depot/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2305.section.md
Default email 94427deb9d Project import generated by Copybara.
GitOrigin-RevId: f91ee3065de91a3531329a674a45ddcb3467a650
2023-05-24 16:37:59 +03:00

54 KiB
Raw Blame History

Release 23.05 (“Stoat”, 2023.05/??)

Support is planned until the end of December 2023, handing over to 23.11.

Highlights

In addition to numerous new and upgraded packages, this release has the following highlights:

  • Core version changes:

    • default linux: 5.15 -> 6.1, all supported kernels available

    • systemd has been updated to v253.1, see the pull request for more info. It's recommended to use nixos-rebuild boot and reboot, rather than nixos-rebuild switch - since in some rare cases the switch of a live system might fail.

    • glibc: 2.35 -> 2.37

  • Cinnamon has been updated to 5.6, see the pull request for what is changed.

  • GNOME has been upgraded to version 44. Please see the release notes for details.

  • KDE Plasma has been updated to v5.27, see the release notes for what is changed.

  • Python implements PEP 668, providing better feedback to users that try to run pip install system-wide.

  • nixos-rebuild now supports an extra --specialisation option that can be used to change specialisation for switch and test commands.

  • libxcrypt, the library providing the crypt(3) password hashing function, is now built without support for algorithms not flagged strong. This affects the availability of password hashing algorithms used for system login (login(1), passwd(1)), but also Apache2 Basic-Auth, Samba, OpenLDAP, Dovecot, and many other packages.

  • boot.bootspec.enable (internal option) is now enabled by default because RFC-0125 was merged. This means you will have a bootspec document called boot.json generated for each system and specialisation in the top-level. This is useful to enable advanced boot usecases in NixOS such as SecureBoot.

New Services

Backward Incompatibilities

  • carnix and cratesIO has been removed due to being unmaintained, use alternatives such as naersk and crate2nix instead.

  • services.asusd configuration now uses strings instead of structured configuration, as upstream switched to the RON configuration format. Support for structured configuration may return when RON generation is implemented in nixpkgs.

  • checkInputs have been renamed to nativeCheckInputs, because they behave the same as nativeBuildInputs when doCheck is set. checkInputs now denote a new type of dependencies, added to buildInputs when doCheck is set. As a rule of thumb, nativeCheckInputs are tools on $PATH used during the tests, and checkInputs are libraries which are linked to executables built as part of the tests. Similarly, installCheckInputs are renamed to nativeInstallCheckInputs, corresponding to nativeBuildInputs, and installCheckInputs are a new type of dependencies added to buildInputs when doInstallCheck is set. (Note that this change will not cause breakage to derivations with strictDeps unset, which are most packages except python, rust, ocaml and go packages).

  • buildDunePackage now defaults to strictDeps = true which means that any library should go into buildInputs or checkInputs. Any executable that is run on the building machine should go into nativeBuildInputs or nativeCheckInputs respectively. Example of executables are ocaml, findlib and menhir. PPXs are libraries which are built by dune and should therefore not go into nativeBuildInputs.

  • borgbackup module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as services.borgbackup.jobs.<name>.inhibitsSleep.

  • The ssh client tool now disables the ~C escape sequence by default. This can be re-enabled by setting EnableEscapeCommandline yes

  • Many services.syncthing options have been moved to services.syncthing.settings, as part of RFC 42's implementation, see #226088.

  • The ssh module does not read /etc/ssh/ssh_known_hosts2 anymore since this location is deprecated since 2001.

  • The openssh module does not read ~/.ssh/authorized_keys2 anymore since this location is deprecated since 2001.

  • podman now uses the netavark network stack. Users will need to delete all of their local containers, images, volumes, etc, by running podman system reset --force once before upgrading their systems.

  • git-bug has been updated to at least version 0.8.0, which includes backwards incompatible changes. The git-bug-migration package can be used to upgrade existing repositories.

  • graylog has been updated to version 5, which can not be upgraded directly from the previously packaged version 3.3. If you had installed the previously packaged version 3.3, please follow the upgrade path from 3.3 to 4.0 to 4.3 to 5.0.

  • nushell has been updated to at least version 0.77.0, which includes potential breaking changes in aliases. The old aliases are now available as old-alias but it is recommended you migrate to the new format. See Reworked aliases.

  • gajim has been updated to version 1.7.3 which has disabled legacy ciphers. See changelog for version 1.7.0.

  • keepassx and keepassx2 have been removed, due to upstream stopping development. Consider KeePassXC as a maintained alternative.

  • The services.kubo.settings option is now no longer stateful. If you changed any of the options in services.kubo.settings in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you're unsure, you may want to make a backup of your configuration file (probably /var/lib/ipfs/config) and compare after the update.

  • The Kubo HTTP API will no longer listen on localhost and will instead only listen on a Unix domain socket by default. Read the services.kubo.settings.Addresses.API option description for more information.

  • The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services. This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from /etc/ec2-metadata should now have an after dependency on fetch-ec2-metadata.service

  • The mailman service now defaults to using a randomly generated REST API password instead of a hardcoded one.

  • minio removed support for its legacy filesystem backend in RELEASE.2022-10-29T06-21-33Z. This means if your storage was created with the old format, minio will no longer start. Unfortunately minio doesn't provide a an automatic migration, they only provide instructions how to manually convert the node. To facilitate this migration we keep around the last version that still supports the old filesystem backend as minio_legacy_fs. Use it via services.minio.package = minio_legacy_fs; to export your data before switching to the new version. See the corresponding issue for more details.

  • services.sourcehut.dispatch and the corresponding package (sourcehut.dispatchsrht) have been removed due to upstream deprecation.

  • The attributes used by services.snapper.configs.<name> have changed. Migrate from this:

    services.snapper.configs.example = {
      subvolume = "/example";
      extraConfig = ''
        ALLOW_USERS="alice"
      '';
    };
    

    to this:

    services.snapper.configs.example = {
      SUBVOLUME = "/example";
      ALLOW_USERS = [ "alice" ];
    };
    
  • The services.snapserver.openFirewall module option default value has been changed from true to false. You will need to explicitly set this option to true, or configure your firewall.

  • The services.tmate-ssh-server.openFirewall module option default value has been changed from true to false. You will need to explicitly set this option to true, or configure your firewall.

  • The services.unifi-video.openFirewall module option default value has been changed from true to false. You will need to explicitly set this option to true, or configure your firewall.

  • The option i18n.inputMethod.fcitx5.enableRimeData has been removed. Default RIME data is now included in fcitx5-rime by default, and can be customized using fcitx5-rime.override { rimeDataPkgs = [ pkgs.rime-data, package2, ... ]; }

  • The udev hwdb.bin file is now built with systemd-hwdb rather than the deprecated "udevadm hwdb". This may impact mappings where the same key is defined in multiple matching entries. The updated behavior will select the latest definition in case of conflict. In general, this should be a positive change, as the hwdb source files are designed with this ordering in mind. As an example, the mapping of the HP Dev One keyboard scan code for "mute mic" is corrected by this update. This change may impact users who have worked-around previously incorrect mappings.

  • Kime has been updated from 2.5.6 to 3.0.2 and the i18n.inputMethod.kime.config option has been removed. Users should use daemonModules, iconColor, and extraConfig options under i18n.inputMethod.kime instead.

  • tut has been updated from 1.0.34 to 2.0.0, and now uses the TOML format for the configuration file instead of INI. Additional information can be found here.

  • i3status-rust has been updated from 0.22.0 to 0.30.5, and this brings many changes to its configuration format. Additional information can be found here.

  • The wordpress derivation no longer contains any builtin plugins or themes. If you need them you have to add them back to prevent your site from breaking. You can find them in wordpressPackages.{plugins,themes}.

  • llvmPackages_rocm.llvm will not contain clang or compiler-rt. llvmPackages_rocm.clang will not contain llvm. llvmPackages_rocm.clangNoCompilerRt has been removed in favor of using llvmPackages_rocm.clang-unwrapped.

  • services.xserver.desktopManager.plasma5.excludePackages has been moved to environment.plasma5.excludePackages, for consistency with other Desktop Environments

  • The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing /tmp on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.

  • teleport has been upgraded from major version 10 to major version 12. Please see upstream upgrade instructions and release notes for versions 11 and 12. Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by setting services.teleport.package = pkgs.teleport_11. Afterwards, this option can be removed to upgrade to the default version (12).

  • The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.

  • fail2ban has been updated to 1.0.2, which has a few breaking changes compared to 0.11.2 (changelog for 1.0.1, changelog for 1.0.2)

  • albert has been updated from 0.17.6 to 0.20.13, and 0.18.0 changed the config format and many plugins (changelog for 0.18.0)

  • Calling makeSetupHook without passing a name argument is deprecated.

  • Top-level buildPlatform,hostPlatform,targetPlatform have been deprecated, use stdenv.X instead.

  • lib.systems.examples.ghcjs and consequently pkgsCross.ghcjs now use the target triplet javascript-unknown-ghcjs instead of js-unknown-ghcjs. This has been done to match an upstream decision to follow Cabal's platform naming more closely. Nixpkgs will also reject js as an architecture name.

  • dokuwiki has been updated from 2023-07-31a (Igor) to 2023-04-04 (Jack Jackrum), which has completely removed the options to embed HTML and PHP for security reasons. The htmlok plugin can be used to regain this functionality.

  • The old unsupported version 6.x of the ELK-stack and Elastic beats have been removed. Use OpenSearch instead.

  • The cosmoc package has been removed. The upstream scripts in cosmocc should be used instead.

  • Qt 5.12 and 5.14 have been removed, as the corresponding branches have been EOL upstream for a long time. This affected under 10 packages in nixpkgs, largely unmaintained upstream as well, however, out-of-tree package expressions may need to be updated manually.

  • The services.wordpress.sites.<name>.plugins and services.wordpress.sites.<name>.themes options have been converted from sets to attribute sets to allow for consumers to specify explicit install paths via attribute name.

  • services.nextcloud.database.createLocally now uses socket authentication and is no longer compatible with password authentication.

  • protonmail-bridge package has been updated to major version 3.

  • Nebula now runs as a system user and group created for each nebula network, using the CAP_NET_ADMIN ambient capability on launch rather than starting as root. Ensure that any files each Nebula instance needs to access are owned by the correct user and group, by default nebula-${networkName}.

  • The i18n.inputMethod.fcitx option has been replaced with i18n.inputMethod.fcitx5 because fcitx 4 pkgs.fcitx has been removed.

  • In mastodon it is now necessary to specify location of file with PostgreSQL database password. In services.mastodon.database.passwordFile parameter default value /var/lib/mastodon/secrets/db-password has been changed to null.

  • The --target-host and --build-host options of nixos-rebuild no longer treat the localhost value specially to build on/deploy to local machine, omit the relevant flag.

  • The nix.readOnlyStore option has been renamed to boot.readOnlyNixStore to clarify that it configures the NixOS boot process, not the Nix daemon.

  • Deprecated xlibsWrapper transitional package has been removed in favour of direct use of its constituents: xorg.libX11, freetype and others.

  • The latest available version of Nextcloud is v26 (available as pkgs.nextcloud26) which uses PHP 8.2 as interpreter by default. The installation logic is as follows:

    • If system.stateVersion is >=23.05, pkgs.nextcloud26 will be installed by default.
    • If system.stateVersion is >=22.11, pkgs.nextcloud25 will be installed by default.
    • Please note that an upgrade from v24 (or older) to v26 directly is not possible. Please upgrade to nextcloud25 (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring services.nextcloud.package = pkgs.nextcloud25;.
    • It's recommended to use the latest version available (i.e. v26) and to specify that using services.nextcloud.package.
  • .NET 5.0 and .NET 3.1 were removed due to being end-of-life, use a newer, supported .NET version - https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core

  • The iputils package, which is installed by default, no longer provides the ninfod, rarpd and rdisc tools. See upstream's release notes for more details and available replacements.

  • The ppp plugin rp-pppoe.so has been renamed to pppoe.so in ppp 2.4.9. Starting from ppp 2.5.0, there is no longer a alias for backwards compatibility. Configurations that use this plugin must be updated accordingly from plugin rp-pppoe.so to plugin pppoe.so. See upstream change.

  • services.xserver.videoDrivers now defaults to the modesetting driver over device-specific ones. The radeon, amdgpu and nouveau drivers are still available, but effectively unmaintained and not recommended for use.

  • services.xserver.libinput.enable is now set by default, enabling the more actively maintained and consistently behaved input device driver.

  • To enable the HTTP3 (QUIC) protocol for a nginx virtual host, set the quic attribute on it to true, e.g. services.nginx.virtualHosts.<name>.quic = true;.

  • In services.fail2ban, bantime-increment.<name> options now default to null (except bantime-increment.enable) and are used to set the corresponding option in jail.local only if not null. Also, enforce that bantime-increment.formula and bantime-increment.multipliers are not both specified.

  • The default Asterisk package was changed to v20 from v19. Asterisk versions 16 and 19 have been dropped due to being EOL. You may need to update /var/lib/asterisk to match the template files in ${asterisk-20}/var/lib/asterisk.

  • conntrack helper autodetection has been removed from kernels 6.0 and up upstream, and an assertion was added to ensure things don't silently stop working. Migrate your configuration to assign helpers explicitly or use an older LTS kernel branch as a temporary workaround.

  • The services.pipewire.config options have been removed, as they have basically never worked correctly. All behavior defined by the default configuration can be overridden with drop-in files as necessary - see below for details.

  • The catch-all hardware.video.hidpi.enable option was removed. Users on high density displays may want to:

    • Set services.xserver.upscaleDefaultCursor to upscale the default X11 cursor for higher resolutions
    • Adjust settings under fonts.fontconfig according to preference
    • Adjust console.font according to preference, though the kernel will generally choose a reasonably sized font
  • services.pipewire.media-session and the pipewire-media-session package have been removed, as they are no longer supported upstream. Users are encouraged to use services.pipewire.wireplumber instead.

  • The baget package and module was removed due to being unmaintained.

  • The qlandkartegt and garmindev packages were removed due to being unmaintained and insecure.

  • go-ethereum package has been updated to v1.11.5 and the puppeth command is no longer available as of v1.11.0.

  • The pnpm package has be updated to from version 7.29.1 to version 8.1.1 and Node.js 14 support has been discontinued (though, there are workarounds if Node.js 14 is still required)

  • The zplug package changes its output path from $out to $out/share/zplug. Users should update their dependency on ${pkgs.zplug}/init.zsh to ${pkgs.zplug}/share/zplug/init.zsh.

  • The pict-rs package was updated from an 0.3 alpha release to 0.3 stable, and related environment variables now require two underscores instead of one.

  • espanso has been updated to major version 2. Therefore, migration steps may need to be performed. See the official migration instructions for how to perform these migrations. Further, espanso-wayland can now be used for Wayland support.

Other Notable Changes

  • vim_configurable has been renamed to vim-full to avoid confusion: vim-full's build-time features are configurable, but both vim and vim-full are customizable (in the sense of user configuration, like vimrc).

  • Pantheon now defaults to Mutter 43 and GNOME settings daemon 43, all Pantheon packages are now tracking elementary OS 7 updates.

  • The module for the application firewall opensnitch got the ability to configure rules. Available as services.opensnitch.rules

  • The module usbmuxd now has the ability to change the package used by the daemon. In case you're experiencing issues with usbmuxd you can try an alternative program like usbmuxd2. Available as services.usbmuxd.package

  • A few openssh options have been moved from extraConfig to the new freeform option settings and renamed as follows:

    • services.openssh.forwardX11 to services.openssh.settings.X11Forwarding
    • services.openssh.kbdInteractiveAuthentication -> services.openssh.settings.KbdInteractiveAuthentication
    • services.openssh.passwordAuthentication to services.openssh.settings.PasswordAuthentication
    • services.openssh.useDns to services.openssh.settings.UseDns
    • services.openssh.permitRootLogin to services.openssh.settings.PermitRootLogin
    • services.openssh.logLevel to services.openssh.settings.LogLevel
    • services.openssh.kexAlgorithms to services.openssh.settings.KexAlgorithms
    • services.openssh.macs to services.openssh.settings.Macs
    • services.openssh.ciphers to services.openssh.settings.Ciphers
    • services.openssh.gatewayPorts to services.openssh.settings.GatewayPorts
  • netbox was updated to 3.5. NixOS' services.netbox.package still defaults to 3.3 if stateVersion is earlier than 23.05. Please review upstream's breaking changes for 3.4.0 and for 3.5.0, and upgrade NetBox by changing services.netbox.package. Database migrations will be run automatically.

  • services.netbox now support RFC42-style options, through services.netbox.settings.

  • services.mastodon gained a tootctl wrapped named mastodon-tootctl similar to nextcloud-occ which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.

  • DocBook option documentation, which has been deprecated since 22.11, will now cause a warning when documentation is built. Out-of-tree modules should migrate to using CommonMark documentation as outlined in to silence this warning.

    DocBook option documentation support will be removed in the next release and CommonMark will become the default. DocBook option documentation that has not been migrated until then will no longer render properly or cause errors.

  • NixOS now defaults to using nsncd (a non-caching reimplementation in Rust) as NSS lookup dispatcher, instead of the buggy and deprecated glibc-provided nscd. If you need to switch back, set services.nscd.enableNsncd = false, but please open an issue in nixpkgs so your issue can be fixed.

  • services.borgmatic now allows for multiple configurations, placed in /etc/borgmatic.d/, you can define them with services.borgmatic.configurations.

  • service.openafsServer features a new backup server pkgs.fabs as a replacement for openafs's own buserver. See FABS to check if this is an viable replacement. It stores backups as volume dump files and thus better integrates into contemporary backup solutions.

  • services.maddy got several updates:

    • Configuration of users and their credentials using services.maddy.ensureCredentials.
    • TLS configuration is now possible via services.maddy.tls with two loaders present: ACME and file based.
  • The dnsmasq service now takes configuration via the services.dnsmasq.settings attribute set. The option services.dnsmasq.extraConfig will be deprecated when NixOS 22.11 reaches end of life.

  • kube3d has now been renamed to k3d since the 3d editor that originally took that name has been dropped from nixpkgs. kube3d will continue to work as an alias for now.

  • The dokuwiki service is now configured via services.dokuwiki.sites.<name>.settings attribute set; extraConfig has been removed. The {aclUse,superUser,disableActions} attributes have been renamed accordingly. pluginsConfig now only accepts an attribute set of booleans. Passing plain PHP is no longer possible. Same applies to acl which now also only accepts structured settings.

  • The zsh package changes the way to set environment variables on NixOS systems where programs.zsh.enable equals false. It now sources /etc/set-environment when reading the system-level zshenv file. Before, it sourced /etc/profile when reading the system-level zprofile file.

  • The wordpress service now takes configuration via the services.wordpress.sites.<name>.settings attribute set, extraConfig is still available to append additional text to wp-config.php.

  • To reduce closure size in nixos/modules/profiles/minimal.nix profile disabled installation documentations and manuals. Also disabled logrotate and udisks2 services.

  • To reduce closure size in nixos/modules/installer/netboot/netboot-minimal.nix profile disabled load linux firmwares, pre-installing the complete stdenv and networking.wireless service.

  • The minimal ISO image now uses the nixos/modules/profiles/minimal.nix profile.

  • The ghcWithPackages and ghcWithHoogle wrappers will now also symlink GHC's and all included libraries' documentation to $out/share/doc for convenience. If undesired, the old behavior can be restored by overriding the builders with { installDocumentation = false; }.

  • The new option networking.nftables.checkRuleset controls whether the ruleset is checked for syntax or not during build. It is true by default. The check might fail because it is in a sandbox environment. To circumvent this, the ruleset file can be edited using the networking.nftables.preCheckRuleset option.

  • mastodon now supports connection to a remote PostgreSQL database.

  • nextcloud has an option to enable SSE-C in S3.

  • NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to setup the plain encryption device over the underlying block device rather than allowing them to be determined by cryptsetup(8). One can use these features like so:

    {
      swapDevices = [
        {
          device = "/dev/disk/by-partlabel/swapspace";
    
          randomEncryption = {
            enable = true;
            cipher = "aes-xts-plain64";
            keySize = 512;
            sectorSize = 4096;
          };
        }
      ];
    }
    
  • New option security.pam.zfs to enable unlocking and mounting of encrypted ZFS home dataset at login.

  • services.peertube now requires you to specify the secret file secrets.secretsFile. It can be generated by running openssl rand -hex 32. Before upgrading, read the release notes for PeerTube:

    And backup your data.

  • services.chronyd is now started with additional systemd sandbox/hardening options for better security.

  • PostgreSQL has opt-in support for JIT compilation. It can be enabled like this:

    {
      services.postgresql = {
        enable = true;
        enableJIT = true;
      };
    }
    
  • services.netdata offers a deadlineBeforeStopSec option which enable users who have netdata instance that takes time to initialize to not have systemd kill them for no reason.

  • services.dhcpcd service now don't solicit or accept IPv6 Router Advertisements on interfaces that use static IPv6 addresses. If network uses both IPv6 Unique local addresses (ULA) and global IPv6 address auto-configuration with SLAAC, must add the parameter networking.dhcpcd.IPv6rs = true;.

  • The module services.headscale was refactored to be compliant with RFC 0042. To be precise, this means that the following things have changed:

  • services.kubo now unmounts ipfsMountDir and ipnsMountDir even if it is killed unexpectedly when autoMount is enabled.

  • nixos/lib/make-disk-image.nix can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual.

  • services.grafana listens only on localhost by default again. This was changed to upstreams default of 0.0.0.0 by accident in the freeform setting conversion.

  • Grafana Tempo has been updated to version 2.0. See the upstream upgrade guide for migration instructions.

  • A new virtualisation.rosetta module was added to allow running x86_64 binaries through Rosetta inside virtualised NixOS guests on Apple silicon. This feature works by default with the UTM virtualisation package.

  • The new option users.motdFile allows configuring a Message Of The Day that can be updated dynamically.

  • The root package is now built with the "-Dgnuinstall=ON" CMake flag, making the output conform the bin lib share layout. In this layout, tutorials is under share/doc/ROOT/; cmake, font, icons, js and macro under share/root; Makefile.comp and Makefile.config under etc/root.

  • Enabling global redirect in services.nginx.virtualHosts now allows one to add exceptions with the locations option.

  • A new option proxyCachePath has been added to services.nginx. Learn more about proxy_cache_path: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path.

  • A new option recommendedBrotliSettings has been added to services.nginx. Learn more about compression in Brotli format here.

  • Updated recommended settings in services.nginx.recommendedGzipSettings:

    • Enables gzip compression for only certain proxied requests.
    • Allow checking and loading of precompressed files.
    • Updated gzip mime-types.
    • Increased the minimum length of a response that will be gzipped.
  • Garage version is based on system.stateVersion, existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow upstream instructions and force services.garage.package or upgrade accordingly system.stateVersion.

  • Nebula now supports the services.nebula.networks.<name>.isRelay and services.nebula.networks.<name>.relays configuration options for setting up or allowing traffic relaying. See the announcement for more details about relays.

  • hip has been separated into hip, hip-common and hipcc.

  • services.nginx.recommendedProxySettings now removes the Connection header preventing clients from closing backend connections.

  • Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.

  • The firewall and nat module now has a nftables based implementation. Enable networking.nftables to use it.

  • The services.fwupd module now allows arbitrary daemon settings to be configured in a structured manner (services.fwupd.daemonSettings).

  • services.xserver.desktopManager.plasma5.phononBackend now defaults to vlc according to upstrean recommendation

  • The zramSwap is now implemented with zram-generator, and the option zramSwap.numDevices for using ZRAM devices as general purpose ephemeral block devices has been removed.

  • As Singularity has renamed to Apptainer to distinguish from an un-renamed fork by Sylabs Inc., there are now two packages of Singularity/Apptainer:

    • apptainer: From github.com/apptainer/apptainer, which is the new repo after renaming.
    • singularity: From github.com/sylabs/singularity, which is the fork by Sylabs Inc..

    programs.singularity got a new package option to specify which package to use.

    singularity-tools.buildImage got a new input argument singularity to specify which package to use.

  • The new option programs.singularity.enableFakeroot, if set to true, provides --fakeroot support for apptainer and singularity.

  • The unifi-poller package and corresponding NixOS module have been renamed to unpoller to match upstream.

  • The rtsp-simple-server package and corresponding NixOS module have been renamed to mediamtx to match upstream.

  • The new option services.tailscale.useRoutingFeatures controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to server, otherwise if you wish to use an exit node you can set this setting to client. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.

  • openjdk from version 11 and above is not build with openjfx (i.e.: JavaFX) support by default anymore. You can re-enable it by overriding, e.g.: openjdk11.override { enableJavaFX = true; };.

  • Xastir can now access AX.25 interfaces via the libax25 package.

  • nixos-version now accepts --configuration-revision to display more information about the current generation revision

  • The option services.nomad.extraSettingsPlugins has been fixed to allow more than one plugin in the path.

  • The option services.prometheus.exporters.pihole.interval does not exist anymore and has been removed.

  • The option services.gpsd.device has been replaced with services.gpsd.devices, which supports multiple devices.

  • k3s can now be configured with an EnvironmentFile for its systemd service, allowing secrets to be provided without ending up in the Nix Store.

  • gitea module options have been changed to be RFC042 conforming (i.e. some options were moved to be located under services.gitea.settings)

  • boot.initrd.luks.device.<name> has a new tryEmptyPassphrase option, this is useful for OEM's who need to install an encrypted disk with a future settable passphrase

  • Lisp gained a manual section, documenting a new and backwards incompatible interface. The previous interface will be removed in a future release.

  • The bind module now allows the per-zone allow-query setting to be configured (previously it was hard-coded to any; it still defaults to any to retain compatibility).

  • make-disk-image handles contents arguments that are directories better, fixing a bug where it used to put them in a subdirectory of the intended target.

  • The option services.jitsi-videobridge.apis has been renamed to colibriRestApi and turned into a boolean. Setting it to true will enable the private rest API, useful for monitoring using services.prometheus.exporters.jitsi.enable. Learn more about the API: "The COLIBRI control interface (/colibri/)".

Detailed migration information

Pipewire configuration overrides

Why this change?

The Pipewire config semantics don't really match the NixOS module semantics, so it's extremely awkward to override the default config, especially when lists are involved. Vendoring the configuration files in nixpkgs also creates unnecessary maintenance overhead.

Also, upstream added a lot of accommodations to allow doing most of the things you'd want to do with a config edit in better ways.

Migrating your configuration

Compare your settings to the defaults and where your configuration differs from them.

Then, create a drop-in JSON file in /etc/pipewire/<config file name>.d/99-custom.conf (the actual filename can be anything) and migrate your changes to it according to the following sections.

Repeat for every file you've modified, changing the directory name accordingly.

Things you can just copy over

If you are:

  • setting properties via *.properties
  • loading a new module to context.modules
  • creating new objects with context.objects
  • declaring SPA libraries with context.spa-libs
  • running custom commands with context.exec
  • adding new rules with *.rules
  • running custom PulseAudio commands with pulse.cmd

Simply move the definitions into the drop-in.

Note that the use of context.exec is not recommended and other methods of running your thing are likely a better option.

{
  "context.properties": {
    "your.property.name": "your.property.value"
  },
  "context.modules": [
    { "name": "libpipewire-module-my-cool-thing" }
  ],
  "context.objects": [
    { "factory": { ... } }
  ],
  "alsa.rules": [
    { "matches: { ... }, "actions": { ... } }
  ]
}

Removing a module from context.modules

Look for an option to disable it via context.properties ("module.x11.bell": "false" is likely the most common use case here). If one is not available, proceed to Nuclear option.

Modifying a module's parameters in context.modules

For most modules (e.g. libpipewire-module-rt) it's enough to load the module again with the new arguments, e.g.:

{
  "context.modules": [
    {
      "name": "libpipewire-module-rt",
      "args": {
        "rt.prio": 90
      }
    }
  ]
}

Note that module-rt specifically will generally use the highest values available by default, so setting limits on the pipewire systemd service is preferable to reloading.

If reloading the module is not an option, proceed to Nuclear option.

Nuclear option

If all else fails, you can still manually copy the contents of the default configuration file from ${pkgs.pipewire.lib}/share/pipewire to /etc/pipewire and edit it to fully override the default. However, this should be done only as a last resort. Please talk to the Pipewire maintainers if you ever need to do this.