nixos/rke2: add rke2 service
63 KiB
Release 24.05 (“Uakari”, 2024.05/??)
Support is planned until the end of December 2024, handing over to 24.11.
Highlights
In addition to numerous new and upgraded packages, this release has the following highlights:
-
The default kernel package has been updated from 6.1 to 6.6. All supported kernels remain available.
-
For each supporting version of the Linux kernel, firmware blobs are compressed with zstd. For firmware blobs this means an increase of 4.4% in size, however a significantly higher decompression speed.
-
NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS.
- This can be disabled through the
environment.stub-ld.enable
option. - If you use
programs.nix-ld.enable
, no changes are needed. The stub will be disabled automatically.
- This can be disabled through the
-
On flake-based NixOS configurations using
nixpkgs.lib.nixosSystem
, NixOS will automatically setNIX_PATH
and the system-wide flake registry (/etc/nix/registry.json
) to point<nixpkgs>
and the unqualified flake pathnixpkgs
to the version of nixpkgs used to build the system.This makes
nix run nixpkgs#hello
andnix-build '<nixpkgs>' -A hello
work out of the box with no added configuration, reusing dependencies already on the system.This may be undesirable if nix commands are not going to be run on the built system since it adds nixpkgs to the system closure. For such closure-size-constrained non-interactive systems, this setting should be disabled.
To disable this, set nixpkgs.flake.setNixPath and nixpkgs.flake.setFlakeRegistry to false.
-
NixOS AMIs are now uploaded regularly to a new AWS Account. Instructions on how to use them can be found on https://nixos.github.io/amis. We are working on integration the data into the NixOS homepage. The list in
nixos/modules/virtualisation/amazon-ec2-amis.nix
will stop being updated and will be removed in the future. -
It is now possible to have a completely perlless system (i.e. a system without perl). Previously, the NixOS activation depended on two perl scripts which can now be replaced via an opt-in mechanism. To make your system perlless, you can use the new perlless profile:
{ modulesPath, ... }: { imports = [ "${modulesPath}/profiles/perlless.nix" ]; }
-
Lomiri (formerly known as Unity8) desktop mode, using Mir 2.x to function as a Wayland compositor, is now available and can be installed with
services.desktopManager.lomiri.enable = true
. Note that some core applications, services and indicators have yet to be packaged, and some functions may remain incomplete, but the base experience should be there. -
MATE has been updated to 1.28.
- To properly support panel plugins built with Wayland (in-process) support, we are introducing
services.xserver.desktopManager.mate.extraPanelApplets
option, please use that for installing panel applets. - Similarly, please use
services.xserver.desktopManager.mate.extraCajaExtensions
option for installing Caja extensions. - To use the Wayland session, enable
services.xserver.desktopManager.mate.enableWaylandSession
. This is opt-in for now as it is in early stage and introduces a new set of Wayfire closure. Due to known issues with LightDM, we suggest using SDDM for display manager.
- To properly support panel plugins built with Wayland (in-process) support, we are introducing
-
Plasma 6 is now available and can be installed with
services.xserver.desktopManager.plasma6.enable = true;
. Plasma 5 will likely be deprecated in the next release (24.11). Note that Plasma 6 runs as Wayland by default, and the X11 session needs to be explicitly selected if necessary.
New Services
-
Anki Sync Server, the official sync server built into recent versions of Anki. Available as services.anki-sync-server. The pre-existing services.ankisyncd has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server software.
-
ALVR, a VR desktop streamer. Available as programs.alvr.
-
AppImage, a tool to package desktop applications, now has a
binfmt
option to support running AppImages seamlessly on NixOS. Available as programs.appimage.binfmt. -
armagetronad, a mid-2000s 3D lightcycle game widely played at iD Tech Camps. You can define multiple servers using
services.armagetronad.<server>.enable
. -
BenchExec, a framework for reliable benchmarking and resource measurement, available as programs.benchexec, As well as related programs CPU Energy Meter, available as programs.cpu-energy-meter, and PQoS Wrapper, available as programs.pqos-wrapper.
-
Bluemap, a 3D minecraft map renderer. Available as services.bluemap.
-
clatd, a CLAT / SIIT-DC Edge Relay implementation for Linux.
-
Clevis, a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as boot.initrd.clevis.enable.
-
CommaFeed, a Google Reader-inspired self-hosted RSS reader. Available as services.commafeed.
-
davis, a simple CardDav and CalDav server inspired by Baïkal. Available as services.davis.
-
db-rest, a wrapper around Deutsche Bahn's internal API for public transport data. Available as services.db-rest.
-
dnsproxy, a simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support. Available as services.dnsproxy.
-
FCast Receiver, an open-source alternative to Chromecast and AirPlay. Available as programs.fcast-receiver.
-
FileSender, a file sharing software. Available as services.filesender.
-
Firefly-iii, a free and open source personal finance manager. Available as services.firefly-iii.
-
Flarum, a delightfully simple discussion platform for your website. Available as services.flarum.
-
fritz-exporter, a Prometheus exporter for extracting metrics from FRITZ! devices. Available as services.prometheus.exporters.fritz.
-
GNS3, a network software emulator. Available as services.gns3-server.
-
go-camo, a secure image proxy server. Available as services.go-camo.
-
Guix, a functional package manager inspired by Nix. Available as services.guix.
-
Handheld Daemon, support for gaming handhelds like the Legion Go, ROG Ally, and GPD Win. Available as services.handheld-daemon.
-
hebbot, a Matrix bot to generate "This Week in X" like blog posts. Available as services.hebbot.
-
inadyn, a Dynamic DNS client with built-in support for multiple providers. Available as services.inadyn.
-
intel-gpu-tools, tools for development and testing of the Intel DRM driver. Available as hardware.intel-gpu-tools.
-
isolate, a sandbox for securely executing untrusted programs. Available as security.isolate.
-
Jottacloud Command-line Tool, a CLI for the Jottacloud cloud storage provider. Available as services.jotta-cli.
-
keto, a permission & access control server, the first open source implementation of "Zanzibar: Google's Consistent, Global Authorization System".
-
manticoresearch, easy to use open source fast database for search. Available as services.manticore.
-
maubot, a plugin-based Matrix bot framework. Available as services.maubot.
-
mautrix-meta, a Matrix <-> Facebook and Matrix <-> Instagram hybrid puppeting/relaybot bridge. Available as services.mautrix-meta.
-
mautrix-signal, a Matrix-Signal puppeting bridge. Available as services.mautrix-signal.
-
Mealie, a self-hosted recipe manager and meal planner with a RestAPI backend and a reactive frontend application built in NuxtJS for a pleasant user experience for the whole family. Available as services.mealie.
-
MollySocket which allows getting Signal notifications via UnifiedPush.
-
microsocks, a tiny, portable SOCKS5 server with very moderate resource usage. Available as services.microsocks.
-
Mihomo, a rule-based proxy in Go. Available as services.mihomo.enable.
-
Monado, an open source XR runtime. Available as services.monado.
-
Netbird, an open-source VPN management platform, now has a self-hosted management server. Available as services.netbird.server.
-
nh, yet another Nix CLI helper. Available as programs.nh.
-
oink, a dynamic DNS client for Porkbun. Available as services.oink.
-
ollama, server for running large language models locally.
-
nextjs-ollama-llm-ui, light-weight frontend server to chat with Ollama models through a web app.
-
ownCloud Infinite Scale Stack, a modern and scalable rewrite of ownCloud.
-
PhotonVision, a free, fast, and easy-to-use computer vision solution for the FIRST® Robotics Competition.
-
ping_exporter, a Prometheus exporter for ICMP echo requests. Available as services.prometheus.exporters.ping.
-
Pretix, an open source ticketing software for events. Available as services.pretix.
-
pretalx, a conference planning tool. Available as services.pretalx.
-
private-gpt, a service to interact with your documents using the power of LLMs, 100% privately, no data leaks. Available as services.private-gpt.
-
Prometheus DNSSEC Exporter, check for validity and expiration in DNSSEC signatures and expose metrics for Prometheus. Available as services.prometheus.exporters.dnssec.
-
prometheus-nats-exporter, a Prometheus exporter for NATS. Available as services.prometheus.exporters.nats.
-
pyLoad, a FOSS download manager written in Python. Available as services.pyload.
-
Python Matter Server, a Matter Controller Server exposing websocket connections for use with other services, notably Home Assistant. Available as services.matter-server.
-
RustDesk, a full-featured open source remote control alternative for self-hosting and security with minimal configuration. Alternative to TeamViewer. Available as services.rustdesk-server.
-
ryzen-monitor-ng, a desktop AMD CPU power monitor and controller, similar to Ryzen Master but for Linux. Available as programs.ryzen-monitor-ng.
-
ryzen-smu, Linux kernel driver to expose the SMU (System Management Unit) for certain AMD Ryzen Processors. Includes the userspace program
monitor_cpu
. Available at hardward.cpu.amd.ryzen-smu. -
Scrutiny, a S.M.A.R.T monitoring tool for hard disks with a web frontend. Available as services.scrutiny.
-
SimpleSAMLphp, an application written in native PHP that deals with authentication (SQL, .htpasswd, YubiKey, LDAP, PAPI, Radius). Available as services.simplesamlphp.
-
systemd
'sgateway
,upload
, andremote
services, which provide ways of sending journals across the network. Enable using services.journald.gateway, services.journald.upload, and services.journald.remote. -
systemd-lock-handler, a bridge between logind D-Bus events and systemd targets. Available as services.systemd-lock-handler.enable.
-
rspamd-trainer, script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training.
-
Sunshine, a self-hosted game stream host for Moonlight. Available as services.sunshine.
-
Suwayomi Server, a free and open source manga reader server that runs extensions built for Tachiyomi. Available as services.suwayomi-server.
-
TigerBeetle, a distributed financial accounting database designed for mission critical safety and performance. Available as services.tigerbeetle.
-
transfer-sh, a tool that supports easy and fast file sharing from the command-line. Available as services.transfer-sh.
-
TuxClocker, a hardware control and monitoring program. Available as programs.tuxclocker.
-
Uni-Sync, a synchronization tool for Lian Li Uni Controllers. Available as hardware.uni-sync.
-
wastebin, a pastebin server written in rust. Available as services.wastebin.
-
watchdogd, a system and process supervisor using watchdog timers. Available as services.watchdogd.
-
Workout-tracker, a workout tracking web application for personal use.
-
wyoming-satellite, a voice assistant satellite for Home Assistant using the Wyoming protocol. Available as services.wyoming.satellite.
-
xdg-terminal-exec, the proposed Default Terminal Execution Specification.
-
ydotool, a generic command-line automation tool now has a module. Available as programs.ydotool.
-
your_spotify, a self hosted Spotify tracking dashboard. Available as services.your_spotify
-
RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution. Available as services.rke2.
Backward Incompatibilities
-
akkoma
now requires explicitly setting the base URL for uploaded media (settings."Pleroma.Upload".base_url
), as well as for the media proxy if enabled (settings."Media"
). This is recommended to be a separate (sub)domain to the one Akkoma is hosted at. See here for more details. -
appimageTools.wrapAppImage
now creates the binary at$out/bin/${pname}
rather than$out/bin/${pname}-${version}
, which will break downstream workarounds. -
azure-cli
now has extension support. For example, to install theaks-preview
extension, useenvironment.systemPackages = [ (azure-cli.withExtensions [ azure-cli.extensions.aks-preview ]) ];
To make the
azure-cli
immutable and prevent clashes in caseazure-cli
is also installed via other package managers, some configuration files were moved into the derivation. This can be disabled by overridingwithImmutableConfig = false
when buildingazure-cli
. -
boot.supportedFilesystems
andboot.initrd.supportedFilesystems
are now attribute sets instead of lists. Assignment from lists as done previously is still supported, but checking whether a filesystem is enabled must now by done usingsupportedFilesystems.fs or false
instead of usinglib.elem "fs" supportedFilesystems
as was done previously. -
buildGoModule
now throws an error whenvendorHash
is not specified.vendorSha256
, deprecated in Nixpkgs 23.11, is now ignored and is no longer avendorHash
alias. -
chromium
andungoogled-chromium
had a long-standing issue regarding Widevine DRM handling in nixpkgs fixed.chromium
now no longer automatically downloads Widevine when encountering DRM protected content. To be able to play DRM protected content inchromium
now, you have to explicitly opt-in as originally intended usingchromium.override { enableWideVine = true; }
. This override was added almost 10 years ago. -
craftos-pc
package has been updated to v2.8, which includes breaking changes.- Files are now handled in binary mode; this could break programs with embedded UTF-8 characters.
- The ROM was updated to match ComputerCraft version v1.109.2.
- The bundled Lua was updated to Lua v5.2, which includes breaking changes. See the Lua manual for more information.
- The WebSocket API was rewritten, which introduced breaking changes.
-
cryptsetup
has been upgraded from 2.6.1 to 2.7.0. Cryptsetup is a critical component enabling LUKS-based (but not only) full disk encryption. Take the time to review the release notes. One of the highlights is that it is now possible to use hardware OPAL-based encryption of your disk withcryptsetup
. It has a lot of caveats, see the above notes for the full details. -
crystal
package has been updated to 1.11.x, which has some breaking changes. Refer to crystal's changelog for more information. (v1.10, v1.11) -
cudaPackages
package scope has been updated tocudaPackages_12
. -
cudaPackages.autoAddOpenGLRunpathHook
andcudaPackages.autoAddDriverRunpath
have been deprecated forpkgs.autoAddDriverRunpath
. Functionality has not changed, but the setuphook has been renamed and moved to the top-level package scope. -
cudaPackages.cudatoolkit
has been deprecated and replaced with a symlink-based wrapper for the splayed redistributable CUDA packages. The wrapper only includes tools and libraries necessary to build common packages such as tensorflow. The original runfile-basedcudatoolkit
is still available ascudatoolkit-legacy-runfile
. -
cudaPackages.nsight_systems
now has most vendored third party-libraries removed, though we now only ship it forcudaPackages_11_8
and later, due to outdated dependencies. Users comfortable with the vendored dependencies may useoverrideAttrs
to amend thepostPatch
phase and themeta.broken
correspondingly. Alternatively, one could package the deprecatedboost170
locally, as required forcudaPackages_11_4.nsight_systems
. -
cudaPackages.autoFixElfFiles
has been deprecated forpkgs.autoFixElfFiles
. Functionality has not changed, but the setuphook has been renamed and moved to the top-level package scope. -
davfs2
'sservices.davfs2.extraConfig
setting has been deprecated and converted to the free-form type option namedservices.davfs2.settings
according to RFC42. -
dwarf-fortress
has been updated to version 50, and its derivations continue to menace with spikes of Nix and bash [TODO what does this mean?]. Version 50 is identical to the version on Steam, but without the paid elements like tilepacks. dfhack and Dwarf Therapist still work, and older versions are still packaged in case you'd like to roll back. Note that DF 50 saves will not be compatible with DF 0.47 and earlier. See Bay 12 Games for more details on what's new in Dwarf Fortress.-
Running an earlier version can be achieved through an override:
dwarf-fortress-packages.dwarf-fortress-full.override { dfVersion = "0.47.5"; }
-
Ruby plugin support has been disabled in DFHack. Many of the Ruby plugins have been converted to Lua, and support was removed upstream due to frequent crashes.
-
-
erlang-ls
package no longer ships theels_dap
binary as of v0.51.0. -
erlang_node_short_name
,erlang_node_name
,port
andoptions
configuration parameters are gone, and have been replaced with anenvironment
parameter. Use the appropriate environment variables insideenvironment
to configure the service instead. -
firefox-devedition
,firefox-beta
,firefox-esr
executable file names for now match their package names, which is consistent with thefirefox-*-bin
packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher. -
gauge
now supports installing plugins using nix. For the old imperative approach, switch togauge-unwrapped
. You can load plugins from an existing gauge manifest file usinggauge.fromManifest ./path/to/manifest.json
or specify plugins in nix usinggauge.withPlugins (p: with p; [ js html-report xml-report ])
. -
gitea
has been updated to 1.21, which introduces several breaking changes, including:- Custom themes and other assets that were previously stored in
custom/public/*
now belong incustom/public/assets/*
- New instances of Gitea using MySQL now ignore the
[database].CHARSET
config option and always use theutf8mb4
charset, existing instances should migrate via thegitea doctor convert
CLI command.
- Custom themes and other assets that were previously stored in
-
git-town
was updated from version 11 to 13. See the changelog for breaking changes. -
gonic
has been updated to v0.16.4. Config now requiresplaylists-path
to be set. See the rest of the v0.16.0 release notes for more details. -
go-ethereum
has been updated to v1.14.3. Geth v1.14.0 introduced a brand new live-tracing feature, which required a number of breaking internal API changes. If you had your own native tracers implemented before this change, the changelog contains the necessary steps needed to update your old code for the new APIs. Geth v1.14.0 drops support for running pre-merge networks (#29169). It also stops automatically constructing the pending block (#28623), removes support for filtering pending logs, switched to using Go v1.22 by default (#28946), which means we've dropped support for Go v1.20. See the 1.14.0 release notes for more details. -
grafana-loki
has been updated to 3.0.0, which includes breaking changes. -
gtest
package has been updated past v1.13.0, which requires C++14 or higher. -
hare
may now be cross-compiled. For that to work, however,haredoc
needed to stop being built together with it. Thus, the latter is now its own package with the name ofharedoc
. -
himalaya
has been updated to v1.0.0-beta.4, which introduces breaking changes. Check out the release note for details. -
halloy
has been updated to 2024.5, which introduced a breaking change by switching the config format from YAML to TOML. See https://github.com/squidowl/halloy/releases/tag/2024.5 for details. -
hvm
was updated to version 2. -
icu
no longer includesinstall-sh
andmkinstalldirs
in the shared folder. -
idris2
was updated to v0.7.0. This version introduces breaking changes. Check out the changelog for details. -
inetutils
now has a lower priority to avoid shadowing the commonly usedutil-linux
. If one wishes to restore the default priority, simply uselib.setPrio 5 inetutils
or override withmeta.priority = 5
. -
jdt-language-server
package now uses upstream's provided python wrapper instead of our own custom wrapper. This results in the following breaking and notable changes:-
The main binary for the package is now named
jdtls
instead ofjdt-language-server
, equivalent to what most editors expect the binary to be named. -
JVM arguments should now be provided with the
--jvm-arg
flag instead of settingJAVA_OPTS
. -
The
-data
path is no longer required to run the package, and will be set to point to a folder in$TMP
if missing.
-
-
julia
environments can now be built with arbitrary packages from the ecosystem using the.withPackages
function. For example:julia.withPackages ["Plots"]
. -
k3s
has been updated to version v1.30, previous supported versions are available under release specific names (e.g. k3s_1_27, k3s_1_28, and k3s_1_29) and present to help you migrate to the latest supported version. See changelog and upgrade notes for more information. -
k9s
was updated to v0.31. There have been various breaking changes in the config file format, check out the changelog of v0.29, v0.30 and v0.31 for details. It is recommended to back up your current configuration and let k9s recreate the new base configuration. -
kanata
package has been updated to v1.6.1, which includes breaking changes. Check out the changelog of v1.5.0 and v1.6.0 for details. -
linuxPackages_testing_bcachefs
is now fully deprecated bylinuxPackages_latest
, and is therefore no longer available. -
livebook
package is now built as amix release
instead of anescript
. This means that configuration now has to be done using environment variables instead of command line arguments. This has the further implication that thelivebook
service configuration has changed. -
lua
interpreters default LUA_PATH and LUA_CPATH are not overriden by nixpkgs anymore, we patch LUA_ROOT instead which is more respectful to upstream. -
luarocks-packages-updater
's .csv format used to define lua packages to be updated, has changed:src
(URL of a git repository) has now becomerockspec
(URL of a rockspec) to remove ambiguity regarding which rockspec to use and simplify implementation. -
mkosi
was updated to v22. Parts of the user interface have changed. Consult the release notes of v19, v20, v21 and v22 for a list of changes. -
mongodb-4_4
has been removed as it has reached end of life. Consequently,unifi7
andunifi8
now use MongoDB 5.0 by default. -
mongodb-5_0
and newer requires a cpu with the avx instruction set to run. -
neo4j
has been updated to version 5. You may want to read the release notes for Neo4j 5. -
netbox
was updated to v3.7.services.netbox.package
still defaults to v3.6 ifstateVersion
is earlier than 24.05. Refer to upstream's breaking changes for v3.7.0 and upgrade NetBox by changingservices.netbox.package
. Database migrations will be run automatically. -
network-interfaces.target
system target was removed as it has been deprecated for a long time. Usenetwork.target
instead. -
networking.iproute2.enable
now does not setenvironment.etc."iproute2/rt_tables".text
.Setting
environment.etc."iproute2/{CONFIG_FILE_NAME}".text
will override the whole configuration file instead of appending it to the upstream configuration file.CONFIG_FILE_NAME
includesbpf_pinning
,ematch_map
,group
,nl_protos
,rt_dsfield
,rt_protos
,rt_realms
,rt_scopes
, andrt_tables
. -
nextcloud26
has been removed since it's not maintained anymore by upstream. The latest available version of Nextcloud is now v29 (available aspkgs.nextcloud29
). The installation logic is as follows:- If
services.nextcloud.package
is specified explicitly, this package will be installed (recommended) - If
system.stateVersion
is >=24.05,pkgs.nextcloud29
will be installed by default. - If
system.stateVersion
is >=23.11,pkgs.nextcloud27
will be installed by default. - Please note that an upgrade from v27 (or older) to v29 directly is not possible. Please upgrade to
nextcloud28
(or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaringservices.nextcloud.package = pkgs.nextcloud28;
. - Known warnings after the upgrade are documented in from now on.
- The "Photos" app only displays Media from inside the
Photos
directory. This can be changed manually in the "Photos" tab below "Photos settings".
- If
-
nitter
requires aguest_accounts.jsonl
to be provided as a path or loaded into the default location at/var/lib/nitter/guest_accounts.jsonl
. See Guest Account Branch Deployment for details. -
nixVersions.unstable
was removed. Instead the following attributes are provided:nixVersions.git
which tracks the latest Nix master and is roughly updated once a week. This is intended to enable people to easily test unreleased changes of Nix to catch regressions earlier.nixVersions.latest
which points to the latest Nix version packaged in nixpkgs.
-
nomad
has been updated - note that HashiCorp recommends updating one minor version at a time. Please check their upgrade guide for information on safely updating clusters and potential breaking changes.-
nomad
is now Nomad 1.7.x. -
nomad_1_4
has been removed, as it is now unsupported upstream.
-
-
nvtop
family of packages was reorganized into a nested attrset.nvtop
has been renamed tonvtopPackages.full
, and allnvtop-{amd,nvidia,intel,msm}
packages are renamed tonvtopPackages.{amd,nvidia,intel,msm}
. -
openssh
,openssh_hpn
andopenssh_gssapi
are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading to another signature algorithm. However, for the time being it is possible to restore DSA key support usingoverride
to setdsaKeysSupport = true
. -
optparse-bash
is now dropped due to upstream inactivity. Alternatives available in Nixpkgs includeargc
,argbash
,bashly
andgum
, to name a few. -
paperless
'services.paperless.extraConfig
setting has been removed and converted to the free-form type and option namedservices.paperless.settings
. -
pdns
was updated to version v4.9.x, which introduces breaking changes. Check out the Upgrade Notes for details. -
percona-server
now follows the same two-fold release cycle as Oracle MySQL and provides a Long-Term-Support (LTS) in parallel with a continuous-delivery Innovation release.percona-server
defaults topercona-server_lts
, will be backed by the same release branch throughout the lifetime of this stable NixOS release, and is still available under the versioned attributepercona-server_8_0
. Thepercona-server_innovation
releases however have support periods shorter than the lifetime of this NixOS release and will continuously be updated to newer Percona releases. Note that Oracle considers the Innovation releases to be production-grade, but each release might include backwards-incompatible changes, even in its on-disk format. The same release scheme is applied to the supportingpercona-xtrabackup
tool as well. -
pipewire
andwireplumber
modules have removed support for usingenvironment.etc."pipewire/..."
andenvironment.etc."wireplumber/..."
. Useservices.pipewire.extraConfig
orservices.pipewire.configPackages
for PipeWire andservices.pipewire.wireplumber.configPackages
for WirePlumber instead." -
power.ups
now generatesupsd.conf
,upsd.users
andupsmon.conf
automatically from a set of new configuration options. This breaks compatibility with existingpower.ups
setups where these files were created manually. Back up these files before upgrading NixOS. -
programs.nix-ld.libraries
no longer setsbaseLibraries
via the option's default but in config and now merges any additional libraries with the default ones. This means thatlib.mkForce
must be used to clear the list of default libraries. -
screen
's module has been cleaned, and will now require you to setprograms.screen.enable
in order to populatescreenrc
and add the program to the environment. -
security.pam.enableSSHAgentAuth
now requiresservices.openssh.authorizedKeysFiles
to be non-empty, which is the case whenservices.openssh.enable
is true. Previously,pam_ssh_agent_auth
silently failed to work. -
security.pam.enableSSHAgentAuth
was replaced by thesshAgentAuth
attrset, and onlyauthorized_keys
files listed insshAgentAuth.authorizedKeysFiles
are trusted, defaulting to/etc/ssh/authorized_keys.d/%u
. ::: {.warning} Users of {manpage}pam_ssh_agent_auth(8)
must take care that the pubkeys they use (for instance withsudo
) are listed insshAgentAuth.authorizedKeysFiles
. ::: ::: {.note} Previously, allservices.openssh.authorizedKeysFiles
were trusted, including~/.ssh/authorized_keys
, which results in an insecure configuration; see #31611. :::
-
services.archisteamfarm
no longer uses the abbreviationasf
for its state directory (/var/lib/asf
), user and group (bothasf
). Instead the long namearchisteamfarm
is used. Configurations withsystem.stateVersion
23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory. -
frr
was updated to 10.0, which introduces the default ofenforce-first-as
for BGP. Please disable again if needed. -
services.aria2.rpcSecret
has been replaced withservices.aria2.rpcSecretFile
. This was done so that secrets aren't stored in the world-readable nix store. To migrate, you will have to create a file with the same exact string, and change your module options to point to that file. For example,services.aria2.rpcSecret = "mysecret"
becomesservices.aria2.rpcSecretFile = "/path/to/secret_file"
where the filesecret_file
contains the stringmysecret
. -
services.avahi.nssmdns
was split intoservices.avahi.nssmdns4
andservices.avahi.nssmdns6
which enable the mDNS NSS switches for IPv4 and IPv6 respectively. Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts. -
services.frp.settings
now generates the frp configuration file in TOML format as recommended by upstream, instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options:- The
settings.common
section in the configuration is no longer valid and all the options form inside it now go directly undersettings
. - Configuration option names have been changed from snake_case to camelCase. For example:
server_addr
becomesserverAddr
,server_port
becomesserverPort
etc. - Proxies are now defined with a new option
settings.proxies
which takes a list of proxies. - Consult the upstream documentation for more details on the changes.
- The
-
services.hledger-web.capabilities
options has been replaced by a new optionservices.hledger-web.allow
.allow = "view"
meanscapabilities = { view = true; }
;allow = "add"
meanscapabilities = { view = true; add = true; }
;allow = "edit"
meanscapabilities = { view = true; add = true; edit = true }
;allow = "sandstorm"
reads permissions from theX-Sandstorm-Permissions
request header.
-
services.homepage-dashboard
now takes its configuration using native Nix expressions, rather than dumping templated configurations into/var/lib/homepage-dashboard
where they were previously managed manually. There are now new options which allow the configuration of bookmarks, services, widgets and custom CSS/JS natively in Nix. -
services.invidious.settings.db.user
, the default database username has changed fromkemal
toinvidious
. Setups involving an externally-provisioned database (i.e.services.invidious.database.createLocally == false
) should adjust their configuration accordingly. The oldkemal
user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857). -
services.oauth2_proxy
was renamed toservices.oauth2-proxy
. Also the corresponding service, user and group were renamed. -
services.smokeping
now has an optionwebService
. When enabled, smokeping is now served via nginx instead of thttpd. This change brings the following consequences:- The default port for smokeping is now the nginx default port 80 instead of 8081.
- The option
services.smokeping.port
has been removed. To customize the port, useservices.nginx.virtualHosts.smokeping.listen.*.port
.
-
services.neo4j.allowUpgrade
was removed and no longer has any effect. Neo4j 5 supports automatic rolling upgrades. -
services.nextcloud
has the following options moved intoservices.nextcloud.settings
and renamed to match the name from Nextcloud'sconfig.php
:logLevel
->loglevel
,logType
->log_type
,defaultPhoneRegion
->default_phone_region
,overwriteProtocol
->overwriteprotocol
,skeletonDirectory
->skeletondirectory
,globalProfiles
->profile.enabled
,extraTrustedDomains
->trusted_domains
andtrustedProxies
->trusted_proxies
.
-
services.nginx
will no longer advertise HTTP/3 availability automatically. This must now be manually added, preferably to each location block. Example:{ locations."/".extraConfig = '' add_header Alt-Svc 'h3=":$server_port"; ma=86400'; ''; locations."^~ /assets/".extraConfig = '' add_header Alt-Svc 'h3=":$server_port"; ma=86400'; ''; }
-
services.pgbouncer
now has systemd support enabled and will log to journald. The default setting forservices.pgbouncer.logFile
is nownull
to disable logging to a separate log file. -
services.postgresql.ensureUsers._.ensurePermissions
has been removed as it is not declarative and is broken with newer postgresql versions. Consider using instead or a tool that is more suited for managing the data inside a postgresql database. -
services.redis.vmOverCommit
now defaults totrue
and no longer enforces Transparent Hugepages (THP) to be disabled. Redis only works with THP configured tomadvise
which is the kernel's default. -
services.resolved.fallbackDns
- can now be used to disable the upstream fallback servers entirely by setting it to
[]
- to get previous behaviour of upstream defaults, set it to
null
- default value has changed from
[]
tonull
, in order to preserve default behaviour
- can now be used to disable the upstream fallback servers entirely by setting it to
can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead.
-
services.vikunja
systemd service now usesvikunja
as dynamic user instead ofvikunja-api
. Database users might need to be changed. -
services.vikunja.setupNginx
setting has been removed. Users now need to set up the webserver configuration on their own with a proxy pass to the vikunja service. -
services.vmagent
module deprecatesdataDir
,group
anduser
setting in favor of systemd provided CacheDirectory and DynamicUser. -
services.vmagent.remoteWriteUrl
setting has been renamed toservices.vmagent.remoteWrite.url
and now defaults tonull
. -
services.zope2
has been removed, aszope2
is unmaintained and was relying on Python 2. -
spark2014
has been renamed tognatprove
. A version ofgnatprove
matching different GNAT versions is available from the differentgnatPackages
sets. -
stalwart-mail
has been updated to v0.5.3, which includes breaking changes. -
system.etc.overlay.enable
option was added. If enabled,/etc
is mounted via an overlayfs instead of being created by a custom perl script. -
system.forbiddenDependenciesRegex
has been renamed tosystem.forbiddenDependenciesRegexes
and now has the type oflistOf string
instead ofstring
to accept multiple regexes. -
systemd.oomd
module behavior has changed:-
Raise ManagedOOMMemoryPressureLimit from 50% to 80%. This should make systemd-oomd kill things less often, and fix issues like this. Reference: commit.
-
Remove swap policy. This helps prevent killing processes when user's swap is small.
-
Expand the memory pressure policy to
system.slice
,user-.slice
, and all user owned slices. Reference: commit. -
systemd.oomd.enableUserServices
is renamed tosystemd.oomd.enableUserSlices
.
-
-
systemd.sysusers.enable
option was added. If enabled, users and groups are created with systemd-sysusers instead of with a custom perl script. -
teleport
has been upgraded from major version 14 to major version 15. Refer to upstream upgrade instructions and release notes for v15. -
unifiLTS
,unifi5
andunifi6
have been removed, as they require MongoDB versions which are end-of-life. All these versions can be upgraded tounifi7
directly. -
unrar
was updated to v7. See changelog for more information. -
virtualisation.docker.enableNvidia
andvirtualisation.podman.enableNvidia
options are deprecated.hardware.nvidia-container-toolkit.enable
should be used instead. This option will expose GPUs on containers with the--device
CLI option. This is supported by Docker 25, Podman 3.2.0 and Singularity 4. Any container runtime that supports the CDI specification will take advantage of this feature. -
virtialisation.incus
now defaults to the newly-addedincus-lts
release (v6.0.x). Users who wish to continue using the non-LTS release will need to setvirtualisation.incus.package = pkgs.incus
. Stable release users are encouraged to stay on the LTS release as non-LTS releases will by default not be backported. -
woodpecker-*
packages have been updated to v2 which includes breaking changes. -
wpaperd
has been updated to 1.0.1, which has a breaking change: previous version 0.3.0 had 2 different configuration files, one for wpaperd and one for the wallpapers. Remove the former and move the latter (wallpaper.toml
) toconfig.toml
. -
writeReferencesToFile
is deprecated in favour of the new trivial build helperwriteClosure
. The latter accepts a list of paths and has an unambiguous name and cleaner implementation. -
xfsprogs
was updated to version 6.6.0, which enables reverse mapping (rmapbt) and large extent counts (nrext64) by default. Support for these features was added in kernel 4.9 and 5.19 and nrext64 was deemed stable in kernel 6.5. Format your filesystems withmkfs.xfs -i nrext64=0
, if they need to be readable by GRUB2 before 2.12 or kernels older than 5.19. -
xxd
has been moved fromvim
default output to its own output to reduce closure size. The canonical way to reference it across all platforms isunixtools.xxd
. -
youtrack
is bumped to 2023.3. The update is not performed automatically, it requires manual interaction. See the YouTrack section in the manual for details. -
Ada packages (libraries and tools) have been moved into the
gnatPackages
scope.gnatPackages
uses the default GNAT compiler,gnat12Packages
andgnat13Packages
use the respective matching compiler version. -
Paths provided as
restartTriggers
andreloadTriggers
for systemd units will now be copied into the nix store to make the behavior consistent. Previously,restartTriggers = [ ./config.txt ]
, if defined in a flake, would trigger a restart when any part of the flake changed; and if not defined in a flake, would never trigger a restart even if the contents ofconfig.txt
changed. -
A warning has been added for services that are
after = [ "network-online.target" ]
but do not depend on it (e.g. usingwants
), because the dependency thatmulti-user.target
has onnetwork-online.target
is planned for removal. -
switch-to-configuration does not directly call systemd-tmpfiles anymore. Instead, the new artificial sysinit-reactivation.target is introduced which allows to restart multiple services that are ordered before sysinit.target and respect the ordering between the services.
-
services.prometheus.exporters.snmp
's configuration format changed with release 0.23.0. The module now includes an optional config check, that is enabled by default, to make the change obvious before any deployment. More information about the configuration syntax change is available in the upstream repository.
Other Notable Changes
-
addDriverRunpath
has been added to facilitate the deprecation of the oldaddOpenGLRunpath
setuphook. This change is motivated by the evolution of the setuphook to include all hardware acceleration. -
appimage
,appimageTools.wrapAppImage
andbuildFHSEnvBubblewrap
now properly acceptpname
andversion
. -
bacula
now allows to configureTLS
for encrypted communication. -
boot.initrd.network.ssh.authorizedKeyFiles
is a new option in the initrd ssh daemon module, for adding authorized keys via list of files. -
boot.kernel.sysctl."net.core.wmem_max"
changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just asboot.kernel.sysctl."net.core.rmem_max"
since 22.11. -
boot.loader.systemd-boot.xbootldrMountPoint
is a new option for setting up a separate XBOOTLDR partition to store boot files. Useful on systems with a small EFI System partition that cannot be easily repartitioned. -
boot.loader.systemd-boot
will now verify thatefiSysMountPoint
(andxbootldrMountPoint
if configured) are mounted partitions. -
buildDubPackage
can now be used to build Programs written in D using thedub
build system and package manager. See the D section in the manual for more information. -
castopod
has some migration actions to be taken in case of a S3 setup. Some new features may also need some manual migration actions. See https://code.castopod.org/adaures/castopod/-/releases for more information. -
cinnamon
has been updated to 6.0. Please beware that the Wayland session is still experimental in this release and could potentially affect Xorg sessions. We suggest a reboot when switching between sessions. -
documentation.man.mandoc
now usesMANPATH
by defaultwas to set the directories where mandoc will search for manual pages. This enables mandoc to find manual pages in Nix profiles. To set the manual search paths via themandoc.conf
configuration file like before, usedocumentation.man.mandoc.settings.manpath
instead. -
drbd
out-of-tree Linux kernel driver has been added in version 9.2.7. With it the DRBD 9.x features can be used instead of the 8.x features provided by the 8.4.11 in-tree driver. -
garage
has been updated to v1.x.x. Users should read the upstream release notes and follow the documentation when changing over theirservices.garage.package
and performing this manual upgrade. -
hardware.pulseaudio
module now sets permission of pulse user home directory to 755 when running in "systemWide" mode. It fixes issue 114399. -
kavita
has been updated to 0.8.0, requiring a manual forced library scan on all libraries for migration. Refer to upstream's release notes for details. -
krb5
module has been rewritten and moved tosecurity.krb5
, moving all options butsecurity.krb5.enable
andsecurity.krb5.package
intosecurity.krb5.settings
. -
libass
now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues withmpv
,ffmpeg
, etc. -
libjxl
version bumped from 0.8.2 to 0.9.1 dropped support for the butteraugli API. You will no longer be able to setenableButteraugli
onlibaom
. -
lxd
has been upgraded to v5.21.x, an LTS release. The LTS release is now the only supported LXD release. Users are encouraged to migrate to Incus for better support on NixOS. -
matrix-synapse
homeserver module now supports configuring UNIX domain socketlisteners
through thepath
option. The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets. -
mockgen
has changed to the go.uber.org/mock fork because the original repository is no longer maintained. -
mpich
now requireswithPm
to be a list, e.g."hydra:gforker"
becomes[ "hydra" "gforker" ]
. -
nextcloud-setup.service
no longer changes the group of each file & directory inside/var/lib/nextcloud/{config,data,store-apps}
if one of these directories has the wrong owner group. This was part of transitioning the group used for/var/lib/nextcloud
, but isn't necessary anymore. -
oils-for-unix
, the oil shell's c++ version is now available. The python version is still available asoil
. -
pkgsExtraHardening
, a new top-level package set, was added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features). -
portunus
has been updated to major version 2. This version of Portunus supports strong password hashes, but the legacy hash SHA-256 is also still supported to ensure a smooth migration of existing user accounts. After upgrading, follow the instructions on the upstream release notes to upgrade all user accounts to strong password hashes. Support for weak password hashes will be removed in NixOS 24.11. -
programs.fish.package
now allows you to override the package used in thefish
module. -
qt6.qtmultimedia
has changed its default backend toQT_MEDIA_BACKEND=ffmpeg
(previouslygstreamer
on Linux ordarwin
on macOS). The previous native backends remain available but are now minimally maintained. Refer to upstream documentation for further details about each platform. -
services.btrbk
now automatically selects and provides required compression program depending on the configuredstream_compress
option. Since this replaces the need for theextraPackages
option, this option will be deprecated in future releases. -
services.github-runner
module has been removed. To configure a single GitHub Actions Runner refer toservices.github-runners.*
. Note that this will trigger a new runner registration. -
services.networkmanager.extraConfig
was renamed toservices.networkmanager.settings
and changed to use the ini type instead of using a multiline string. -
services.nextcloud.config.dbport
option of the Nextcloud module was removed to match upstream. The port can be specified inservices.nextcloud.config.dbhost
. -
services.kavita
now uses the free-form optionservices.kavita.settings
for the application settings file. The optionsservices.kavita.ipAdresses
andservices.kavita.port
now exist atservices.kavita.settings.IpAddresses
andservices.kavita.settings.IpAddresses
. The file atservices.kavita.tokenKeyFile
now needs to contain a secret with 512+ bits instead of 128+ bits. -
services.netbird
now allows running multiple tunnels in parallel throughservices.netbird.tunnels
. -
services.nginx.virtualHosts
usingforceSSL
orglobalRedirect
can now have redirect codes other than 301 throughredirectCode
. -
services.openssh
now has an optionauthorizedKeysInHomedir
, controlling whether~/.ssh/authorizedKeys
is added toauthorizedKeysFiles
. ::: {.note} This option currently defaults totrue
for NixOS 24.05, preserving the previous behaviour. This is expected to change in NixOS 24.11. ::: ::: {.warning} Users should check that their SSH keys are inusers.users.*.openssh
, or that they have another way to access and administer the system, before setting this option tofalse
. ::: -
services.paperless
module no longer uses the previously downloaded NLTK data stored in/var/cache/paperless/nltk
. This directory can be removed. -
services.postgresql.extraPlugins
' type has expanded. Previously it was a list of packages, now it can also be a function that returns such a list. For example a config line likeservices.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];
is recommended to be changed toservices.postgresql.extraPlugins = ps: with ps; [ postgis ];
; -
services.slskd
has been refactored to include more configuation options in the free-formservices.slskd.settings
option, and some defaults (including listen ports) have been changed to match the upstream defaults. Additionally, disk logging is now disabled by default, and the log rotation timer has been removed. The nginx virtualhost option is now of thevhost-options
type. -
services.soju
now has a wrapper for thesojuctl
command, pointed at the service config file. It also has the new optionadminSocket.enable
, which creates a unix admin socket at/run/soju/admin
. -
services.stalwart-mail
uses the legacy version 0.6.X as default because newerstalwart-mail
versions require a manual upgrade process. Changeservices.stalwart-mail.package
topkgs.stalwart-mail
if you wish to switch to the new version. -
services.teeworlds
module now has a wealth of configuration options, including a newpackage
option. -
services.xserver.desktopManager.budgie
installsgnome.gnome-terminal
by default (instead ofmate.mate-terminal
). -
services.zfs.zed.enableMail
now uses the globalsendmail
wrapper defined by an email module (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support. -
sonarr
version bumped to from 3.0.10 to 4.0.3. Consequently existing config database files will be upgraded automatically, but note that some old apparently-working configs might actually be corrupt and fail to upgrade cleanly. -
stdenv
: The--replace
flag insubstitute
,substituteInPlace
,substituteAll
,substituteAllStream
, andsubstituteStream
is now deprecated if favor of the new--replace-fail
,--replace-warn
and--replace-quiet
. The deprecated--replace
equates to--replace-warn
. -
systemd
: when merging unit options (of typeunitOption
), if at least one definition is a list, all those which aren't are now lifted into a list, making it possible to accumulate definitions without resorting tomkForce
, hence to retain the definitions not anticipating that need. -
systemd
units can now specify theUpholds=
andUpheldBy=
unit dependencies via the aptly namedupholds
andupheldBy
options. These options get systemd to enforce that the dependencies remain continuosly running for as long as the dependent unit is in a running state. -
A stdenv's default set of hardening flags can now be set via its
bintools-wrapper
'sdefaultHardeningFlags
argument. A convenient stdenv adapter,withDefaultHardeningFlags
, can be used to override an existing stdenv'sdefaultHardeningFlags
. -
Programs written in Nim are built with libraries selected by lockfiles. The
nimPackages
andnim2Packages
sets have been removed. See https://nixos.org/manual/nixpkgs/unstable#nim for more information. -
The EC2 image module now enables the Amazon SSM Agent by default.
-
A new abstraction to create both read-only as well as writable overlay file systems was added. Available via fileSystems.overlay. See also the NixOS docs.
-
A new hardening flag,
zerocallusedregs
was made available, corresponding to the gcc/clang option-fzero-call-used-regs=used-gpr
. -
A new hardening flag,
trivialautovarinit
was made available, corresponding to the gcc/clang option-ftrivial-auto-var-init=pattern
. -
dnsdist
has new options to enable and configure a DNSCrypt endpoint (seeservices.dnsdist.dnscrypt.enable
, etc.). The module can generate the DNSCrypt provider key pair and certificates, and also rotates them automatically with no downtime. -
The kernel Yama LSM is now enabled by default, which prevents ptracing non-child processes. This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child). Or you can set
boot.kernel.sysctl."kernel.yama.ptrace_scope"
to 0. -
Lisp modules: previously deprecated interface based on
common-lisp.sh
has now been removed. -
The
systemd-confinement
module extension is now compatible withDynamicUser=true
and thusProtectSystem=strict
too.