# Release 24.11 (“Vicuña”, 2024.11/??) {#sec-release-24.11}

## Highlights {#sec-release-24.11-highlights}

- Convenience options for `amdgpu`, the open source driver for Radeon cards, are now available under `hardware.amdgpu`.

- [AMDVLK](https://github.com/GPUOpen-Drivers/AMDVLK), AMD's open source Vulkan driver, can now be configured through the `hardware.amdgpu.amdvlk` option. This also allows configuring runtime settings of AMDVLK and enabling experimental features.

- The `moonlight-qt` package ([Moonlight game streaming](https://moonlight-stream.org/)) now has HDR support on Linux systems.

## New Services {#sec-release-24.11-new-services}

- [Open-WebUI](https://github.com/open-webui/open-webui), a user-friendly WebUI for LLMs. Available as the [services.open-webui](#opt-services.open-webui.enable) service.

- [Quickwit](https://quickwit.io), a sub-second search & analytics engine on cloud storage. Available as [services.quickwit](options.html#opt-services.quickwit).

- [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood).

- [QGroundControl], a ground station support and configuration manager for the PX4 and APM Flight Stacks. Available as [programs.qgroundcontrol](options.html#opt-programs.qgroundcontrol.enable).

- [Eintopf](https://eintopf.info), a community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf).

- [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).

- [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a web UI for connecting devices. Available as [services.wg-access-server](#opt-services.wg-access-server.enable).

- [Envision](https://gitlab.com/gabmus/envision), a UI for building, configuring and running Monado, the open source OpenXR runtime. Available as [programs.envision](#opt-programs.envision.enable).

- [realm](https://github.com/zhboner/realm), a simple, high performance relay server written in Rust. Available as [services.realm.enable](#opt-services.realm.enable).

- [Playerctld](https://github.com/altdesktop/playerctl), a daemon to track media player activity. Available as [services.playerctld](option.html#opt-services.playerctld).

- [Glance](https://github.com/glanceapp/glance), a self-hosted dashboard that puts all your feeds in one place. Available as [services.glance](option.html#opt-services.glance).

## Backward Incompatibilities {#sec-release-24.11-incompatibilities}

- The `transmission` package has been aliased with a `trace` warning to `transmission_3`. Since [Transmission 4 was released last year](https://github.com/transmission/transmission/releases/tag/4.0.0) and Transmission 3 will eventually go away, it was decided to perform this warning alias to make people aware of the new version. `services.transmission.package` also defaults to `transmission_3`, because the upgrade can cause data loss in certain specific usage patterns (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up your data directory per your usage:
  - `transmission-gtk`: `~/.config/transmission`
  - `transmission-daemon` using the NixOS module: `${config.services.transmission.home}/.config/transmission-daemon` (defaults to `/var/lib/transmission/.config/transmission-daemon`)

- `androidenv.androidPkgs_9_0` has been removed and replaced with `androidenv.androidPkgs`, for a more complete Android SDK including support for Android 9 and later.

- `grafana` has been updated to version 11.1. This version no longer supports setting `http_addr` to a hostname; an IP address is expected.

- `wstunnel` has had a major version upgrade that entailed rewriting the program in Rust. The module was updated to accommodate the breaking changes. Breaking changes to the module API were minimised as much as possible, but some were nonetheless inevitable due to changes in the upstream CLI. Certain options were moved from separate CLI arguments into the forward specifications, and those options were also removed from the module's API; please consult the wstunnel man page for more detail. Also be aware that if you have set additional options in `services.wstunnel.{clients,servers}..extraArgs`, those might have been removed or modified upstream.

- `clang-tools_` packages have been moved into `llvmPackages_` (i.e. `clang-tools_18` is now `llvmPackages_18.clang-tools`).
  - For convenience, the top-level `clang-tools` attribute remains and is now bound to `llvmPackages.clang-tools`.
  - Top-level `clang_tools_` attributes are now aliases; these will be removed in a future release.

- `buildbot` was updated to 4.0; the AngularJS frontend has been replaced by a React frontend, see the [upstream release notes](https://docs.buildbot.net/current/manual/upgrading/4.0-upgrade.html).

- The `nginx` package no longer includes the `gd` and `geoip` dependencies. To enable them, override the `nginx` package with `withImageFilter` and `withGeoIP`.

- `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support, in an effort to reduce the attack surface of these components for the majority of users. Users needing this support can use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` flavors (e.g. `programs.ssh.package = pkgs.opensshWithKerberos`).

- `security.ipa.ipaHostname` now defaults to the value of `networking.fqdn` if it is set, instead of the previous hardcoded default of `${networking.hostName}.${security.ipa.domain}`.

- The fcgiwrap module now allows multiple instances running as distinct users. The option `services.fcgiwrap` now takes an attribute set with the configuration of each individual instance. This requires migrating any previous configuration keys from `services.fcgiwrap.*` to `services.fcgiwrap.some-instance.*`. The ownership and mode of the UNIX sockets created by this service are now configurable and private by default. Processes also now run as a dynamically allocated user by default instead of root.

- `services.cgit` now runs as the cgit user by default instead of root. This change requires granting this user access to the repositories, or setting the appropriate user through `services.cgit.some-instance.user`.

- `nvimpager` was updated to version 0.13.0, which changes the order of user and nvimpager settings: user commands in `-c` and `--cmd` now override the respective default settings because they are executed later.

- `pkgs.nextcloud27` has been removed since it is EOL.

- `services.forgejo.mailerPasswordFile` has been deprecated by the drop-in replacement `services.forgejo.secrets.mailer.PASSWD`, which is part of the new free-form `services.forgejo.secrets` option. `services.forgejo.secrets` is a small wrapper over systemd's `LoadCredential=`. It has the same structure (sections/keys) as `services.forgejo.settings`, but takes file paths that are read before service startup instead of plaintext values.

- `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead.

- `teleport` has been upgraded from major version 15 to major version 16. Refer to the upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/) and [release notes for v16](https://goteleport.com/docs/changelog/#1600-061324).

- `vaultwarden` lost the capability to bind to privileged ports. If you rely on this behavior, override the systemd unit to allow `CAP_NET_BIND_SERVICE` in your local configuration.

- The Invoiceplane module now only accepts the structured `settings` option. `extraConfig` has been removed.

- The legacy package `stalwart-mail_0_6` was dropped; please read the [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md) before changing the package to `pkgs.stalwart-mail` in [`services.stalwart-mail.package`](#opt-services.stalwart-mail.package).

- `androidndkPkgs` has been updated to `androidndkPkgs_26`.

- Android NDK version 26 and SDK version 33 are now the default versions used for cross compilation to Android.

- `nodePackages.vscode-css-languageserver-bin`, `nodePackages.vscode-html-languageserver-bin`, and `nodePackages.vscode-json-languageserver-bin` were dropped due to an unmaintained upstream. The `vscode-langservers-extracted` package is a maintained drop-in replacement.

- `haskell.lib.compose.justStaticExecutables` now disallows references to GHC in the output by default, to alert users to closure size issues caused by [#164630](https://github.com/NixOS/nixpkgs/issues/164630). See ["Packaging Helpers" in the Haskell section of the Nixpkgs manual](https://nixos.org/manual/nixpkgs/unstable/#haskell-packaging-helpers) for information on working around `output '...' is not allowed to refer to the following paths` errors caused by this change.

- The `stalwart-mail` service now runs under the `stalwart-mail` system user instead of a dynamically created one via `DynamicUser`, to avoid automatic ownership changes on its large file store each time the service was started. This change requires manually moving the state directory from `/var/lib/private/stalwart-mail` to `/var/lib/stalwart-mail` and changing the ownership of the directory and its content to `stalwart-mail`.

- The `stalwart-mail` module now uses RocksDB as the default storage backend for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured data and the filesystem for blobs.)

- The `shiori` service now requires an HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided via an environment variable. The NixOS module therefore now provides an `environmentFile` option:

  ```nix
  # This is how an environment file can be generated:
  # $ printf "SHIORI_HTTP_SECRET_KEY=%s\n" "$(openssl rand -hex 16)" > /path/to/env-file
  services.shiori.environmentFile = "/path/to/env-file";
  ```

- `/share/nano` is now only linked when `programs.nano.enable` is enabled.

- `libe57format` has been updated to `>= 3.0.0`, which contains some backward-incompatible API changes. See the [release note](https://github.com/asmaloney/libE57Format/releases/tag/v3.0.0) for more details.

- `gitlab` deprecated support for *runner registration tokens* in GitLab 16.0, disabled them in GitLab 17.0 and will ultimately remove them in GitLab 18.0, as outlined in the [documentation](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#estimated-time-frame-for-planned-changes). After upgrading to GitLab >= 17.0, it is possible to re-enable support for registration tokens in the UI until GitLab 18.0. Refer to the manual on [using registration tokens after GitLab 17.0](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170). GitLab administrators should migrate to the [new runner registration workflow](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170) with *runner authentication tokens* before the release of GitLab 18.0.

- `gitlab` has been updated from 16.x to 17.x and requires at least `postgresql` 14.9, as stated in the [documentation](https://docs.gitlab.com/17.1/ee/install/requirements.html#postgresql-requirements). Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation.
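For the `vaultwarden` entry above, an added example (not part of the release notes or the NixOS module) that re-grants only `CAP_NET_BIND_SERVICE` to the unit instead of running it as root; the `ROCKET_PORT` value and the use of `lib.mkForce` (assumed necessary because the hardened unit sets the capability lists itself) are illustrative assumptions.

```nix
# Added example: minimal re-grant of the privileged-port capability
# to the vaultwarden unit after the 24.11 hardening.
{ lib, ... }:
{
  services.vaultwarden = {
    enable = true;
    # Assumed for the example: listen directly on a port below 1024.
    # The lower-risk option is to keep the unprivileged default port and
    # terminate TLS on a reverse proxy such as nginx, leaving the unit
    # with no capabilities at all.
    config.ROCKET_PORT = 443;
  };

  # An ambient capability only takes effect if it is also in the bounding
  # set, so both lists are forced to exactly one capability. mkForce
  # replaces, rather than merges with, whatever the module defines.
  systemd.services.vaultwarden.serviceConfig = {
    CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
    AmbientCapabilities = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
  };
}
```

After switching to the configuration, `systemctl show vaultwarden -p CapabilityBoundingSet -p AmbientCapabilities` should list only `cap_net_bind_service` for both properties.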
- `zx` was updated to v8, which introduces several breaking changes. See the [v8 changelog](https://github.com/google/zx/releases/tag/8.0.0) for more information.

- The `portunus` package and service no longer support weak password hashes. If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing. Then, follow the instructions in the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all existing user accounts to strong password hashes. If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration:

  ```nix
  services.portunus.package = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; };
  services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
  ```

- The default value of `services.kubernetes.kubelet.hostname` is now lowercased. Explicitly set `kubelet.hostname` to `networking.fqdnOrHostName` to get back the old default behavior.

- `keycloak` was updated to version 25, which introduces new hostname related options. See the [Upgrading Guide](https://www.keycloak.org/docs/25.0.1/upgrading/#migrating-to-25-0-0) for instructions.

- `programs.vim.defaultEditor` now only works if `programs.vim.enable` is enabled.

- `/share/vim-plugins` now only gets linked if `programs.vim.enable` is enabled.

- The `tracy` package no longer works on X11, since it has moved to Wayland support, which is the intended default behavior by the Tracy maintainers. X11 users have to switch to the new package `tracy-x11`.

- The `services.prometheus.exporters.minio` option has been removed, as its upstream implementation was broken and unmaintained. Minio now has built-in [Prometheus metrics exposure](https://min.io/docs/minio/linux/operations/monitoring/collect-minio-metrics-using-prometheus.html), which can be used instead.

- The `services.patroni.raft` option has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300).

- `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset the overhead introduced by the base64 encoding applied to attachments.

- The `sound` options have been removed or renamed, as they had a lot of unintended side effects. See [below](#sec-release-24.11-migration-sound) for details.

- The `services.mxisd` module has been removed, as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are no longer maintained. Consequently the package `pkgs.ma1sd` has also been removed.

## Other Notable Changes {#sec-release-24.11-notable-changes}

- The `zerocallusedregs` hardening flag is enabled by default on compilers that support it.

- The `stackclashprotection` hardening flag has been added, though it is disabled by default.

- `cargoSha256` in `rustPlatform.buildRustPackage` has been deprecated in favor of `cargoHash`, which supports SRI hashes. See [buildRustPackage: Compiling Rust applications with Cargo](https://nixos.org/manual/nixpkgs/unstable/#compiling-rust-applications-with-cargo) for more information.

- `hareHook` has been added as the language framework for Hare. From now on, it, not the `hare` package, should be added to `nativeBuildInputs` when building Hare programs.

- [`lib.options.mkPackageOptionMD`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOptionMD) is now obsolete; use the identical [`lib.options.mkPackageOption`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOption) instead.
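For the two hardening-flag entries above (`zerocallusedregs` now on by default, `stackclashprotection` added but off), an added example that is not nixpkgs' own code: it shows how a single package opts in or out of a flag through stdenv's `hardeningEnable` / `hardeningDisable` attributes, which the cc-wrapper turns into `NIX_HARDENING_ENABLE`. `pkgs.hello` is only a stand-in package.

```nix
# Added example: per-package control of the 24.11 hardening flags.
{ pkgs, ... }:
let
  # Stand-in package; any stdenv.mkDerivation-based package behaves the same.
  hardenedHello = pkgs.hello.overrideAttrs (old: {
    # Opt in to stack clash protection, which is disabled by default.
    # Appending (rather than replacing) keeps whatever the package already set.
    hardeningEnable = (old.hardeningEnable or [ ]) ++ [ "stackclashprotection" ];
  });

  # Opt out of zerocallusedregs, which is now enabled by default, only for a
  # package whose build genuinely breaks with it; a blanket disable would give
  # up the register-clearing mitigation for every binary on the system.
  relaxedHello = pkgs.hello.overrideAttrs (old: {
    hardeningDisable = (old.hardeningDisable or [ ]) ++ [ "zerocallusedregs" ];
  });
in
{
  # Only one of the two variants is installed here, so their bin/hello
  # outputs do not collide in the system environment.
  environment.systemPackages = [ hardenedHello ];
}
```

With `NIX_DEBUG=1` set in the derivation environment, the cc-wrapper prints the hardening flags it enables and disables during the build, so you can confirm that `stackclashprotection` is applied to `hardenedHello` and that `zerocallusedregs` is skipped for `relaxedHello`.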
- To facilitate dependency injection, the `imgui` package now builds a static archive using vcpkg's CMake rules. The derivation now installs "impl" headers selectively instead of by a wildcard. Use `imgui.src` if you just want to access the unpacked sources.

- The `i18n.inputMethod` module introduces two new properties, `enable` and `type`, for declaring whether to enable an alternative input method and defining which input method, respectively. The options available in `type` are the same as for the existing `enabled` option. `enabled` is now deprecated and will be removed in a future release.

- `security.pam.u2f` now follows RFC 42. All module options are now settable through the freeform `.settings`.

- The hooks `yarnConfigHook` and `yarnBuildHook` were added. These should replace `yarn2nix.mkYarnPackage` and other `yarn2nix` related tools. The motivation to get rid of the `yarn2nix` tools is that they are too complex and hard to maintain, and they rely upon too much Nix evaluation, which is problematic if import-from-derivation is not allowed (see more details at [#296856](https://github.com/NixOS/nixpkgs/issues/296856)). The transition from `mkYarnPackage` to `yarn{Config,Build}Hook` is tracked at [#324246](https://github.com/NixOS/nixpkgs/issues/324246).

- Cinnamon has been updated to 6.2.
  - Following Mint 22 defaults, the Cinnamon module no longer ships geary and hexchat by default.
  - Nemo is now built with gtk-layer-shell support; note that for now nemo-desktop is expected to appear as a regular entry in the window list applet of the Cinnamon Wayland session.

- Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872) in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners should be changed to using *runner authentication tokens* by configuring {option}`services.gitlab-runner.services..authenticationTokenConfigFile` instead of the former {option}`services.gitlab-runner.services..registrationConfigFile` option.

- `iproute2` now has libbpf support.

## Detailed migration information {#sec-release-24.11-migration}

### `sound` options removal {#sec-release-24.11-migration-sound}

The `sound` options have been largely removed, as they are unnecessary for most modern setups, and cause issues when enabled.

If you set `sound.enable` in your configuration:

- If you are using PulseAudio or PipeWire, simply remove that option
- If you are not using an external sound server, and want volumes to be persisted across shutdowns, set `hardware.alsa.enablePersistence = true` instead

If you set `sound.enableOSSEmulation` in your configuration:

- Make sure it is still necessary, as very few applications actually use OSS
- If necessary, set `boot.kernelModules = [ "snd_pcm_oss" ]`

If you set `sound.extraConfig` in your configuration:

- If you are using another sound server, like PulseAudio, JACK or PipeWire, migrate your configuration to that
- If you are not using an external sound server, set `environment.etc."asound.conf".text = yourExtraConfig` instead

If you set `sound.mediaKeys` in your configuration:

- Preferably switch to handling media keys in your desktop environment/compositor
- If you want to maintain the exact behavior of the option, use the following snippet

```nix
services.actkbd = let
  volumeStep = "1%";
in {
  enable = true;
  bindings = [
    # "Mute" media key
    { keys = [ 113 ]; events = [ "key" ]; command = "${alsa-utils}/bin/amixer -q set Master toggle"; }

    # "Lower Volume" media key
    { keys = [ 114 ]; events = [ "key" "rep" ]; command = "${alsa-utils}/bin/amixer -q set Master ${volumeStep}- unmute"; }

    # "Raise Volume" media key
    { keys = [ 115 ]; events = [ "key" "rep" ]; command = "${alsa-utils}/bin/amixer -q set Master ${volumeStep}+ unmute"; }

    # "Mic Mute" media key
    { keys = [ 190 ]; events = [ "key" ]; command = "${alsa-utils}/bin/amixer -q set Capture toggle"; }
  ];
};
```