This section lists the release notes for each stable version of NixOS and the current unstable revision.
In addition to numerous new and upgraded packages, this release has the following highlights:
End of support is planned for end of October 2018, handing over to 18.09.
Platform support: x86_64-linux and x86_64-darwin since release time (the latter isn't NixOS, really). Binaries for aarch64-linux are available, but no channel exists yet, as it's waiting for some test fixes, etc.
Nix now defaults to 2.0; see its release notes.
Core version changes: linux: 4.9 -> 4.14, glibc: 2.25 -> 2.26, gcc: 6 -> 7, systemd: 234 -> 237.
Desktop version changes: gnome: 3.24 -> 3.26, (KDE) plasma-desktop: 5.10 -> 5.12.
MariaDB 10.2, updated from 10.1, is now the default MySQL implementation. While upgrading, a few changes have been made to the infrastructure involved:
libmysql has been deprecated; please use
mysql.connector-c instead. A compatibility passthru
has been added to the MySQL packages.
The mysql57 package has a new
static output containing the static libraries,
including libmysqld.a.
PHP now defaults to PHP 7.2, updated from 7.1.
The following new services were added since the last release:
./config/krb5/default.nix
./hardware/digitalbitbox.nix
./misc/label.nix
./programs/ccache.nix
./programs/criu.nix
./programs/digitalbitbox/default.nix
./programs/less.nix
./programs/npm.nix
./programs/plotinus.nix
./programs/rootston.nix
./programs/systemtap.nix
./programs/sway.nix
./programs/udevil.nix
./programs/way-cooler.nix
./programs/yabar.nix
./programs/zsh/zsh-autoenv.nix
./services/backup/borgbackup.nix
./services/backup/crashplan-small-business.nix
./services/desktops/dleyna-renderer.nix
./services/desktops/dleyna-server.nix
./services/desktops/pipewire.nix
./services/desktops/gnome3/chrome-gnome-shell.nix
./services/desktops/gnome3/tracker-miners.nix
./services/hardware/fwupd.nix
./services/hardware/interception-tools.nix
./services/hardware/u2f.nix
./services/hardware/usbmuxd.nix
./services/mail/clamsmtp.nix
./services/mail/dkimproxy-out.nix
./services/mail/pfix-srsd.nix
./services/misc/gitea.nix
./services/misc/home-assistant.nix
./services/misc/ihaskell.nix
./services/misc/logkeys.nix
./services/misc/novacomd.nix
./services/misc/osrm.nix
./services/misc/plexpy.nix
./services/misc/pykms.nix
./services/misc/tzupdate.nix
./services/monitoring/fusion-inventory.nix
./services/monitoring/prometheus/exporters.nix
./services/network-filesystems/beegfs.nix
./services/network-filesystems/davfs2.nix
./services/network-filesystems/openafs/client.nix
./services/network-filesystems/openafs/server.nix
./services/network-filesystems/ceph.nix
./services/networking/aria2.nix
./services/networking/monero.nix
./services/networking/nghttpx/default.nix
./services/networking/nixops-dns.nix
./services/networking/rxe.nix
./services/networking/stunnel.nix
./services/web-apps/matomo.nix
./services/web-apps/restya-board.nix
./services/web-servers/mighttpd2.nix
./services/x11/fractalart.nix
./system/boot/binfmt.nix
./system/boot/grow-partition.nix
./tasks/filesystems/ecryptfs.nix
./virtualisation/hyperv-guest.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
sound.enable now defaults to false.
Dollar signs in options under services.postfix are passed
verbatim to Postfix, which will interpret them as the beginning of a
parameter expression. This was already true for string-valued options in
the previous release, but not for list-valued options. If you need to pass
literal dollar signs through Postfix, double them.
The postage package (for web-based PostgreSQL
administration) has been renamed to pgmanage. The
corresponding module has also been renamed. To migrate please rename all
services.postage options to
services.pgmanage.
Package attributes starting with a digit have been prefixed with an
underscore sign. This is to avoid quoting in the configuration and other
issues with command-line tools like nix-env. The change
affects the following packages:
2048-in-terminal →
_2048-in-terminal
90secondportraits →
_90secondportraits
2bwm → _2bwm
389-ds-base → _389-ds-base
The OpenSSH service no longer enables support for DSA keys by default, which could cause a system lockout. Update your keys or, unfavorably, re-enable DSA support manually.
DSA support was
deprecated in
OpenSSH 7.0, due to it being too weak. To re-enable support, add
PubkeyAcceptedKeyTypes +ssh-dss to the end of your
services.openssh.extraConfig.
After updating the keys to be stronger, anyone still on a pre-17.03 version is safe to jump to 17.03, as vetted here.
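To find accounts that the DSA change above would lock out, the following added example (not part of the original release notes) scans authorized_keys-style files for ssh-dss entries. The function names and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit authorized_keys-style files for DSA (ssh-dss) keys
# before upgrading. Function names are hypothetical; sample data is constructed.

# Print "file:line:comment" for every DSA key entry in the given files.
# An entry may begin with an options field (from="...", command="..."), so the
# key type is not always the first field. A real DSA key blob always starts
# with the base64 encoding of the length-prefixed string "ssh-dss", which lets
# us ignore a stray "ssh-dss" word inside a quoted command.
find_dsa_keys() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
            {
                for (i = 1; i < NF; i++) {
                    if ($i == "ssh-dss" && index($(i + 1), "AAAAB3NzaC1kc3M") == 1) {
                        comment = ""
                        for (j = i + 2; j <= NF; j++)
                            comment = comment (j > i + 2 ? " " : "") $j
                        printf "%s:%d:%s\n", file, FNR, comment
                        next
                    }
                }
            }' "$f"
    done
}

# Succeed (exit 0) when the file contains keys and every one of them is DSA,
# i.e. key-based login for that account stops working after the upgrade.
only_dsa_keys() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            total++
            for (i = 1; i < NF; i++)
                if ($i == "ssh-dss" && index($(i + 1), "AAAAB3NzaC1kc3M") == 1) {
                    dsa++
                    next
                }
        }
        END { exit !(total > 0 && dsa == total) }
    ' "$1"
}

# Write a constructed sample file (truncated, non-functional keys).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 alice@laptop
ssh-dss AAAAB3NzaC1kc3MAAACBAJ3 bob@old-box
command="echo ssh-dss key" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB carol@host
from="10.0.0.0/8" ssh-dss AAAAB3NzaC1kc3MAAACBAK9 backup job
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
find_dsa_keys "$sample"
if only_dsa_keys "$sample"; then
    echo "$sample: only DSA keys, key login would break"
fi
rm -f "$sample"
```

Pass it every file sshd reads keys from, for example each account's ~/.ssh/authorized_keys, and replace the reported keys before upgrading.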
The openssh package now includes Kerberos support by
default; the openssh_with_kerberos package is now a
deprecated alias. If you do not want Kerberos support, you can do
openssh.override { withKerberos = false; }. Note, this
also applies to the openssh_hpn package.
cc-wrapper has been split in two; there is now also a
bintools-wrapper. The most commonly used files in
nix-support are now split between the two wrappers.
Some commonly used ones, like
nix-support/dynamic-linker, are duplicated for
backwards compatibility, even though they rightly belong only in
bintools-wrapper. Other more obscure ones are just
moved.
The propagation logic has been changed. The new logic, along with new
types of dependencies that go with, is thoroughly documented in the
"Specifying dependencies" section of the "Standard Environment" chapter of
the nixpkgs manual.
The old logic isn't but is easy to describe: dependencies were propagated
as the same type of dependency no matter what. In practice, that means
that many propagatedNativeBuildInputs should instead
be propagatedBuildInputs. Thankfully, that was and is
the least used type of dependency. Also, it means that some
propagatedBuildInputs should instead be
depsTargetTargetPropagated. Other types of dependencies
should be unaffected.
lib.addPassthru drv passthru is removed. Use
lib.extendDerivation true passthru drv instead.
The memcached service no longer accepts dynamic socket
paths via services.memcached.socket. Unix sockets can
still be enabled by services.memcached.enableUnixSocket and
will be accessible at /run/memcached/memcached.sock.
The hardware.amdHybridGraphics.disable option was
removed for lack of a maintainer. If you still need this module, you may
wish to include a copy of it from an older version of nixos in your
imports.
The merging of config options for
services.postfix.config was buggy. Previously, if other
options in the Postfix module like
services.postfix.useSrs were set and the user set
config options that were also set by such options, the resulting config
wouldn't include all options that were needed. They are now merged
correctly. If config options need to be overridden,
lib.mkForce or lib.mkOverride can be
used.
The following changes apply if the stateVersion is
changed to 18.03 or higher. For stateVersion = "17.09"
or lower the old behavior is preserved.
matrix-synapse uses postgresql by default instead of
sqlite. Migration instructions can be found
here.
The jid package has been removed, due to maintenance
overhead of a Go package having non-versioned dependencies.
When using services.xserver.libinput (enabled by default
in GNOME), it now handles all input devices, not just touchpads. As a
result, you might need to re-evaluate any custom Xorg configuration. In
particular, Option "XkbRules" "base" may result in
broken keyboard layout.
The attic package was removed. A maintained fork called
Borg should be used
instead. Migration instructions can be found
here.
The Piwik analytics software was renamed to Matomo:
The package pkgs.piwik was renamed to
pkgs.matomo.
The service services.piwik was renamed to
services.matomo.
The data directory /var/lib/piwik was renamed to
/var/lib/matomo. All files will be moved
automatically on first startup, but you might need to adjust your
backup scripts.
The default serverName for the nginx configuration
changed from piwik.${config.networking.hostName} to
matomo.${config.networking.hostName}.${config.networking.domain}
if config.networking.domain is set,
matomo.${config.networking.hostName} if it is not
set. If you change your serverName, remember you'll
need to update the trustedHosts[] array in
/var/lib/matomo/config/config.ini.php as well.
The piwik user was renamed to
matomo. The service will adjust ownership
automatically for files in the data directory. If you use unix socket
authentication, remember to give the new matomo user
access to the database and to change the username to
matomo in the [database] section
of /var/lib/matomo/config/config.ini.php.
If you named your database `piwik`, you might want to rename it to `matomo` to keep things clean, but this is neither enforced nor required.
nodejs-4_x is end-of-life.
nodejs-4_x, nodejs-slim-4_x and
nodePackages_4_x are removed.
The pump.io NixOS module was removed. It is now
maintained as an
external
module.
The Prosody XMPP server has received a major update. The following modules were renamed:
services.prosody.modules.httpserver is now
services.prosody.modules.http_files
services.prosody.modules.console is now
services.prosody.modules.admin_telnet
Many new modules are now core modules, most notably
services.prosody.modules.carbons and
services.prosody.modules.mam.
The better-performing libevent backend is now enabled
by default.
withCommunityModules now passes through the modules to
services.prosody.extraModules. Use
withOnlyInstalledCommunityModules for modules that
should not be enabled directly, e.g. lib_ldap.
All prometheus exporter modules are now defined as submodules. The
exporters are configured using
services.prometheus.exporters.
ZNC option services.znc.mutable now defaults to
true. That means that old configuration is not
overwritten by default when updates to the znc options are made.
The option networking.wireless.networks.<name>.auth
has been added for wireless networks with WPA-Enterprise authentication.
There is also a new extraConfig option to directly
configure wpa_supplicant and hidden to
connect to hidden networks.
In the module networking.interfaces.<name> the
following options have been removed:
ipAddress
ipv6Address
prefixLength
ipv6PrefixLength
subnetMask
To assign static addresses to an interface the options
ipv4.addresses and ipv6.addresses should
be used instead. The options ip4 and ip6
have been renamed to ipv4.addresses and
ipv6.addresses respectively. The new options
ipv4.routes and ipv6.routes have been
added to set up static routing.
The option services.logstash.listenAddress is now
127.0.0.1 by default. Previously the default behaviour
was to listen on all interfaces.
services.btrfs.autoScrub has been added, to
periodically check btrfs filesystems for data corruption. If there's a
correct copy available, it will automatically repair corrupted blocks.
displayManager.lightdm.greeters.gtk.clock-format has
been added, the clock format string (as expected by strftime, e.g.
%H:%M) to use with the lightdm gtk greeter panel.
If set to null the default clock format is used.
displayManager.lightdm.greeters.gtk.indicators has been
added, a list of allowed indicator modules to use with the lightdm gtk
greeter panel.
Built-in indicators include ~a11y,
~language, ~session,
~power, ~clock,
~host, ~spacer. Unity indicators can
be represented by short name (e.g. sound,
power), service file name, or absolute path.
If set to null the default indicators are used.
In order to have the previous default configuration add
    services.xserver.displayManager.lightdm.greeters.gtk.indicators = [
      "~host" "~spacer"
      "~clock" "~spacer"
      "~session"
      "~language"
      "~a11y"
      "~power"
    ];
to your configuration.nix.
The NixOS test driver supports user services declared by
systemd.user.services. The methods
waitForUnit, getUnitInfo,
startJob and stopJob provide an
optional $user argument for that purpose.
Enabling bash completion on NixOS,
programs.bash.enableCompletion, will now also enable
completion for the Nix command line tools by installing the
nix-bash-completions
package.
In addition to numerous new and upgraded packages, this release has the following highlights:
The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10, KDE Applications to 17.08.1 and KDE Frameworks to 5.37.
The user handling now keeps track of deallocated UIDs/GIDs. When a user or group is revived, this allows it to be allocated the UID/GID it had before. A consequence is that UIDs and GIDs are no longer reused.
The module option services.xserver.xrandrHeads now causes
the first head specified in this list to be set as the primary head. Apart
from that, it's now possible to also set additional options by using an
attribute set, for example:
    {
      services.xserver.xrandrHeads = [
        "HDMI-0"
        {
          output = "DVI-0";
          primary = true;
          monitorConfig = ''
            Option "Rotate" "right"
          '';
        }
      ];
    }
This will set the DVI-0 output to be the primary head,
even though HDMI-0 is the first head in the list.
The handling of SSL in the services.nginx module has
been cleaned up, renaming the misnamed enableSSL to
onlySSL which reflects its original intention. This is
not to be used with the already existing forceSSL which
creates a second non-SSL virtual host redirecting to the SSL virtual host.
This by chance had worked earlier due to specific implementation details.
In case you had specified both please remove the
enableSSL option to keep the previous behaviour.
Another addSSL option has been introduced to configure
both a non-SSL virtual host and an SSL virtual host with the same
configuration.
Options to configure resolver options and
upstream blocks have been introduced. See their
information for further details.
The port option has been replaced by a more generic
listen option which makes it possible to specify
multiple addresses, ports and SSL configs dependent on the new SSL
handling mentioned above.
The following new services were added since the last release:
config/fonts/fontconfig-penultimate.nix
config/fonts/fontconfig-ultimate.nix
config/terminfo.nix
hardware/sensor/iio.nix
hardware/nitrokey.nix
hardware/raid/hpsa.nix
programs/browserpass.nix
programs/gnupg.nix
programs/qt5ct.nix
programs/slock.nix
programs/thefuck.nix
security/auditd.nix
security/lock-kernel-modules.nix
service-managers/docker.nix
service-managers/trivial.nix
services/admin/salt/master.nix
services/admin/salt/minion.nix
services/audio/slimserver.nix
services/cluster/kubernetes/default.nix
services/cluster/kubernetes/dns.nix
services/cluster/kubernetes/dashboard.nix
services/continuous-integration/hail.nix
services/databases/clickhouse.nix
services/databases/postage.nix
services/desktops/gnome3/gnome-disks.nix
services/desktops/gnome3/gpaste.nix
services/logging/SystemdJournal2Gelf.nix
services/logging/heartbeat.nix
services/logging/journalwatch.nix
services/logging/syslogd.nix
services/mail/mailhog.nix
services/mail/nullmailer.nix
services/misc/airsonic.nix
services/misc/autorandr.nix
services/misc/exhibitor.nix
services/misc/fstrim.nix
services/misc/gollum.nix
services/misc/irkerd.nix
services/misc/jackett.nix
services/misc/radarr.nix
services/misc/snapper.nix
services/monitoring/osquery.nix
services/monitoring/prometheus/collectd-exporter.nix
services/monitoring/prometheus/fritzbox-exporter.nix
services/network-filesystems/kbfs.nix
services/networking/dnscache.nix
services/networking/fireqos.nix
services/networking/iwd.nix
services/networking/keepalived/default.nix
services/networking/keybase.nix
services/networking/lldpd.nix
services/networking/matterbridge.nix
services/networking/squid.nix
services/networking/tinydns.nix
services/networking/xrdp.nix
services/security/shibboleth-sp.nix
services/security/sks.nix
services/security/sshguard.nix
services/security/torify.nix
services/security/usbguard.nix
services/security/vault.nix
services/system/earlyoom.nix
services/system/saslauthd.nix
services/web-apps/nexus.nix
services/web-apps/pgpkeyserver-lite.nix
services/web-apps/piwik.nix
services/web-servers/lighttpd/collectd.nix
services/web-servers/minio.nix
services/x11/display-managers/xpra.nix
services/x11/xautolock.nix
tasks/filesystems/bcachefs.nix
tasks/powertop.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
In a Qemu-based virtualization environment, the
network interface names changed from e.g. enp0s3 to
ens3.
This is due to a kernel configuration change. The new naming is consistent with those of other Linux distributions with systemd. See #29197 for more information.
A machine is affected if the virt-what tool either
returns qemu or kvm
and has interface names used in any part of its NixOS
configuration, in particular if a static network configuration with
networking.interfaces is used.
Before rebooting affected machines, please ensure:
Change the interface names in your NixOS configuration. The first
interface will be called ens3, the second one
ens8 and starting from there incremented by 1.
After changing the interface names, rebuild your system with
nixos-rebuild boot to activate the new configuration
after a reboot. If you switch to the new configuration right away you
might lose network connectivity! If using nixops,
deploy with nixops deploy --force-reboot.
The following changes apply if the stateVersion is
changed to 17.09 or higher. For stateVersion = "17.03"
or lower the old behavior is preserved.
The postgres default version was changed from 9.5 to
9.6.
The postgres superuser name has changed from
root to postgres to more closely
follow what other Linux distributions are doing.
The postgres default dataDir has
changed from /var/db/postgres to
/var/lib/postgresql/$psqlSchema where $psqlSchema is
9.6 for example.
The mysql default dataDir has
changed from /var/mysql to
/var/lib/mysql.
Radicale's default package has changed from 1.x to 2.x. Instructions to
migrate can be found here.
It is also possible to use the newer version by setting the
package to radicale2, which is
done automatically when stateVersion is 17.09 or
higher. The extraArgs option has been added to allow
passing the data migration arguments specified in the instructions; see
the
radicale.nix
NixOS test for an example migration.
The aiccu package was removed. This is due to SixXS
sunsetting its IPv6
tunnel.
The fanctl package and fan module
have been removed due to the developers not upstreaming their iproute2
patches and lagging with compatibility to recent iproute2 versions.
Top-level idea package collection was renamed. All
JetBrains IDEs are now at jetbrains.
flexget's state database cannot be upgraded to its new
internal format, requiring removal of any existing
db-config.sqlite which will be automatically recreated.
The ipfs service no longer ignores the
dataDir option. If you've ever set this option
to anything other than the default you'll have to either unset it (so the
default gets used) or migrate the old data manually with
    dataDir=<valueOfDataDir>
    mv /var/lib/ipfs/.ipfs/* "$dataDir"
    rmdir /var/lib/ipfs/.ipfs
The caddy service was previously using an extra
.caddy directory in the data directory specified with
the dataDir option. The contents of the
.caddy directory are now expected to be in the
dataDir.
The ssh-agent user service is not started by default
anymore. Use programs.ssh.startAgent to enable it if
needed. There is also a new programs.gnupg.agent module
that creates a gpg-agent user service. It can also
serve as a SSH agent if enableSSHSupport is set.
The services.tinc.networks.<name>.listenAddress
option had a misleading name that did not correspond to its behavior. It
now correctly defines the IP to listen for incoming connections on. To
keep the previous behaviour, use
services.tinc.networks.<name>.bindToAddress
instead. Refer to the description of the options for more details.
tlsdate package and module were removed. This is due to
the project being dead and not building with openssl 1.1.
wvdial package and module were removed. This is due to
the project being dead and not building with openssl 1.1.
cc-wrapper's setup-hook now exports a number of
environment variables corresponding to binutils binaries, (e.g.
LD, STRIP, RANLIB, etc). This
is done to prevent packages' build systems guessing, which is harder to
predict, especially when cross-compiling. However, some packages have
broken due to this—their build systems either not supporting, or
claiming to support without adequate testing, taking such environment
variables as parameters.
services.firefox.syncserver now runs by default as a
non-root user. To accommodate this change, the default sqlite database
location has also been changed. Migration should work automatically. Refer
to the description of the options for more details.
The compiz window manager and package was removed. The
system support had been broken for several years.
Touchpad support should now be enabled through libinput
as synaptics is now deprecated. See the option
services.xserver.libinput.enable.
grsecurity/PaX support has been dropped, following upstream's decision to cease free support. See upstream's announcement for more information. No complete replacement for grsecurity/PaX is available presently.
services.mysql now has declarative configuration of
databases and users with the ensureDatabases and
ensureUsers options.
These options will never delete existing databases and users, especially not when the value of the options is changed.
The MySQL users will be identified using Unix socket authentication. This authenticates the Unix user with the same name only, and that without the need for a password.
If you have previously created a MySQL root user
with a password, you will need to add a
root user for unix socket authentication before using
the new options. This can be done by running the following SQL script:
    -- Note: 'root'@'%' with an empty password matches connections from any
    -- host, so make sure the server is not reachable over the network.
    CREATE USER 'root'@'%' IDENTIFIED BY '';
    GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
    FLUSH PRIVILEGES;

    -- Optionally, delete the password-authenticated user:
    -- DROP USER 'root'@'localhost';
services.mysqlBackup now works by default without any
user setup, including for users other than mysql.
By default, the mysql user is no longer the user which
performs the backup. Instead a system account
mysqlbackup is used.
The mysqlBackup service is also now using systemd
timers instead of cron.
Therefore, the services.mysqlBackup.period option no
longer exists, and has been replaced with
services.mysqlBackup.calendar, which is in the format
of
systemd.time(7).
If you expect to be sent an e-mail when the backup fails, consider using a script which monitors the systemd journal for errors. Regretfully, at present there is no built-in functionality for this.
You can check that backups still work by running systemctl start mysql-backup then systemctl status mysql-backup.
Templated systemd services, e.g. container@name, are now
handled correctly when switching to a new configuration, resulting in them
being reloaded.
Steam: the newStdcpp parameter was removed and should
not be needed anymore.
Redis has been updated to version 4 which mandates a cluster mass-restart, due to changes in the network handling, in order to ensure compatibility with networks NATing traffic.
Modules can now be disabled by using disabledModules, allowing another to take its place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release.
Updated to FreeType 2.7.1, including a new TrueType engine. The new engine replaces the Infinality engine which was the default in NixOS. The default font rendering settings are now provided by fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults are less invasive and provide rendering that is more consistent with other systems and hopefully with each font designer's intent. Some system-wide configuration has been removed from the Fontconfig NixOS module where user Fontconfig settings are available.
ZFS/SPL have been updated to 0.7.0, zfsUnstable,
splUnstable have therefore been removed.
The time.timeZone option now allows the value
null in addition to timezone strings. This value allows
changing the timezone of a system imperatively using timedatectl
set-timezone. The default timezone is still UTC.
Nixpkgs overlays may now be specified with a file as well as a directory.
The value of <nixpkgs-overlays> may be a file, and
~/.config/nixpkgs/overlays.nix can be used instead of
the ~/.config/nixpkgs/overlays directory.
See the overlays chapter of the Nixpkgs manual for more details.
Definitions for /etc/hosts can now be specified
declaratively with networking.hosts.
Two new options have been added to the installer loader, in addition to the default having changed. The kernel log verbosity has been lowered to the upstream default for the default options, in order to not spam the console when e.g. joining a network.
This therefore leads to adding a new debug option to
set the log level to the previous verbose mode, to make debugging easier,
but still accessible easily.
Additionally a copytoram option has been added, which
makes it possible to remove the install medium after booting. This allows
tethering from your phone after booting from it.
services.gitlab-runner.configOptions has been added to
specify the configuration of gitlab-runners declaratively.
services.jenkins.plugins has been added to install
plugins easily; this can be generated with jenkinsPlugins2nix.
services.postfix.config has been added to specify the
main.cf with NixOS options. Additionally, other options have been added to
the postfix module, and it has been improved further.
The GitLab package and module have been updated to the latest 10.0 release.
The systemd-boot boot loader now lists the NixOS
version, kernel version and build date of all bootable generations.
The dnscrypt-proxy service now defaults to using a random upstream
resolver, selected from the list of public non-logging resolvers with
DNSSEC support. Existing configurations can be migrated to this mode of
operation by omitting the
services.dnscrypt-proxy.resolverName option or setting it
to "random".
In addition to numerous new and upgraded packages, this release has the following highlights:
Nixpkgs is now extensible through overlays. See the Nixpkgs manual for more information.
This release is based on Glibc 2.25, GCC 5.4.0 and systemd 232. The default Linux kernel is 4.9 and Nix is at 1.11.8.
The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed.
The setuid wrapper functionality now supports setting capabilities.
X.org server uses branch 1.19. Due to ABI incompatibilities,
ati_unfree keeps forcing 1.17 and
amdgpu-pro starts forcing 1.18.
Cross compilation has been rewritten. See the nixpkgs manual for details.
The most obvious breaking change is that derivations have no
.nativeDrv nor .crossDrv and are now
cross by default, not native.
The overridePackages function has been rewritten to be
replaced by
overlays.
Packages in nixpkgs can be marked as insecure through listed vulnerabilities. See the Nixpkgs manual for more information.
PHP now defaults to PHP 7.1.
The following new services were added since the last release:
hardware/ckb.nix
hardware/mcelog.nix
hardware/usb-wwan.nix
hardware/video/capture/mwprocapture.nix
programs/adb.nix
programs/chromium.nix
programs/gphoto2.nix
programs/java.nix
programs/mtr.nix
programs/oblogout.nix
programs/vim.nix
programs/wireshark.nix
security/dhparams.nix
services/audio/ympd.nix
services/computing/boinc/client.nix
services/continuous-integration/buildbot/master.nix
services/continuous-integration/buildbot/worker.nix
services/continuous-integration/gitlab-runner.nix
services/databases/riak-cs.nix
services/databases/stanchion.nix
services/desktops/gnome3/gnome-terminal-server.nix
services/editors/infinoted.nix
services/hardware/illum.nix
services/hardware/trezord.nix
services/logging/journalbeat.nix
services/mail/offlineimap.nix
services/mail/postgrey.nix
services/misc/couchpotato.nix
services/misc/docker-registry.nix
services/misc/errbot.nix
services/misc/geoip-updater.nix
services/misc/gogs.nix
services/misc/leaps.nix
services/misc/nix-optimise.nix
services/misc/ssm-agent.nix
services/misc/sssd.nix
services/monitoring/arbtt.nix
services/monitoring/netdata.nix
services/monitoring/prometheus/default.nix
services/monitoring/prometheus/alertmanager.nix
services/monitoring/prometheus/blackbox-exporter.nix
services/monitoring/prometheus/json-exporter.nix
services/monitoring/prometheus/nginx-exporter.nix
services/monitoring/prometheus/node-exporter.nix
services/monitoring/prometheus/snmp-exporter.nix
services/monitoring/prometheus/unifi-exporter.nix
services/monitoring/prometheus/varnish-exporter.nix
services/monitoring/sysstat.nix
services/monitoring/telegraf.nix
services/monitoring/vnstat.nix
services/network-filesystems/cachefilesd.nix
services/network-filesystems/glusterfs.nix
services/network-filesystems/ipfs.nix
services/networking/dante.nix
services/networking/dnscrypt-wrapper.nix
services/networking/fakeroute.nix
services/networking/flannel.nix
services/networking/htpdate.nix
services/networking/miredo.nix
services/networking/nftables.nix
services/networking/powerdns.nix
services/networking/pdns-recursor.nix
services/networking/quagga.nix
services/networking/redsocks.nix
services/networking/wireguard.nix
services/system/cgmanager.nix
services/torrent/opentracker.nix
services/web-apps/atlassian/confluence.nix
services/web-apps/atlassian/crowd.nix
services/web-apps/atlassian/jira.nix
services/web-apps/frab.nix
services/web-apps/nixbot.nix
services/web-apps/selfoss.nix
services/web-apps/quassel-webserver.nix
services/x11/unclutter-xfixes.nix
services/x11/urxvtd.nix
system/boot/systemd-nspawn.nix
virtualisation/ecs-agent.nix
virtualisation/lxcfs.nix
virtualisation/openstack/keystone.nix
virtualisation/openstack/glance.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
Derivations have no .nativeDrv nor
.crossDrv and are now cross by default, not native.
stdenv.overrides is now expected to take
self and super arguments. See
lib.trivial.extends for what those parameters
represent.
ansible now defaults to ansible version 2 as version 1
has been removed due to a serious
vulnerability unpatched by upstream.
gnome alias has been removed along with
gtk, gtkmm and several others. Now
you need to use versioned attributes, like gnome3.
The attribute name of the Radicale daemon has been changed from
pythonPackages.radicale to radicale.
The stripHash bash function in
stdenv changed according to its documentation; it now
outputs the stripped name to stdout instead of putting
it in the variable strippedName.
PHP now scans for extra configuration .ini files in /etc/php.d instead of /etc. This prevents accidentally loading non-PHP .ini files that may be in /etc.
Two lone top-level dict dbs moved into dictdDBs. This
affects: dictdWordnet which is now at
dictdDBs.wordnet and dictdWiktionary
which is now at dictdDBs.wiktionary
Parsoid service now uses YAML configuration format.
service.parsoid.interwikis is now called
service.parsoid.wikis and is a list of either API URLs
or attribute sets as specified in parsoid's documentation.
Ntpd was replaced by
systemd-timesyncd as the default service to synchronize
system time with a remote NTP server. The old behavior can be restored by
setting services.ntp.enable to true.
Upstream time servers for all NTP implementations are now configured using
networking.timeServers.
services.nylon is now declared using named instances. As
an example:
    services.nylon = {
      enable = true;
      acceptInterface = "br0";
      bindInterface = "tun1";
      port = 5912;
    };
should be replaced with:
    services.nylon.myvpn = {
      enable = true;
      acceptInterface = "br0";
      bindInterface = "tun1";
      port = 5912;
    };
This enables you to declare a SOCKS proxy for each uplink.
The overridePackages function no longer exists. It is
replaced by
overlays. For example, the following code:
    let
      pkgs = import <nixpkgs> {};
    in
      pkgs.overridePackages (self: super: ...)
should be replaced by:
    let
      pkgs = import <nixpkgs> {};
    in
      import pkgs.path { overlays = [(self: super: ...)]; }
Autoloading connection tracking helpers is now disabled by default. This
default was also changed in the Linux kernel and is considered insecure if
not configured properly in your firewall. If you need connection tracking
helpers (i.e. for active FTP) please enable
networking.firewall.autoLoadConntrackHelpers and tune
networking.firewall.connectionTrackingModules to suit
your needs.
local_recipient_maps is not set to an empty value by
the Postfix service. It's an insecure default as stated by Postfix
documentation. Those who want to retain this setting need to set it via
services.postfix.extraConfig.
Iputils no longer provides ping6 and traceroute6. The functionality of
these tools has been integrated into ping and traceroute respectively. To
enforce an address family the new flags -4 and
-6 have been added. One notable incompatibility is that
specifying an interface (for link-local IPv6 for instance) is no longer
done with the -I flag, but by encoding the interface
into the address (ping fe80::1%eth0).
The socket handling of the services.rmilter module has
been fixed and refactored. As rmilter doesn't support binding to more than
one socket, the options bindUnixSockets and
bindInetSockets have been replaced by
services.rmilter.bindSocket.*. The default is still a
unix socket in /run/rmilter/rmilter.sock. Refer to the
options documentation for more information.
The fetch* functions no longer support md5, please use
sha256 instead.
The dnscrypt-proxy module interface has been streamlined around the
extraArgs option. Where possible, legacy option
declarations are mapped to extraArgs but will emit
warnings. The resolverList has been outright removed: to
use an unlisted resolver, use the customResolver option.
torbrowser now stores local state under
~/.local/share/tor-browser by default. Any browser
profile data from the old location, ~/.torbrowser4,
must be migrated manually.
The ihaskell, monetdb, offlineimap and sitecopy services have been removed.
The module type system has a new extensible option types feature that allows extending certain types, such as enum, through multiple option declarations of the same option across multiple modules.
jre now uses the GTK+ UI by default. This improves
visual consistency and makes Java follow system font style, improving the
situation on HighDPI displays. This has a cost of increased closure size;
for server and other headless workloads it's recommended to use
jre_headless.
Python 2.6 interpreter and package set have been removed.
The Python 2.7 interpreter does not use modules anymore. Instead, all CPython interpreters now include the whole standard library except for `tkinter`, which is available in the Python package set.
Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
Minor modifications had to be made to the interpreters in order to
generate deterministic bytecode. This has security implications and is
relevant for those using Python in a nix-shell. See the
Nixpkgs manual for details.
The Python package sets now use a fixed-point combinator and the sets are available as attributes of the interpreters.
The Python function buildPythonPackage has been
improved and can be used to build from Setuptools source, Flit source, and
precompiled Wheels.
When adding new or updating current Python libraries, the expressions
should be put in separate files in
pkgs/development/python-modules and called from
python-packages.nix.
The dnscrypt-proxy service supports synchronizing the list of public resolvers without working DNS resolution. This fixes issues caused by the resolver list becoming outdated. It also improves the viability of DNSCrypt only configurations.
Containers using bridged networking no longer lose their connection after changes to the host networking.
ZFS supports pool auto scrubbing.
The bind DNS utilities (e.g. dig) have been split into their own output
and are now also available in pkgs.dnsutils and it is
no longer necessary to pull in all of bind to use them.
Per-user configuration was moved from ~/.nixpkgs to
~/.config/nixpkgs. The former is still valid for
config.nix for backwards compatibility.
In addition to numerous new and upgraded packages, this release has the following highlights:
Many NixOS configurations and Nix packages now use significantly less disk space, thanks to the extensive work on closure size reduction. For example, the closure size of a minimal NixOS container went down from ~424 MiB in 16.03 to ~212 MiB in 16.09, while the closure size of Firefox went from ~651 MiB to ~259 MiB.
To improve security, packages are now built using various hardening features. See the Nixpkgs manual for more information.
Support for PXE netboot. See Section 2.2, “Booting from the “netboot” media (PXE)” for documentation.
X.org server 1.18. If you use the ati_unfree driver,
1.17 is still used due to an ABI incompatibility.
This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. The default Linux kernel remains 4.4.
The following new services were added since the last release:
(this will get automatically generated at release time)
When upgrading from a previous release, please be aware of the following incompatible changes:
A large number of packages have been converted to use the multiple outputs feature of Nix to greatly reduce the amount of required disk space, as mentioned above. This may require changes to any custom packages to make them build again; see the relevant chapter in the Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions related to multiple-output packages were changed late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
Previous versions of Nixpkgs had support for all versions of the LTS
Haskell package set. That support has been dropped. The previously provided
haskell.packages.lts-x_y package sets still exist in
name to avoid breaking user code, but these package sets don't actually
contain the versions mandated by the corresponding LTS release. Instead,
our package set is loosely based on the latest available LTS release, i.e.
LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will
drop those old names entirely.
The motivation for this change has been discussed at length on the
nix-dev mailing list and in GitHub issue #14897. Development strategies for
Haskell hackers who want to rely on Nix and NixOS have been described in
another nix-dev article.
Shell aliases for systemd sub-commands were dropped: start, stop, restart, status.
Redis now binds to 127.0.0.1 only instead of listening on all network interfaces. This is the default behavior of Redis 3.2.
/var/empty is now immutable. Activation script runs
chattr +i to forbid any modifications inside the folder.
See the
pull request for what bugs this caused.
GitLab's maintenance script gitlab-runner was removed and split up into the clearer gitlab-run and gitlab-rake scripts, because gitlab-runner is a component of GitLab CI.
services.xserver.libinput.accelProfile default changed
from flat to adaptive, as per
official documentation.
fonts.fontconfig.ultimate.rendering was removed because
our presets were obsolete for some time. New presets are hardcoded into
FreeType; you can select a preset via
fonts.fontconfig.ultimate.preset. You can customize
those presets via ordinary environment variables, using
environment.variables.
The audit service is no longer enabled by default. Use
security.audit.enable = true to explicitly enable it.
pkgs.linuxPackages.virtualbox now contains only the
kernel modules instead of the VirtualBox user space binaries. If you want
to reference the user space binaries, you have to use the new
pkgs.virtualbox instead.
goPackages was replaced with separated Go applications
in appropriate nixpkgs categories. Each Go package uses
its own dependency set. There's also a new go2nix tool
introduced to generate a Go package definition from its Go source
automatically.
services.mongodb.extraConfig configuration format was
changed to YAML.
PHP has been upgraded to 7.0
Other notable improvements:
Revamped grsecurity/PaX support. There is now only a single general-purpose distribution kernel and the configuration interface has been streamlined. Desktop users should be able to simply set
security.grsecurity.enable = true
to get a reasonably secure system without having to sacrifice too much functionality.
Special filesystems, like /proc, /run
and others, now have the same mount options as recommended by systemd and
are unified across different places in NixOS. Mount options are updated
during nixos-rebuild switch if possible. One benefit
from this is improved security — most such filesystems are now mounted
with noexec, nodev and/or
nosuid options.
The reverse path filter was interfering with DHCPv4 server operation in the
past. An exception for DHCPv4 and a new option to log packets that were
dropped due to the reverse path filter were added
(networking.firewall.logReversePathDrops) for easier
debugging.
Containers configuration within
containers.<name>.config is now properly typed and checked.
In particular, partial configurations are merged correctly.
The directory containing setuid wrapper programs,
/var/setuid-wrappers, is now updated atomically to prevent
failures if the switch to a new configuration is interrupted.
services.xserver.startGnuPGAgent has been removed due to
GnuPG 2.1.x bump. See
how to achieve similar behavior. You might need to pkill
gpg-agent after the upgrade to prevent a stale agent being in the
way.
Declarative users could share the uid due to the bug in the script handling conflict resolution.
Gummi boot has been replaced using systemd-boot.
Hydra package and NixOS module were added for convenience.
In addition to numerous new and upgraded packages, this release has the following highlights:
Systemd 229, bringing numerous improvements over 217.
Linux 4.4 (was 3.18).
GCC 5.3 (was 4.9). Note that GCC 5 changes the C++ ABI in an incompatible way; this may cause problems if you try to link objects compiled with different versions of GCC.
Glibc 2.23 (was 2.21).
Binutils 2.26 (was 2.23.1). See #909
Improved support for ensuring bitwise reproducible builds. For example,
stdenv now sets the environment variable SOURCE_DATE_EPOCH to a
deterministic value, and Nix has gained an option to repeat a build a number
of times to test determinism. An ongoing project, the goal of exact
reproducibility is to allow binaries to be verified independently (e.g., a
user might only trust binaries that appear in three independent binary caches).
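The "three independent binary caches" policy mentioned above can be expressed as a k-of-n agreement check over the .narinfo metadata each cache serves for a store path. This is an added example, not code from Nix or NixOS; the cache names, store path and hashes are constructed, and signature (Sig) verification is a separate step that it does not perform.

```python
"""k-of-n agreement check over .narinfo responses from independent binary caches."""
from collections import defaultdict

REQUIRED_FIELDS = ("StorePath", "NarHash", "NarSize")


def parse_narinfo(text):
    """Parse the 'Key: value' lines of a .narinfo document into a dict."""
    info = {"Sig": []}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"not a 'Key: value' line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "Sig":              # a narinfo may carry several signatures
            info["Sig"].append(value)
        else:
            info[key] = value
    missing = [f for f in REQUIRED_FIELDS if f not in info]
    if missing:
        raise ValueError("narinfo lacks " + ", ".join(missing))
    return info


def tally(responses, store_path):
    """Map each (NarHash, NarSize) claim to the set of caches that made it.

    Unparseable responses and responses about a different store path are
    ignored: they count as "no vote", never as agreement.
    """
    votes = defaultdict(set)
    for cache, text in responses.items():
        try:
            info = parse_narinfo(text)
            claim = (info["NarHash"], int(info["NarSize"]))
        except ValueError:
            continue
        if info["StorePath"] != store_path:
            continue
        votes[claim].add(cache)
    return dict(votes)


def agreed_nar(responses, store_path, k=3):
    """Return the (NarHash, NarSize) that at least k caches agree on, else None.

    If more than one claim reaches k (possible when k <= n/2) the result is
    ambiguous and nothing is trusted.
    """
    winners = [c for c, caches in tally(responses, store_path).items()
               if len(caches) >= k]
    return winners[0] if len(winners) == 1 else None


# --- constructed sample data (not real store paths, hashes or caches) ---
STORE_PATH = "/nix/store/" + "0" * 32 + "-hello-2.10"


def sample_narinfo(nar_hash, size=205968):
    return (f"StorePath: {STORE_PATH}\n"
            "URL: nar/example.nar.xz\n"
            "Compression: xz\n"
            f"NarHash: sha256:{nar_hash}\n"
            f"NarSize: {size}\n"
            "References: \n")


SAMPLE = {
    "cache-a.example": sample_narinfo("a" * 52),
    "cache-b.example": sample_narinfo("a" * 52),
    "cache-c.example": sample_narinfo("a" * 52),
    "cache-d.example": sample_narinfo("b" * 52),   # a build that differs
    "cache-e.example": "garbage\n",                # broken response
}

if __name__ == "__main__":
    for claim, caches in tally(SAMPLE, STORE_PATH).items():
        print(claim[0][:20] + "...", sorted(caches))
    print("trusted:", agreed_nar(SAMPLE, STORE_PATH, k=3))
```

Agreement only means something when the caches build independently; caches that copy binaries from one another will agree even on a non-reproducible build.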
Perl 5.22.
The following new services were added since the last release:
hardware/video/webcam/facetimehd.nix
i18n/input-method/default.nix
i18n/input-method/fcitx.nix
i18n/input-method/ibus.nix
i18n/input-method/nabi.nix
i18n/input-method/uim.nix
programs/fish.nix
security/acme.nix
security/audit.nix
security/oath.nix
services/hardware/irqbalance.nix
services/mail/dspam.nix
services/mail/opendkim.nix
services/mail/postsrsd.nix
services/mail/rspamd.nix
services/mail/rmilter.nix
services/misc/autofs.nix
services/misc/bepasty.nix
services/misc/calibre-server.nix
services/misc/cfdyndns.nix
services/misc/gammu-smsd.nix
services/misc/mathics.nix
services/misc/matrix-synapse.nix
services/misc/octoprint.nix
services/monitoring/hdaps.nix
services/monitoring/heapster.nix
services/monitoring/longview.nix
services/network-filesystems/netatalk.nix
services/network-filesystems/xtreemfs.nix
services/networking/autossh.nix
services/networking/dnschain.nix
services/networking/gale.nix
services/networking/miniupnpd.nix
services/networking/namecoind.nix
services/networking/ostinato.nix
services/networking/pdnsd.nix
services/networking/shairport-sync.nix
services/networking/supplicant.nix
services/search/kibana.nix
services/security/haka.nix
services/security/physlock.nix
services/web-apps/pump.io.nix
services/x11/hardware/libinput.nix
services/x11/window-managers/windowlab.nix
system/boot/initrd-network.nix
system/boot/initrd-ssh.nix
system/boot/loader/loader.nix
system/boot/networkd.nix
system/boot/resolved.nix
virtualisation/lxd.nix
virtualisation/rkt.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
We no longer produce graphical ISO images and VirtualBox images for
i686-linux. A minimal ISO image is still provided.
Firefox and similar browsers are now wrapped by
default. The package and attribute names are plain
firefox or midori, etc.
Backward-compatibility attributes were set up, but note that
nix-env -u will not update your
current firefox-with-plugins; you have to uninstall it
and install firefox instead.
wmiiSnap has been replaced with wmii_hg, but services.xserver.windowManager.wmii.enable has been updated accordingly so this only affects you if you have explicitly installed wmiiSnap.
The jobs NixOS option has been removed. It served as a
compatibility layer between Upstart jobs and systemd services. All services
have been rewritten to use systemd.services.
wmiimenu is removed, as it has been removed by the developers upstream. Use wimenu from the wmii-hg package.
Gitit is no longer automatically added to the module list in NixOS and as such there will not be any manual entries for it. You will need to add an import statement to your NixOS configuration in order to use it, e.g.
{
  imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ];
}
will include the Gitit service configuration options.
nginx does not accept flags for enabling and disabling
modules anymore. Instead it accepts modules argument,
which is a list of modules to be built in. All modules now reside in
nginxModules set. Example configuration:
nginx.override {
  modules = [ nginxModules.rtmp nginxModules.dav nginxModules.moreheaders ];
}
s3sync is removed, as it hasn't been developed by upstream for 4 years and only runs with ruby 1.8. For an actively developed alternative, look at tarsnap and others.
ruby_1_8 has been removed as it's not supported from upstream anymore and probably contains security issues.
tidy-html5 package is removed. Upstream only provided
(lib)tidy5 during development, and now they went back to
(lib)tidy to work as a drop-in replacement of the
original package that has been unmaintained for years. You can (still) use
the html-tidy package, which got updated to a stable
release from this new upstream.
extraDeviceOptions argument is removed from
bumblebee package. Instead there are now two separate
arguments: extraNvidiaDeviceOptions and
extraNouveauDeviceOptions for setting extra X11 options
for nvidia and nouveau drivers, respectively.
The Ctrl+Alt+Backspace key combination no longer kills
the X server by default. There's a new option
services.xserver.enableCtrlAltBackspace allowing to enable
the combination again.
emacsPackagesNg now contains all packages from the ELPA,
MELPA, and MELPA Stable repositories.
Data directory for Postfix MTA server is moved from
/var/postfix to /var/lib/postfix.
Old configurations are migrated automatically.
service.postfix module has also received many
improvements, such as correct directories' access rights, new
aliasFiles and mapFiles options and
more.
Filesystem options should now be configured as a list of strings, not a comma-separated string. The old style will continue to work, but print a warning, until the 16.09 release. An example of the new style:
fileSystems."/example" = {
  device = "/dev/sdc";
  fsType = "btrfs";
  options = [ "noatime" "compress=lzo" "space_cache" "autodefrag" ];
};
CUPS, installed by services.printing module, now has its
data directory in /var/lib/cups. Old configurations
from /etc/cups are moved there automatically, but
there might be problems. Also configuration options
services.printing.cupsdConf and
services.printing.cupsdFilesConf were removed because
they had been allowing one to override configuration variables required for
CUPS to work at all on NixOS. For most use cases,
services.printing.extraConf and new option
services.printing.extraFilesConf should be enough; if
you encounter a situation when they are not, please file a bug.
There are also Gutenprint improvements; in particular, a new option
services.printing.gutenprint is added to enable
automatic updating of Gutenprint PPMs; it's greatly recommended to enable
it instead of adding gutenprint to the
drivers list.
services.xserver.vaapiDrivers has been removed. Use
hardware.opengl.extraPackages{,32} instead. You can also
specify VDPAU drivers there.
programs.ibus moved to
i18n.inputMethod.ibus. The option
programs.ibus.plugins changed to
i18n.inputMethod.ibus.engines and the option to enable
ibus changed from programs.ibus.enable to
i18n.inputMethod.enabled.
i18n.inputMethod.enabled should be set to the used input
method name, "ibus" for ibus. An example of the new
style:
i18n.inputMethod.enabled = "ibus";
i18n.inputMethod.ibus.engines = with pkgs.ibus-engines; [ anthy mozc ];
That is equivalent to the old version:
programs.ibus.enable = true;
programs.ibus.plugins = with pkgs; [ ibus-anthy mozc ];
services.udev.extraRules option now writes rules to
99-local.rules instead of
10-local.rules. This makes all the user rules apply
after others, so their results wouldn't be overridden by anything else.
Large parts of the services.gitlab module have been
rewritten. There are new configuration options available. The
stateDir option was renamed to
statePath and the satellitesDir
option was removed. Please review the currently available options.
The option services.nsd.zones.<name>.data no longer
interprets the dollar sign ($) as a shell variable, as such it should not be
escaped anymore. Thus the following zone data:
\$ORIGIN example.com.
\$TTL 1800
@ IN SOA ns1.vpn.nbp.name. admin.example.com. (
should be modified to look like the actual file expected by nsd:
$ORIGIN example.com.
$TTL 1800
@ IN SOA ns1.vpn.nbp.name. admin.example.com. (
The services.syncthing.dataDir option now has to point to
the exact folder where syncthing is writing to. Example configuration should
look something like:
services.syncthing = {
  enable = true;
  dataDir = "/home/somebody/.syncthing";
  user = "somebody";
};
networking.firewall.allowPing is now enabled by default.
Users are encouraged to configure an appropriate rate limit for their
machines using the Kernel interface at
/proc/sys/net/ipv4/icmp_ratelimit and
/proc/sys/net/ipv6/icmp/ratelimit or using the
firewall itself, i.e. by setting the NixOS option
networking.firewall.pingLimit.
Systems with some broadcom cards used to result in a generated config that is no longer accepted. If you get errors like
error: path ‘/nix/store/*-broadcom-sta-*’ does not exist and cannot be created
you should either re-run nixos-generate-config or
manually replace
"${config.boot.kernelPackages.broadcom_sta}" by
config.boot.kernelPackages.broadcom_sta in your
/etc/nixos/hardware-configuration.nix. More discussion
is on the
github issue.
The services.xserver.startGnuPGAgent option has been
removed. GnuPG 2.1.x changed the way the gpg-agent works, and that new
approach no longer requires (or even supports) the "start everything as a
child of the agent" scheme we've implemented in NixOS for older versions.
To configure the gpg-agent for your X session, add the following code to
~/.bashrc or some file that’s sourced when your
shell is started:
GPG_TTY=$(tty)
export GPG_TTY
If you want to use gpg-agent for SSH, too, add the following to your
session initialization (e.g.
displayManager.sessionCommands)
gpg-connect-agent /bye
unset SSH_AGENT_PID
export SSH_AUTH_SOCK="''${HOME}/.gnupg/S.gpg-agent.ssh"
and make sure that
enable-ssh-support
is included in your ~/.gnupg/gpg-agent.conf. You will
need to use ssh-add to re-add your ssh keys. If gpg’s
automatic transformation of the private keys to the new format fails, you
will need to re-import your private keyring as well:
gpg --import ~/.gnupg/secring.gpg
The gpg-agent(1) man page has more details about this subject, i.e. in the "EXAMPLES" section.
Other notable improvements:
ejabberd module is brought back and now works on NixOS.
Input method support was improved. New NixOS modules (fcitx, nabi and uim), fcitx engines (chewing, hangul, m17n, mozc and table-other) and ibus engines (hangul and m17n) have been added.
In addition to numerous new and upgraded packages, this release has the following highlights:
The Haskell packages infrastructure has been re-designed from the ground up ("Haskell NG"). NixOS now distributes the latest version of every single package registered on Hackage -- well in excess of 8,000 Haskell packages. Detailed instructions on how to use that infrastructure can be found in the User's Guide to the Haskell Infrastructure. Users migrating from an earlier release may find helpful information below, in the list of backwards-incompatible changes. Furthermore, we distribute 51(!) additional Haskell package sets that provide every single LTS Haskell release since version 0.0 as well as the most recent Stackage Nightly snapshot. The announcement "Full Stackage Support in Nixpkgs" gives additional details.
Nix has been updated to version 1.10, which among other improvements enables cryptographic signatures on binary caches for improved security.
You can now keep your NixOS system up to date automatically by setting
system.autoUpgrade.enable = true;
This will cause the system to periodically check for updates in your current channel and run nixos-rebuild.
This release is based on Glibc 2.21, GCC 4.9 and Linux 3.18.
GNOME has been upgraded to 3.16.
Xfce has been upgraded to 4.12.
KDE 5 has been upgraded to KDE Frameworks 5.10, Plasma 5.3.2 and Applications 15.04.3. KDE 4 has been updated to kdelibs-4.14.10.
E19 has been upgraded to 0.16.8.15.
The following new services were added since the last release:
services/mail/exim.nix
services/misc/apache-kafka.nix
services/misc/canto-daemon.nix
services/misc/confd.nix
services/misc/devmon.nix
services/misc/gitit.nix
services/misc/ihaskell.nix
services/misc/mbpfan.nix
services/misc/mediatomb.nix
services/misc/mwlib.nix
services/misc/parsoid.nix
services/misc/plex.nix
services/misc/ripple-rest.nix
services/misc/ripple-data-api.nix
services/misc/subsonic.nix
services/misc/sundtek.nix
services/monitoring/cadvisor.nix
services/monitoring/das_watchdog.nix
services/monitoring/grafana.nix
services/monitoring/riemann-tools.nix
services/monitoring/teamviewer.nix
services/network-filesystems/u9fs.nix
services/networking/aiccu.nix
services/networking/asterisk.nix
services/networking/bird.nix
services/networking/charybdis.nix
services/networking/docker-registry-server.nix
services/networking/fan.nix
services/networking/firefox/sync-server.nix
services/networking/gateone.nix
services/networking/heyefi.nix
services/networking/i2p.nix
services/networking/lambdabot.nix
services/networking/mstpd.nix
services/networking/nix-serve.nix
services/networking/nylon.nix
services/networking/racoon.nix
services/networking/skydns.nix
services/networking/shout.nix
services/networking/softether.nix
services/networking/sslh.nix
services/networking/tinc.nix
services/networking/tlsdated.nix
services/networking/tox-bootstrapd.nix
services/networking/tvheadend.nix
services/networking/zerotierone.nix
services/scheduling/marathon.nix
services/security/fprintd.nix
services/security/hologram.nix
services/security/munge.nix
services/system/cloud-init.nix
services/web-servers/shellinabox.nix
services/web-servers/uwsgi.nix
services/x11/unclutter.nix
services/x11/display-managers/sddm.nix
system/boot/coredump.nix
system/boot/loader/loader.nix
system/boot/loader/generic-extlinux-compatible
system/boot/networkd.nix
system/boot/resolved.nix
system/boot/timesyncd.nix
tasks/filesystems/exfat.nix
tasks/filesystems/ntfs.nix
tasks/filesystems/vboxsf.nix
virtualisation/virtualbox-host.nix
virtualisation/vmware-guest.nix
virtualisation/xen-dom0.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
sshd no longer supports DSA and ECDSA host keys by default. If you have existing systems with such host keys and want to continue to use them, please set
system.stateVersion = "14.12";
The new option system.stateVersion ensures that certain
configuration changes that could break existing systems (such as the
sshd host key setting) will maintain compatibility with
the specified NixOS release. NixOps sets the state version of existing
deployments automatically.
cron is no longer enabled by default, unless you have a
non-empty services.cron.systemCronJobs. To force
cron to be enabled, set services.cron.enable =
true.
Nix now requires binary caches to be cryptographically signed. If you have
unsigned binary caches that you want to continue to use, you should set
nix.requireSignedBinaryCaches = false.
Steam now doesn't need root rights to work. Instead of using
*-steam-chrootenv, you should now just run
steam. steamChrootEnv package was
renamed to steam, and old steam
package -- to steamOriginal.
CMPlayer has been renamed to bomi upstream. Package
cmplayer was accordingly renamed to
bomi.
Atom Shell has been renamed to Electron upstream. Package
atom-shell was accordingly renamed to
electron.
Elm is not released on Hackage anymore. You should now use
elmPackages.elm which contains the latest Elm platform.
The CUPS printing service has been updated to version
2.0.2. Furthermore its systemd service has been renamed
to cups.service.
Local printers are no longer shared or advertised by default. This
behavior can be changed by enabling
services.printing.defaultShared or
services.printing.browsing respectively.
The VirtualBox host and guest options have been named more consistently.
They can now be found in virtualisation.virtualbox.host.*
instead of services.virtualboxHost.* and
virtualisation.virtualbox.guest.* instead of
services.virtualboxGuest.*.
Also, there now is support for the vboxsf file system
using the fileSystems configuration attribute. An example
of how this can be used in a configuration:
fileSystems."/shiny" = {
  device = "myshinysharedfolder";
  fsType = "vboxsf";
};
"nix-env -qa" no longer discovers Haskell
packages by name. The only packages visible in the global scope are
ghc, cabal-install, and
stack, but all other packages are hidden. The reason
for this inconvenience is the sheer size of the Haskell package set.
Name-based lookups are expensive, and most nix-env -qa
operations would become much slower if we'd add the entire Hackage
database into the top level attribute set. Instead, the list of Haskell
packages can be displayed by running:
nix-env -f "<nixpkgs>" -qaP -A haskellPackages
Executable programs written in Haskell can be installed with:
nix-env -f "<nixpkgs>" -iA haskellPackages.pandoc
Installing Haskell libraries this way, however, is no longer supported. See the next item for more details.
Previous versions of NixOS came with a feature called
ghc-wrapper, a small script that allowed GHC to
transparently pick up on libraries installed in the user's profile. This
feature has been deprecated; ghc-wrapper was removed
from the distribution. The proper way to register Haskell libraries with
the compiler now is the haskellPackages.ghcWithPackages
function. The User's Guide to the Haskell Infrastructure provides more
information about this subject.
All Haskell builds that have been generated with version 1.x of the
cabal2nix utility are now invalid and need to be
re-generated with a current version of cabal2nix to
function. The most recent version of this tool can be installed by running
nix-env -i cabal2nix.
The haskellPackages set in Nixpkgs used to have a
function attribute called extension that users could
override in their ~/.nixpkgs/config.nix files to
configure additional attributes, etc. That function still exists, but it's
now called overrides.
The OpenBLAS library has been updated to version
0.2.14. Support for the
x86_64-darwin platform was added. Dynamic architecture
detection was enabled; OpenBLAS now selects microarchitecture-optimized
routines at runtime, so optimal performance is achieved without the need
to rebuild OpenBLAS locally. OpenBLAS has replaced ATLAS in most packages
which use an optimized BLAS or LAPACK implementation.
The phpfpm is now using the default PHP version
(pkgs.php) instead of PHP 5.4
(pkgs.php54).
The locate service no longer indexes the Nix store by
default, preventing packages with potentially numerous versions from
cluttering the output. Indexing the store can be activated by setting
services.locate.includeStore = true.
The Nix expression search path (NIX_PATH) no longer
contains /etc/nixos/nixpkgs by default. You can
override NIX_PATH by setting nix.nixPath.
Python 2.6 has been marked as broken (as it no longer receives security updates from upstream).
Any use of module arguments such as pkgs to access
library functions, or to define imports attributes will
now lead to an infinite loop at the time of the evaluation.
In case of an infinite loop, use the --show-trace command line argument and read the line just above the error message.
$ nixos-rebuild build --show-trace
…
while evaluating the module argument `pkgs' in "/etc/nixos/my-module.nix":
infinite recursion encountered
Any use of pkgs.lib, should be replaced by
lib, after adding it as argument of the module. The
following module
{ config, pkgs, ... }:
with pkgs.lib;
{
  options = {
    foo = mkOption { … };
  };
  config = mkIf config.foo { … };
}
should be modified to look like:
{ config, pkgs, lib, ... }:
with lib;
{
  options = {
    foo = mkOption { option declaration };
  };
  config = mkIf config.foo { option definition };
}
When pkgs is used to download other projects to import
their modules, and only in such cases, it should be replaced by
(import <nixpkgs> {}). The following module
{ config, pkgs, ... }:
let
  myProject = pkgs.fetchurl {
    src = url;
    sha256 = hash;
  };
in
{
  imports = [ "${myProject}/module.nix" ];
}
should be modified to look like:
{ config, pkgs, ... }:
let
  myProject = (import <nixpkgs> {}).fetchurl {
    src = url;
    sha256 = hash;
  };
in
{
  imports = [ "${myProject}/module.nix" ];
}
Other notable improvements:
The nixos and nixpkgs channels were unified, so one
can use nix-env -iA nixos.bash
instead of nix-env -iA nixos.pkgs.bash. See the commit for details.
Users running an SSH server who worry about the quality of their
/etc/ssh/moduli file with respect to the vulnerabilities
discovered in the Diffie-Hellman key exchange can now replace
OpenSSH's default version with one they generated themselves using the new
services.openssh.moduliFile option.
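Before replacing the moduli file it helps to know which group sizes the current one offers. The following added example (not NixOS or OpenSSH code) parses the moduli(5) line format, measures each modulus instead of trusting its size column, and filters out small or unfinished entries; the 3072-bit threshold is an assumption, the sample entries are constructed placeholders rather than real primes, and no primality testing is done.

```python
"""Audit an OpenSSH moduli file: group sizes present and entries below a minimum."""
from collections import Counter
from typing import NamedTuple

SAFE_PRIME = 2    # moduli(5) type column: 2 = safe prime, 4 = Sophie Germain
MIN_BITS = 3072   # assumption: policy threshold chosen for this example


class Entry(NamedTuple):
    timestamp: str
    kind: int        # "type" column
    tests: int
    trials: int
    size: int        # as written in the file: bit length minus one (e.g. 2047)
    generator: int
    modulus: int


def is_data(line):
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith("#")


def parse_line(line):
    """Parse 'timestamp type tests trials size generator modulus'."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line[:40]!r}")
    ts, kind, tests, trials, size, gen, mod = fields
    # generator and modulus are hexadecimal, the other numbers decimal
    return Entry(ts, int(kind), int(tests), int(trials), int(size),
                 int(gen, 16), int(mod, 16))


def audit(text, min_bits=MIN_BITS):
    """Summarise a moduli file by measured modulus size."""
    report = {"by_bits": Counter(), "weak": 0,
              "not_safe_prime": 0, "size_mismatch": 0}
    for line in filter(is_data, text.splitlines()):
        entry = parse_line(line)
        bits = entry.modulus.bit_length()
        report["by_bits"][bits] += 1
        report["weak"] += bits < min_bits
        report["not_safe_prime"] += entry.kind != SAFE_PRIME
        report["size_mismatch"] += entry.size != bits - 1
    return report


def keep_strong(text, min_bits=MIN_BITS):
    """Return the file with only safe-prime entries of at least min_bits.

    Comments are preserved. Filtering on the size column alone would keep a
    mislabelled entry; this compares the modulus itself.
    """
    kept = []
    for line in text.splitlines():
        if not is_data(line):
            kept.append(line)
            continue
        entry = parse_line(line)
        if entry.kind == SAFE_PRIME and entry.modulus.bit_length() >= min_bits:
            kept.append(line)
    return "\n".join(kept) + "\n"


# --- constructed sample input: placeholder moduli, NOT real primes ---
def sample_line(bits, kind=SAFE_PRIME, claimed_bits=None):
    modulus = (1 << (bits - 1)) | 0xC5
    size = (claimed_bits or bits) - 1
    return f"20180101000000 {kind} 6 100 {size} 2 {modulus:X}"


SAMPLE = "\n".join([
    "# constructed sample moduli file",
    sample_line(1024),
    sample_line(2048),
    sample_line(4096),
    sample_line(4096, kind=4),               # candidate not finished to type 2
    sample_line(1024, claimed_bits=4096),    # size column does not match
]) + "\n"

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(keep_strong(SAMPLE), end="")
```

The text returned by keep_strong can be written to a file and referenced through services.openssh.moduliFile.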
A newly packaged TeX Live 2015 is provided in
pkgs.texlive, split into 6500 nix packages. For basic
user documentation see the source. Beware of an issue when installing a
too large package set. The plan is to
deprecate and maybe delete the original TeX packages until the next
release.
buildEnv.env on all Python interpreters is now available
for nix-shell interoperability.
In addition to numerous new and upgraded packages, this release has the following highlights:
Systemd has been updated to version 217, which has numerous improvements.
NixOS is now based on Glibc 2.20.
KDE has been updated to 4.14.
The default Linux kernel has been updated to 3.14.
If users.mutableUsers is enabled (the default), changes
made to the declaration of a user or group will be correctly realised when
running nixos-rebuild. For instance, removing a user
specification from configuration.nix will cause the
actual user account to be deleted. If users.mutableUsers
is disabled, it is no longer necessary to specify UIDs or GIDs; if
omitted, they are allocated dynamically.
The following new services were added since the last release:
atftpd
bosun
bspwm
chronos
collectd
consul
cpuminer-cryptonight
crashplan
dnscrypt-proxy
docker-registry
docker
etcd
fail2ban
fcgiwrap
fleet
fluxbox
gdm
geoclue2
gitlab
gitolite
gnome3.gnome-documents
gnome3.gnome-online-miners
gnome3.gvfs
gnome3.seahorse
hbase
i2pd
influxdb
kubernetes
liquidsoap
lxc
mailpile
mesos
mlmmj
monetdb
mopidy
neo4j
nsd
openntpd
opentsdb
openvswitch
parallels-guest
peerflix
phd
polipo
prosody
radicale
redmine
riemann
scollector
seeks
siproxd
strongswan
tcsd
teamspeak3
thermald
torque/mrom
torque/server
uhub
unifi
znc
zookeeper
When upgrading from a previous release, please be aware of the following incompatible changes:
The default version of Apache httpd is now 2.4. If you use the
extraConfig option to pass literal Apache configuration
text, you may need to update it; see Apache’s documentation for details.
If you wish to continue to use httpd
2.2, add the following line to your NixOS configuration:
services.httpd.package = pkgs.apacheHttpd_2_2;
PHP 5.3 has been removed because it is no longer supported by the PHP project. A migration guide is available.
The host side of a container virtual Ethernet pair is now called
ve-container-name rather than c-container-name.
GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.
VirtualBox has been upgraded to the 4.3.20 release. Users may be required to
run rm -rf /tmp/.vbox*. The line
imports = [ <nixpkgs/nixos/modules/programs/virtualbox.nix> ]
is no longer necessary; use
services.virtualboxHost.enable = true instead.
Also, hardening mode is now enabled by default, which means that unless
you want to use USB support, you no longer need to be a member of the
vboxusers group.
Chromium has been updated to 39.0.2171.65.
enablePepperPDF is now enabled by default.
chromium*Wrapper packages no longer exist, because
upstream removed NPAPI support. chromium-stable has
been renamed to chromium.
Python packaging documentation is now part of the nixpkgs manual. To override
the Python packages available to a custom Python, you now use
pkgs.pythonFull.buildEnv.override instead of
pkgs.pythonFull.override.
boot.resumeDevice = "8:6" is no longer supported. Most
users will want to leave it undefined, in which case the swap partitions
are used automatically. There is an evaluation assertion to ensure that the
string starts with a slash.
The system-wide default timezone for NixOS installations changed from
CET to UTC. To choose a different
timezone for your system, configure time.timeZone in
configuration.nix. A fairly complete list of possible
values for that setting is available at
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.
GNU screen has been updated to 4.2.1, which breaks the ability to connect to sessions created by older versions of screen.
The Intel GPU driver was updated to the 3.x prerelease version (used by most distributions) and supports DRI3 now.
This is the second stable release branch of NixOS. In addition to numerous new and upgraded packages and modules, this release has the following highlights:
Installation on UEFI systems is now supported. See Chapter 2, Installing NixOS for details.
Systemd has been updated to version 212, which has numerous improvements.
NixOS now automatically starts systemd user instances
when you log in. You can define global user units through the
systemd.unit.* options.
NixOS is now based on Glibc 2.19 and GCC 4.8.
The default Linux kernel has been updated to 3.12.
KDE has been updated to 4.12.
GNOME 3.10 experimental support has been added.
Nix has been updated to 1.7 (details).
NixOS now supports fully declarative management of users and groups. If
you set users.mutableUsers to false,
then the contents of /etc/passwd and
/etc/group will be congruent to your NixOS configuration.
For instance, if you remove a user from
users.extraUsers and run
nixos-rebuild, the user account will cease to exist.
Also, imperative commands for managing users and groups, such as
useradd, are no longer available. If
users.mutableUsers is true (the
default), then behaviour is unchanged from NixOS 13.10.
NixOS now has basic container support, meaning you can easily run a NixOS instance as a container in a NixOS host system. These containers are suitable for testing and experimentation but not production use, since they’re not fully isolated from the host. See Chapter 31, Container Management for details.
Systemd units provided by packages can now be overridden from the NixOS
configuration. For instance, if a package foo provides
systemd units, you can say:
systemd.packages = [ pkgs.foo ];
to enable those units. You can then set or override unit options in the usual way, e.g.
systemd.services.foo.wantedBy = [ "multi-user.target" ];
systemd.services.foo.serviceConfig.MemoryLimit = "512M";
When upgrading from a previous release, please be aware of the following incompatible changes:
Nixpkgs no longer exposes unfree packages by default. If your NixOS configuration requires unfree packages from Nixpkgs, you need to enable support for them explicitly by setting:
nixpkgs.config.allowUnfree = true;
Otherwise, you get an error message such as:
error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:56’ has an unfree license, refusing to evaluate
The Adobe Flash player is no longer enabled by default in the Firefox and Chromium wrappers. To enable it, you must set:
nixpkgs.config.allowUnfree = true;
nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox
nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium
The firewall is now enabled by default. If you don’t want this, you need to disable it explicitly:
networking.firewall.enable = false;
The option boot.loader.grub.memtest86 has been renamed to
boot.loader.grub.memtest86.enable.
The mysql55 service has been merged into the
mysql service, which no longer sets a default for the
option services.mysql.package.
Package variants are now differentiated by suffixing the name, rather than
the version. For instance, sqlite-3.8.4.3-interactive
is now called sqlite-interactive-3.8.4.3. This
ensures that nix-env -i sqlite is unambiguous, and that
nix-env -u won’t “upgrade”
sqlite to sqlite-interactive or vice
versa. Notably, this change affects the Firefox wrapper (which provides
plugins), as it is now called firefox-wrapper. So when
using nix-env, you should do nix-env -e
firefox; nix-env -i firefox-wrapper if you want to keep using
the wrapper. This change does not affect declarative package management,
since attribute names like pkgs.firefoxWrapper were
already unambiguous.
The symlink /etc/ca-bundle.crt is gone. Programs
should instead use the environment variable
OPENSSL_X509_CERT_FILE (which points to
/etc/ssl/certs/ca-bundle.crt).
This is the first stable release branch of NixOS.