Signed-off-by: phanirithvij <phanirithvij2000@gmail.com> Co-authored-by: Luflosi <luflosi@luflosi.de>
66 KiB
Release 24.11 (“Vicuña”, 2024.11/??)
Highlights
-
This will be the last release of Nixpkgs to support macOS Sierra 10.12 to macOS Catalina 10.15. Starting with release 25.05, the minimum supported version will be macOS Big Sur 11, and we cannot guarantee that packages will continue to work on older versions of macOS. Users on old macOS versions should consider upgrading to a supported version (potentially using OpenCore Legacy Patcher for old hardware) or installing NixOS. If neither of those options are viable and you require new versions of software, MacPorts supports back to Mac OS X Snow Leopard 10.6.
-
Nix was updated to 2.24, which brings a lot of improvements and fixes. See the release notes for 2.19, 2.20, 2.21, 2.22, 2.23, 2.24. Notable changes include improvements to Git fetching, documentation comment support in
nix-repl> :doc
, as well as many quality of life improvements. -
This will be the last release of Nixpkgs to support versions of CUDA prior to CUDA 12.0. These versions only work with old compiler versions that will be unsupported by the time of the Nixpkgs 25.05 release. In future, users should expect CUDA versions to be dropped as the compiler versions they require leave upstream support windows.
-
Convenience options for
amdgpu
, open source driver for Radeon cards, is now available underhardware.amdgpu
. -
AMDVLK, AMD's open source Vulkan driver, is now available to be configured as
hardware.amdgpu.amdvlk
option. This also allows configuring runtime settings of AMDVLK and enabling experimental features. -
The
moonlight-qt
package (Moonlight game streaming) now has HDR support on Linux systems. -
PostgreSQL now defaults to major version 16.
-
authelia
has been upgraded to version 4.38. This version brings several features and improvements which are detailed in the release blog post. This release also deprecates some configuration keys, which are likely to be removed in future version 5.0, but they are still supported and expected to be working in the current version. -
compressDrv
can compress selected files in a derivation.compressDrvWeb
compresses files for common web server usage (.gz
withzopfli
,.br
withbrotli
). -
hardware.display
is a new module implementing workarounds for misbehaving monitors through setting up custom EDID files and forcing kernel/framebuffer modes. -
A new display-manager
services.displayManager.ly
was added. It is a tui based replacement of sddm and lightdm for window manager users. Users can use it byservices.displayManager.ly.enable
and config it byservices.displayManager.ly.settings
to generate/etc/ly/config.ini
-
The default sound server for most graphical sessions has been switched from PulseAudio to PipeWire. Users that want to keep PulseAudio will want to set
services.pipewire.enable = false;
andhardware.pulseaudio.enable = true;
. There is currently no plan to fully deprecate and remove PulseAudio, however, PipeWire should generally be preferred for new installs. -
The Rust rewrite of the
switch-to-configuration
program is now used for system activation by default. If you experience any issues, please report them. The original Perl script is deprecated and is planned for removal in the 25.05 release. It will remain accessible until then by settingsystem.switch.enableNg
tofalse
. -
Built NixOS configurations now have a
$toplevel/bin/apply
script. Unlikeswitch-to-configuration
, it is capable of performing a completeswitch
operation. If you callswitch-to-configuration
directly, you are recommended to useapply
instead, and remove your call tonix-env --profile /nix/var/nix/profiles/system --set $toplevel
or similar. It will run the switch operation as a systemd unit if available, asnixos-rebuild switch
would.Benefits include:
- The
apply
script reduces the roundtrips required when performing a remote deployment withnixos-rebuild switch --target-host HOST
. - Developers and power users can now update NixOS in a single call.
- Alternative NixOS deployment methods have feature parity with
nixos-rebuild
, and NixOS can evolve all of its switching logic in one place.
- The
-
Support for mounting filesystems from block devices protected with dm-verity was added through the
boot.initrd.systemd.dmVerity
option. -
The Xen Project Hypervisor is once again available as a virtualisation option under
virtualisation.xen
.- This release includes Xen 4.19.0 and support for booting the hypervisor on EFI systems. ::: {.warning} Booting into the Xen Project Hypervisor through a legacy BIOS bootloader or with the legacy script-based Stage 1 initrd have been deprecated. Only EFI booting and the new systemd-based Stage 1 initrd are supported. :::
- The
qemu-xen-traditional
component has been deprecated by the upstream Xen Project, and is no longer included in the Xen build. - The OCaml-based Xen Store can now be configured using
virtualisation.xen.store.settings
. - The
virtualisation.xen.bridge
options have been deprecated in this release cycle. Users who need network bridges are encouraged to set up their own networking configurations.
-
A new option
systemd.enableStrictShellChecks
has been added. When enabled, all systemd scripts generated by NixOS will be checked with shellcheck and any errors or warnings will cause the build to fail. This affects all scripts that have been created through thescript
,reload
,preStart
,postStart
,preStop
andpostStop
options for systemd services. This does not affect commandlines passed directly toExecStart
,ExecReload
,ExecStartPre
,ExecStartPost
,ExecStop
orExecStopPost
. It therefore also does not affect systemd units that are coming from packages and that are not defined through the NixOS config. This option is disabled by default, and although some services have already been fixed, it is still likely that you will encounter build failures when enabling this. We encourage people to enable this option when they are willing and able to submit fixes for potential build failures to nixpkgs. The option can also be enabled or disabled for individual services using theenableStrictShellChecks
option on the service itself, which will take precedence over the global setting.
New Modules
-
Cyrus IMAP, an email, contacts and calendar server. Available as services.cyrus-imap service.
-
TaskChampion Sync-Server, a Taskwarrior 3 sync server, replacing Taskwarrior 2's sync server named
taskserver
. -
FlareSolverr, proxy server to bypass Cloudflare protection. Available as services.flaresolverr service.
-
Gancio, a shared agenda for local communities. Available as services.gancio.
-
Goatcounter, Easy web analytics. No tracking of personal data. Available as services.goatcounter.
-
Privatebin, A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Available as services.privatebin
-
UWSM, a wayland session manager to wrap Wayland Compositors into useful systemd units such as
graphical-session.target
. Available as programs.uwsm. -
Open-WebUI, a user-friendly WebUI for LLMs. Available as services.open-webui service.
-
Quickwit, sub-second search & analytics engine on cloud storage. Available as services.quickwit.
-
Userborn, a service for declarative user management. This can be used instead of the
update-users-groups.pl
Perl script and instead of systemd-sysusers. To achieve a system without Perl, this is the now recommended tool over systemd-sysusers because it can also create normal users and change passwords. Available as services.userborn -
Hatsu, a self-hosted bridge that interacts with Fediverse on behalf of your static site. Available as services.hatsu.
-
Flood, a beautiful WebUI for various torrent clients. Available as services.flood.
-
Niri, a scrollable-tiling Wayland compositor. Available as programs.niri.
-
Firefly-iii Data Importer, a data importer for Firefly-III. Available as services.firefly-iii-data-importer
-
[QGroundControl], a ground station support and configuration manager for the PX4 and APM Flight Stacks. Available as programs.qgroundcontrol.
-
Eintopf, community event and calendar web application. Available as services.eintopf.
-
Radicle, an open source, peer-to-peer code collaboration stack built on Git. Available as services.radicle.
-
ddns-updater, a service to update DNS records periodically with WebUI for many DNS providers. Available as services.ddns-updater.
-
Immersed, a closed-source coworking platform. Available as programs.immersed.
-
HomeBox: the inventory and organization system built for the Home User. Available as services.homebox.
-
matrix-hookshot, a Matrix bot for connecting to external services. Available as services.matrix-hookshot.
-
Renovate, a dependency updating tool for various git forges and language ecosystems. Available as services.renovate.
-
Music Assistant, a music library manager for your offline and online music sources which can easily stream your favourite music to a wide range of supported players. Available as services.music-assistant.
-
zeronsd, a DNS server for ZeroTier users. Available with services.zeronsd.servedNetworks.
-
Collabora Online, a collaborative online office suite based on LibreOffice technology. Available as services.collabora-online.
-
wg-access-server, an all-in-one WireGuard VPN solution with a web ui for connecting devices. Available at services.wg-access-server.
-
Pingvin Share, a self-hosted file sharing platform and an alternative for WeTransfer. Available as services.pingvin-share.
-
Envision, a UI for building, configuring and running Monado, the open source OpenXR runtime. Available as programs.envision.
-
Localsend, an open source cross-platform alternative to AirDrop. Available as programs.localsend.
-
Gatus, an automated developer-oriented status page. Available as services.gatus.
-
cryptpad, a privacy-oriented collaborative platform (docs/drive/etc), has been added back. Available as services.cryptpad.
-
realm, a simple, high performance relay server written in rust. Available as services.realm.enable.
-
Gotenberg, an API server for converting files to PDFs that can be used alongside Paperless-ngx. Available as services.gotenberg.
-
Suricata, a free and open source, mature, fast and robust network threat detection engine. Available as services.suricata.
-
Playerctld, a daemon to track media player activity. Available as services.playerctld.
-
MenhirLib A support library for verified Coq parsers produced by Menhir.
-
Glance, a self-hosted dashboard that puts all your feeds in one place. Available as services.glance.
-
Apache Tika, a toolkit that detects and extracts metadata and text from over a thousand different file types. Available as services.tika.
-
Misskey, an interplanetary microblogging platform. Available as services.misskey.
-
Improved File Manager, or IFM, a single-file web-based file manager. Available as services.ifm
-
OpenGFW, an implementation of the Great Firewall on Linux. Available as services.opengfw.
-
Rathole, a lightweight and high-performance reverse proxy for NAT traversal. Available as services.rathole.
-
Proton Mail bridge, a desktop application that runs in the background, encrypting and decrypting messages as they enter and leave your computer. It lets you add your Proton Mail account to your favorite email client via IMAP/SMTP by creating a local email server on your computer.
-
chromadb, an open-source AI application database. Batteries included. Available as services.chromadb.
-
bitmagnet, A self-hosted BitTorrent indexer, DHT crawler, content classifier and torrent search engine with web UI, GraphQL API and Servarr stack integration. Available as services.bitmagnet.
-
Wakapi, a time tracking software for programmers. Available as services.wakapi.
-
foot, a fast, lightweight and minimalistic Wayland terminal emulator. Available as programs.foot.
-
ToDesk, a remote desktop applicaton. Available as services.todesk.enable.
-
Dependency Track, an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Available as services.dependency-track.
-
Immich, a self-hosted photo and video backup solution. Available as services.immich.
-
saunafs Distributed POSIX file system. Available as services.saunafs.
-
obs-studio, Free and open source software for video recording and live streaming. Available as programs.obs-studio.enable.
-
Veilid, a headless server that enables privacy-focused data sharing and messaging on a peer-to-peer network. Available as services.veilid.
-
Fedimint, a module based system for building federated applications (Federated E-Cash Mint). Available as services.fedimintd.
-
Zapret, a DPI bypass tool. Available as services.zapret.
-
tiny-dfr, a dynamic function row daemon for the Touch Bar found on some Apple laptops. Available as hardware.apple.touchBar.enable.
-
Swapspace, a dynamic swap space manager, turns your unused free space into swap automatically. Available as services.swapspace.
Backward Incompatibilities
-
The
sound
options have been removed or renamed, as they had a lot of unintended side effects. See below for details. -
The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set
hardware.nvidia.open
to select the proprietary or open driver. -
The
(buildPythonPackage { ... }).override
attribute is now deprecated and removed in favour ofoverridePythonAttrs
. This change does not affect the override interface of most Python packages, as<pkg>.override
provided bycallPackage
shadows such a locally-definedoverride
attribute. -
All Cinnamon and XApp packages have been moved to top-level (i.e.,
cinnamon.nemo
is nownemo
). -
All GNOME packages have been moved to top-level (i.e.,
gnome.nautilus
is nownautilus
). -
transmission
package has been aliased with atrace
warning totransmission_3
. Since Transmission 4 has been released last year, and Transmission 3 will eventually go away, it was decided perform this warning alias to make people aware of the new version. Theservices.transmission.package
defaults totransmission_3
as well because the upgrade can cause data loss in certain specific usage patterns (examples: #5153, #6796). Please make sure to back up to your data directory per your usage:transmission-gtk
:~/.config/transmission
transmission-daemon
using NixOS module:${config.services.transmission.home}/.config/transmission-daemon
(defaults to/var/lib/transmission/.config/transmission-daemon
)
-
The default
mongodb
version has been updated from 5.0 to 7.0. For more information, see the compatibility changes for MongoDB 6.0 and 7.0. -
unifi
has been updated to UniFi 8.unifi7
was removed as it is vulnerable to CVE-2024-42025 and required a version of MongoDB that has reached end of life. -
androidenv.androidPkgs_9_0
has been removed, and replaced withandroidenv.androidPkgs
for a more complete Android SDK including support for Android 9 and later. -
grafana
has been updated to version 11.1. This version doesn't support settinghttp_addr
to a hostname anymore, an IP address is expected. -
deno
has been updated to v2 which has breaking changes. Upstream will be abandoning v1 soon but for now you can usedeno_1
if you are yet to migrate (will be removed prior to cutting a final 24.11 release). -
gogs
has been removed. Upstream development has stalled and it has several critical vulnerabilities that weren't addressed within a year. Consider migrating toforgejo
orgitea
. -
knot-dns
has been updated to version 3.4.x. Check the migration guide for breaking changes. -
services.kubernetes.kubelet.clusterDns
now accepts a list of DNS resolvers rather than a single string, bringing the module more in line with the upstream Kubelet configuration schema. -
bluemap
has changed the format used to store map tiles, and the database layout has been heavily modified. Upstream recommends a clean reinstallation: https://github.com/BlueMap-Minecraft/BlueMap/releases/tag/v5.2. Unless you are using an SQL storage backend, this should only entail deleting the contents ofconfig.services.bluemap.coreSettings.data
(defaults to/var/lib/bluemap
) andconfig.services.bluemap.webRoot
(defaults to/var/lib/bluemap/web
). -
wstunnel
has had a major version upgrade that entailed rewriting the program in Rust. The module was updated to accommodate for breaking changes. Breaking changes to the module API were minimised as much as possible, but some were nonetheless inevitable due to changes in the upstream CLI. Certain options were moved from separate CLI arguments into the forward specifications, and those options were also removed from the module's API, please consult the wstunnel man page for more detail. Also be aware that if you have set additional options inservices.wstunnel.{clients,servers}.<name>.extraArgs
, that those might have been removed or modified upstream. -
percona-server_8_4
andmysql84
now have password authentication via the deprecatedmysql_native_password
disabled by default. This authentication plugin can be enabled via a CLI argument again, for detailed instructions and alternative authentication methods see upstream documentation. The config file directivedefault_authentication_plugin
has been removed. -
Percona has decided not to follow the LTS/ Innovation release scheme of upstream MySQL and thus will only create releases for MySQL LTS versions. Hence, the package names
percona-server_lts
,percona-server_innovation
,percona-xtrabackup_lts
andpercona-xtrabackup_innovation
are deprecated.percona-server
andpercona-server_lts
now point towards the new LTS releasepercona-server_8_4
. The previous LTS continues to be supported and is available aspercona-server_8_0
. The same is true for the supportingpercona-xtrabackup
tooling.
-
clang-tools_<version>
packages have been moved intollvmPackages_<version>
(i.e.clang-tools_18
is nowllvmPackages_18.clang-tools
).- For convenience, the top-level
clang-tools
attribute remains and is now bound tollvmPackages.clang-tools
. - Top-level
clang_tools_<version>
attributes are now aliases; these will be removed in a future release.
- For convenience, the top-level
-
buildbot
was updated to 4.0, the AngularJS frontend has been replaced by a React frontend, see the upstream release notes. -
headscale
has been updated to version 0.23.0 which reworked large parts of the configuration including DNS, Magic DNS prefixes and ACL policy files. See the upstream changelog for details. -
nginx
package no longer includesgd
andgeoip
dependencies. For enabling it, overridenginx
package with the optionalswithImageFilter
andwithGeoIP
. -
systemd.enableUnifiedCgroupHierarchy
option has been removed. In systemd 256 support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now considered obsolete and systemd by default will refuse to boot under it. To forcibly reenable cgroup v1 support, you canset boot.kernelParams = [ "systemd.unified_cgroup_hierachy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ]
. NixOS does not officially support this configuration and might cause your system to be unbootable in future versions. You are on your own. -
nrfutil
which previously pointed to the now-deprecatedpc-nrfutil
python package, has been repackaged under the same name with the new nrfutil tool. -
openssh
andopenssh_hpn
are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can use the newopensshWithKerberos
andopenssh_hpnWithKerberos
flavors (e.g.programs.ssh.package = pkgs.openssh_gssapi
). -
security.ipa.ipaHostname
now defaults to the value ofnetworking.fqdn
if it is set, instead of the previous hardcoded default of${networking.hostName}.${security.ipa.domain}
. -
The
MSMTP_QUEUE
andMSMTP_LOG
environment variables accepted bymsmtpq
have now been renamed toMSMTPQ_Q
andMSMTPQ_LOG
respectively. -
The logrotate service has received hardening and now requires enabling
allowNetworking
, if logrotate needs to access the network. -
mautrix-whatsapp
has been updated to version 0.11.0, which is a major rewrite of the bridge. Config file changes are required. -
qBittorrent has been updated to major version 5, which drops support for Qt 5. The
qbittorrent-qt5
package has been removed. -
The fcgiwrap module now allows multiple instances running as distinct users. The option
services.fgciwrap
now takes an attribute set of the configuration of each individual instance. This requires migrating any previous configuration keys fromservices.fcgiwrap.*
toservices.fcgiwrap.instances.some-instance.*
. The ownership and mode of the UNIX sockets created by this service are now configurable and private by default. Processes also now run as a dynamically allocated user by default instead of root. -
The
mautrix-signal
module was adapted to incorporate the configuration rearrangement that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work. In case you want to update your configuration make sure to check the NixOS manual. -
The dhcpcd service (
networking.useDHCP
) has been hardened and now runs exclusively as the "dhcpcd" user. Users that were relying on the root privileges innetworking.dhcpcd.runHook
will have to write specific sudo or polkit rules to allow dhcpcd to perform privileged actions.As part of these changes, the DHCP lease files directory has also been moved from
/var/db/dhcpcd
to/var/lib/dhcpcd
. This migration is performed automatically, but users may have to update their backup configuration. -
singularity-tools
have thestoreDir
argument removed from its override interface and usebuiltins.storeDir
instead. -
Two build helpers in
singularity-tools
, i.e.,mkLayer
andshellScript
, are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases. -
The
rust.toTargetArch
,rust.toTargetOs
,rust.toTargetFamily
,rust.toTargetVendor
,rust.toRustTarget
,rust.toRustTargetSpec
,rust.toRustTargetSpecShort
, andrust.IsNoStdTarget
functions are deprecated in favour of therust.platform.arch
,rust.platform.os
,rust.platform.target-family
,rust.platform.vendor
,rust.rustcTarget
,rust.rustcTargetSpec
,rust.cargoShortTarget
,rust.cargoEnvVarTarget
, andrust.isNoStdTarget
platform attributes respectively. -
The
budgie
andbudgiePlugins
scope have been removed and their packages moved into the top level scope (i.e.,budgie.budgie-desktop
is nowbudgie-desktop
) -
The method to safely handle secrets in the
networking.wireless
module has been changed to benefit from a new feature of wpa_supplicant. The syntax to refer to secrets has changed slightly and the optionnetworking.wireless.environmentFile
has been replaced bynetworking.wireless.secretsFile
; see the description of the latter for how to upgrade. -
NetBox was updated to
>= 4.1.0
. Have a look at the breaking changes of the 4.0 release and the 4.1 release, make the required changes to your database, if needed, then upgrade by settingservices.netbox.package = pkgs.netbox_4_1;
in your configuration. -
services.cgit
now runs as the cgit user by default instead of root. This change requires granting access to the repositories to this user or setting the appropriate one throughservices.cgit.some-instance.user
. -
nvimpager
was updated to version 0.13.0, which changes the order of user and nvimpager settings: user commands in-c
and--cmd
now override the respective default settings because they are executed later. -
Kubernetes
featureGates
have changed from alistOf str
toattrsOf bool
. This refactor makes it possible to also disable feature gates, without having to useextraOpts
flags.A previous configuration may have looked like this:
featureGates = [ "EphemeralContainers" ]; extraOpts = pkgs.lib.concatStringsSep " " ( [ ''--feature-gates="CSIMigration=false"'' });
Using an AttrSet instead, the new configuration would be:
featureGates = {EphemeralContainers = true; CSIMigration=false;};
-
pkgs.nextcloud27
has been removed since it's EOL. -
The
environment.noXlibs
option has been removed. It was a common source of unexpected rebuilds and breakage that was often hard to diagnose. If you need to disable certain libraries, you're encouraged to add your own overlay to your configuration that targets the packages you care about. -
frigate
was updated past 0.14.0. This release includes various breaking changes, so please go read the release notes. Most prominently access to the webinterface and API are now protected by authentication. Retrieve the auto-created admin account from thefrigate.service
journal after upgrading. -
nodePackages.coc-python
was dropped, as its upstream is unmaintained. The associatedvimPlugins.coc-python
was also dropped. The upstream project recommends usingcoc-pyright
orcoc-jedi
as replacements. -
forgejo
has been upgraded from version 7.0 to version 9.0, see the release notes for 8.0 and 9.0. -
services.forgejo.mailerPasswordFile
has been deprecated by the drop-in replacementservices.forgejo.secrets.mailer.PASSWD
, which is part of the new free-formservices.forgejo.secrets
option.services.forgejo.secrets
is a small wrapper over systemd'sLoadCredential=
. It has the same structure (sections/keys) asservices.forgejo.settings
but takes file paths that will be read before service startup instead of some plaintext value.services.forgejo.package
now defaults toforgejo-lts
, the Long Term Support version of Forgejo. -
forgejo
andforgejo-lts
no longer support the opt-in feature PAM (Pluggable Authentication Module). -
gitea
no longer supports the opt-in feature PAM (Pluggable Authentication Module). -
services.ddclient.use
has been deprecated:ddclient
now supports separate IPv4 and IPv6 configuration. Useservices.ddclient.usev4
andservices.ddclient.usev6
instead. -
services.pgbouncer
systemd service is configured withType=notify-reload
and allows reloading configuration without process restart. PgBouncer configuration options were moved to the free-form type option namedservices.pgbouncer.settings
according to the NixOS RFC 0042. -
nodePackages.coc-metals
was removed due to being deprecated upstream.vimPlugins.nvim-metals
is its official replacement. -
matrix-sliding-sync
was removed because it has been replaced by the simplified sliding sync functionality introduced in matrix-synapse 114.0. -
nodePackages.coc-tslint
,vimPlugins.coc-tslint
,nodePackages.coc-tslint-plugin
, andvimPlugins.coc-tslint-plugin
were removed due to being deprecated upstream. ThenodePackages.coc-eslint
andvimPlugins.coc-eslint
packages offer comparable features foreslint
, which replacedtslint
. -
Tcl packages have been moved into the
tclPackages
scope. -
teleport
has been upgraded from major version 15 to major version 16. Refer to upstream upgrade instructions and release notes for v16. -
tests.overriding
has itspassthru.tests
restructured as an attribute set instead of a list, making individual tests accessible by their names. -
Package
skk-dict
was split into multiple packages underskkDictionaries
. If in doubt, tryskkDictionaries.l
. As part of this change, the dictionaries were moved from$out/share
to$out/share/skk
. Also, the dictionaries won't be converted to UTF-8 unless theuseUtf8
package option is enabled. UTF-8 converted dictionaries will have the .utf8 suffix appended to its filename. -
vaultwarden
lost the capability to bind to privileged ports. If you rely on this behavior, override the systemd unit to allowCAP_NET_BIND_SERVICE
in your local configuration. -
The Invoiceplane module now only accepts the structured
settings
option.extraConfig
is now removed. -
The
ollama
services replaces itssandbox
toggle with options to configure a staticuser
andgroup
. ThewritablePaths
option has been removed and the models directory is now always exempt from sandboxing. -
The
gns3-server
service now runs under thegns3
system user instead of a dynamically created one viaDynamicUser
. The use of SUID wrappers is incompatible with SystemD'sDynamicUser
setting, and GNS3 requires calling ubridge through its SUID wrapper to function properly. This change requires to manually move the following directories:- from
/var/lib/private/gns3
to/var/lib/gns3
- from
/var/log/private/gns3
to/var/log/gns3
and to change the ownership of these directories and their contents togns3
(including/etc/gns3
).
- from
-
Legacy package
stalwart-mail_0_6
was dropped, please note the manual upgrade process before changing the package topkgs.stalwart-mail
inservices.stalwart-mail.package
. -
The
nomad_1_5
package was dropped, as it has reached end-of-life upstream. Evaluating it will throw an error. -
androidndkPkgs
has been updated toandroidndkPkgs_26
. -
Android NDK version 26 and SDK version 33 are now the default versions used for cross compilation to android.
-
the
ankisyncd
package and itsservices.ankisyncd
have been removed, useservices.anki-sync-server
instead. -
nodePackages.vscode-css-languageserver-bin
,nodePackages.vscode-html-languageserver-bin
, andnodePackages.vscode-json-languageserver-bin
were dropped due to an unmaintained upstream. Thevscode-langservers-extracted
package is a maintained drop-in replacement. -
nodePackages.prisma
has been replaced byprisma
. -
fetchNextcloudApp
has been rewritten to usefetchurl
rather thanfetchzip
. This invalidates all existing hashes but you can restore the old behavior by passing itunpack = true
. -
haskell.lib.compose.justStaticExecutables
now disallows references to GHC in the output by default, to alert users to closure size issues caused by #164630. See "Packaging Helpers" in the Haskell section of the Nixpkgs manual for information on working aroundoutput '...' is not allowed to refer to the following paths
errors caused by this change. -
The
stalwart-mail
service now runs under thestalwart-mail
system user instead of a dynamically created one viaDynamicUser
, to avoid automatic ownership changes on its large file store each time the service was started. This change requires to manually move the state directory from/var/lib/private/stalwart-mail
to/var/lib/stalwart-mail
and to change the ownership of the directory and its content tostalwart-mail
. -
The
stalwart-mail
module now uses RocksDB as the default storage backend forstateVersion
≥ 24.11. (It was previously using SQLite for structured data and the filesystem for blobs). -
The
stargazer
service has been hardened to improve security, but these changes make break certain setups, particularly around traditional CGI.- The
stargazer.allowCgiUser
option has been added, enabling Stargazer'scgi-user
option to work, which was previously broken.
- The
-
The
shiori
service now requires an HTTP secret valueSHIORI_HTTP_SECRET_KEY
to be provided via environment variable. The nixos module therefore, now provides an environmentFile option:# This is how a environment file can be generated: # $ printf "SHIORI_HTTP_SECRET_KEY=%s\n" "$(openssl rand -hex 16)" > /path/to/env-file services.shiori.environmentFile = "/path/to/env-file";
-
/share/nano
is now only linked whenprograms.nano.enable
is enabled. -
PPD files for Utax printers got renamed (spaces replaced by underscores) in newest
foomatic-db
package; users of Utax printers might need to adapt theirhardware.printers.ensurePrinters.*.model
value. -
The
kvdo
kernel module package was removed, because it was upstreamed in kernel version 6.9, where it is calleddm-vdo
. -
libe57format
has been updated to>= 3.0.0
, which contains some backward-incompatible API changes. See the release note for more details. -
gitlab
deprecated support for runner registration tokens in GitLab 16.0, disabled their support in GitLab 17.0 and will ultimately remove it in GitLab 18.0, as outlined in the documentation. After upgrading to GitLab >= 17.0, it is possible to re-enable support for registration tokens in the UI until GitLab 18.0. Refer to the manual on using registration tokens after GitLab 17.0. GitLab administrators should migrate to the new runner registration workflow with runner authentication tokens until the release of GitLab 18.0. -
gitlab
has been updated from 16.x to 17.x and requires at leastpostgresql
14.9, as stated in the documentation. Check the upgrade guide in the NixOS manual on how to upgrade your PostgreSQL installation. -
gitaly
(part ofgitlab
) is now using the bundledgit
package instead ofpkgs.git
to maintain compatibility with GitLab. -
nixos/gitlab
no longer addspkgs.git
toenvironment.systemPackages
by default. -
The
replay-sorcery
package and module was removed as it unmaintained upstream. Consider usinggpu-screen-recorder
orobs-studio
instead. -
To follow RFC 0042 a few options of
samba
have been moved fromextraConfig
andconfigText
to the new freeform optionsettings
and renamed, e.g.:services.samba.invalidUsers
toservices.samba.settings.global."invalid users"
services.samba.securityType
toservices.samba.settings.global."security type"
services.samba.shares
toservices.samba.settings
services.samba.enableWinbindd
toservices.samba.winbindd.enable
services.samba.enableNmbd
toservices.samba.nmbd.enable
-
zx
was updated to v8, which introduces several breaking changes. See the v8 changelog for more information. -
feishin
removed support for Navidrome< v0.53.2
due to an API change; more information in the v0.10.0 release notes. -
The
dnscrypt-wrapper
module was removed since the project has been effectively unmaintained since 2018; moreover the NixOS module had to rely on an abandoned version of dnscrypt-proxy v1 for the rotation of keys. To wrap a resolver with DNSCrypt you can instead usednsdist
. See optionsservices.dnsdist.dnscrypt.*
-
The
portunus
package and service do not support weak password hashes anymore. If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing. Then, follow the instructions on the upstream release notes to upgrade all existing user accounts to strong password hashes. If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration:services.portunus.package = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; }; services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
-
The default value of
services.kubernetes.kubelet.hostname
is now lowercased. Explicitly setkubelet.hostname
tonetworking.fqdnOrHostName
to get back the old default behavior. -
Docker now defaults to 27.x, because version 24.x stopped receiving security updates and bug fixes after February 1, 2024.
-
postgresql
was split into default and -dev outputs. To make this work without circular dependencies, the output of thepg_config
system view has been removed. Thepg_config
binary is provided in the -dev output and still works as expected. -
keycloak
was updated to version 25, which introduces new hostname related options. See Upgrading Guide for instructions. -
programs.vim.defaultEditor
now only works ifprograms.vim.enable
is enabled. -
services.mautrix-meta
was updated to 0.4. This release makes significant changes to the settings format. If you have custom settings you should migrate them to the new format. Unfortunately upstream provides little guidance for how to do this, but the auto-migration code may serve as a useful reference. The NixOS module should warn you if you still have any old settings configured. -
The
nodePackages.shout
package has been removed because it was deprecated upstream in favor ofthelounge
. Theshout
top-level attribute was an alias to this package. The associatedservices.shout
module has also been removed. -
The
indi-full
package no longer contains non-free drivers. To get the old collection of drivers useindi-full-nonfree
or create your own collection of drivers by overriding indi-with-drivers. E.g.:pkgs.indi-with-drivers.override {extraDrivers = with pkgs.indi-3rdparty; [indi-gphoto];}
-
/share/vim-plugins
now only gets linked ifprograms.vim.enable
is enabled -
The
tracy
package no longer works on X11, since it's moved to Wayland support, which is the intended default behavior by Tracy maintainers. X11 users have to switch to the new packagetracy-x11
. -
The
services.prometheus.exporters.minio
option has been removed, as it's upstream implementation was broken and unmaintained. Minio now has built-in Prometheus metrics exposure, which can be used instead. -
The
services.patroni.raft
option has been removed, as Raft has been deprecated by upstream since 3.0.0 -
services.roundcube.maxAttachmentSize
will multiply the value set with1.37
to offset overhead introduced by the base64 encoding applied to attachments. -
The
services.mxisd
module has been removed as both mxisd and ma1sd are not maintained any longer. Consequently the packagepkgs.ma1sd
has also been removed. -
The
rss-bridge
service drops the support to load a configuration file from${config.services.rss-bridge.dataDir}/config.ini.php
. Consider using theservices.rss-bridge.config
option instead. -
The
xdg.portal.gtkUsePortal
option has been removed, as it had been deprecated for over 2 years. Using theGTK_USE_PORTAL
environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually viaenvironment.sessionVariables
. -
Support for the legacy CUPS browsing and LDAP have been removed from
services.printing
. Ifcups
orldap
are in theBrowseRemoteProtocols
setting inservices.printing.browsedConf
, it needs to be removed. -
The
services.trust-dns
module has been renamed toservices.hickory-dns
. -
The option
services.prometheus.exporters.pgbouncer.connectionStringFile
has been removed since it leaked the connection string (and thus potentially the DB password) into the cmdline of process making it effectively world-readable.Use
services.prometheus.exporters.pgbouncer.connectionEnvFile
instead. -
The
lsh
package and theservices.lshd
module have been removed as they had no maintainer in Nixpkgs and hadn’t seen an upstream release in over a decade. It is recommended to migrate toopenssh
andservices.openssh
. -
ceph
has been upgraded to v19. See the Ceph "squid" release notes for details and recommended upgrade procedure. -
services.frr
has been refactored to use upstream service scripts. The per-daemon configurations have been removed in favour of anintegrated-vtysh-config
style config. The daemon submodules now use the daemon name (e.g.ospfd
) instead of the protocol name (ospf
). The daemonszebra
,mgmtd
andstaticd
are always enabled if a config is present. ThevtyListenAddress
andvtyListenPort
options have been removed; useoptions
orextraOptions
instead, respectively. -
opencv2
andopencv3
have been removed, as they are obsolete and were not used by any other package. External users are encouraged to migrate to OpenCV 4. -
The
tvheadend
package and theservices.tvheadend
module have been removed as nobody was willing to maintain them and they were stuck on an unmaintained version that required FFmpeg 4; please see pull request #332259 if you are interested in maintaining a newer version. -
The
antennas
package and theservices.antennas
module have been removed as they only work withtvheadend
(see above). -
The
system.build.brightboxImage
image has been removed as It did not build anymore and has not seen any maintenance in over 7 years (excluding tree-wide changes). -
The
services.syncplay
module now exposes all currently available command-line arguments forsyncplay-server
as options, as well as auseACMEHost
option for easy TLS setup. The systemd service now usesDynamicUser
/StateDirectory
and theuser
andgroup
options have been deprecated. -
The
openlens
package got removed, suggested replacementlens-desktop
-
The
services.dnsmasq.extraConfig
option has been removed, as it had been deprecated for over 2 years. This option has been replaced byservices.dnsmasq.settings
. -
The NixOS installation media no longer support the ReiserFS or JFS file systems by default.
-
Minimal installer ISOs are no longer built on the small channel. Please obtain installer images from the full release channels.
-
The default FFmpeg version is now 7, and FFmpeg 5 has been removed. Please prefer using the package variants without a version suffix, or pin FFmpeg 6 or 4 if necessary for compatibility. Note that we keep old versions around only as required to support packages in the tree, and FFmpeg 4 especially should be avoided in favour of newer versions as it may be removed soon.
-
openssl
now defaults to the latest version line3.3.x
, instead of3.0.x
before. While there should be no major code incompatibilities, newer OpenSSL versions typically strengthen the default security level. This means that you may have to explicitly allow weak ciphers, hashes and key lengths if necessary. See: OpenSSL security level documentation. -
The
isync
package has been updated to version1.5.0
, which introduces some breaking changes. See the compatibility concerns for more details. -
Legacy package
globalprotect-openconnect
1.x and related moduleglobalprotect-vpn
were dropped. Two new packagesgpauth
andgpclient
from the 2.x version of the GlobalProtect-openconnect project are added in its place. The GUI components related to the project are non-free and not packaged. -
Compatible string matching for
hardware.deviceTree.overlays
has been changed to a more correct behavior. See below for details. -
The
rustic
package was upgrade to0.9.0
, which contains breaking changes to the config file format. -
pkgs.formats.ini
andpkgs.formats.iniWithGlobalSection
withlistsAsDuplicateKeys
orlistToValue
no longer merge non-list values into lists by default. Backwards-compatible behavior can be enabled withatomsCoercedToLists
. -
python3Packages.nose
has been removed, as it has been deprecated and unmaintained for almost a decade and does not work on Python 3.12. Please switch topytest
or another test runner/framework.
Other Notable Changes
-
The
zerocallusedregs
hardening flag is enabled by default on compilers that support it. -
The
stackclashprotection
hardening flag has been added, though disabled by default. -
The
pacret
hardening flag has been added, though disabled by default. -
cargoSha256
inrustPlatform.buildRustPackage
has been deprecated in favor ofcargoHash
which supports SRI hashes. See buildRustPackage: Compiling Rust applications with Cargo for more information. -
The
vendorHash
of Go packages built withbuildGoModule
can now be overridden withoverrideAttrs
.goModules
,modRoot
,vendorHash
,deleteVendor
, andproxyVendor
are now passed as derivation attributes.goModules
andvendorHash
are no longer placed underpassthru
. -
buildFlags
/buildFlagsArray
onbuildGoModule
have been deprecated. 24.11 is the last release wherebuildGoModule
accepts these flags (while throwing a warning). Use theldflags
and/ortags
attributes or the environment instead. -
buildGoPackage
has been deprecated. 24.11 is the last release withbuildGoPackage
available. -
hareHook
has been added as the language framework for Hare. From now on, it, not thehare
package, should be added tonativeBuildInputs
when building Hare programs. -
lib.options.mkPackageOptionMD
is now obsolete; use the identicallib.options.mkPackageOption
instead. -
lib.misc.mapAttrsFlatten
is now formally deprecated and will be removed in future releases; use the identicallib.attrsets.mapAttrsToList
instead. -
Tailscale's
authKeyFile
can now have its corresponding parameters set throughconfig.services.tailscale.authKeyParameters
, allowing for non-ephemeral unsupervised deployment and more. See Registering new nodes using OAuth credentials for the supported options. -
nixosTests
now provide a working IPv6 setup for VLAN 1 by default. -
Kanidm can now be provisioned using the new [
services.kanidm.provision
] option, but requires using a patched version available viapkgs.kanidm.withSecretProvisioning
. -
Kanidm previously had an incorrect systemd service type, causing dependent units with an
after
andrequires
directive to start beforekanidm*
finished startup. The module has now been updated in line with upstream recommendations. -
The kubelet configuration file can now be amended with arbitrary additional content using the
services.kubernetes.kubelet.extraConfig
option. -
The
services.seafile
module was updated to major version 11.- As part of this upgrade, the database backend will be migrated to MySQL. This process should be automatic, but in case of a botched migration, old sqlite files are not removed and can be used to manually migrate the database.
- Additionally, the updated CSRF protection may prevent some users from logging in.
Specific origin addresses can be whitelisted using the
services.seafile.seahubExtraConf
option (e.g.services.seafile.seahubExtraConf = ''CSRF_TRUSTED_ORIGINS = ["https://example.com"]'';
). Note that first solution of the official FAQ answer is not allowed by theservices.nginx
module's config-checker.
-
The latest available version of Nextcloud is v30 (available as
pkgs.nextcloud30
). The installation logic is as follows:- If
services.nextcloud.package
is specified explicitly, this package will be installed (recommended) - If
system.stateVersion
is >=24.05,pkgs.nextcloud29
will be installed by default. - If
system.stateVersion
is >=24.11,pkgs.nextcloud30
will be installed by default. - Please note that an upgrade from v28 (or older) to v30 directly is not possible. Please upgrade to
nextcloud29
(or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaringservices.nextcloud.package = pkgs.nextcloud29;
.
- If
-
To facilitate dependency injection, the
imgui
package now builds a static archive using vcpkg' CMake rules. The derivation now installs "impl" headers selectively instead of by a wildcard. Useimgui.src
if you just want to access the unpacked sources. -
The new
boot.loader.systemd-boot.windows
option makes setting up dual-booting with Windows on a different drive easier -
Linux 4.19 has been removed because it will reach its end of life within the lifespan of 24.11
-
Unprivileged access to the kernel syslog via
dmesg
is now restricted by default. Users wanting to keep an unrestricted access to it can setboot.kernel.sysctl."kernel.dmesg_restrict" = false
. -
The
i18n.inputMethod
module introduces two new properties:enable
andtype
, for declaring whether to enable an alternative input method and defining which input method respectfully. The options available intype
are the same as the existingenabled
option.enabled
is now deprecated, and will be removed in a future release. -
security.pam.u2f
now follows RFC42. All module options are now settable through the freeform.settings
. -
Mikutter was removed because the package was broken and had no maintainers.
-
The new option
services.getty.autologinOnce
was added to limit the automatic login to once per boot and on the first tty only. When using full disk encryption, this option allows to unlock the system without retyping the passphrase while keeping the other ttys protected. -
Gollum was upgraded to major version 6. Read their migration notes.
-
The hooks
yarnConfigHook
andyarnBuildHook
were added. These should replaceyarn2nix.mkYarnPackage
and otheryarn2nix
related tools. The motivation to get rid ofyarn2nix
tools is the fact that they are too complex and hard to maintain, and they rely upon too much Nix evaluation which is problematic if import-from-derivation is not allowed (see more details at #296856. The transition frommkYarnPackage
toyarn{Config,Build}Hook
is tracked at #324246. -
services.timesyncd.servers
now defaults tonull
, allowing systemd-timesyncd to use NTP servers advertised by DHCP. -
services.timesyncd.fallbackServers
was added and defaults tonetworking.timeServers
. -
Cinnamon has been updated to 6.2, please check upstream announcement for more details. Following Mint 22 defaults, the Cinnamon module no longer ships geary and hexchat by default.
-
zfs.latestCompatibleLinuxPackages
is deprecated and is now pointing at the default kernel. If using the stable LTS kernel (defaultlinuxPackages
is not possible then you must explicitly pin a specific kernel release. For example,boot.kernelPackages = pkgs.linuxPackages_6_6
. Please be aware that non-LTS kernels are likely to go EOL before ZFS supports the latest supported non-LTS release, requiring manual intervention. -
The
shadowstack
hardening flag has been added, though disabled by default. -
xxd
is now provided by thetinyxxd
package, rather thanvim.xxd
, to reduce closure size and vulnerability impact. Since it has the same options and semantics as Vim'sxxd
utility, there is no user impact. Vim'sxxd
remains available as thevim.xxd
package. -
prometheus-openldap-exporter
was removed since it was unmaintained upstream and had no nixpkgs maintainers. -
restic
module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available asservices.restic.backups.<name>.inhibitsSleep
. -
Mattermost has been updated from 9.5 to 9.11 ESR. See the changelog for more details.
-
cargo-tauri.hook
was introduced to help users build Tauri projects. It is meant to be used alongsiderustPlatform.buildRustPackage
and Node hooks such asnpmConfigHook
,pnpm.configHook
, and the newyarnConfig
-
power.ups
now powers off UPSs during a power outage event. This saves UPS battery and ensures that host(s) get back up again when power comes back, even in the scenario when the UPS would have had enough capacity to keep power on during the whole power outage. If you like the old behaviour of keeping the UPSs on (and emptying the battery) after the host(s) have shut down, and risk not getting a power cycle event to get the host(s) back up, setpower.ups.upsmon.settings.POWERDOWNFLAG = null;
. -
nixos-firewall-tool
now supports nftables in addition to iptables and is installed by default when NixOS firewall is enabled. -
Support for runner registration tokens has been deprecated in
gitlab-runner
15.6 and is expected to be removed ingitlab-runner
18.0. Configuration of existing runners should be changed to using runner authentication tokens by configuring {option}services.gitlab-runner.services.<name>.authenticationTokenConfigFile
instead of the former {option}services.gitlab-runner.services.<name>.registrationConfigFile
option. -
iproute2
now has libbpf support. -
nix.channel.enable = false
no longer impliesnix.settings.nix-path = []
. Since Nix 2.13, anix-path
set innix.conf
cannot be overridden by theNIX_PATH
configuration variable. -
ZFS now imports its pools in
postResumeCommands
rather thanpostDeviceCommands
. If you hadpostDeviceCommands
scripts that depended on ZFS pools being imported, those now need to be inpostResumeCommands
. -
services.automatic-timezoned.enable = true
will now settime.timeZone = null
. This is to avoid silently shadowing a user's explicitly defined timezone without recognition on the user's part. -
services.localtimed.enable = true
will now settime.timeZone = null
. This is to avoid silently shadowing a user's explicitly defined timezone without recognition on the user's part. -
qgis
andqgis-ltr
are now built withoutgrass
by default.grass
support can be enabled withqgis.override { withGrass = true; }
.
Detailed migration information
sound
options removal
The sound
options have been largely removed, as they are unnecessary for most modern setups, and cause issues when enabled.
If you set sound.enable
in your configuration:
- If you are using Pulseaudio or PipeWire, simply remove that option
- If you are not using an external sound server, and want volumes to be persisted across shutdowns, set
hardware.alsa.enablePersistence = true
instead
If you set sound.enableOSSEmulation
in your configuration:
- Make sure it is still necessary, as very few applications actually use OSS
- If necessary, set
boot.kernelModules = [ "snd_pcm_oss" ]
If you set sound.extraConfig
in your configuration:
- If you are using another sound server, like Pulseaudio, JACK or PipeWire, migrate your configuration to that
- If you are not using an external sound server, set
environment.etc."asound.conf".text = yourExtraConfig
instead
If you set sound.mediaKeys
in your configuration:
- Preferably switch to handling media keys in your desktop environment/compositor
- If you want to maintain the exact behavior of the option, use the following snippet
services.actkbd = let
volumeStep = "1%";
in {
enable = true;
bindings = [
# "Mute" media key
{ keys = [ 113 ]; events = [ "key" ]; command = "${alsa-utils}/bin/amixer -q set Master toggle"; }
# "Lower Volume" media key
{ keys = [ 114 ]; events = [ "key" "rep" ]; command = "${alsa-utils}/bin/amixer -q set Master ${volumeStep}- unmute"; }
# "Raise Volume" media key
{ keys = [ 115 ]; events = [ "key" "rep" ]; command = "${alsa-utils}/bin/amixer -q set Master ${volumeStep}+ unmute"; }
# "Mic Mute" media key
{ keys = [ 190 ]; events = [ "key" ]; command = "${alsa-utils}/bin/amixer -q set Capture toggle"; }
];
};
hardware.deviceTree.overlays
compatible string matching
The original compatible string implementation in older NixOS versions relied on substring matching, which is incorrect for overlays with multiple compatible strings and other cases.
The new behavior is consistent with what other tools already do - the overlay is considered applicable if, and only if, any of the compatible strings in the overlay match any of the compatible strings in the DT.
To provide some examples:
Overlay compatible |
DT compatible |
Pre-24.11 behavior | Correct behavior | Notes |
---|---|---|---|---|
"foo" |
"foo", "bar" |
match | match | Most common use case does not change |
"foo" |
"foobar" |
match | no match | Substrings should not be matched |
"foo bar" |
"foo", "bar" |
match | no match | Separators should not be matched to spaces |
"foo", "bar" |
"baz", "bar" |
no match | match | One compatible string matching is enough |
Note that this also allows writing overlays that explicitly apply to multiple boards.