nixpkgs/nixos/doc/manual/release-notes/rl-2405.section.md
Jonas Chevalier 5d6d058646
Merge pull request #308090 from mogeko/service-rke2
nixos/rke2: add rke2 service
2024-05-28 09:36:03 +02:00

63 KiB

Release 24.05 (“Uakari”, 2024.05/??)

Support is planned until the end of December 2024, handing over to 24.11.

Highlights

In addition to numerous new and upgraded packages, this release has the following highlights:

  • The default kernel package has been updated from 6.1 to 6.6. All supported kernels remain available.

  • For each supporting version of the Linux kernel, firmware blobs are compressed with zstd. For firmware blobs this means an increase of 4.4% in size, however a significantly higher decompression speed.

  • NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS.

    • This can be disabled through the environment.stub-ld.enable option.
    • If you use programs.nix-ld.enable, no changes are needed. The stub will be disabled automatically.
  • On flake-based NixOS configurations using nixpkgs.lib.nixosSystem, NixOS will automatically set NIX_PATH and the system-wide flake registry (/etc/nix/registry.json) to point <nixpkgs> and the unqualified flake path nixpkgs to the version of nixpkgs used to build the system.

    This makes nix run nixpkgs#hello and nix-build '<nixpkgs>' -A hello work out of the box with no added configuration, reusing dependencies already on the system.

    This may be undesirable if nix commands are not going to be run on the built system since it adds nixpkgs to the system closure. For such closure-size-constrained non-interactive systems, this setting should be disabled.

    To disable this, set nixpkgs.flake.setNixPath and nixpkgs.flake.setFlakeRegistry to false.

  • NixOS AMIs are now uploaded regularly to a new AWS Account. Instructions on how to use them can be found on https://nixos.github.io/amis. We are working on integration the data into the NixOS homepage. The list in nixos/modules/virtualisation/amazon-ec2-amis.nix will stop being updated and will be removed in the future.

  • It is now possible to have a completely perlless system (i.e. a system without perl). Previously, the NixOS activation depended on two perl scripts which can now be replaced via an opt-in mechanism. To make your system perlless, you can use the new perlless profile:

    { modulesPath, ... }: {
      imports = [ "${modulesPath}/profiles/perlless.nix" ];
    }
    
  • Lomiri (formerly known as Unity8) desktop mode, using Mir 2.x to function as a Wayland compositor, is now available and can be installed with services.desktopManager.lomiri.enable = true. Note that some core applications, services and indicators have yet to be packaged, and some functions may remain incomplete, but the base experience should be there.

  • MATE has been updated to 1.28.

    • To properly support panel plugins built with Wayland (in-process) support, we are introducing services.xserver.desktopManager.mate.extraPanelApplets option, please use that for installing panel applets.
    • Similarly, please use services.xserver.desktopManager.mate.extraCajaExtensions option for installing Caja extensions.
    • To use the Wayland session, enable services.xserver.desktopManager.mate.enableWaylandSession. This is opt-in for now as it is in early stage and introduces a new set of Wayfire closure. Due to known issues with LightDM, we suggest using SDDM for display manager.
  • Plasma 6 is now available and can be installed with services.xserver.desktopManager.plasma6.enable = true;. Plasma 5 will likely be deprecated in the next release (24.11). Note that Plasma 6 runs as Wayland by default, and the X11 session needs to be explicitly selected if necessary.

New Services

Backward Incompatibilities

  • akkoma now requires explicitly setting the base URL for uploaded media (settings."Pleroma.Upload".base_url), as well as for the media proxy if enabled (settings."Media"). This is recommended to be a separate (sub)domain to the one Akkoma is hosted at. See here for more details.

  • appimageTools.wrapAppImage now creates the binary at $out/bin/${pname} rather than $out/bin/${pname}-${version}, which will break downstream workarounds.

  • azure-cli now has extension support. For example, to install the aks-preview extension, use

    environment.systemPackages = [
      (azure-cli.withExtensions [ azure-cli.extensions.aks-preview ])
    ];
    

    To make the azure-cli immutable and prevent clashes in case azure-cli is also installed via other package managers, some configuration files were moved into the derivation. This can be disabled by overriding withImmutableConfig = false when building azure-cli.

  • boot.supportedFilesystems and boot.initrd.supportedFilesystems are now attribute sets instead of lists. Assignment from lists as done previously is still supported, but checking whether a filesystem is enabled must now by done using supportedFilesystems.fs or false instead of using lib.elem "fs" supportedFilesystems as was done previously.

  • buildGoModule now throws an error when vendorHash is not specified. vendorSha256, deprecated in Nixpkgs 23.11, is now ignored and is no longer a vendorHash alias.

  • chromium and ungoogled-chromium had a long-standing issue regarding Widevine DRM handling in nixpkgs fixed. chromium now no longer automatically downloads Widevine when encountering DRM protected content. To be able to play DRM protected content in chromium now, you have to explicitly opt-in as originally intended using chromium.override { enableWideVine = true; }. This override was added almost 10 years ago.

  • craftos-pc package has been updated to v2.8, which includes breaking changes.

    • Files are now handled in binary mode; this could break programs with embedded UTF-8 characters.
    • The ROM was updated to match ComputerCraft version v1.109.2.
    • The bundled Lua was updated to Lua v5.2, which includes breaking changes. See the Lua manual for more information.
    • The WebSocket API was rewritten, which introduced breaking changes.
  • cryptsetup has been upgraded from 2.6.1 to 2.7.0. Cryptsetup is a critical component enabling LUKS-based (but not only) full disk encryption. Take the time to review the release notes. One of the highlights is that it is now possible to use hardware OPAL-based encryption of your disk with cryptsetup. It has a lot of caveats, see the above notes for the full details.

  • crystal package has been updated to 1.11.x, which has some breaking changes. Refer to crystal's changelog for more information. (v1.10, v1.11)

  • cudaPackages package scope has been updated to cudaPackages_12.

  • cudaPackages.autoAddOpenGLRunpathHook and cudaPackages.autoAddDriverRunpath have been deprecated for pkgs.autoAddDriverRunpath. Functionality has not changed, but the setuphook has been renamed and moved to the top-level package scope.

  • cudaPackages.cudatoolkit has been deprecated and replaced with a symlink-based wrapper for the splayed redistributable CUDA packages. The wrapper only includes tools and libraries necessary to build common packages such as tensorflow. The original runfile-based cudatoolkit is still available as cudatoolkit-legacy-runfile.

  • cudaPackages.nsight_systems now has most vendored third party-libraries removed, though we now only ship it for cudaPackages_11_8 and later, due to outdated dependencies. Users comfortable with the vendored dependencies may use overrideAttrs to amend the postPatch phase and the meta.broken correspondingly. Alternatively, one could package the deprecated boost170 locally, as required for cudaPackages_11_4.nsight_systems.

  • cudaPackages.autoFixElfFiles has been deprecated for pkgs.autoFixElfFiles. Functionality has not changed, but the setuphook has been renamed and moved to the top-level package scope.

  • davfs2's services.davfs2.extraConfig setting has been deprecated and converted to the free-form type option named services.davfs2.settings according to RFC42.

  • dwarf-fortress has been updated to version 50, and its derivations continue to menace with spikes of Nix and bash [TODO what does this mean?]. Version 50 is identical to the version on Steam, but without the paid elements like tilepacks. dfhack and Dwarf Therapist still work, and older versions are still packaged in case you'd like to roll back. Note that DF 50 saves will not be compatible with DF 0.47 and earlier. See Bay 12 Games for more details on what's new in Dwarf Fortress.

    • Running an earlier version can be achieved through an override: dwarf-fortress-packages.dwarf-fortress-full.override { dfVersion = "0.47.5"; }

    • Ruby plugin support has been disabled in DFHack. Many of the Ruby plugins have been converted to Lua, and support was removed upstream due to frequent crashes.

  • erlang-ls package no longer ships the els_dap binary as of v0.51.0.

  • erlang_node_short_name, erlang_node_name, port and options configuration parameters are gone, and have been replaced with an environment parameter. Use the appropriate environment variables inside environment to configure the service instead.

  • firefox-devedition, firefox-beta, firefox-esr executable file names for now match their package names, which is consistent with the firefox-*-bin packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher.

  • gauge now supports installing plugins using nix. For the old imperative approach, switch to gauge-unwrapped. You can load plugins from an existing gauge manifest file using gauge.fromManifest ./path/to/manifest.json or specify plugins in nix using gauge.withPlugins (p: with p; [ js html-report xml-report ]).

  • gitea has been updated to 1.21, which introduces several breaking changes, including:

    • Custom themes and other assets that were previously stored in custom/public/* now belong in custom/public/assets/*
    • New instances of Gitea using MySQL now ignore the [database].CHARSET config option and always use the utf8mb4 charset, existing instances should migrate via the gitea doctor convert CLI command.
  • git-town was updated from version 11 to 13. See the changelog for breaking changes.

  • gonic has been updated to v0.16.4. Config now requires playlists-path to be set. See the rest of the v0.16.0 release notes for more details.

  • go-ethereum has been updated to v1.14.3. Geth v1.14.0 introduced a brand new live-tracing feature, which required a number of breaking internal API changes. If you had your own native tracers implemented before this change, the changelog contains the necessary steps needed to update your old code for the new APIs. Geth v1.14.0 drops support for running pre-merge networks (#29169). It also stops automatically constructing the pending block (#28623), removes support for filtering pending logs, switched to using Go v1.22 by default (#28946), which means we've dropped support for Go v1.20. See the 1.14.0 release notes for more details.

  • grafana-loki has been updated to 3.0.0, which includes breaking changes.

  • gtest package has been updated past v1.13.0, which requires C++14 or higher.

  • hare may now be cross-compiled. For that to work, however, haredoc needed to stop being built together with it. Thus, the latter is now its own package with the name of haredoc.

  • himalaya has been updated to v1.0.0-beta.4, which introduces breaking changes. Check out the release note for details.

  • halloy has been updated to 2024.5, which introduced a breaking change by switching the config format from YAML to TOML. See https://github.com/squidowl/halloy/releases/tag/2024.5 for details.

  • hvm was updated to version 2.

  • icu no longer includes install-sh and mkinstalldirs in the shared folder.

  • idris2 was updated to v0.7.0. This version introduces breaking changes. Check out the changelog for details.

  • inetutils now has a lower priority to avoid shadowing the commonly used util-linux. If one wishes to restore the default priority, simply use lib.setPrio 5 inetutils or override with meta.priority = 5.

  • jdt-language-server package now uses upstream's provided python wrapper instead of our own custom wrapper. This results in the following breaking and notable changes:

    • The main binary for the package is now named jdtls instead of jdt-language-server, equivalent to what most editors expect the binary to be named.

    • JVM arguments should now be provided with the --jvm-arg flag instead of setting JAVA_OPTS.

    • The -data path is no longer required to run the package, and will be set to point to a folder in $TMP if missing.

  • julia environments can now be built with arbitrary packages from the ecosystem using the .withPackages function. For example: julia.withPackages ["Plots"].

  • k3s has been updated to version v1.30, previous supported versions are available under release specific names (e.g. k3s_1_27, k3s_1_28, and k3s_1_29) and present to help you migrate to the latest supported version. See changelog and upgrade notes for more information.

  • k9s was updated to v0.31. There have been various breaking changes in the config file format, check out the changelog of v0.29, v0.30 and v0.31 for details. It is recommended to back up your current configuration and let k9s recreate the new base configuration.

  • kanata package has been updated to v1.6.1, which includes breaking changes. Check out the changelog of v1.5.0 and v1.6.0 for details.

  • linuxPackages_testing_bcachefs is now fully deprecated by linuxPackages_latest, and is therefore no longer available.

  • livebook package is now built as a mix release instead of an escript. This means that configuration now has to be done using environment variables instead of command line arguments. This has the further implication that the livebook service configuration has changed.

  • lua interpreters default LUA_PATH and LUA_CPATH are not overriden by nixpkgs anymore, we patch LUA_ROOT instead which is more respectful to upstream.

  • luarocks-packages-updater's .csv format used to define lua packages to be updated, has changed: src (URL of a git repository) has now become rockspec (URL of a rockspec) to remove ambiguity regarding which rockspec to use and simplify implementation.

  • mkosi was updated to v22. Parts of the user interface have changed. Consult the release notes of v19, v20, v21 and v22 for a list of changes.

  • mongodb-4_4 has been removed as it has reached end of life. Consequently, unifi7 and unifi8 now use MongoDB 5.0 by default.

  • mongodb-5_0 and newer requires a cpu with the avx instruction set to run.

  • neo4j has been updated to version 5. You may want to read the release notes for Neo4j 5.

  • netbox was updated to v3.7. services.netbox.package still defaults to v3.6 if stateVersion is earlier than 24.05. Refer to upstream's breaking changes for v3.7.0 and upgrade NetBox by changing services.netbox.package. Database migrations will be run automatically.

  • network-interfaces.target system target was removed as it has been deprecated for a long time. Use network.target instead.

  • networking.iproute2.enable now does not set environment.etc."iproute2/rt_tables".text.

    Setting environment.etc."iproute2/{CONFIG_FILE_NAME}".text will override the whole configuration file instead of appending it to the upstream configuration file.

    CONFIG_FILE_NAME includes bpf_pinning, ematch_map, group, nl_protos, rt_dsfield, rt_protos, rt_realms, rt_scopes, and rt_tables.

  • nextcloud26 has been removed since it's not maintained anymore by upstream. The latest available version of Nextcloud is now v29 (available as pkgs.nextcloud29). The installation logic is as follows:

    • If services.nextcloud.package is specified explicitly, this package will be installed (recommended)
    • If system.stateVersion is >=24.05, pkgs.nextcloud29 will be installed by default.
    • If system.stateVersion is >=23.11, pkgs.nextcloud27 will be installed by default.
    • Please note that an upgrade from v27 (or older) to v29 directly is not possible. Please upgrade to nextcloud28 (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring services.nextcloud.package = pkgs.nextcloud28;.
    • Known warnings after the upgrade are documented in from now on.
    • The "Photos" app only displays Media from inside the Photos directory. This can be changed manually in the "Photos" tab below "Photos settings".
  • nitter requires a guest_accounts.jsonl to be provided as a path or loaded into the default location at /var/lib/nitter/guest_accounts.jsonl. See Guest Account Branch Deployment for details.

  • nixVersions.unstable was removed. Instead the following attributes are provided:

    • nixVersions.git which tracks the latest Nix master and is roughly updated once a week. This is intended to enable people to easily test unreleased changes of Nix to catch regressions earlier.
    • nixVersions.latest which points to the latest Nix version packaged in nixpkgs.
  • nomad has been updated - note that HashiCorp recommends updating one minor version at a time. Please check their upgrade guide for information on safely updating clusters and potential breaking changes.

    • nomad is now Nomad 1.7.x.

    • nomad_1_4 has been removed, as it is now unsupported upstream.

  • nvtop family of packages was reorganized into a nested attrset. nvtop has been renamed to nvtopPackages.full, and all nvtop-{amd,nvidia,intel,msm} packages are renamed to nvtopPackages.{amd,nvidia,intel,msm}.

  • openssh, openssh_hpn and openssh_gssapi are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading to another signature algorithm. However, for the time being it is possible to restore DSA key support using override to set dsaKeysSupport = true.

  • optparse-bash is now dropped due to upstream inactivity. Alternatives available in Nixpkgs include argc, argbash, bashly and gum, to name a few.

  • paperless' services.paperless.extraConfig setting has been removed and converted to the free-form type and option named services.paperless.settings.

  • pdns was updated to version v4.9.x, which introduces breaking changes. Check out the Upgrade Notes for details.

  • percona-server now follows the same two-fold release cycle as Oracle MySQL and provides a Long-Term-Support (LTS) in parallel with a continuous-delivery Innovation release. percona-server defaults to percona-server_lts, will be backed by the same release branch throughout the lifetime of this stable NixOS release, and is still available under the versioned attribute percona-server_8_0. The percona-server_innovation releases however have support periods shorter than the lifetime of this NixOS release and will continuously be updated to newer Percona releases. Note that Oracle considers the Innovation releases to be production-grade, but each release might include backwards-incompatible changes, even in its on-disk format. The same release scheme is applied to the supporting percona-xtrabackup tool as well.

  • pipewire and wireplumber modules have removed support for using environment.etc."pipewire/..." and environment.etc."wireplumber/...". Use services.pipewire.extraConfig or services.pipewire.configPackages for PipeWire and services.pipewire.wireplumber.configPackages for WirePlumber instead."

  • power.ups now generates upsd.conf, upsd.users and upsmon.conf automatically from a set of new configuration options. This breaks compatibility with existing power.ups setups where these files were created manually. Back up these files before upgrading NixOS.

  • programs.nix-ld.libraries no longer sets baseLibraries via the option's default but in config and now merges any additional libraries with the default ones. This means that lib.mkForce must be used to clear the list of default libraries.

  • screen's module has been cleaned, and will now require you to set programs.screen.enable in order to populate screenrc and add the program to the environment.

  • security.pam.enableSSHAgentAuth now requires services.openssh.authorizedKeysFiles to be non-empty, which is the case when services.openssh.enable is true. Previously, pam_ssh_agent_auth silently failed to work.

  • security.pam.enableSSHAgentAuth was replaced by the sshAgentAuth attrset, and only authorized_keys files listed in sshAgentAuth.authorizedKeysFiles are trusted, defaulting to /etc/ssh/authorized_keys.d/%u. ::: {.warning} Users of {manpage}pam_ssh_agent_auth(8) must take care that the pubkeys they use (for instance with sudo) are listed in sshAgentAuth.authorizedKeysFiles. ::: ::: {.note} Previously, all services.openssh.authorizedKeysFiles were trusted, including ~/.ssh/authorized_keys, which results in an insecure configuration; see #31611. :::

  • services.archisteamfarm no longer uses the abbreviation asf for its state directory (/var/lib/asf), user and group (both asf). Instead the long name archisteamfarm is used. Configurations with system.stateVersion 23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory.

  • frr was updated to 10.0, which introduces the default of enforce-first-as for BGP. Please disable again if needed.

  • services.aria2.rpcSecret has been replaced with services.aria2.rpcSecretFile. This was done so that secrets aren't stored in the world-readable nix store. To migrate, you will have to create a file with the same exact string, and change your module options to point to that file. For example, services.aria2.rpcSecret = "mysecret" becomes services.aria2.rpcSecretFile = "/path/to/secret_file" where the file secret_file contains the string mysecret.

  • services.avahi.nssmdns was split into services.avahi.nssmdns4 and services.avahi.nssmdns6 which enable the mDNS NSS switches for IPv4 and IPv6 respectively. Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts.

  • services.frp.settings now generates the frp configuration file in TOML format as recommended by upstream, instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options:

    • The settings.common section in the configuration is no longer valid and all the options form inside it now go directly under settings.
    • Configuration option names have been changed from snake_case to camelCase. For example: server_addr becomes serverAddr, server_port becomes serverPort etc.
    • Proxies are now defined with a new option settings.proxies which takes a list of proxies.
    • Consult the upstream documentation for more details on the changes.
  • services.hledger-web.capabilities options has been replaced by a new option services.hledger-web.allow.

    • allow = "view" means capabilities = { view = true; };
    • allow = "add" means capabilities = { view = true; add = true; };
    • allow = "edit" means capabilities = { view = true; add = true; edit = true };
    • allow = "sandstorm" reads permissions from the X-Sandstorm-Permissions request header.
  • services.homepage-dashboard now takes its configuration using native Nix expressions, rather than dumping templated configurations into /var/lib/homepage-dashboard where they were previously managed manually. There are now new options which allow the configuration of bookmarks, services, widgets and custom CSS/JS natively in Nix.

  • services.invidious.settings.db.user, the default database username has changed from kemal to invidious. Setups involving an externally-provisioned database (i.e. services.invidious.database.createLocally == false) should adjust their configuration accordingly. The old kemal user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857).

  • services.oauth2_proxy was renamed to services.oauth2-proxy. Also the corresponding service, user and group were renamed.

  • services.smokeping now has an option webService. When enabled, smokeping is now served via nginx instead of thttpd. This change brings the following consequences:

    • The default port for smokeping is now the nginx default port 80 instead of 8081.
    • The option services.smokeping.port has been removed. To customize the port, use services.nginx.virtualHosts.smokeping.listen.*.port.
  • services.neo4j.allowUpgrade was removed and no longer has any effect. Neo4j 5 supports automatic rolling upgrades.

  • services.nextcloud has the following options moved into services.nextcloud.settings and renamed to match the name from Nextcloud's config.php:

  • services.nginx will no longer advertise HTTP/3 availability automatically. This must now be manually added, preferably to each location block. Example:

    {
      locations."/".extraConfig = ''
        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
      '';
      locations."^~ /assets/".extraConfig = ''
        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
      '';
    }
    
  • services.pgbouncer now has systemd support enabled and will log to journald. The default setting for services.pgbouncer.logFile is now null to disable logging to a separate log file.

  • services.postgresql.ensureUsers._.ensurePermissions has been removed as it is not declarative and is broken with newer postgresql versions. Consider using instead or a tool that is more suited for managing the data inside a postgresql database.

  • services.redis.vmOverCommit now defaults to true and no longer enforces Transparent Hugepages (THP) to be disabled. Redis only works with THP configured to madvise which is the kernel's default.

  • services.resolved.fallbackDns

    • can now be used to disable the upstream fallback servers entirely by setting it to []
    • to get previous behaviour of upstream defaults, set it to null
    • default value has changed from [] to null, in order to preserve default behaviour

can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead.

  • services.vikunja systemd service now uses vikunja as dynamic user instead of vikunja-api. Database users might need to be changed.

  • services.vikunja.setupNginx setting has been removed. Users now need to set up the webserver configuration on their own with a proxy pass to the vikunja service.

  • services.vmagent module deprecates dataDir, group and user setting in favor of systemd provided CacheDirectory and DynamicUser.

  • services.vmagent.remoteWriteUrl setting has been renamed to services.vmagent.remoteWrite.url and now defaults to null.

  • services.zope2 has been removed, as zope2 is unmaintained and was relying on Python 2.

  • spark2014 has been renamed to gnatprove. A version of gnatprove matching different GNAT versions is available from the different gnatPackages sets.

  • stalwart-mail has been updated to v0.5.3, which includes breaking changes.

  • system.etc.overlay.enable option was added. If enabled, /etc is mounted via an overlayfs instead of being created by a custom perl script.

  • system.forbiddenDependenciesRegex has been renamed to system.forbiddenDependenciesRegexes and now has the type of listOf string instead of string to accept multiple regexes.

  • systemd.oomd module behavior has changed:

    • Raise ManagedOOMMemoryPressureLimit from 50% to 80%. This should make systemd-oomd kill things less often, and fix issues like this. Reference: commit.

    • Remove swap policy. This helps prevent killing processes when user's swap is small.

    • Expand the memory pressure policy to system.slice, user-.slice, and all user owned slices. Reference: commit.

    • systemd.oomd.enableUserServices is renamed to systemd.oomd.enableUserSlices.

  • systemd.sysusers.enable option was added. If enabled, users and groups are created with systemd-sysusers instead of with a custom perl script.

  • teleport has been upgraded from major version 14 to major version 15. Refer to upstream upgrade instructions and release notes for v15.

  • unifiLTS, unifi5 and unifi6 have been removed, as they require MongoDB versions which are end-of-life. All these versions can be upgraded to unifi7 directly.

  • unrar was updated to v7. See changelog for more information.

  • virtualisation.docker.enableNvidia and virtualisation.podman.enableNvidia options are deprecated. hardware.nvidia-container-toolkit.enable should be used instead. This option will expose GPUs on containers with the --device CLI option. This is supported by Docker 25, Podman 3.2.0 and Singularity 4. Any container runtime that supports the CDI specification will take advantage of this feature.

  • virtialisation.incus now defaults to the newly-added incus-lts release (v6.0.x). Users who wish to continue using the non-LTS release will need to set virtualisation.incus.package = pkgs.incus. Stable release users are encouraged to stay on the LTS release as non-LTS releases will by default not be backported.

  • woodpecker-* packages have been updated to v2 which includes breaking changes.

  • wpaperd has been updated to 1.0.1, which has a breaking change: previous version 0.3.0 had 2 different configuration files, one for wpaperd and one for the wallpapers. Remove the former and move the latter (wallpaper.toml) to config.toml.

  • writeReferencesToFile is deprecated in favour of the new trivial build helper writeClosure. The latter accepts a list of paths and has an unambiguous name and cleaner implementation.

  • xfsprogs was updated to version 6.6.0, which enables reverse mapping (rmapbt) and large extent counts (nrext64) by default. Support for these features was added in kernel 4.9 and 5.19 and nrext64 was deemed stable in kernel 6.5. Format your filesystems with mkfs.xfs -i nrext64=0, if they need to be readable by GRUB2 before 2.12 or kernels older than 5.19.

  • xxd has been moved from vim default output to its own output to reduce closure size. The canonical way to reference it across all platforms is unixtools.xxd.

  • youtrack is bumped to 2023.3. The update is not performed automatically, it requires manual interaction. See the YouTrack section in the manual for details.

  • Ada packages (libraries and tools) have been moved into the gnatPackages scope. gnatPackages uses the default GNAT compiler, gnat12Packages and gnat13Packages use the respective matching compiler version.

  • Paths provided as restartTriggers and reloadTriggers for systemd units will now be copied into the nix store to make the behavior consistent. Previously, restartTriggers = [ ./config.txt ], if defined in a flake, would trigger a restart when any part of the flake changed; and if not defined in a flake, would never trigger a restart even if the contents of config.txt changed.

  • A warning has been added for services that are after = [ "network-online.target" ] but do not depend on it (e.g. using wants), because the dependency that multi-user.target has on network-online.target is planned for removal.

  • switch-to-configuration does not directly call systemd-tmpfiles anymore. Instead, the new artificial sysinit-reactivation.target is introduced which allows to restart multiple services that are ordered before sysinit.target and respect the ordering between the services.

  • services.prometheus.exporters.snmp's configuration format changed with release 0.23.0. The module now includes an optional config check, that is enabled by default, to make the change obvious before any deployment. More information about the configuration syntax change is available in the upstream repository.

Other Notable Changes

  • addDriverRunpath has been added to facilitate the deprecation of the old addOpenGLRunpath setuphook. This change is motivated by the evolution of the setuphook to include all hardware acceleration.

  • appimage, appimageTools.wrapAppImage and buildFHSEnvBubblewrap now properly accept pname and version.

  • bacula now allows to configure TLS for encrypted communication.

  • boot.initrd.network.ssh.authorizedKeyFiles is a new option in the initrd ssh daemon module, for adding authorized keys via list of files.

  • boot.kernel.sysctl."net.core.wmem_max" changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as boot.kernel.sysctl."net.core.rmem_max" since 22.11.

  • boot.loader.systemd-boot.xbootldrMountPoint is a new option for setting up a separate XBOOTLDR partition to store boot files. Useful on systems with a small EFI System partition that cannot be easily repartitioned.

  • boot.loader.systemd-boot will now verify that efiSysMountPoint (and xbootldrMountPoint if configured) are mounted partitions.

  • buildDubPackage can now be used to build Programs written in D using the dub build system and package manager. See the D section in the manual for more information.

  • castopod has some migration actions to be taken in case of a S3 setup. Some new features may also need some manual migration actions. See https://code.castopod.org/adaures/castopod/-/releases for more information.

  • cinnamon has been updated to 6.0. Please beware that the Wayland session is still experimental in this release and could potentially affect Xorg sessions. We suggest a reboot when switching between sessions.

  • documentation.man.mandoc now uses MANPATH by defaultwas to set the directories where mandoc will search for manual pages. This enables mandoc to find manual pages in Nix profiles. To set the manual search paths via the mandoc.conf configuration file like before, use documentation.man.mandoc.settings.manpath instead.

  • drbd out-of-tree Linux kernel driver has been added in version 9.2.7. With it the DRBD 9.x features can be used instead of the 8.x features provided by the 8.4.11 in-tree driver.

  • garage has been updated to v1.x.x. Users should read the upstream release notes and follow the documentation when changing over their services.garage.package and performing this manual upgrade.

  • hardware.pulseaudio module now sets permission of pulse user home directory to 755 when running in "systemWide" mode. It fixes issue 114399.

  • kavita has been updated to 0.8.0, requiring a manual forced library scan on all libraries for migration. Refer to upstream's release notes for details.

  • krb5 module has been rewritten and moved to security.krb5, moving all options but security.krb5.enable and security.krb5.package into security.krb5.settings.

  • libass now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with mpv, ffmpeg, etc.

  • libjxl version bumped from 0.8.2 to 0.9.1 dropped support for the butteraugli API. You will no longer be able to set enableButteraugli on libaom.

  • lilypond and denemo are now compiled with Guile 3.0.

  • lxd has been upgraded to v5.21.x, an LTS release. The LTS release is now the only supported LXD release. Users are encouraged to migrate to Incus for better support on NixOS.

  • matrix-synapse homeserver module now supports configuring UNIX domain socket listeners through the path option. The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.

  • mockgen has changed to the go.uber.org/mock fork because the original repository is no longer maintained.

  • mpich now requires withPm to be a list, e.g. "hydra:gforker" becomes [ "hydra" "gforker" ].

  • nextcloud-setup.service no longer changes the group of each file & directory inside /var/lib/nextcloud/{config,data,store-apps} if one of these directories has the wrong owner group. This was part of transitioning the group used for /var/lib/nextcloud, but isn't necessary anymore.

  • oils-for-unix, the oil shell's c++ version is now available. The python version is still available as oil.

  • pkgsExtraHardening, a new top-level package set, was added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features).

  • portunus has been updated to major version 2. This version of Portunus supports strong password hashes, but the legacy hash SHA-256 is also still supported to ensure a smooth migration of existing user accounts. After upgrading, follow the instructions on the upstream release notes to upgrade all user accounts to strong password hashes. Support for weak password hashes will be removed in NixOS 24.11.

  • programs.fish.package now allows you to override the package used in the fish module.

  • qt6.qtmultimedia has changed its default backend to QT_MEDIA_BACKEND=ffmpeg (previously gstreamer on Linux or darwin on macOS). The previous native backends remain available but are now minimally maintained. Refer to upstream documentation for further details about each platform.

  • services.btrbk now automatically selects and provides required compression program depending on the configured stream_compress option. Since this replaces the need for the extraPackages option, this option will be deprecated in future releases.

  • services.github-runner module has been removed. To configure a single GitHub Actions Runner refer to services.github-runners.*. Note that this will trigger a new runner registration.

  • services.networkmanager.extraConfig was renamed to services.networkmanager.settings and changed to use the ini type instead of using a multiline string.

  • services.nextcloud.config.dbport option of the Nextcloud module was removed to match upstream. The port can be specified in services.nextcloud.config.dbhost.

  • services.kavita now uses the free-form option services.kavita.settings for the application settings file. The options services.kavita.ipAdresses and services.kavita.port now exist at services.kavita.settings.IpAddresses and services.kavita.settings.IpAddresses. The file at services.kavita.tokenKeyFile now needs to contain a secret with 512+ bits instead of 128+ bits.

  • services.netbird now allows running multiple tunnels in parallel through services.netbird.tunnels.

  • services.nginx.virtualHosts using forceSSL or globalRedirect can now have redirect codes other than 301 through redirectCode.

  • services.openssh now has an option authorizedKeysInHomedir, controlling whether ~/.ssh/authorizedKeys is added to authorizedKeysFiles. ::: {.note} This option currently defaults to true for NixOS 24.05, preserving the previous behaviour. This is expected to change in NixOS 24.11. ::: ::: {.warning} Users should check that their SSH keys are in users.users.*.openssh, or that they have another way to access and administer the system, before setting this option to false. :::

  • services.paperless module no longer uses the previously downloaded NLTK data stored in /var/cache/paperless/nltk. This directory can be removed.

  • services.postgresql.extraPlugins' type has expanded. Previously it was a list of packages, now it can also be a function that returns such a list. For example a config line like services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ]; is recommended to be changed to services.postgresql.extraPlugins = ps: with ps; [ postgis ];;

  • services.slskd has been refactored to include more configuation options in the free-form services.slskd.settings option, and some defaults (including listen ports) have been changed to match the upstream defaults. Additionally, disk logging is now disabled by default, and the log rotation timer has been removed. The nginx virtualhost option is now of the vhost-options type.

  • services.soju now has a wrapper for the sojuctl command, pointed at the service config file. It also has the new option adminSocket.enable, which creates a unix admin socket at /run/soju/admin.

  • services.stalwart-mail uses the legacy version 0.6.X as default because newer stalwart-mail versions require a manual upgrade process. Change services.stalwart-mail.package to pkgs.stalwart-mail if you wish to switch to the new version.

  • services.teeworlds module now has a wealth of configuration options, including a new package option.

  • services.xserver.desktopManager.budgie installs gnome.gnome-terminal by default (instead of mate.mate-terminal).

  • services.zfs.zed.enableMail now uses the global sendmail wrapper defined by an email module (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.

  • sonarr version bumped to from 3.0.10 to 4.0.3. Consequently existing config database files will be upgraded automatically, but note that some old apparently-working configs might actually be corrupt and fail to upgrade cleanly.

  • stdenv: The --replace flag in substitute, substituteInPlace, substituteAll, substituteAllStream, and substituteStream is now deprecated if favor of the new --replace-fail, --replace-warn and --replace-quiet. The deprecated --replace equates to --replace-warn.

  • systemd: when merging unit options (of type unitOption), if at least one definition is a list, all those which aren't are now lifted into a list, making it possible to accumulate definitions without resorting to mkForce, hence to retain the definitions not anticipating that need.

  • systemd units can now specify the Upholds= and UpheldBy= unit dependencies via the aptly named upholds and upheldBy options. These options get systemd to enforce that the dependencies remain continuosly running for as long as the dependent unit is in a running state.

  • A stdenv's default set of hardening flags can now be set via its bintools-wrapper's defaultHardeningFlags argument. A convenient stdenv adapter, withDefaultHardeningFlags, can be used to override an existing stdenv's defaultHardeningFlags.

  • Programs written in Nim are built with libraries selected by lockfiles. The nimPackages and nim2Packages sets have been removed. See https://nixos.org/manual/nixpkgs/unstable#nim for more information.

  • The EC2 image module now enables the Amazon SSM Agent by default.

  • A new abstraction to create both read-only as well as writable overlay file systems was added. Available via fileSystems.overlay. See also the NixOS docs.

  • A new hardening flag, zerocallusedregs was made available, corresponding to the gcc/clang option -fzero-call-used-regs=used-gpr.

  • A new hardening flag, trivialautovarinit was made available, corresponding to the gcc/clang option -ftrivial-auto-var-init=pattern.

  • dnsdist has new options to enable and configure a DNSCrypt endpoint (see services.dnsdist.dnscrypt.enable, etc.). The module can generate the DNSCrypt provider key pair and certificates, and also rotates them automatically with no downtime.

  • The kernel Yama LSM is now enabled by default, which prevents ptracing non-child processes. This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child). Or you can set boot.kernel.sysctl."kernel.yama.ptrace_scope" to 0.

  • Lisp modules: previously deprecated interface based on common-lisp.sh has now been removed.

  • The systemd-confinement module extension is now compatible with DynamicUser=true and thus ProtectSystem=strict too.