- use upstream service and scripts - switch to integrated-vtysh-config, abandon per-daemon config - use always daemon names in options (e.g. ospf -> ospfd) - zebra, mgmtd and staticd are always enabled - abandon vtyListenAddress, vtyListenPort options; use just "extraOptions" or "options" instead, respectively - extend test to test staticd - update release-notes - pkgs.servers.frr: fix sbindir and remove FHS PATH - introduce services.frr.openFilesLimit option
65 KiB
Release 22.05 (“Quokka”, 2022.05/30)
- Support is planned until the end of December 2022, handing over to 22.11.
Highlights
In addition to numerous new and upgraded packages, this release has the following highlights:
-
Nix has been updated from 2.3 to 2.8. This mainly brings experimental support for Flakes, but also marks the
nix
command as experimental which now has to be enabled via the configuration explicitly. For more information and instructions for upgrades, see the release notes for nix-2.4, nix-2.5, nix-2.6, nix-2.7 and nix-2.8 -
The
firefox
browser onx86_64-linux
now makes use of profile-guided optimisation, resulting in a much more responsive browsing experience. -
GNOME has been upgraded to 42. Please take a look at their Release Notes for details. In particular, it replaces gedit with GNOME Text Editor, GNOME Terminal with GNOME Console (formerly King's Cross) and GNOME Screenshot by a tool integrated into the Shell.
-
PHP 8.1 is now available.
-
systemd services can now set systemd.services.<name>.reloadTriggers instead of
reloadIfChanged
for a more granular distinction between reloads and restarts. -
Systemd has been upgraded to the version 250.
-
Pulseaudio has been updated to version 15.0 and now optionally supports additional Bluetooth audio codecs such as aptX or LDAC, with codec switching available in
pavucontrol
. This feature is disabled by default, but can be enabled with the optionhardware.pulseaudio.package = pkgs.pulseaudioFull;
. Existing third-party modules that offered similar functions, such aspulseaudio-modules-bt
orpulseaudio-hsphfpd
, are obsolete and have been removed. -
PostgreSQL now defaults to major version 14.
-
Module authors can use
mkRenamedOptionModuleWith
to automate the deprecation cycle without annoying out-of-tree module authors and their users. -
The default GHC version has been updated from 8.10.7 to 9.0.2.
pkgs.haskellPackages
andpkgs.ghc
will now use this version by default. -
The GNOME and Plasma installation CDs now use
pkgs.calamares
andpkgs.calamares-nixos-extensions
to allow users to easily install and set up NixOS with a GUI. -
security.acme.defaults
has been added to simplify the configuration of settings for many certificates at once. This also opens up the option to use DNS-01 validation when usingenableACME
web server virtual hosts (e.g.services.nginx.virtualHosts.*.enableACME
).
New Services
-
1password, command-lines and graphic interface for 1Password. Available as programs._1password and programs._1password-gui.
-
aesmd, the Intel SGX Architectural Enclave Service Manager. Available as services.aesmd.
-
agate, a very simple server for the Gemini hypertext protocol. Available as services.agate.
-
apfs, a kernel module for mounting the Apple File System (APFS).
-
argonone, a replacement daemon for the Raspberry Pi Argon One power button and cooler. Available at services.hardware.argonone.
-
ArchiSteamFarm, a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as services.archisteamfarm.
-
BaGet, a lightweight NuGet and symbol server. Available at services.baget.
-
bird-lg, a BGP looking glass for Bird Routing. Available as services.bird-lg.
-
blocky, fast and lightweight DNS proxy as ad-blocker for local network with many features. Available as services.blocky.
-
cloudflare-dyndns, CloudFlare Dynamic DNS client. Available as services.cloudflare-dyndns.
-
Corosync and Pacemaker, A open-source high availability resource manager. Available as services.corosync and services.pacemaker.
-
create_ap, a module for creating wifi hotspots using the program linux-wifi-hotspot. Available as services.create_ap.
-
Envoy, a high-performance reverse proxy. Available as services.envoy.
-
ergochat, a modern IRC with IRCv3 features. Available as services.ergochat.
-
ethercalc, an online collaborative spreadsheet. Available as services.ethercalc.
-
filebeat, a lightweight shipper for forwarding and centralizing log data. Available as services.filebeat.
-
FRRouting, a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VRRP and others). Available as services.frr.
-
Grafana Mimir, an open source, horizontally scalable, highly available, multi-tenant, long-term storage for Prometheus. Available as services.mimir.
-
Haste, a pastebin written in node.js. Available as services.haste.
-
headscale, an Open Source implementation of the Tailscale Control Server. Available as services.headscale.
-
heisenbridge, a bouncer-style Matrix IRC bridge. Available as services.heisenbridge.
-
https-dns-proxy, DNS to DNS over HTTPS (DoH) proxy. Available as services.https-dns-proxy.
-
input-remapper, an easy to use tool to change the mapping of your input device buttons. Available at services.input-remapper.
-
InvoicePlane, web application for managing and creating invoices. Available at services.invoiceplane.
-
k3b, the KDE disk burning application. Available as programs.k3b.
-
K40-Whisperer, a program to control cheap Chinese laser cutters. Available as programs.k40-whisperer.enable. Users must add themselves to the
k40
group to be able to access the device. -
kanidm, an identity management server written in Rust. Available as services.kanidm
-
Maddy, a free an open source mail server. Available as services.maddy.
-
matrix-conduit, a simple, fast and reliable chat server powered by matrix. Available as services.matrix-conduit.
-
Moosefs, fault tolerant petabyte distributed file system. Available as moosefs.
-
mozillavpn, the client for the Mozilla VPN service. Available as services.mozillavpn.
-
mtr-exporter, a Prometheus exporter for mtr metrics. Available as services.mtr-exporter.
-
nbd, a Network Block Device server. Available as services.nbd.
-
netbox, infrastructure resource modeling (IRM) tool. Available as services.netbox.
-
nethoscope, listen to your network traffic. Available as programs.nethoscope.
-
nifi, an easy to use, powerful, and reliable system to process and distribute data. Available as services.nifi.
-
nix-ld, Run unpatched dynamic binaries on NixOS. Available as programs.nix-ld.
-
NNCP, NNCP (Node to Node copy) utilities and configuration, Available as programs.nncp.
-
pgadmin4, an admin interface for the PostgreSQL database. Available at services.pgadmin.
-
PowerDNS-Admin, a web interface for the PowerDNS server. Available at services.powerdns-admin.
-
prometheus-pve-exporter, a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as services.prometheus.exporters.pve.
-
prosody-filer, a server for handling XMPP HTTP Upload requests. Available at services.prosody-filer.
-
Public Inbox, an "archives first" approach to mailing lists. Available as services.public-inbox.
-
r53-ddns, a small tool to run your own DDNS service via AWS Route53. Available as services.r53-ddns.
-
rmfakecloud, a clone of the cloud sync the remarkable tablet. Available as services.rmfakecloud.
-
rootless Docker, a
systemd --user
Docker service which runs without root permissions. Available as virtualisation.docker.rootless.enable. -
rstudio-server, a browser-based version of the RStudio IDE for the R programming language. Available as services.rstudio-server.
-
mediamtx, ready-to-use RTSP / RTMP / HLS server and proxy that allows to read, publish and proxy video and audio streams. Available as services.mediamtx.
-
Snipe-IT, a free open source IT asset/license management system. Available as services.snipe-it.
-
snowflake-proxy, a system to defeat internet censorship. Available as services.snowflake-proxy.
-
sslmate-agent, a daemon for managing SSL/TLS certificates on a server. Available as services.sslmate-agent.
-
starship, a minimal, blazing-fast, and infinitely customizable prompt for any shell. Available at programs.startship.
-
systembus-notify, allow system level notifications to reach the users. Available as services.systembus-notify. Please keep in mind that this service should only be enabled on machines with fully trusted users, as any local user is able to DoS user sessions by spamming notifications.
-
teleport, allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at services.teleport.
-
tetrd, share your internet connection from your device to your PC and vice versa through a USB cable. Available at services.tetrd.
-
uptermd, an open-source solution for sharing terminal sessions instantly over the public internet via secure tunnels. Available at services.uptermd.
-
usbrelayd, an USB Relay MQTT daemon. Available as services.usbrelayd.
-
webdav-server-rs, Webdav server in rust. Available as services.webdav-server-rs.
-
wg-netmanager, the Wireguard network manager. Available as services.wg-netmanager.
-
Zammad, a web-based, open source user support/ticketing solution. Available as services.zammad.
Backward Incompatibilities
-
pkgs.ghc
now refers topkgs.targetPackages.haskellPackages.ghc
. This only makes a difference if you are cross-compiling and will ensure thatpkgs.ghc
always runs on the host platform and compiles for the target platform (similar topkgs.gcc
for example).haskellPackages.ghc
still behaves as before, running on the build platform and compiling for the host platform (similar tostdenv.cc
). This means you don't have to adjust your derivations if you usehaskellPackages.callPackage
, but when usingpkgs.callPackage
and takingghc
as an input, you should now usebuildPackages.ghc
instead to ensure cross compilation keeps working (or switch tohaskellPackages.callPackage
). -
pkgs.ghc.withPackages
as well ashaskellPackages.ghcWithPackages
etc. now needs be overridden directly, as opposed to overriding the result of calling it. Additionally, thewithLLVM
parameter has been renamed touseLLVM
. So instead of(ghc.withPackages (p: [])).override { withLLVM = true; }
, one needs to use(ghc.withPackages.override { useLLVM = true; }) (p: [])
. -
The update of the haskell package set brings with it a new version of the
xmonad
module, which will break your configuration if you uselaunch
as entrypoint. The example code the corresponding nixos module was adjusted, you may want to have a look at it. -
The
home-assistant
module now requires users that don't want their configuration to be managed declaratively to setservices.home-assistant.config = null;
. This is required due to the way default settings are handled with the new settings style.Additionally the default list of
extraComponents
now includes the minimal dependencies to successfully complete the onboarding procedure. -
pkgs.emacsPackages.orgPackages
is removed because org elpa is deprecated. The packages in the top level ofpkgs.emacsPackages
, such as org and org-contrib, refer to the ones inpkgs.emacsPackages.elpaPackages
andpkgs.emacsPackages.nongnuPackages
where the new versions will release. -
The configuration and state directories used by
nixos-containers
have been moved from/etc/containers
and/var/lib/containers
to/etc/nixos-containers
and/var/lib/nixos-containers
.If you are changing
system.stateVersion
to"22.05"
manually on an existing system you are responsible for migrating these directories yourself.This is to improve compatibility with
libcontainer
based software such as Podman and Skopeo which assumes they have ownership over/etc/containers
. -
lib.systems.supported
has been removed, as it was overengineered for determining the systems to support in the nixpkgs flake. The list of systems exposed by the nixpkgs flake can now be accessed aslib.systems.flakeExposed
. -
For new installations
virtualisation.oci-containers.backend
is now set topodman
by default. If you still want to use Docker on systems wheresystem.stateVersion
is set to to"22.05"
setvirtualisation.oci-containers.backend = "docker";
.Old systems with olderstateVersion
s stay with "docker". -
security.klogd
was removed. Logging of kernel messages is handled by systemd since Linux 3.5. -
pkgs.ssmtp
has been dropped due to the program being unmaintained.pkgs.msmtp
can be used instead as a substitutesendmail
implementation. The corresponding optionsservices.ssmtp.*
have been removed as well.programs.msmtp.*
can be used instead for an equivalent setup. For example:{ # Original ssmtp configuration: services.ssmtp = { enable = true; useTLS = true; useSTARTTLS = true; hostName = "smtp.example:587"; authUser = "someone"; authPassFile = "/secrets/password.txt"; }; # Equivalent msmtp configuration: programs.msmtp = { enable = true; accounts.default = { tls = true; tls_starttls = true; auth = true; host = "smtp.example"; port = 587; user = "someone"; passwordeval = "cat /secrets/password.txt"; }; }; }
-
services.kubernetes.addons.dashboard
was removed due to it being an outdated version. -
services.kubernetes.scheduler.{port,address}
now set--secure-port
and--bind-address
instead of--port
and--address
, since the former have been deprecated and are no longer functional in kubernetes>=1.23. Ensure that you are not relying on the insecure behaviour before upgrading. -
In the PowerDNS Recursor module (
services.pdns-recursor
), default values of several IP address-related NixOS options have been updated to match the default upstream behavior. In particular, Recursor by default will:- listen on (and allows connections from) both IPv4 and IPv6 addresses
(
services.pdns-recursor.dns.address
,services.pdns-recursor.dns.allowFrom
); - allow only local connections to the REST API server (
services.pdns-recursor.api.allowFrom
).
- listen on (and allows connections from) both IPv4 and IPv6 addresses
(
-
In the ncdns module, the default value of
services.ncdns.address
has been changed to the IPv6 loopback address (::1
). -
openldap
(and therefore the slapd LDAP server) were updated to version 2.6.2. The project introduced backwards-incompatible changes, namely the removal of the bdb, hdb, ndb, and shell backends in slapd. Therefore before updating, dump your databaseslapcat -n 1
in LDIF format, and reimport it after updating yourservices.openldap.settings
, which represents yourcn=config
.Additionally with 2.5 the argon2 module was included in the standard distribution and renamed from
pw-argon2
toargon2
. Remember to update yourolcModuleLoad
entry incn=config
. -
openssh
has been update to 8.9p1, changing the FIDO security key middleware interface. -
git
no longer hardcodes the path to openssh' ssh binary to reduce the amount of rebuilds. If you are using git with ssh remotes and do not have a ssh binary in your environment consider addingopenssh
to it or switching togitFull
. -
services.k3s.enable
no longer impliessystemd.enableUnifiedCgroupHierarchy = false
, and will default to the 'systemd' cgroup driver when usingservices.k3s.docker = true
. This change may require a reboot to take effect, and k3s may not be able to run if the boot cgroup hierarchy does not match its configuration. The previous behavior may be retained by explicitly settingsystemd.enableUnifiedCgroupHierarchy = false
in your configuration. -
fonts.fonts
no longer includes ancient bitmap fonts when bothconfig.services.xserver.enable
andconfig.nixpkgs.config.allowUnfree
are enabled. If you still want these fonts, use:{ fonts.fonts = [ pkgs.xorg.fontbhlucidatypewriter100dpi pkgs.xorg.fontbhlucidatypewriter75dpi pkgs.xorg.fontbh100dpi ]; }
-
services.prometheus.alertManagerTimeout
has been removed as it has been deprecated upstream and has no effect. -
The DHCP server (
services.dhcpd4
,services.dhcpd6
) has been hardened. The service is now using the systemd'sDynamicUser
mechanism to run as an unprivileged dynamically-allocated user with limited capabilities. The dhcpd state files are now always stored in/var/lib/dhcpd{4,6}
and theservices.dhcpd4.stateDir
andservice.dhcpd6.stateDir
options have been removed. If you were depending on root privileges or set{uid,gid,cap} binaries in dhcpd shell hooks, you may give dhcpd more capabilities with e.g.systemd.services.dhcpd6.serviceConfig.AmbientCapabilities
. -
The
mailpile
email webclient (services.mailpile
) has been removed due to its reliance on python2. -
services.ipfs.extraFlags
is now escaped withutils.escapeSystemdExecArgs
. If you rely on systemd interpolatingextraFlags
in the serviceExecStart
, this will no longer work. -
hbase
version 0.98.24 has been removed. The package now defaults to version 2.4.11. Versions 1.7.1 and 3.0.0-alpha-2 are also available. -
services.paperless-ng
was renamed toservices.paperless
. Accordingly, thepaperless-ng-manage
script (located indataDir
) was renamed topaperless-manage
.services.paperless
now usespaperless-ngx
. -
The
matrix-synapse
service (services.matrix-synapse
) has been converted to use thesettings
option defined in RFC42. This means that options that are part of yourhomeserver.yaml
configuration, and that were specified at the top-level of the module (services.matrix-synapse
) now need to be moved intoservices.matrix-synapse.settings
. And while not all options you may use are defined in there, they are still supported, because you can set arbitrary values in this freeform type.The
listeners.*.bind_address
option was renamed tobind_addresses
in order to match the upstreamhomeserver.yaml
option name. It is now also a list of strings instead of a string.An example to make the required migration clearer:
Before:
{ services.matrix-synapse = { enable = true; server_name = "example.com"; public_baseurl = "https://example.com:8448"; enable_registration = false; registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut"; macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l"; tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; listeners = [ { port = 8448; bind_address = ""; type = "http"; tls = true; resources = [ { names = [ "client" ]; compress = true; } { names = [ "federation" ]; compress = false; } ]; } ]; }; }
After:
{ services.matrix-synapse = { enable = true; # this attribute set holds all values that go into your homeserver.yaml configuration # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for # possible values. settings = { server_name = "example.com"; public_baseurl = "https://example.com:8448"; enable_registration = false; # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem"; listeners = [ { port = 8448; bind_addresses = [ "::" "0.0.0.0" ]; type = "http"; tls = true; resources = [ { names = [ "client" ]; compress = true; } { names = [ "federation" ]; compress = false; } ]; } ]; }; extraConfigFiles = [ "/run/keys/matrix-synapse/secrets.yaml" ]; }; }
The secrets in your original config should be migrated into a YAML file that is included via
extraConfigFiles
. The filename must be quoted to prevent nix from copying it to the (world readable) store.Additionally a few option defaults have been synced up with upstream default values, for example the
max_upload_size
grew from10M
to50M
. For the same reason, the defaultmedia_store_path
was changed from${dataDir}/media
to${dataDir}/media_store
ifsystem.stateVersion
is at least22.05
. Files will need to be manually moved to the new location if thestateVersion
is updated.As of Synapse 1.58.0, the old groups/communities feature has been disabled by default. It will be completely removed with Synapse 1.61.0.
-
The Keycloak package (
pkgs.keycloak
) has been switched from the Wildfly version, which will soon be deprecated, to the Quarkus based version. The Keycloak service (services.keycloak
) has been updated to accommodate the change and now differs from the previous version in a few ways:-
services.keycloak.extraConfig
has been removed in favor of the new settings-styleservices.keycloak.settings
option. The available options correspond directly to parameters inconf/keycloak.conf
. Some of the most important parameters are documented as suboptions, the rest can be found in the All configuration section of the Keycloak Server Installation and Configuration Guide. While the new configuration is much simpler and cleaner than the old JBoss CLI one, this unfortunately mean that there's no straightforward way to convert an old configuration to the new format and some settings may not even be available anymore. -
services.keycloak.frontendUrl
was removed and the frontend URL is now configured through thehostname
family of settings inservices.keycloak.settings
instead. See the Hostname section of the Keycloak Server Installation and Configuration Guide for more details. Additionally,/auth
was removed from the default context path and needs to be added back inservices.keycloak.settings.http-relative-path
if you want to keep compatibility with your current clients. -
services.keycloak.bindAddress
,services.keycloak.forceBackendUrlToFrontendUrl
,services.keycloak.httpPort
andservices.keycloak.httpsPort
have been removed in favor of their equivalent options inservices.keycloak.settings
.httpPort
andhttpsPort
have additionally had their types changed fromstr
toport
.The new names are as follows:
bindAddress
:services.keycloak.settings.http-host
forceBackendUrlToFrontendUrl
:services.keycloak.settings.hostname-strict-backchannel
httpPort
:services.keycloak.settings.http-port
httpsPort
:services.keycloak.settings.https-port
For example, when using a reverse proxy the migration could look like this:
Before:
{ services.keycloak = { enable = true; httpPort = "8080"; frontendUrl = "https://keycloak.example.com/auth"; database.passwordFile = "/run/keys/db_password"; extraConfig = { "subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true; }; }; }
After:
{ services.keycloak = { enable = true; settings = { http-port = 8080; hostname = "keycloak.example.com"; http-relative-path = "/auth"; proxy = "edge"; }; database.passwordFile = "/run/keys/db_password"; }; }
-
-
The MoinMoin wiki engine (
services.moinmoin
) has been removed, because Python 2 is being retired from nixpkgs. -
Services in the
hadoop
module previously setopenFirewall
to true by default. This has now been changed to false. Node definitions for multi-node clusters would needopenFirewall = true;
to be added to to hadoop services when upgrading from NixOS 21.11. -
services.hadoop.yarn.nodemanager
now uses cgroup-based CPU limit enforcement by default. Additionally, the optionuseCGroups
was added to nodemanagers as an easy way to switch back to the old behavior. -
The
wafHook
hook now honorsNIX_BUILD_CORES
whenenableParallelBuilding
is not set explicitly. Packages can restore the old behaviour by settingenableParallelBuilding=false
. -
pkgs.claws-mail-gtk2
, representing Claws Mail's older release version three, was removed in order to get rid of Python 2. Please switch toclaws-mail
, which is Claws Mail's latest release based on GTK+3 and Python 3. -
The
writers.writePython2
and correspondingwriters.writePython2Bin
convenience functions to create executable Python 2 scripts in the store were removed in preparation of removal of the Python 2 interpreter. Scripts have to be converted to Python 3 for use withwriters.writePython3
orwriters.writePyPy2
needs to be used. -
buildGoModule
was updated to usego_1_17
, third party derivations that specify >= go 1.17 in the maingo.mod
will need to regenerate theirvendorSha256
hash. -
The
gnome-passwordsafe
package updated to version 6.x and renamed tognome-secrets
. -
services.gnome.experimental-features.realtime-scheduling
option has been removed, as GNOME Shell now uses rtkit. Usesecurity.rtkit.enable = true;
instead. As before, you will need to have it enabled using GSettings. -
services.telepathy
will no longer be enabled by default for GNOME desktops, one should enable it in their configs if using Empathy or Polari. -
If you previously used
/etc/docker/daemon.json
, you need to incorporate the changes into the new optionvirtualisation.docker.daemon.settings
. -
Ntopng (
services.ntopng
) is updated to 5.2.1 and uses a separate Redis instance ifsystem.stateVersion
is at least22.05
. Existing setups shouldn't be affected. -
The backward compatibility in
services.wordpress
to configure sites with the old interface has been removed. Please useservices.wordpress.sites
instead. -
The backward compatibility in
services.dokuwiki
to configure sites with the old interface has been removed. Please useservices.dokuwiki.sites
instead. -
opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs
-
services.miniflux.adminCredentialFiles
is now required, instead of defaulting toadmin
andpassword
. -
The
taskserver
module no longer implicitly opens ports in the firewall configuration. This is now controlled through the optionservices.taskserver.openFirewall
. -
The
autorestic
package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check their migration guide for more details. -
teleport
has been upgraded to major version 9. Please see upstream upgrade instructions and release notes. -
For
pkgs.python3.pkgs.ipython
, its direct dependencypkgs.python3.pkgs.matplotlib-inline
(which is really an adapter to integrate matplotlib in ipython if it is installed) does not depend onpkgs.python3.pkgs.matplotlib
anymore. This is closer to a non-Nix install of ipython. This has the added benefit to reduce the closure size ofipython
from ~400MB to ~160MB (including ~100MB for python itself). -
documentation.man
has been refactored to support choosing a man implementation other than GNU'sman-db
. For this,documentation.man.manualPages
has been renamed todocumentation.man.man-db.manualPages
. If you want to use the new alternative man implementationmandoc
, adddocumentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; }
to your configuration. -
Normal users (with
isNormalUser = true
) which have non-emptysubUidRanges
orsubGidRanges
set no longer have additional implicit ranges allocated. To enable automatic allocation back setautoSubUidGidRange = true
. -
idris2
now requires--package
when using packagescontrib
andnetwork
, while previously these idris2 packages were automatically loaded. -
The iputils package, which is installed by default, no longer provides the legacy tools
tftpd
andtraceroute6
. More tools (ninfod
,rarpd
, andrdisc
) are going to be removed in the next release. See upstream's release notes for more details and available replacements. -
services.thelounge.private
was removed in favor ofservices.thelounge.public
, to follow with upstream changes. -
pkgs.docbookrx
was removed since it's unmaintained -
pkgs._7zz
is now correctly licensed as LGPL3+ and BSD3 with optional unfree unRAR licensed code -
The
vim.customize
function produced byvimUtils.makeCustomizable
now has a slightly different interface:- The wrapper now includes everything in the given Vim derivation if
name
is"vim"
(the default). This makes thewrapManual
argument obsolete, but this behavior can be overridden by setting thestandalone
argument. - All the executables present in the given derivation (or, in
standalone
mode, only the*vim
ones) are wrapped. This makes thewrapGui
argument obsolete. - The
vimExecutableName
andgvimExecutableName
arguments were replaced by a singleexecutableName
argument in which the shell variable$exe
can be used to refer to the wrapped executable's name.
See the comments in
pkgs/applications/editors/vim/plugins/vim-utils.nix
for more details.vimUtils.vimWithRC
was removed. You should instead usecustomize
on a Vim derivation, which now acceptsvimrcFile
andgvimrcFile
arguments. - The wrapper now includes everything in the given Vim derivation if
-
tilp2
was removed together with its module -
The F-PROT antivirus (
fprot
package) and its service module were removed because it reached end-of-life. -
bird1
and its modulesservices.bird
as well asservices.bird6
have been removed. Upgrade toservices.bird2
. -
The options
networking.interfaces.<name>.ipv4.routes
andnetworking.interfaces.<name>.ipv6.routes
are no longer ignored when using networkd instead of the default scripted network backend by settingnetworking.useNetworkd
totrue
. -
The
miller
package has been upgraded from 5.10.3 to 6.2.0. See What's new in Miller 6. -
MultiMC has been replaced with the fork PrismLauncher due to upstream developers being hostile to 3rd party package maintainers. PrismLauncher removes all MultiMC branding and is aimed at providing proper 3rd party packages like the one contained in Nixpkgs. This change affects the data folder where game instances and other save and configuration files are stored. Users with existing installations should rename
~/.local/share/multimc
to~/.local/share/PrismLauncher
. The main config file's path has also moved from~/.local/share/multimc/multimc.cfg
to~/.local/share/PrismLauncher/prismlauncher.cfg
. -
systemd-nspawn@.service
settings have been reverted to the default systemd behaviour. User namespaces are now activated by default. If you want to keep running nspawn containers without user namespaces you need to setsystemd.nspawn.<name>.execConfig.PrivateUsers = false
-
systemd-shutdown
is now properly linked on shutdown to unmount all filesystems and device mapper devices cleanly. This can be disabled usingsystemd.shutdownRamfs.enable
. -
The Tor SOCKS proxy is now actually disabled if
services.tor.client.enable
is set tofalse
(the default). If you are using this functionality but didn't change the setting or set it tofalse
, you now need to set it totrue
. -
services.github-runner
has been hardened. Notably address families and system calls have been restricted, which may adversely affect some kinds of testing, e.g. usingAF_BLUETOOTH
to test bluetooth devices. -
The terraform 0.12 compatibility has been removed and the
terraform.withPlugins
andterraform-providers.mkProvider
implementations simplified. Providers now need to be stored under$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>
(which mkProvider does).This breaks back-compat so it's not possible to mix-and-match with previous versions of nixpkgs. In exchange, it now becomes possible to use the providers from nixpkgs-terraform-providers-bin directly.
-
The
dendrite
package has been upgraded from 0.5.1 to 0.6.5. Instances configured with split sqlite databases, which has been the default in NixOS, require merging of the federation sender and signing key databases. See upstream release notes on version 0.6.0 for details on database changes. -
The existing
pkgs.opentelemetry-collector
has been moved topkgs.opentelemetry-collector-contrib
to match the actual source being the "contrib" edition.pkgs.opentelemetry-collector
is now the actual core release of opentelemetry-collector. If you use the community contributions you should change the package you refer to. If you don't need them update your commands fromotelcontribcol
tootelcorecol
and enjoy a 7x smaller binary. -
services.zookeeper
has a new optionjre
for specifying the JRE to start zookeeper with. It defaults to the JRE thatpkgs.zookeeper
was wrapped with, instead ofpkgs.jre
. This changes the JRE topkgs.jdk11_headless
by default. -
pkgs.pgadmin
now refers topkgs.pgadmin4
.pgadmin3
has been removed. -
pkgs.minetestclient_4
andpkgs.minetestserver_4
have been removed, as the last 4.x release was in 2018.pkgs.minetestclient
(equivalent topkgs.minetest
) andpkgs.minetestserver
can be used instead. -
pkgs.noto-fonts-cjk
is now deprecated in favor ofpkgs.noto-fonts-cjk-sans
andpkgs.noto-fonts-cjk-serif
because they each have different release schedules. To maintain compatibility with prior releases of Nixpkgs,pkgs.noto-fonts-cjk
is currently an alias ofpkgs.noto-fonts-cjk-sans
and doesn't include serif fonts. -
pkgs.epgstation
has been upgraded from v1 to v2, resulting in incompatible changes in the database scheme and configuration format. -
Some top-level settings under services.epgstation is now deprecated because it was redundant due to the same options being present in services.epgstation.settings.
-
The option
services.epgstation.basicAuth
was removed because basic authentication support was dropped by upstream. -
The option services.epgstation.database.passwordFile no longer has a default value. Make sure to set this option explicitly before upgrading. Change the database password if necessary.
-
The services.epgstation.settings option now expects options for
config.yml
in EPGStation v2. -
Existing data for the services.epgstation module would have to be backed up prior to the upgrade. To back up existing data to
/tmp/epgstation.bak
, runsudo -u epgstation epgstation run backup /tmp/epgstation.bak
. To import that data after to the upgrade, runsudo -u epgstation epgstation run v1migrate /tmp/epgstation.bak
-
switch-to-configuration
(the script that is run when runningnixos-rebuild switch
for example) has been reworked- The interface that allows activation scripts to restart units has been streamlined. Restarting and reloading is now done by a single file
/run/nixos/activation-restart-list
that honorsrestartIfChanged
andreloadIfChanged
of the units.- Preferring to reload instead of restarting can still be achieved using
/run/nixos/activation-reload-list
.
- Preferring to reload instead of restarting can still be achieved using
- The script now uses a proper ini-file parser to parse systemd units. Some values are now only searched in one section instead of in the entire unit. This is only relevant for units that don't use the NixOS systemd moule.
RefuseManualStop
,X-OnlyManualStart
,X-StopOnRemoval
,X-StopOnReconfiguration
are only searched in the[Unit]
sectionX-ReloadIfChanged
,X-RestartIfChanged
,X-StopIfChanged
are only searched in the[Service]
section
- The interface that allows activation scripts to restart units has been streamlined. Restarting and reloading is now done by a single file
-
The
services.bookstack.cacheDir
option has been removed, since the cache directory is now handled by systemd. -
The
services.bookstack.extraConfig
option has been replaced byservices.bookstack.config
which implements a settings-style configuration. -
lib.assertMsg
andlib.assertOneOf
no longer returnfalse
if the passed condition isfalse
,throw
ing the given error message instead (which makes the resulting error message less cluttered). This will not impact the behaviour of code using these functions as intended, namely as top-level wrapper forassert
conditions. -
The
vpnc
package has been changed to use GnuTLS instead of OpenSSL by default for licensing reasons. -
The default version of
nextcloud
is nextcloud24. Please note that it's not possible to upgradenextcloud
across multiple major versions! This means it's e.g. not possible to upgrade fromnextcloud22
tonextcloud24
in a single deploy and most21.11
users will have to upgrade tonextcloud23
first. -
pkgs.vimPlugins.onedark-nvim
now refers to navarasu/onedark.nvim (formerly refers to olimorris/onedarkpro.nvim). -
services.pipewire.enable
will default to enabling the WirePlumber session manager instead of pipewire-media-session. pipewire-media-session is deprecated by upstream and not recommended, but can still be manually enabled by settingservices.pipewire.media-session.enable
totrue
andservices.pipewire.wireplumber.enable
tofalse
. -
pkgs.makeDesktopItem
has been refactored to provide a more idiomatic API. Specifically:- All valid options as of FDO Desktop Entry specification version 1.4 can now be passed in as explicit arguments
exec
can now be null, for entries that are not of type ApplicationmimeType
argument is renamed tomimeTypes
for consistencymimeTypes
,categories
,implements
,keywords
,onlyShowIn
andnotShowIn
take lists of strings instead of one string with semicolon separatorsextraDesktopEntries
renamed toextraConfig
for consistency- Actions should now be provided as an attrset
actions
, theActions
line will be autogenerated. extraEntries
is removed.- Additional validation is added both at eval time and at build time.
See the
vscode
package for a more detailed example. -
Existing
resholve*
functions have been renamed and nested underpkgs.resholve
. Update uses to:resholvePackage
->resholve.mkDerivation
resholveScript
->resholve.writeScript
resholveScriptBin
->resholve.writeScriptBin
-
pkgs.cosmopolitan
no longer provides thecosmoc
command. It has been moved topkgs.cosmoc
. -
pkgs.graalvmXX-ce
packages no longer provide support for Python/Ruby/WASM, instead focusing only in Java and Native Image Support. If you need to add support back, please see thepkgs.graalvmCEPackages.mkGraal
function to create your own customized version of GraalVM with support for what you need.
Other Notable Changes
-
The option services.redis.servers was added to support per-application
redis-server
which is more secure since Redis databases are only mere key prefixes without any configuration or ACL of their own. Backward-compatibility is preserved by mapping oldservices.redis.settings
toservices.redis.servers."".settings
, but you are strongly encouraged to name eachredis-server
instance after the application using it, instead of keeping that nameless one. Except for the namelessservices.redis.servers.""
still accessible at127.0.0.1:6379
, and to the members of the Unix groupredis
through the Unix socket/run/redis/redis.sock
, all otherservices.redis.servers.${serverName}
are only accessible by default to the members of the Unix groupredis-${serverName}
through the Unix socket/run/redis-${serverName}/redis.sock
. -
The option virtualisation.vmVariant was added to allow users to make changes to the
nixos-rebuild build-vm
configuration that do not apply to their normal system.The
config.system.build.vm
attribute now always exists and defaults to the value fromvmVariant
. Configurations that import thevirtualisation/qemu-vm.nix
module themselves will override this value, such thatvmVariant
is not used.Similarly virtualisation.vmVariantWithBootloader was added.
-
The configuration portion of the
nix-daemon
module has been reworked and exposed as nix.settings:- Legacy options have been mapped to the corresponding options under under nix.settings and will be deprecated when NixOS 21.11 reaches end of life.
- nix.buildMachines.publicHostKey has been added.
-
kops
defaults to 1.23.2, which will enable Instance Metadata Service Version 2 and require tokens on new clusters with Kubernetes >= 1.22. This will increase security by default, but may break some types of workloads. The default behaviour forspec.kubeDNS.nodeLocalDNS.forwardToKubeDNS
has changed fromtrue
tofalse
. Cilium now hasdisable-cnp-status-updates: true
by default. Set this to false if you rely on the CiliumNetworkPolicy status fields. Support for Kubernetes 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been removed. See the 1.22 release notes and 1.23 release notes for more details, including other significant changes. -
Mattermost has been upgraded to extended support version 6.3 as the previously packaged extended support version 5.37 is reaching end of life. Migration may take some time, see the changelog and important upgrade notes.
-
The
writers.writePyPy2
/writers.writePyPy3
and correspondingwriters.writePyPy2Bin
/writers.writePyPy3Bin
convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added. -
Some improvements have been made to the
hadoop
module:- A
gatewayRole
option has been added, for deploying hadoop cluster configuration files to a node that does not have any active services - Support for older versions of hadoop have been added to the module
- Overriding and extending site XML files has been made easier
- A
-
The auto-upgrade service now accepts persistent (default: true) parameter. By default auto-upgrade will now run immediately if it would have been triggered at least once during the time when the timer was inactive.
-
Mastodon now uses
services.redis.servers
to start a new redis server, instead of using a global redis server. This improves compatibility with other services that use redis.Note that this will recreate the redis database, although according to the Mastodon docs, this is almost harmless:
Losing the Redis database is almost harmless: The only irrecoverable data will be the contents of the Sidekiq queues and scheduled retries of previously failed jobs. The home and list feeds are stored in Redis, but can be regenerated with tootctl.
If you do want to save the redis database, you can use the following commands:
redis-cli save cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb"
-
Peertube now uses services.redis.servers to start a new redis server, instead of using a global redis server. This improves compatibility with other services that use redis.
Redis database is used for storage only cache and job queue. More information can be found here - Peertube architecture.
If you do want to save the redis database, you can use the following commands before upgrade OS:
redis-cli save sudo mkdir /var/lib/redis-peertube sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
-
Added the
keter
NixOS module. Keter reverse proxies requests to your loaded application based on virtual hostnames. -
If you are using Wayland you can choose to use the Ozone Wayland support in Chrome and several Electron apps by setting the environment variable
NIXOS_OZONE_WL=1
(for example viaenvironment.sessionVariables.NIXOS_OZONE_WL = "1"
). This is not enabled by default because Ozone Wayland is still under heavy development and behavior is not always flawless. Furthermore, not all Electron apps use the latest Electron versions. -
A new option group
systemd.network.wait-online
was added, with options to configuresystemd-networkd-wait-online.service
:anyInterface
allows specifying that the network should be considered online when at least one interface is online (useful on laptops)timeout
defines how long to wait for the network to come onlineextraArgs
for everything else
-
The
influxdb2
package was split intoinfluxdb2-server
andinfluxdb2-cli
, matching the split that took place upstream. A combinedinfluxdb2
package is still provided in this release for backwards compatibility, but will be removed at a later date. -
The
unifi
package was switched fromunifi6
tounifi7
. Direct downgrades from Unifi 7 to Unifi 6 are not possible and require restoring from a backup made by Unifi 6. -
programs.zsh.autosuggestions.strategy
now takes a list of strings instead of a string. -
The
asterisk
andasterisk-stable
packages were switched fromasterisk_18
to the newly-packagedasterisk_19
. Asterisk 13 and 17 have been removed as they have reached their end of life. -
The
services.unifi.openPorts
option default value oftrue
is now deprecated and will be changed tofalse
in 22.11. Configurations using this default will print a warning when rebuilt. -
The
services.unifi-video.openPorts
option default value oftrue
is now deprecated and will be changed tofalse
in 22.11. Configurations using this default will print a warning when rebuilt. -
security.acme
certificates will now correctly check for CA revocation before reaching their minimum age. -
Removing domains from
security.acme.certs._name_.extraDomainNames
will now correctly remove those domains during rebuild/renew. -
MariaDB is now offered in several versions, not just the newest one. So if you have a need for running MariaDB 10.4 for example, you can now just set
services.mysql.package = pkgs.mariadb_104;
. In general, it is recommended to run the newest version, to get the newest features, while sticking with an LTS version will most likely provide a more stable experience. Sometimes software is also incompatible with the newest version of MariaDB. -
The option programs.ssh.enableAskPassword was added, decoupling the setting of
SSH_ASKPASS
fromservices.xserver.enable
. This allows easy usage in non-X11 environments, e.g. Wayland. -
programs.ssh.knownHosts has gained an
extraHostNames
option to augmenthostNames
. It is now possible to use the attribute name of aknownHosts
entry as the primary host name and specify secondary host names usingextraHostNames
without having to duplicate the primary host name. -
The
services.stubby
module was converted to a settings-style configuration. -
The option services.xserver.desktopManager.runXdgAutostartIfNone was added in order to automatically run XDG autostart files for sessions without a desktop manager. This replaces helpers like the
dex
package. -
When setting i18n.inputMethod.enabled to
fcitx5
, it no longer creates corresponding systemd user services. It now relies on XDG autostart files to start and work properly in your desktop sessions. If you are using only a window manager without a desktop manager, you need to enableservices.xserver.desktopManager.runXdgAutostartIfNone
or using thedex
package to makefcitx5
work. -
The option
services.duplicati.dataDir
has been added to allow changing the location of duplicati's files. -
The options
boot.extraModprobeConfig
andboot.blacklistedKernelModules
now also take effect in the initrd by copying the file/etc/modprobe.d/nixos.conf
into the initrd. -
nixos-generate-config
now puts the dhcp configuration inhardware-configuration.nix
instead ofconfiguration.nix
. -
ORY Kratos was updated to version 0.9.0-alpha.3, which introduces some breaking changes:
- All endpoints at the Admin API are now exposed at
/admin/
. For example, endpointhttps://kratos:4434/identities
is now exposed athttps://kratos:4434/admin/identities
- Configuration key
selfservice.whitelisted_return_urls
has been renamed toallowed_return_urls
- The
password_identifier
form field of the password login strategy has been renamed toidentifier
to make compatibility with passwordless flows possible. - Instead of having a global
default_schema_url
which developers used to update their schema, you now need to define thedefault_schema_id
which must reference schema ID in your config. - Calling
/self-service/recovery
without flow ID or with an invalid flow ID while authenticated will now respond with an error instead of redirecting to the default page. - If you are relying on the SQLite images, update your Docker Pull commands as follows:
docker pull oryd/kratos:{version}
- Additionally, all passwords now have to be at least 8 characters long.
- For more details, see:
- All endpoints at the Admin API are now exposed at
-
fetchFromSourcehut
now allows fetching repositories recursively usingfetchgit
orfetchhg
if the argumentfetchSubmodules
is set totrue
. -
A module for declarative configuration of openconnect VPN profiles was added under
networking.openconnect
. -
The
element-desktop
package now has anuseKeytar
option (defaults totrue
), which allows disablingkeytar
and in turnlibsecret
usage (which binds to native credential managers / keychain libraries). -
The option
services.thelounge.plugins
has been added to allow installing plugins for The Lounge. Plugins can be found inpkgs.theLoungePlugins.plugins
andpkgs.theLoungePlugins.themes
. -
The option
services.xserver.videoDriver = [ "nvidia" ];
will now also install nvidia VA-API drivers by default. -
The
firmwareLinuxNonfree
package has been renamed tolinux-firmware
. -
It is now possible to specify wordlists to include as handy to access environment variables using the
config.environment.wordlist
configuration options. -
The
services.mbpfan
module was converted to a RFC 0042 configuration. -
The default value for
programs.spacefm.settings.graphical_su
got unset. It previously pointed togksu
which has been removed. -
The Dino XMPP client was updated to 0.3, adding support for audio and video calls.
-
services.mattermost.plugins
has been added to allow the declarative installation of Mattermost plugins. Plugins are automatically repackaged using autoPatchelf. -
services.logrotate.enable now defaults to true if any rotate path has been defined, and some paths have been added by default.
-
The logrotate module also has been updated to freeform syntax:
services.logrotate.paths
andservices.logrotate.extraConfig
will work, but issue deprecation warnings and services.logrotate.settings should now be used instead. -
security.pam.ussh
has been added, which allows authorizing PAM sessions based on SSH certificates held within an SSH agent, using pam-ussh. -
The
vscode-extensions.ionide.ionide-fsharp
package has been updated to 6.0.0 and now requires .NET 6.0. -
The
phpPackages.box
package has been updated from 2.7.5 to 3.16.0. See the upgrade guide for more details. -
The
zrepl
package has been updated from 0.4.0 to 0.5:- The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume.
- A bug involving encrypt-on-receive has been fixed. Read the zrepl documentation and check the output of
zfs get -r encryption,zrepl:placeholder PATH_TO_ROOTFS
on the receiver.
-
The
polybar
package has been updated from 3.5.7 to 3.6.2. See the changelog for more details.- Breaking changes include changes to escaping rules in configuration values, changes in behavior when encountering invalid tag names, and changes to inter-process-messaging (IPC).
-
Renamed option
services.openssh.challengeResponseAuthentication
toservices.openssh.kbdInteractiveAuthentication
. Reason is that the old name has been deprecated upstream. Using the old option name will still work, but produce a warning. -
services.autorandr
now allows for adding hooks and profiles declaratively. -
The
pomerium-cli
command has been moved out of thepomerium
package into thepomerium-cli
package, following upstream's repository split. If you are using thepomerium-cli
command, you should now install thepomerium-cli
package. -
The option
services.networking.networkmanager.enableFccUnlock
was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer automatically performs the FCC unlock procedure by default. See the docs for more details. -
programs.tmux
has a new optionplugins
that accepts a list of packages from thetmuxPlugins
group. The specified packages are added to the system and loaded bytmux
. -
The polkit service, available at
security.polkit.enable
, is now disabled by default. It will automatically be enabled through services and desktop environments as needed. -
mercury
was updated to 22.01.1, which has some breaking changes (Mercury 22.01 news). -
xfsprogs was update to version 5.15, which enables inobtcount and bigtime by default on filesystem creation. Support for these features was added in kernel 5.10 and deemed stable in kernel 5.15. If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than 5.10, you need to format them with
mkfs.xfs -m bigtime=0 -m inobtcount=0
. -
services.xserver.desktopManager.xfce
now includes Xfce's screen locker,xfce4-screensaver
that is enabled by default. You can disable it by settingfalse
to services.xserver.desktopManager.xfce.enableScreensaver. -
The
hadoop
package has added support foraarch64-linux
andaarch64-darwin
as of 3.3.1 (#158613). -
The
R
package now builds again onaarch64-darwin
(#158992). -
The
nss
package was split intonss_esr
andnss_latest
, withnss
being an alias fornss_esr
. This was done to ease maintenance ofnss
and dependent high-profile packages likefirefox
. -
The default
scribus
version is now 1.5, while version 1.4 is still available asscribus_1_4
(#172700). -
The Nextcloud module now supports to create a Mysql database automatically with
services.nextcloud.database.createLocally
enabled. -
The Nextcloud module now allows setting the value of the
max-age
directive of theStrict-Transport-Security
HTTP header, which is now controlled by theservices.nextcloud.https
option, rather thanservices.nginx.recommendedHttpHeaders
. -
The
spark3
package has been updated from 3.1.2 to 3.2.1 (#160075): -
The option
services.snapserver.openFirewall
will no longer default totrue
starting with NixOS 22.11. Enable it explicitly if you need to control Snapserver remotely or connect streamig clients from other hosts. -
The option networking.useDHCP isn't deprecated anymore. When using
systemd-networkd
, a generic.network
-unit is added which enables DHCP for each interface matchingen*
,eth*
orwl*
with priority 99 (which means that it doesn't have any effect if such an interface is matched by a.network-
unit with a lower priority). In case of scripted networking, no behavior was changed. -
The new
postgresqlTestHook
runs a PostgreSQL server for the duration of package checks. -
zfs
was updated from 2.1.4 to 2.1.5, enabling it to be used with Linux kernel 5.18. -
stdenv.mkDerivation
now supports a self-referencingfinalAttrs:
parameter containing the finalmkDerivation
arguments including overrides.drv.overrideAttrs
now supports two parametersfinalAttrs: previousAttrs:
. This allows packaging configuration to be overridden in a consistent manner by providing an alternative torec {}
syntax.Additionally,
passthru
can now referencefinalAttrs.finalPackage
containing the final package, including attributes such as the output paths andoverrideAttrs
.New language integrations can be simplified by overriding a "prototype" package containing the language-specific logic. This removes the need for a extra layer of overriding for the "generic builder" arguments, thus removing a usability problem and source of error.