Follow-up on https://github.com/NixOS/nixpkgs/pull/161426. Explain why having legacy iptables rules installed can lead to confusing firewall behaviour, and provide some guidance on how to fix this.
41 KiB
Release 21.11 (“Porcupine”, 2021/11/30)
- Support is planned until the end of June 2022, handing over to 22.05.
Highlights
In addition to numerous new and upgraded packages, this release has the following highlights:
-
Nix has been updated to version 2.4, reference its release notes for more information on what has changed. The previous version of Nix, 2.3.16, remains available for the time being in the
nix_2_3
package. -
iptables
is now usingnf_tables
under the hood, by usingiptables-nft
, similar to Debian and Fedora. This means,ip[6]tables
,arptables
andebtables
commands will actually show rules from some specific tables in thenf_tables
kernel subsystem. In case you're migrating from an older release without rebooting, there might be cases where you end up with iptable rules configured both in the legacyiptables
kernel backend, as well as in thenf_tables
backend. This can lead to confusing firewall behaviour. Aniptables-save
after switching will complain about "iptables-legacy tables present". It's probably best to reboot after the upgrade, or manually removing all legacy iptables rules (via theiptables-legacy
package). -
systemd got an
nftables
backend, and configures (networkd) rules in their ownio.systemd.*
tables. Checknft list ruleset
to see these rules, notiptables-save
(which only showsiptables
-created rules. -
PHP now defaults to PHP 8.0, updated from 7.4.
-
kops now defaults to 1.21.1, which uses containerd as the default runtime.
-
python3
now defaults to Python 3.9, updated from Python 3.8. -
PostgreSQL now defaults to major version 13.
-
spark now defaults to spark 3, updated from 2. A migration guide is available.
-
Improvements have been made to the Hadoop module and package:
- HDFS and YARN now support production-ready highly available deployments with automatic failover.
- Hadoop now defaults to Hadoop 3, updated from 2.
- JournalNode, ZKFS and HTTPFS services have been added.
-
Activation scripts can now, optionally, be run during a
nixos-rebuild dry-activate
and can detect the dry activation by reading$NIXOS_ACTION
. This allows activation scripts to output what they would change if the activation was really run. The users/modules activation script supports this and outputs some of is actions. -
KDE Plasma now finally works on Wayland.
-
bash now defaults to major version 5.
-
Systemd was updated to version 249 (from 247).
-
Pantheon desktop has been updated to version 6. Due to changes of screen locker, if locking doesn't work for you, please try
gsettings set org.gnome.desktop.lockdown disable-lock-screen false
. -
kubernetes-helm
now defaults to 3.7.0, which introduced some breaking changes to the experimental OCI manifest format. See HIP 6 for more details.helmfile
also defaults to 0.141.0, which is the minimum compatible version. -
GNOME has been upgraded to 41. Please take a look at their Release Notes for details.
-
LXD support was greatly improved:
- building LXD images from configurations is now directly possible with just nixpkgs
- hydra is now building nixOS LXD images that can be used standalone with full nixos-rebuild support
-
OpenSSH was updated to version 8.8p1
- This breaks connections to old SSH daemons as ssh-rsa host keys and ssh-rsa public keys that were signed with SHA-1 are disabled by default now
- These can be re-enabled, see the OpenSSH changelog for details
-
ORY Kratos was updated to version 0.8.0-alpha.3
- This release requires you to run SQL migrations. Please, as always, create a backup of your database first!
- The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.
- The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.
- for more details, see Release Notes.
New Services
-
btrbk, a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations. Available as services.btrbk.
-
clipcat, an X11 clipboard manager written in Rust. Available at services.clipcat.
-
dex, an OpenID Connect (OIDC) identity and OAuth 2.0 provider. Available at services.dex.
-
geoipupdate, a GeoIP database updater from MaxMind. Available as services.geoipupdate.
-
Jibri, a service for recording or streaming a Jitsi Meet conference. Available as services.jibri.
-
Kea, ISCs 2nd generation DHCP and DDNS server suite. Available at services.kea.
-
owncast, self-hosted video live streaming solution. Available at services.owncast.
-
PeerTube, developed by Framasoft, is the free and decentralized alternative to video platforms. Available at services.peertube.
-
sourcehut, a collection of tools useful for software development. Available as services.sourcehut.
-
ucarp, an userspace implementation of the Common Address Redundancy Protocol (CARP). Available as networking.ucarp.
-
Users of flashrom should migrate to programs.flashrom.enable and add themselves to the
flashrom
group to be able to access programmers supported by flashrom. -
vikunja, a to-do list app. Available as services.vikunja.
-
opensnitch, an application firewall. Available as services.opensnitch.
-
snapraid, a backup program for disk arrays. Available as snapraid.
-
Hockeypuck, a OpenPGP Key Server. Available as services.hockeypuck.
-
buildkite-agent-metrics, a command-line tool for collecting Buildkite agent metrics, now has a Prometheus exporter available as services.prometheus.exporters.buildkite-agent.
-
influxdb-exporter a Prometheus exporter that exports metrics received on an InfluxDB compatible endpoint is now available as services.prometheus.exporters.influxdb.
-
mx-puppet-discord, a discord puppeting bridge for matrix. Available as services.mx-puppet-discord.
-
MeshCentral, a remote administration service ("TeamViewer but self-hosted and with more features") is now available with a package and a module: services.meshcentral.enable
-
moonraker, an API web server for Klipper. Available as moonraker.
-
influxdb2, a Scalable datastore for metrics, events, and real-time analytics. Available as services.influxdb2.
-
isso, a commenting server similar to Disqus. Available as isso
-
navidrome, a personal music streaming server with subsonic-compatible api. Available as navidrome.
-
fluidd, a Klipper web interface for managing 3d printers using moonraker. Available as fluidd.
-
sx, a simple alternative to both xinit and startx for starting a Xorg server. Available as services.xserver.displayManager.sx
-
postfixadmin, a web based virtual user administration interface for Postfix mail servers. Available as postfixadmin.
-
prowlarr, an indexer manager/proxy built on the popular arr .net/reactjs base stack services.prowlarr.
-
soju, a user-friendly IRC bouncer. Available as services.soju.
-
nats, a high performance cloud and edge messaging system. Available as services.nats.
-
git, a distributed version control system. Available as programs.git.
-
parsedmarc, a service which parses incoming DMARC reports and stores or sends them to a downstream service for further analysis. Documented in its manual entry.
-
spark, a unified analytics engine for large-scale data processing.
-
touchegg, a multi-touch gesture recognizer. Available as services.touchegg.
-
pantheon-tweaks, an unofficial system settings panel for Pantheon. Available as programs.pantheon-tweaks.
-
joycond, a service that uses
hid-nintendo
to provide nintendo joycond pairing and better nintendo switch pro controller support. -
multipath, the device mapper multipath (DM-MP) daemon. Available as services.multipath.
-
seafile, an open source file syncing & sharing software. Available as services.seafile.
-
rasdaemon, a hardware error logging daemon. Available as hardware.rasdaemon.
-
code-server
-module now available -
xmrig, a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner and RandomX benchmark.
-
Auto nice daemons ananicy and ananicy-cpp. Available as services.ananicy.
-
smartctl_exporter, a Prometheus exporter for S.M.A.R.T. data. Available as services.prometheus.exporters.smartctl.
Backward Incompatibilities
-
The NixOS VM test framework,
pkgs.nixosTest
/make-test-python.nix
, now requires detaching commands such assucceed("foo &")
andsucceed("foo | xclip -i")
to close stdout. This can be done with a redirect such assucceed("foo >&2 &")
. This breaking change was necessitated by a race condition causing tests to fail or hang. It applies to all methods that invoke commands on the nodes, includingexecute
,succeed
,fail
,wait_until_succeeds
,wait_until_fails
. -
The
services.wakeonlan
option was removed, and replaced withnetworking.interfaces.<name>.wakeOnLan
. -
The
security.wrappers
option now requires to always specify an owner, group and whether the setuid/setgid bit should be set. This is motivated by the fact that before NixOS 21.11, specifying either setuid or setgid but not owner/group resulted in wrappers owned by nobody/nogroup, which is unsafe. -
Since
iptables
now usesnf_tables
backend andipset
doesn't support it, some applications (ferm, shorewall, firehol) may have limited functionality. -
The
paperless
module and package have been removed. All users should migrate to the successorpaperless-ng
instead. The Paperless project has been archived and advises all users to usepaperless-ng
instead.Users can use the
services.paperless-ng
module as a replacement while noting the following incompatibilities:services.paperless.ocrLanguages
has no replacement. Users should migrate toservices.paperless-ng.extraConfig
instead:
{ services.paperless-ng.extraConfig = { # Provide languages as ISO 639-2 codes # separated by a plus (+) sign. # https://en.wikipedia.org/wiki/List_of_ISO_639-2_codes PAPERLESS_OCR_LANGUAGE = "deu+eng+jpn"; # German & English & Japanse }; }
-
If you previously specified
PAPERLESS_CONSUME_MAIL_*
settings inservices.paperless.extraConfig
you should remove those options now. You now must define those settings in the admin interface of paperless-ng. -
Option
services.paperless.manage
no longer exists. Use the script at${services.paperless-ng.dataDir}/paperless-ng-manage
instead. Note that this script only exists after thepaperless-ng
service has been started at least once. -
After switching to the new system configuration you should run the Django management command to reindex your documents and optionally create a user, if you don't have one already.
To do so, enter the data directory (the value of
services.paperless-ng.dataDir
,/var/lib/paperless
by default), switch to the paperless user and execute the management command like below:$ cd /var/lib/paperless $ su paperless -s /bin/sh $ ./paperless-ng-manage document_index reindex # if not already done create a user account, paperless-ng requires a login $ ./paperless-ng-manage createsuperuser Username (leave blank to use 'paperless'): my-user-name Email address: me@example.com Password: ********** Password (again): ********** Superuser created successfully.
-
The
staticjinja
package has been upgraded from 1.0.4 to 4.1.1 -
Firefox v91 does not support addons with invalid signature anymore. Firefox ESR needs to be used for nix addon support.
-
The
erigon
ethereum node has moved to a new database format in2021-05-04
, and requires a full resync -
The
erigon
ethereum node has moved it's database location in2021-08-03
, users upgrading must manually move their chaindata (see release notes). -
users.users.<name>.group no longer defaults to
nogroup
, which was insecure. Out-of-tree modules are likely to require adaptation: instead of{ users.users.foo = { isSystemUser = true; }; }
also create a group for your user:
{ users.users.foo = { isSystemUser = true; group = "foo"; }; users.groups.foo = {}; }
-
services.geoip-updater
was broken and has been replaced by services.geoipupdate. -
ihatemoney
has been updated to version 5.1.1 (release notes). If you serve ihatemoney by HTTP rather than HTTPS, you must set services.ihatemoney.secureCookie tofalse
. -
PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release.
-
Those making use of
buildBazelPackage
will need to regenerate the fetch hashes (preferred), or setfetchConfigured = false;
. -
consul
was upgraded to a new major release with breaking changes, see upstream changelog. -
fsharp41 has been removed in preference to use the latest dotnet-sdk
-
The following F#-related packages have been removed for being unmaintaned. Please use
fetchNuGet
for specific packages.- ExtCore
- Fake
- Fantomas
- FsCheck
- FsCheck262
- FsCheckNunit
- FSharpAutoComplete
- FSharpCompilerCodeDom
- FSharpCompilerService
- FSharpCompilerTools
- FSharpCore302
- FSharpCore3125
- FSharpCore4001
- FSharpCore4117
- FSharpData
- FSharpData225
- FSharpDataSQLProvider
- FSharpFormatting
- FsLexYacc
- FsLexYacc706
- FsLexYaccRuntime
- FsPickler
- FsUnit
- Projekt
- Suave
- UnionArgParser
- ExcelDnaRegistration
- MathNetNumerics
-
programs.x2goserver
is nowservices.x2goserver
-
The following dotnet-related packages have been removed for being unmaintaned. Please use
fetchNuGet
for specific packages.- Autofac
- SystemValueTuple
- MicrosoftDiaSymReader
- MicrosoftDiaSymReaderPortablePdb
- SystemCollectionsImmutable
- SystemCollectionsImmutable131
- SystemReflectionMetadata
- NUnit350
- Deedle
- ExcelDna
- GitVersionTree
- NDeskOptions
-
The
antlr
package now defaults to the 4.x release instead of the old 2.7.7 version. -
The
pulseeffects
package updated to version 4.x and renamed toeasyeffects
. -
The
libwnck
package now defaults to the 3.x release instead of the old 2.31.0 version. -
The
bitwarden_rs
packages and modules were renamed tovaultwarden
following upstream. More specifically,-
pkgs.bitwarden_rs
,pkgs.bitwarden_rs-sqlite
,pkgs.bitwarden_rs-mysql
andpkgs.bitwarden_rs-postgresql
were renamed topkgs.vaultwarden
,pkgs.vaultwarden-sqlite
,pkgs.vaultwarden-mysql
andpkgs.vaultwarden-postgresql
, respectively.- Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
- The
bitwarden_rs
executable was also renamed tovaultwarden
in all packages.
-
pkgs.bitwarden_rs-vault
was renamed topkgs.vaultwarden-vault
.pkgs.bitwarden_rs-vault
is preserved as an alias for backwards compatibility, but may be removed in the future.- The static files were moved from
/usr/share/bitwarden_rs
to/usr/share/vaultwarden
.
-
The
services.bitwarden_rs
config module was renamed toservices.vaultwarden
.services.bitwarden_rs
is preserved as an alias for backwards compatibility, but may be removed in the future.
-
systemd.services.bitwarden_rs
,systemd.services.backup-bitwarden_rs
andsystemd.timers.backup-bitwarden_rs
were renamed tosystemd.services.vaultwarden
,systemd.services.backup-vaultwarden
andsystemd.timers.backup-vaultwarden
, respectively.- Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
-
users.users.bitwarden_rs
andusers.groups.bitwarden_rs
were renamed tousers.users.vaultwarden
andusers.groups.vaultwarden
, respectively. -
The data directory remains located at
/var/lib/bitwarden_rs
, for backwards compatibility.
-
-
yggdrasil
was upgraded to a new major release with breaking changes, see upstream changelog. -
icingaweb2
was upgraded to a new release which requires a manual database upgrade, see upstream changelog. -
The
isabelle
package has been upgraded from 2020 to 2021 -
the
mingw-64
package has been upgraded from 6.0.0 to 9.0.0 -
tt-rss
was upgraded to the commit on 2021-06-21, which has breaking changes. If you useservices.tt-rss.extraConfig
you should migrate to theputenv
-style configuration. See this Discourse post in the tt-rss forums for more details. -
The following Visual Studio Code extensions were renamed to keep the naming convention uniform.
bbenoist.Nix
->bbenoist.nix
CoenraadS.bracket-pair-colorizer
->coenraads.bracket-pair-colorizer
golang.Go
->golang.go
-
services.uptimed
now uses/var/lib/uptimed
as its stateDirectory instead of/var/spool/uptimed
. Make sure to move all files to the new directory. -
Deprecated package aliases in
emacs.pkgs.*
have been removed. These aliases were remnants of the old Emacs package infrastructure. We now use exact upstream names wherever possible. -
programs.neovim.runtime
switched to alinkFarm
internally, making it impossible to use wildcards in thesource
argument. -
The
openrazer
andopenrazer-daemon
packages as well as thehardware.openrazer
module now require users to be members of theopenrazer
group instead ofplugdev
. With this change, users no longer need be granted the entire set ofplugdev
group permissions, which can include permissions other than those required byopenrazer
. This is desirable from a security point of view. The settingharware.openrazer.users
can be used to add users to theopenrazer
group. -
The fontconfig service's dpi option has been removed. Fontconfig should use Xft settings by default so there's no need to override one value in multiple places. The user can set DPI via ~/.Xresources properly, or at the system level per monitor, or as a last resort at the system level with
services.xserver.dpi
. -
The
yambar
package has been split intoyambar
andyambar-wayland
, corresponding to the xorg and wayland backend respectively. Please switch toyambar-wayland
if you are on wayland. -
The
services.minio
module gained an additional optionconsoleAddress
, that configures the address and port the web UI is listening, it defaults to:9001
. To be able to access the web UI this port needs to be opened in the firewall. -
The
varnish
package was upgraded from 6.3.x to 7.x.varnish60
for the last LTS release is also still available. -
The
kubernetes
package was upgraded to 1.22. Thekubernetes.apiserver.kubeletHttps
option was removed and HTTPS is always used. -
The attribute
linuxPackages_latest_hardened
was dropped because the hardened patches lag behind the upstream kernel which made version bumps harder. If you want to use a hardened kernel, please pin it explicitly with a versioned attribute such aslinuxPackages_5_10_hardened
. -
The
nomad
package now defaults to a 1.1.x release instead of 1.0.x -
If
exfat
is included inboot.supportedFilesystems
and when using kernel 5.7 or later, theexfatprogs
user-space utilities are used instead ofexfat
. -
The
todoman
package was upgraded from 3.9.0 to 4.0.0. This introduces breaking changes in the configuration file format. -
The
datadog-agent
,datadog-integrations-core
anddatadog-process-agent
packages were upgraded from 6.11.2 to 7.30.2, git-2018-09-18 to 7.30.1 and 6.11.1 to 7.30.2, respectively. As a resultservices.datadog-agent
has had breaking changes to the configuration file. For details, see the upstream changelog. -
opencv2
no longer includes the non-free libraries by default, and consequentlypfstools
no longer includes OpenCV support by default. Both packages now support anenableUnfree
option to re-enable this functionality. -
services.xserver.displayManager.defaultSession = "plasma5"
does not work anymore, instead use either"plasma"
for the Plasma X11 session or"plasmawayland"
for the Plasma Wayland sesison. -
boot.kernelParams
now only accepts one command line parameter per string. This change is aimed to reduce common mistakes like "param = 12", which would be parsed as 3 parameters. -
nix.daemonNiceLevel
andnix.daemonIONiceLevel
have been removed in favour of the new optionsnix.daemonCPUSchedPolicy
,nix.daemonIOSchedClass
andnix.daemonIOSchedPriority
. Please refer to the options documentation and thesched(7)
andioprio_set(2)
man pages for guidance on how to use them. -
The
coursier
package's binary was renamed fromcoursier
tocs
. Completions which haven't worked for a while should now work with the renamed binary. To keep usingcoursier
, you can create a shell alias. -
The
services.mosquitto
module has been rewritten to support multiple listeners and per-listener configuration. Module configurations from previous releases will no longer work and must be updated. -
The
fluidsynth_1
attribute has been removed, as this legacy version is no longer needed in nixpkgs. The actively maintained 2.x series is available asfluidsynth
unchanged. -
Nextcloud 20 (
pkgs.nextcloud20
) has been dropped because it was EOLed by upstream in 2021-10. -
The
virtualisation.pathsInNixDB
option was renamedvirtualisation.additionalPaths
. -
The
services.ddclient.password
option was removed, and replaced withservices.ddclient.passwordFile
. -
The default GNAT version has been changed: The
gnat
attribute now points tognat11
instead ofgnat9
. -
retroArchCores
has been removed. This means that usingnixpkgs.config.retroarch
to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example:retroarch.override { cores = with libretro; [ citra snes9x ]; };
. Also,retroarchFull
derivation is available for those who want to have all RetroArch cores available. -
The Linux kernel for security reasons now restricts access to BPF syscalls via
BPF_UNPRIV_DEFAULT_OFF=y
. Unprivileged access can be reenabled via thekernel.unprivileged_bpf_disabled
sysctl knob. -
/usr
will always be included in the initial ramdisk. See thefileSystems.<name>.neededForBoot
option. If any files exist under/usr
(which is not typical for NixOS), they will be included in the initial ramdisk, increasing its size to a possibly problematic extent.
Other Notable Changes
-
The linux kernel package infrastructure was moved out of
all-packages.nix
, and restructured. Linux related functions and attributes now live under thepkgs.linuxKernel
attribute set. In particular the versionedlinuxPackages_*
package sets (such aslinuxPackages_5_4
) and kernels frompkgs
were moved there and now live underpkgs.linuxKernel.packages.*
. The unversioned ones (such aslinuxPackages_latest
) remain untouched. -
In NixOS virtual machines (QEMU), the
virtualisation
module has been updated with new options:forwardPorts
to configure IPv4 port forwarding,sharedDirectories
to set up shared host directories,resolution
to set the screen resolution,useNixStoreImage
to use a disk image for the Nix store instead of 9P.
In addition, the default
msize
parameter in 9P filesystems (including /nix/store and all shared directories) has been increased to 16K for improved performance. -
The setting
services.openssh.logLevel
"VERBOSE"
"INFO"
. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.However, if
services.fail2ban.enable
istrue
, thefail2ban
will override the verbosity to"VERBOSE"
, so thatfail2ban
can observe the failed login attempts from the SSH logs. -
The
services.xserver.extraLayouts
no longer cause additional rebuilds when a layout is added or modified. -
Sway: The terminal emulator
rxvt-unicode
is no longer installed by default viaprograms.sway.extraPackages
. The current default configuration usesalacritty
(and soonfoot
) so this is only an issue when using a customized configuration and not installingrxvt-unicode
explicitly. -
python3
now defaults to Python 3.9. Python 3.9 introduces many deprecation warnings, please look at the What's New In Python 3.9 post for more information. -
qtile
hase been updated from '0.16.0' to '0.18.0', please check qtile changelog for changes. -
The
claws-mail
package now references the new GTK+ 3 release branch, major version 4. To use the GTK+ 2 releases, one can install theclaws-mail-gtk2
package. -
The wordpress module provides a new interface which allows to use different webservers with the new option
services.wordpress.webserver
. Currentlyhttpd
,caddy
andnginx
are supported. The definitions of wordpress sites should now be set inservices.wordpress.sites
.Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.
-
The dokuwiki module provides a new interface which allows to use different webservers with the new option
services.dokuwiki.webserver
. Currentlycaddy
andnginx
are supported. The definitions of dokuwiki sites should now be set inservices.dokuwiki.sites
.Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.
-
The order of NSS (host) modules has been brought in line with upstream recommendations:
- The
myhostname
module is placed before theresolve
(optional) anddns
entries, but afterfile
(to allow overriding via/etc/hosts
/networking.extraHosts
, and prevent ISPs with catchall-DNS resolvers from hijacking.localhost
domains) - The
mymachines
module, which provides hostname resolution for local containers (registered withsystemd-machined
) is placed to the front, to make sure its mappings are preferred over other resolvers. - If systemd-networkd is enabled, the
resolve
module is placed beforefiles
andmyhostname
, as it provides the same logic internally, with caching. - The
mdns(_minimal)
module has been updated to the new priorities.
If you use your own NSS host modules, make sure to update your priorities according to these rules:
- NSS modules which should be queried before
resolved
DNS resolution should use mkBefore. - NSS modules which should be queried after
resolved
,files
andmyhostname
, but beforedns
should use the default priority - NSS modules which should come after
dns
should use mkAfter.
- The
-
The networking.wireless module (based on wpa_supplicant) has been heavily reworked, solving a number of issues and adding useful features:
- The automatic discovery of wireless interfaces at boot has been made reliable again (issues #101963, #23196).
- WPA3 and Fast BSS Transition (802.11r) are now enabled by default for all networks.
- Secrets like pre-shared keys and passwords can now be handled safely, meaning without including them in a world-readable file (
wpa_supplicant.conf
under /nix/store). This is achieved by storing the secrets in a secured environmentFile and referring to them though environment variables that are expanded inside the configuration. - With multiple interfaces declared, independent wpa_supplicant daemons are started, one for each interface (the services are named
wpa_supplicant-wlan0
,wpa_supplicant-wlan1
, etc.). - The generated
wpa_supplicant.conf
file is now formatted for easier reading. - A new scanOnLowSignal option has been added to facilitate fast roaming between access points (enabled by default).
- A new networks.<name>.authProtocols option has been added to change the authentication protocols used when connecting to a network.
-
The networking.wireless.iwd module has a new networking.wireless.iwd.settings option.
-
The services.smokeping.host option was added and defaulted to
localhost
. Before,smokeping
listened to all interfaces by default. NixOS defaults generally aim to provide non-Internet-exposed defaults for databases and internal monitoring tools, see e.g. #100192. Further, the systemd service forsmokeping
got reworked defaults for increased operational stability, see PR #144127 for details. -
The services.syncoid.enable module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn't clean up after execution. You can manually look this up for your pools by running
zfs allow your-pool-name
and usezfs unallow syncoid your-pool-name
to clean this up. -
Zfs:
latestCompatibleLinuxPackages
is now exported on the zfs package. One can useboot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
to always track the latest compatible kernel with a given version of zfs. -
Nginx will use the value of
sslTrustedCertificate
if provided for a virtual host, even ifenableACME
is set. This is useful for providers not using the same certificate to sign OCSP responses and server certificates. -
lib.formats.yaml
'sgenerate
will not generate JSON anymore, but instead use more of the YAML-specific syntax. -
MariaDB was upgraded from 10.5.x to 10.6.x. Please read the upstream release notes for changes and upgrade instructions.
-
The MariaDB C client library, also known as libmysqlclient or mariadb-connector-c, was upgraded from 3.1.x to 3.2.x. While this should hopefully not have any impact, this upgrade comes with some changes to default behavior, so you might want to review the upstream release notes.
-
GNOME desktop environment now enables
QGnomePlatform
as the Qt platform theme, which should avoid crashes when opening file chooser dialogs in Qt apps by using XDG desktop portal. Additionally, it will make the apps fit better visually. -
rofi
has been updated from '1.6.1' to '1.7.0', one important thing is the removal of the old xresources based configuration setup. Read more in rofi's changelog. -
ipfs now defaults to not listening on you local network. This setting was change as server providers won't accept port scanning on their private network. If you have several ipfs instances running on a network you own, feel free to change the setting
ipfs.localDiscovery = true;
. localDiscovery enables different instances to discover each other and share data. -
lua
andluajit
interpreters have been patched to avoid looking into /usr/lib directories, thus increasing the purity of the build. -
Three new options, xdg.mime.addedAssociations, xdg.mime.defaultApplications, and xdg.mime.removedAssociations have been added to the xdg.mime module to allow the configuration of
/etc/xdg/mimeapps.list
. -
Kopia was upgraded from 0.8.x to 0.9.x. Please read the upstream release notes for changes and upgrade instructions.
-
The
systemd.network
module has gained support for the FooOverUDP link type. -
The
networking
module has a newnetworking.fooOverUDP
option to configure Foo-over-UDP encapsulations. -
networking.sits
now supports Foo-over-UDP encapsulation. -
The
virtualisation.libvirtd
module has been refactored and updated with new options:virtualisation.libvirtd.qemu*
options (e.g.:virtualisation.libvirtd.qemuRunAsRoot
) were moved tovirtualisation.libvirtd.qemu
submodule,- software TPM1/TPM2 support (e.g.: Windows 11 guests) (
virtualisation.libvirtd.qemu.swtpm
), - custom OVMF package (e.g.:
pkgs.OVMFFull
with HTTP, CSM and Secure Boot support) (virtualisation.libvirtd.qemu.ovmf.package
).
-
The
cawbird
Twitter client now uses its own API keys to count as different application than upstream builds. This is done to evade application-level rate limiting. While existing accounts continue to work, users may want to remove and re-register their account in the client to enjoy a better user experience and benefit from this change. -
A new option
services.prometheus.enableReload
has been added which can be enabled to reload the prometheus service when its config file changes instead of restarting. -
The option
services.prometheus.environmentFile
has been removed since it was causing issues and Prometheus now has native support for secret files, i.e.basic_auth.password_file
andauthorization.credentials_file
. -
Dokuwiki now supports caddy! However
- the nginx option has been removed, in the new configuration, please use the
dokuwiki.webserver = "nginx"
instead. - The "${hostname}" option has been deprecated, please use
dokuwiki.sites = [ "${hostname}" ]
instead
- the nginx option has been removed, in the new configuration, please use the
-
The services.unifi module has been reworked, solving a number of issues. This leads to several user facing changes:
- The
services.unifi.dataDir
option is removed and the data is now always located under/var/lib/unifi/data
. This is done to make better use of systemd state direcotiry and thus making the service restart more reliable. - The unifi logs can now be found under:
/var/log/unifi
instead of/var/lib/unifi/logs
. - The unifi run directory can now be found under:
/run/unifi
instead of/var/lib/unifi/run
.
- The
-
security.pam.services.<name>.makeHomeDir
now usesumask=0077
instead ofumask=0022
when creating the home directory. -
Loki has had another release. Some default values have been changed for the configuration and some configuration options have been renamed. For more details, please check the upgrade guide.
-
julia
now refers tojulia-stable
instead ofjulia-lts
. In practice this means it has been upgraded from1.0.4
to1.5.4
. -
RetroArch has been upgraded from version
1.8.5
to1.9.13.2
. Since the previous release was quite old, if you're having issues after the upgrade, please delete your$XDG_CONFIG_HOME/retroarch/retroarch.cfg
file. -
hydrus has been upgraded from version
438
to463
. Since upgrading between releases this old is advised against, be sure to have a backup of your data before upgrading. For details, see the hydrus manual. -
More jdk and jre versions are now exposed via
java-packages.compiler
.