GitOrigin-RevId: c757e9bd77b16ca2e03c89bf8bc9ecb28e0c06ad
56 KiB
Release 23.11 (“Tapir”, 2023.11/??)
Highlights
-
FoundationDB now defaults to major version 7.
-
PostgreSQL now defaults to major version 15.
-
Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the
hostapd
package, along with a significant rework of the hostapd module. -
LXD now supports virtual machine instances to complement the existing container support
-
The
nixos-rebuild
command has been given alist-generations
subcommand. Seeman nixos-rebuild
for more details. -
systemd has been updated from v253 to v254, see the release notes for more information on the changes.
boot.resumeDevice
must be specified when hibernating if not in EFI mode.- systemd may warn your system about the permissions of your ESP partition (often
/boot
), this warning can be ignored for now, we are looking into a satisfying solution regarding this problem. - Updating with
nixos-rebuild boot
and rebooting is recommended, since in some rare cases thenixos-rebuild switch
into the new generation on a live system might fail due to missing mount units.
-
sudo-rs
, a reimplementation ofsudo
in Rust, is now supported. An experimental new modulesecurity.sudo-rs
was added. Switching to it (viasecurity.sudo.enable = false; security.sudo-rs.enable = true;
) introduces slight changes in sudo behaviour, due tosudo-rs
' current limitations:- terminfo-related environment variables aren't preserved for
root
andwheel
; root
andwheel
are not given the ability to set (or preserve) arbitrary environment variables.
- terminfo-related environment variables aren't preserved for
-
glibc has been updated from version 2.37 to 2.38, see the release notes for what was changed.
-
All ROCm packages have been updated to 5.7.0.
- ROCm package attribute sets are versioned:
rocmPackages
->rocmPackages_5
.
- ROCm package attribute sets are versioned:
-
yarn-berry
has been updated to 4.0.1. This means that NodeJS versions less than18.12
are no longer supported by it. More details at the upstream changelog. -
If the user has a custom shell enabled via
users.users.${USERNAME}.shell = ${CUSTOMSHELL}
, the assertion will require them to also setprograms.${CUSTOMSHELL}.enable = true
. This is generally safe behavior, but for anyone needing to opt out from the checkusers.users.${USERNAME}.ignoreShellProgramCheck = true
will do the job. -
Cassandra now defaults to 4.x, updated from 3.11.x.
New Services
-
MCHPRS, a multithreaded Minecraft server built for redstone. Available as services.mchprs.
-
acme-dns, a limited DNS server to handle ACME DNS challenges easily and securely. Available as services.acme-dns.
-
frp, a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. Available as services.frp.
-
river, A dynamic tiling wayland compositor. Available as programs.river.
-
wayfire, A modular and extensible wayland compositor. Available as programs.wayfire.
-
mautrix-whatsapp A Matrix-WhatsApp puppeting bridge
-
hddfancontrol, a service to regulate fan speeds based on hard drive temperature. Available as services.hddfancontrol.
-
GoToSocial, an ActivityPub social network server, written in Golang. Available as services.gotosocial.
-
Castopod, an open-source hosting platform made for podcasters who want to engage and interact with their audience. Available as services.castopod.
-
Typesense, a fast, typo-tolerant search engine for building delightful search experiences. Available as services.typesense.
- NS-USBLoader, an all-in-one tool for managing Nintendo Switch homebrew. Available as programs.ns-usbloader.
-
Mobilizon, a Fediverse platform for publishing events.
-
Anuko Time Tracker, a simple, easy to use, open source time tracking system. Available as services.anuko-time-tracker.
-
Prometheus MySQL exporter, a MySQL server exporter for Prometheus. Available as services.prometheus.exporters.mysqld.
-
LibreNMS, a auto-discovering PHP/MySQL/SNMP based network monitoring. Available as services.librenms.
-
Livebook, an interactive notebook with support for Elixir, graphs, machine learning, and more.
-
sitespeed-io, a tool that can generate metrics (timings, diagnostics) for websites. Available as services.sitespeed-io.
-
stalwart-mail, an all-in-one email server (SMTP, IMAP, JMAP). Available as services.stalwart-mail.
-
tang, a server for binding data to network presence. Available as services.tang.
-
Jool, a kernelspace NAT64 and SIIT implementation, providing translation between IPv4 and IPv6. Available as networking.jool.enable.
-
[Home Assistant Satellite], a streaming audio satellite for Home Assistant voice pipelines, where you can reuse existing mic/speaker hardware. Available as services.homeassistant-satellite.
-
Apache Guacamole, a cross-platform, clientless remote desktop gateway. Available as services.guacamole-server and services.guacamole-client services.
-
pgBouncer, a PostgreSQL connection pooler. Available as services.pgbouncer.
-
Goss, a YAML based serverspec alternative tool for validating a server's configuration. Available as services.goss.
-
trust-dns, a Rust based DNS server built to be safe and secure from the ground up. Available as services.trust-dns.
-
osquery, a SQL powered operating system instrumentation, monitoring, and analytics.
-
ebusd, a daemon for handling communication with eBUS devices connected to a 2-wire bus system (“energy bus” used by numerous heating systems). Available as services.ebusd.
-
systemd-sysupdate, atomically updates the host OS, container images, portable service images or other sources. Available as systemd.sysupdate.
-
eris-server. ERIS is an encoding for immutable storage and this server provides block exchange as well as content decoding over HTTP and through a FUSE file-system. Available as services.eris-server.
-
hardware/infiniband.nix adds infiniband subnet manager support using an opensm systemd-template service, instantiated on card guids. The module also adds kernel modules and cli tooling to help administrators debug and measure performance. Available as hardware.infiniband.enable.
-
zwave-js, a small server wrapper around Z-Wave JS to access it via a WebSocket. Available as services.zwave-js.
-
Honk, a complete ActivityPub server with minimal setup and support costs. Available as services.honk.
-
ferretdb, an open-source proxy, converting the MongoDB 6.0+ wire protocol queries to PostgreSQL or SQLite. Available as services.ferretdb.
-
MicroBin, a feature rich, performant and secure text and file sharing web application, a "paste bin". Available as services.microbin.
-
NNCP. Added nncp-daemon and nncp-caller services. Configuration is set with programs.nncp.settings and the daemons are enabled at services.nncp.
-
FastNetMon Advanced, a commercial high performance DDoS detector / sensor. Available as services.fastnetmon-advanced.
-
tuxedo-rs, Rust utilities for interacting with hardware from TUXEDO Computers.
-
certspotter, a certificate transparency log monitor. Available as services.certspotter.
-
audiobookshelf, a self-hosted audiobook and podcast server. Available as services.audiobookshelf.
-
ZITADEL, a turnkey identity and access management platform. Available as services.zitadel.
-
exportarr, Prometheus Exporters for Bazarr, Lidarr, Prowlarr, Radarr, Readarr, and Sonarr. Available as services.prometheus.exporters.exportarr-bazarr/services.prometheus.exporters.exportarr-lidarr/services.prometheus.exporters.exportarr-prowlarr/services.prometheus.exporters.exportarr-radarr/services.prometheus.exporters.exportarr-readarr/services.prometheus.exporters.exportarr-sonarr.
-
netclient, an automated WireGuard® Management Client. Available as services.netclient.
-
trunk-ng, A fork of
trunk
: Build, bundle & ship your Rust WASM application to the web -
virt-manager, an UI for managing virtual machines in libvirt, is now available as
programs.virt-manager
. -
Soft Serve, a tasty, self-hostable Git server for the command line. Available as services.soft-serve.
-
Rosenpass, a service for post-quantum-secure VPNs with WireGuard. Available as services.rosenpass.
-
c2FmZQ, an application that can securely encrypt, store, and share files, including but not limited to pictures and videos. Available as services.c2fmzq-server.
Backward Incompatibilities
-
network-online.target
has been fixed to no longer time out for systems withnetworking.useDHCP = true
andnetworking.useNetworkd = true
. Workarounds for this can be removed. -
The
boot.loader.raspberryPi
options have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs (before mid-2019) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices. -
python3.pkgs.sequoia
was removed in favor ofpython3.pkgs.pysequoia
. The latter package is based on upstream's dedicated repository for sequoia's Python bindings, where the Python bindings from gitlab:sequoia-pgp/sequoia were removed long ago. -
writeTextFile
now requiresexecutable
to be boolean, values likenull
or""
will now fail to evaluate. -
The latest version of
clonehero
now stores custom content in~/.clonehero
. See the migration instructions. Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in~/.config/unity3d/srylain Inc_/Clone Hero
. -
services.mastodon
doesn't support providing a TCP port to itsstreaming
component anymore, as upstream implemented parallelization by running multiple instances instead of running multiple processes in one instance. Please create a PR if you are interested in this feature. -
The
services.hostapd
module was rewritten to supportpasswordFile
like options, WPA3-SAE, and management of multiple interfaces. This breaks compatibility with older configurations.hostapd
is now started with additional systemd sandbox/hardening options for better security.services.hostapd.interface
was replaced with a per-radio and per-bss configuration scheme using services.hostapd.radios.services.hostapd.wpa
has been replaced by services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword and services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords which configure WPA2-PSK and WP3-SAE respectively.- The default authentication has been changed to WPA3-SAE. Options for other (legacy) schemes are still available.
-
python3.pkgs.fetchPypi
(andpython3Packages.fetchPypi
) has been deprecated in favor of top-levelfetchPypi
. -
pass
now does not containpassword-store.el
. Users should getpassword-store.el
from Emacs lisp package setemacs.pkgs.password-store
. -
services.knot
now supports.settings
from RFC42. The previous.extraConfig
still works the same, but it displays a warning now. -
mu
now does not installmu4e
files by default. Users should getmu4e
from Emacs lisp package setemacs.pkgs.mu4e
. -
mariadb
now defaults tomariadb_1011
instead ofmariadb_106
, meaning the default version was upgraded from 10.6.x to 10.11.x. See the upgrade notes for potential issues. -
getent
has been moved fromglibc
'sbin
output to its own dedicated output, reducing closure size for many dependents. Dependents using thegetent
alias should not be affected; others should move from usingglibc.bin
orgetBin glibc
togetent
(which also improves compatibility with non-glibc platforms). -
maintainers/scripts/update-luarocks-packages
is now a proper packageluarocks-packages-updater
that can be run to maintain out-of-tree luarocks packages -
The
users.users.<name>.passwordFile
has been renamed tousers.users.<name>.hashedPasswordFile
to avoid possible confusions. The option is in fact the file-based version ofhashedPassword
, notpassword
, and expects a file containing the {manpage}crypt(3)
hash of the user password. -
chromiumBeta
andchromiumDev
have been removed due to the lack of maintenance in nixpkgs. Consider usingchromium
instead. -
google-chrome-beta
andgoogle-chrome-dev
have been removed due to the lack of maintenance in nixpkgs. Consider usinggoogle-chrome
instead. -
The
services.ananicy.extraRules
option now has the type oflistOf attrs
instead ofstring
. -
buildVimPluginFrom2Nix
has been renamed tobuildVimPlugin
, which now now skipsconfigurePhase
andbuildPhase
-
JACK tools (
jack_*
exceptjack_control
) have moved from thejack2
package tojack-example-tools
-
The
waagent
service does provisioning now -
The
matrix-synapse
package & module have undergone some significant internal changes, for most setups no intervention is needed, though:- The option
services.matrix-synapse.package
is now read-only. For modifying the package, use an overlay which modifiesmatrix-synapse-unwrapped
instead. More on that below. - The
enableSystemd
&enableRedis
arguments have been removed andmatrix-synapse
has been renamed tomatrix-synapse-unwrapped
. Also, several optional dependencies (such aspsycopg2
orauthlib
) have been removed. - These optional dependencies are automatically added via a wrapper (
pkgs.matrix-synapse.override { extras = ["redis"]; }
forhiredis
&txredisapi
for instance) if the relevant config section is declared inservices.matrix-synapse.settings
. For instance, ifservices.matrix-synapse.settings.redis.enabled
is set totrue
,"redis"
will be automatically added to theextras
list ofpkgs.matrix-synapse
. - A list of all extras (and the extras enabled by default) can be found at the option's reference for
services.matrix-synapse.extras
. - In some cases (e.g. for running synapse workers) it was necessary to re-use the
PYTHONPATH
ofmatrix-synapse.service
's environment to have all plugins available. This isn't necessary anymore, insteadconfig.services.matrix-synapse.package
can be used as it points to the wrapper with properly configuredextras
and also all plugins defined viaservices.matrix-synapse.plugins
available. This is also the reason for why the option is read-only now, it's supposed to be set by the module only.
- The option
-
netbox
was updated to 3.6. NixOS'services.netbox.package
still defaults to 3.5 ifstateVersion
is earlier than 23.11. Please review upstream's breaking changes for 3.6.0 and upgrade NetBox by changingservices.netbox.package
. Database migrations will be run automatically. -
etcd
has been updated to 3.5, you will want to read the 3.3 to 3.4 and 3.4 to 3.5 upgrade guides -
gitlab
installations created or updated between versions [15.11.0, 15.11.2] have an incorrect database schema. This will become a problem when upgrading togitlab
>=16.2.0. A workaround for affected users can be found in the GitLab docs. -
consul
has been updated to1.16.0
. See the release note for more details. Once a new Consul version has started and upgraded its data directory, it generally cannot be downgraded to the previous version. -
llvmPackages_rocm
has been moved torocmPackages.llvm
. -
hip
,rocm-opencl-runtime
,rocm-opencl-icd
, androcclr
have been combined intorocmPackages.clr
. -
clang-ocl
,clr
,composable_kernel
,hipblas
,hipcc
,hip-common
,hipcub
,hipfft
,hipfort
,hipify
,hipsolver
,hipsparse
,migraphx
,miopen
,miopengemm
,rccl
,rdc
,rocalution
,rocblas
,rocdgbapi
,rocfft
,rocgdb
,rocm-cmake
,rocm-comgr
,rocm-core
,rocm-device-libs
,rocminfo
,rocmlir
,rocm-runtime
,rocm-smi
,rocm-thunk
,rocprim
,rocprofiler
,rocrand
,rocr-debug-agent
,rocsolver
,rocsparse
,rocthrust
,roctracer
,rocwmma
, andtensile
have been moved torocmPackages
. -
himalaya
has been updated to0.8.0
, which drops the native TLS support (in favor of Rustls) and add OAuth 2.0 support. See the release note for more details. -
nix-prefetch-git
now ignores global and user git config, to improve reproducibility. -
The services.caddy.acmeCA option now defaults to
null
instead of"https://acme-v02.api.letsencrypt.org/directory"
, to use all of Caddy's default ACME CAs and enable Caddy's automatic issuer fallback feature by default, as recommended by upstream. -
The default priorities of
services.nextcloud.phpOptions
have changed. This means that e.g.services.nextcloud.phpOptions."opcache.interned_strings_buffer" = "23";
doesn't discard all of the other defaults from this option anymore. The attribute values ofphpOptions
are still defaults, these can be overridden as shown here.To override all of the options (including including
upload_max_filesize
,post_max_size
andmemory_limit
which all point toservices.nextcloud.maxUploadSize
by default) can be done like this:{ services.nextcloud.phpOptions = lib.mkForce { /* ... */ }; }
-
php80
is no longer supported due to upstream not supporting this version anymore. -
PHP now defaults to PHP 8.2, updated from 8.1.
-
GraalVM has been updated to the latest version, and this brings significant changes. Upstream don't release multiple versions targeting different JVMs anymore, so now we only have one GraalVM derivation (
graalvm-ce
). While at first glance the version may seem a downgrade (22.3.1 -> 21.0.0), the major version is now following the JVM it targets (so this latest version targets JVM 21). Also some products likellvm-installable-svm
andnative-image-svm
were incorporate to the main GraalVM derivation, so they're included by default. -
GraalPy (
graalCEPackages.graalpy
), TruffleRuby (graalCEPackages.truffleruby
), GraalJS (graalCEPackages.graaljs
) and GraalNodeJS (grallCEPackages.graalnodejs
) are now indepedent from the main GraalVM derivation. -
The ISC DHCP package and corresponding module have been removed, because they are end of life upstream. See https://www.isc.org/blogs/isc-dhcp-eol/ for details and switch to a different DHCP implementation like kea or dnsmasq.
-
prometheus-unbound-exporter
has been replaced by the Let's Encrypt maintained version, since the previous version was archived. This requires some changes to the module configuration, most notablecontrolInterface
needs migration towardsunbound.host
and requires either thetcp://
orunix://
URI scheme. -
odoo
now defaults to 16, updated from 15. -
varnish
was upgraded from 7.2.x to 7.4.x, see https://varnish-cache.org/docs/7.3/whats-new/upgrading-7.3.html and https://varnish-cache.org/docs/7.4/whats-new/upgrading-7.4.html for upgrade notes. The current LTS version is still offered asvarnish60
. -
util-linux
is now supported on Darwin and is no longer an alias tounixtools
. Use theunixtools.util-linux
package for access to the Apple variants of the utilities. -
services.keyd
changed API. Now you can create multiple configuration files. -
baloo
, the file indexer/search engine used by KDE now has a patch to prevent files from constantly being reindexed when the device ids of the their underlying storage changes. This happens frequently when using btrfs or LVM. The patch has not yet been accepted upstream but it provides a significantly improved experience. When upgrading, reset baloo to get a clean index:balooctl disable ; balooctl purge ; balooctl enable
. -
The
vlock
program from thekbd
package has been moved into its own package output and should now be referenced explicitly askbd.vlock
or replaced with an alternative such as the standalonevlock
package orphyslock
. -
fileSystems.<name>.autoFormat
now usessystemd-makefs
, which does not accept formatting options. Therefore,fileSystems.<name>.formatOptions
has been removed. -
fileSystems.<name>.autoResize
now usessystemd-growfs
to resize the file system online in stage 2. This means thatf2fs
andext2
can no longer be auto resized, whilexfs
andbtrfs
now can be. -
fuse3
has been updated from 3.11.0 to 3.16.2; see ChangeLog.rst for an overview of the changes.Unsupported mount options are no longer silently accepted (since 3.15.0). The affected mount options are:
atime
,diratime
,lazytime
,nolazytime
,relatime
,norelatime
,strictatime
.For example,
$ sshfs 127.0.0.1:/home/test/testdir /home/test/sshfs_mnt -o atime`
would previously terminate successfully with the mount point established, now it outputs the error message
fuse: unknown option(s): `-o atime'
and terminates with exit status 1. -
nixos-rebuild {switch,boot,test,dry-activate}
now runs the system activation insidesystemd-run
, creating an ephemeral systemd service and protecting the system switch against issues like network disconnections during remote (e.g. SSH) sessions. This has the side effect of running the switch in an isolated environment, that could possible break post-switch scripts that depends on things like environment variables being set. If you want to opt-out from this behavior for now, you may set theNIXOS_SWITCH_USE_DIRTY_ENV
environment variable before runningnixos-rebuild
. However, keep in mind that this option will be removed in the future. -
The
services.vaultwarden.config
option default value was changed to make Vaultwarden only listen on localhost, following the secure defaults for most NixOS services. -
services.lemmy.settings.federation
was removed in 0.17.0 and no longer has any effect. To enable federation, the hostname must be set in the configuration file and then federation must be enabled in the admin web UI. See the release notes for more details. -
pict-rs
was upgraded from 0.3 to 0.4 and contains an incompatible database & configuration change. To upgrade on systems withstateVersion = "23.05";
or older follow the migration steps from https://git.asonix.dog/asonix/pict-rs#user-content-0-3-to-0-4-migration-guide and setservices.pict-rs.package = pkgs.pict-rs;
. -
The following packages in
haskellPackages
have now a separate bin output:cabal-fmt
,calligraphy
,eventlog2html
,ghc-debug-brick
,hindent
,nixfmt
,releaser
. This means you need to replace e.g."${pkgs.haskellPackages.nixfmt}/bin/nixfmt"
with"${lib.getBin pkgs.haskellPackages.nixfmt}/bin/nixfmt"
or"${lib.getExe pkgs.haskellPackages.nixfmt}"
. The binaries also won’t be in scope if you rely on them being installed e.g. viaghcWithPackages
.environment.packages
picks thebin
output automatically, so for normal installation no intervention is required. Also, toplevel attributes likepkgs.nixfmt
are not impacted negatively by this change. -
spamassassin
no longer supports theHashcash
module. The module needs to be removed from theloadplugin
list if it was copied over from the defaultinitPreConf
option. -
nano
was removed fromenvironment.defaultPackages
. To not leave systems without a editor, nowprograms.nano.enable
is enabled by default. -
programs.nano.nanorc
andprograms.nano.syntaxHighlight
no longer have an effect unlessprograms.nano.enable
is set to true which is the default. -
services.outline.sequelizeArguments
has been removed, asoutline
no longer executes database migrations via thesequelize
cli. -
The binary of the package
cloud-sql-proxy
has changed fromcloud_sql_proxy
tocloud-sql-proxy
. -
Garage has been upgraded to 0.9.x.
services.garage.package
now needs to be explicitly set, so version upgrades can be done in a controlled fashion. For this, we exposegarage_x_y
attributes which can be set here. -
voms
andxrootd
now moves the$out/etc
content to the$etc
output instead of$out/etc.orig
, when input argumentexternalEtc
is notnull
. -
The
woodpecker-*
CI packages have been updated to 1.0.0. This release is wildly incompatible with the 0.15.X versions that were previously packaged. Please read upstream's documentation to learn how to update your CI configurations. -
The Caddy module gained a new option named
services.caddy.enableReload
which is enabled by default. It allows reloading the service instead of restarting it, if only a config file has changed. This option must be disabled if you have turned off the Caddy admin API. If you keep this option enabled, you should consider settinggrace_period
to a non-infinite value to prevent Caddy from delaying the reload indefinitely. -
mdraid support is now optional. This reduces initramfs size and prevents the potentially undesired automatic detection and activation of software RAID pools. It is disabled by default in new configurations (determined by
stateVersion
), but the appropriate settings will be generated bynixos-generate-config
when installing to a software RAID device, so the standard installation procedure should be unaffected. If you have custom configs relying on mdraid, ensure that you usestateVersion
correctly or setboot.swraid.enable
manually. On systems with an updatedstateVersion
we now also emit warnings ifmdadm.conf
does not contain the minimum required configuration necessary to run the dynamically enabled monitoring daemons. -
The
go-ethereum
package has been updated to v1.12.0. This drops support for proof-of-work. Its GraphQL API now encodes all numeric values as hex strings and the GraphQL UI is updated to version 2.0. The default database has changed fromleveldb
topebble
butleveldb
can be forced with the --db.engine=leveldb flag. Thecheckpoint-admin
command was removed along with trusted checkpoints. -
The
aseprite-unfree
package has been upgraded from 1.2.16.3 to 1.2.40. The free version of aseprite has been dropped because it is EOL and the package attribute now points to the unfree version. A maintained fork of the last free version of Aseprite, named 'LibreSprite', is available in thelibresprite
package. -
The default
kops
version is now 1.28.0 and support for 1.25 and older has been dropped. -
pharo
has been updated to latest stable (PharoVM 10.0.8), which is compatible with the latest stable and oldstable images (Pharo 10 and 11). The VM in question is the 64bit Spur. The 32bit version has been dropped due to lack of maintenance. The Cog VM has been deleted because it is severily outdated. Finally, thepharo-launcher
package has been deleted because it was not compatible with the newer VM, and due to lack of maintenance. -
Emacs mainline version 29 was introduced. This new version includes many major additions, most notably
tree-sitter
support (enabled by default) and the pgtk variant (useful for Wayland users), which is available under the attributeemacs29-pgtk
. -
Emacs macport version 29 was introduced.
-
The option
services.networking.networkmanager.enableFccUnlock
was removed in favor ofnetworking.networkmanager.fccUnlockScripts
, which allows specifying unlock scripts explicitly. The previous option enabled all unlock scripts bundled with ModemManager, which is risky, and didn't allow using vendor-provided unlock scripts at all. -
The
html-proofer
package has been updated from major version 3 to major version 5, which includes breaking changes. -
kratos
has been updated from 0.10.1 to the first stable version 1.0.0, please read the 0.10.1 to 0.11.0, 0.11.0 to 0.11.1, 0.11.1 to 0.13.0 and 0.13.0 to 1.0.0 upgrade guides. The most notable breaking change is the introduction of one-time passwords (code
) and update of the default recovery strategy fromlink
tocode
. -
The
hail
NixOS module was removed, ashail
was unmaintained since 2017. -
Package
noto-fonts-emoji
was renamed tonoto-fonts-color-emoji
; see #221181. -
Package
cloud-sql-proxy
was renamed togoogle-cloud-sql-proxy
as it cannot be used with other cloud providers.; -
Package
pash
was removed due to being archived upstream. Usepowershell
as an alternative. -
The option
services.plausible.releaseCookiePath
has been removed: Plausible does not use any distributed Erlang features, and does not plan to (see discussion), so NixOS now disables them, and the Erlang cookie becomes unnecessary. You may delete the file thatreleaseCookiePath
was set to. -
security.sudo.extraRules
now includesroot
's default rule, with ordering priority 400. This is functionally identical for users not specifying rule order, or relying onmkBefore
andmkAfter
, but may impact users callingmkOrder n
with n ≤ 400. -
X keyboard extension (XKB) options have been reorganized into a single attribute set,
services.xserver.xkb
. Specifically,services.xserver.layout
is nowservices.xserver.xkb.layout
,services.xserver.extraLayouts
is nowservices.xserver.xkb.extraLayouts
,services.xserver.xkbModel
is nowservices.xserver.xkb.model
,services.xserver.xkbOptions
is nowservices.xserver.xkb.options
,services.xserver.xkbVariant
is nowservices.xserver.xkb.variant
, andservices.xserver.xkbDir
is nowservices.xserver.xkb.dir
. -
networking.networkmanager.firewallBackend
was removed as NixOS is now using iptables-nftables-compat even when using iptables, therefore Networkmanager now uses the nftables backend unconditionally. -
lib.lists.foldl'
now always evaluates the initial accumulator argument first. If you depend on the lazier behavior, consider usinglib.lists.foldl
orbuiltins.foldl'
instead. -
lib.attrsets.foldlAttrs
now always evaluates the initial accumulator argument first. -
rome
was removed because it is no longer maintained and is succeeded bybiome
. -
The
prometheus-knot-exporter
was migrated to a version maintained by CZ.NIC. Various metric names have changed, so checking existing rules is recommended. -
The
services.mtr-exporter.target
has been removed in favor ofservices.mtr-exporter.jobs
which allows specifying multiple targets. -
blender-with-packages
has been deprecated in favor ofblender.withPackages
, for exampleblender.withPackages (ps: [ps.bpycv])
. It behaves similarly topython3.withPackages
. -
Setting
nixpkgs.config
options while providing an externalpkgs
instance will now raise an error instead of silently ignoring the options. NixOS modules no longer setnixpkgs.config
to accomodate this. This specifically affectsservices.locate
,services.xserver.displayManager.lightdm.greeters.tiny
andprograms.firefox
NixOS modules. No manual intervention should be required in most cases, however, configurations relying on those modules affecting packages outside the system environment should switch to explicit overlays. -
service.borgmatic.settings.location
andservices.borgmatic.configurations.<name>.location
are deprecated, please move your options out of sections to the global scope. -
privacyidea
(and the correspondingprivacyidea-ldap-proxy
) has been removed from nixpkgs because it has severely outdated dependencies that became unmaintainable with nixpkgs' python package-set. -
dagger
was removed because using a package calleddagger
and packaging it from source violates their trademark policy. -
win-virtio
package was renamed tovirtio-win
to be consistent with the upstream package name. -
ps3netsrv
has been replaced with the webman-mod fork, the executable has been renamed fromps3netsrv++
tops3netsrv
and cli parameters have changed. -
ssm-agent
package and module were renamed toamazon-ssm-agent
to be consistent with the upstream package name. -
services.kea.{ctrl-agent,dhcp-ddns,dhcp,dhcp6}
now use separate runtime directories instead of/run/kea
to work around the runtime directory being cleared on service start. -
mkDerivation
now rejects MD5 hashes. -
The
junicode
font package has been updated to major version 2, which is now a font family. In particular, plainJunicode.ttf
no longer exists. In addition, TrueType font files are now placed infont/truetype
instead offont/junicode-ttf
; this change does not affect use viafonts.packages
NixOS option. -
The
prayer
package as well asservices.prayer
have been removed because it's been unmaintained for several years and the author's website has vanished. -
The
chrony
NixOS module now tracks the Real-Time Clock drift from the System Clock withrtcfile
and automatically adjusts it withrtcautotrim
when it exceeds the maximum error specified inservices.chrony.autotrimThreshold
(default 30 seconds). If you enabledrtcsync
inextraConfig
, you should remove RTC related options fromextraConfig
. If you do not want chrony configured to keep the RTC in check, you can setservices.chrony.enableRTCTrimming = false;
Other Notable Changes
-
A new option
system.switch.enable
was added. By default, this is option is enabled. Disabling it makes the system unable to be reconfigured vianixos-rebuild
. This is good for image based appliances where updates are handled outside the image. -
The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove
xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
from your NixOS configuration. -
GNOME, Pantheon, Cinnamon module no longer forces Qt applications to use Adwaita style since it was buggy and is no longer maintained upstream (specifically, Cinnamon now defaults to the gtk2 style instead, following the default in Linux Mint). If you still want it, you can add the following options to your configuration but it will probably be eventually removed:
qt = { enable = true; platformTheme = "gnome"; style = "adwaita"; };
-
fontconfig
now defaults to using greyscale antialiasing instead of subpixel antialiasing because of a recommendation from one of the downstreams. You can change this value by configuring accordingly. -
The latest available version of Nextcloud is v27 (available as
pkgs.nextcloud27
). The installation logic is as follows:- If
services.nextcloud.package
is specified explicitly, this package will be installed (recommended) - If
system.stateVersion
is >=23.11,pkgs.nextcloud27
will be installed by default. - If
system.stateVersion
is >=23.05,pkgs.nextcloud26
will be installed by default. - Please note that an upgrade from v25 (or older) to v27 directly is not possible. Please upgrade to
nextcloud26
(or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaringservices.nextcloud.package = pkgs.nextcloud26;
.
- If
-
New options were added to
services.searx
for better SearXNG support, including options for the built-in rate limiter and bot protection and automatically configuring a local redis server. -
jq
was updated to 1.7, its first release in 5 years. -
zfs
was updated from 2.1.x to 2.2.0, enabling newer kernel support and adding new features. -
Elixir now defaults to version v1.15.
-
A new option was added to the virtualisation module that enables specifying explicitly named network interfaces in QEMU VMs. The existing
virtualisation.vlans
is still supported for cases where the name of the network interface is irrelevant. -
DocBook option documentation is no longer supported, all module documentation now uses markdown.
-
services.outline
can now be configured to use local filesystem storage instead of S3 storage using services.outline.storage.storageType. -
paperwork
was updated to version 2.2. Documents scanned with this version will not be visible to previous versions if you downgrade. See the upstream announcement for details and workarounds. -
buildGoModule
go-modules
attrs have been renamed togoModules
. -
The
fonts.fonts
andfonts.enableDefaultFonts
options have been renamed tofonts.packages
andfonts.enableDefaultPackages
respectively. -
The
services.sslh
module has been updated to follow RFC 0042. As such, several options have been moved to the freeform attribute set services.sslh.settings, which allows to change any of the settings in {manpage}sslh(8)
. In addition, the newly added option services.sslh.method allows to switch between the {manpage}fork(2)
, {manpage}select(2)
andlibev
-based connection handling method; see the sslh docs for a comparison. -
pkgs.openvpn3
now optionally supports systemd-resolved.programs.openvpn3
will automatically enable systemd-resolved support ifconfig.services.resolved.enable
is enabled. -
services.fail2ban.jails
can now be configured with attribute sets defining settings and filters instead of lines. The stringed optionsdaemonConfig
andextraSettings
have respectively been replaced bydaemonSettings
andjails.DEFAULT.settings
which use attribute sets. -
The application firewall
opensnitch
now uses the process monitor method eBPF as default as recommended by upstream. The method can be changed with the setting services.opensnitch.settings.ProcMonitorMethod. -
services.hedgedoc
has been heavily refactored, reducing the amount of declared options in the module. Most of the options should still work without any changes. Some options have been deprecated, as they no longer have any effect. See #244941 for more details. -
The services.woodpecker-server type was changed to list of paths to be more consistent to the woodpecker-agent module
-
The module services.ankisyncd has been switched to anki-sync-server-rs from the old python version, which was difficult to update, had not been updated in a while, and did not support recent versions of anki. Unfortunately all servers supporting new clients (newer version of anki-sync-server, anki's built in sync server and this new rust package) do not support the older sync protocol that was used in the old server, so such old clients will also need updating and in particular the anki package in nixpkgs is also being updated in this release. The module update takes care of the new config syntax and the data itself (user login and cards) are compatible, so users of the module will be able to just log in again after updating both client and server without any extra action.
-
services.matrix-synapse
has new options to configure worker processes for matrix-synapse usingservices.matrix-synapse.workers
. It's also now possible to configure a local redis server usingservices.matrix-synapse.configureRedisLocally
. -
services.nginx
gained adefaultListen
option at server-level with support for PROXY protocol listeners, alsoproxyProtocol
is now exposed inservices.nginx.virtualHosts.<name>.listen
option. It is now possible to run PROXY listeners and non-PROXY listeners at a server-level, see #213510 for more details. -
services.restic.backups
now adds wrapper scripts to your system path, which set the same environment variables as the service, so restic operations can easily be run from the command line. This behavior can be disabled by settingcreateWrapper
tofalse
, per backup configuration. -
services.prometheus.exporters
has a new exporter to monitor electrical power consumption based on PowercapRAPL sensor called Scaphandre, see #239803 for more details. -
The MariaDB C client library was upgraded from 3.2.x to 3.3.x. It is recommended to review the upstream release notes.
-
The module
services.calibre-server
has new options to configure thehost
,port
,auth.enable
,auth.mode
andauth.userDb
path, see #216497 for more details. -
Mattermost has been upgraded to extended support version 8.1 as the previously packaged extended support version 7.8 is reaching end of life. Migration may take some time, see the changelog and important upgrade notes.
-
services.prometheus.exporters
has a new exporter to monitor PHP-FPM processes, see #240394 for more details. -
services.github-runner
/services.github-runners.<name>
gained the optionnodeRuntimes
. The option defaults to[ "node20" ]
, i.e., the service supports Node.js 20 GitHub Actions only. The list of Node.js versions accepted bynodeRuntimes
tracks the versions the upstream GitHub Actions runner supports. See #249103 for details. -
programs.gnupg.agent.pinentryFlavor
is now set in/etc/gnupg/gpg-agent.conf
, and will no longer take precedence over apinentry-program
set in~/.gnupg/gpg-agent.conf
. -
programs.gnupg
now has the optionagent.settings
to set verbatim config values in/etc/gnupg/gpg-agent.conf
. -
dockerTools.buildImage
,dockerTools.buildLayeredImage
anddockerTools.streamLayeredImage
now uselib.makeOverridable
to allowdockerTools
-based images to be customized more efficiently at the nix-level. -
services.influxdb2
now supports doing an automatic initial setup and provisioning of users, organizations, buckets and authentication tokens, see #249502 for more details. -
wrapHelm
now exposespassthru.pluginsDir
which can be passed tohelmfile
. For convenience, a top-level packagehelmfile-wrapped
has been added, which inheritspassthru.pluginsDir
fromkubernetes-helm-wrapped
. See #217768 for details. -
boot.initrd.network.udhcp.enable
allows control over dhcp during stage 1 regardless of whatnetworking.useDHCP
is set to. -
Suricata was upgraded from 6.0 to 7.0 and no longer considers HTTP/2 support as experimental, see upstream release notes for more details.
-
Cloud support in the
netdata
package is now disabled by default. To enable it use thenetdataCloud
package. -
networking.nftables
now has the optionnetworking.nftables.table.<table>
to create tables and have them be updated atomically, instead of flushing the ruleset. -
networking.nftables
is no longer flushing all rulesets on every reload. Usenetworking.nftables.flushRuleset = true;
to get back the old behaviour. -
The
cawbird
package is dropped from nixpkgs, as it got broken by the Twitter API closing down and has been abandoned upstream. -
hardware.nvidia
gaineddatacenter
options for enabling NVIDIA Data Center drivers and configuration of NVLink/NVSwitch topologies throughnv-fabricmanager
. -
Certificate generation via the
security.acme
now limits the concurrent number of running certificate renewals and generation jobs, to avoid spiking resource usage when processing many certificates at once. The limit defaults to 5 and can be adjusted viamaxConcurrentRenewals
. Setting it to 0 disables the limits altogether. -
New
boot.bcache.enable
(default enabled) allows completely removingbcache
mount support. -
The module
services.mbpfan
now has the optionaggressive
enabled by default for better heat moderation. You can disable it for upstream defaults. -
security.sudo
now provides two extra options, that do not change the module's default behaviour:defaultOptions
controls the options used for the default rules;keepTerminfo
controls whetherTERMINFO
andTERMINFO_DIRS
are preserved forroot
and thewheel
group.
-
virtualisation.googleComputeImage
now providesefi
option to support UEFI booting. -
CoreDNS can now be built with external plugins by overriding
externalPlugins
andvendorHash
arguments like this:services.coredns = { enable = true; package = pkgs.coredns.override { externalPlugins = [ {name = "fanout"; repo = "github.com/networkservicemesh/fanout"; version = "v1.9.1";} ]; vendorHash = "<SRI hash>"; }; };
To get the necessary SRI hash, set
vendorHash = "";
. The build will fail and produce the correctvendorHash
in the error message.If you use this feature, updates to CoreDNS may require updating
vendorHash
by following these steps again. -
postgresql_11
has been removed since it'll stop receiving fixes on November 9 2023. -
ffmpeg
default upgraded fromffmpeg_5
toffmpeg_6
. -
fusuma
now enables the following plugins: appmatcher, keypress, sendkey, tap and wmctrl. -
services.bitcoind
now properly respects theenable
option. -
The Home Assistant module now offers support for installing custom components and lovelace modules. Available at
services.home-assistant.customComponents
andservices.home-assistant.customLovelaceModules
. -
The argument
vendorSha256
ofbuildGoModule
is deprecated. UsevendorHash
instead. (#259999)
Nixpkgs internals
-
The use of
sourceRoot = "source";
,sourceRoot = "source/subdir";
, and similar lines in package derivations using the defaultunpackPhase
is deprecated as it requiresunpackPhase
to always produce a directory named "source". UsesourceRoot = src.name
,sourceRoot = "${src.name}/subdir";
, orsetSourceRoot = "sourceRoot=$(echo */subdir)";
or similar instead. -
The
django
alias in the python package set was upgraded to Django 4.x. Applications that consume Django should always pin their python environment to a compatible major version, so they can move at their own pace.python = python3.override { packageOverrides = self: super: { django = super.django_3; }; };
-
The
qemu-vm.nix
module by default now identifies block devices via persistent names available in/dev/disk/by-*
. Because the rootDevice is identified by its filesystem label, it needs to be formatted before the VM is started. The functionality of automatically formatting the rootDevice in the initrd is removed from the QEMU module. However, for tests that depend on this functionality, a test utility for the scripted initrd is added (nixos/tests/common/auto-format-root-device.nix
). To use this in a NixOS test, import the module, e.g.imports = [ ./common/auto-format-root-device.nix ];
When you use the systemd initrd, you can automatically format the root device by settingvirtualisation.fileSystems."/".autoFormat = true;
. -
python3.pkgs.flitBuildHook
has been removed. Useflit-core
andformat = "pyproject"
instead. -
The
extend
function ofllvmPackages
has been removed due it coming from thetools
attrset thus only extending thetool
attrset. A possible replacement is to construct the set fromlibraries
andtools
, or patch nixpkgs. -
The
qemu-vm.nix
module now supports disabling overridingfileSystems
withvirtualisation.fileSystems
. This enables the user to boot VMs from "external" disk images not created by the qemu-vm module. You can stop the qemu-vm module from overridingfileSystems
by settingvirtualisation.fileSystems = lib.mkForce { };
. -
The
electron
packages now places its application files in$out/libexec/electron
instead of$out/lib/electron
. Packages using electron-builder will fail to build and need to be adjusted by changinglib
tolibexec
. -
teleport
has been upgraded from major version 12 to major version 14. Please see upstream upgrade instructions and release notes for versions 13 and 14. Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 13.x version by settingservices.teleport.package = pkgs.teleport_13
. Afterwards, this option can be removed to upgrade to the default version (14). -
The Linux kernel module
msr
(seemsr(4)
), which provides an interface to read and write the model-specific registers (MSRs) of an x86 CPU, can now be configured viahardware.cpu.x86.msr
. -
Docker now defaults to 24, as 20.10 is stopping to receive security updates and bug fixes after December 10, 2023.
-
There is a new NixOS option when writing NixOS tests
testing.initrdBackdoor
, that enablesbackdoor.service
in initrd. Requiresboot.initrd.systemd.enable
to be enabled. Boot will pause in stage 1 atinitrd.target
, and will listen for commands from theMachine
python interface, just like stage 2 normally does. This enables commands to be sent to test and debug stage 1. Usemachine.switch_root()
to leave stage 1 and proceed to stage 2.