38 KiB
Release 24.05 (“Uakari”, 2024.05/??)
Support is planned until the end of December 2024, handing over to 24.11.
Highlights
In addition to numerous new and upgraded packages, this release has the following highlights:
-
cryptsetup
has been upgraded from 2.6.1 to 2.7.0. Cryptsetup is a critical component enabling LUKS-based (but not only) full disk encryption. Take the time to review the release notes. One of the highlight is that it is now possible to use hardware OPAL-based encryption of your disk withcryptsetup
, it has a lot of caveats, see the above notes for the full details. -
screen
's module has been cleaned, and will now require you to setprograms.screen.enable
in order to populatescreenrc
and add the program to the environment. -
linuxPackages_testing_bcachefs
is now fully deprecated bylinuxPackages_latest
, and is therefore no longer available. -
The default kernel package has been updated from 6.1 to 6.6. All supported kernels remain available.
-
NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS.
- This can be disabled through the
environment.stub-ld.enable
option. - If you use
programs.nix-ld.enable
, no changes are needed. The stub will be disabled automatically.
- This can be disabled through the
-
On flake-based NixOS configurations using
nixpkgs.lib.nixosSystem
, NixOS will automatically setNIX_PATH
and the system-wide flake registry (/etc/nix/registry.json
) to point<nixpkgs>
and the unqualified flake pathnixpkgs
to the version of nixpkgs used to build the system.This makes
nix run nixpkgs#hello
andnix-build '<nixpkgs>' -A hello
work out of the box with no added configuration, reusing dependencies already on the system.This may be undesirable if nix commands are not going to be run on the built system since it adds nixpkgs to the system closure. For such closure-size-constrained non-interactive systems, this setting should be disabled.
To disable this, set nixpkgs.flake.setNixPath and nixpkgs.flake.setFlakeRegistry to false.
-
Julia environments can now be built with arbitrary packages from the ecosystem using the
.withPackages
function. For example:julia.withPackages ["Plots"]
. -
A new option
systemd.sysusers.enable
was added. If enabled, users and groups are created with systemd-sysusers instead of with a custom perl script. -
A new option
virtualisation.containers.cdi
was added. It containsstatic
anddynamic
attributes (corresponding to/etc/cdi
and/run/cdi
respectively) to configure the Container Device Interface (CDI). -
virtualisation.docker.enableNvidia
andvirtualisation.podman.enableNvidia
options are deprecated.virtualisation.containers.cdi.dynamic.nvidia.enable
should be used instead. This option will expose GPUs on containers with the--device
CLI option. This is supported by Docker 25, Podman 3.2.0 and Singularity 4. Any container runtime that supports the CDI specification will take advantage of this feature. -
A new option
system.etc.overlay.enable
was added. If enabled,/etc
is mounted via an overlayfs instead of being created by a custom perl script. -
NixOS AMIs are now uploaded regularly to a new AWS Account. Instructions on how to use them can be found on https://nixos.github.io/amis. We are working on integration the data into the NixOS homepage. The list in
nixos/modules/virtualisation/amazon-ec2-amis.nix
will stop being updated and will be removed in the future. -
It is now possible to have a completely perlless system (i.e. a system without perl). Previously, the NixOS activation depended on two perl scripts which can now be replaced via an opt-in mechanism. To make your system perlless, you can use the new perlless profile:
{ modulesPath, ... }: { imports = [ "${modulesPath}/profiles/perlless.nix" ]; }
-
Plasma 6 is now available and can be installed with
services.xserver.desktopManager.plasma6.enable = true;
. Plasma 5 will likely be deprecated in the next release (24.11). Note that Plasma 6 runs as Wayland by default, and the X11 session needs to be explicitly selected if necessary.
New Services
-
Handheld Daemon, support for gaming handhelds like the Legion Go, ROG Ally, and GPD Win. Available as services.handheld-daemon.
-
Guix, a functional package manager inspired by Nix. Available as services.guix.
-
pyLoad, a FOSS download manager written in Python. Available as services.pyload
-
maubot, a plugin-based Matrix bot framework. Available as services.maubot.
-
systemd's gateway, upload, and remote services, which provides ways of sending journals across the network. Enable using services.journald.gateway, services.journald.upload, and services.journald.remote.
-
GNS3, a network software emulator. Available as services.gns3-server.
-
pretalx, a conference planning tool. Available as services.pretalx.
-
rspamd-trainer, script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training.
-
ollama, server for running large language models locally.
-
Mihomo, a rule-based proxy in Go. Available as services.mihomo.enable.
-
hebbot, a Matrix bot to generate "This Week in X" like blog posts. Available as services.hebbot.
-
Python Matter Server, a Matter Controller Server exposing websocket connections for use with other services, notably Home Assistant. Available as services.matter-server
-
Anki Sync Server, the official sync server built into recent versions of Anki. Available as services.anki-sync-server. The pre-existing services.ankisyncd has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server softwares.
-
transfer-sh, a tool that supports easy and fast file sharing from the command-line. Available as services.transfer-sh.
-
Suwayomi Server, a free and open source manga reader server that runs extensions built for Tachiyomi. Available as services.suwayomi-server.
-
ping_exporter, a Prometheus exporter for ICMP echo requests. Available as services.prometheus.exporters.ping.
-
TigerBeetle, a distributed financial accounting database designed for mission critical safety and performance. Available as services.tigerbeetle.
-
go-camo, a secure image proxy server. Available as services.go-camo.
-
Monado, an open source XR runtime. Available as services.monado.
-
Pretix, an open source ticketing software for events. Available as services.pretix.
-
Clevis, a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as boot.initrd.clevis.enable.
-
fritz-exporter, a Prometheus exporter for extracting metrics from FRITZ! devices. Available as services.prometheus.exporters.fritz.
-
armagetronad, a mid-2000s 3D lightcycle game widely played at iD Tech Camps. You can define multiple servers using
services.armagetronad.<server>.enable
. -
TuxClocker, a hardware control and monitoring program. Available as programs.tuxclocker.
-
ALVR, a VR desktop streamer. Available as programs.alvr
-
RustDesk, a full-featured open source remote control alternative for self-hosting and security with minimal configuration. Alternative to TeamViewer.
-
Scrutiny, a S.M.A.R.T monitoring tool for hard disks with a web frontend.
-
systemd-lock-handler, a bridge between logind D-Bus events and systemd targets. Available as services.systemd-lock-handler.enable.
-
Mealie, a self-hosted recipe manager and meal planner with a RestAPI backend and a reactive frontend application built in NuxtJS for a pleasant user experience for the whole family. Available as services.mealie
Backward Incompatibilities
-
k3s
: was updated to version v1.29, all previous versions (k3s_1_26, k3s_1_27, k3s_1_28) will be removed. See changelog and upgrade notes for more information. -
himalaya
was updated tov1.0.0-beta.3
, which introduces breaking changes. Check out the release note for details. -
The
power.ups
module now generatesupsd.conf
,upsd.users
andupsmon.conf
automatically from a set of new configuration options. This breaks compatibility with existingpower.ups
setups where these files were created manually. Back up these files before upgrading NixOS. -
pdns
was updated to version v4.9.x, which introduces breaking changes. Check out the Upgrade Notes for details. -
unrar
was updated to v7. See changelog for more information. -
k9s
was updated to v0.31. There have been various breaking changes in the config file format, check out the changelog of v0.29, v0.30 and v0.31 for details. It is recommended to back up your current configuration and let k9s recreate the new base configuration. -
NixOS AMIs are now uploaded regularly to a new AWS Account. Instructions on how to use them can be found on https://nixos.github.io/amis. We are working on integration the data into the NixOS homepage. The list in
nixos/modules/virtualisation/amazon-ec2-amis.nix
will stop being updated and will be removed in the future. -
The option
services.postgresql.ensureUsers._.ensurePermissions
has been removed as it's not declarative and is broken with newer postgresql versions. Consider using instead or a tool that's more suited for managing the data inside a postgresql database. -
idris2
was updated to v0.7.0. This version introduces breaking changes. Check out the changelog for details. -
nvtop
family of packages was reorganized into nested attrset.nvtop
has been renamed tonvtopPackages.full
, and allnvtop-{amd,nvidia,intel,msm}
packages are now named asnvtopPackages.{amd,nvidia,intel,msm}
-
neo4j
has been updated to 5, you may want to read the release notes for Neo4j 5 -
services.neo4j.allowUpgrade
was removed and no longer has any effect. Neo4j 5 supports automatic rolling upgrades. -
nitter
requires aguest_accounts.jsonl
to be provided as a path or loaded into the default location at/var/lib/nitter/guest_accounts.jsonl
. See Guest Account Branch Deployment for details. -
boot.supportedFilesystems
andboot.initrd.supportedFilesystems
are now attribute sets instead of lists. Assignment from lists as done previously is still supported, but checking whether a filesystem is enabled must now by done usingsupportedFilesystems.fs or false
instead of usinglib.elem "fs" supportedFilesystems
as was done previously. -
services.aria2.rpcSecret
has been replaced withservices.aria2.rpcSecretFile
. This was done so that secrets aren't stored in the world-readable nix store. To migrate, you will have create a file with the same exact string, and change your module options to point to that file. For example,services.aria2.rpcSecret = "mysecret"
becomesservices.aria2.rpcSecretFile = "/path/to/secret_file"
where the filesecret_file
contains the stringmysecret
. -
Invidious has changed its default database username from
kemal
toinvidious
. Setups involving an externally provisioned database (i.e.services.invidious.database.createLocally == false
) should adjust their configuration accordingly. The oldkemal
user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857) -
writeReferencesToFile
is deprecated in favour of the new trivial build helperwriteClosure
. The latter accepts a list of paths and has an unambiguous name and cleaner implementation. -
inetutils
now has a lower priority to avoid shadowing the commonly usedutil-linux
. If one wishes to restore the default priority, simply uselib.setPrio 5 inetutils
or override withmeta.priority = 5
. -
paperless
'services.paperless.extraConfig
setting has been removed and converted to the freeform type and option namedservices.paperless.settings
. -
services.homepage-dashboard
now takes it's configuration using native Nix expressions, rather than dumping templated configurations into/var/lib/homepage-dashboard
where they were previously managed manually. There are now new options which allow the configuration of bookmarks, services, widgets and custom CSS/JS natively in Nix. -
hare
may now be cross-compiled. For that to work, however,haredoc
needed to stop being built together with it. Thus, the latter is now its own package with the name ofharedoc
. -
The legacy and long deprecated systemd target
network-interfaces.target
has been removed. Usenetwork.target
instead. -
services.frp.settings
now generates the frp configuration file in TOML format as recommended by upstream, instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options.- The
settings.common
section in the configuration is no longer valid and all the options form inside it now goes directly undersettings
. - The
_
separating words in the configuration options is removed so the options are now in camel case. For example:server_addr
becomesserverAddr
,server_port
becomesserverPort
etc. - Proxies are now defined with a new option
settings.proxies
which takes a list of proxies. - Consult the upstream documentation for more details on the changes.
- The
-
mkosi
was updated to v20. Parts of the user interface have changed. Consult the release notes of v19 and v20 for a list of changes. -
The
services.vikunja
systemd service now usesvikunja
as dynamic user instead ofvikunja-api
. Database users might need to be changed. -
The
services.vikunja.setupNginx
setting has been removed. Users now need to setup the webserver configuration on their own with a proxy pass to the vikunja service. -
The
woodpecker-*
packages have been updated to v2 which includes breaking changes. -
services.nginx
will no longer advertise HTTP/3 availability automatically. This must now be manually added, preferably to each location block. Example:locations."/".extraConfig = '' add_header Alt-Svc 'h3=":$server_port"; ma=86400'; ''; locations."^~ /assets/".extraConfig = '' add_header Alt-Svc 'h3=":$server_port"; ma=86400'; '';
-
The package
optparse-bash
is now dropped due to upstream inactivity. Alternatives available in Nixpkgs includeargc
,argbash
,bashly
andgum
, to name a few. -
The
kanata
package has been updated to v1.5.0, which includes breaking changes. -
The
craftos-pc
package has been updated to v2.8, which includes breaking changes.- Files are now handled in binary mode; this could break programs with embedded UTF-8 characters.
- The ROM was updated to match ComputerCraft version v1.109.2.
- The bundled Lua was updated to Lua v5.2, which includes breaking changes. See the Lua manual for more information.
- The WebSocket API was rewritten, which introduced breaking changes.
-
The
gtest
package has been updated past v1.13.0, which requires C++14 or higher. -
The latest available version of Nextcloud is v28 (available as
pkgs.nextcloud28
). The installation logic is as follows:- If
services.nextcloud.package
is specified explicitly, this package will be installed (recommended) - If
system.stateVersion
is >=24.05,pkgs.nextcloud28
will be installed by default. - If
system.stateVersion
is >=23.11,pkgs.nextcloud27
will be installed by default. - Please note that an upgrade from v26 (or older) to v28 directly is not possible. Please upgrade to
nextcloud27
(or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaringservices.nextcloud.package = pkgs.nextcloud27;
.
- If
-
The vendored third party libraries have been mostly removed from
cudaPackages.nsight_systems
, which we now only ship forcudaPackages_11_8
and later due to outdated dependencies. Users comfortable with the vendored dependencies may useoverrideAttrs
to amend thepostPatch
phase and themeta.broken
correspondingly. Alternatively, one could package the deprecatedboost170
locally, as required forcudaPackages_11_4.nsight_systems
. -
The
cudaPackages
package scope has been updated tocudaPackages_12
. -
Ada packages (libraries and tools) have been moved into the
gnatPackages
scope.gnatPackages
uses the default GNAT compiler,gnat12Packages
andgnat13Packages
use the respective matching compiler version. -
spark2014
has been renamed tognatprove
. A version ofgnatprove
matching different GNAT versions is available from the differentgnatPackages
sets. -
services.resolved.fallbackDns
can now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead. -
xxd
has been moved fromvim
default output to its own output to reduce closure size. The canonical way to reference it across all platforms isunixtools.xxd
. -
The
stalwart-mail
package has been updated to v0.5.3, which includes breaking changes. -
services.zope2
has been removed aszope2
is unmaintained and was relying on Python2. -
services.avahi.nssmdns
got split intoservices.avahi.nssmdns4
andservices.avahi.nssmdns6
which enable the mDNS NSS switch for IPv4 and IPv6 respectively. Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts. -
A warning has been added for services that are
after = [ "network-online.target" ]
but do not depend on it (e.g. usingwants
), because the dependency thatmulti-user.target
has onnetwork-online.target
is planned for removal. -
services.pgbouncer
now has systemd support enabled and will log to journald. The default setting forservices.pgbouncer.logFile
is nownull
to disable logging to a separate log file. -
services.archisteamfarm
no longer uses the abbreviationasf
for its state directory (/var/lib/asf
), user and group (bothasf
). Instead the long namearchisteamfarm
is used. Configurations withsystem.stateVersion
23.11 or earlier, default to the old stateDirectory until the 24.11 release and must either set the option explicitly or move the data to the new directory. -
networking.iproute2.enable
now does not setenvironment.etc."iproute2/rt_tables".text
.Setting
environment.etc."iproute2/{CONFIG_FILE_NAME}".text
will override the whole configuration file instead of appending it to the upstream configuration file.CONFIG_FILE_NAME
includesbpf_pinning
,ematch_map
,group
,nl_protos
,rt_dsfield
,rt_protos
,rt_realms
,rt_scopes
, andrt_tables
. -
netbox
was updated to v3.7.services.netbox.package
still defaults to v3.6 ifstateVersion
is earlier than 24.05. Refer to upstream's breaking changes for v3.7.0 and upgrade NetBox by changingservices.netbox.package
. Database migrations will be run automatically. -
The executable file names for
firefox-devedition
,firefox-beta
,firefox-esr
now matches their package names, which is consistent with thefirefox-*-bin
packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher. -
switch-to-configuration does not directly call systemd-tmpfiles anymore. Instead, the new artificial sysinit-reactivation.target is introduced which allows to restart multiple services that are ordered before sysinit.target and respect the ordering between the services.
-
The
systemd.oomd
module behavior is changed as:-
Raise ManagedOOMMemoryPressureLimit from 50% to 80%. This should make systemd-oomd kill things less often, and fix issues like this. Reference: commit
-
Remove swap policy. This helps prevent killing processes when user's swap is small.
-
Expand the memory pressure policy to system.slice, user-.slice, and all user owned slices. Reference: commit
-
systemd.oomd.enableUserServices
is renamed tosystemd.oomd.enableUserSlices
.
-
-
security.pam.enableSSHAgentAuth
now requiresservices.openssh.authorizedKeysFiles
to be non-empty, which is the case whenservices.openssh.enable
is true. Previously,pam_ssh_agent_auth
silently failed to work. -
The configuration format for
services.prometheus.exporters.snmp
changed with release 0.23.0. The module now includes an optional config check, that is enabled by default, to make the change obvious before any deployment. More information about the configuration syntax change is available in the upstream repository. -
watchdogd, a system and process supervisor using watchdog timers. Available as services.watchdogd.
-
The
jdt-language-server
package now uses upstream's provided python wrapper instead of our own custom wrapper. This results in the following breaking and notable changes:-
The main binary for the package is now named
jdtls
instead ofjdt-language-server
, equivalent to what most editors expect the binary to be named. -
JVM arguments should now be provided with the
--jvm-arg
flag instead of settingJAVA_OPTS
. -
The
-data
path is no longer required to run the package, and will be set to point to a folder in$TMP
if missing.
-
-
nomad
has been updated - note that HashiCorp recommends updating one minor version at a time. Please check their upgrade guide for information on safely updating clusters and potential breaking changes.-
nomad
is now Nomad 1.7.x. -
nomad_1_4
has been removed, as it is now unsupported upstream.
-
-
The
livebook
package is now built as amix release
instead of anescript
. This means that configuration now has to be done using environment variables instead of command line arguments. This has the further implication that thelivebook
service configuration has changed:- The
erlang_node_short_name
,erlang_node_name
,port
andoptions
configuration parameters are gone, and have been replaced with anenvironment
parameter. Use the appropriate environment variables insideenvironment
to configure the service instead.
- The
Other Notable Changes
-
addDriverRunpath
has been added to facilitate the deprecation of the oldaddOpenGLRunpath
setuphook. This change is motivated by the evolution of the setuphook to include all hardware acceleration. -
Cinnamon has been updated to 6.0. Please beware that the Wayland session is still experimental in this release and could potentially affect Xorg sessions. We suggest a reboot when switching between sessions.
-
MATE has been updated to 1.28.
- To properly support panel plugins built with Wayland (in-process) support, we are introducing
services.xserver.desktopManager.mate.extraPanelApplets
option, please use that for installing panel applets. - Similarly, please use
services.xserver.desktopManager.mate.extraCajaExtensions
option for installing Caja extensions. - To use the Wayland session, enable
services.xserver.desktopManager.mate.enableWaylandSession
. This is opt-in for now as it is in early stage and introduces a new set of Wayfire closure. Due to known issues with LightDM, we suggest using SDDM for display manager.
- To properly support panel plugins built with Wayland (in-process) support, we are introducing
-
The Budgie module installs gnome-terminal by default (instead of mate-terminal).
-
New
boot.loader.systemd-boot.xbootldrMountPoint
allows setting up a separate XBOOTLDR partition to store boot files. Useful on systems with a small EFI System partition that cannot be easily repartitioned. -
boot.loader.systemd-boot
will now verify thatefiSysMountPoint
(andxbootldrMountPoint
if configured) are mounted partitions. -
services.postgresql.extraPlugins
changed its type from just a list of packages to also a function that returns such a list. For example a config line likeservices.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];
is recommended to be changed toservices.postgresql.extraPlugins = ps: with ps; [ postgis ];
; -
The Matrix homeserver Synapse module now supports configuring UNIX domain socket listeners through the
path
option. The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets. -
Programs written in Nim are built with libraries selected by lockfiles. The
nimPackages
andnim2Packages
sets have been removed. See https://nixos.org/manual/nixpkgs/unstable#nim for more information. -
Portunus has been updated to major version 2. This version of Portunus supports strong password hashes, but the legacy hash SHA-256 is also still supported to ensure a smooth migration of existing user accounts. After upgrading, follow the instructions on the upstream release notes to upgrade all user accounts to strong password hashes. Support for weak password hashes will be removed in NixOS 24.11.
-
A stdenv's default set of hardening flags can now be set via its
bintools-wrapper
'sdefaultHardeningFlags
argument. A convenient stdenv adapter,withDefaultHardeningFlags
, can be used to override an existing stdenv'sdefaultHardeningFlags
. -
libass
now uses the native CoreText backend on Darwin, which may fix subtitle rendering issues withmpv
,ffmpeg
, etc. -
The EC2 image module now enables the Amazon SSM Agent by default.
-
The following options of the Nextcloud module were moved into
services.nextcloud.settings
and renamed to match the name from Nextcloud'sconfig.php
:logLevel
->loglevel
,logType
->log_type
,defaultPhoneRegion
->default_phone_region
,overwriteProtocol
->overwriteprotocol
,skeletonDirectory
->skeletondirectory
,globalProfiles
->profile.enabled
,extraTrustedDomains
->trusted_domains
andtrustedProxies
->trusted_proxies
.
-
The option [
services.nextcloud.config.dbport
] of the Nextcloud module was removed to match upstream. The port can be specified inservices.nextcloud.config.dbhost
. -
A new abstraction to create both read-only as well as writable overlay file systems was added. Available via fileSystems.overlay. See also the NixOS docs.
-
systemd units can now specify the
Upholds=
andUpheldBy=
unit dependencies via the aptly namedupholds
andupheldBy
options. These options get systemd to enforce that the dependencies remain continuosly running for as long as the dependent unit is in a running state. -
stdenv
: The--replace
flag insubstitute
,substituteInPlace
,substituteAll
,substituteAllStream
, andsubstituteStream
is now deprecated if favor of the new--replace-fail
,--replace-warn
and--replace-quiet
. The deprecated--replace
equates to--replace-warn
. -
A new hardening flag,
zerocallusedregs
was made available, corresponding to the gcc/clang option-fzero-call-used-regs=used-gpr
. -
A new hardening flag,
trivialautovarinit
was made available, corresponding to the gcc/clang option-ftrivial-auto-var-init=pattern
. -
New options were added to the dnsdist module to enable and configure a DNSCrypt endpoint (see
services.dnsdist.dnscrypt.enable
, etc.). The module can generate the DNSCrypt provider key pair, certificates and also performs their rotation automatically with no downtime. -
With a bump to
sonarr
v4, existing config database files will be upgraded automatically, but note that some old apparently-working configs might actually be corrupt and fail to upgrade cleanly. -
The Yama LSM is now enabled by default in the kernel, which prevents ptracing non-child processes. This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child). Or you can set
boot.kernel.sysctl."kernel.yama.ptrace_scope"
to 0. -
The netbird module now allows running multiple tunnels in parallel through
services.netbird.tunnels
. -
Nginx virtual hosts using
forceSSL
orglobalRedirect
can now have redirect codes other than 301 through -
bacula
now allows to configureTLS
for encrypted communication.redirectCode
. -
libjxl
0.9.0 dropped support for the butteraugli API. You will no longer be able to setenableButteraugli
onlibaom
. -
The source of the
mockgen
package has changed to the go.uber.org/mock fork because the original repository is no longer maintained. -
security.pam.enableSSHAgentAuth
was renamed tosecurity.pam.sshAgentAuth.enable
and anauthorizedKeysFiles
option was added, to control whichauthorized_keys
files are trusted. It defaults to the previous behaviour, which is insecure: see #31611. -
changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as since 22.11.
-
A new top-level package set,
pkgsExtraHardening
is added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features). -
services.zfs.zed.enableMail
now uses the globalsendmail
wrapper defined by an email module (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support. -
nextcloud-setup.service
no longer changes the group of each file & directory inside/var/lib/nextcloud/{config,data,store-apps}
if one of these directories has the wrong owner group. This was part of transitioning the group used for/var/lib/nextcloud
, but isn't necessary anymore. -
The
krb5
module has been rewritten and moved tosecurity.krb5
, moving all options butsecurity.krb5.enable
andsecurity.krb5.package
intosecurity.krb5.settings
. -
Gitea 1.21 upgrade has several breaking changes, including:
- Custom themes and other assets that were previously stored in
custom/public/*
now belong incustom/public/assets/*
- New instances of Gitea using MySQL now ignore the
[database].CHARSET
config option and always use theutf8mb4
charset, existing instances should migrate via thegitea doctor convert
CLI command.
- Custom themes and other assets that were previously stored in
-
The
services.paperless
module no longer uses the previously downloaded NLTK data stored in/var/cache/paperless/nltk
. This directory can be removed. -
The
services.teeworlds
module now has a wealth of configuration options, including a newpackage
option. -
The
hardware.pulseaudio
module now sets permission of pulse user home directory to 755 when running in "systemWide" mode. It fixes issue 114399. -
The module
services.github-runner
has been removed. To configure a single GitHub Actions Runner refer toservices.github-runners.*
. Note that this will trigger a new runner registration. -
The
btrbk
module now automatically selects and provides required compression program depending on the configuredstream_compress
option. Since this replaces the need for theextraPackages
option, this option will be deprecated in future releases. -
The
mpich
package expression now requireswithPm
to be a list, e.g."hydra:gforker"
becomes[ "hydra" "gforker" ]
. -
When merging systemd unit options (of type
unitOption
), if at least one definition is a list, all those which aren't are now lifted into a list, making it possible to accumulate definitions without resorting tomkForce
, hence to retain the definitions not anticipating that need. -
YouTrack is bumped to 2023.3. The update is not performed automatically, it requires manual interaction. See the YouTrack section in the manual for details.
-
QtMultimedia has changed its default backend to
QT_MEDIA_BACKEND=ffmpeg
(previouslygstreamer
on Linux ordarwin
on MacOS). The previous native backends remain available but are now minimally maintained. Refer to upstream documentation for further details about each platform. -
The oil shell's c++ version is now available as
oils-for-unix
. The python version is still available asoil
-
documentation.man.mandoc
now by default usesMANPATH
to set the directories where mandoc will search for manual pages. This enables mandoc to find manual pages in Nix profiles. To set the manual search paths via themandoc.conf
configuration file like before, usedocumentation.man.mandoc.settings.manpath
instead.