPythonPackage has been improved and can be used to build from Setuptools source, Flit source, and precompiled Wheels.

  • When adding new or updating current Python libraries, the expressions should be put in separate files in pkgs/development/python-modules and called from python-packages.nix.

  • The dnscrypt-proxy service supports synchronizing the list of public resolvers without working DNS resolution. This fixes issues caused by the resolver list becoming outdated. It also improves the viability of DNSCrypt only configurations.

  • Containers using bridged networking no longer lose their connection after changes to the host networking.

  • ZFS supports pool auto scrubbing.

  • The bind DNS utilities (e.g. dig) have been split into their own output and are now also available in pkgs.dnsutils and it is no longer necessary to pull in all of bind to use them.

  • Per-user configuration was moved from ~/.nixpkgs to ~/.config/nixpkgs. The former is still valid for config.nix for backwards compatibility.

B.5. Release 16.09 (“Flounder”, 2016/09/30)

In addition to numerous new and upgraded packages, this release has the following highlights:

  • Many NixOS configurations and Nix packages now use significantly less disk space, thanks to the extensive work on closure size reduction. For example, the closure size of a minimal NixOS container went down from ~424 MiB in 16.03 to ~212 MiB in 16.09, while the closure size of Firefox went from ~651 MiB to ~259 MiB.

  • To improve security, packages are now built using various hardening features. See the Nixpkgs manual for more information.

  • Support for PXE netboot. See Section 2.5.2, “Booting from the netboot media (PXE)” for documentation.

  • server 1.18. If you use the ati_unfree driver, 1.17 is still used due to an ABI incompatibility.

  • This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. The default Linux kernel remains 4.4.

The following new services were added since the last release:

  • (this will get automatically generated at release time)

When upgrading from a previous release, please be aware of the following incompatible changes:

  • A large number of packages have been converted to use the multiple outputs feature of Nix to greatly reduce the amount of required disk space, as mentioned above. This may require changes to any custom packages to make them build again; see the relevant chapter in the Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions related to multiple-output packages were changed late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)

  • Previous versions of Nixpkgs had support for all versions of the LTS Haskell package set. That support has been dropped. The previously provided haskell.packages.lts-x_y package sets still exist in name to aviod breaking user code, but these package sets don't actually contain the versions mandated by the corresponding LTS release. Instead, our package set it loosely based on the latest available LTS release, i.e. LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will drop those old names entirely. The motivation for this change has been discussed at length on the nix-dev mailing list and in Github issue #14897. Development strategies for Haskell hackers who want to rely on Nix and NixOS have been described in another nix-dev article.

  • Shell aliases for systemd sub-commands were dropped: start, stop, restart, status.

  • Redis now binds to only instead of listening to all network interfaces. This is the default behavior of Redis 3.2

  • /var/empty is now immutable. Activation script runs chattr +i to forbid any modifications inside the folder. See the pull request for what bugs this caused.

  • Gitlab's maintainance script gitlab-runner was removed and split up into the more clearer gitlab-run and gitlab-rake scripts, because gitlab-runner is a component of Gitlab CI.

  • services.xserver.libinput.accelProfile default changed from flat to adaptive, as per official documentation.

  • fonts.fontconfig.ultimate.rendering was removed because our presets were obsolete for some time. New presets are hardcoded into FreeType; you can select a preset via fonts.fontconfig.ultimate.preset. You can customize those presets via ordinary environment variables, using environment.variables.

  • The audit service is no longer enabled by default. Use security.audit.enable = true to explicitly enable it.

  • pkgs.linuxPackages.virtualbox now contains only the kernel modules instead of the VirtualBox user space binaries. If you want to reference the user space binaries, you have to use the new pkgs.virtualbox instead.

  • goPackages was replaced with separated Go applications in appropriate nixpkgs categories. Each Go package uses its own dependency set. There's also a new go2nix tool introduced to generate a Go package definition from its Go source automatically.

  • services.mongodb.extraConfig configuration format was changed to YAML.

  • PHP has been upgraded to 7.0

Other notable improvements:

  • Revamped grsecurity/PaX support. There is now only a single general-purpose distribution kernel and the configuration interface has been streamlined. Desktop users should be able to simply set

    security.grsecurity.enable = true

    to get a reasonably secure system without having to sacrifice too much functionality.

  • Special filesystems, like /proc, /run and others, now have the same mount options as recommended by systemd and are unified across different places in NixOS. Mount options are updated during nixos-rebuild switch if possible. One benefit from this is improved security — most such filesystems are now mounted with noexec, nodev and/or nosuid options.

  • The reverse path filter was interfering with DHCPv4 server operation in the past. An exception for DHCPv4 and a new option to log packets that were dropped due to the reverse path filter was added (networking.firewall.logReversePathDrops) for easier debugging.

  • Containers configuration within containers.<name>.config is now properly typed and checked. In particular, partial configurations are merged correctly.

  • The directory container setuid wrapper programs, /var/setuid-wrappers, is now updated atomically to prevent failures if the switch to a new configuration is interrupted.

  • services.xserver.startGnuPGAgent has been removed due to GnuPG 2.1.x bump. See how to achieve similar behavior. You might need to pkill gpg-agent after the upgrade to prevent a stale agent being in the way.

  • Declarative users could share the uid due to the bug in the script handling conflict resolution.

  • Gummi boot has been replaced using systemd-boot.

  • Hydra package and NixOS module were added for convenience.

B.6. Release 16.03 (“Emu”, 2016/03/31)

In addition to numerous new and upgraded packages, this release has the following highlights:

  • Systemd 229, bringing numerous improvements over 217.

  • Linux 4.4 (was 3.18).

  • GCC 5.3 (was 4.9). Note that GCC 5 changes the C++ ABI in an incompatible way; this may cause problems if you try to link objects compiled with different versions of GCC.

  • Glibc 2.23 (was 2.21).

  • Binutils 2.26 (was 2.23.1). See #909

  • Improved support for ensuring bitwise reproducible builds. For example, stdenv now sets the environment variable SOURCE_DATE_EPOCH to a deterministic value, and Nix has gained an option to repeat a build a number of times to test determinism. An ongoing project, the goal of exact reproducibility is to allow binaries to be verified independently (e.g., a user might only trust binaries that appear in three independent binary caches).

  • Perl 5.22.

The following new services were added since the last release:

  • services/monitoring/longview.nix

  • hardware/video/webcam/facetimehd.nix

  • i18n/input-method/default.nix

  • i18n/input-method/fcitx.nix

  • i18n/input-method/ibus.nix

  • i18n/input-method/nabi.nix

  • i18n/input-method/uim.nix

  • programs/fish.nix

  • security/acme.nix

  • security/audit.nix

  • security/oath.nix

  • services/hardware/irqbalance.nix

  • services/mail/dspam.nix

  • services/mail/opendkim.nix

  • services/mail/postsrsd.nix

  • services/mail/rspamd.nix

  • services/mail/rmilter.nix

  • services/misc/autofs.nix

  • services/misc/bepasty.nix

  • services/misc/calibre-server.nix

  • services/misc/cfdyndns.nix

  • services/misc/gammu-smsd.nix

  • services/misc/mathics.nix

  • services/misc/matrix-synapse.nix

  • services/misc/octoprint.nix

  • services/monitoring/hdaps.nix

  • services/monitoring/heapster.nix

  • services/monitoring/longview.nix

  • services/network-filesystems/netatalk.nix

  • services/network-filesystems/xtreemfs.nix

  • services/networking/autossh.nix

  • services/networking/dnschain.nix

  • services/networking/gale.nix

  • services/networking/miniupnpd.nix

  • services/networking/namecoind.nix

  • services/networking/ostinato.nix

  • services/networking/pdnsd.nix

  • services/networking/shairport-sync.nix

  • services/networking/supplicant.nix

  • services/search/kibana.nix

  • services/security/haka.nix

  • services/security/physlock.nix

  • services/web-apps/

  • services/x11/hardware/libinput.nix

  • services/x11/window-managers/windowlab.nix

  • system/boot/initrd-network.nix

  • system/boot/initrd-ssh.nix

  • system/boot/loader/loader.nix

  • system/boot/networkd.nix

  • system/boot/resolved.nix

  • virtualisation/lxd.nix

  • virtualisation/rkt.nix

When upgrading from a previous release, please be aware of the following incompatible changes:

  • We no longer produce graphical ISO images and VirtualBox images for i686-linux. A minimal ISO image is still provided.

  • Firefox and similar browsers are now wrapped by default. The package and attribute names are plain firefox or midori, etc. Backward-compatibility attributes were set up, but note that nix-env -u will not update your current firefox-with-plugins; you have to uninstall it and install firefox instead.

  • wmiiSnap has been replaced with wmii_hg, but services.xserver.windowManager.wmii.enable has been updated respectively so this only affects you if you have explicitly installed wmiiSnap.

  • jobs NixOS option has been removed. It served as compatibility layer between Upstart jobs and SystemD services. All services have been rewritten to use

  • wmiimenu is removed, as it has been removed by the developers upstream. Use wimenu from the wmii-hg package.

  • Gitit is no longer automatically added to the module list in NixOS and as such there will not be any manual entries for it. You will need to add an import statement to your NixOS configuration in order to use it, e.g.

      imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ];

    will include the Gitit service configuration options.

  • nginx does not accept flags for enabling and disabling modules anymore. Instead it accepts modules argument, which is a list of modules to be built in. All modules now reside in nginxModules set. Example configuration:

    nginx.override {
      modules = [ nginxModules.rtmp nginxModules.dav nginxModules.moreheaders ];

  • s3sync is removed, as it hasn't been developed by upstream for 4 years and only runs with ruby 1.8. For an actively-developer alternative look at tarsnap and others.

  • ruby_1_8 has been removed as it's not supported from upstream anymore and probably contains security issues.

  • tidy-html5 package is removed. Upstream only provided (lib)tidy5 during development, and now they went back to (lib)tidy to work as a drop-in replacement of the original package that has been unmaintained for years. You can (still) use the html-tidy package, which got updated to a stable release from this new upstream.

  • extraDeviceOptions argument is removed from bumblebee package. Instead there are now two separate arguments: extraNvidiaDeviceOptions and extraNouveauDeviceOptions for setting extra X11 options for nvidia and nouveau drivers, respectively.

  • The Ctrl+Alt+Backspace key combination no longer kills the X server by default. There's a new option services.xserver.enableCtrlAltBackspace allowing to enable the combination again.

  • emacsPackagesNg now contains all packages from the ELPA, MELPA, and MELPA Stable repositories.

  • Data directory for Postfix MTA server is moved from /var/postfix to /var/lib/postfix. Old configurations are migrated automatically. service.postfix module has also received many improvements, such as correct directories' access rights, new aliasFiles and mapFiles options and more.

  • Filesystem options should now be configured as a list of strings, not a comma-separated string. The old style will continue to work, but print a warning, until the 16.09 release. An example of the new style:

    fileSystems."/example" = {
      device = "/dev/sdc";
      fsType = "btrfs";
      options = [ "noatime" "compress=lzo" "space_cache" "autodefrag" ];

  • CUPS, installed by services.printing module, now has its data directory in /var/lib/cups. Old configurations from /etc/cups are moved there automatically, but there might be problems. Also configuration options services.printing.cupsdConf and services.printing.cupsdFilesConf were removed because they had been allowing one to override configuration variables required for CUPS to work at all on NixOS. For most use cases, services.printing.extraConf and new option services.printing.extraFilesConf should be enough; if you encounter a situation when they are not, please file a bug.

    There are also Gutenprint improvements; in particular, a new option services.printing.gutenprint is added to enable automatic updating of Gutenprint PPMs; it's greatly recommended to enable it instead of adding gutenprint to the drivers list.

  • services.xserver.vaapiDrivers has been removed. Use hardware.opengl.extraPackages{,32} instead. You can also specify VDPAU drivers there.

  • programs.ibus moved to i18n.inputMethod.ibus. The option programs.ibus.plugins changed to i18n.inputMethod.ibus.engines and the option to enable ibus changed from programs.ibus.enable to i18n.inputMethod.enabled. i18n.inputMethod.enabled should be set to the used input method name, "ibus" for ibus. An example of the new style:

    i18n.inputMethod.enabled = "ibus";
    i18n.inputMethod.ibus.engines = with pkgs.ibus-engines; [ anthy mozc ];

    That is equivalent to the old version:

    programs.ibus.enable = true;
    programs.ibus.plugins = with pkgs; [ ibus-anthy mozc ];

  • services.udev.extraRules option now writes rules to 99-local.rules instead of 10-local.rules. This makes all the user rules apply after others, so their results wouldn't be overriden by anything else.

  • Large parts of the services.gitlab module has been been rewritten. There are new configuration options available. The stateDir option was renamned to statePath and the satellitesDir option was removed. Please review the currently available options.

  • The option services.nsd.zones.<name>.data no longer interpret the dollar sign ($) as a shell variable, as such it should not be escaped anymore. Thus the following zone data:

    \$TTL 1800
    @       IN      SOA (

    Should modified to look like the actual file expected by nsd:

    $TTL 1800
    @       IN      SOA (
  • service.syncthing.dataDir options now has to point to exact folder where syncthing is writing to. Example configuration should look something like:

    services.syncthing = {
        enable = true;
        dataDir = "/home/somebody/.syncthing";
        user = "somebody";
  • networking.firewall.allowPing is now enabled by default. Users are encouraged to configure an appropriate rate limit for their machines using the Kernel interface at /proc/sys/net/ipv4/icmp_ratelimit and /proc/sys/net/ipv6/icmp/ratelimit or using the firewall itself, i.e. by setting the NixOS option networking.firewall.pingLimit.

  • Systems with some broadcom cards used to result into a generated config that is no longer accepted. If you get errors like

    error: path ‘/nix/store/*-broadcom-sta-*’ does not exist and cannot be created

    you should either re-run nixos-generate-config or manually replace "${config.boot.kernelPackages.broadcom_sta}" by config.boot.kernelPackages.broadcom_sta in your /etc/nixos/hardware-configuration.nix. More discussion is on the github issue.

  • The services.xserver.startGnuPGAgent option has been removed. GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no longer requires (or even supports) the "start everything as a child of the agent" scheme we've implemented in NixOS for older versions. To configure the gpg-agent for your X session, add the following code to ~/.bashrc or some file that’s sourced when your shell is started:

    export GPG_TTY

    If you want to use gpg-agent for SSH, too, add the following to your session initialization (e.g. displayManager.sessionCommands)

    gpg-connect-agent /bye
    unset SSH_AGENT_PID
    export SSH_AUTH_SOCK="''${HOME}/.gnupg/S.gpg-agent.ssh"

    and make sure that


    is included in your ~/.gnupg/gpg-agent.conf. You will need to use ssh-add to re-add your ssh keys. If gpg’s automatic transformation of the private keys to the new format fails, you will need to re-import your private keyring as well:

    gpg --import ~/.gnupg/secring.gpg

    The gpg-agent(1) man page has more details about this subject, i.e. in the "EXAMPLES" section.

Other notable improvements:

  • ejabberd module is brought back and now works on NixOS.

  • Input method support was improved. New NixOS modules (fcitx, nabi and uim), fcitx engines (chewing, hangul, m17n, mozc and table-other) and ibus engines (hangul and m17n) have been added.

B.7. Release 15.09 (“Dingo”, 2015/09/30)

In addition to numerous new and upgraded packages, this release has the following highlights:

  • The Haskell packages infrastructure has been re-designed from the ground up ("Haskell NG"). NixOS now distributes the latest version of every single package registered on Hackage -- well in excess of 8,000 Haskell packages. Detailed instructions on how to use that infrastructure can be found in the User's Guide to the Haskell Infrastructure. Users migrating from an earlier release may find helpful information below, in the list of backwards-incompatible changes. Furthermore, we distribute 51(!) additional Haskell package sets that provide every single LTS Haskell release since version 0.0 as well as the most recent Stackage Nightly snapshot. The announcement "Full Stackage Support in Nixpkgs" gives additional details.

  • Nix has been updated to version 1.10, which among other improvements enables cryptographic signatures on binary caches for improved security.

  • You can now keep your NixOS system up to date automatically by setting

    system.autoUpgrade.enable = true;

    This will cause the system to periodically check for updates in your current channel and run nixos-rebuild.

  • This release is based on Glibc 2.21, GCC 4.9 and Linux 3.18.

  • GNOME has been upgraded to 3.16.

  • Xfce has been upgraded to 4.12.

  • KDE 5 has been upgraded to KDE Frameworks 5.10, Plasma 5.3.2 and Applications 15.04.3. KDE 4 has been updated to kdelibs-4.14.10.

  • E19 has been upgraded to

The following new services were added since the last release:

  • services/mail/exim.nix

  • services/misc/apache-kafka.nix

  • services/misc/canto-daemon.nix

  • services/misc/confd.nix

  • services/misc/devmon.nix

  • services/misc/gitit.nix

  • services/misc/ihaskell.nix

  • services/misc/mbpfan.nix

  • services/misc/mediatomb.nix

  • services/misc/mwlib.nix

  • services/misc/parsoid.nix

  • services/misc/plex.nix

  • services/misc/ripple-rest.nix

  • services/misc/ripple-data-api.nix

  • services/misc/subsonic.nix

  • services/misc/sundtek.nix

  • services/monitoring/cadvisor.nix

  • services/monitoring/das_watchdog.nix

  • services/monitoring/grafana.nix

  • services/monitoring/riemann-tools.nix

  • services/monitoring/teamviewer.nix

  • services/network-filesystems/u9fs.nix

  • services/networking/aiccu.nix

  • services/networking/asterisk.nix

  • services/networking/bird.nix

  • services/networking/charybdis.nix

  • services/networking/docker-registry-server.nix

  • services/networking/fan.nix

  • services/networking/firefox/sync-server.nix

  • services/networking/gateone.nix

  • services/networking/heyefi.nix

  • services/networking/i2p.nix

  • services/networking/lambdabot.nix

  • services/networking/mstpd.nix

  • services/networking/nix-serve.nix

  • services/networking/nylon.nix

  • services/networking/racoon.nix

  • services/networking/skydns.nix

  • services/networking/shout.nix

  • services/networking/softether.nix

  • services/networking/sslh.nix

  • services/networking/tinc.nix

  • services/networking/tlsdated.nix

  • services/networking/tox-bootstrapd.nix

  • services/networking/tvheadend.nix

  • services/networking/zerotierone.nix

  • services/scheduling/marathon.nix

  • services/security/fprintd.nix

  • services/security/hologram.nix

  • services/security/munge.nix

  • services/system/cloud-init.nix

  • services/web-servers/shellinabox.nix

  • services/web-servers/uwsgi.nix

  • services/x11/unclutter.nix

  • services/x11/display-managers/sddm.nix

  • system/boot/coredump.nix

  • system/boot/loader/loader.nix

  • system/boot/loader/generic-extlinux-compatible

  • system/boot/networkd.nix

  • system/boot/resolved.nix

  • system/boot/timesyncd.nix

  • tasks/filesystems/exfat.nix

  • tasks/filesystems/ntfs.nix

  • tasks/filesystems/vboxsf.nix

  • virtualisation/virtualbox-host.nix

  • virtualisation/vmware-guest.nix

  • virtualisation/xen-dom0.nix

When upgrading from a previous release, please be aware of the following incompatible changes:

  • sshd no longer supports DSA and ECDSA host keys by default. If you have existing systems with such host keys and want to continue to use them, please set

    system.stateVersion = "14.12";

    The new option system.stateVersion ensures that certain configuration changes that could break existing systems (such as the sshd host key setting) will maintain compatibility with the specified NixOS release. NixOps sets the state version of existing deployments automatically.

  • cron is no longer enabled by default, unless you have a non-empty services.cron.systemCronJobs. To force cron to be enabled, set services.cron.enable = true.

  • Nix now requires binary caches to be cryptographically signed. If you have unsigned binary caches that you want to continue to use, you should set nix.requireSignedBinaryCaches = false.

  • Steam now doesn't need root rights to work. Instead of using *-steam-chrootenv, you should now just run steam. steamChrootEnv package was renamed to steam, and old steam package -- to steamOriginal.

  • CMPlayer has been renamed to bomi upstream. Package cmplayer was accordingly renamed to bomi

  • Atom Shell has been renamed to Electron upstream. Package atom-shell was accordingly renamed to electron

  • Elm is not released on Hackage anymore. You should now use elmPackages.elm which contains the latest Elm platform.

  • The CUPS printing service has been updated to version 2.0.2. Furthermore its systemd service has been renamed to cups.service.

    Local printers are no longer shared or advertised by default. This behavior can be changed by enabling services.printing.defaultShared or services.printing.browsing respectively.

  • The VirtualBox host and guest options have been named more consistently. They can now found in* instead of services.virtualboxHost.* and virtualisation.virtualbox.guest.* instead of services.virtualboxGuest.*.

    Also, there now is support for the vboxsf file system using the fileSystems configuration attribute. An example of how this can be used in a configuration:

    fileSystems."/shiny" = {
      device = "myshinysharedfolder";
      fsType = "vboxsf";

  • "nix-env -qa" no longer discovers Haskell packages by name. The only packages visible in the global scope are ghc, cabal-install, and stack, but all other packages are hidden. The reason for this inconvenience is the sheer size of the Haskell package set. Name-based lookups are expensive, and most nix-env -qa operations would become much slower if we'd add the entire Hackage database into the top level attribute set. Instead, the list of Haskell packages can be displayed by running:

    nix-env -f "<nixpkgs>" -qaP -A haskellPackages

    Executable programs written in Haskell can be installed with:

    nix-env -f "<nixpkgs>" -iA haskellPackages.pandoc

    Installing Haskell libraries this way, however, is no longer supported. See the next item for more details.

  • Previous versions of NixOS came with a feature called ghc-wrapper, a small script that allowed GHC to transparently pick up on libraries installed in the user's profile. This feature has been deprecated; ghc-wrapper was removed from the distribution. The proper way to register Haskell libraries with the compiler now is the haskellPackages.ghcWithPackages function. The User's Guide to the Haskell Infrastructure provides more information about this subject.

  • All Haskell builds that have been generated with version 1.x of the cabal2nix utility are now invalid and need to be re-generated with a current version of cabal2nix to function. The most recent version of this tool can be installed by running nix-env -i cabal2nix.

  • The haskellPackages set in Nixpkgs used to have a function attribute called extension that users could override in their ~/.nixpkgs/config.nix files to configure additional attributes, etc. That function still exists, but it's now called overrides.

  • The OpenBLAS library has been updated to version 0.2.14. Support for the x86_64-darwin platform was added. Dynamic architecture detection was enabled; OpenBLAS now selects microarchitecture-optimized routines at runtime, so optimal performance is achieved without the need to rebuild OpenBLAS locally. OpenBLAS has replaced ATLAS in most packages which use an optimized BLAS or LAPACK implementation.

  • The phpfpm is now using the default PHP version (pkgs.php) instead of PHP 5.4 (pkgs.php54).

  • The locate service no longer indexes the Nix store by default, preventing packages with potentially numerous versions from cluttering the output. Indexing the store can be activated by setting services.locate.includeStore = true.

  • The Nix expression search path (NIX_PATH) no longer contains /etc/nixos/nixpkgs by default. You can override NIX_PATH by setting nix.nixPath.

  • Python 2.6 has been marked as broken (as it no longer receives security updates from upstream).

  • Any use of module arguments such as pkgs to access library functions, or to define imports attributes will now lead to an infinite loop at the time of the evaluation.

    In case of an infinite loop, use the --show-trace command line argument and read the line just above the error message.

    $ nixos-rebuild build --show-trace
    while evaluating the module argument `pkgs' in "/etc/nixos/my-module.nix":
    infinite recursion encountered

    Any use of pkgs.lib, should be replaced by lib, after adding it as argument of the module. The following module

    { config, pkgs, ... }:
    with pkgs.lib;
      options = {
        foo = mkOption { … };
      config = mkIf { … };

    should be modified to look like:

    { config, pkgs, lib, ... }:
    with lib;
      options = {
        foo = mkOption { option declaration };
      config = mkIf { option definition };

    When pkgs is used to download other projects to import their modules, and only in such cases, it should be replaced by (import <nixpkgs> {}). The following module

    { config, pkgs, ... }:
      myProject = pkgs.fetchurl {
        src = url;
        sha256 = hash;
      imports = [ "${myProject}/module.nix" ];

    should be modified to look like:

    { config, pkgs, ... }:
      myProject = (import <nixpkgs> {}).fetchurl {
        src = url;
        sha256 = hash;
      imports = [ "${myProject}/module.nix" ];

Other notable improvements:

  • The nixos and nixpkgs channels were unified, so one can use nix-env -iA nixos.bash instead of nix-env -iA nixos.pkgs.bash. See the commit for details.

  • Users running an SSH server who worry about the quality of their /etc/ssh/moduli file with respect to the vulnerabilities discovered in the Diffie-Hellman key exchange can now replace OpenSSH's default version with one they generated themselves using the new services.openssh.moduliFile option.

  • A newly packaged TeX Live 2015 is provided in pkgs.texlive, split into 6500 nix packages. For basic user documentation see the source. Beware of an issue when installing a too large package set. The plan is to deprecate and maybe delete the original TeX packages until the next release.

  • buildEnv.env on all Python interpreters is now available for nix-shell interoperability.

B.8. Release 14.12 (“Caterpillar”, 2014/12/30)

In addition to numerous new and upgraded packages, this release has the following highlights:

  • Systemd has been updated to version 217, which has numerous improvements.

  • Nix has been updated to 1.8.

  • NixOS is now based on Glibc 2.20.

  • KDE has been updated to 4.14.

  • The default Linux kernel has been updated to 3.14.

  • If users.mutableUsers is enabled (the default), changes made to the declaration of a user or group will be correctly realised when running nixos-rebuild. For instance, removing a user specification from configuration.nix will cause the actual user account to be deleted. If users.mutableUsers is disabled, it is no longer necessary to specify UIDs or GIDs; if omitted, they are allocated dynamically.

Following new services were added since the last release:

  • atftpd

  • bosun

  • bspwm

  • chronos

  • collectd

  • consul

  • cpuminer-cryptonight

  • crashplan

  • dnscrypt-proxy

  • docker-registry

  • docker

  • etcd

  • fail2ban

  • fcgiwrap

  • fleet

  • fluxbox

  • gdm

  • geoclue2

  • gitlab

  • gitolite

  • gnome3.gnome-documents

  • gnome3.gnome-online-miners

  • gnome3.gvfs

  • gnome3.seahorse

  • hbase

  • i2pd

  • influxdb

  • kubernetes

  • liquidsoap

  • lxc

  • mailpile

  • mesos

  • mlmmj

  • monetdb

  • mopidy

  • neo4j

  • nsd

  • openntpd

  • opentsdb

  • openvswitch

  • parallels-guest

  • peerflix

  • phd

  • polipo

  • prosody

  • radicale

  • redmine

  • riemann

  • scollector

  • seeks

  • siproxd

  • strongswan

  • tcsd

  • teamspeak3

  • thermald

  • torque/mrom

  • torque/server

  • uhub

  • unifi

  • znc

  • zookeeper

When upgrading from a previous release, please be aware of the following incompatible changes:

  • The default version of Apache httpd is now 2.4. If you use the extraConfig option to pass literal Apache configuration text, you may need to update it — see Apache’s documentation for details. If you wish to continue to use httpd 2.2, add the following line to your NixOS configuration:

    services.httpd.package = pkgs.apacheHttpd_2_2;

  • PHP 5.3 has been removed because it is no longer supported by the PHP project. A migration guide is available.

  • The host side of a container virtual Ethernet pair is now called ve-container-name rather than c-container-name.

  • GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.

  • VirtualBox has been upgraded to 4.3.20 release. Users may be required to run rm -rf /tmp/.vbox*. The line imports = [ <nixpkgs/nixos/modules/programs/virtualbox.nix> ] is no longer necessary, use services.virtualboxHost.enable = true instead.

    Also, hardening mode is now enabled by default, which means that unless you want to use USB support, you no longer need to be a member of the vboxusers group.

  • Chromium has been updated to 39.0.2171.65. enablePepperPDF is now enabled by default. chromium*Wrapper packages no longer exist, because upstream removed NSAPI support. chromium-stable has been renamed to chromium.

  • Python packaging documentation is now part of nixpkgs manual. To override the python packages available to a custom python you now use pkgs.pythonFull.buildEnv.override instead of pkgs.pythonFull.override.

  • boot.resumeDevice = "8:6" is no longer supported. Most users will want to leave it undefined, which takes the swap partitions automatically. There is an evaluation assertion to ensure that the string starts with a slash.

  • The system-wide default timezone for NixOS installations changed from CET to UTC. To choose a different timezone for your system, configure time.timeZone in configuration.nix. A fairly complete list of possible values for that setting is available at

  • GNU screen has been updated to 4.2.1, which breaks the ability to connect to sessions created by older versions of screen.

  • The Intel GPU driver was updated to the 3.x prerelease version (used by most distributions) and supports DRI3 now.

B.9. Release 14.04 (“Baboon”, 2014/04/30)

This is the second stable release branch of NixOS. In addition to numerous new and upgraded packages and modules, this release has the following highlights:

  • Installation on UEFI systems is now supported. See Chapter 2, Installing NixOS for details.

  • Systemd has been updated to version 212, which has numerous improvements. NixOS now automatically starts systemd user instances when you log in. You can define global user units through the systemd.unit.* options.

  • NixOS is now based on Glibc 2.19 and GCC 4.8.

  • The default Linux kernel has been updated to 3.12.

  • KDE has been updated to 4.12.

  • GNOME 3.10 experimental support has been added.

  • Nix has been updated to 1.7 (details).

  • NixOS now supports fully declarative management of users and groups. If you set users.mutableUsers to false, then the contents of /etc/passwd and /etc/group will be congruent to your NixOS configuration. For instance, if you remove a user from users.extraUsers and run nixos-rebuild, the user account will cease to exist. Also, imperative commands for managing users and groups, such as useradd, are no longer available. If users.mutableUsers is true (the default), then behaviour is unchanged from NixOS 13.10.

  • NixOS now has basic container support, meaning you can easily run a NixOS instance as a container in a NixOS host system. These containers are suitable for testing and experimentation but not production use, since they’re not fully isolated from the host. See Chapter 35, Container Management for details.

  • Systemd units provided by packages can now be overridden from the NixOS configuration. For instance, if a package foo provides systemd units, you can say:

    systemd.packages = [ ];

    to enable those units. You can then set or override unit options in the usual way, e.g. = [ "" ]; = "512M";

When upgrading from a previous release, please be aware of the following incompatible changes:

  • Nixpkgs no longer exposes unfree packages by default. If your NixOS configuration requires unfree packages from Nixpkgs, you need to enable support for them explicitly by setting:

    nixpkgs.config.allowUnfree = true;

    Otherwise, you get an error message such as:

    error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:56’
      has an unfree license, refusing to evaluate

  • The Adobe Flash player is no longer enabled by default in the Firefox and Chromium wrappers. To enable it, you must set:

    nixpkgs.config.allowUnfree = true;
    nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox
    nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium

  • The firewall is now enabled by default. If you don’t want this, you need to disable it explicitly:

    networking.firewall.enable = false;

  • The option boot.loader.grub.memtest86 has been renamed to boot.loader.grub.memtest86.enable.

  • The mysql55 service has been merged into the mysql service, which no longer sets a default for the option services.mysql.package.

  • Package variants are now differentiated by suffixing the name, rather than the version. For instance, sqlite- is now called sqlite-interactive- This ensures that nix-env -i sqlite is unambiguous, and that nix-env -u won’t “upgrade” sqlite to sqlite-interactive or vice versa. Notably, this change affects the Firefox wrapper (which provides plugins), as it is now called firefox-wrapper. So when using nix-env, you should do nix-env -e firefox; nix-env -i firefox-wrapper if you want to keep using the wrapper. This change does not affect declarative package management, since attribute names like pkgs.firefoxWrapper were already unambiguous.

  • The symlink /etc/ca-bundle.crt is gone. Programs should instead use the environment variable OPENSSL_X509_CERT_FILE (which points to /etc/ssl/certs/ca-bundle.crt).

B.10. Release 13.10 (“Aardvark”, 2013/10/31)

This is the first stable release branch of NixOS.