-
FoundationDB now defaults to major version 7.
-
PostgreSQL now defaults to major version 15.
-
Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the
hostapdpackage, along with a significant rework of the hostapd module. -
LXD now supports virtual machine instances to complement the existing container support
-
The
nixos-rebuildcommand has been given alist-generationssubcommand. Seeman nixos-rebuildfor more details. -
systemd has been updated from v253 to v254, see the release notes for more information on the changes.
boot.resumeDevicemust be specified when hibernating if not in EFI mode.- systemd may warn your system about the permissions of your ESP partition (often
/boot), this warning can be ignored for now, we are looking into a satisfying solution regarding this problem. - Updating with
nixos-rebuild bootand rebooting is recommended, since in some rare cases thenixos-rebuild switchinto the new generation on a live system might fail due to missing mount units.
-
sudo-rs, a reimplementation ofsudoin Rust, is now supported. An experimental new modulesecurity.sudo-rswas added. Switching to it (viasecurity.sudo.enable = false; security.sudo-rs.enable = true;) introduces slight changes in sudo behaviour, due tosudo-rs' current limitations:- terminfo-related environment variables aren't preserved for
rootandwheel; rootandwheelare not given the ability to set (or preserve) arbitrary environment variables.
- terminfo-related environment variables aren't preserved for
-
glibc has been updated from version 2.37 to 2.38, see the release notes for what was changed.
-
All ROCm packages have been updated to 5.7.0.
- ROCm package attribute sets are versioned:
rocmPackages->rocmPackages_5.
- ROCm package attribute sets are versioned:
-
yarn-berryhas been updated to 4.0.1. This means that NodeJS versions less than18.12are no longer supported by it. More details at the upstream changelog. -
If the user has a custom shell enabled via
users.users.${USERNAME}.shell = ${CUSTOMSHELL}, the assertion will require them to also setprograms.${CUSTOMSHELL}.enable = true. This is generally safe behavior, but for anyone needing to opt out from the checkusers.users.${USERNAME}.ignoreShellProgramCheck = truewill do the job. -
Cassandra now defaults to 4.x, updated from 3.11.x.
-
MCHPRS, a multithreaded Minecraft server built for redstone. Available as services.mchprs.
-
acme-dns, a limited DNS server to handle ACME DNS challenges easily and securely. Available as services.acme-dns.
-
frp, a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. Available as services.frp.
-
river, A dynamic tiling wayland compositor. Available as programs.river.
-
wayfire, A modular and extensible wayland compositor. Available as programs.wayfire.
-
mautrix-whatsapp A Matrix-WhatsApp puppeting bridge
-
hddfancontrol, a service to regulate fan speeds based on hard drive temperature. Available as services.hddfancontrol.
-
GoToSocial, an ActivityPub social network server, written in Golang. Available as services.gotosocial.
-
Castopod, an open-source hosting platform made for podcasters who want to engage and interact with their audience. Available as services.castopod.
-
Typesense, a fast, typo-tolerant search engine for building delightful search experiences. Available as services.typesense.
- NS-USBLoader, an all-in-one tool for managing Nintendo Switch homebrew. Available as programs.ns-usbloader.
-
Mobilizon, a Fediverse platform for publishing events.
-
Anuko Time Tracker, a simple, easy to use, open source time tracking system. Available as services.anuko-time-tracker.
-
Prometheus MySQL exporter, a MySQL server exporter for Prometheus. Available as services.prometheus.exporters.mysqld.
-
LibreNMS, a auto-discovering PHP/MySQL/SNMP based network monitoring. Available as services.librenms.
-
Livebook, an interactive notebook with support for Elixir, graphs, machine learning, and more.
-
sitespeed-io, a tool that can generate metrics (timings, diagnostics) for websites. Available as services.sitespeed-io.
-
stalwart-mail, an all-in-one email server (SMTP, IMAP, JMAP). Available as services.stalwart-mail.
-
tang, a server for binding data to network presence. Available as services.tang.
-
Jool, a kernelspace NAT64 and SIIT implementation, providing translation between IPv4 and IPv6. Available as networking.jool.enable.
-
[Home Assistant Satellite], a streaming audio satellite for Home Assistant voice pipelines, where you can reuse existing mic/speaker hardware. Available as services.homeassistant-satellite.
-
Apache Guacamole, a cross-platform, clientless remote desktop gateway. Available as services.guacamole-server and services.guacamole-client services.
-
pgBouncer, a PostgreSQL connection pooler. Available as services.pgbouncer.
-
Goss, a YAML based serverspec alternative tool for validating a server's configuration. Available as services.goss.
-
trust-dns, a Rust based DNS server built to be safe and secure from the ground up. Available as services.trust-dns.
-
osquery, a SQL powered operating system instrumentation, monitoring, and analytics.
-
ebusd, a daemon for handling communication with eBUS devices connected to a 2-wire bus system (“energy bus” used by numerous heating systems). Available as services.ebusd.
-
systemd-sysupdate, atomically updates the host OS, container images, portable service images or other sources. Available as systemd.sysupdate.
-
eris-server. ERIS is an encoding for immutable storage and this server provides block exchange as well as content decoding over HTTP and through a FUSE file-system. Available as services.eris-server.
-
hardware/infiniband.nix adds infiniband subnet manager support using an opensm systemd-template service, instantiated on card guids. The module also adds kernel modules and cli tooling to help administrators debug and measure performance. Available as hardware.infiniband.enable.
-
zwave-js, a small server wrapper around Z-Wave JS to access it via a WebSocket. Available as services.zwave-js.
-
Honk, a complete ActivityPub server with minimal setup and support costs. Available as services.honk.
-
ferretdb, an open-source proxy, converting the MongoDB 6.0+ wire protocol queries to PostgreSQL or SQLite. Available as services.ferretdb.
-
MicroBin, a feature rich, performant and secure text and file sharing web application, a "paste bin". Available as services.microbin.
-
NNCP. Added nncp-daemon and nncp-caller services. Configuration is set with programs.nncp.settings and the daemons are enabled at services.nncp.
-
FastNetMon Advanced, a commercial high performance DDoS detector / sensor. Available as services.fastnetmon-advanced.
-
tuxedo-rs, Rust utilities for interacting with hardware from TUXEDO Computers.
-
certspotter, a certificate transparency log monitor. Available as services.certspotter.
-
audiobookshelf, a self-hosted audiobook and podcast server. Available as services.audiobookshelf.
-
ZITADEL, a turnkey identity and access management platform. Available as services.zitadel.
-
netclient, an automated WireGuard® Management Client. Available as services.netclient.
-
trunk-ng, A fork of
trunk: Build, bundle & ship your Rust WASM application to the web -
virt-manager, an UI for managing virtual machines in libvirt, is now available as
programs.virt-manager. -
Soft Serve, a tasty, self-hostable Git server for the command line. Available as services.soft-serve.
-
Rosenpass, a service for post-quantum-secure VPNs with WireGuard. Available as services.rosenpass.
-
c2FmZQ, an application that can securely encrypt, store, and share files, including but not limited to pictures and videos. Available as services.c2fmzq-server.
-
network-online.targethas been fixed to no longer time out for systems withnetworking.useDHCP = trueandnetworking.useNetworkd = true. Workarounds for this can be removed. -
The
boot.loader.raspberryPioptions have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs (before mid-2019) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices. -
python3.pkgs.sequoiawas removed in favor ofpython3.pkgs.pysequoia. The latter package is based on upstream's dedicated repository for sequoia's Python bindings, where the Python bindings from gitlab:sequoia-pgp/sequoia were removed long ago. -
writeTextFilenow requiresexecutableto be boolean, values likenullor""will now fail to evaluate. -
The latest version of
cloneheronow stores custom content in~/.clonehero. See the migration instructions. Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in~/.config/unity3d/srylain Inc_/Clone Hero. -
The
services.hostapdmodule was rewritten to supportpasswordFilelike options, WPA3-SAE, and management of multiple interfaces. This breaks compatibility with older configurations.hostapdis now started with additional systemd sandbox/hardening options for better security.services.hostapd.interfacewas replaced with a per-radio and per-bss configuration scheme using services.hostapd.radios.services.hostapd.wpahas been replaced by services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword and services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords which configure WPA2-PSK and WP3-SAE respectively.- The default authentication has been changed to WPA3-SAE. Options for other (legacy) schemes are still available.
-
python3.pkgs.fetchPypi(andpython3Packages.fetchPypi) has been deprecated in favor of top-levelfetchPypi. -
passnow does not containpassword-store.el. Users should getpassword-store.elfrom Emacs lisp package setemacs.pkgs.password-store. -
services.knotnow supports.settingsfrom RFC42. The previous.extraConfigstill works the same, but it displays a warning now. -
munow does not installmu4efiles by default. Users should getmu4efrom Emacs lisp package setemacs.pkgs.mu4e. -
mariadbnow defaults tomariadb_1011instead ofmariadb_106, meaning the default version was upgraded from 10.6.x to 10.11.x. See the upgrade notes for potential issues. -
getenthas been moved fromglibc'sbinoutput to its own dedicated output, reducing closure size for many dependents. Dependents using thegetentalias should not be affected; others should move from usingglibc.binorgetBin glibctogetent(which also improves compatibility with non-glibc platforms). -
maintainers/scripts/update-luarocks-packagesis now a proper packageluarocks-packages-updaterthat can be run to maintain out-of-tree luarocks packages -
The
users.users.<name>.passwordFilehas been renamed tousers.users.<name>.hashedPasswordFileto avoid possible confusions. The option is in fact the file-based version ofhashedPassword, notpassword, and expects a file containing the {manpage}crypt(3)hash of the user password. -
chromiumBetaandchromiumDevhave been removed due to the lack of maintenance in nixpkgs. Consider usingchromiuminstead. -
google-chrome-betaandgoogle-chrome-devhave been removed due to the lack of maintenance in nixpkgs. Consider usinggoogle-chromeinstead. -
The
services.ananicy.extraRulesoption now has the type oflistOf attrsinstead ofstring. -
buildVimPluginFrom2Nixhas been renamed tobuildVimPlugin, which now now skipsconfigurePhaseandbuildPhase -
JACK tools (
jack_*exceptjack_control) have moved from thejack2package tojack-example-tools -
The
matrix-synapsepackage & module have undergone some significant internal changes, for most setups no intervention is needed, though:- The option
services.matrix-synapse.packageis now read-only. For modifying the package, use an overlay which modifiesmatrix-synapse-unwrappedinstead. More on that below. - The
enableSystemd&enableRedisarguments have been removed andmatrix-synapsehas been renamed tomatrix-synapse-unwrapped. Also, several optional dependencies (such aspsycopg2orauthlib) have been removed. - These optional dependencies are automatically added via a wrapper (
pkgs.matrix-synapse.override { extras = ["redis"]; }forhiredis&txredisapifor instance) if the relevant config section is declared inservices.matrix-synapse.settings. For instance, ifservices.matrix-synapse.settings.redis.enabledis set totrue,"redis"will be automatically added to theextraslist ofpkgs.matrix-synapse. - A list of all extras (and the extras enabled by default) can be found at the option's reference for
services.matrix-synapse.extras. - In some cases (e.g. for running synapse workers) it was necessary to re-use the
PYTHONPATHofmatrix-synapse.service's environment to have all plugins available. This isn't necessary anymore, insteadconfig.services.matrix-synapse.packagecan be used as it points to the wrapper with properly configuredextrasand also all plugins defined viaservices.matrix-synapse.pluginsavailable. This is also the reason for why the option is read-only now, it's supposed to be set by the module only.
- The option
-
netboxwas updated to 3.6. NixOS'services.netbox.packagestill defaults to 3.5 ifstateVersionis earlier than 23.11. Please review upstream's breaking changes for 3.6.0 and upgrade NetBox by changingservices.netbox.package. Database migrations will be run automatically. -
etcdhas been updated to 3.5, you will want to read the 3.3 to 3.4 and 3.4 to 3.5 upgrade guides -
gitlabinstallations created or updated between versions [15.11.0, 15.11.2] have an incorrect database schema. This will become a problem when upgrading togitlab>=16.2.0. A workaround for affected users can be found in the GitLab docs. -
consulhas been updated to1.16.0. See the release note for more details. Once a new Consul version has started and upgraded its data directory, it generally cannot be downgraded to the previous version. -
llvmPackages_rocmhas been moved torocmPackages.llvm. -
hip,rocm-opencl-runtime,rocm-opencl-icd, androcclrhave been combined intorocmPackages.clr. -
clang-ocl,clr,composable_kernel,hipblas,hipcc,hip-common,hipcub,hipfft,hipfort,hipify,hipsolver,hipsparse,migraphx,miopen,miopengemm,rccl,rdc,rocalution,rocblas,rocdgbapi,rocfft,rocgdb,rocm-cmake,rocm-comgr,rocm-core,rocm-device-libs,rocminfo,rocmlir,rocm-runtime,rocm-smi,rocm-thunk,rocprim,rocprofiler,rocrand,rocr-debug-agent,rocsolver,rocsparse,rocthrust,roctracer,rocwmma, andtensilehave been moved torocmPackages. -
himalayahas been updated to0.8.0, which drops the native TLS support (in favor of Rustls) and add OAuth 2.0 support. See the release note for more details. -
nix-prefetch-gitnow ignores global and user git config, to improve reproducibility. -
The services.caddy.acmeCA option now defaults to
nullinstead of"https://acme-v02.api.letsencrypt.org/directory", to use all of Caddy's default ACME CAs and enable Caddy's automatic issuer fallback feature by default, as recommended by upstream. -
The default priorities of
services.nextcloud.phpOptionshave changed. This means that e.g.services.nextcloud.phpOptions."opcache.interned_strings_buffer" = "23";doesn't discard all of the other defaults from this option anymore. The attribute values ofphpOptionsare still defaults, these can be overridden as shown here.To override all of the options (including including
upload_max_filesize,post_max_sizeandmemory_limitwhich all point toservices.nextcloud.maxUploadSizeby default) can be done like this:{ services.nextcloud.phpOptions = lib.mkForce { /* ... */ }; }
-
php80is no longer supported due to upstream not supporting this version anymore. -
PHP now defaults to PHP 8.2, updated from 8.1.
-
GraalVM has been updated to the latest version, and this brings significant changes. Upstream don't release multiple versions targeting different JVMs anymore, so now we only have one GraalVM derivation (
graalvm-ce). While at first glance the version may seem a downgrade (22.3.1 -> 21.0.0), the major version is now following the JVM it targets (so this latest version targets JVM 21). Also some products likellvm-installable-svmandnative-image-svmwere incorporate to the main GraalVM derivation, so they're included by default. -
GraalPy (
graalCEPackages.graalpy), TruffleRuby (graalCEPackages.truffleruby), GraalJS (graalCEPackages.graaljs) and GraalNodeJS (grallCEPackages.graalnodejs) are now indepedent from the main GraalVM derivation. -
The ISC DHCP package and corresponding module have been removed, because they are end of life upstream. See https://www.isc.org/blogs/isc-dhcp-eol/ for details and switch to a different DHCP implementation like kea or dnsmasq.
-
prometheus-unbound-exporterhas been replaced by the Let's Encrypt maintained version, since the previous version was archived. This requires some changes to the module configuration, most notablecontrolInterfaceneeds migration towardsunbound.hostand requires either thetcp://orunix://URI scheme. -
odoonow defaults to 16, updated from 15. -
varnishwas upgraded from 7.2.x to 7.4.x, see https://varnish-cache.org/docs/7.3/whats-new/upgrading-7.3.html and https://varnish-cache.org/docs/7.4/whats-new/upgrading-7.4.html for upgrade notes. The current LTS version is still offered asvarnish60. -
util-linuxis now supported on Darwin and is no longer an alias tounixtools. Use theunixtools.util-linuxpackage for access to the Apple variants of the utilities. -
services.keydchanged API. Now you can create multiple configuration files. -
baloo, the file indexer/search engine used by KDE now has a patch to prevent files from constantly being reindexed when the device ids of the their underlying storage changes. This happens frequently when using btrfs or LVM. The patch has not yet been accepted upstream but it provides a significantly improved experience. When upgrading, reset baloo to get a clean index:balooctl disable ; balooctl purge ; balooctl enable. -
The
vlockprogram from thekbdpackage has been moved into its own package output and should now be referenced explicitly askbd.vlockor replaced with an alternative such as the standalonevlockpackage orphyslock. -
fileSystems.<name>.autoFormatnow usessystemd-makefs, which does not accept formatting options. Therefore,fileSystems.<name>.formatOptionshas been removed. -
fileSystems.<name>.autoResizenow usessystemd-growfsto resize the file system online in stage 2. This means thatf2fsandext2can no longer be auto resized, whilexfsandbtrfsnow can be. -
nixos-rebuild {switch,boot,test,dry-activate}now runs the system activation insidesystemd-run, creating an ephemeral systemd service and protecting the system switch against issues like network disconnections during remote (e.g. SSH) sessions. This has the side effect of running the switch in an isolated environment, that could possible break post-switch scripts that depends on things like environment variables being set. If you want to opt-out from this behavior for now, you may set theNIXOS_SWITCH_USE_DIRTY_ENVenvironment variable before runningnixos-rebuild. However, keep in mind that this option will be removed in the future. -
The
services.vaultwarden.configoption default value was changed to make Vaultwarden only listen on localhost, following the secure defaults for most NixOS services. -
services.lemmy.settings.federationwas removed in 0.17.0 and no longer has any effect. To enable federation, the hostname must be set in the configuration file and then federation must be enabled in the admin web UI. See the release notes for more details. -
pict-rswas upgraded from 0.3 to 0.4 and contains an incompatible database & configuration change. To upgrade on systems withstateVersion = "23.05";or older follow the migration steps from https://git.asonix.dog/asonix/pict-rs#user-content-0-3-to-0-4-migration-guide and setservices.pict-rs.package = pkgs.pict-rs;. -
The following packages in
haskellPackageshave now a separate bin output:cabal-fmt,calligraphy,eventlog2html,ghc-debug-brick,hindent,nixfmt,releaser. This means you need to replace e.g."${pkgs.haskellPackages.nixfmt}/bin/nixfmt"with"${lib.getBin pkgs.haskellPackages.nixfmt}/bin/nixfmt"or"${lib.getExe pkgs.haskellPackages.nixfmt}". The binaries also won’t be in scope if you rely on them being installed e.g. viaghcWithPackages.environment.packagespicks thebinoutput automatically, so for normal installation no intervention is required. Also, toplevel attributes likepkgs.nixfmtare not impacted negatively by this change. -
spamassassinno longer supports theHashcashmodule. The module needs to be removed from theloadpluginlist if it was copied over from the defaultinitPreConfoption. -
nanowas removed fromenvironment.defaultPackages. To not leave systems without a editor, nowprograms.nano.enableis enabled by default. -
programs.nano.nanorcandprograms.nano.syntaxHighlightno longer have an effect unlessprograms.nano.enableis set to true which is the default. -
services.outline.sequelizeArgumentshas been removed, asoutlineno longer executes database migrations via thesequelizecli. -
The binary of the package
cloud-sql-proxyhas changed fromcloud_sql_proxytocloud-sql-proxy. -
Garage has been upgraded to 0.9.x.
services.garage.packagenow needs to be explicitly set, so version upgrades can be done in a controlled fashion. For this, we exposegarage_x_yattributes which can be set here. -
vomsandxrootdnow moves the$out/etccontent to the$etcoutput instead of$out/etc.orig, when input argumentexternalEtcis notnull. -
The
woodpecker-*CI packages have been updated to 1.0.0. This release is wildly incompatible with the 0.15.X versions that were previously packaged. Please read upstream's documentation to learn how to update your CI configurations. -
The Caddy module gained a new option named
services.caddy.enableReloadwhich is enabled by default. It allows reloading the service instead of restarting it, if only a config file has changed. This option must be disabled if you have turned off the Caddy admin API. If you keep this option enabled, you should consider settinggrace_periodto a non-infinite value to prevent Caddy from delaying the reload indefinitely. -
mdraid support is now optional. This reduces initramfs size and prevents the potentially undesired automatic detection and activation of software RAID pools. It is disabled by default in new configurations (determined by
stateVersion), but the appropriate settings will be generated bynixos-generate-configwhen installing to a software RAID device, so the standard installation procedure should be unaffected. If you have custom configs relying on mdraid, ensure that you usestateVersioncorrectly or setboot.swraid.enablemanually. On systems with an updatedstateVersionwe now also emit warnings ifmdadm.confdoes not contain the minimum required configuration necessary to run the dynamically enabled monitoring daemons. -
The
go-ethereumpackage has been updated to v1.12.0. This drops support for proof-of-work. Its GraphQL API now encodes all numeric values as hex strings and the GraphQL UI is updated to version 2.0. The default database has changed fromleveldbtopebblebutleveldbcan be forced with the --db.engine=leveldb flag. Thecheckpoint-admincommand was removed along with trusted checkpoints. -
The
aseprite-unfreepackage has been upgraded from 1.2.16.3 to 1.2.40. The free version of aseprite has been dropped because it is EOL and the package attribute now points to the unfree version. A maintained fork of the last free version of Aseprite, named 'LibreSprite', is available in thelibrespritepackage. -
The default
kopsversion is now 1.28.0 and support for 1.25 and older has been dropped. -
pharohas been updated to latest stable (PharoVM 10.0.5), which is compatible with the latest stable and oldstable images (Pharo 10 and 11). The VM in question is the 64bit Spur. The 32bit version has been dropped due to lack of maintenance. The Cog VM has been deleted because it is severily outdated. Finally, thepharo-launcherpackage has been deleted because it was not compatible with the newer VM, and due to lack of maintenance. -
Emacs mainline version 29 was introduced. This new version includes many major additions, most notably
tree-sittersupport (enabled by default) and the pgtk variant (useful for Wayland users), which is available under the attributeemacs29-pgtk. -
Emacs macport version 29 was introduced.
-
The option
services.networking.networkmanager.enableFccUnlockwas removed in favor ofnetworking.networkmanager.fccUnlockScripts, which allows specifying unlock scripts explicitly. The previous option enabled all unlock scripts bundled with ModemManager, which is risky, and didn't allow using vendor-provided unlock scripts at all. -
The
html-prooferpackage has been updated from major version 3 to major version 5, which includes breaking changes. -
kratoshas been updated from 0.10.1 to the first stable version 1.0.0, please read the 0.10.1 to 0.11.0, 0.11.0 to 0.11.1, 0.11.1 to 0.13.0 and 0.13.0 to 1.0.0 upgrade guides. The most notable breaking change is the introduction of one-time passwords (code) and update of the default recovery strategy fromlinktocode. -
The
hailNixOS module was removed, ashailwas unmaintained since 2017. -
Package
noto-fonts-emojiwas renamed tonoto-fonts-color-emoji; see #221181. -
Package
cloud-sql-proxywas renamed togoogle-cloud-sql-proxyas it cannot be used with other cloud providers.; -
Package
pashwas removed due to being archived upstream. Usepowershellas an alternative. -
security.sudo.extraRulesnow includesroot's default rule, with ordering priority 400. This is functionally identical for users not specifying rule order, or relying onmkBeforeandmkAfter, but may impact users callingmkOrder nwith n ≤ 400. -
X keyboard extension (XKB) options have been reorganized into a single attribute set,
services.xserver.xkb. Specifically,services.xserver.layoutis nowservices.xserver.xkb.layout,services.xserver.extraLayoutsis nowservices.xserver.xkb.extraLayouts,services.xserver.xkbModelis nowservices.xserver.xkb.model,services.xserver.xkbOptionsis nowservices.xserver.xkb.options,services.xserver.xkbVariantis nowservices.xserver.xkb.variant, andservices.xserver.xkbDiris nowservices.xserver.xkb.dir. -
networking.networkmanager.firewallBackendwas removed as NixOS is now using iptables-nftables-compat even when using iptables, therefore Networkmanager now uses the nftables backend unconditionally. -
lib.lists.foldl'now always evaluates the initial accumulator argument first. If you depend on the lazier behavior, consider usinglib.lists.foldlorbuiltins.foldl'instead. -
lib.attrsets.foldlAttrsnow always evaluates the initial accumulator argument first. -
romewas removed because it is no longer maintained and is succeeded bybiome. -
The
prometheus-knot-exporterwas migrated to a version maintained by CZ.NIC. Various metric names have changed, so checking existing rules is recommended. -
The
services.mtr-exporter.targethas been removed in favor ofservices.mtr-exporter.jobswhich allows specifying multiple targets. -
blender-with-packageshas been deprecated in favor ofblender.withPackages, for exampleblender.withPackages (ps: [ps.bpycv]). It behaves similarly topython3.withPackages. -
Setting
nixpkgs.configoptions while providing an externalpkgsinstance will now raise an error instead of silently ignoring the options. NixOS modules no longer setnixpkgs.configto accomodate this. This specifically affectsservices.locate,services.xserver.displayManager.lightdm.greeters.tinyandprograms.firefoxNixOS modules. No manual intervention should be required in most cases, however, configurations relying on those modules affecting packages outside the system environment should switch to explicit overlays. -
service.borgmatic.settings.locationandservices.borgmatic.configurations.<name>.locationare deprecated, please move your options out of sections to the global scope. -
privacyidea(and the correspondingprivacyidea-ldap-proxy) has been removed from nixpkgs because it has severely outdated dependencies that became unmaintainable with nixpkgs' python package-set. -
daggerwas removed because using a package calleddaggerand packaging it from source violates their trademark policy. -
win-virtiopackage was renamed tovirtio-winto be consistent with the upstream package name. -
ps3netsrvhas been replaced with the webman-mod fork, the executable has been renamed fromps3netsrv++tops3netsrvand cli parameters have changed. -
ssm-agentpackage and module were renamed toamazon-ssm-agentto be consistent with the upstream package name. -
services.kea.{ctrl-agent,dhcp-ddns,dhcp,dhcp6}now use separate runtime directories instead of/run/keato work around the runtime directory being cleared on service start. -
mkDerivationnow rejects MD5 hashes. -
The
junicodefont package has been updated to major version 2, which is now a font family. In particular, plainJunicode.ttfno longer exists. In addition, TrueType font files are now placed infont/truetypeinstead offont/junicode-ttf; this change does not affect use viafonts.packagesNixOS option. -
The
prayerpackage as well asservices.prayerhave been removed because it's been unmaintained for several years and the author's website has vanished.
-
A new option
system.switch.enablewas added. By default, this is option is enabled. Disabling it makes the system unable to be reconfigured vianixos-rebuild. This is good for image based appliances where updates are handled outside the image. -
The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove
xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];from your NixOS configuration. -
GNOME, Pantheon, Cinnamon module no longer forces Qt applications to use Adwaita style since it was buggy and is no longer maintained upstream (specifically, Cinnamon now defaults to the gtk2 style instead, following the default in Linux Mint). If you still want it, you can add the following options to your configuration but it will probably be eventually removed:
qt = { enable = true; platformTheme = "gnome"; style = "adwaita"; };
-
fontconfignow defaults to using greyscale antialiasing instead of subpixel antialiasing because of a recommendation from one of the downstreams. You can change this value by configuring accordingly. -
The latest available version of Nextcloud is v27 (available as
pkgs.nextcloud27). The installation logic is as follows:- If
services.nextcloud.packageis specified explicitly, this package will be installed (recommended) - If
system.stateVersionis >=23.11,pkgs.nextcloud27will be installed by default. - If
system.stateVersionis >=23.05,pkgs.nextcloud26will be installed by default. - Please note that an upgrade from v25 (or older) to v27 directly is not possible. Please upgrade to
nextcloud26(or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaringservices.nextcloud.package = pkgs.nextcloud26;.
- If
-
New options were added to
services.searxfor better SearXNG support, including options for the built-in rate limiter and bot protection and automatically configuring a local redis server. -
jqwas updated to 1.7, its first release in 5 years. -
zfswas updated from 2.1.x to 2.2.0, enabling newer kernel support and adding new features. -
Elixir now defaults to version v1.15.
-
A new option was added to the virtualisation module that enables specifying explicitly named network interfaces in QEMU VMs. The existing
virtualisation.vlansis still supported for cases where the name of the network interface is irrelevant. -
DocBook option documentation is no longer supported, all module documentation now uses markdown.
-
services.outlinecan now be configured to use local filesystem storage instead of S3 storage using services.outline.storage.storageType. -
paperworkwas updated to version 2.2. Documents scanned with this version will not be visible to previous versions if you downgrade. See the upstream announcement for details and workarounds. -
buildGoModulego-modulesattrs have been renamed togoModules. -
The
fonts.fontsandfonts.enableDefaultFontsoptions have been renamed tofonts.packagesandfonts.enableDefaultPackagesrespectively. -
The
services.sslhmodule has been updated to follow RFC 0042. As such, several options have been moved to the freeform attribute set services.sslh.settings, which allows to change any of the settings in {manpage}sslh(8). In addition, the newly added option services.sslh.method allows to switch between the {manpage}fork(2), {manpage}select(2)andlibev-based connection handling method; see the sslh docs for a comparison. -
pkgs.openvpn3now optionally supports systemd-resolved.programs.openvpn3will automatically enable systemd-resolved support ifconfig.services.resolved.enableis enabled. -
services.fail2ban.jailscan now be configured with attribute sets defining settings and filters instead of lines. The stringed optionsdaemonConfigandextraSettingshave respectively been replaced bydaemonSettingsandjails.DEFAULT.settingswhich use attribute sets. -
The application firewall
opensnitchnow uses the process monitor method eBPF as default as recommended by upstream. The method can be changed with the setting services.opensnitch.settings.ProcMonitorMethod. -
services.hedgedochas been heavily refactored, reducing the amount of declared options in the module. Most of the options should still work without any changes. Some options have been deprecated, as they no longer have any effect. See #244941 for more details. -
The services.woodpecker-server type was changed to list of paths to be more consistent to the woodpecker-agent module
-
The module services.ankisyncd has been switched to anki-sync-server-rs from the old python version, which was difficult to update, had not been updated in a while, and did not support recent versions of anki. Unfortunately all servers supporting new clients (newer version of anki-sync-server, anki's built in sync server and this new rust package) do not support the older sync protocol that was used in the old server, so such old clients will also need updating and in particular the anki package in nixpkgs is also being updated in this release. The module update takes care of the new config syntax and the data itself (user login and cards) are compatible, so users of the module will be able to just log in again after updating both client and server without any extra action.
-
services.matrix-synapsehas new options to configure worker processes for matrix-synapse usingservices.matrix-synapse.workers. It's also now possible to configure a local redis server usingservices.matrix-synapse.configureRedisLocally. -
services.nginxgained adefaultListenoption at server-level with support for PROXY protocol listeners, alsoproxyProtocolis now exposed inservices.nginx.virtualHosts.<name>.listenoption. It is now possible to run PROXY listeners and non-PROXY listeners at a server-level, see #213510 for more details. -
services.restic.backupsnow adds wrapper scripts to your system path, which set the same environment variables as the service, so restic operations can easily be run from the command line. This behavior can be disabled by settingcreateWrappertofalse, per backup configuration. -
services.prometheus.exportershas a new exporter to monitor electrical power consumption based on PowercapRAPL sensor called Scaphandre, see #239803 for more details. -
The MariaDB C client library was upgraded from 3.2.x to 3.3.x. It is recommended to review the upstream release notes.
-
The module
services.calibre-serverhas new options to configure thehost,port,auth.enable,auth.modeandauth.userDbpath, see #216497 for more details. -
Mattermost has been upgraded to extended support version 8.1 as the previously packaged extended support version 7.8 is reaching end of life. Migration may take some time, see the changelog and important upgrade notes.
-
services.prometheus.exportershas a new exporter to monitor PHP-FPM processes, see #240394 for more details. -
services.github-runner/services.github-runners.<name>gained the optionnodeRuntimes. The option defaults to[ "node20" ], i.e., the service supports Node.js 20 GitHub Actions only. The list of Node.js versions accepted bynodeRuntimestracks the versions the upstream GitHub Actions runner supports. See #249103 for details. -
programs.gnupg.agent.pinentryFlavoris now set in/etc/gnupg/gpg-agent.conf, and will no longer take precedence over apinentry-programset in~/.gnupg/gpg-agent.conf. -
programs.gnupgnow has the optionagent.settingsto set verbatim config values in/etc/gnupg/gpg-agent.conf. -
dockerTools.buildImage,dockerTools.buildLayeredImageanddockerTools.streamLayeredImagenow uselib.makeOverridableto allowdockerTools-based images to be customized more efficiently at the nix-level. -
services.influxdb2now supports doing an automatic initial setup and provisioning of users, organizations, buckets and authentication tokens, see #249502 for more details. -
wrapHelmnow exposespassthru.pluginsDirwhich can be passed tohelmfile. For convenience, a top-level packagehelmfile-wrappedhas been added, which inheritspassthru.pluginsDirfromkubernetes-helm-wrapped. See #217768 for details. -
boot.initrd.network.udhcp.enableallows control over dhcp during stage 1 regardless of whatnetworking.useDHCPis set to. -
Suricata was upgraded from 6.0 to 7.0 and no longer considers HTTP/2 support as experimental, see upstream release notes for more details.
-
Cloud support in the
netdatapackage is now disabled by default. To enable it use thenetdataCloudpackage. -
networking.nftablesnow has the optionnetworking.nftables.table.<table>to create tables and have them be updated atomically, instead of flushing the ruleset. -
networking.nftablesis no longer flushing all rulesets on every reload. Usenetworking.nftables.flushRuleset = true;to get back the old behaviour. -
The
cawbirdpackage is dropped from nixpkgs, as it got broken by the Twitter API closing down and has been abandoned upstream. -
hardware.nvidiagaineddatacenteroptions for enabling NVIDIA Data Center drivers and configuration of NVLink/NVSwitch topologies throughnv-fabricmanager. -
Certificate generation via the
security.acmenow limits the concurrent number of running certificate renewals and generation jobs, to avoid spiking resource usage when processing many certificates at once. The limit defaults to 5 and can be adjusted viamaxConcurrentRenewals. Setting it to 0 disables the limits altogether. -
New
boot.bcache.enable(default enabled) allows completely removingbcachemount support. -
The module
services.mbpfannow has the optionaggressiveenabled by default for better heat moderation. You can disable it for upstream defaults. -
security.sudonow provides two extra options, that do not change the module's default behaviour:defaultOptionscontrols the options used for the default rules;keepTerminfocontrols whetherTERMINFOandTERMINFO_DIRSare preserved forrootand thewheelgroup.
-
virtualisation.googleComputeImagenow providesefioption to support UEFI booting. -
CoreDNS can now be built with external plugins by overriding
externalPluginsandvendorHasharguments like this:services.coredns = { enable = true; package = pkgs.coredns.override { externalPlugins = [ {name = "fanout"; repo = "github.com/networkservicemesh/fanout"; version = "v1.9.1";} ]; vendorHash = "<SRI hash>"; }; };To get the necessary SRI hash, set
vendorHash = "";. The build will fail and produce the correctvendorHashin the error message.If you use this feature, updates to CoreDNS may require updating
vendorHashby following these steps again. -
postgresql_11has been removed since it'll stop receiving fixes on November 9 2023. -
ffmpegdefault upgraded fromffmpeg_5toffmpeg_6. -
fusumanow enables the following plugins: appmatcher, keypress, sendkey, tap and wmctrl. -
services.bitcoindnow properly respects theenableoption. -
The Home Assistant module now offers support for installing custom components and lovelace modules. Available at
services.home-assistant.customComponentsandservices.home-assistant.customLovelaceModules. -
The argument
vendorSha256ofbuildGoModuleis deprecated. UsevendorHashinstead. (#259999)
-
The use of
sourceRoot = "source";,sourceRoot = "source/subdir";, and similar lines in package derivations using the defaultunpackPhaseis deprecated as it requiresunpackPhaseto always produce a directory named "source". UsesourceRoot = src.name,sourceRoot = "${src.name}/subdir";, orsetSourceRoot = "sourceRoot=$(echo */subdir)";or similar instead. -
The
djangoalias in the python package set was upgraded to Django 4.x. Applications that consume Django should always pin their python environment to a compatible major version, so they can move at their own pace.python = python3.override { packageOverrides = self: super: { django = super.django_3; }; };
-
The
qemu-vm.nixmodule by default now identifies block devices via persistent names available in/dev/disk/by-*. Because the rootDevice is identified by its filesystem label, it needs to be formatted before the VM is started. The functionality of automatically formatting the rootDevice in the initrd is removed from the QEMU module. However, for tests that depend on this functionality, a test utility for the scripted initrd is added (nixos/tests/common/auto-format-root-device.nix). To use this in a NixOS test, import the module, e.g.imports = [ ./common/auto-format-root-device.nix ];When you use the systemd initrd, you can automatically format the root device by settingvirtualisation.fileSystems."/".autoFormat = true;. -
python3.pkgs.flitBuildHookhas been removed. Useflit-coreandformat = "pyproject"instead. -
The
extendfunction ofllvmPackageshas been removed due it coming from thetoolsattrset thus only extending thetoolattrset. A possible replacement is to construct the set fromlibrariesandtools, or patch nixpkgs. -
The
qemu-vm.nixmodule now supports disabling overridingfileSystemswithvirtualisation.fileSystems. This enables the user to boot VMs from "external" disk images not created by the qemu-vm module. You can stop the qemu-vm module from overridingfileSystemsby settingvirtualisation.fileSystems = lib.mkForce { };. -
The
electronpackages now places its application files in$out/libexec/electroninstead of$out/lib/electron. Packages using electron-builder will fail to build and need to be adjusted by changinglibtolibexec. -
teleporthas been upgraded from major version 12 to major version 14. Please see upstream upgrade instructions and release notes for versions 13 and 14. Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 13.x version by settingservices.teleport.package = pkgs.teleport_13. Afterwards, this option can be removed to upgrade to the default version (14). -
The Linux kernel module
msr(seemsr(4)), which provides an interface to read and write the model-specific registers (MSRs) of an x86 CPU, can now be configured viahardware.cpu.x86.msr. -
There is a new NixOS option when writing NixOS tests
testing.initrdBackdoor, that enablesbackdoor.servicein initrd. Requiresboot.initrd.systemd.enableto be enabled. Boot will pause in stage 1 atinitrd.target, and will listen for commands from theMachinepython interface, just like stage 2 normally does. This enables commands to be sent to test and debug stage 1. Usemachine.switch_root()to leave stage 1 and proceed to stage 2.