Appendix B. Release Notes

cryptsetup has been upgraded from 2.6.1 to 2.7.0. Cryptsetup is a critical component enabling LUKS-based (but not only) full disk encryption. Take the time to review the release notes. One of the highlight is that it is now possible to use hardware OPAL-based encryption of your disk with cryptsetup, it has a lot of caveats, see the above notes for the full details.

screen’s module has been cleaned, and will now require you to set programs.screen.enable in order to populate screenrc and add the program to the environment.

linuxPackages_testing_bcachefs is now fully deprecated by linuxPackages_latest, and is therefore no longer available.

The default kernel package has been updated from 6.1 to 6.6. All supported kernels remain available.

NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS.

On flake-based NixOS configurations using nixpkgs.lib.nixosSystem, NixOS will automatically set NIX_PATH and the system-wide flake registry (/etc/nix/registry.json) to point <nixpkgs> and the unqualified flake path nixpkgs to the version of nixpkgs used to build the system.

This makes nix run nixpkgs#hello and nix-build '<nixpkgs>' -A hello work out of the box with no added configuration, reusing dependencies already on the system.

This may be undesirable if nix commands are not going to be run on the built system since it adds nixpkgs to the system closure. For such closure-size-constrained non-interactive systems, this setting should be disabled.

To disable this, set nixpkgs.flake.setNixPath and nixpkgs.flake.setFlakeRegistry to false.

Julia environments can now be built with arbitrary packages from the ecosystem using the .withPackages function. For example: julia.withPackages ["Plots"].

A new option systemd.sysusers.enable was added. If enabled, users and groups are created with systemd-sysusers instead of with a custom perl script.

A new option virtualisation.containers.cdi was added. It contains static and dynamic attributes (corresponding to /etc/cdi and /run/cdi respectively) to configure the Container Device Interface (CDI).

virtualisation.docker.enableNvidia and virtualisation.podman.enableNvidia options are deprecated. virtualisation.containers.cdi.dynamic.nvidia.enable should be used instead. This option will expose GPUs on containers with the --device CLI option. This is supported by Docker 25, Podman 3.2.0 and Singularity 4. Any container runtime that supports the CDI specification will take advantage of this feature.

A new option system.etc.overlay.enable was added. If enabled, /etc is mounted via an overlayfs instead of being created by a custom perl script.

NixOS AMIs are now uploaded regularly to a new AWS Account. Instructions on how to use them can be found on https://nixos.github.io/amis. We are working on integration the data into the NixOS homepage. The list in nixos/modules/virtualisation/amazon-ec2-amis.nix will stop being updated and will be removed in the future.

It is now possible to have a completely perlless system (i.e. a system without perl). Previously, the NixOS activation depended on two perl scripts which can now be replaced via an opt-in mechanism. To make your system perlless, you can use the new perlless profile:

{ modulesPath, ... }: {
  imports = [ "${modulesPath}/profiles/perlless.nix" ];
}

Plasma 6 is now available and can be installed with services.xserver.desktopManager.plasma6.enable = true;. Plasma 5 will likely be deprecated in the next release (24.11). Note that Plasma 6 runs as Wayland by default, and the X11 session needs to be explicitly selected if necessary.

Handheld Daemon, support for gaming handhelds like the Legion Go, ROG Ally, and GPD Win. Available as services.handheld-daemon.

Guix, a functional package manager inspired by Nix. Available as services.guix.

pyLoad, a FOSS download manager written in Python. Available as services.pyload

maubot, a plugin-based Matrix bot framework. Available as services.maubot.

systemd’s gateway, upload, and remote services, which provides ways of sending journals across the network. Enable using services.journald.gateway, services.journald.upload, and services.journald.remote.

GNS3, a network software emulator. Available as services.gns3-server.

pretalx, a conference planning tool. Available as services.pretalx.

rspamd-trainer, script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training.

ollama, server for running large language models locally.

hebbot, a Matrix bot to generate “This Week in X” like blog posts. Available as services.hebbot.

Python Matter Server, a Matter Controller Server exposing websocket connections for use with other services, notably Home Assistant. Available as services.matter-server

Anki Sync Server, the official sync server built into recent versions of Anki. Available as services.anki-sync-server. The pre-existing services.ankisyncd has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server softwares.

transfer-sh, a tool that supports easy and fast file sharing from the command-line. Available as services.transfer-sh.

Suwayomi Server, a free and open source manga reader server that runs extensions built for Tachiyomi. Available as services.suwayomi-server.

ping_exporter, a Prometheus exporter for ICMP echo requests. Available as services.prometheus.exporters.ping.

TigerBeetle, a distributed financial accounting database designed for mission critical safety and performance. Available as services.tigerbeetle.

go-camo, a secure image proxy server. Available as services.go-camo.

Monado, an open source XR runtime. Available as services.monado.

Clevis, a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as boot.initrd.clevis.enable.

armagetronad, a mid-2000s 3D lightcycle game widely played at iD Tech Camps. You can define multiple servers using services.armagetronad.<server>.enable.

TuxClocker, a hardware control and monitoring program. Available as programs.tuxclocker.

ALVR, a VR desktop streamer. Available as programs.alvr

RustDesk, a full-featured open source remote control alternative for self-hosting and security with minimal configuration. Alternative to TeamViewer.

Scrutiny, a S.M.A.R.T monitoring tool for hard disks with a web frontend.

systemd-lock-handler, a bridge between logind D-Bus events and systemd targets. Available as services.systemd-lock-handler.enable.

Mealie, a self-hosted recipe manager and meal planner with a RestAPI backend and a reactive frontend application built in NuxtJS for a pleasant user experience for the whole family. Available as services.mealie

k3s: was updated to version v1.29, all previous versions (k3s_1_26, k3s_1_27, k3s_1_28) will be removed. See changelog and upgrade notes for more information.

himalaya was updated to v1.0.0-beta.3, which introduces breaking changes. Check out the release note for details.

The power.ups module now generates upsd.conf, upsd.users and upsmon.conf automatically from a set of new configuration options. This breaks compatibility with existing power.ups setups where these files were created manually. Back up these files before upgrading NixOS.

unrar was updated to v7. See changelog for more information.

k9s was updated to v0.31. There have been various breaking changes in the config file format, check out the changelog of v0.29, v0.30 and v0.31 for details. It is recommended to back up your current configuration and let k9s recreate the new base configuration.

NixOS AMIs are now uploaded regularly to a new AWS Account. Instructions on how to use them can be found on https://nixos.github.io/amis. We are working on integration the data into the NixOS homepage. The list in nixos/modules/virtualisation/amazon-ec2-amis.nix will stop being updated and will be removed in the future.

The option services.postgresql.ensureUsers._.ensurePermissions has been removed as it’s not declarative and is broken with newer postgresql versions. Consider using services.postgresql.ensureUsers.*.ensureDBOwnership instead or a tool that’s more suited for managing the data inside a postgresql database.

idris2 was updated to v0.7.0. This version introduces breaking changes. Check out the changelog for details.

neo4j has been updated to 5, you may want to read the release notes for Neo4j 5

services.neo4j.allowUpgrade was removed and no longer has any effect. Neo4j 5 supports automatic rolling upgrades.

nitter requires a guest_accounts.jsonl to be provided as a path or loaded into the default location at /var/lib/nitter/guest_accounts.jsonl. See Guest Account Branch Deployment for details.

boot.supportedFilesystems and boot.initrd.supportedFilesystems are now attribute sets instead of lists. Assignment from lists as done previously is still supported, but checking whether a filesystem is enabled must now by done using supportedFilesystems.fs or false instead of using lib.elem "fs" supportedFilesystems as was done previously.

services.aria2.rpcSecret has been replaced with services.aria2.rpcSecretFile. This was done so that secrets aren’t stored in the world-readable nix store. To migrate, you will have create a file with the same exact string, and change your module options to point to that file. For example, services.aria2.rpcSecret = "mysecret" becomes services.aria2.rpcSecretFile = "/path/to/secret_file" where the file secret_file contains the string mysecret.

Invidious has changed its default database username from kemal to invidious. Setups involving an externally provisioned database (i.e. services.invidious.database.createLocally == false) should adjust their configuration accordingly. The old kemal user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)

inetutils now has a lower priority to avoid shadowing the commonly used util-linux. If one wishes to restore the default priority, simply use lib.setPrio 5 inetutils or override with meta.priority = 5.

paperless’ services.paperless.extraConfig setting has been removed and converted to the freeform type and option named services.paperless.settings.

services.homepage-dashboard now takes it’s configuration using native Nix expressions, rather than dumping templated configurations into /var/lib/homepage-dashboard where they were previously managed manually. There are now new options which allow the configuration of bookmarks, services, widgets and custom CSS/JS natively in Nix.

hare may now be cross-compiled. For that to work, however, haredoc needed to stop being built together with it. Thus, the latter is now its own package with the name of haredoc.

The legacy and long deprecated systemd target network-interfaces.target has been removed. Use network.target instead.

services.frp.settings now generates the frp configuration file in TOML format as recommended by upstream, instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options.

mkosi was updated to v20. Parts of the user interface have changed. Consult the release notes of v19 and v20 for a list of changes.

The services.vikunja systemd service now uses vikunja as dynamic user instead of vikunja-api. Database users might need to be changed.

The services.vikunja.setupNginx setting has been removed. Users now need to setup the webserver configuration on their own with a proxy pass to the vikunja service.

The woodpecker-* packages have been updated to v2 which includes breaking changes.

services.nginx will no longer advertise HTTP/3 availability automatically. This must now be manually added, preferably to each location block. Example:

  locations."/".extraConfig = ''
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
  '';
  locations."^~ /assets/".extraConfig = ''
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
  '';

The package optparse-bash is now dropped due to upstream inactivity. Alternatives available in Nixpkgs include argc, argbash, bashly and gum, to name a few.

The kanata package has been updated to v1.5.0, which includes breaking changes.

The craftos-pc package has been updated to v2.8, which includes breaking changes.

The gtest package has been updated past v1.13.0, which requires C++14 or higher.

The latest available version of Nextcloud is v28 (available as pkgs.nextcloud28). The installation logic is as follows:

The vendored third party libraries have been mostly removed from cudaPackages.nsight_systems, which we now only ship for cudaPackages_11_8 and later due to outdated dependencies. Users comfortable with the vendored dependencies may use overrideAttrs to amend the postPatch phase and the meta.broken correspondingly. Alternatively, one could package the deprecated boost170 locally, as required for cudaPackages_11_4.nsight_systems.

The cudaPackages package scope has been updated to cudaPackages_12.

Ada packages (libraries and tools) have been moved into the gnatPackages scope. gnatPackages uses the default GNAT compiler, gnat12Packages and gnat13Packages use the respective matching compiler version.

spark2014 has been renamed to gnatprove. A version of gnatprove matching different GNAT versions is available from the different gnatPackages sets.

services.resolved.fallbackDns can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead.

xxd has been moved from vim default output to its own output to reduce closure size. The canonical way to reference it across all platforms is unixtools.xxd.

The stalwart-mail package has been updated to v0.5.3, which includes breaking changes.

services.zope2 has been removed as zope2 is unmaintained and was relying on Python2.

services.avahi.nssmdns got split into services.avahi.nssmdns4 and services.avahi.nssmdns6 which enable the mDNS NSS switch for IPv4 and IPv6 respectively. Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts.

A warning has been added for services that are after = [ "network-online.target" ] but do not depend on it (e.g. using wants), because the dependency that multi-user.target has on network-online.target is planned for removal.

services.pgbouncer now has systemd support enabled and will log to journald. The default setting for services.pgbouncer.logFile is now null to disable logging to a separate log file.

services.archisteamfarm no longer uses the abbreviation asf for its state directory (/var/lib/asf), user and group (both asf). Instead the long name archisteamfarm is used. Configurations with system.stateVersion 23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory.

networking.iproute2.enable now does not set environment.etc."iproute2/rt_tables".text.

Setting environment.etc."iproute2/{CONFIG_FILE_NAME}".text will override the whole configuration file instead of appending it to the upstream configuration file.

CONFIG_FILE_NAME includes bpf_pinning, ematch_map, group, nl_protos, rt_dsfield, rt_protos, rt_realms, rt_scopes, and rt_tables.

netbox was updated to v3.7. services.netbox.package still defaults to v3.6 if stateVersion is earlier than 24.05. Refer to upstream’s breaking changes for v3.7.0 and upgrade NetBox by changing services.netbox.package. Database migrations will be run automatically.

The executable file names for firefox-devedition, firefox-beta, firefox-esr now matches their package names, which is consistent with the firefox-*-bin packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher.

switch-to-configuration does not directly call systemd-tmpfiles anymore. Instead, the new artificial sysinit-reactivation.target is introduced which allows to restart multiple services that are ordered before sysinit.target and respect the ordering between the services.

The systemd.oomd module behavior is changed as:

security.pam.enableSSHAgentAuth now requires services.openssh.authorizedKeysFiles to be non-empty, which is the case when services.openssh.enable is true. Previously, pam_ssh_agent_auth silently failed to work.

The configuration format for services.prometheus.exporters.snmp changed with release 0.23.0. The module now includes an optional config check, that is enabled by default, to make the change obvious before any deployment. More information about the configuration syntax change is available in the upstream repository.

watchdogd, a system and process supervisor using watchdog timers. Available as services.watchdogd.

The jdt-language-server package now uses upstream’s provided python wrapper instead of our own custom wrapper. This results in the following breaking and notable changes:

nomad has been updated - note that HashiCorp recommends updating one minor version at a time. Please check their upgrade guide for information on safely updating clusters and potential breaking changes.

The livebook package is now built as a mix release instead of an escript. This means that configuration now has to be done using environment variables instead of command line arguments. This has the further implication that the livebook service configuration has changed:

addDriverRunpath has been added to facilitate the deprecation of the old addOpenGLRunpath setuphook. This change is motivated by the evolution of the setuphook to include all hardware acceleration.

Cinnamon has been updated to 6.0. Please beware that the Wayland session is still experimental in this release.

New boot.loader.systemd-boot.xbootldrMountPoint allows setting up a separate XBOOTLDR partition to store boot files. Useful on systems with a small EFI System partition that cannot be easily repartitioned.

boot.loader.systemd-boot will now verify that efiSysMountPoint (and xbootldrMountPoint if configured) are mounted partitions.

services.postgresql.extraPlugins changed its type from just a list of packages to also a function that returns such a list. For example a config line like services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ]; is recommended to be changed to services.postgresql.extraPlugins = ps: with ps; [ postgis ];;

The Matrix homeserver Synapse module now supports configuring UNIX domain socket listeners through the path option. The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.

Programs written in Nim are built with libraries selected by lockfiles. The nimPackages and nim2Packages sets have been removed. See https://nixos.org/manual/nixpkgs/unstable#nim for more information.

Portunus has been updated to major version 2. This version of Portunus supports strong password hashes, but the legacy hash SHA-256 is also still supported to ensure a smooth migration of existing user accounts. After upgrading, follow the instructions on the upstream release notes to upgrade all user accounts to strong password hashes. Support for weak password hashes will be removed in NixOS 24.11.

A stdenv’s default set of hardening flags can now be set via its bintools-wrapper’s defaultHardeningFlags argument. A convenient stdenv adapter, withDefaultHardeningFlags, can be used to override an existing stdenv’s defaultHardeningFlags.

libass now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues with mpv, ffmpeg, etc.

Lilypond and Denemo are now compiled with Guile 3.0.

The following options of the Nextcloud module were moved into services.nextcloud.settings and renamed to match the name from Nextcloud’s config.php:

The option [services.nextcloud.config.dbport] of the Nextcloud module was removed to match upstream. The port can be specified in services.nextcloud.config.dbhost.

A new abstraction to create both read-only as well as writable overlay file systems was added. Available via fileSystems.overlay. See also the NixOS docs.

systemd units can now specify the Upholds= and UpheldBy= unit dependencies via the aptly named upholds and upheldBy options. These options get systemd to enforce that the dependencies remain continuosly running for as long as the dependent unit is in a running state.

stdenv: The --replace flag in substitute, substituteInPlace, substituteAll, substituteAllStream, and substituteStream is now deprecated if favor of the new --replace-fail, --replace-warn and --replace-quiet. The deprecated --replace equates to --replace-warn.

A new hardening flag, zerocallusedregs was made available, corresponding to the gcc/clang option -fzero-call-used-regs=used-gpr.

A new hardening flag, trivialautovarinit was made available, corresponding to the gcc/clang option -ftrivial-auto-var-init=pattern.

New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see services.dnsdist.dnscrypt.enable, etc.). The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime.

With a bump to sonarr v4, existing config database files will be upgraded automatically, but note that some old apparently-working configs might actually be corrupt and fail to upgrade cleanly.

The Yama LSM is now enabled by default in the kernel, which prevents ptracing non-child processes. This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child). Or you can set boot.kernel.sysctl."kernel.yama.ptrace_scope" to 0.

The netbird module now allows running multiple tunnels in parallel through services.netbird.tunnels.

Nginx virtual hosts using forceSSL or globalRedirect can now have redirect codes other than 301 through

bacula now allows to configure TLS for encrypted communication.

redirectCode.

libjxl 0.9.0 dropped support for the butteraugli API. You will no longer be able to set enableButteraugli on libaom.

The source of the mockgen package has changed to the go.uber.org/mock fork because the original repository is no longer maintained.

security.pam.enableSSHAgentAuth was renamed to security.pam.sshAgentAuth.enable and an authorizedKeysFiles option was added, to control which authorized_keys files are trusted. It defaults to the previous behaviour, which is insecure: see #31611.

boot.kernel.sysctl."net.core.wmem_max" changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as boot.kernel.sysctl."net.core.rmem_max" since 22.11.

A new top-level package set, pkgsExtraHardening is added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features).

services.zfs.zed.enableMail now uses the global sendmail wrapper defined by an email module (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.

nextcloud-setup.service no longer changes the group of each file & directory inside /var/lib/nextcloud/{config,data,store-apps} if one of these directories has the wrong owner group. This was part of transitioning the group used for /var/lib/nextcloud, but isn’t necessary anymore.

The krb5 module has been rewritten and moved to security.krb5, moving all options but security.krb5.enable and security.krb5.package into security.krb5.settings.

Gitea 1.21 upgrade has several breaking changes, including:

The services.paperless module no longer uses the previously downloaded NLTK data stored in /var/cache/paperless/nltk. This directory can be removed.

The services.teeworlds module now has a wealth of configuration options, including a new package option.

The hardware.pulseaudio module now sets permission of pulse user home directory to 755 when running in “systemWide” mode. It fixes issue 114399.

The module services.github-runner has been removed. To configure a single GitHub Actions Runner refer to services.github-runners.*. Note that this will trigger a new runner registration.

The btrbk module now automatically selects and provides required compression program depending on the configured stream_compress option. Since this replaces the need for the extraPackages option, this option will be deprecated in future releases.

The mpich package expression now requires withPm to be a list, e.g. "hydra:gforker" becomes [ "hydra" "gforker" ].

When merging systemd unit options (of type unitOption), if at least one definition is a list, all those which aren’t are now lifted into a list, making it possible to accumulate definitions without resorting to mkForce, hence to retain the definitions not anticipating that need.

YouTrack is bumped to 2023.3. The update is not performed automatically, it requires manual interaction. See the YouTrack section in the manual for details.

QtMultimedia has changed its default backend to QT_MEDIA_BACKEND=ffmpeg (previously gstreamer on Linux or darwin on MacOS). The previous native backends remain available but are now minimally maintained. Refer to upstream documentation for further details about each platform.

The oil shell is now using the c++ version by default. The python based build is still available as oil-python

The default Nix version was updated from 2.11 to 2.13. In particular, this includes a small language alteration in the way floats are represented in builtins.toJSON. See the release notes for 2.12 and 2.13 for more information.

The default Linux Kernel was updated from version 5.15 to 6.1, see Kernelnewbies for what has changed. All Kernels currently shown on kernel.org are available.

systemd has been updated from v252 to v253, see the release notes for more information on the changes.

glibc has been updated from version 2.35 to 2.37, see the release notes for what was changed.

libxcrypt, the library providing the crypt(3) password hashing function, is now built without support for algorithms not flagged strong. This affects the availability of password hashing algorithms used for system login (login(1), passwd(1)), but also Apache2 Basic-Auth, Samba, OpenLDAP, Dovecot, and many other packages.

NixOS now defaults to using nsncd, a non-caching reimplementation of nscd in Rust, as its NSS lookup dispatcher. This replaces the buggy and deprecated nscd implementation provided through glibc. When you find problems, you can switch back by disabling it:

services.nscd.enableNsncd = false;

The internal option boot.bootspec.enable is now enabled by default because RFC 0125 was merged. This means you will have a bootspec document called boot.json generated for each system and specialisation in the top-level. This is useful to enable advanced boot use cases in NixOS, such as Secure Boot.

Two changes to nixos-rebuild are important to highlight as well.

Python implements PEP 668, providing better feedback to users that try to run pip install for system-wide or user home installations.

Cinnamon has been updated to version 5.6, see the pull request for what was changed.

GNOME has been updated to version 44, see the the release notes for details.

KDE Plasma has been updated to version 5.27, see the release notes for what was changed.

openra was updated to 20230225. Due to large scope of the update, currently only openraPackages.engines.release and openraPackages.engines.latest packages are available. If you want to use the old engine versions or mods, they were moved to the openraPackages_2019 namespace.

Akkoma, an ActivityPub microblogging server. Available as services.akkoma.

alertmanager-irc-relay, a Prometheus Alertmanager IRC Relay. Available as services.prometheus.alertmanagerIrcRelay.

alice-lg, a looking-glass for BGP sessions. Available as services.alice-lg.

atuin, a sync server for shell history. Available as services.atuin.

authelia, an open-source authentication and authorization server. Available as services.authelia.

birdwatcher, a small HTTP server meant to provide an API defined by Barry O’Donovan’s birds-eye to the BIRD internet routing daemon. Available as services.birdwatcher.

blesh, a line editor written in pure bash. Available as programs.bash.blesh.

Budgie Desktop, a familiar, modern desktop environment. Available as services.xserver.desktopManager.budgie.

clash-verge, a Clash GUI based on tauri. Available as programs.clash-verge.

Cloudlog, a web-based Amateur Radio logging application. Available as services.cloudlog.

consul-template, a template renderer, notifier, and supervisor for HashiCorp Consul and Vault data. Available as services.consul-template.

cups-pdf-to-pdf, a PDF-generating CUPS backend based on cups-pdf. Available as services.printing.cups-pdf.

Deepin Desktop Environment, an elegant, easy to use and reliable desktop environment. Available as services.xserver.desktopManager.deepin.

esphome, a dashboard to configure ESP8266/ESP32 devices for use with Home Automation systems. Available as services.esphome.

frigate, an open source NVR built around real-time AI object detection. Available as services.frigate.

fzf, a command line fuzzyfinder. Available as programs.fzf.

gemstash, a RubyGems.org cache and private gem server. Available as services.gemstash.

gitea-actions-runner, a CI runner for Gitea/Forgejo Actions. Available as services.gitea-actions-runner.

evdevremapkeys, a daemon to remap key events. Available as services.evdevremapkeys.

gmediarender, a simple, headless UPnP/DLNA renderer. Available as services.gmediarender.

go2rtc, a camera streaming application with support for RTSP, WebRTC, HomeKit, FFMPEG, RTMP and other protocols. Available as services.go2rtc.

goeland, an alternative to rss2email written in Golang with many filters. Available as services.goeland.

gonic, a Subsonic music streaming server. Available as services.gonic.

hardware.ipu6, drivers for IPU6 based webcams on Intel Tiger Lake and Alder Lake.

harmonia, a Nix binary cache implemented in Rust using libnixstore. Available as services.harmonia.

hyprland, a dynamic tiling Wayland compositor that doesn’t sacrifice on its looks. Available as programs.hyprland.

imaginary, a microservice for high-level image processing that Nextcloud can use to generate previews. Available as services.imaginary.

ivpn, a secure, private VPN with fast WireGuard connections. Available as services.ivpn.

vmalert, an alerting engine for VictoriaMetrics. Available as services.vmalert.

jellyseerr, a web-based requests manager for Jellyfin, forked from Overseerr. Available as services.jellyseerr.

kavita, a self-hosted digital library. Available as services.kavita.

keyd, a key remapping daemon for Linux. Available as services.keyd.

lldap, a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication. Available as services.lldap.

minipro, an open source program for controlling the MiniPRO TL866xx series of chip programmers. Available as programs.minipro.

mmsd, a lower level daemon that transmits and receives MMSes. Available as services.mmsd.

monica, an open source personal CRM. Available as services.monica.

networkd-dispatcher, a dispatcher service for systemd-networkd connection status changes. Available as services.networkd-dispatcher.

nimdow, a window manager written in Nim, inspired by dwm. Available as services.xserver.windowManager.nimdow.enable.

opensearch, a search server alternative to Elasticsearch. Available as services.opensearch.

openvscode-server, run VS Code on a remote machine with access through a modern web browser from any device, anywhere. Available as services.openvscode-server.

peroxide, a fork of the official ProtonMail bridge that aims to be similar to Hydroxide. Available as services.peroxide.

photoprism, a AI-powered photos app for the decentralized web. Available as services.photoprism.

Pixelfed, an Instagram-like ActivityPub server. Available as services.pixelfed.

PufferPanel, a game server management panel designed to be easy to use. Available as services.pufferpanel.

QDMR, a GUI application and command line tool for programming DMR radios programs.qdmr.

readarr, book manager and automation (Sonarr for ebooks). Available as services.readarr.

ReGreet, a clean and customizable greeter for greetd. Available as programs.regreet.

rshim, the user-space rshim driver for the BlueField SoC. Available as services.rshim.

SFTPGo, a fully featured and highly configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. Available as services.sftpgo.

sharing, a command-line tool to share directories and files from the CLI to iOS and Android devices without the need of an extra client app. Available as programs.sharing.

sniffnet, an application to monitor your network traffic. Available as programs.sniffnet.

stargazer, a fast and easy to use Gemini server. Available as services.stargazer.

stevenblack-blocklist, a unified hosts file with base extensions for blocking unwanted websites. Available as networking.stevenblack.

systemd-repart, grow and add partitions to a partition table. Available as systemd.repart and boot.initrd.systemd.repart

trippy, a network diagnostic tool. Available as programs.trippy.

tts, a battle-tested deep learning toolkit for Text-to-Speech. Multiple servers may be configured below services.tts.servers.

ulogd, a userspace logging daemon for netfilter/iptables related logging. Available as services.ulogd.

v2rayA, a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as services.v2raya.

v4l2-relayd, a streaming relay for v4l2loopback using gstreamer. Available as services.v4l2-relayd.

vault-agent, a template renderer and API auth proxy for HashiCorp Vault, similar to consul-template. Available as services.vault-agent.

webhook, a lightweight webhook server. Available as services.webhook.

wgautomesh, a simple utility to help connect wireguard nodes together in a full mesh topology. Available as services.wgautomesh.

woodpecker, a simple CI engine with great extensibility. Available as services.woodpecker-server and services.woodpecker-agents.

wstunnel, a proxy tunnelling arbitrary TCP or UDP traffic through a WebSocket connection. Available as services.wstunnel.

services.asusd configuration now uses strings instead of structured configuration, as upstream switched to the RON configuration format. Support for structured configuration may return when RON generation is implemented in nixpkgs.

borgbackup module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as services.borgbackup.jobs.<name>.inhibitsSleep.

The openssh client now comes with the ~C escape sequence disabled by default. It can be re-enabled by setting EnableEscapeCommandline yes

The programs.ssh client module does not read /etc/ssh/ssh_known_hosts2 anymore, since this location is deprecated since 2001.

The services.openssh server module does not read ~/.ssh/authorized_keys2 anymore, since this location is deprecated since 2001.

MAC-then-encrypt algorithms were removed from the default selection of services.openssh.settings.Macs. If you still require these MACs, for example when you are relying on libssh2 (e.g. VLC) or the SSH library shipped on the iPhone, you can re-add them like this:

services.openssh.settings.Macs = [
  "hmac-sha2-512"
  "hmac-sha2-256"
  "umac-128@openssh.com"
];

podman now uses the netavark network stack. Users will need to delete all of their local containers, images, volumes, etc, by running podman system reset --force once before upgrading their systems.

git-bug has been updated to at least version 0.8.0, which includes backwards incompatible changes. The git-bug-migration package can be used to upgrade existing repositories.

graylog has been updated to version 5, which can not be updated directly from the previously packaged version 3.3. If you had installed the previously packaged version 3.3, please follow the upgrade path from 3.3 to 4.0 to 4.3 to 5.0.

buildFHSUserEnv is now called buildFHSEnv and uses FlatPak’s Bubblewrap sandboxing tool rather than Nixpkgs’ own chrootenv. The old chrootenv-based implementation is still available via buildFHSEnvChroot but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs.

nushell has been updated to at least version 0.77.0, which includes potential breaking changes in aliases. The old aliases are now available as old-alias but it is recommended you migrate to the new format. See Reworked aliases.

gajim has been updated to version 1.7.3 which has disabled legacy ciphers. See changelog for version 1.7.0.

keepassx and keepassx2 have been removed, due to upstream stopping development. Consider KeePassXC as a maintained alternative.

The services.kubo.settings option is now no longer stateful. If you changed any of the options in services.kubo.settings in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you’re unsure, you may want to make a backup of your configuration file (probably /var/lib/ipfs/config) and compare after the update.

The Kubo HTTP API will no longer listen on localhost and will instead only listen on a Unix domain socket by default. Read the services.kubo.settings.Addresses.API option description for more information.

The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services. This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from /etc/ec2-metadata should now have an after dependency on fetch-ec2-metadata.service

The mailman service now defaults to using a randomly generated REST API password instead of a hard-coded one.

minio removed support for its legacy filesystem backend in RELEASE.2022-10-29T06-21-33Z. This means if your storage was created with the old format, minio will no longer start. Unfortunately, minio doesn’t provide an automatic migration, they only provide instructions how to manually convert the node. To facilitate this migration, we keep around the last version that still supports the old filesystem backend as minio_legacy_fs. Use it via services.minio.package = minio_legacy_fs; to export your data before switching to the new version. See the corresponding issue for more details.

services.sourcehut.dispatch and the corresponding package (sourcehut.dispatchsrht) have been removed due to upstream deprecation.

The attributes used by services.snapper.configs.<name> have changed. Migrate from this:

services.snapper.configs.example = {
  subvolume = "/example";
  extraConfig = ''
    ALLOW_USERS="alice"
  '';
};

to this:

services.snapper.configs.example = {
  SUBVOLUME = "/example";
  ALLOW_USERS = [ "alice" ];
};

The default module options for services.snapserver.openFirewall, services.tmate-ssh-server.openFirewall and services.unifi-video.openFirewall have been changed from true to false. You will need to explicitly set this option to true, or configure your firewall.

The option i18n.inputMethod.fcitx5.enableRimeData has been removed. Default RIME data is now included in fcitx5-rime by default, and can be customized using

fcitx5-rime.override {
  rimeDataPkgs = [
    pkgs.rime-data
    # ...
  ];
}

The udev hwdb.bin file is now built with systemd-hwdb rather than the deprecated “udevadm hwdb”. This may impact mappings where the same key is defined in multiple matching entries. The updated behavior will select the latest definition in case of conflict. In general, this should be a positive change, as the hwdb source files are designed with this ordering in mind. As an example, the mapping of the HP Dev One keyboard scan code for “mute mic” is corrected by this update. This change may impact users who have worked-around previously incorrect mappings.

Kime has been updated from 2.5.6 to 3.0.2 and the i18n.inputMethod.kime.config option has been removed. Users should use daemonModules, iconColor, and extraConfig options under i18n.inputMethod.kime instead.

tut has been updated from 1.0.34 to 2.0.0, and now uses the TOML format for the configuration file instead of INI. Additional information can be found here.

i3status-rust has been updated from 0.22.0 to 0.30.5, and this brings many changes to its configuration format. Additional information can be found here.

The wordpress derivation no longer contains any built-in plugins or themes. If you need them, you have to add them back to prevent your site from breaking. You can find them in wordpressPackages.{plugins,themes}.

llvmPackages_rocm.llvm will not contain clang or compiler-rt. llvmPackages_rocm.clang will not contain llvm. llvmPackages_rocm.clangNoCompilerRt has been removed in favor of using llvmPackages_rocm.clang-unwrapped.

services.xserver.desktopManager.plasma5.excludePackages has been moved to environment.plasma5.excludePackages, for consistency with other Desktop Environments.

teleport has been updated from major version 10 to major version 12. Please see upstream upgrade instructions and release notes for versions 11 and 12. Note that Teleport does not officially support upgrades across more than one major version at a time. If you’re running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by setting services.teleport.package = pkgs.teleport_11. Afterwards, this option can be removed to upgrade to the default version (12).

The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing /tmp on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.

The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.

gitlab has been upgraded from major version 15 to major version 16 and requires at least PostgreSQL 13.6. Check the upgrade guide in the NixOS manual on how to upgrade your PostgreSQL installation.

gitlab 16 deprecates the use of external container registries, in our case pkgs.docker-distribution. Module users who have services.gitlab.registry.enable set to true are advised to back up their state and switch to gitlab’s fork by setting services.gitlab.registry.package to pkgs.gitlab-container-registry.

fail2ban has been updated to 1.0.2, which has a few breaking changes compared to 0.11.2 (changelog for 1.0.1, changelog for 1.0.2)

albert has been updated from 0.17.6 to 0.20.13, and 0.18.0 changed the config format and many plugins (changelog for 0.18.0)

dokuwiki has been updated from 2023-07-31a (Igor) to 2023-04-04 (Jack Jackrum), which has completely removed the options to embed HTML and PHP for security reasons. The htmlok plugin can be used to regain this functionality.

The old unsupported version 6.x of the ELK-stack and Elastic beats have been removed. Use OpenSearch instead.

The cosmoc package has been removed. The upstream scripts in cosmocc should be used instead.

Qt 5.12 and 5.14 have been removed, as the corresponding branches have been EOL upstream for a long time. This affected under 10 packages in nixpkgs, largely unmaintained upstream as well, however, out-of-tree package expressions may need to be updated manually.

The services.wordpress.sites.<name>.plugins and services.wordpress.sites.<name>.themes options have been converted from sets to attribute sets to allow for consumers to specify explicit install paths via attribute name.

protonmail-bridge package has been updated to major version 3.

Nebula now runs as a system user and group created for each nebula network, using the CAP_NET_ADMIN ambient capability on launch rather than starting as root. Ensure that any files each Nebula instance needs to access are owned by the correct user and group, by default nebula-${networkName}.

The i18n.inputMethod.fcitx option has been replaced with i18n.inputMethod.fcitx5 because fcitx 4 pkgs.fcitx has been removed.

In mastodon it is now necessary to specify location of file with PostgreSQL database password. In services.mastodon.database.passwordFile parameter default value /var/lib/mastodon/secrets/db-password has been changed to null.

The nix.readOnlyStore option has been renamed to boot.readOnlyNixStore to clarify that it configures the NixOS boot process, not the Nix daemon.

The latest available version of Nextcloud is v26 (available as pkgs.nextcloud26) which uses PHP 8.2 as interpreter by default. The installation logic is as follows:

.NET 5.0 and .NET 3.1 were removed due to being end-of-life, use a newer, supported .NET version. Visit the Support Policy for more information.

The iputils package, which is installed by default, no longer provides the ninfod, rarpd and rdisc tools. See upstream’s release notes for more details and available replacements.

The ppp plugin rp-pppoe.so has been renamed to pppoe.so in ppp 2.4.9. Starting from ppp 2.5.0, there is no longer an alias for backwards compatibility. Configurations that use this plugin must be updated accordingly from plugin rp-pppoe.so to plugin pppoe.so. See upstream change.

services.xserver.videoDrivers now defaults to the modesetting driver over device-specific ones. The radeon, amdgpu and nouveau drivers are still available, but effectively unmaintained and not recommended for use. Note that this does not affect your regular graphics drivers; this only concerns the DDX component of the driver, which most people are not relying on.

services.xserver.libinput.enable is now set by default, enabling the more actively maintained and consistently behaved input device driver.

To enable the HTTP3 (QUIC) protocol for a nginx virtual host, set the quic attribute on it to true, e.g. services.nginx.virtualHosts.<name>.quic = true;.

In services.fail2ban, bantime-increment.<name> options now default to null (except bantime-increment.enable) and are used to set the corresponding option in jail.local only if not null. Also, enforce that bantime-increment.formula and bantime-increment.multipliers are not both specified.

The default asterisk package was changed to v20 from v19. Asterisk versions 16 and 19 have been dropped due to being EOL. You may need to update /var/lib/asterisk to match the template files in ${asterisk-20}/var/lib/asterisk.

conntrack helper autodetection has been removed from kernels 6.0 and up upstream, and an assertion was added to ensure things don’t silently stop working. Migrate your configuration to assign helpers explicitly or use an older LTS kernel branch as a temporary workaround.

The services.pipewire.config options have been removed, as they have basically never worked correctly. All behavior defined by the default configuration can be overridden with drop-in files as necessary - see below for details.

The catch-all hardware.video.hidpi.enable option was removed. Users on high density displays may want to:

services.pipewire.media-session and the pipewire-media-session package have been removed, as they are no longer supported upstream. Users are encouraged to use services.pipewire.wireplumber instead.

The baget package and module was removed due to being unmaintained.

The qlandkartegt and garmindev packages were removed due to being unmaintained and insecure.

The go-ethereum package has been updated to v1.11.5 and the puppeth command is no longer available as of v1.11.0.

The pnpm package has be updated to from version 7.29.1 to version 8.1.1 and Node.js 14 support has been discontinued (though, there are workarounds if Node.js 14 is still required)

The zplug package changes its output path from $out to $out/share/zplug. Users should update their dependency on ${pkgs.zplug}/init.zsh to ${pkgs.zplug}/share/zplug/init.zsh.

The pict-rs package was updated from an 0.3 alpha release to 0.3 stable, and related environment variables now require two underscores instead of one.

The shattered-pixel-dungeon game was updated from 1.1.2 to 2.0.2.

espanso has been updated to major version 2. Therefore, migration steps may need to be performed. See the official migration instructions for how to perform these migrations. Further, espanso-wayland can now be used for Wayland support.

Only k3s version 1.26 is included. Users of the k3s_1_24 or k3s_1_25 packages should upgrade to use the 1.26 version of the package.

The nerdfonts package has been updated to major version 3, which includes potential breaking changes.

To follow RFC 0042 a few options of openssh have been moved from extraConfig to the new freeform option settings and renamed, e.g.:

vim_configurable has been renamed to vim-full to avoid confusion: vim-full’s build-time features are configurable, but both vim and vim-full are customizable (in the sense of user configuration, like vimrc).

Pantheon now defaults to Mutter 43 and GNOME settings daemon 43, all Pantheon packages are now tracking elementary OS 7 updates.

The module for the application firewall opensnitch got the ability to configure rules. Available as services.opensnitch.rules

The module usbmuxd now has the ability to change the package used by the daemon. In case you’re experiencing issues with usbmuxd you can try an alternative program like usbmuxd2. Available as services.usbmuxd.package

netbox was updated to 3.5. NixOS’ services.netbox.package still defaults to 3.3 if stateVersion is earlier than 23.05. Please review upstream’s breaking changes for 3.4.0 and for 3.5.0, and upgrade NetBox by changing services.netbox.package. Database migrations will be run automatically.

services.netbox now support RFC42-style options, through services.netbox.settings.

services.mastodon gained a tootctl wrapped named mastodon-tootctl similar to nextcloud-occ which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.

services.borgmatic now allows for multiple configurations, placed in /etc/borgmatic.d/, you can define them with services.borgmatic.configurations.

service.openafsServer features a new backup server pkgs.fabs as a replacement for openafs’s own buserver. See FABS to check if this is an viable replacement. It stores backups as volume dump files and thus better integrates into contemporary backup solutions.

services.maddy got several updates:

The dnsmasq service now takes configuration via the services.dnsmasq.settings attribute set. The option services.dnsmasq.extraConfig will be deprecated when NixOS 22.11 reaches end of life.

The dokuwiki service is now configured via services.dokuwiki.sites.<name>.settings attribute set; extraConfig has been removed. The {aclUse,superUser,disableActions} attributes have been renamed accordingly. pluginsConfig now only accepts an attribute set of booleans. Passing plain PHP is no longer possible. Same applies to acl which now also only accepts structured settings.

The zsh package changes the way to set environment variables on NixOS systems where programs.zsh.enable equals false. It now sources /etc/set-environment when reading the system-level zshenv file. Before, it sourced /etc/profile when reading the system-level zprofile file.

The wordpress service now takes configuration via the services.wordpress.sites.<name>.settings attribute set, extraConfig is still available to append additional text to wp-config.php.

To reduce closure size in nixos/modules/profiles/minimal.nix profile disabled installation documentations and manuals. Also disabled logrotate and udisks2 services.

To reduce closure size in nixos/modules/installer/netboot/netboot-minimal.nix profile disabled load linux firmwares, pre-installing the complete stdenv and networking.wireless service.

The minimal ISO image now uses the nixos/modules/profiles/minimal.nix profile.

NixOS installer ISOs can now be built for powerpc64le-linux; see nixos/modules/installer/sd-card/sd-image-powerpc64le.nix and PR 192672. Hydra does not support this platform, so you must build the binaries yourself.

The ghcWithPackages and ghcWithHoogle wrappers will now also symlink GHC’s and all included libraries’ documentation to $out/share/doc for convenience. If undesired, the old behavior can be restored by overriding the builders with { installDocumentation = false; }.

The nftables module now validates its ruleset at build time. The new networking.nftables.checkRuleset option allows disabling this check, which may fail when rules have very specific requirements, that the sandbox environment, by default, will not cover. The networking.nftables.preCheckRuleset option can be used to prepare the environment before the checks are run.

The services.mastodon module now supports connection to a remote PostgreSQL database.

services.nextcloud.database.createLocally now uses socket authentication and is no longer compatible with password authentication.

services.nextcloud.config.objectstore.s3.sseCKeyFile is a new option to enable server-side encryption with customer provided keys (SSE-C) for your S3 in Nextcloud.

NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to set up the plain encryption device over the underlying block device rather than allowing them to be determined by cryptsetup(8). One can use these features like so:

swapDevices = [ {
  device = "/dev/disk/by-partlabel/swapspace";
  randomEncryption = {
    enable = true;
    cipher = "aes-xts-plain64";
    keySize = 512;
    sectorSize = 4096;
  };
} ];

New option security.pam.zfs to enable unlocking and mounting of encrypted ZFS home dataset at login.

services.peertube now requires you to specify the secret file secrets.secretsFile. It can be generated by running openssl rand -hex 32. Before upgrading, check the release notes for PeerTube v5.0.0.And backup your data.

services.chronyd is now started with additional systemd sandbox/hardening options for better security.

PostgreSQL has added opt-in support for JIT compilation. It can be enabled like this:

services.postgresql.enableJIT = true;

services.netdata offers a services.netdata.deadlineBeforeStopSec option which will control the deadline (in seconds) after which systemd will consider your netdata instance as dead if it didn’t start in the elapsed time. It is helpful when your netdata instance takes longer to start because of a large amount of state or upgrades.

services.dhcpcd service stopped soliciting or accepting IPv6 Router Advertisements on interfaces that use static IPv6 addresses. If your network provides both IPv6 unique local addresses (ULA) and globally unique addresses (GUA) through autoconfiguration with SLAAC, you must add the parameter networking.dhcpcd.IPv6rs = true;.

The module services.headscale was refactored to be compliant with RFC 0042. To be precise, this means that the following things have changed:

services.kubo now unmounts ipfsMountDir and ipnsMountDir even if it is killed unexpectedly when autoMount is enabled.

services.grafana listens only on localhost by default again. This was changed to the upstream default of 0.0.0.0 by accident in the freeform setting conversion.

Grafana Tempo has been updated to version 2.0. See the upstream upgrade guide for migration instructions.

A new virtualisation.rosetta module was added to allow running x86_64 binaries through Rosetta inside virtualised NixOS guests on Apple Silicon. This feature works by default with the UTM virtualisation package.

The new option users.motdFile allows configuring a Message Of The Day that can be updated dynamically.

The root package is now built with the "-Dgnuinstall=ON" CMake flag, making the output conform the bin lib share layout. In this layout, tutorials is under share/doc/ROOT/; cmake, font, icons, js and macro under share/root; Makefile.comp and Makefile.config under etc/root.

There are various new options in the services.nginx module:

The nginx module also received an update to services.nginx.recommendedGzipSettings:

Garage version is based on system.stateVersion, existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow upstream instructions and configure services.garage.package.

Nebula now supports the services.nebula.networks.<name>.isRelay and services.nebula.networks.<name>.relays configuration options for setting up or allowing traffic relaying. See the announcement for more details about relays.

Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.

The firewall and nat modules can now optionally rely on an nftables based implementation. Enable networking.nftables to use it.

The services.fwupd module now allows arbitrary daemon settings to be configured in a structured manner (services.fwupd.daemonSettings).

services.xserver.desktopManager.plasma5.phononBackend now defaults to vlc according to upstrean recommendation

The zramSwap is now implemented with zram-generator, and the option zramSwap.numDevices for using ZRAM devices as general purpose ephemeral block devices has been removed.

As Singularity has renamed to Apptainer to distinguish from an un-renamed fork by Sylabs Inc., there are now two packages of Singularity/Apptainer:

singularity-tools.buildImage got a new input argument singularity to specify which package to use.

The new option programs.singularity.enableFakeroot, if set to true, provides --fakeroot support for apptainer and singularity.

The new option services.tailscale.useRoutingFeatures controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to server, otherwise if you wish to use an exit node you can set this setting to client. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting.

openjdk from version 11 and above is not build with openjfx (i.e.: JavaFX) support by default anymore. You can re-enable it by overriding, e.g.: openjdk11.override { enableJavaFX = true; };.

Xastir can now access AX.25 interfaces via the libax25 package.

nixos-version now accepts --configuration-revision to display more information about the current generation revision

The option services.nomad.extraSettingsPlugins has been fixed to allow more than one plugin in the path.

The option services.prometheus.exporters.pihole.interval does not exist anymore and has been removed.

The option services.gpsd.device has been replaced with services.gpsd.devices, which supports multiple devices.

k3s can now be configured with an EnvironmentFile for its systemd service, allowing secrets to be provided without ending up in the Nix Store.

The gitea module options have been moved into a freeform attribute set below services.gitea.settings.

boot.initrd.luks.device.<name> has a new tryEmptyPassphrase option, this is useful for OEMs who need to install an encrypted disk with a future settable passphrase

The bind module now allows the per-zone allow-query setting to be configured (previously it was hard-coded to any; it still defaults to any to retain compatibility).

The option services.jitsi-videobridge.apis has been renamed to colibriRestApi and turned into a boolean. Setting it to true will enable the private rest API, useful for monitoring using services.prometheus.exporters.jitsi.enable. Learn more about the API: “The COLIBRI control interface (/colibri/)”.

Booting from a volume managed by the Stratis storage management daemon is now supported. Use fileSystems.<name>.stratis.poolUuid to configure the pool containing the fs.

buildDunePackage now defaults to strictDeps = true which means that any library should go into buildInputs or checkInputs. Any executable that is run on the building machine should go into nativeBuildInputs or nativeCheckInputs respectively. Example of executables are ocaml, findlib and menhir. PPXs are libraries which are built by dune and should therefore not go into nativeBuildInputs.

buildFHSUserEnv is now called buildFHSEnv and uses FlatPak’s Bubblewrap sandboxing tool rather than Nixpkgs’ own chrootenv. The old chrootenv-based implementation is still available via buildFHSEnvChroot but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs.

Top-level buildPlatform, hostPlatform, targetPlatform have been deprecated, use stdenv.X instead.

carnix and cratesIO has been removed due to being unmaintained, use alternatives such as naersk and crate2nix instead.

checkInputs have been renamed to nativeCheckInputs, because they behave the same as nativeBuildInputs when doCheck is set. checkInputs now denote a new type of dependencies, added to buildInputs when doCheck is set. As a rule of thumb, nativeCheckInputs are tools on $PATH used during the tests, and checkInputs are libraries which are linked to executables built as part of the tests. Similarly, installCheckInputs are renamed to nativeInstallCheckInputs, corresponding to nativeBuildInputs, and installCheckInputs are a new type of dependencies added to buildInputs when doInstallCheck is set. (Note that this change will not cause breakage to derivations with strictDeps unset, which are most packages except python, rust, ocaml and go packages).

DocBook option documentation, which has been deprecated since 22.11, will now cause a warning when documentation is built. Out-of-tree modules should migrate to using CommonMark documentation as outlined in the section called “Option Declarations” to silence this warning.

DocBook option documentation support will be removed in the next release and CommonMark will become the default. DocBook option documentation that has not been migrated until then will no longer render properly or cause errors.

lib.systems.examples.ghcjs and consequently pkgsCross.ghcjs now use the target triplet javascript-unknown-ghcjs instead of js-unknown-ghcjs. This has been done to match an upstream decision to follow Cabal’s platform naming more closely. Nixpkgs will also reject js as an architecture name.

Lisp gained a manual section, documenting a new and backwards incompatible interface. The previous interface will be removed in a future release.

Calling makeSetupHook without passing a name argument is deprecated.

nixos/lib/make-disk-image.nix handles contents arguments that are directories better, fixing a bug where it used to put them in a subdirectory of the intended target.

nixos/lib/make-disk-image.nix can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual.

Nixpkgs now uses IEEE-standard floating point arithmetic on powerpc64le-linux.

Deprecated xlibsWrapper transitional package has been removed in favour of direct use of its constituents: xorg.libX11, freetype and others.

Software that uses the crypt password hashing API is now using the implementation provided by libxcrypt instead of glibc’s, which enables support for more secure algorithms.

The NixOS documentation is now generated from markdown. While docbook is still part of the documentation build process, it’s a big step towards the full migration.

aarch64-linux is now included in the nixos-22.11 and nixos-22.11-small channels. This means that when those channel update, both x86_64-linux and aarch64-linux will be available in the binary cache.

aarch64-linux ISOs are now available on the downloads page.

nsncd is now available as a replacement of nscd.

nscd is responsible for resolving hostnames, users and more in NixOS and has been a long standing source of bugs, such as sporadic network freezes.

More context in this issue.

Help us test the new implementation by setting services.nscd.enableNsncd to true.

We plan to use nsncd by default in NixOS 23.05.

Linode cloud images are now supported by importing ${modulesPath}/virtualisation/linode-image.nix and accessing system.build.linodeImage on the output.

hardware.nvidia has a new option, hardware.nvidia.open, that can be used to enable the usage of NVIDIA’s open-source kernel driver. Note that the driver’s support for GeForce and Workstation GPUs is still alpha quality, see the release announcement for more information.

The emacs package now makes use of native compilation which means:

Haskell ghcWithPackages is now up to 15 times faster to evaluate, thanks to changing lib.closePropagation from a quadratic to linear complexity. Please see backward incompatibilities notes below. https://github.com/NixOS/nixpkgs/pull/194391

For cross-compilation targets that can also run on the building machine, we now run tests. This, for example, is the case for the pkgsStatic and pkgsLLVM package sets or i686 packages on x86_64 machines.

To simplify cross-compilation in NixOS, this release introduces the nixpkgs.hostPlatform and nixpkgs.buildPlatform options. These cover and override the nixpkgs.{system,localSystem,crossSystem} options.

The new options convey the same information, but with fewer options, and following the Nixpkgs terminology.

The existing options nixpkgs.{system,localSystem,crossSystem} have not been formally deprecated, to allow for evaluation of the change and to allow for a transition period so that in time the ecosystem can switch without breaking compatibility with any supported NixOS release.

Nix has been upgraded from v2.8.1 to v2.11.0. For more information, please see the release notes for 2.9, 2.10 and 2.11.

OpenSSL now defaults to OpenSSL 3, updated from 1.1.1.

GNOME has been upgraded to version 43. Please see the release notes for details.

KDE Plasma has been upgraded from v5.24 to v5.26. Please see the release notes for v5.25 and v5.26 for more details on the included changes.

Cinnamon has been updated to 5.4, and the Cinnamon module now defaults to Blueman as the Bluetooth manager and slick-greeter as the LightDM greeter, to match upstream.

PHP now defaults to PHP 8.1, updated from 8.0.

Perl has been updated to 5.36, and its core module HTTP::Tiny was patched to verify SSL/TLS certificates by default.

Python now defaults to 3.10, updated from 3.9.

Nixpkgs now requires Nix 2.3 or newer.

The isCompatible predicate checking CPU compatibility is no longer exposed by the platform sets generated using lib.systems.elaborate. In most cases you will want to use the new canExecute predicate instead which also takes the kernel / syscall interface into account. lib.systems.parse.isCompatible still exists, but has changed semantically: Architectures with differing endianness modes are no longer considered compatible.

ngrok has been upgraded from 2.3.40 to 3.0.4. Please see the upgrade guide and changelog. Notably, breaking changes are that the config file format has changed and support for single hyphen arguments was dropped.

i18n.supportedLocales is now only generated with the locales set in i18n.defaultLocale and i18n.extraLocaleSettings.

Deprecated settings logrotate.paths and logrotate.extraConfig have been removed. Please convert any uses to services.logrotate.settings instead.

The isPowerPC predicate, found on platform attrsets (hostPlatform, buildPlatform, targetPlatform, etc) has been removed in order to reduce confusion. The predicate was was defined such that it matches only the 32-bit big-endian members of the POWER/PowerPC family, despite having a name which would imply a broader set of systems. If you were using this predicate, you can replace foo.isPowerPC with (with foo; isPower && is32bit && isBigEndian).

The fetchgit fetcher now uses cone mode by default for sparse checkouts. Non-cone mode can be enabled by passing nonConeMode = true, but note that non-cone mode is deprecated and this option may be removed alongside a future Git update without notice.

The fetchgit fetcher supports sparse checkouts via the sparseCheckout option. This used to accept a multi-line string with directories/patterns to check out, but now requires a list of strings.

openssh was updated to version 9.1, disabling the generation of DSA keys when using ssh-keygen -A as they are insecure. Also, SetEnv directives in ssh_config and sshd_config are now first-match-wins.

bsp-layout no longer uses the command cycle to switch to other window layouts, as it got replaced by the commands previous and next.

The Barco ClickShare driver/client package pkgs.clickshare-csc1 and the option programs.clickshare-csc1.enable have been removed, as it requires qt4, which reached its end-of-life 2015 and will no longer be supported by nixpkgs. According to Barco many of their base unit models can be used with Google Chrome and the Google Cast extension.

services.hbase has been renamed to services.hbase-standalone. For production HBase clusters, use services.hadoop.hbase instead.

The p4 package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries p4d, p4broker, and p4p. To install the Helix Core Server binaries, use the p4d package instead.

The OpenSSL extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if system.stateVersion is below 22.11. This is to make sure that people using server-side encryption don’t lose access to their files.

In any other case, it’s safe to use OpenSSL 3 for PHP’s OpenSSL extension. This can be done by setting services.nextcloud.enableBrokenCiphersForSSE to false.

The coq package and versioned variants starting at coq_8_14 no longer include CoqIDE, which is now available through coqPackages.coqide. It is still possible to get CoqIDE as part of the coq package by overriding the buildIde argument of the derivation.

PHP 7.4 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 22.11 release.

The ipfs package and module were renamed to kubo. The kubo module now uses an RFC42-style settings option instead of extraConfig and the gatewayAddress, apiAddress and swarmAddress options were renamed. Using the old names will print a warning but still work.

pkgs.cosign does not provide the cosigned binary anymore. The sget binary has been moved into its own package.

Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues. Users who still wish to remain using GTK can do so by using emacs-gtk.

kanidm has been updated to 1.1.0-alpha.10 and now requires a TLS certificate and key. It will always start https and-–-if enabled-–-an LDAPS server and no HTTP and LDAP server anymore.

riak package removed along with services.riak module, due to lack of maintainer to update the package.

ppd files in pkgs.cups-drv-rastertosag-gdi are now gzipped. If you refer to such a ppd file with its path (e.g. via hardware.printers.ensurePrinters) you will need to append .gz to the path.

xow package removed along with the hardware.xow module, due to the project being deprecated in favor of xone, which is available via the hardware.xone module.

dd-agent package removed along with the services.dd-agent module, due to the project being deprecated in favor of datadog-agent, which is available via the services.datadog-agent module.

teleport has been upgraded to major version 10. Please see upstream upgrade instructions and release notes.

lib.closePropagation now needs that all gathered sets have an outPath attribute.

lemmy module option services.lemmy.settings.database.createLocally moved to services.lemmy.database.createLocally.

virtlyst package and services.virtlyst module removed, due to lack of maintainers.

The nix.checkConfig option now fully disables the config check. The new nix.checkAllErrors option behaves like nix.checkConfig previously did.

generateOptparseApplicativeCompletions and generateOptparseApplicativeCompletion from haskell.lib.compose (and haskell.lib) have been deprecated in favor of generateOptparseApplicativeCompletions (plural!) as provided by the haskell package sets (so haskellPackages.generateOptparseApplicativeCompletions etc.). The latter allows for cross-compilation (by automatically disabling generation of completion in the cross case). For it to work properly you need to make sure that the function comes from the same context as the package you are trying to override, i.e. always use the same package set as your package is coming from or – even better – use self.generateOptparseApplicativeCompletions if you are overriding a haskell package set. The old functions are retained for backwards compatibility, but yield are warning.

The services.graphite.api and services.graphite.beacon NixOS options, and the python3.pkgs.graphite_api, python3.pkgs.graphite_beacon and python3.pkgs.influxgraph packages, have been removed due to lack of upstream maintenance.

The trace binary from perf-linux package has been removed, due to being a duplicate of the perf binary.

The aws package has been removed due to being abandoned by the upstream. It is recommended to use awscli or awscli2 instead.

The CEmu TI-84 Plus CE emulator package has been renamed to cemu-ti. The Cemu Wii U emulator is now packaged as cemu.

systemd-networkd v250 deprecated, renamed, and moved some sections and settings which leads to the following breaking module changes:

arangodb versions 3.3, 3.4, and 3.5 have been removed because they are at EOL upstream. The default is now 3.10.0. Support for aarch64-linux has been removed since the target cannot be built reproducibly. By default arangodb is now built for the haswell architecture. If you wish to build for a different architecture, you may override the targetArchitecture argument with a value from this list supported upstream. Some architecture specific optimizations are also conditionally enabled. You may alter this behavior by overriding the asmOptimizations parameter. You may also add additional architecture support by adding more -DHAS_XYZ flags to cmakeFlags via overrideAttrs.

The meta.mainProgram attribute of packages in wineWowPackages now defaults to "wine64".

The paperless module now defaults PAPERLESS_TIME_ZONE to your configured system timezone.

The top-level termonad-with-packages alias for termonad has been removed.

Linux 4.9 has been removed because it will reach its end of life within the lifespan of 22.11.

(Neo)Vim can not be configured with configure.pathogen anymore to reduce maintenance burden. Use configure.packages instead.

Neovim can not be configured with plug anymore (still works for vim).

The adguardhome module no longer uses host and port options, use settings.bind_host and settings.bind_port instead.

The default kops version is now 1.25.1 and support for 1.22 and older has been dropped.

The zrepl package has been updated from 0.5.0 to 0.6.0. See the changelog for details.

k3s no longer supports Docker as runtime due to upstream dropping support.

cassandra_2_1 and cassandra_2_2 have been removed. Please update to cassandra_3_11 or cassandra_3_0. See the changelog for more information about the upgrade process.

mysql57 has been removed. Please update to mysql80 or mariadb. See the upgrade guide for more information.

Consequently, cqrlog and amorok now use mariadb instead of mysql57 for their embedded databases. Running mysql_upgrade may be necessary.

k3s supports clusterInit option, and it is enabled by default, for servers.

percona-server56 has been removed. Please migrate to mysql or mariadb if possible.

obs-studio hase been updated to version 28. If you have packaged custom plugins, check if they are compatible. obs-websocket has been integrated into obs-studio.

signald has been bumped to 0.23.0. For the upgrade, a migration process is necessary. It can be done by running a command like this before starting signald.service:

signald -d /var/lib/signald/db \
  --database sqlite:/var/lib/signald/db \
  --migrate-data

For further information, please read the upstream changelogs.

stylua no longer accepts lua52Support and luauSupport overrides. Use features instead, which defaults to [ "lua54" "luau" ].

ocamlPackages.ocaml_extlib has been renamed to ocamlPackages.extlib.

pkgs.fetchNextcloudApp has been rewritten to circumvent impurities in e.g. tarballs from GitHub and to make it easier to apply patches. This means that your hashes are out-of-date and the (previously required) attributes name and version are no longer accepted.

The Syncthing service now only allows absolute paths—starting with / or ~/—for services.syncthing.folders.<name>.path. In a future release other paths will be allowed again and interpreted relative to services.syncthing.dataDir.

services.github-runner and services.github-runners.<name> gained the option serviceOverrides which allows overriding the systemd serviceConfig. If you have been overriding the systemd service configuration (i.e., by defining systemd.services.github-runner.serviceConfig), you have to use the serviceOverrides option now. Example:

services.github-runner.serviceOverrides.SupplementaryGroups = [
  "docker"
];

PHP is now built in NTS (Non-Thread Safe) mode by default.

firefox, thunderbird and librewolf now come with Wayland support by default. The firefox-wayland, firefox-esr-wayland, thunderbird-wayland and librewolf-wayland attributes are obsolete and have been aliased to their generic attribute.

The xplr package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the upstream release notes for more details.

Configuring multiple GitHub runners is now possible through services.github-runners.<name>. The options under services.github-runner remain, to configure a single runner.

github-runner gained support for ephemeral runners and registrations using a personal access token (PAT) instead of a registration token. See services.github-runner.ephemeral and services.github-runner.tokenFile for details.

A new module was added to provide hardware support for the Saleae Logic device family, providing the options hardware.saleae-logic.enable and hardware.saleae-logic.package.

ZFS module will no longer allow hibernation by default.

Mastodon now automatically removes remote media attachments older than 30 days. This is configurable through services.mastodon.mediaAutoRemove.

The Redis module now disables RDB persistence when services.redis.servers.<name>.save = [] instead of using the Redis default.

Neo4j was updated from version 3 to version 4. See upstream’s migration guide for information on how to migrate your instance.

The networking.wireguard module now can set the mtu on interfaces and tag its packets with an fwmark.

The option overrideStrategy was added to the different systemd unit options (systemd.services.<name>, systemd.sockets.<name>, …) to allow enforcing the creation of a dropin file, rather than the main unit file, by setting it to asDropin. This is useful in cases where the existence of the main unit file is not known to Nix at evaluation time, for example when the main unit file is provided by adding a package to systemd.packages. See the fix proposed in NixOS’s systemd abstraction doesn’t work with systemd template units for an example.

The polymc package has been removed due to a rogue maintainer. It has been replaced by prismlauncher, a fork by the rest of the maintainers. For more details, see the PR that made this change and the issue detailing the vulnerability. Users with existing installations should rename ~/.local/share/polymc to ~/.local/share/PrismLauncher. The main config file’s path has also moved from ~/.local/share/polymc/polymc.cfg to ~/.local/share/PrismLauncher/prismlauncher.cfg.

The bloat package has been updated from unstable-2022-03-31 to unstable-2022-10-25, which brings a breaking change. See this upstream commit message for details.

Synapse’s systemd unit has been hardened.

The module services.grafana was refactored to be compliant with RFC 0042. To be precise, this means that the following things have changed:

The services.grafana.provision.alerting option was added. It includes suboptions for every alerting-related objects (with the exception of notifiers), which means it’s now possible to configure modern Grafana alerting declaratively.

Synapse now requires entries in the state_group_edges table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.

The diamond package has been update from 0.8.36 to 2.0.15. See the upstream release notes for more details.

The guake package has been updated from 3.6.3 to 3.9.0, see the changelog for more details.

The netlify-cli package has been updated from 6.13.2 to 12.2.4, see the changelog for more details.

dockerTools.buildImage’s contents parameter has been deprecated in favor of copyToRoot. Use copyToRoot = buildEnv { ... }; or similar if you intend to add packages to /bin.

The proxmox.qemuConf.bios option was added, it corresponds to Hardware->BIOS field in Proxmox web interface. Use "ovmf" value to build UEFI image, default value remains "bios". New option proxmox.partitionTableType defaults to either "legacy" or "efi", depending on the bios value. Setting partitionTableType to "hybrid" results in an image, which supports both methods ("bios" and "ovmf"), thereby remaining bootable after change to Proxmox Hardware->BIOS field.

memtest86+ was updated from 5.00-coreboot-002 to 6.00-beta2. It is now the upstream version from https://www.memtest.org/, as coreboot’s fork is no longer available.

Option descriptions, examples, and defaults writing in DocBook are now deprecated. Using CommonMark is preferred and will become the default in a future release.

The documentation.nixos.options.allowDocBook option was added to ease the transition to CommonMark option documentation. Setting this option to false causes an error for every option included in the manual that uses DocBook documentation; it defaults to true to preserve the previous behavior and will be removed once the transition to CommonMark is complete.

The Redis module now persists each instance’s configuration file in the state directory, in order to support some more advanced use cases like Sentinel.

protonup has been aliased to and replaced by protonup-ng due to upstream not maintaining it.

The udisks2 service, available at services.udisks2.enable, is now disabled by default. It will automatically be enabled through services and desktop environments as needed. This also means that polkit will now actually be disabled by default. The default for security.polkit.enable was already flipped in the previous release, but udisks2 being enabled by default re-enabled it.

Nextcloud has been updated to version 25. Additionally the following things have changed for Nextcloud in NixOS:

systemd-oomd is enabled by default. Depending on which systemd units have ManagedOOMSwap=kill or ManagedOOMMemoryPressure=kill, systemd-oomd will SIGKILL all the processes under the appropriate descendant cgroups when the configured limits are exceeded. NixOS does currently not configure cgroups with oomd by default, this can be enabled using systemd.oomd.enableRootSlice, systemd.oomd.enableSystemSlice, and systemd.oomd.enableUserServices.

The tt-rss service performs two database migrations when you first use its web UI after upgrade. Consider backing up its database before updating.

The pass-secret-service package now includes systemd units from upstream, so adding it to the NixOS services.dbus.packages option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API.

The Wordpress module now has support for installing language packs through a new option, services.wordpress.sites.<site>.languages.

The default package for services.mullvad-vpn.package was changed to pkgs.mullvad, allowing cross-platform usage of Mullvad. pkgs.mullvad only contains the Mullvad CLI tool, so users who rely on the Mullvad GUI will want to change it back to pkgs.mullvad-vpn, or add pkgs.mullvad-vpn to their environment.

PowerDNS has been updated from v4.6.2 to v4.7.2. Please be sure to review the Upgrade Notes provided by upstream before upgrading. Worth specifically noting is that the new Catalog Zones feature comes with a mandatory schema change for the GSQL database backends, which has to be manually applied.

There is a new module for the thunar program (the Xfce file manager), which depends on the xfconf dbus service, and also has a dbus service and a systemd unit. The option services.xserver.desktopManager.xfce.thunarPlugins has been renamed to programs.thunar.plugins, and may be removed in a future release.

There is a new module for xfconf (the Xfce configuration storage system), which has a dbus service.

The Mastodon package has been upgraded to v4.0.0. See the v4.0.0 release notes for a list of changes. On standard setups, no manual migration steps are required. Nevertheless, a database backup is recommended.

The nomad package now defaults to v1.3, which no longer has a downgrade path to v1.2 or older.

The nodePackages package set now defaults to the LTS release in the nodejs package again, instead of being pinned to nodejs-14_x. Several updates to node2nix have been made for compatibility with newer Node.js and npm versions and a new postRebuild hook has been added for packages to perform extra build steps before the npm install step prunes dev dependencies.

boot.kernel.sysctl is defined as a freeformType and adds a custom merge option for net.core.rmem_max (taking the highest value defined to avoid conflicts between 2 services trying to set that value).

The mame package does not ship with its tools anymore in the default output. They were moved to a separate tools output instead. For convenience, mame-tools package was added for those who want to use it.

A NixOS module for Firefox has been added which allows preferences and policies to be set. This also allows extensions to be installed via the ExtensionSettings policy. The new options are under programs.firefox.

The option services.picom.experimentalBackends was removed since it is now the default and the option will cause picom to quit instead.

haskellPackages.callHackage is not always invalidated if all-cabal-hashes changes, leading to less rebuilds of haskell dependencies.

haskellPackages.callHackage and haskellPackages.callCabal2nix (and related functions) no longer keep a reference to the cabal2nix call used to generate them. As a result, they will be garbage collected more often.

alps, a simple and extensible webmail. Available as services.alps.

appvm, Nix based app VMs. Available as virtualisation.appvm.

AusweisApp2, the authentication software for the German ID card. Available as programs.ausweisapp.

automatic-timezoned. a Linux daemon to automatically update the system timezone based on location. Available as services.automatic-timezoned.

Dolibarr, an enterprise resource planning and customer relationship manager. Enable using services.dolibarr.

dragonflydb, a modern replacement for Redis and Memcached. Available as services.dragonflydb.

endlessh-go, an SSH tarpit that exposes Prometheus metrics. Available as services.endlessh-go.

endlessh, an SSH tarpit. Available as services.endlessh.

EVCC is an EV charge controller with PV integration. It supports a multitude of chargers, meters, vehicle APIs and more and ties that together with a well-tested backend and a lightweight web frontend. Available as services.evcc.

expressvpn, the CLI client for ExpressVPN. Available as services.expressvpn.

FreshRSS, a free, self-hostable RSS feed aggregator. Available as services.freshrss.

Garage, a simple object storage server for geodistributed deployments, alternative to MinIO. Available as services.garage.

go-autoconfig, IMAP/SMTP autodiscover server. Available as services.go-autoconfig.

Grafana Tempo, a distributed tracing store. Available as services.tempo.

HBase cluster, a distributed, scalable, big data store. Available as services.hadoop.hbase.

infnoise, a hardware True Random Number Generator dongle. Available as services.infnoise.

kanata, a tool to improve keyboard comfort and usability with advanced customization. Available as services.kanata.

karma, an alert dashboard for Prometheus Alertmanager. Available as services.karma

Komga, a free and open source comics/mangas media server. Available as services.komga.

kthxbye, an alert acknowledgement management daemon for Prometheus Alertmanager. Available as services.kthxbye

languagetool, a multilingual grammar, style, and spell checker. Available as services.languagetool.

Listmonk, a self-hosted newsletter manager. Enable using services.listmonk.

Mepo, a fast, simple, hackable OSM map viewer for mobile and desktop Linux. Available as programs.mepo.enable.

merecat, a small and easy HTTP server based on thttpd. Available as services.merecat

netbird, a zero configuration VPN. Available as services.netbird.

ntfy.sh, a push notification service. Available as services.ntfy-sh

OpenRGB, a FOSS tool for controlling RGB lighting. Available as services.hardware.openrgb.enable.

Outline, a wiki and knowledge base similar to Notion. Available as services.outline.

Patroni, a template for PostgreSQL HA with ZooKeeper, etcd or Consul. Available as services.patroni.

persistent-evdev, a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as services.persistent-evdev.

Please, a Sudo clone written in Rust. Available as security.please.

Prometheus IPMI exporter, an IPMI exporter for Prometheus. Available as services.prometheus.exporters.ipmi.

Sachet, an SMS alerting tool for the Prometheus Alertmanager. Available as services.prometheus.sachet.

schleuder, a mailing list manager with PGP support. Enable using services.schleuder.

syncstorage-rs, a self-hostable sync server for Firefox. Available as services.firefox-syncserver.

Tandoor Recipes, a self-hosted multi-tenant recipe collection. Available as services.tandoor-recipes.

TAYGA, an out-of-kernel stateless NAT64 implementation. Available as services.tayga.

tmate-ssh-server, server side part of tmate. Available as services.tmate-ssh-server.

Uptime Kuma, a fancy self-hosted monitoring tool. Available as services.uptime-kuma.

WriteFreely, a simple blogging platform with ActivityPub support. Available as services.writefreely.

xray, a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as services.xray.

Nix has been updated from 2.3 to 2.8. This mainly brings experimental support for Flakes, but also marks the nix command as experimental which now has to be enabled via the configuration explicitly. For more information and instructions for upgrades, see the release notes for nix-2.4, nix-2.5, nix-2.6, nix-2.7 and nix-2.8

The firefox browser on x86_64-linux now makes use of profile-guided optimisation, resulting in a much more responsive browsing experience.

GNOME has been upgraded to 42. Please take a look at their Release Notes for details. In particular, it replaces gedit with GNOME Text Editor, GNOME Terminal with GNOME Console (formerly King’s Cross) and GNOME Screenshot by a tool integrated into the Shell.

PHP 8.1 is now available.

systemd services can now set systemd.services.<name>.reloadTriggers instead of reloadIfChanged for a more granular distinction between reloads and restarts.

Systemd has been upgraded to the version 250.

Pulseaudio has been updated to version 15.0 and now optionally supports additional Bluetooth audio codecs such as aptX or LDAC, with codec switching available in pavucontrol. This feature is disabled by default, but can be enabled with the option hardware.pulseaudio.package = pkgs.pulseaudioFull;. Existing third-party modules that offered similar functions, such as pulseaudio-modules-bt or pulseaudio-hsphfpd, are obsolete and have been removed.

PostgreSQL now defaults to major version 14.

Module authors can use mkRenamedOptionModuleWith to automate the deprecation cycle without annoying out-of-tree module authors and their users.

The default GHC version has been updated from 8.10.7 to 9.0.2. pkgs.haskellPackages and pkgs.ghc will now use this version by default.

The GNOME and Plasma installation CDs now use pkgs.calamares and pkgs.calamares-nixos-extensions to allow users to easily install and set up NixOS with a GUI.

security.acme.defaults has been added to simplify the configuration of settings for many certificates at once. This also opens up the option to use DNS-01 validation when using enableACME web server virtual hosts (e.g. services.nginx.virtualHosts.*.enableACME).

1password, command-lines and graphic interface for 1Password. Available as programs._1password and programs._1password-gui.

aesmd, the Intel SGX Architectural Enclave Service Manager. Available as services.aesmd.

agate, a very simple server for the Gemini hypertext protocol. Available as services.agate.

apfs, a kernel module for mounting the Apple File System (APFS).

argonone, a replacement daemon for the Raspberry Pi Argon One power button and cooler. Available at services.hardware.argonone.

ArchiSteamFarm, a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as services.archisteamfarm.

BaGet, a lightweight NuGet and symbol server. Available at services.baget.

bird-lg, a BGP looking glass for Bird Routing. Available as services.bird-lg.

blocky, fast and lightweight DNS proxy as ad-blocker for local network with many features. Available as services.blocky.

cloudflare-dyndns, CloudFlare Dynamic DNS client. Available as services.cloudflare-dyndns.

Corosync and Pacemaker, A open-source high availability resource manager. Available as services.corosync and services.pacemaker.

create_ap, a module for creating wifi hotspots using the program linux-wifi-hotspot. Available as services.create_ap.

Envoy, a high-performance reverse proxy. Available as services.envoy.

ergochat, a modern IRC with IRCv3 features. Available as services.ergochat.

ethercalc, an online collaborative spreadsheet. Available as services.ethercalc.

filebeat, a lightweight shipper for forwarding and centralizing log data. Available as services.filebeat.

FRRouting, a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VRRP and others). Available as services.frr.

Grafana Mimir, an open source, horizontally scalable, highly available, multi-tenant, long-term storage for Prometheus. Available as services.mimir.

Haste, a pastebin written in node.js. Available as services.haste.

headscale, an Open Source implementation of the Tailscale Control Server. Available as services.headscale.

heisenbridge, a bouncer-style Matrix IRC bridge. Available as services.heisenbridge.

https-dns-proxy, DNS to DNS over HTTPS (DoH) proxy. Available as services.https-dns-proxy.

input-remapper, an easy to use tool to change the mapping of your input device buttons. Available at services.input-remapper.

InvoicePlane, web application for managing and creating invoices. Available at services.invoiceplane.

k3b, the KDE disk burning application. Available as programs.k3b.

K40-Whisperer, a program to control cheap Chinese laser cutters. Available as programs.k40-whisperer.enable. Users must add themselves to the k40 group to be able to access the device.

kanidm, an identity management server written in Rust. Available as services.kanidm

Maddy, a free an open source mail server. Available as services.maddy.

matrix-conduit, a simple, fast and reliable chat server powered by matrix. Available as services.matrix-conduit.

Moosefs, fault tolerant petabyte distributed file system. Available as moosefs.

mozillavpn, the client for the Mozilla VPN service. Available as services.mozillavpn.

mtr-exporter, a Prometheus exporter for mtr metrics. Available as services.mtr-exporter.

nbd, a Network Block Device server. Available as services.nbd.

netbox, infrastructure resource modeling (IRM) tool. Available as services.netbox.

nethoscope, listen to your network traffic. Available as programs.nethoscope.

nifi, an easy to use, powerful, and reliable system to process and distribute data. Available as services.nifi.

nix-ld, Run unpatched dynamic binaries on NixOS. Available as programs.nix-ld.

NNCP, NNCP (Node to Node copy) utilities and configuration, Available as programs.nncp.

pgadmin4, an admin interface for the PostgreSQL database. Available at services.pgadmin.

PowerDNS-Admin, a web interface for the PowerDNS server. Available at services.powerdns-admin.

prometheus-pve-exporter, a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as services.prometheus.exporters.pve.

prosody-filer, a server for handling XMPP HTTP Upload requests. Available at services.prosody-filer.

Public Inbox, an “archives first” approach to mailing lists. Available as services.public-inbox.

r53-ddns, a small tool to run your own DDNS service via AWS Route53. Available as services.r53-ddns.

rmfakecloud, a clone of the cloud sync the remarkable tablet. Available as services.rmfakecloud.

rootless Docker, a systemd --user Docker service which runs without root permissions. Available as virtualisation.docker.rootless.enable.

rstudio-server, a browser-based version of the RStudio IDE for the R programming language. Available as services.rstudio-server.

mediamtx, ready-to-use RTSP / RTMP / HLS server and proxy that allows to read, publish and proxy video and audio streams. Available as services.mediamtx.

Snipe-IT, a free open source IT asset/license management system. Available as services.snipe-it.

snowflake-proxy, a system to defeat internet censorship. Available as services.snowflake-proxy.

sslmate-agent, a daemon for managing SSL/TLS certificates on a server. Available as services.sslmate-agent.

starship, a minimal, blazing-fast, and infinitely customizable prompt for any shell. Available at programs.startship.

systembus-notify, allow system level notifications to reach the users. Available as services.systembus-notify. Please keep in mind that this service should only be enabled on machines with fully trusted users, as any local user is able to DoS user sessions by spamming notifications.

teleport, allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at services.teleport.

tetrd, share your internet connection from your device to your PC and vice versa through a USB cable. Available at services.tetrd.

uptermd, an open-source solution for sharing terminal sessions instantly over the public internet via secure tunnels. Available at services.uptermd.

usbrelayd, an USB Relay MQTT daemon. Available as services.usbrelayd.

webdav-server-rs, Webdav server in rust. Available as services.webdav-server-rs.

wg-netmanager, the Wireguard network manager. Available as services.wg-netmanager.

Zammad, a web-based, open source user support/ticketing solution. Available as services.zammad.

pkgs.ghc now refers to pkgs.targetPackages.haskellPackages.ghc. This only makes a difference if you are cross-compiling and will ensure that pkgs.ghc always runs on the host platform and compiles for the target platform (similar to pkgs.gcc for example). haskellPackages.ghc still behaves as before, running on the build platform and compiling for the host platform (similar to stdenv.cc). This means you don’t have to adjust your derivations if you use haskellPackages.callPackage, but when using pkgs.callPackage and taking ghc as an input, you should now use buildPackages.ghc instead to ensure cross compilation keeps working (or switch to haskellPackages.callPackage).

pkgs.ghc.withPackages as well as haskellPackages.ghcWithPackages etc. now needs be overridden directly, as opposed to overriding the result of calling it. Additionally, the withLLVM parameter has been renamed to useLLVM. So instead of (ghc.withPackages (p: [])).override { withLLVM = true; }, one needs to use (ghc.withPackages.override { useLLVM = true; }) (p: []).

The update of the haskell package set brings with it a new version of the xmonad module, which will break your configuration if you use launch as entrypoint. The example code the corresponding nixos module was adjusted, you may want to have a look at it.

The home-assistant module now requires users that don’t want their configuration to be managed declaratively to set services.home-assistant.config = null;. This is required due to the way default settings are handled with the new settings style.

Additionally the default list of extraComponents now includes the minimal dependencies to successfully complete the onboarding procedure.

pkgs.emacsPackages.orgPackages is removed because org elpa is deprecated. The packages in the top level of pkgs.emacsPackages, such as org and org-contrib, refer to the ones in pkgs.emacsPackages.elpaPackages and pkgs.emacsPackages.nongnuPackages where the new versions will release.

The configuration and state directories used by nixos-containers have been moved from /etc/containers and /var/lib/containers to /etc/nixos-containers and /var/lib/nixos-containers.

If you are changing system.stateVersion to "22.05" manually on an existing system you are responsible for migrating these directories yourself.

This is to improve compatibility with libcontainer based software such as Podman and Skopeo which assumes they have ownership over /etc/containers.

lib.systems.supported has been removed, as it was overengineered for determining the systems to support in the nixpkgs flake. The list of systems exposed by the nixpkgs flake can now be accessed as lib.systems.flakeExposed.

For new installations virtualisation.oci-containers.backend is now set to podman by default. If you still want to use Docker on systems where system.stateVersion is set to to "22.05" set virtualisation.oci-containers.backend = "docker";.Old systems with older stateVersions stay with “docker”.

security.klogd was removed. Logging of kernel messages is handled by systemd since Linux 3.5.

pkgs.ssmtp has been dropped due to the program being unmaintained. pkgs.msmtp can be used instead as a substitute sendmail implementation. The corresponding options services.ssmtp.* have been removed as well. programs.msmtp.* can be used instead for an equivalent setup. For example:

{
  # Original ssmtp configuration:
  services.ssmtp = {
    enable = true;
    useTLS = true;
    useSTARTTLS = true;
    hostName = "smtp.example:587";
    authUser = "someone";
    authPassFile = "/secrets/password.txt";
  };

  # Equivalent msmtp configuration:
  programs.msmtp = {
    enable = true;
    accounts.default = {
      tls = true;
      tls_starttls = true;
      auth = true;
      host = "smtp.example";
      port = 587;
      user = "someone";
      passwordeval = "cat /secrets/password.txt";
    };
  };
}

services.kubernetes.addons.dashboard was removed due to it being an outdated version.

services.kubernetes.scheduler.{port,address} now set --secure-port and --bind-address instead of --port and --address, since the former have been deprecated and are no longer functional in kubernetes>=1.23. Ensure that you are not relying on the insecure behaviour before upgrading.

In the PowerDNS Recursor module (services.pdns-recursor), default values of several IP address-related NixOS options have been updated to match the default upstream behavior. In particular, Recursor by default will:

In the ncdns module, the default value of services.ncdns.address has been changed to the IPv6 loopback address (::1).

openldap (and therefore the slapd LDAP server) were updated to version 2.6.2. The project introduced backwards-incompatible changes, namely the removal of the bdb, hdb, ndb, and shell backends in slapd. Therefore before updating, dump your database slapcat -n 1 in LDIF format, and reimport it after updating your services.openldap.settings, which represents your cn=config.

Additionally with 2.5 the argon2 module was included in the standard distribution and renamed from pw-argon2 to argon2. Remember to update your olcModuleLoad entry in cn=config.

openssh has been update to 8.9p1, changing the FIDO security key middleware interface.

git no longer hardcodes the path to openssh’ ssh binary to reduce the amount of rebuilds. If you are using git with ssh remotes and do not have a ssh binary in your environment consider adding openssh to it or switching to gitFull.

services.k3s.enable no longer implies systemd.enableUnifiedCgroupHierarchy = false, and will default to the ‘systemd’ cgroup driver when using services.k3s.docker = true. This change may require a reboot to take effect, and k3s may not be able to run if the boot cgroup hierarchy does not match its configuration. The previous behavior may be retained by explicitly setting systemd.enableUnifiedCgroupHierarchy = false in your configuration.

fonts.fonts no longer includes ancient bitmap fonts when both config.services.xserver.enable and config.nixpkgs.config.allowUnfree are enabled. If you still want these fonts, use:

{
  fonts.fonts = [
    pkgs.xorg.fontbhlucidatypewriter100dpi
    pkgs.xorg.fontbhlucidatypewriter75dpi
    pkgs.xorg.fontbh100dpi
  ];
}

services.prometheus.alertManagerTimeout has been removed as it has been deprecated upstream and has no effect.

The DHCP server (services.dhcpd4, services.dhcpd6) has been hardened. The service is now using the systemd’s DynamicUser mechanism to run as an unprivileged dynamically-allocated user with limited capabilities. The dhcpd state files are now always stored in /var/lib/dhcpd{4,6} and the services.dhcpd4.stateDir and service.dhcpd6.stateDir options have been removed. If you were depending on root privileges or set{uid,gid,cap} binaries in dhcpd shell hooks, you may give dhcpd more capabilities with e.g. systemd.services.dhcpd6.serviceConfig.AmbientCapabilities.

The mailpile email webclient (services.mailpile) has been removed due to its reliance on python2.

services.ipfs.extraFlags is now escaped with utils.escapeSystemdExecArgs. If you rely on systemd interpolating extraFlags in the service ExecStart, this will no longer work.

hbase version 0.98.24 has been removed. The package now defaults to version 2.4.11. Versions 1.7.1 and 3.0.0-alpha-2 are also available.

services.paperless-ng was renamed to services.paperless. Accordingly, the paperless-ng-manage script (located in dataDir) was renamed to paperless-manage. services.paperless now uses paperless-ngx.

The matrix-synapse service (services.matrix-synapse) has been converted to use the settings option defined in RFC42. This means that options that are part of your homeserver.yaml configuration, and that were specified at the top-level of the module (services.matrix-synapse) now need to be moved into services.matrix-synapse.settings. And while not all options you may use are defined in there, they are still supported, because you can set arbitrary values in this freeform type.

The listeners.*.bind_address option was renamed to bind_addresses in order to match the upstream homeserver.yaml option name. It is now also a list of strings instead of a string.

An example to make the required migration clearer:

Before:

{
  services.matrix-synapse = {
    enable = true;

    server_name = "example.com";
    public_baseurl = "https://example.com:8448";

    enable_registration = false;
    registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut";
    macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l";

    tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
    tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";

    listeners = [ {
      port = 8448;
      bind_address = "";
      type = "http";
      tls = true;
      resources = [ {
        names = [ "client" ];
        compress = true;
      } {
        names = [ "federation" ];
        compress = false;
      } ];
    } ];

  };
}

After:

{
  services.matrix-synapse = {
    enable = true;

    # this attribute set holds all values that go into your homeserver.yaml configuration
    # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for
    # possible values.
    settings = {
      server_name = "example.com";
      public_baseurl = "https://example.com:8448";

      enable_registration = false;
      # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead

      tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
      tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";

      listeners = [ {
        port = 8448;
        bind_addresses = [
          "::"
          "0.0.0.0"
        ];
        type = "http";
        tls = true;
        resources = [ {
          names = [ "client" ];
          compress = true;
        } {
          names = [ "federation" ];
          compress = false;
        } ];
      } ];
    };

    extraConfigFiles = [
      "/run/keys/matrix-synapse/secrets.yaml"
    ];
  };
}

The secrets in your original config should be migrated into a YAML file that is included via extraConfigFiles. The filename must be quoted to prevent nix from copying it to the (world readable) store.

Additionally a few option defaults have been synced up with upstream default values, for example the max_upload_size grew from 10M to 50M. For the same reason, the default media_store_path was changed from ${dataDir}/media to ${dataDir}/media_store if system.stateVersion is at least 22.05. Files will need to be manually moved to the new location if the stateVersion is updated.

As of Synapse 1.58.0, the old groups/communities feature has been disabled by default. It will be completely removed with Synapse 1.61.0.

The Keycloak package (pkgs.keycloak) has been switched from the Wildfly version, which will soon be deprecated, to the Quarkus based version. The Keycloak service (services.keycloak) has been updated to accommodate the change and now differs from the previous version in a few ways:

For example, when using a reverse proxy the migration could look like this:

Before:

  services.keycloak = {
    enable = true;
    httpPort = "8080";
    frontendUrl = "https://keycloak.example.com/auth";
    database.passwordFile = "/run/keys/db_password";
    extraConfig = {
      "subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true;
    };
  };

After:

  services.keycloak = {
    enable = true;
    settings = {
      http-port = 8080;
      hostname = "keycloak.example.com";
      http-relative-path = "/auth";
      proxy = "edge";
    };
    database.passwordFile = "/run/keys/db_password";
  };

The MoinMoin wiki engine (services.moinmoin) has been removed, because Python 2 is being retired from nixpkgs.

Services in the hadoop module previously set openFirewall to true by default. This has now been changed to false. Node definitions for multi-node clusters would need openFirewall = true; to be added to to hadoop services when upgrading from NixOS 21.11.

services.hadoop.yarn.nodemanager now uses cgroup-based CPU limit enforcement by default. Additionally, the option useCGroups was added to nodemanagers as an easy way to switch back to the old behavior.

The wafHook hook now honors NIX_BUILD_CORES when enableParallelBuilding is not set explicitly. Packages can restore the old behaviour by setting enableParallelBuilding=false.

pkgs.claws-mail-gtk2, representing Claws Mail’s older release version three, was removed in order to get rid of Python 2. Please switch to claws-mail, which is Claws Mail’s latest release based on GTK+3 and Python 3.

The writers.writePython2 and corresponding writers.writePython2Bin convenience functions to create executable Python 2 scripts in the store were removed in preparation of removal of the Python 2 interpreter. Scripts have to be converted to Python 3 for use with writers.writePython3 or writers.writePyPy2 needs to be used.

buildGoModule was updated to use go_1_17, third party derivations that specify >= go 1.17 in the main go.mod will need to regenerate their vendorSha256 hash.

The gnome-passwordsafe package updated to version 6.x and renamed to gnome-secrets.

services.gnome.experimental-features.realtime-scheduling option has been removed, as GNOME Shell now uses rtkit. Use security.rtkit.enable = true; instead. As before, you will need to have it enabled using GSettings.

services.telepathy will no longer be enabled by default for GNOME desktops, one should enable it in their configs if using Empathy or Polari.

If you previously used /etc/docker/daemon.json, you need to incorporate the changes into the new option virtualisation.docker.daemon.settings.

Ntopng (services.ntopng) is updated to 5.2.1 and uses a separate Redis instance if system.stateVersion is at least 22.05. Existing setups shouldn’t be affected.

The backward compatibility in services.wordpress to configure sites with the old interface has been removed. Please use services.wordpress.sites instead.

The backward compatibility in services.dokuwiki to configure sites with the old interface has been removed. Please use services.dokuwiki.sites instead.

opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs

services.miniflux.adminCredentialFiles is now required, instead of defaulting to admin and password.

The taskserver module no longer implicitly opens ports in the firewall configuration. This is now controlled through the option services.taskserver.openFirewall.

The autorestic package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check their migration guide for more details.

teleport has been upgraded to major version 9. Please see upstream upgrade instructions and release notes.

For pkgs.python3.pkgs.ipython, its direct dependency pkgs.python3.pkgs.matplotlib-inline (which is really an adapter to integrate matplotlib in ipython if it is installed) does not depend on pkgs.python3.pkgs.matplotlib anymore. This is closer to a non-Nix install of ipython. This has the added benefit to reduce the closure size of ipython from ~400MB to ~160MB (including ~100MB for python itself).

documentation.man has been refactored to support choosing a man implementation other than GNU’s man-db. For this, documentation.man.manualPages has been renamed to documentation.man.man-db.manualPages. If you want to use the new alternative man implementation mandoc, add documentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; } to your configuration.

Normal users (with isNormalUser = true) which have non-empty subUidRanges or subGidRanges set no longer have additional implicit ranges allocated. To enable automatic allocation back set autoSubUidGidRange = true.

idris2 now requires --package when using packages contrib and network, while previously these idris2 packages were automatically loaded.

The iputils package, which is installed by default, no longer provides the legacy tools tftpd and traceroute6. More tools (ninfod, rarpd, and rdisc) are going to be removed in the next release. See upstream’s release notes for more details and available replacements.

services.thelounge.private was removed in favor of services.thelounge.public, to follow with upstream changes.

pkgs.docbookrx was removed since it’s unmaintained

pkgs._7zz is now correctly licensed as LGPL3+ and BSD3 with optional unfree unRAR licensed code

The vim.customize function produced by vimUtils.makeCustomizable now has a slightly different interface:

See the comments in pkgs/applications/editors/vim/plugins/vim-utils.nix for more details.

vimUtils.vimWithRC was removed. You should instead use customize on a Vim derivation, which now accepts vimrcFile and gvimrcFile arguments.

tilp2 was removed together with its module

The F-PROT antivirus (fprot package) and its service module were removed because it reached end-of-life.

bird1 and its modules services.bird as well as services.bird6 have been removed. Upgrade to services.bird2.

The options networking.interfaces.<name>.ipv4.routes and networking.interfaces.<name>.ipv6.routes are no longer ignored when using networkd instead of the default scripted network backend by setting networking.useNetworkd to true.

The miller package has been upgraded from 5.10.3 to 6.2.0. See What’s new in Miller 6.

MultiMC has been replaced with the fork PrismLauncher due to upstream developers being hostile to 3rd party package maintainers. PrismLauncher removes all MultiMC branding and is aimed at providing proper 3rd party packages like the one contained in Nixpkgs. This change affects the data folder where game instances and other save and configuration files are stored. Users with existing installations should rename ~/.local/share/multimc to ~/.local/share/PrismLauncher. The main config file’s path has also moved from ~/.local/share/multimc/multimc.cfg to ~/.local/share/PrismLauncher/prismlauncher.cfg.

systemd-nspawn@.service settings have been reverted to the default systemd behaviour. User namespaces are now activated by default. If you want to keep running nspawn containers without user namespaces you need to set systemd.nspawn.<name>.execConfig.PrivateUsers = false

systemd-shutdown is now properly linked on shutdown to unmount all filesystems and device mapper devices cleanly. This can be disabled using systemd.shutdownRamfs.enable.

The Tor SOCKS proxy is now actually disabled if services.tor.client.enable is set to false (the default). If you are using this functionality but didn’t change the setting or set it to false, you now need to set it to true.

services.github-runner has been hardened. Notably address families and system calls have been restricted, which may adversely affect some kinds of testing, e.g. using AF_BLUETOOTH to test bluetooth devices.

The terraform 0.12 compatibility has been removed and the terraform.withPlugins and terraform-providers.mkProvider implementations simplified. Providers now need to be stored under $out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version> (which mkProvider does).

This breaks back-compat so it’s not possible to mix-and-match with previous versions of nixpkgs. In exchange, it now becomes possible to use the providers from nixpkgs-terraform-providers-bin directly.

The dendrite package has been upgraded from 0.5.1 to 0.6.5. Instances configured with split sqlite databases, which has been the default in NixOS, require merging of the federation sender and signing key databases. See upstream release notes on version 0.6.0 for details on database changes.

The existing pkgs.opentelemetry-collector has been moved to pkgs.opentelemetry-collector-contrib to match the actual source being the “contrib” edition. pkgs.opentelemetry-collector is now the actual core release of opentelemetry-collector. If you use the community contributions you should change the package you refer to. If you don’t need them update your commands from otelcontribcol to otelcorecol and enjoy a 7x smaller binary.

services.zookeeper has a new option jre for specifying the JRE to start zookeeper with. It defaults to the JRE that pkgs.zookeeper was wrapped with, instead of pkgs.jre. This changes the JRE to pkgs.jdk11_headless by default.

pkgs.pgadmin now refers to pkgs.pgadmin4. pgadmin3 has been removed.

pkgs.minetestclient_4 and pkgs.minetestserver_4 have been removed, as the last 4.x release was in 2018. pkgs.minetestclient (equivalent to pkgs.minetest ) and pkgs.minetestserver can be used instead.

pkgs.noto-fonts-cjk is now deprecated in favor of pkgs.noto-fonts-cjk-sans and pkgs.noto-fonts-cjk-serif because they each have different release schedules. To maintain compatibility with prior releases of Nixpkgs, pkgs.noto-fonts-cjk is currently an alias of pkgs.noto-fonts-cjk-sans and doesn’t include serif fonts.

pkgs.epgstation has been upgraded from v1 to v2, resulting in incompatible changes in the database scheme and configuration format.

Some top-level settings under services.epgstation is now deprecated because it was redundant due to the same options being present in services.epgstation.settings.

The option services.epgstation.basicAuth was removed because basic authentication support was dropped by upstream.

The option services.epgstation.database.passwordFile no longer has a default value. Make sure to set this option explicitly before upgrading. Change the database password if necessary.

The services.epgstation.settings option now expects options for config.yml in EPGStation v2.

Existing data for the services.epgstation module would have to be backed up prior to the upgrade. To back up existing data to /tmp/epgstation.bak, run sudo -u epgstation epgstation run backup /tmp/epgstation.bak. To import that data after to the upgrade, run sudo -u epgstation epgstation run v1migrate /tmp/epgstation.bak

switch-to-configuration (the script that is run when running nixos-rebuild switch for example) has been reworked

The services.bookstack.cacheDir option has been removed, since the cache directory is now handled by systemd.

The services.bookstack.extraConfig option has been replaced by services.bookstack.config which implements a settings-style configuration.

lib.assertMsg and lib.assertOneOf no longer return false if the passed condition is false, throwing the given error message instead (which makes the resulting error message less cluttered). This will not impact the behaviour of code using these functions as intended, namely as top-level wrapper for assert conditions.

The vpnc package has been changed to use GnuTLS instead of OpenSSL by default for licensing reasons.

The default version of nextcloud is nextcloud24. Please note that it’s not possible to upgrade nextcloud across multiple major versions! This means it’s e.g. not possible to upgrade from nextcloud22 to nextcloud24 in a single deploy and most 21.11 users will have to upgrade to nextcloud23 first.

pkgs.vimPlugins.onedark-nvim now refers to navarasu/onedark.nvim (formerly refers to olimorris/onedarkpro.nvim).

services.pipewire.enable will default to enabling the WirePlumber session manager instead of pipewire-media-session. pipewire-media-session is deprecated by upstream and not recommended, but can still be manually enabled by setting services.pipewire.media-session.enable to true and services.pipewire.wireplumber.enable to false.

pkgs.makeDesktopItem has been refactored to provide a more idiomatic API. Specifically:

See the vscode package for a more detailed example.

Existing resholve* functions have been renamed and nested under pkgs.resholve. Update uses to:

pkgs.cosmopolitan no longer provides the cosmoc command. It has been moved to pkgs.cosmoc.

pkgs.graalvmXX-ce packages no longer provide support for Python/Ruby/WASM, instead focusing only in Java and Native Image Support. If you need to add support back, please see the pkgs.graalvmCEPackages.mkGraal function to create your own customized version of GraalVM with support for what you need.

The option services.redis.servers was added to support per-application redis-server which is more secure since Redis databases are only mere key prefixes without any configuration or ACL of their own. Backward-compatibility is preserved by mapping old services.redis.settings to services.redis.servers."".settings, but you are strongly encouraged to name each redis-server instance after the application using it, instead of keeping that nameless one. Except for the nameless services.redis.servers."" still accessible at 127.0.0.1:6379, and to the members of the Unix group redis through the Unix socket /run/redis/redis.sock, all other services.redis.servers.${serverName} are only accessible by default to the members of the Unix group redis-${serverName} through the Unix socket /run/redis-${serverName}/redis.sock.

The option virtualisation.vmVariant was added to allow users to make changes to the nixos-rebuild build-vm configuration that do not apply to their normal system.

The config.system.build.vm attribute now always exists and defaults to the value from vmVariant. Configurations that import the virtualisation/qemu-vm.nix module themselves will override this value, such that vmVariant is not used.

Similarly virtualisation.vmVariantWithBootloader was added.

The configuration portion of the nix-daemon module has been reworked and exposed as nix.settings:

kops defaults to 1.23.2, which will enable Instance Metadata Service Version 2 and require tokens on new clusters with Kubernetes >= 1.22. This will increase security by default, but may break some types of workloads. The default behaviour for spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS has changed from true to false. Cilium now has disable-cnp-status-updates: true by default. Set this to false if you rely on the CiliumNetworkPolicy status fields. Support for Kubernetes 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been removed. See the 1.22 release notes and 1.23 release notes for more details, including other significant changes.

Mattermost has been upgraded to extended support version 6.3 as the previously packaged extended support version 5.37 is reaching end of life. Migration may take some time, see the changelog and important upgrade notes.

The writers.writePyPy2/writers.writePyPy3 and corresponding writers.writePyPy2Bin/writers.writePyPy3Bin convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added.

Some improvements have been made to the hadoop module:

The auto-upgrade service now accepts persistent (default: true) parameter. By default auto-upgrade will now run immediately if it would have been triggered at least once during the time when the timer was inactive.

Mastodon now uses services.redis.servers to start a new redis server, instead of using a global redis server. This improves compatibility with other services that use redis.

Note that this will recreate the redis database, although according to the Mastodon docs, this is almost harmless:

If you do want to save the redis database, you can use the following commands:

redis-cli save
cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb"

Peertube now uses services.redis.servers to start a new redis server, instead of using a global redis server. This improves compatibility with other services that use redis.

Redis database is used for storage only cache and job queue. More information can be found here - Peertube architecture.

If you do want to save the redis database, you can use the following commands before upgrade OS:

redis-cli save
sudo mkdir /var/lib/redis-peertube
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb

Added the keter NixOS module. Keter reverse proxies requests to your loaded application based on virtual hostnames.

If you are using Wayland you can choose to use the Ozone Wayland support in Chrome and several Electron apps by setting the environment variable NIXOS_OZONE_WL=1 (for example via environment.sessionVariables.NIXOS_OZONE_WL = "1"). This is not enabled by default because Ozone Wayland is still under heavy development and behavior is not always flawless. Furthermore, not all Electron apps use the latest Electron versions.

A new option group systemd.network.wait-online was added, with options to configure systemd-networkd-wait-online.service:

The influxdb2 package was split into influxdb2-server and influxdb2-cli, matching the split that took place upstream. A combined influxdb2 package is still provided in this release for backwards compatibility, but will be removed at a later date.

The unifi package was switched from unifi6 to unifi7. Direct downgrades from Unifi 7 to Unifi 6 are not possible and require restoring from a backup made by Unifi 6.

programs.zsh.autosuggestions.strategy now takes a list of strings instead of a string.

The asterisk and asterisk-stable packages were switched from asterisk_18 to the newly-packaged asterisk_19. Asterisk 13 and 17 have been removed as they have reached their end of life.

The services.unifi.openPorts option default value of true is now deprecated and will be changed to false in 22.11. Configurations using this default will print a warning when rebuilt.

The services.unifi-video.openPorts option default value of true is now deprecated and will be changed to false in 22.11. Configurations using this default will print a warning when rebuilt.

security.acme certificates will now correctly check for CA revokation before reaching their minimum age.

Removing domains from security.acme.certs._name_.extraDomainNames will now correctly remove those domains during rebuild/renew.

MariaDB is now offered in several versions, not just the newest one. So if you have a need for running MariaDB 10.4 for example, you can now just set services.mysql.package = pkgs.mariadb_104;. In general, it is recommended to run the newest version, to get the newest features, while sticking with an LTS version will most likely provide a more stable experience. Sometimes software is also incompatible with the newest version of MariaDB.

The option programs.ssh.enableAskPassword was added, decoupling the setting of SSH_ASKPASS from services.xserver.enable. This allows easy usage in non-X11 environments, e.g. Wayland.

programs.ssh.knownHosts has gained an extraHostNames option to augment hostNames. It is now possible to use the attribute name of a knownHosts entry as the primary host name and specify secondary host names using extraHostNames without having to duplicate the primary host name.

The services.stubby module was converted to a settings-style configuration.

The option services.xserver.desktopManager.runXdgAutostartIfNone was added in order to automatically run XDG autostart files for sessions without a desktop manager. This replaces helpers like the dex package.

When setting i18n.inputMethod.enabled to fcitx5, it no longer creates corresponding systemd user services. It now relies on XDG autostart files to start and work properly in your desktop sessions. If you are using only a window manager without a desktop manager, you need to enable services.xserver.desktopManager.runXdgAutostartIfNone or using the dex package to make fcitx5 work.

The option services.duplicati.dataDir has been added to allow changing the location of duplicati’s files.

The options boot.extraModprobeConfig and boot.blacklistedKernelModules now also take effect in the initrd by copying the file /etc/modprobe.d/nixos.conf into the initrd.

nixos-generate-config now puts the dhcp configuration in hardware-configuration.nix instead of configuration.nix.

ORY Kratos was updated to version 0.9.0-alpha.3, which introduces some breaking changes:

fetchFromSourcehut now allows fetching repositories recursively using fetchgit or fetchhg if the argument fetchSubmodules is set to true.

A module for declarative configuration of openconnect VPN profiles was added under networking.openconnect.

The element-desktop package now has an useKeytar option (defaults to true), which allows disabling keytar and in turn libsecret usage (which binds to native credential managers / keychain libraries).

The option services.thelounge.plugins has been added to allow installing plugins for The Lounge. Plugins can be found in pkgs.theLoungePlugins.plugins and pkgs.theLoungePlugins.themes.

The option services.xserver.videoDriver = [ "nvidia" ]; will now also install nvidia VA-API drivers by default.

The firmwareLinuxNonfree package has been renamed to linux-firmware.

It is now possible to specify wordlists to include as handy to access environment variables using the config.environment.wordlist configuration options.

The services.mbpfan module was converted to a RFC 0042 configuration.

The default value for programs.spacefm.settings.graphical_su got unset. It previously pointed to gksu which has been removed.

The Dino XMPP client was updated to 0.3, adding support for audio and video calls.

services.mattermost.plugins has been added to allow the declarative installation of Mattermost plugins. Plugins are automatically repackaged using autoPatchelf.

services.logrotate.enable now defaults to true if any rotate path has been defined, and some paths have been added by default.

The logrotate module also has been updated to freeform syntax: services.logrotate.paths and services.logrotate.extraConfig will work, but issue deprecation warnings and services.logrotate.settings should now be used instead.

security.pam.ussh has been added, which allows authorizing PAM sessions based on SSH certificates held within an SSH agent, using pam-ussh.

The vscode-extensions.ionide.ionide-fsharp package has been updated to 6.0.0 and now requires .NET 6.0.

The phpPackages.box package has been updated from 2.7.5 to 3.16.0. See the upgrade guide for more details.

The zrepl package has been updated from 0.4.0 to 0.5:

The polybar package has been updated from 3.5.7 to 3.6.2. See the changelog for more details.

Renamed option services.openssh.challengeResponseAuthentication to services.openssh.kbdInteractiveAuthentication. Reason is that the old name has been deprecated upstream. Using the old option name will still work, but produce a warning.

services.autorandr now allows for adding hooks and profiles declaratively.

The pomerium-cli command has been moved out of the pomerium package into the pomerium-cli package, following upstream’s repository split. If you are using the pomerium-cli command, you should now install the pomerium-cli package.

The option services.networking.networkmanager.enableFccUnlock was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer automatically performs the FCC unlock procedure by default. See the docs for more details.

programs.tmux has a new option plugins that accepts a list of packages from the tmuxPlugins group. The specified packages are added to the system and loaded by tmux.

The polkit service, available at security.polkit.enable, is now disabled by default. It will automatically be enabled through services and desktop environments as needed.

mercury was updated to 22.01.1, which has some breaking changes (Mercury 22.01 news).

xfsprogs was update to version 5.15, which enables inobtcount and bigtime by default on filesystem creation. Support for these features was added in kernel 5.10 and deemed stable in kernel 5.15. If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than 5.10, you need to format them with mkfs.xfs -m bigtime=0 -m inobtcount=0.

services.xserver.desktopManager.xfce now includes Xfce’s screen locker, xfce4-screensaver that is enabled by default. You can disable it by setting false to services.xserver.desktopManager.xfce.enableScreensaver.

The hadoop package has added support for aarch64-linux and aarch64-darwin as of 3.3.1 (#158613).

The R package now builds again on aarch64-darwin (#158992).

The nss package was split into nss_esr and nss_latest, with nss being an alias for nss_esr. This was done to ease maintenance of nss and dependent high-profile packages like firefox.

The default scribus version is now 1.5, while version 1.4 is still available as scribus_1_4 (#172700).

The Nextcloud module now supports to create a Mysql database automatically with services.nextcloud.database.createLocally enabled.

The Nextcloud module now allows setting the value of the max-age directive of the Strict-Transport-Security HTTP header, which is now controlled by the services.nextcloud.https option, rather than services.nginx.recommendedHttpHeaders.

The spark3 package has been updated from 3.1.2 to 3.2.1 (#160075):

The option services.snapserver.openFirewall will no longer default to true starting with NixOS 22.11. Enable it explicitly if you need to control Snapserver remotely or connect streamig clients from other hosts.

The option networking.useDHCP isn’t deprecated anymore. When using systemd-networkd, a generic .network-unit is added which enables DHCP for each interface matching en*, eth* or wl* with priority 99 (which means that it doesn’t have any effect if such an interface is matched by a .network-unit with a lower priority). In case of scripted networking, no behavior was changed.

The new postgresqlTestHook runs a PostgreSQL server for the duration of package checks.

zfs was updated from 2.1.4 to 2.1.5, enabling it to be used with Linux kernel 5.18.

stdenv.mkDerivation now supports a self-referencing finalAttrs: parameter containing the final mkDerivation arguments including overrides. drv.overrideAttrs now supports two parameters finalAttrs: previousAttrs:. This allows packaging configuration to be overridden in a consistent manner by providing an alternative to rec {} syntax.

Additionally, passthru can now reference finalAttrs.finalPackage containing the final package, including attributes such as the output paths and overrideAttrs.

New language integrations can be simplified by overriding a “prototype” package containing the language-specific logic. This removes the need for a extra layer of overriding for the “generic builder” arguments, thus removing a usability problem and source of error.

Nix has been updated to version 2.4, reference its release notes for more information on what has changed. The previous version of Nix, 2.3.16, remains available for the time being in the nix_2_3 package.

iptables is now using nf_tables under the hood, by using iptables-nft, similar to Debian and Fedora. This means, ip[6]tables, arptables and ebtables commands will actually show rules from some specific tables in the nf_tables kernel subsystem. In case you’re migrating from an older release without rebooting, there might be cases where you end up with iptable rules configured both in the legacy iptables kernel backend, as well as in the nf_tables backend. This can lead to confusing firewall behaviour. An iptables-save after switching will complain about “iptables-legacy tables present”. It’s probably best to reboot after the upgrade, or manually removing all legacy iptables rules (via the iptables-legacy package).

systemd got an nftables backend, and configures (networkd) rules in their own io.systemd.* tables. Check nft list ruleset to see these rules, not iptables-save (which only shows iptables-created rules.

PHP now defaults to PHP 8.0, updated from 7.4.

kops now defaults to 1.21.1, which uses containerd as the default runtime.

python3 now defaults to Python 3.9, updated from Python 3.8.

PostgreSQL now defaults to major version 13.

spark now defaults to spark 3, updated from 2. A migration guide is available.

Improvements have been made to the Hadoop module and package:

Activation scripts can now, optionally, be run during a nixos-rebuild dry-activate and can detect the dry activation by reading $NIXOS_ACTION. This allows activation scripts to output what they would change if the activation was really run. The users/modules activation script supports this and outputs some of is actions.

KDE Plasma now finally works on Wayland.

bash now defaults to major version 5.

Systemd was updated to version 249 (from 247).

Pantheon desktop has been updated to version 6. Due to changes of screen locker, if locking doesn’t work for you, please try gsettings set org.gnome.desktop.lockdown disable-lock-screen false.

kubernetes-helm now defaults to 3.7.0, which introduced some breaking changes to the experimental OCI manifest format. See HIP 6 for more details. helmfile also defaults to 0.141.0, which is the minimum compatible version.

GNOME has been upgraded to 41. Please take a look at their Release Notes for details.

LXD support was greatly improved:

OpenSSH was updated to version 8.8p1

ORY Kratos was updated to version 0.8.0-alpha.3

btrbk, a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations. Available as services.btrbk.

clipcat, an X11 clipboard manager written in Rust. Available at services.clipcat.

dex, an OpenID Connect (OIDC) identity and OAuth 2.0 provider. Available at services.dex.

geoipupdate, a GeoIP database updater from MaxMind. Available as services.geoipupdate.

Jibri, a service for recording or streaming a Jitsi Meet conference. Available as services.jibri.

Kea, ISCs 2nd generation DHCP and DDNS server suite. Available at services.kea.

owncast, self-hosted video live streaming solution. Available at services.owncast.

PeerTube, developed by Framasoft, is the free and decentralized alternative to video platforms. Available at services.peertube.

sourcehut, a collection of tools useful for software development. Available as services.sourcehut.

ucarp, an userspace implementation of the Common Address Redundancy Protocol (CARP). Available as networking.ucarp.

Users of flashrom should migrate to programs.flashrom.enable and add themselves to the flashrom group to be able to access programmers supported by flashrom.

vikunja, a to-do list app. Available as services.vikunja.

opensnitch, an application firewall. Available as services.opensnitch.

snapraid, a backup program for disk arrays. Available as snapraid.

Hockeypuck, a OpenPGP Key Server. Available as services.hockeypuck.

buildkite-agent-metrics, a command-line tool for collecting Buildkite agent metrics, now has a Prometheus exporter available as services.prometheus.exporters.buildkite-agent.

influxdb-exporter a Prometheus exporter that exports metrics received on an InfluxDB compatible endpoint is now available as services.prometheus.exporters.influxdb.

mx-puppet-discord, a discord puppeting bridge for matrix. Available as services.mx-puppet-discord.

MeshCentral, a remote administration service (“TeamViewer but self-hosted and with more features”) is now available with a package and a module: services.meshcentral.enable

moonraker, an API web server for Klipper. Available as moonraker.

influxdb2, a Scalable datastore for metrics, events, and real-time analytics. Available as services.influxdb2.

isso, a commenting server similar to Disqus. Available as isso

navidrome, a personal music streaming server with subsonic-compatible api. Available as navidrome.

fluidd, a Klipper web interface for managing 3d printers using moonraker. Available as fluidd.

sx, a simple alternative to both xinit and startx for starting a Xorg server. Available as services.xserver.displayManager.sx

postfixadmin, a web based virtual user administration interface for Postfix mail servers. Available as postfixadmin.

prowlarr, an indexer manager/proxy built on the popular arr .net/reactjs base stack services.prowlarr.

soju, a user-friendly IRC bouncer. Available as services.soju.

nats, a high performance cloud and edge messaging system. Available as services.nats.

git, a distributed version control system. Available as programs.git.

parsedmarc, a service which parses incoming DMARC reports and stores or sends them to a downstream service for further analysis. Documented in its manual entry.

spark, a unified analytics engine for large-scale data processing.

touchegg, a multi-touch gesture recognizer. Available as services.touchegg.

pantheon-tweaks, an unofficial system settings panel for Pantheon. Available as programs.pantheon-tweaks.

joycond, a service that uses hid-nintendo to provide nintendo joycond pairing and better nintendo switch pro controller support.

multipath, the device mapper multipath (DM-MP) daemon. Available as services.multipath.

seafile, an open source file syncing & sharing software. Available as services.seafile.

rasdaemon, a hardware error logging daemon. Available as hardware.rasdaemon.

code-server-module now available

xmrig, a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner and RandomX benchmark.

Auto nice daemons ananicy and ananicy-cpp. Available as services.ananicy.

smartctl_exporter, a Prometheus exporter for S.M.A.R.T. data. Available as services.prometheus.exporters.smartctl.

twingate, a high performance, easy to use zero trust solution that enables access to private resources from any device with better security than a VPN.

The NixOS VM test framework, pkgs.nixosTest/make-test-python.nix (pkgs.testers.nixosTest since 22.05), now requires detaching commands such as succeed("foo &") and succeed("foo | xclip -i") to close stdout. This can be done with a redirect such as succeed("foo >&2 &"). This breaking change was necessitated by a race condition causing tests to fail or hang. It applies to all methods that invoke commands on the nodes, including execute, succeed, fail, wait_until_succeeds, wait_until_fails.

The services.wakeonlan option was removed, and replaced with networking.interfaces.<name>.wakeOnLan.

The security.wrappers option now requires to always specify an owner, group and whether the setuid/setgid bit should be set. This is motivated by the fact that before NixOS 21.11, specifying either setuid or setgid but not owner/group resulted in wrappers owned by nobody/nogroup, which is unsafe.

Since iptables now uses nf_tables backend and ipset doesn’t support it, some applications (ferm, shorewall, firehol) may have limited functionality.

The paperless module and package have been removed. All users should migrate to the successor paperless-ng instead. The Paperless project has been archived and advises all users to use paperless-ng instead.

Users can use the services.paperless-ng module as a replacement while noting the following incompatibilities:

{
  services.paperless-ng.extraConfig = {
    # Provide languages as ISO 639-2 codes
    # separated by a plus (+) sign.
    # https://en.wikipedia.org/wiki/List_of_ISO_639-2_codes
    PAPERLESS_OCR_LANGUAGE = "deu+eng+jpn"; # German & English & Japanse
  };
}

The staticjinja package has been upgraded from 1.0.4 to 4.1.1

Firefox v91 does not support addons with invalid signature anymore. Firefox ESR needs to be used for nix addon support.

The erigon ethereum node has moved to a new database format in 2021-05-04, and requires a full resync

The erigon ethereum node has moved its database location in 2021-08-03, users upgrading must manually move their chaindata (see release notes).

users.users.<name>.group no longer defaults to nogroup, which was insecure. Out-of-tree modules are likely to require adaptation: instead of

{
  users.users.foo = {
    isSystemUser = true;
  };
}

also create a group for your user:

{
  users.users.foo = {
    isSystemUser = true;
    group = "foo";
  };
  users.groups.foo = {};
}

services.geoip-updater was broken and has been replaced by services.geoipupdate.

ihatemoney has been updated to version 5.1.1 (release notes). If you serve ihatemoney by HTTP rather than HTTPS, you must set services.ihatemoney.secureCookie to false.

PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release.

Those making use of buildBazelPackage will need to regenerate the fetch hashes (preferred), or set fetchConfigured = false;.

consul was upgraded to a new major release with breaking changes, see upstream changelog.

fsharp41 has been removed in preference to use the latest dotnet-sdk

The following F#-related packages have been removed for being unmaintaned. Please use fetchNuGet for specific packages.

programs.x2goserver is now services.x2goserver

The following dotnet-related packages have been removed for being unmaintaned. Please use fetchNuGet for specific packages.

The antlr package now defaults to the 4.x release instead of the old 2.7.7 version.

The pulseeffects package updated to version 4.x and renamed to easyeffects.

The libwnck package now defaults to the 3.x release instead of the old 2.31.0 version.

The bitwarden_rs packages and modules were renamed to vaultwarden following upstream. More specifically,

yggdrasil was upgraded to a new major release with breaking changes, see upstream changelog.

icingaweb2 was upgraded to a new release which requires a manual database upgrade, see upstream changelog.

The isabelle package has been upgraded from 2020 to 2021

the mingw-64 package has been upgraded from 6.0.0 to 9.0.0

tt-rss was upgraded to the commit on 2021-06-21, which has breaking changes. If you use services.tt-rss.extraConfig you should migrate to the putenv-style configuration. See this Discourse post in the tt-rss forums for more details.

The following Visual Studio Code extensions were renamed to keep the naming convention uniform.

services.uptimed now uses /var/lib/uptimed as its stateDirectory instead of /var/spool/uptimed. Make sure to move all files to the new directory.

Deprecated package aliases in emacs.pkgs.* have been removed. These aliases were remnants of the old Emacs package infrastructure. We now use exact upstream names wherever possible.

programs.neovim.runtime switched to a linkFarm internally, making it impossible to use wildcards in the source argument.

The openrazer and openrazer-daemon packages as well as the hardware.openrazer module now require users to be members of the openrazer group instead of plugdev. With this change, users no longer need be granted the entire set of plugdev group permissions, which can include permissions other than those required by openrazer. This is desirable from a security point of view. The setting hardware.openrazer.users can be used to add users to the openrazer group.

The fontconfig service’s dpi option has been removed. Fontconfig should use Xft settings by default so there’s no need to override one value in multiple places. The user can set DPI via ~/.Xresources properly, or at the system level per monitor, or as a last resort at the system level with services.xserver.dpi.

The yambar package has been split into yambar and yambar-wayland, corresponding to the xorg and wayland backend respectively. Please switch to yambar-wayland if you are on wayland.

The services.minio module gained an additional option consoleAddress, that configures the address and port the web UI is listening, it defaults to :9001. To be able to access the web UI this port needs to be opened in the firewall.

The varnish package was upgraded from 6.3.x to 7.x. varnish60 for the last LTS release is also still available.

The kubernetes package was upgraded to 1.22. The kubernetes.apiserver.kubeletHttps option was removed and HTTPS is always used.

The attribute linuxPackages_latest_hardened was dropped because the hardened patches lag behind the upstream kernel which made version bumps harder. If you want to use a hardened kernel, please pin it explicitly with a versioned attribute such as linuxPackages_5_10_hardened.

The nomad package now defaults to a 1.1.x release instead of 1.0.x

If exfat is included in boot.supportedFilesystems and when using kernel 5.7 or later, the exfatprogs user-space utilities are used instead of exfat.

The todoman package was upgraded from 3.9.0 to 4.0.0. This introduces breaking changes in the configuration file format.

The datadog-agent, datadog-integrations-core and datadog-process-agent packages were upgraded from 6.11.2 to 7.30.2, git-2018-09-18 to 7.30.1 and 6.11.1 to 7.30.2, respectively. As a result services.datadog-agent has had breaking changes to the configuration file. For details, see the upstream changelog.

opencv2 no longer includes the non-free libraries by default, and consequently pfstools no longer includes OpenCV support by default. Both packages now support an enableUnfree option to re-enable this functionality.

services.xserver.displayManager.defaultSession = "plasma5" does not work anymore, instead use either "plasma" for the Plasma X11 session or "plasmawayland" for the Plasma Wayland sesison.

boot.kernelParams now only accepts one command line parameter per string. This change is aimed to reduce common mistakes like “param = 12”, which would be parsed as 3 parameters.

nix.daemonNiceLevel and nix.daemonIONiceLevel have been removed in favour of the new options nix.daemonCPUSchedPolicy, nix.daemonIOSchedClass and nix.daemonIOSchedPriority. Please refer to the options documentation and the sched(7) and ioprio_set(2) man pages for guidance on how to use them.

The coursier package’s binary was renamed from coursier to cs. Completions which haven’t worked for a while should now work with the renamed binary. To keep using coursier, you can create a shell alias.

The services.mosquitto module has been rewritten to support multiple listeners and per-listener configuration. Module configurations from previous releases will no longer work and must be updated.

The fluidsynth_1 attribute has been removed, as this legacy version is no longer needed in nixpkgs. The actively maintained 2.x series is available as fluidsynth unchanged.

Nextcloud 20 (pkgs.nextcloud20) has been dropped because it was EOLed by upstream in 2021-10.

The virtualisation.pathsInNixDB option was renamed virtualisation.additionalPaths.

The services.ddclient.password option was removed, and replaced with services.ddclient.passwordFile.

The default GNAT version has been changed: The gnat attribute now points to gnat12 instead of gnat9.

retroArchCores has been removed. This means that using nixpkgs.config.retroarch to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example: retroarch.override { cores = with libretro; [ citra snes9x ]; };. Also, retroarchFull derivation is available for those who want to have all RetroArch cores available.

The Linux kernel for security reasons now restricts access to BPF syscalls via BPF_UNPRIV_DEFAULT_OFF=y. Unprivileged access can be reenabled via the kernel.unprivileged_bpf_disabled sysctl knob.

/usr will always be included in the initial ramdisk. See the fileSystems.<name>.neededForBoot option. If any files exist under /usr (which is not typical for NixOS), they will be included in the initial ramdisk, increasing its size to a possibly problematic extent.

pkgs.haskell-language-server will now by default be linked dynamically to improve TemplateHaskell compatibility. To mitigate the increased closure size it will now by default only support our current default ghc (at the moment 9.0.2). Add other ghc versions via e.g. pkgs.haskell-language-server.override { supportedGhcVersions = [ "90" "92" ]; }.

pkgs.redis is now built using the system jemalloc. This disables the experimental active defragmentation feature of redis. Users who require this feature can switch back to redis’ vendored version of jemalloc by setting services.redis.package = pkgs.redis.override { useSystemJemalloc = false; };.

The linux kernel package infrastructure was moved out of all-packages.nix, and restructured. Linux related functions and attributes now live under the pkgs.linuxKernel attribute set. In particular the versioned linuxPackages_* package sets (such as linuxPackages_5_4) and kernels from pkgs were moved there and now live under pkgs.linuxKernel.packages.*. The unversioned ones (such as linuxPackages_latest) remain untouched.

In NixOS virtual machines (QEMU), the virtualisation module has been updated with new options:

In addition, the default msize parameter in 9P filesystems (including /nix/store and all shared directories) has been increased to 16K for improved performance.

The setting services.openssh.logLevel "VERBOSE" "INFO". This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.

However, if services.fail2ban.enable is true, the fail2ban will override the verbosity to "VERBOSE", so that fail2ban can observe the failed login attempts from the SSH logs.

The services.xserver.extraLayouts no longer cause additional rebuilds when a layout is added or modified.

Sway: The terminal emulator rxvt-unicode is no longer installed by default via programs.sway.extraPackages. The current default configuration uses alacritty (and soon foot) so this is only an issue when using a customized configuration and not installing rxvt-unicode explicitly.

python3 now defaults to Python 3.9. Python 3.9 introduces many deprecation warnings, please look at the What’s New In Python 3.9 post for more information.

qtile hase been updated from ‘0.16.0’ to ‘0.18.0’, please check qtile changelog for changes.

The claws-mail package now references the new GTK+ 3 release branch, major version 4. To use the GTK+ 2 releases, one can install the claws-mail-gtk2 package.

The wordpress module provides a new interface which allows to use different webservers with the new option services.wordpress.webserver. Currently httpd, caddy and nginx are supported. The definitions of wordpress sites should now be set in services.wordpress.sites.

Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.

The dokuwiki module provides a new interface which allows to use different webservers with the new option services.dokuwiki.webserver. Currently caddy and nginx are supported. The definitions of dokuwiki sites should now be set in services.dokuwiki.sites.

Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.

The order of NSS (host) modules has been brought in line with upstream recommendations:

If you use your own NSS host modules, make sure to update your priorities according to these rules:

The networking.wireless module (based on wpa_supplicant) has been heavily reworked, solving a number of issues and adding useful features:

The networking.wireless.iwd module has a new networking.wireless.iwd.settings option.

The services.smokeping.host option was added and defaulted to localhost. Before, smokeping listened to all interfaces by default. NixOS defaults generally aim to provide non-Internet-exposed defaults for databases and internal monitoring tools, see e.g. #100192. Further, the systemd service for smokeping got reworked defaults for increased operational stability, see PR #144127 for details.

The services.syncoid.enable module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn’t clean up after execution. You can manually look this up for your pools by running zfs allow your-pool-name and use zfs unallow syncoid your-pool-name to clean this up.

Zfs: latestCompatibleLinuxPackages is now exported on the zfs package. One can use boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; to always track the latest compatible kernel with a given version of zfs.

Nginx will use the value of sslTrustedCertificate if provided for a virtual host, even if enableACME is set. This is useful for providers not using the same certificate to sign OCSP responses and server certificates.

lib.formats.yaml’s generate will not generate JSON anymore, but instead use more of the YAML-specific syntax.

MariaDB was upgraded from 10.5.x to 10.6.x. Please read the upstream release notes for changes and upgrade instructions.

The MariaDB C client library, also known as libmysqlclient or mariadb-connector-c, was upgraded from 3.1.x to 3.2.x. While this should hopefully not have any impact, this upgrade comes with some changes to default behavior, so you might want to review the upstream release notes.

GNOME desktop environment now enables QGnomePlatform as the Qt platform theme, which should avoid crashes when opening file chooser dialogs in Qt apps by using XDG desktop portal. Additionally, it will make the apps fit better visually.

rofi has been updated from ‘1.6.1’ to ‘1.7.0’, one important thing is the removal of the old xresources based configuration setup. Read more in rofi’s changelog.

ipfs now defaults to not listening on you local network. This setting was change as server providers won’t accept port scanning on their private network. If you have several ipfs instances running on a network you own, feel free to change the setting ipfs.localDiscovery = true;. localDiscovery enables different instances to discover each other and share data.

lua and luajit interpreters have been patched to avoid looking into /usr/lib directories, thus increasing the purity of the build.

Three new options, xdg.mime.addedAssociations, xdg.mime.defaultApplications, and xdg.mime.removedAssociations have been added to the xdg.mime module to allow the configuration of /etc/xdg/mimeapps.list.

Kopia was upgraded from 0.8.x to 0.9.x. Please read the upstream release notes for changes and upgrade instructions.

The systemd.network module has gained support for the FooOverUDP link type.

The networking module has a new networking.fooOverUDP option to configure Foo-over-UDP encapsulations.

networking.sits now supports Foo-over-UDP encapsulation.

The virtualisation.libvirtd module has been refactored and updated with new options:

The cawbird Twitter client now uses its own API keys to count as different application than upstream builds. This is done to evade application-level rate limiting. While existing accounts continue to work, users may want to remove and re-register their account in the client to enjoy a better user experience and benefit from this change.

A new option services.prometheus.enableReload has been added which can be enabled to reload the prometheus service when its config file changes instead of restarting.

The option services.prometheus.environmentFile has been removed since it was causing issues and Prometheus now has native support for secret files, i.e. basic_auth.password_file and authorization.credentials_file.

Dokuwiki now supports caddy! However

The services.unifi module has been reworked, solving a number of issues. This leads to several user facing changes:

security.pam.services.<name>.makeHomeDir now uses umask=0077 instead of umask=0022 when creating the home directory.

Loki has had another release. Some default values have been changed for the configuration and some configuration options have been renamed. For more details, please check the upgrade guide.

julia now refers to julia-stable instead of julia-lts. In practice this means it has been upgraded from 1.0.4 to 1.5.4.

RetroArch has been upgraded from version 1.8.5 to 1.9.13.2. Since the previous release was quite old, if you’re having issues after the upgrade, please delete your $XDG_CONFIG_HOME/retroarch/retroarch.cfg file.

hydrus has been upgraded from version 438 to 463. Since upgrading between releases this old is advised against, be sure to have a backup of your data before upgrading. For details, see the hydrus manual.

More jdk and jre versions are now exposed via java-packages.compiler.

The sets haskell.packages and haskell.compiler now contain for every ghc version an attribute with the minor version dropped. E.g. for ghc8107 there also now exists ghc810. Those attributes point to the same compilers and packagesets but have the advantage that e.g. ghc92 stays stable when we update from ghc925 to ghc926.

Core version changes:

Desktop Environments:

Programming Languages and Frameworks:

The linux_latest kernel was updated to the 5.13 series. It currently is not officially supported for use with the zfs filesystem. If you use zfs, you should use a different kernel version (either the LTS kernel, or track a specific one).

GNURadio 3.8 and 3.9 were finally packaged, along with a rewrite to the Nix expressions, allowing users to override the features upstream supports selecting to compile or not to. Additionally, the attribute gnuradio (3.9), gnuradio3_8 and gnuradio3_7 now point to an externally wrapped by default derivations, that allow you to also add `extraPythonPackages` to the Python interpreter used by GNURadio. Missing environmental variables needed for operational GUI were also added (#75478).

Keycloak, an open source identity and access management server with support for OpenID Connect, OAUTH 2.0 and SAML 2.0.

See the Keycloak section of the NixOS manual for more information.

services.samba-wsdd.enable Web Services Dynamic Discovery host daemon

Discourse, a modern and open source discussion platform.

See the Discourse section of the NixOS manual for more information.

services.nebula.networks Nebula VPN

GNOME desktop environment was upgraded to 40, see the release notes for 40.0 and 3.38. The gnome3 attribute set has been renamed to gnome and so have been the NixOS options.

If you are using services.udev.extraRules to assign custom names to network interfaces, this may stop working due to a change in the initialisation of dhcpcd and systemd networkd. To avoid this, either move them to services.udev.initrdRules or see the new Assigning custom names section of the NixOS manual for an example using networkd links.

The security.hideProcessInformation module has been removed. It was broken since the switch to cgroups-v2.

The linuxPackages.ati_drivers_x11 kernel modules have been removed. The drivers only supported kernels prior to 4.2, and thus have become obsolete.

The systemConfig kernel parameter is no longer added to boot loader entries. It has been unused since September 2010, but if do have a system generation from that era, you will now be unable to boot into them.

systemd-journal2gelf no longer parses json and expects the receiving system to handle it. How to achieve this with Graylog is described in this GitHub issue.

If the services.dbus module is enabled, then the user D-Bus session is now always socket activated. The associated options services.dbus.socketActivated and services.xserver.startDbusSession have therefore been removed and you will receive a warning if they are present in your configuration. This change makes the user D-Bus session available also for non-graphical logins.

The networking.wireless.iwd module now installs the upstream-provided 80-iwd.link file, which sets the NamePolicy= for all wlan devices to “keep kernel”, to avoid race conditions between iwd and networkd. If you don’t want this, you can set systemd.network.links."80-iwd" = lib.mkForce {}.

rubyMinimal was removed due to being unused and unusable. The default ruby interpreter includes JIT support, which makes it reference it’s compiler. Since JIT support is probably needed by some Gems, it was decided to enable this feature with all cc references by default, and allow to build a Ruby derivation without references to cc, by setting jitSupport = false; in an overlay. See #90151 for more info.

Setting services.openssh.authorizedKeysFiles now also affects which keys security.pam.enableSSHAgentAuth will use. WARNING: If you are using these options in combination do make sure that any key paths you use are present in services.openssh.authorizedKeysFiles!

The option fonts.enableFontDir has been renamed to fonts.fontDir.enable. The path of font directory has also been changed to /run/current-system/sw/share/X11/fonts, for consistency with other X11 resources.

A number of options have been renamed in the kicad interface. oceSupport has been renamed to withOCE, withOCCT has been renamed to withOCC, ngspiceSupport has been renamed to withNgspice, and scriptingSupport has been renamed to withScripting. Additionally, kicad/base.nix no longer provides default argument values since these are provided by kicad/default.nix.

The socket for the pdns-recursor module was moved from /var/lib/pdns-recursor to /run/pdns-recursor to match upstream.

Paperwork was updated to version 2. The on-disk format slightly changed, and it is not possible to downgrade from Paperwork 2 back to Paperwork 1.3. Back your documents up before upgrading. See this thread for more details.

PowerDNS has been updated from 4.2.x to 4.3.x. Please be sure to review the Upgrade Notes provided by upstream before upgrading. Worth specifically noting is that the service now runs entirely as a dedicated pdns user, instead of starting as root and dropping privileges, as well as the default socket-dir location changing from /var/lib/powerdns to /run/pdns.

The mediatomb service is now using by default the new and maintained fork gerbera package instead of the unmaintained mediatomb package. If you want to keep the old behavior, you must declare it with:

{
  services.mediatomb.package = pkgs.mediatomb;
}

One new option openFirewall has been introduced which defaults to false. If you relied on the service declaration to add the firewall rules itself before, you should now declare it with:

{
  services.mediatomb.openFirewall = true;
}

xfsprogs was update from 4.19 to 5.11. It now enables reflink support by default on filesystem creation. Support for reflinks was added with an experimental status to kernel 4.9 and deemed stable in kernel 4.16. If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than those, you need to format them with mkfs.xfs -m reflink=0.

The uWSGI server is now built with POSIX capabilities. As a consequence, root is no longer required in emperor mode and the service defaults to running as the unprivileged uwsgi user. Any additional capability can be added via the new option services.uwsgi.capabilities. The previous behaviour can be restored by setting:

{
  services.uwsgi.user = "root";
  services.uwsgi.group = "root";
  services.uwsgi.instance =
    {
      uid = "uwsgi";
      gid = "uwsgi";
    };
}

Another incompatibility from the previous release is that vassals running under a different user or group need to use immediate-{uid,gid} instead of the usual uid,gid options.

btc1 has been abandoned upstream, and removed.

cpp_ethereum (aleth) has been abandoned upstream, and removed.

riak-cs package removed along with services.riak-cs module.

stanchion package removed along with services.stanchion module.

mutt has been updated to a new major version (2.x), which comes with some backward incompatible changes that are described in the release notes for Mutt 2.0.

vim and neovim switched to Python 3, dropping all Python 2 support.

networking.wireguard.interfaces.<name>.generatePrivateKeyFile, which is off by default, had a chmod race condition fixed. As an aside, the parent directory’s permissions were widened, and the key files were made owner-writable. This only affects newly created keys. However, if the exact permissions are important for your setup, read #121294.

boot.zfs.forceImportAll previously did nothing, but has been fixed. However its default has been changed to false to preserve the existing default behaviour. If you have this explicitly set to true, please note that your non-root pools will now be forcibly imported.

openafs now points to openafs_1_8, which is the new stable release. OpenAFS 1.6 was removed.

The WireGuard module gained a new option networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshSeconds that implements refreshing the IP of DNS-based endpoints periodically (which WireGuard itself cannot do).

MariaDB has been updated to 10.5. Before you upgrade, it would be best to take a backup of your database and read Incompatible Changes Between 10.4 and 10.5. After the upgrade you will need to run mysql_upgrade.

The TokuDB storage engine dropped in mariadb 10.5 and removed in mariadb 10.6. It is recommended to switch to RocksDB. See also TokuDB and MDEV-19780: Remove the TokuDB storage engine.

The openldap module now has support for OLC-style configuration, users of the configDir option may wish to migrate. If you continue to use configDir, ensure that olcPidFile is set to /run/slapd/slapd.pid.

As a result, extraConfig and extraDatabaseConfig are removed. To help with migration, you can convert your slapd.conf file to OLC configuration with the following script (find the location of this configuration file by running systemctl status openldap, it is the -f option.

$ TMPDIR=$(mktemp -d)
$ slaptest -f /path/to/slapd.conf -F $TMPDIR
$ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'

This will dump your current configuration in LDIF format, which should be straightforward to convert into Nix settings. This does not show your schema configuration, as this is unnecessarily verbose for users of the default schemas and slaptest is buggy with schemas directly in the config file.

Amazon EC2 and OpenStack Compute (nova) images now re-fetch instance meta data and user data from the instance metadata service (IMDS) on each boot. For example: stopping an EC2 instance, changing its user data, and restarting the instance will now cause it to fetch and apply the new user data.

The rspamd services is now sandboxed. It is run as a dynamic user instead of root, so secrets and other files may have to be moved or their permissions may have to be fixed. The sockets are now located in /run/rspamd instead of /run.

Enabling the Tor client no longer silently also enables and configures Privoxy, and the services.tor.client.privoxy.enable option has been removed. To enable Privoxy, and to configure it to use Tor’s faster port, use the following configuration:

{
  opt-services.privoxy.enable = true;
  opt-services.privoxy.enableTor = true;
}

The services.tor module has a new exhaustively typed services.tor.settings option following RFC 0042; backward compatibility with old options has been preserved when aliasing was possible. The corresponding systemd service has been hardened, but there is a chance that the service still requires more permissions, so please report any related trouble on the bugtracker. Onion services v3 are now supported in services.tor.relay.onionServices. A new services.tor.openFirewall option as been introduced for allowing connections on all the TCP ports configured.

The options services.slurm.dbdserver.storagePass and services.slurm.dbdserver.configFile have been removed. Use services.slurm.dbdserver.storagePassFile instead to provide the database password. Extra config options can be given via the option services.slurm.dbdserver.extraConfig. The actual configuration file is created on the fly on startup of the service. This avoids that the password gets exposed in the nix store.

The wafHook hook does not wrap Python anymore. Packages depending on wafHook need to include any Python into their nativeBuildInputs.

Starting with version 1.7.0, the project formerly named CodiMD is now named HedgeDoc. New installations will no longer use the old name for users, state directories and such, this needs to be considered when moving state to a more recent NixOS installation. Based on system.stateVersion, existing installations will continue to work.

The fish-foreign-env package has been replaced with fishPlugins.foreign-env, in which the fish functions have been relocated to the vendor_functions.d directory to be loaded automatically.

The prometheus json exporter is now managed by the prometheus community. Together with additional features some backwards incompatibilities were introduced. Most importantly the exporter no longer accepts a fixed command-line parameter to specify the URL of the endpoint serving JSON. It now expects this URL to be passed as an URL parameter, when scraping the exporter’s /probe endpoint. In the prometheus scrape configuration the scrape target might look like this:

http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint

Existing configuration for the exporter needs to be updated, but can partially be re-used. Documentation is available in the upstream repository and a small example for NixOS is available in the corresponding NixOS test.

These changes also affect services.prometheus.exporters.rspamd.enable, which is just a preconfigured instance of the json exporter.

For more information, take a look at the official documentation of the json_exporter.

Androidenv was updated, removing the includeDocs and lldbVersions arguments. Docs only covered a single version of the Android SDK, LLDB is now bundled with the NDK, and both are no longer available to download from the Android package repositories. Additionally, since the package lists have been updated, some older versions of Android packages may not be bundled. If you depend on older versions of Android packages, we recommend overriding the repo.

Android packages are now loaded from a repo.json file created by parsing Android repo XML files. The arguments repoJson and repoXmls have been added to allow overriding the built-in androidenv repo.json with your own. Additionally, license files are now written to allow compatibility with Gradle-based tools, and the extraLicenses argument has been added to accept more SDK licenses if your project requires it. See the androidenv documentation for more details.

The attribute mpi is now consistently used to provide a default, system-wide MPI implementation. The default implementation is openmpi, which has been used before by all derivations affects by this change. Note that all packages that have used mpi ? null in the input for optional MPI builds, have been changed to the boolean input parameter useMpi to enable building with MPI. Building all packages with mpich instead of the default openmpi can now be achieved like this:

self: super:
{
  mpi = super.mpich;
}

The Searx module has been updated with the ability to configure the service declaratively and uWSGI integration. The option services.searx.configFile has been renamed to services.searx.settingsFile for consistency with the new services.searx.settings. In addition, the searx uid and gid reservations have been removed since they were not necessary: the service is now running with a dynamically allocated uid.

The libinput module has been updated with the ability to configure mouse and touchpad settings separately. The options in services.xserver.libinput have been renamed to services.xserver.libinput.touchpad, while there is a new services.xserver.libinput.mouse for mouse related configuration.

Since touchpad options no longer apply to all devices, you may want to replicate your touchpad configuration in mouse section.

ALSA OSS emulation (sound.enableOSSEmulation) is now disabled by default.

Thinkfan as been updated to 1.2.x, which comes with a new YAML based configuration format. For this reason, several NixOS options of the thinkfan module have been changed to non-backward compatible types. In addition, a new services.thinkfan.settings option has been added.

Please read the thinkfan documentation before updating.

Adobe Flash Player support has been dropped from the tree. In particular, the following packages no longer support it:

Additionally, packages flashplayer and hal-flash were removed along with the services.flashpolicyd module.

The security.rngd module has been removed. It was disabled by default in 20.09 as it was functionally redundant with krngd in the linux kernel. It is not necessary for any device that the kernel recognises as an hardware RNG, as it will automatically run the krngd task to periodically collect random data from the device and mix it into the kernel’s RNG.

The default SMTP port for GitLab has been changed to 25 from its previous default of 465. If you depended on this default, you should now set the services.gitlab.smtp.port option.

The default version of ImageMagick has been updated from 6 to 7. You can use imagemagick6, imagemagick6_light, and imagemagick6Big if you need the older version.

services.xserver.videoDrivers no longer uses the deprecated cirrus and vesa device dependent X drivers by default. It also enables both amdgpu and nouveau drivers by default now.

The kindlegen package is gone, because it is no longer supported or hosted by Amazon. Sadly, its replacement, Kindle Previewer, has no Linux support. However, there are other ways to generate MOBI files. See the discussion for more info.

The apacheKafka packages are now built with version-matched JREs. Versions 2.6 and above, the ones that recommend it, use jdk11, while versions below remain on jdk8. The NixOS service has been adjusted to start the service using the same version as the package, adjustable with the new services.apache-kafka.jre option. Furthermore, the default list of services.apache-kafka.jvmOptions have been removed. You should set your own according to the upstream documentation for your Kafka version.

The kodi package has been modified to allow concise addon management. Consider the following configuration from previous releases of NixOS to install kodi, including the kodiPackages.inputstream-adaptive and kodiPackages.vfs-sftp addons:

{
  environment.systemPackages = [
    pkgs.kodi
  ];

  nixpkgs.config.kodi = {
    enableInputStreamAdaptive = true;
    enableVFSSFTP = true;
  };
}

All Kodi config flags have been removed, and as a result the above configuration should now be written as:

{
  environment.systemPackages = [
    (pkgs.kodi.withPackages (p: with p; [
      inputstream-adaptive
      vfs-sftp
    ]))
  ];
}

environment.defaultPackages now includes the nano package. If pkgs.nano is not added to the list, make sure another editor is installed and the EDITOR environment variable is set to it. Environment variables can be set using environment.variables.