depot/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md
Default email 2c76a4cb41 Project import generated by Copybara.
GitOrigin-RevId: c757e9bd77b16ca2e03c89bf8bc9ecb28e0c06ad
2023-11-16 04:20:00 +00:00

56 KiB
Raw Blame History

Release 23.11 (“Tapir”, 2023.11/??)

Highlights

  • FoundationDB now defaults to major version 7.

  • PostgreSQL now defaults to major version 15.

  • Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the hostapd package, along with a significant rework of the hostapd module.

  • LXD now supports virtual machine instances to complement the existing container support

  • The nixos-rebuild command has been given a list-generations subcommand. See man nixos-rebuild for more details.

  • systemd has been updated from v253 to v254, see the release notes for more information on the changes.

    • boot.resumeDevice must be specified when hibernating if not in EFI mode.
    • systemd may warn your system about the permissions of your ESP partition (often /boot), this warning can be ignored for now, we are looking into a satisfying solution regarding this problem.
    • Updating with nixos-rebuild boot and rebooting is recommended, since in some rare cases the nixos-rebuild switch into the new generation on a live system might fail due to missing mount units.
  • sudo-rs, a reimplementation of sudo in Rust, is now supported. An experimental new module security.sudo-rs was added. Switching to it (via security.sudo.enable = false; security.sudo-rs.enable = true;) introduces slight changes in sudo behaviour, due to sudo-rs' current limitations:

    • terminfo-related environment variables aren't preserved for root and wheel;
    • root and wheel are not given the ability to set (or preserve) arbitrary environment variables.
  • glibc has been updated from version 2.37 to 2.38, see the release notes for what was changed.

  • All ROCm packages have been updated to 5.7.0.

    • ROCm package attribute sets are versioned: rocmPackages -> rocmPackages_5.
  • yarn-berry has been updated to 4.0.1. This means that NodeJS versions less than 18.12 are no longer supported by it. More details at the upstream changelog.

  • If the user has a custom shell enabled via users.users.${USERNAME}.shell = ${CUSTOMSHELL}, the assertion will require them to also set programs.${CUSTOMSHELL}.enable = true. This is generally safe behavior, but for anyone needing to opt out from the check users.users.${USERNAME}.ignoreShellProgramCheck = true will do the job.

  • Cassandra now defaults to 4.x, updated from 3.11.x.

New Services

  • MCHPRS, a multithreaded Minecraft server built for redstone. Available as services.mchprs.

  • acme-dns, a limited DNS server to handle ACME DNS challenges easily and securely. Available as services.acme-dns.

  • frp, a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. Available as services.frp.

Backward Incompatibilities

  • network-online.target has been fixed to no longer time out for systems with networking.useDHCP = true and networking.useNetworkd = true. Workarounds for this can be removed.

  • The boot.loader.raspberryPi options have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs (before mid-2019) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices.

  • python3.pkgs.sequoia was removed in favor of python3.pkgs.pysequoia. The latter package is based on upstream's dedicated repository for sequoia's Python bindings, where the Python bindings from gitlab:sequoia-pgp/sequoia were removed long ago.

  • writeTextFile now requires executable to be boolean, values like null or "" will now fail to evaluate.

  • The latest version of clonehero now stores custom content in ~/.clonehero. See the migration instructions. Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in ~/.config/unity3d/srylain Inc_/Clone Hero.

  • services.mastodon doesn't support providing a TCP port to its streaming component anymore, as upstream implemented parallelization by running multiple instances instead of running multiple processes in one instance. Please create a PR if you are interested in this feature.

  • The services.hostapd module was rewritten to support passwordFile like options, WPA3-SAE, and management of multiple interfaces. This breaks compatibility with older configurations.

  • python3.pkgs.fetchPypi (and python3Packages.fetchPypi) has been deprecated in favor of top-level fetchPypi.

  • pass now does not contain password-store.el. Users should get password-store.el from Emacs lisp package set emacs.pkgs.password-store.

  • services.knot now supports .settings from RFC42. The previous .extraConfig still works the same, but it displays a warning now.

  • mu now does not install mu4e files by default. Users should get mu4e from Emacs lisp package set emacs.pkgs.mu4e.

  • mariadb now defaults to mariadb_1011 instead of mariadb_106, meaning the default version was upgraded from 10.6.x to 10.11.x. See the upgrade notes for potential issues.

  • getent has been moved from glibc's bin output to its own dedicated output, reducing closure size for many dependents. Dependents using the getent alias should not be affected; others should move from using glibc.bin or getBin glibc to getent (which also improves compatibility with non-glibc platforms).

  • maintainers/scripts/update-luarocks-packages is now a proper package luarocks-packages-updater that can be run to maintain out-of-tree luarocks packages

  • The users.users.<name>.passwordFile has been renamed to users.users.<name>.hashedPasswordFile to avoid possible confusions. The option is in fact the file-based version of hashedPassword, not password, and expects a file containing the {manpage}crypt(3) hash of the user password.

  • chromiumBeta and chromiumDev have been removed due to the lack of maintenance in nixpkgs. Consider using chromium instead.

  • google-chrome-beta and google-chrome-dev have been removed due to the lack of maintenance in nixpkgs. Consider using google-chrome instead.

  • The services.ananicy.extraRules option now has the type of listOf attrs instead of string.

  • buildVimPluginFrom2Nix has been renamed to buildVimPlugin, which now now skips configurePhase and buildPhase

  • JACK tools (jack_* except jack_control) have moved from the jack2 package to jack-example-tools

  • The waagent service does provisioning now

  • The matrix-synapse package & module have undergone some significant internal changes, for most setups no intervention is needed, though:

    • The option services.matrix-synapse.package is now read-only. For modifying the package, use an overlay which modifies matrix-synapse-unwrapped instead. More on that below.
    • The enableSystemd & enableRedis arguments have been removed and matrix-synapse has been renamed to matrix-synapse-unwrapped. Also, several optional dependencies (such as psycopg2 or authlib) have been removed.
    • These optional dependencies are automatically added via a wrapper (pkgs.matrix-synapse.override { extras = ["redis"]; } for hiredis & txredisapi for instance) if the relevant config section is declared in services.matrix-synapse.settings. For instance, if services.matrix-synapse.settings.redis.enabled is set to true, "redis" will be automatically added to the extras list of pkgs.matrix-synapse.
    • A list of all extras (and the extras enabled by default) can be found at the option's reference for services.matrix-synapse.extras.
    • In some cases (e.g. for running synapse workers) it was necessary to re-use the PYTHONPATH of matrix-synapse.service's environment to have all plugins available. This isn't necessary anymore, instead config.services.matrix-synapse.package can be used as it points to the wrapper with properly configured extras and also all plugins defined via services.matrix-synapse.plugins available. This is also the reason for why the option is read-only now, it's supposed to be set by the module only.
  • netbox was updated to 3.6. NixOS' services.netbox.package still defaults to 3.5 if stateVersion is earlier than 23.11. Please review upstream's breaking changes for 3.6.0 and upgrade NetBox by changing services.netbox.package. Database migrations will be run automatically.

  • etcd has been updated to 3.5, you will want to read the 3.3 to 3.4 and 3.4 to 3.5 upgrade guides

  • gitlab installations created or updated between versions [15.11.0, 15.11.2] have an incorrect database schema. This will become a problem when upgrading to gitlab >=16.2.0. A workaround for affected users can be found in the GitLab docs.

  • consul has been updated to 1.16.0. See the release note for more details. Once a new Consul version has started and upgraded its data directory, it generally cannot be downgraded to the previous version.

  • llvmPackages_rocm has been moved to rocmPackages.llvm.

  • hip, rocm-opencl-runtime, rocm-opencl-icd, and rocclr have been combined into rocmPackages.clr.

  • clang-ocl, clr, composable_kernel, hipblas, hipcc, hip-common, hipcub, hipfft, hipfort, hipify, hipsolver, hipsparse, migraphx, miopen, miopengemm, rccl, rdc, rocalution, rocblas, rocdgbapi, rocfft, rocgdb, rocm-cmake, rocm-comgr, rocm-core, rocm-device-libs, rocminfo, rocmlir, rocm-runtime, rocm-smi, rocm-thunk, rocprim, rocprofiler, rocrand, rocr-debug-agent, rocsolver, rocsparse, rocthrust, roctracer, rocwmma, and tensile have been moved to rocmPackages.

  • himalaya has been updated to 0.8.0, which drops the native TLS support (in favor of Rustls) and add OAuth 2.0 support. See the release note for more details.

  • nix-prefetch-git now ignores global and user git config, to improve reproducibility.

  • The services.caddy.acmeCA option now defaults to null instead of "https://acme-v02.api.letsencrypt.org/directory", to use all of Caddy's default ACME CAs and enable Caddy's automatic issuer fallback feature by default, as recommended by upstream.

  • The default priorities of services.nextcloud.phpOptions have changed. This means that e.g. services.nextcloud.phpOptions."opcache.interned_strings_buffer" = "23"; doesn't discard all of the other defaults from this option anymore. The attribute values of phpOptions are still defaults, these can be overridden as shown here.

    To override all of the options (including including upload_max_filesize, post_max_size and memory_limit which all point to services.nextcloud.maxUploadSize by default) can be done like this:

    {
      services.nextcloud.phpOptions = lib.mkForce {
        /* ... */
      };
    }
    
  • php80 is no longer supported due to upstream not supporting this version anymore.

  • PHP now defaults to PHP 8.2, updated from 8.1.

  • GraalVM has been updated to the latest version, and this brings significant changes. Upstream don't release multiple versions targeting different JVMs anymore, so now we only have one GraalVM derivation (graalvm-ce). While at first glance the version may seem a downgrade (22.3.1 -> 21.0.0), the major version is now following the JVM it targets (so this latest version targets JVM 21). Also some products like llvm-installable-svm and native-image-svm were incorporate to the main GraalVM derivation, so they're included by default.

  • GraalPy (graalCEPackages.graalpy), TruffleRuby (graalCEPackages.truffleruby), GraalJS (graalCEPackages.graaljs) and GraalNodeJS (grallCEPackages.graalnodejs) are now indepedent from the main GraalVM derivation.

  • The ISC DHCP package and corresponding module have been removed, because they are end of life upstream. See https://www.isc.org/blogs/isc-dhcp-eol/ for details and switch to a different DHCP implementation like kea or dnsmasq.

  • prometheus-unbound-exporter has been replaced by the Let's Encrypt maintained version, since the previous version was archived. This requires some changes to the module configuration, most notable controlInterface needs migration towards unbound.host and requires either the tcp:// or unix:// URI scheme.

  • odoo now defaults to 16, updated from 15.

  • varnish was upgraded from 7.2.x to 7.4.x, see https://varnish-cache.org/docs/7.3/whats-new/upgrading-7.3.html and https://varnish-cache.org/docs/7.4/whats-new/upgrading-7.4.html for upgrade notes. The current LTS version is still offered as varnish60.

  • util-linux is now supported on Darwin and is no longer an alias to unixtools. Use the unixtools.util-linux package for access to the Apple variants of the utilities.

  • services.keyd changed API. Now you can create multiple configuration files.

  • baloo, the file indexer/search engine used by KDE now has a patch to prevent files from constantly being reindexed when the device ids of the their underlying storage changes. This happens frequently when using btrfs or LVM. The patch has not yet been accepted upstream but it provides a significantly improved experience. When upgrading, reset baloo to get a clean index: balooctl disable ; balooctl purge ; balooctl enable.

  • The vlock program from the kbd package has been moved into its own package output and should now be referenced explicitly as kbd.vlock or replaced with an alternative such as the standalone vlock package or physlock.

  • fileSystems.<name>.autoFormat now uses systemd-makefs, which does not accept formatting options. Therefore, fileSystems.<name>.formatOptions has been removed.

  • fileSystems.<name>.autoResize now uses systemd-growfs to resize the file system online in stage 2. This means that f2fs and ext2 can no longer be auto resized, while xfs and btrfs now can be.

  • fuse3 has been updated from 3.11.0 to 3.16.2; see ChangeLog.rst for an overview of the changes.

    Unsupported mount options are no longer silently accepted (since 3.15.0). The affected mount options are: atime, diratime, lazytime, nolazytime, relatime, norelatime, strictatime.

    For example,

    $ sshfs 127.0.0.1:/home/test/testdir /home/test/sshfs_mnt -o atime`
    

    would previously terminate successfully with the mount point established, now it outputs the error message fuse: unknown option(s): `-o atime' and terminates with exit status 1.

  • nixos-rebuild {switch,boot,test,dry-activate} now runs the system activation inside systemd-run, creating an ephemeral systemd service and protecting the system switch against issues like network disconnections during remote (e.g. SSH) sessions. This has the side effect of running the switch in an isolated environment, that could possible break post-switch scripts that depends on things like environment variables being set. If you want to opt-out from this behavior for now, you may set the NIXOS_SWITCH_USE_DIRTY_ENV environment variable before running nixos-rebuild. However, keep in mind that this option will be removed in the future.

  • The services.vaultwarden.config option default value was changed to make Vaultwarden only listen on localhost, following the secure defaults for most NixOS services.

  • services.lemmy.settings.federation was removed in 0.17.0 and no longer has any effect. To enable federation, the hostname must be set in the configuration file and then federation must be enabled in the admin web UI. See the release notes for more details.

  • pict-rs was upgraded from 0.3 to 0.4 and contains an incompatible database & configuration change. To upgrade on systems with stateVersion = "23.05"; or older follow the migration steps from https://git.asonix.dog/asonix/pict-rs#user-content-0-3-to-0-4-migration-guide and set services.pict-rs.package = pkgs.pict-rs;.

  • The following packages in haskellPackages have now a separate bin output: cabal-fmt, calligraphy, eventlog2html, ghc-debug-brick, hindent, nixfmt, releaser. This means you need to replace e.g. "${pkgs.haskellPackages.nixfmt}/bin/nixfmt" with "${lib.getBin pkgs.haskellPackages.nixfmt}/bin/nixfmt" or "${lib.getExe pkgs.haskellPackages.nixfmt}". The binaries also wont be in scope if you rely on them being installed e.g. via ghcWithPackages. environment.packages picks the bin output automatically, so for normal installation no intervention is required. Also, toplevel attributes like pkgs.nixfmt are not impacted negatively by this change.

  • spamassassin no longer supports the Hashcash module. The module needs to be removed from the loadplugin list if it was copied over from the default initPreConf option.

  • nano was removed from environment.defaultPackages. To not leave systems without a editor, now programs.nano.enable is enabled by default.

  • programs.nano.nanorc and programs.nano.syntaxHighlight no longer have an effect unless programs.nano.enable is set to true which is the default.

  • services.outline.sequelizeArguments has been removed, as outline no longer executes database migrations via the sequelize cli.

  • The binary of the package cloud-sql-proxy has changed from cloud_sql_proxy to cloud-sql-proxy.

  • Garage has been upgraded to 0.9.x. services.garage.package now needs to be explicitly set, so version upgrades can be done in a controlled fashion. For this, we expose garage_x_y attributes which can be set here.

  • voms and xrootd now moves the $out/etc content to the $etc output instead of $out/etc.orig, when input argument externalEtc is not null.

  • The woodpecker-* CI packages have been updated to 1.0.0. This release is wildly incompatible with the 0.15.X versions that were previously packaged. Please read upstream's documentation to learn how to update your CI configurations.

  • The Caddy module gained a new option named services.caddy.enableReload which is enabled by default. It allows reloading the service instead of restarting it, if only a config file has changed. This option must be disabled if you have turned off the Caddy admin API. If you keep this option enabled, you should consider setting grace_period to a non-infinite value to prevent Caddy from delaying the reload indefinitely.

  • mdraid support is now optional. This reduces initramfs size and prevents the potentially undesired automatic detection and activation of software RAID pools. It is disabled by default in new configurations (determined by stateVersion), but the appropriate settings will be generated by nixos-generate-config when installing to a software RAID device, so the standard installation procedure should be unaffected. If you have custom configs relying on mdraid, ensure that you use stateVersion correctly or set boot.swraid.enable manually. On systems with an updated stateVersion we now also emit warnings if mdadm.conf does not contain the minimum required configuration necessary to run the dynamically enabled monitoring daemons.

  • The go-ethereum package has been updated to v1.12.0. This drops support for proof-of-work. Its GraphQL API now encodes all numeric values as hex strings and the GraphQL UI is updated to version 2.0. The default database has changed from leveldb to pebble but leveldb can be forced with the --db.engine=leveldb flag. The checkpoint-admin command was removed along with trusted checkpoints.

  • The aseprite-unfree package has been upgraded from 1.2.16.3 to 1.2.40. The free version of aseprite has been dropped because it is EOL and the package attribute now points to the unfree version. A maintained fork of the last free version of Aseprite, named 'LibreSprite', is available in the libresprite package.

  • The default kops version is now 1.28.0 and support for 1.25 and older has been dropped.

  • pharo has been updated to latest stable (PharoVM 10.0.8), which is compatible with the latest stable and oldstable images (Pharo 10 and 11). The VM in question is the 64bit Spur. The 32bit version has been dropped due to lack of maintenance. The Cog VM has been deleted because it is severily outdated. Finally, the pharo-launcher package has been deleted because it was not compatible with the newer VM, and due to lack of maintenance.

  • Emacs mainline version 29 was introduced. This new version includes many major additions, most notably tree-sitter support (enabled by default) and the pgtk variant (useful for Wayland users), which is available under the attribute emacs29-pgtk.

  • Emacs macport version 29 was introduced.

  • The option services.networking.networkmanager.enableFccUnlock was removed in favor of networking.networkmanager.fccUnlockScripts, which allows specifying unlock scripts explicitly. The previous option enabled all unlock scripts bundled with ModemManager, which is risky, and didn't allow using vendor-provided unlock scripts at all.

  • The html-proofer package has been updated from major version 3 to major version 5, which includes breaking changes.

  • kratos has been updated from 0.10.1 to the first stable version 1.0.0, please read the 0.10.1 to 0.11.0, 0.11.0 to 0.11.1, 0.11.1 to 0.13.0 and 0.13.0 to 1.0.0 upgrade guides. The most notable breaking change is the introduction of one-time passwords (code) and update of the default recovery strategy from link to code.

  • The hail NixOS module was removed, as hail was unmaintained since 2017.

  • Package noto-fonts-emoji was renamed to noto-fonts-color-emoji; see #221181.

  • Package cloud-sql-proxy was renamed to google-cloud-sql-proxy as it cannot be used with other cloud providers.;

  • Package pash was removed due to being archived upstream. Use powershell as an alternative.

  • The option services.plausible.releaseCookiePath has been removed: Plausible does not use any distributed Erlang features, and does not plan to (see discussion), so NixOS now disables them, and the Erlang cookie becomes unnecessary. You may delete the file that releaseCookiePath was set to.

  • security.sudo.extraRules now includes root's default rule, with ordering priority 400. This is functionally identical for users not specifying rule order, or relying on mkBefore and mkAfter, but may impact users calling mkOrder n with n ≤ 400.

  • X keyboard extension (XKB) options have been reorganized into a single attribute set, services.xserver.xkb. Specifically, services.xserver.layout is now services.xserver.xkb.layout, services.xserver.extraLayouts is now services.xserver.xkb.extraLayouts, services.xserver.xkbModel is now services.xserver.xkb.model, services.xserver.xkbOptions is now services.xserver.xkb.options, services.xserver.xkbVariant is now services.xserver.xkb.variant, and services.xserver.xkbDir is now services.xserver.xkb.dir.

  • networking.networkmanager.firewallBackend was removed as NixOS is now using iptables-nftables-compat even when using iptables, therefore Networkmanager now uses the nftables backend unconditionally.

  • lib.lists.foldl' now always evaluates the initial accumulator argument first. If you depend on the lazier behavior, consider using lib.lists.foldl or builtins.foldl' instead.

  • lib.attrsets.foldlAttrs now always evaluates the initial accumulator argument first.

  • rome was removed because it is no longer maintained and is succeeded by biome.

  • The prometheus-knot-exporter was migrated to a version maintained by CZ.NIC. Various metric names have changed, so checking existing rules is recommended.

  • The services.mtr-exporter.target has been removed in favor of services.mtr-exporter.jobs which allows specifying multiple targets.

  • blender-with-packages has been deprecated in favor of blender.withPackages, for example blender.withPackages (ps: [ps.bpycv]). It behaves similarly to python3.withPackages.

  • Setting nixpkgs.config options while providing an external pkgs instance will now raise an error instead of silently ignoring the options. NixOS modules no longer set nixpkgs.config to accomodate this. This specifically affects services.locate, services.xserver.displayManager.lightdm.greeters.tiny and programs.firefox NixOS modules. No manual intervention should be required in most cases, however, configurations relying on those modules affecting packages outside the system environment should switch to explicit overlays.

  • service.borgmatic.settings.location and services.borgmatic.configurations.<name>.location are deprecated, please move your options out of sections to the global scope.

  • privacyidea (and the corresponding privacyidea-ldap-proxy) has been removed from nixpkgs because it has severely outdated dependencies that became unmaintainable with nixpkgs' python package-set.

  • dagger was removed because using a package called dagger and packaging it from source violates their trademark policy.

  • win-virtio package was renamed to virtio-win to be consistent with the upstream package name.

  • ps3netsrv has been replaced with the webman-mod fork, the executable has been renamed from ps3netsrv++ to ps3netsrv and cli parameters have changed.

  • ssm-agent package and module were renamed to amazon-ssm-agent to be consistent with the upstream package name.

  • services.kea.{ctrl-agent,dhcp-ddns,dhcp,dhcp6} now use separate runtime directories instead of /run/kea to work around the runtime directory being cleared on service start.

  • mkDerivation now rejects MD5 hashes.

  • The junicode font package has been updated to major version 2, which is now a font family. In particular, plain Junicode.ttf no longer exists. In addition, TrueType font files are now placed in font/truetype instead of font/junicode-ttf; this change does not affect use via fonts.packages NixOS option.

  • The prayer package as well as services.prayer have been removed because it's been unmaintained for several years and the author's website has vanished.

  • The chrony NixOS module now tracks the Real-Time Clock drift from the System Clock with rtcfile and automatically adjusts it with rtcautotrim when it exceeds the maximum error specified in services.chrony.autotrimThreshold (default 30 seconds). If you enabled rtcsync in extraConfig, you should remove RTC related options from extraConfig. If you do not want chrony configured to keep the RTC in check, you can set services.chrony.enableRTCTrimming = false;

Other Notable Changes

  • A new option system.switch.enable was added. By default, this is option is enabled. Disabling it makes the system unable to be reconfigured via nixos-rebuild. This is good for image based appliances where updates are handled outside the image.

  • The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ]; from your NixOS configuration.

  • GNOME, Pantheon, Cinnamon module no longer forces Qt applications to use Adwaita style since it was buggy and is no longer maintained upstream (specifically, Cinnamon now defaults to the gtk2 style instead, following the default in Linux Mint). If you still want it, you can add the following options to your configuration but it will probably be eventually removed:

    qt = {
      enable = true;
      platformTheme = "gnome";
      style = "adwaita";
    };
    
  • fontconfig now defaults to using greyscale antialiasing instead of subpixel antialiasing because of a recommendation from one of the downstreams. You can change this value by configuring accordingly.

  • The latest available version of Nextcloud is v27 (available as pkgs.nextcloud27). The installation logic is as follows:

  • New options were added to services.searx for better SearXNG support, including options for the built-in rate limiter and bot protection and automatically configuring a local redis server.

  • jq was updated to 1.7, its first release in 5 years.

  • zfs was updated from 2.1.x to 2.2.0, enabling newer kernel support and adding new features.

  • Elixir now defaults to version v1.15.

  • A new option was added to the virtualisation module that enables specifying explicitly named network interfaces in QEMU VMs. The existing virtualisation.vlans is still supported for cases where the name of the network interface is irrelevant.

  • DocBook option documentation is no longer supported, all module documentation now uses markdown.

  • services.outline can now be configured to use local filesystem storage instead of S3 storage using services.outline.storage.storageType.

  • paperwork was updated to version 2.2. Documents scanned with this version will not be visible to previous versions if you downgrade. See the upstream announcement for details and workarounds.

  • buildGoModule go-modules attrs have been renamed to goModules.

  • The fonts.fonts and fonts.enableDefaultFonts options have been renamed to fonts.packages and fonts.enableDefaultPackages respectively.

  • The services.sslh module has been updated to follow RFC 0042. As such, several options have been moved to the freeform attribute set services.sslh.settings, which allows to change any of the settings in {manpage}sslh(8). In addition, the newly added option services.sslh.method allows to switch between the {manpage}fork(2), {manpage}select(2) and libev-based connection handling method; see the sslh docs for a comparison.

  • pkgs.openvpn3 now optionally supports systemd-resolved. programs.openvpn3 will automatically enable systemd-resolved support if config.services.resolved.enable is enabled.

  • services.fail2ban.jails can now be configured with attribute sets defining settings and filters instead of lines. The stringed options daemonConfig and extraSettings have respectively been replaced by daemonSettings and jails.DEFAULT.settings which use attribute sets.

  • The application firewall opensnitch now uses the process monitor method eBPF as default as recommended by upstream. The method can be changed with the setting services.opensnitch.settings.ProcMonitorMethod.

  • services.hedgedoc has been heavily refactored, reducing the amount of declared options in the module. Most of the options should still work without any changes. Some options have been deprecated, as they no longer have any effect. See #244941 for more details.

  • The services.woodpecker-server type was changed to list of paths to be more consistent to the woodpecker-agent module

  • The module services.ankisyncd has been switched to anki-sync-server-rs from the old python version, which was difficult to update, had not been updated in a while, and did not support recent versions of anki. Unfortunately all servers supporting new clients (newer version of anki-sync-server, anki's built in sync server and this new rust package) do not support the older sync protocol that was used in the old server, so such old clients will also need updating and in particular the anki package in nixpkgs is also being updated in this release. The module update takes care of the new config syntax and the data itself (user login and cards) are compatible, so users of the module will be able to just log in again after updating both client and server without any extra action.

  • services.matrix-synapse has new options to configure worker processes for matrix-synapse using services.matrix-synapse.workers. It's also now possible to configure a local redis server using services.matrix-synapse.configureRedisLocally.

  • services.nginx gained a defaultListen option at server-level with support for PROXY protocol listeners, also proxyProtocol is now exposed in services.nginx.virtualHosts.<name>.listen option. It is now possible to run PROXY listeners and non-PROXY listeners at a server-level, see #213510 for more details.

  • services.restic.backups now adds wrapper scripts to your system path, which set the same environment variables as the service, so restic operations can easily be run from the command line. This behavior can be disabled by setting createWrapper to false, per backup configuration.

  • services.prometheus.exporters has a new exporter to monitor electrical power consumption based on PowercapRAPL sensor called Scaphandre, see #239803 for more details.

  • The MariaDB C client library was upgraded from 3.2.x to 3.3.x. It is recommended to review the upstream release notes.

  • The module services.calibre-server has new options to configure the host, port, auth.enable, auth.mode and auth.userDb path, see #216497 for more details.

  • Mattermost has been upgraded to extended support version 8.1 as the previously packaged extended support version 7.8 is reaching end of life. Migration may take some time, see the changelog and important upgrade notes.

  • services.prometheus.exporters has a new exporter to monitor PHP-FPM processes, see #240394 for more details.

  • services.github-runner / services.github-runners.<name> gained the option nodeRuntimes. The option defaults to [ "node20" ], i.e., the service supports Node.js 20 GitHub Actions only. The list of Node.js versions accepted by nodeRuntimes tracks the versions the upstream GitHub Actions runner supports. See #249103 for details.

  • programs.gnupg.agent.pinentryFlavor is now set in /etc/gnupg/gpg-agent.conf, and will no longer take precedence over a pinentry-program set in ~/.gnupg/gpg-agent.conf.

  • programs.gnupg now has the option agent.settings to set verbatim config values in /etc/gnupg/gpg-agent.conf.

  • dockerTools.buildImage, dockerTools.buildLayeredImage and dockerTools.streamLayeredImage now use lib.makeOverridable to allow dockerTools-based images to be customized more efficiently at the nix-level.

  • services.influxdb2 now supports doing an automatic initial setup and provisioning of users, organizations, buckets and authentication tokens, see #249502 for more details.

  • wrapHelm now exposes passthru.pluginsDir which can be passed to helmfile. For convenience, a top-level package helmfile-wrapped has been added, which inherits passthru.pluginsDir from kubernetes-helm-wrapped. See #217768 for details.

  • boot.initrd.network.udhcp.enable allows control over dhcp during stage 1 regardless of what networking.useDHCP is set to.

  • Suricata was upgraded from 6.0 to 7.0 and no longer considers HTTP/2 support as experimental, see upstream release notes for more details.

  • Cloud support in the netdata package is now disabled by default. To enable it use the netdataCloud package.

  • networking.nftables now has the option networking.nftables.table.<table> to create tables and have them be updated atomically, instead of flushing the ruleset.

  • networking.nftables is no longer flushing all rulesets on every reload. Use networking.nftables.flushRuleset = true; to get back the old behaviour.

  • The cawbird package is dropped from nixpkgs, as it got broken by the Twitter API closing down and has been abandoned upstream.

  • hardware.nvidia gained datacenter options for enabling NVIDIA Data Center drivers and configuration of NVLink/NVSwitch topologies through nv-fabricmanager.

  • Certificate generation via the security.acme now limits the concurrent number of running certificate renewals and generation jobs, to avoid spiking resource usage when processing many certificates at once. The limit defaults to 5 and can be adjusted via maxConcurrentRenewals. Setting it to 0 disables the limits altogether.

  • New boot.bcache.enable (default enabled) allows completely removing bcache mount support.

  • The module services.mbpfan now has the option aggressive enabled by default for better heat moderation. You can disable it for upstream defaults.

  • security.sudo now provides two extra options, that do not change the module's default behaviour:

    • defaultOptions controls the options used for the default rules;
    • keepTerminfo controls whether TERMINFO and TERMINFO_DIRS are preserved for root and the wheel group.
  • virtualisation.googleComputeImage now provides efi option to support UEFI booting.

  • CoreDNS can now be built with external plugins by overriding externalPlugins and vendorHash arguments like this:

    services.coredns = {
      enable = true;
      package = pkgs.coredns.override {
        externalPlugins = [
          {name = "fanout"; repo = "github.com/networkservicemesh/fanout"; version = "v1.9.1";}
        ];
        vendorHash = "<SRI hash>";
      };
    };
    

    To get the necessary SRI hash, set vendorHash = "";. The build will fail and produce the correct vendorHash in the error message.

    If you use this feature, updates to CoreDNS may require updating vendorHash by following these steps again.

  • postgresql_11 has been removed since it'll stop receiving fixes on November 9 2023.

  • ffmpeg default upgraded from ffmpeg_5 to ffmpeg_6.

  • fusuma now enables the following plugins: appmatcher, keypress, sendkey, tap and wmctrl.

  • services.bitcoind now properly respects the enable option.

  • The Home Assistant module now offers support for installing custom components and lovelace modules. Available at services.home-assistant.customComponents and services.home-assistant.customLovelaceModules.

  • The argument vendorSha256 of buildGoModule is deprecated. Use vendorHash instead. (#259999)

Nixpkgs internals

  • The use of sourceRoot = "source";, sourceRoot = "source/subdir";, and similar lines in package derivations using the default unpackPhase is deprecated as it requires unpackPhase to always produce a directory named "source". Use sourceRoot = src.name, sourceRoot = "${src.name}/subdir";, or setSourceRoot = "sourceRoot=$(echo */subdir)"; or similar instead.

  • The django alias in the python package set was upgraded to Django 4.x. Applications that consume Django should always pin their python environment to a compatible major version, so they can move at their own pace.

    python = python3.override {
      packageOverrides = self: super: {
        django = super.django_3;
      };
    };
    
  • The qemu-vm.nix module by default now identifies block devices via persistent names available in /dev/disk/by-*. Because the rootDevice is identified by its filesystem label, it needs to be formatted before the VM is started. The functionality of automatically formatting the rootDevice in the initrd is removed from the QEMU module. However, for tests that depend on this functionality, a test utility for the scripted initrd is added (nixos/tests/common/auto-format-root-device.nix). To use this in a NixOS test, import the module, e.g. imports = [ ./common/auto-format-root-device.nix ]; When you use the systemd initrd, you can automatically format the root device by setting virtualisation.fileSystems."/".autoFormat = true;.

  • python3.pkgs.flitBuildHook has been removed. Use flit-core and format = "pyproject" instead.

  • The extend function of llvmPackages has been removed due it coming from the tools attrset thus only extending the tool attrset. A possible replacement is to construct the set from libraries and tools, or patch nixpkgs.

  • The qemu-vm.nix module now supports disabling overriding fileSystems with virtualisation.fileSystems. This enables the user to boot VMs from "external" disk images not created by the qemu-vm module. You can stop the qemu-vm module from overriding fileSystems by setting virtualisation.fileSystems = lib.mkForce { };.

  • The electron packages now places its application files in $out/libexec/electron instead of $out/lib/electron. Packages using electron-builder will fail to build and need to be adjusted by changing lib to libexec.

  • teleport has been upgraded from major version 12 to major version 14. Please see upstream upgrade instructions and release notes for versions 13 and 14. Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 13.x version by setting services.teleport.package = pkgs.teleport_13. Afterwards, this option can be removed to upgrade to the default version (14).

  • The Linux kernel module msr (see msr(4)), which provides an interface to read and write the model-specific registers (MSRs) of an x86 CPU, can now be configured via hardware.cpu.x86.msr.

  • Docker now defaults to 24, as 20.10 is stopping to receive security updates and bug fixes after December 10, 2023.

  • There is a new NixOS option when writing NixOS tests testing.initrdBackdoor, that enables backdoor.service in initrd. Requires boot.initrd.systemd.enable to be enabled. Boot will pause in stage 1 at initrd.target, and will listen for commands from the Machine python interface, just like stage 2 normally does. This enables commands to be sent to test and debug stage 1. Use machine.switch_root() to leave stage 1 and proceed to stage 2.