GitOrigin-RevId: a64e169e396460d6b5763a1de1dd197df8421688
31 KiB
Release 23.05 (“Stoat”, 2023.05/??)
Support is planned until the end of December 2023, handing over to 23.11.
Highlights
In addition to numerous new and upgraded packages, this release has the following highlights:
-
Core version changes:
- default linux: 5.15 -> 6.1, all supported kernels available
-
Cinnamon has been updated to 5.6, see the pull request for what is changed.
-
KDE Plasma has been updated to v5.27, see the release notes for what is changed.
-
nixos-rebuild
now supports an extra--specialisation
option that can be used to change specialisation forswitch
andtest
commands.
New Services
-
Akkoma, an ActivityPub microblogging server. Available as services.akkoma.
-
blesh, a line editor written in pure bash. Available as programs.bash.blesh.
-
webhook, a lightweight webhook server. Available as services.webhook.
-
cups-pdf-to-pdf, a pdf-generating cups backend based on cups-pdf. Available as services.printing.cups-pdf.
-
Cloudlog, a web-based Amateur Radio logging application. Available as services.cloudlog.
-
fzf, a command line fuzzyfinder. Available as programs.fzf.
-
readarr, Book Manager and Automation (Sonarr for Ebooks). Available as services.readarr.
-
gemstash, a RubyGems.org cache and private gem server. Available as services.gemstash.
-
gmediarender, a simple, headless UPnP/DLNA renderer. Available as services.gmediarender.
-
stevenblack-blocklist, A unified hosts file with base extensions for blocking unwanted websites. Available as networking.stevenblack.
-
imaginary, a microservice for high-level image processing that Nextcloud can use to generate previews. Available as services.imaginary.
-
opensearch, a search server alternative to Elasticsearch. Available as services.opensearch.
-
goeland, an alternative to rss2email written in golang with many filters. Available as services.goeland.
-
alertmanager-irc-relay, a Prometheus Alertmanager IRC Relay. Available as services.prometheus.alertmanagerIrcRelay.
-
tts, a battle-tested deep learning toolkit for Text-to-Speech. Mutiple servers may be configured below services.tts.servers.
-
atuin, a sync server for shell history. Available as services.atuin.
-
networkd-dispatcher, a dispatcher service for systemd-networkd connection status changes. Available as services.networkd-dispatcher.
-
mmsd, a lower level daemon that transmits and recieves MMSes. Available as services.mmsd.
-
QDMR, a GUI application and command line tool for programming DMR radios programs.qdmr
-
keyd, a key remapping daemon for linux. Available as services.keyd.
-
v2rayA, a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as services.v2raya.
-
ulogd, a userspace logging daemon for netfilter/iptables related logging. Available as services.ulogd.
-
jellyseerr, a web-based requests manager for Jellyfin, forked from Overseerr. Available as services.jellyseerr.
-
photoprism, a AI-Powered Photos App for the Decentralized Web. Available as services.photoprism.
-
peroxide, a fork of the official ProtonMail bridge that aims to be similar to Hydroxide. Available as services.peroxide.
-
autosuspend, a python daemon that suspends a system if certain conditions are met, or not met.
-
sharing, a command-line tool to share directories and files from the CLI to iOS and Android devices without the need of an extra client app. Available as programs.sharing.
-
nimdow, a window manager written in Nim, inspired by dwm.
-
woodpecker-agent, a simple CI engine with great extensibility. Available as services.woodpecker-agent.
-
woodpecker-server, a simple CI engine with great extensibility. Available as services.woodpecker-server.
-
ReGreet, a clean and customizable greeter for greetd. Available as programs.regreet.
Backward Incompatibilities
-
carnix
andcratesIO
has been removed due to being unmaintained, use alternatives such as naersk and crate2nix instead. -
checkInputs
have been renamed tonativeCheckInputs
, because they behave the same asnativeBuildInputs
whendoCheck
is set.checkInputs
now denote a new type of dependencies, added tobuildInputs
whendoCheck
is set. As a rule of thumb,nativeCheckInputs
are tools on$PATH
used during the tests, andcheckInputs
are libraries which are linked to executables built as part of the tests. Similarly,installCheckInputs
are renamed tonativeInstallCheckInputs
, corresponding tonativeBuildInputs
, andinstallCheckInputs
are a new type of dependencies added tobuildInputs
whendoInstallCheck
is set. (Note that this change will not cause breakage to derivations withstrictDeps
unset, which are most packages except python, rust, ocaml and go packages). -
buildDunePackage
now defaults tostrictDeps = true
which means that any library should go intobuildInputs
orcheckInputs
. Any executable that is run on the building machine should go intonativeBuildInputs
ornativeCheckInputs
respectively. Example of executables areocaml
,findlib
andmenhir
. PPXs are libraries which are built by dune and should therefore not go intonativeBuildInputs
. -
borgbackup
module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available asservices.borgbackup.jobs.<name>.inhibitsSleep
. -
The
ssh
client tool now disables the~C
escape sequence by default. This can be re-enabled by settingEnableEscapeCommandline yes
-
podman
now uses thenetavark
network stack. Users will need to delete all of their local containers, images, volumes, etc, by runningpodman system reset --force
once before upgrading their systems. -
git-bug
has been updated to at least version 0.8.0, which includes backwards incompatible changes. Thegit-bug-migration
package can be used to upgrade existing repositories. -
nushell
has been updated to at least version 0.77.0, which includes potential breaking changes in aliases. The old aliases are now available asold-alias
but it is recommended you migrate to the new format. See Reworked aliases. -
keepassx
andkeepassx2
have been removed, due to upstream stopping development. Consider KeePassXC as a maintained alternative. -
The
services.kubo.settings
option is now no longer stateful. If you changed any of the options inservices.kubo.settings
in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you're unsure, you may want to make a backup of your configuration file (probably /var/lib/ipfs/config) and compare after the update. -
The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services. This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from
/etc/ec2-metadata
should now have anafter
dependency onfetch-ec2-metadata.service
-
minio
removed support for its legacy filesystem backend in RELEASE.2022-10-29T06-21-33Z. This means if your storage was created with the old format, minio will no longer start. Unfortunately minio doesn't provide a an automatic migration, they only provide instructions how to manually convert the node. To facilitate this migration we keep around the last version that still supports the old filesystem backend asminio_legacy_fs
. Use it viaservices.minio.package = minio_legacy_fs;
to export your data before switching to the new version. See the corresponding issue for more details. -
services.sourcehut.dispatch
and the corresponding package (sourcehut.dispatchsrht
) have been removed due to upstream deprecation. -
The services.snapserver.openFirewall module option default value has been changed from
true
tofalse
. You will need to explicitly set this option totrue
, or configure your firewall. -
The services.tmate-ssh-server.openFirewall module option default value has been changed from
true
tofalse
. You will need to explicitly set this option totrue
, or configure your firewall. -
The services.unifi-video.openFirewall module option default value has been changed from
true
tofalse
. You will need to explicitly set this option totrue
, or configure your firewall. -
Kime has been updated from 2.5.6 to 3.0.2 and the
i18n.inputMethod.kime.config
option has been removed. Users should usedaemonModules
,iconColor
, andextraConfig
options underi18n.inputMethod.kime
instead. -
tut
has been updated from 1.0.34 to 2.0.0, and now uses the TOML format for the configuration file instead of INI. Additional information can be found here. -
i3status-rust
has been updated from 0.22.0 to 0.30.5, and this brings many changes to its configuration format. Additional information can be found here. -
The
wordpress
derivation no longer contains any builtin plugins or themes. If you need them you have to add them back to prevent your site from breaking. You can find them inwordpressPackages.{plugins,themes}
. -
llvmPackages_rocm.llvm
will not containclang
orcompiler-rt
.llvmPackages_rocm.clang
will not containllvm
.llvmPackages_rocm.clangNoCompilerRt
has been removed in favor of usingllvmPackages_rocm.clang-unwrapped
. -
services.xserver.desktopManager.plasma5.excludePackages
has been moved toenvironment.plasma5.excludePackages
, for consistency with other Desktop Environments -
The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing
/tmp
on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2. -
teleport
has been upgraded from major version 10 to major version 12. Please see upstream upgrade instructions and release notes for versions 11 and 12. Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by settingservices.teleport.package = pkgs.teleport_11
. Afterwards, this option can be removed to upgrade to the default version (12). -
The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
-
fail2ban
has been updated to 1.0.2, which has a few breaking changes compared to 0.11.2 (changelog for 1.0.1, changelog for 1.0.2) -
Calling
makeSetupHook
without passing aname
argument is deprecated. -
lib.systems.examples.ghcjs
and consequentlypkgsCross.ghcjs
now use the target tripletjavascript-unknown-ghcjs
instead ofjs-unknown-ghcjs
. This has been done to match an upstream decision to follow Cabal's platform naming more closely. Nixpkgs will also rejectjs
as an architecture name. -
The
cosmoc
package has been removed. The upstream scripts incosmocc
should be used instead. -
Qt 5.12 and 5.14 have been removed, as the corresponding branches have been EOL upstream for a long time. This affected under 10 packages in nixpkgs, largely unmaintained upstream as well, however, out-of-tree package expressions may need to be updated manually.
-
The services.wordpress.sites.<name>.plugins and services.wordpress.sites.<name>.themes options have been converted from sets to attribute sets to allow for consumers to specify explicit install paths via attribute name.
-
protonmail-bridge
package has been updated to v3.0 and the CLI executable is now named bridge instead of protonmail-bridge to be more in line with upstream. -
Nebula now runs as a system user and group created for each nebula network, using the
CAP_NET_ADMIN
ambient capability on launch rather than starting as root. Ensure that any files each Nebula instance needs to access are owned by the correct user and group, by defaultnebula-${networkName}
. -
In
mastodon
it is now necessary to specify location of file withPostgreSQL
database password. Inservices.mastodon.database.passwordFile
parameter default value/var/lib/mastodon/secrets/db-password
has been changed tonull
. -
The
--target-host
and--build-host
options ofnixos-rebuild
no longer treat thelocalhost
value specially – to build on/deploy to local machine, omit the relevant flag. -
The
nix.readOnlyStore
option has been renamed toboot.readOnlyNixStore
to clarify that it configures the NixOS boot process, not the Nix daemon. -
Deprecated
xlibsWrapper
transitional package has been removed in favour of direct use of its constitutents:xorg.libX11
,freetype
and others. -
The latest available version of Nextcloud is v26 (available as
pkgs.nextcloud26
) which uses PHP 8.2 as interpreter by default. The installation logic is as follows:- If
system.stateVersion
is >=23.05,pkgs.nextcloud26
will be installed by default. - If
system.stateVersion
is >=22.11,pkgs.nextcloud25
will be installed by default. - Please note that an upgrade from v24 (or older) to v26 directly is not possible. Please upgrade to
nextcloud25
(or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaringservices.nextcloud.package = pkgs.nextcloud25;
. - It's recommended to use the latest version available (i.e. v26) and to specify that using
services.nextcloud.package
.
- If
-
.NET 5.0 was removed due to being end-of-life, use a newer, supported .NET version - https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core
-
The iputils package, which is installed by default, no longer provides the
ninfod
,rarpd
andrdisc
tools. See upstream's release notes for more details and available replacements. -
services.xserver.videoDrivers now defaults to the
modesetting
driver over device-specific ones. Theradeon
,amdgpu
andnouveau
drivers are still available, but effectively unmaintained and not recommended for use. -
conntrack helper autodetection has been removed from kernels 6.0 and up upstream, and an assertion was added to ensure things don't silently stop working. Migrate your configuration to assign helpers explicitly or use an older LTS kernel branch as a temporary workaround.
-
The catch-all
hardware.video.hidpi.enable
option was removed. Users on high density displays may want to:- Set
services.xserver.upscaleDefaultCursor
to upscale the default X11 cursor for higher resolutions - Adjust settings under
fonts.fontconfig
according to preference - Adjust
console.font
according to preference, though the kernel will generally choose a reasonably sized font
- Set
-
The
baget
package and module was removed due to being unmaintained.
Other Notable Changes
-
vim_configurable
has been renamed tovim-full
to avoid confusion:vim-full
's build-time features are configurable, but bothvim
andvim-full
are customizable (in the sense of user configuration, like vimrc). -
Pantheon now defaults to Mutter 42 and GNOME settings daemon 42, all Pantheon packages are now tracking elementary OS 7 updates.
-
The module for the application firewall
opensnitch
got the ability to configure rules. Available as services.opensnitch.rules -
The module
usbmuxd
now has the ability to change the package used by the daemon. In case you're experiencing issues withusbmuxd
you can try an alternative program likeusbmuxd2
. Available as services.usbmuxd.package -
A few openssh options have been moved from extraConfig to the new freeform option
settings
and renamed as follows:services.openssh.forwardX11
toservices.openssh.settings.X11Forwarding
services.openssh.kbdInteractiveAuthentication
->services.openssh.settings.KbdInteractiveAuthentication
services.openssh.passwordAuthentication
toservices.openssh.settings.PasswordAuthentication
services.openssh.useDns
toservices.openssh.settings.UseDns
services.openssh.permitRootLogin
toservices.openssh.settings.PermitRootLogin
services.openssh.logLevel
toservices.openssh.settings.LogLevel
services.openssh.kexAlgorithms
toservices.openssh.settings.KexAlgorithms
services.openssh.macs
toservices.openssh.settings.Macs
services.openssh.ciphers
toservices.openssh.settings.Ciphers
services.openssh.gatewayPorts
toservices.openssh.settings.GatewayPorts
-
services.mastodon
gained a tootctl wrapped namedmastodon-tootctl
similar tonextcloud-occ
which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables. -
DocBook option documentation, which has been deprecated since 22.11, will now cause a warning when documentation is built. Out-of-tree modules should migrate to using CommonMark documentation as outlined in to silence this warning.
DocBook option documentation support will be removed in the next release and CommonMark will become the default. DocBook option documentation that has not been migrated until then will no longer render properly or cause errors.
-
NixOS now defaults to using nsncd (a non-caching reimplementation in Rust) as NSS lookup dispatcher, instead of the buggy and deprecated glibc-provided nscd. If you need to switch back, set
services.nscd.enableNsncd = false
, but please open an issue in nixpkgs so your issue can be fixed. -
services.borgmatic
now allows for multiple configurations, placed in/etc/borgmatic.d/
, you can define them withservices.borgmatic.configurations
. -
The
dnsmasq
service now takes configuration via theservices.dnsmasq.settings
attribute set. The optionservices.dnsmasq.extraConfig
will be deprecated when NixOS 22.11 reaches end of life. -
The
dokuwiki
service now takes configuration via theservices.dokuwiki.sites.<name>.settings
attribute set,extraConfig
is deprecated and will be removed. The{aclUse,superUser,disableActions}
attributes have been renamed,pluginsConfig
now also accepts an attribute set of booleans, passing plain PHP is deprecated. Same applies toacl
which now also accepts structured settings. -
The
zsh
package changes the way to set environment variables on NixOS systems whereprograms.zsh.enable
equalsfalse
. It now sources/etc/set-environment
when reading the system-levelzshenv
file. Before, it sourced/etc/profile
when reading the system-levelzprofile
file. -
The
wordpress
service now takes configuration via theservices.wordpress.sites.<name>.settings
attribute set,extraConfig
is still available to append additional text towp-config.php
. -
To reduce closure size in
nixos/modules/profiles/minimal.nix
profile disabled installation documentations and manuals. Also disabledlogrotate
andudisks2
services. -
To reduce closure size in
nixos/modules/installer/netboot/netboot-minimal.nix
profile disabled load linux firmwares, pre-installing the complete stdenv andnetworking.wireless
service. -
The minimal ISO image now uses the
nixos/modules/profiles/minimal.nix
profile. -
The
ghcWithPackages
andghcWithHoogle
wrappers will now also symlink GHC's and all included libraries' documentation to$out/share/doc
for convenience. If undesired, the old behavior can be restored by overriding the builders with{ installDocumentation = false; }
. -
mastodon
now supports connection to a remotePostgreSQL
database. -
nextcloud
has an option to enable SSE-C in S3. -
services.peertube
now requires you to specify the secret filesecrets.secretsFile
. It can be generated by runningopenssl rand -hex 32
. Before upgrading, read the release notes for PeerTube:And backup your data.
-
services.chronyd
is now started with additional systemd sandbox/hardening options for better security. -
services.dhcpcd
service now don't solicit or accept IPv6 Router Advertisements on interfaces that use static IPv6 addresses. -
The module
services.headscale
was refactored to be compliant with RFC 0042. To be precise, this means that the following things have changed:- Most settings has been migrated under services.headscale.settings which is an attribute-set that will be converted into headscale's YAML config format. This means that the configuration from headscale's example configuration can be directly written as attribute-set in Nix within this option.
-
nixos/lib/make-disk-image.nix
can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual. -
services.grafana
listens only on localhost by default again. This was changed to upstreams default of0.0.0.0
by accident in the freeform setting conversion. -
Grafana Tempo has been updated to version 2.0. See the upstream upgrade guide for migration instructions.
-
A new
virtualisation.rosetta
module was added to allow runningx86_64
binaries through Rosetta inside virtualised NixOS guests on Apple silicon. This feature works by default with the UTM virtualisation package. -
The new option
users.motdFile
allows configuring a Message Of The Day that can be updated dynamically. -
The
root
package is now built with the"-Dgnuinstall=ON"
CMake flag, making the output conform thebin
lib
share
layout. In this layout,tutorials
is undershare/doc/ROOT/
;cmake
,font
,icons
,js
andmacro
undershare/root
;Makefile.comp
andMakefile.config
underetc/root
. -
Enabling global redirect in
services.nginx.virtualHosts
now allows one to add exceptions with thelocations
option. -
A new option
recommendedBrotliSettings
has been added toservices.nginx
. Learn more about compression in Brotli format here. -
Updated recommended settings in
services.nginx.recommendedGzipSettings
:- Enables gzip compression for only certain proxied requests.
- Allow checking and loading of precompressed files.
- Updated gzip mime-types.
- Increased the minimum length of a response that will be gzipped.
-
Garage version is based on system.stateVersion, existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow upstream instructions and force services.garage.package or upgrade accordingly system.stateVersion.
-
Nebula now supports the
services.nebula.networks.<name>.isRelay
andservices.nebula.networks.<name>.relays
configuration options for setting up or allowing traffic relaying. See the announcement for more details about relays. -
hip
has been separated intohip
,hip-common
andhipcc
. -
services.nginx.recommendedProxySettings
now removes theConnection
header preventing clients from closing backend connections. -
Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
-
The
firewall
andnat
module now has a nftables based implementation. Enablenetworking.nftables
to use it. -
The
services.fwupd
module now allows arbitrary daemon settings to be configured in a structured manner (services.fwupd.daemonSettings
). -
services.xserver.desktopManager.plasma5.phononBackend
now defaults to vlc according to upstrean recommendation -
The
zramSwap
is now implemented withzram-generator
, and the optionzramSwap.numDevices
for using ZRAM devices as general purpose ephemeral block devices has been removed. -
As Singularity has renamed to Apptainer to distinguish from an un-renamed fork by Sylabs Inc., there are now two packages of Singularity/Apptainer:
apptainer
: Fromgithub.com/apptainer/apptainer
, which is the new repo after renaming.singularity
: Fromgithub.com/sylabs/singularity
, which is the fork by Sylabs Inc..
programs.singularity
got a newpackage
option to specify which package to use.singularity-tools.buildImage
got a new input argumentsingularity
to specify which package to use. -
The new option
programs.singularity.enableFakeroot
, if set totrue
, provides--fakeroot
support forapptainer
andsingularity
. -
The
unifi-poller
package and corresponding NixOS module have been renamed tounpoller
to match upstream. -
protonmail-bridge
package has been updated to v3.0 and the CLI executable is now named bridge instead of protonmail-bridge to be more in line with upstream. -
The new option
services.tailscale.useRoutingFeatures
controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting toserver
, otherwise if you wish to use an exit node you can set this setting toclient
. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting. -
openjdk
from version 11 and above is not build withopenjfx
(i.e.: JavaFX) support by default anymore. You can re-enable it by overriding, e.g.:openjdk11.override { enableJavaFX = true; };
. -
Xastir can now access AX.25 interfaces via the
libax25
package. -
nixos-version
now accepts--configuration-revision
to display more information about the current generation revision -
The option
services.nomad.extraSettingsPlugins
has been fixed to allow more than one plugin in the path. -
The option
services.prometheus.exporters.pihole.interval
does not exist anymore and has been removed. -
k3s
can now be configured with an EnvironmentFile for its systemd service, allowing secrets to be provided without ending up in the Nix Store.