Appendix B. Release Notes

The firefox browser on x86_64-linux now makes use of profile-guided optimisation, resulting in a much more responsive browsing experience.

GNOME has been upgraded to 42. Please take a look at their Release Notes for details. In particular, it replaces gedit with GNOME Text Editor, GNOME Terminal with GNOME Console (formerly King’s Cross) and GNOME Screenshot by a tool integrated into the Shell.

PHP 8.1 is now available.

systemd services can now set systemd.services.<name>.reloadTriggers instead of reloadIfChanged for a more granular distinction between reloads and restarts.

Systemd has been upgraded to the version 250.

Pulseaudio has been updated to version 15.0 and now optionally supports additional Bluetooth audio codecs such as aptX or LDAC, with codec switching available in pavucontrol. This feature is disabled by default, but can be enabled with the option hardware.pulseaudio.package = pkgs.pulseaudioFull;. Existing third-party modules that offered similar functions, such as pulseaudio-modules-bt or pulseaudio-hsphfpd, are obsolete and have been removed.

PostgreSQL now defaults to major version 14.

Module authors can use mkRenamedOptionModuleWith to automate the deprecation cycle without annoying out-of-tree module authors and their users.

The default GHC version has been updated from 8.10.7 to 9.0.2. pkgs.haskellPackages and pkgs.ghc will now use this version by default.

The GNOME and Plasma installation CDs now use pkgs.calamares and pkgs.calamares-nixos-extensions to allow users to easily install and set up NixOS with a GUI.

security.acme.defaults has been added to simplify the configuration of settings for many certificates at once. This also opens up the option to use DNS-01 validation when using enableACME web server virtual hosts (e.g. services.nginx.virtualHosts.*.enableACME).

1password, command-lines and graphic interface for 1Password. Available as programs._1password and programs._1password-gui.

aesmd, the Intel SGX Architectural Enclave Service Manager. Available as services.aesmd.

agate, a very simple server for the Gemini hypertext protocol. Available as services.agate.

rootless Docker, a systemd --user Docker service which runs without root permissions. Available as virtualisation.docker.rootless.enable.

matrix-conduit, a simple, fast and reliable chat server powered by matrix. Available as services.matrix-conduit.

nethoscope, listen to your network traffic. Available as programs.nethoscope.

filebeat, a lightweight shipper for forwarding and centralizing log data. Available as services.filebeat.

apfs, a kernel module for mounting the Apple File System (APFS).

ArchiSteamFarm, a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as services.archisteamfarm.

BaGet, a lightweight NuGet and symbol server. Available at services.baget.

blocky, fast and lightweight DNS proxy as ad-blocker for local network with many features. Available as services.blocky.

cloudflare-dyndns, CloudFlare Dynamic DNS client. Available as services.cloudflare-dyndns.

Corosync and Pacemaker, A open-source high availability resource manager. Available as services.corosync and services.pacemaker.

create_ap, a module for creating wifi hotspots using the program linux-wifi-hotspot. Available as services.create_ap.

Envoy, a high-performance reverse proxy. Available as services.envoy.

ergochat, a modern IRC with IRCv3 features. Available as services.ergochat.

ethercalc, an online collaborative spreadsheet. Available as services.ethercalc.

filebeat, a lightweight shipper for forwarding and centralizing log data. Available as services.filebeat.

FRRouting, a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VRRP and others). Available as services.frr.

Grafana Mimir, an open source, horizontally scalable, highly available, multi-tenant, long-term storage for Prometheus. Available as services.mimir.

Haste, a pastebin written in node.js. Available as services.haste.

headscale, an Open Source implementation of the Tailscale Control Server. Available as services.headscale.

heisenbridge, a bouncer-style Matrix IRC bridge. Available as services.heisenbridge.

https-dns-proxy, DNS to DNS over HTTPS (DoH) proxy. Available as services.https-dns-proxy.

input-remapper, an easy to use tool to change the mapping of your input device buttons. Available at services.input-remapper.

InvoicePlane, web application for managing and creating invoices. Available at services.invoiceplane.

k3b, the KDE disk burning application. Available as programs.k3b.

K40-Whisperer, a program to control cheap Chinese laser cutters. Available as programs.k40-whisperer.enable. Users must add themselves to the k40 group to be able to access the device.

kanidm, an identity management server written in Rust. Available as services.kanidm

maddy, a composable all-in-one mail server. Available as services.maddy.

Maddy, a free an open source mail server. Availabe as services.maddy.

matrix-conduit, a simple, fast and reliable chat server powered by matrix. Available as services.matrix-conduit.

Moosefs, fault tolerant petabyte distributed file system. Available as moosefs.

mozillavpn, the client for the Mozilla VPN service. Available as services.mozillavpn.

mtr-exporter, a Prometheus exporter for mtr metrics. Available as services.mtr-exporter.

nbd, a Network Block Device server. Available as services.nbd.

netbox, infrastructure resource modeling (IRM) tool. Available as services.netbox.

nethoscope, listen to your network traffic. Available as programs.nethoscope.

nifi, an easy to use, powerful, and reliable system to process and distribute data. Available as services.nifi.

nix-ld, Run unpatched dynamic binaries on NixOS. Available as programs.nix-ld.

NNCP, NNCP (Node to Node copy) utilities and configuration, Available as programs.nncp.

pgadmin4, an admin interface for the PostgreSQL database. Available at services.pgadmin.

PowerDNS-Admin, a web interface for the PowerDNS server. Available at services.powerdns-admin.

prometheus-pve-exporter, a tool that exposes information from the Proxmox VE API for use by Prometheus. Available as services.prometheus.exporters.pve.

prosody-filer, a server for handling XMPP HTTP Upload requests. Available at services.prosody-filer.

Public Inbox, an “archives first” approach to mailing lists. Available as services.public-inbox.

r53-ddns, a small tool to run your own DDNS service via AWS Route53. Available as services.r53-ddns.

rmfakecloud, a clone of the cloud sync the remarkable tablet. Available as services.rmfakecloud.

rootless Docker, a systemd --user Docker service which runs without root permissions. Available as virtualisation.docker.rootless.enable.

rstudio-server, a browser-based version of the RStudio IDE for the R programming language. Available as services.rstudio-server.

rtsp-simple-server, ready-to-use RTSP / RTMP / HLS server and proxy that allows to read, publish and proxy video and audio streams. Available as services.rtsp-simple-server.

Snipe-IT, a free open source IT asset/license management system. Available as services.snipe-it.

snowflake-proxy, a system to defeat internet censorship. Available as services.snowflake-proxy.

sslmate-agent, a daemon for managing SSL/TLS certificates on a server. Available as services.sslmate-agent.

starship, a minimal, blazing-fast, and infinitely customizable prompt for any shell. Available at programs.startship.

systembus-notify, allow system level notifications to reach the users. Available as services.systembus-notify. Please keep in mind that this service should only be enabled on machines with fully trusted users, as any local user is able to DoS user sessions by spamming notifications.

teleport, allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at services.teleport.

tetrd, share your internet connection from your device to your PC and vice versa through a USB cable. Available at services.tetrd.

uptermd, an open-source solution for sharing terminal sessions instantly over the public internet via secure tunnels. Available at services.uptermd.

usbrelayd, an USB Relay MQTT daemon. Available as services.usbrelayd.

webdav-server-rs, Webdav server in rust. Available as services.webdav-server-rs.

wg-netmanager, the Wireguard network manager. Available as services.wg-netmanager.

Zammad, a web-based, open source user support/ticketing solution. Available as services.zammad.

pkgs.ghc now refers to pkgs.targetPackages.haskellPackages.ghc. This only makes a difference if you are cross-compiling and will ensure that pkgs.ghc always runs on the host platform and compiles for the target platform (similar to pkgs.gcc for example). haskellPackages.ghc still behaves as before, running on the build platform and compiling for the host platform (similar to stdenv.cc). This means you don’t have to adjust your derivations if you use haskellPackages.callPackage, but when using pkgs.callPackage and taking ghc as an input, you should now use buildPackages.ghc instead to ensure cross compilation keeps working (or switch to haskellPackages.callPackage).

pkgs.ghc.withPackages as well as haskellPackages.ghcWithPackages etc. now needs be overridden directly, as opposed to overriding the result of calling it. Additionally, the withLLVM parameter has been renamed to useLLVM. So instead of (ghc.withPackages (p: [])).override { withLLVM = true; }, one needs to use (ghc.withPackages.override { useLLVM = true; }) (p: []).

The update of the haskell package set brings with it a new version of the xmonad module, which will break your configuration if you use launch as entrypoint. The example code the corresponding nixos module was adjusted, you may want to have a look at it.

The home-assistant module now requires users that don’t want their configuration to be managed declaratively to set services.home-assistant.config = null;. This is required due to the way default settings are handled with the new settings style.

Additionally the default list of extraComponents now includes the minimal dependencies to successfully complete the onboarding procedure.

pkgs.emacsPackages.orgPackages is removed because org elpa is deprecated. The packages in the top level of pkgs.emacsPackages, such as org and org-contrib, refer to the ones in pkgs.emacsPackages.elpaPackages and pkgs.emacsPackages.nongnuPackages where the new versions will release.

The configuration and state directories used by nixos-containers have been moved from /etc/containers and /var/lib/containers to /etc/nixos-containers and /var/lib/nixos-containers.

If you are changing system.stateVersion to "22.05" manually on an existing system you are responsible for migrating these directories yourself.

This is to improve compatibility with libcontainer based software such as Podman and Skopeo which assumes they have ownership over /etc/containers.

lib.systems.supported has been removed, as it was overengineered for determining the systems to support in the nixpkgs flake. The list of systems exposed by the nixpkgs flake can now be accessed as lib.systems.flakeExposed.

For new installations virtualisation.oci-containers.backend is now set to podman by default. If you still want to use Docker on systems where system.stateVersion is set to to "22.05" set virtualisation.oci-containers.backend = "docker";.Old systems with older stateVersions stay with “docker”.

security.klogd was removed. Logging of kernel messages is handled by systemd since Linux 3.5.

pkgs.ssmtp has been dropped due to the program being unmaintained. pkgs.msmtp can be used instead as a substitute sendmail implementation. The corresponding options services.ssmtp.* have been removed as well. programs.msmtp.* can be used instead for an equivalent setup. For example:

{
  # Original ssmtp configuration:
  services.ssmtp = {
    enable = true;
    useTLS = true;
    useSTARTTLS = true;
    hostName = "smtp.example:587";
    authUser = "someone";
    authPassFile = "/secrets/password.txt";
  };

  # Equivalent msmtp configuration:
  programs.msmtp = {
    enable = true;
    accounts.default = {
      tls = true;
      tls_starttls = true;
      auth = true;
      host = "smtp.example";
      port = 587;
      user = "someone";
      passwordeval = "cat /secrets/password.txt";
    };
  };
}

services.kubernetes.addons.dashboard was removed due to it being an outdated version.

services.kubernetes.scheduler.{port,address} now set --secure-port and --bind-address instead of --port and --address, since the former have been deprecated and are no longer functional in kubernetes>=1.23. Ensure that you are not relying on the insecure behaviour before upgrading.

In the PowerDNS Recursor module (services.pdns-recursor), default values of several IP address-related NixOS options have been updated to match the default upstream behavior. In particular, Recursor by default will:

In the ncdns module, the default value of services.ncdns.address has been changed to the IPv6 loopback address (::1).

openldap (and therefore the slapd LDAP server) were updated to version 2.6.2. The project introduced backwards-incompatible changes, namely the removal of the bdb, hdb, ndb, and shell backends in slapd. Therefore before updating, dump your database slapcat -n 1 in LDIF format, and reimport it after updating your services.openldap.settings, which represents your cn=config.

Additionally with 2.5 the argon2 module was included in the standard distrubtion and renamed from pw-argon2 to argon2. Remember to update your olcModuleLoad entry in cn=config.

openssh has been update to 8.9p1, changing the FIDO security key middleware interface.

git no longer hardcodes the path to openssh’ ssh binary to reduce the amount of rebuilds. If you are using git with ssh remotes and do not have a ssh binary in your enviroment consider adding openssh to it or switching to gitFull.

services.k3s.enable no longer implies systemd.enableUnifiedCgroupHierarchy = false, and will default to the “systemd” cgroup driver when using services.k3s.docker = true. This change may require a reboot to take effect, and k3s may not be able to run if the boot cgroup hierarchy does not match its configuration. The previous behavior may be retained by explicitly setting systemd.enableUnifiedCgroupHierarchy = false in your configuration.

fonts.fonts no longer includes ancient bitmap fonts when both config.services.xserver.enable and config.nixpkgs.config.allowUnfree are enabled. If you still want these fonts, use:

{
  fonts.fonts = [
    pkgs.xorg.fontbhlucidatypewriter100dpi
    pkgs.xorg.fontbhlucidatypewriter75dpi
    pkgs.xorg.fontbh100dpi
  ];
}

services.prometheus.alertManagerTimeout has been removed as it has been deprecated upstream and has no effect.

The DHCP server (services.dhcpd4, services.dhcpd6) has been hardened. The service is now using the systemd’s DynamicUser mechanism to run as an unprivileged dynamically-allocated user with limited capabilities. The dhcpd state files are now always stored in /var/lib/dhcpd{4,6} and the services.dhcpd4.stateDir and service.dhcpd6.stateDir options have been removed. If you were depending on root privileges or set{uid,gid,cap} binaries in dhcpd shell hooks, you may give dhcpd more capabilities with e.g. systemd.services.dhcpd6.serviceConfig.AmbientCapabilities.

The mailpile email webclient (services.mailpile) has been removed due to its reliance on python2.

services.ipfs.extraFlags is now escaped with utils.escapeSystemdExecArgs. If you rely on systemd interpolating extraFlags in the service ExecStart, this will no longer work.

hbase version 0.98.24 has been removed. The package now defaults to version 2.4.11. Versions 1.7.1 and 3.0.0-alpha-2 are also available.

services.paperless-ng was renamed to services.paperless. Accordingly, the paperless-ng-manage script (located in dataDir) was renamed to paperless-manage. services.paperless now uses paperless-ngx.

The matrix-synapse service (services.matrix-synapse) has been converted to use the settings option defined in RFC42. This means that options that are part of your homeserver.yaml configuration, and that were specified at the top-level of the module (services.matrix-synapse) now need to be moved into services.matrix-synapse.settings. And while not all options you may use are defined in there, they are still supported, because you can set arbitrary values in this freeform type.

The listeners.*.bind_address option was renamed to bind_addresses in order to match the upstream homeserver.yaml option name. It is now also a list of strings instead of a string.

An example to make the required migration clearer:

Before:

{
  services.matrix-synapse = {
    enable = true;

    server_name = "example.com";
    public_baseurl = "https://example.com:8448";

    enable_registration = false;
    registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut";
    macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l";

    tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
    tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";

    listeners = [ {
      port = 8448;
      bind_address = "";
      type = "http";
      tls = true;
      resources = [ {
        names = [ "client" ];
        compress = true;
      } {
        names = [ "federation" ];
        compress = false;
      } ];
    } ];

  };
}

After:

{
  services.matrix-synapse = {
    enable = true;

    # this attribute set holds all values that go into your homeserver.yaml configuration
    # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for
    # possible values.
    settings = {
      server_name = "example.com";
      public_baseurl = "https://example.com:8448";

      enable_registration = false;
      # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead

      tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
      tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";

      listeners = [ {
        port = 8448;
        bind_addresses = [
          "::"
          "0.0.0.0"
        ];
        type = "http";
        tls = true;
        resources = [ {
          names = [ "client" ];
          compress = true;
        } {
          names = [ "federation" ];
          compress = false;
        } ];
      } ];
    };

    extraConfigFiles = [
      "/run/keys/matrix-synapse/secrets.yaml"
    ];
  };
}

The secrets in your original config should be migrated into a YAML file that is included via extraConfigFiles. The filename must be quoted to prevent nix from copying it to the (world readable) store.

Additionally a few option defaults have been synced up with upstream default values, for example the max_upload_size grew from 10M to 50M. For the same reason, the default media_store_path was changed from ${dataDir}/media to ${dataDir}/media_store if system.stateVersion is at least 22.05. Files will need to be manually moved to the new location if the stateVersion is updated.

As of Synapse 1.58.0, the old groups/communities feature has been disabled by default. It will be completely removed with Synapse 1.61.0.

The Keycloak package (pkgs.keycloak) has been switched from the Wildfly version, which will soon be deprecated, to the Quarkus based version. The Keycloak service (services.keycloak) has been updated to accommodate the change and now differs from the previous version in a few ways:

For example, when using a reverse proxy the migration could look like this:

Before:

  services.keycloak = {
    enable = true;
    httpPort = "8080";
    frontendUrl = "https://keycloak.example.com/auth";
    database.passwordFile = "/run/keys/db_password";
    extraConfig = {
      "subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true;
    };
  };

After:

  services.keycloak = {
    enable = true;
    settings = {
      http-port = 8080;
      hostname = "keycloak.example.com";
      http-relative-path = "/auth";
      proxy = "edge";
    };
    database.passwordFile = "/run/keys/db_password";
  };

The MoinMoin wiki engine (services.moinmoin) has been removed, because Python 2 is being retired from nixpkgs.

Services in the hadoop module previously set openFirewall to true by default. This has now been changed to false. Node definitions for multi-node clusters would need openFirewall = true; to be added to to hadoop services when upgrading from NixOS 21.11.

services.hadoop.yarn.nodemanager now uses cgroup-based CPU limit enforcement by default. Additionally, the option useCGroups was added to nodemanagers as an easy way to switch back to the old behavior.

The wafHook hook now honors NIX_BUILD_CORES when enableParallelBuilding is not set explicitly. Packages can restore the old behaviour by setting enableParallelBuilding=false.

pkgs.claws-mail-gtk2, representing Claws Mail’s older release version three, was removed in order to get rid of Python 2. Please switch to claws-mail, which is Claws Mail’s latest release based on GTK+3 and Python 3.

The writers.writePython2 and corresponding writers.writePython2Bin convenience functions to create executable Python 2 scripts in the store were removed in preparation of removal of the Python 2 interpreter. Scripts have to be converted to Python 3 for use with writers.writePython3 or writers.writePyPy2 needs to be used.

buildGoModule was updated to use go_1_17, third party derivations that specify >= go 1.17 in the main go.mod will need to regenerate their vendorSha256 hash.

The gnome-passwordsafe package updated to version 6.x and renamed to gnome-secrets.

services.gnome.experimental-features.realtime-scheduling option has been removed, as GNOME Shell now uses rtkit. Use security.rtkit.enable = true; instead. As before, you will need to have it enabled using GSettings.

services.telepathy will no longer be enabled by default for GNOME desktops, one should enable it in their configs if using Empathy or Polari.

If you previously used /etc/docker/daemon.json, you need to incorporate the changes into the new option virtualisation.docker.daemon.settings.

Ntopng (services.ntopng) is updated to 5.2.1 and uses a separate Redis instance if system.stateVersion is at least 22.05. Existing setups shouldn’t be affected.

The backward compatibility in services.wordpress to configure sites with the old interface has been removed. Please use services.wordpress.sites instead.

The backward compatibility in services.dokuwiki to configure sites with the old interface has been removed. Please use services.dokuwiki.sites instead.

opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs

services.miniflux.adminCredentialFiles is now required, instead of defaulting to admin and password.

The taskserver module no longer implicitly opens ports in the firewall configuration. This is now controlled through the option services.taskserver.openFirewall.

The autorestic package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check their migration guide for more details.

teleport has been upgraded to major version 9. Please see upstream upgrade instructions and release notes.

For pkgs.python3.pkgs.ipython, its direct dependency pkgs.python3.pkgs.matplotlib-inline (which is really an adapter to integrate matplotlib in ipython if it is installed) does not depend on pkgs.python3.pkgs.matplotlib anymore. This is closer to a non-Nix install of ipython. This has the added benefit to reduce the closure size of ipython from ~400MB to ~160MB (including ~100MB for python itself).

documentation.man has been refactored to support choosing a man implementation other than GNU’s man-db. For this, documentation.man.manualPages has been renamed to documentation.man.man-db.manualPages. If you want to use the new alternative man implementation mandoc, add documentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; } to your configuration.

Normal users (with isNormalUser = true) which have non-empty subUidRanges or subGidRanges set no longer have additional implicit ranges allocated. To enable automatic allocation back set autoSubUidGidRange = true.

idris2 now requires --package when using packages contrib and network, while previously these idris2 packages were automatically loaded.

The iputils package, which is installed by default, no longer provides the legacy tools tftpd and traceroute6. More tools (ninfod, rarpd, and rdisc) are going to be removed in the next release. See upstream’s release notes for more details and available replacements.

services.thelounge.private was removed in favor of services.thelounge.public, to follow with upstream changes.

pkgs.docbookrx was removed since it’s unmaintained

pkgs._7zz is now correctly licensed as LGPL3+ and BSD3 with optional unfree unRAR licensed code

The vim.customize function produced by vimUtils.makeCustomizable now has a slightly different interface:

See the comments in pkgs/applications/editors/vim/plugins/vim-utils.nix for more details.

vimUtils.vimWithRC was removed. You should instead use customize on a Vim derivation, which now accepts vimrcFile and gvimrcFile arguments.

tilp2 was removed together with its module

The F-PROT antivirus (fprot package) and its service module were removed because it reached end-of-life.

bird1 and its modules services.bird as well as services.bird6 have been removed. Upgrade to services.bird2.

The options networking.interfaces.<name>.ipv4.routes and networking.interfaces.<name>.ipv6.routes are no longer ignored when using networkd instead of the default scripted network backend by setting networking.useNetworkd to true.

The miller package has been upgraded from 5.10.3 to 6.2.0. See What’s new in Miller 6.

MultiMC has been replaced with the fork PrismLauncher due to upstream developers being hostile to 3rd party package maintainers. PrismLauncher removes all MultiMC branding and is aimed at providing proper 3rd party packages like the one contained in Nixpkgs. This change affects the data folder where game instances and other save and configuration files are stored. Users with existing installations should rename ~/.local/share/multimc to ~/.local/share/PrismLauncher. The main config file’s path has also moved from ~/.local/share/multimc/multimc.cfg to ~/.local/share/PrismLauncher/prismlauncher.cfg.

systemd-nspawn@.service settings have been reverted to the default systemd behaviour. User namespaces are now activated by default. If you want to keep running nspawn containers without user namespaces you need to set systemd.nspawn.<name>.execConfig.PrivateUsers = false

systemd-shutdown is now properly linked on shutdown to unmount all filesystems and device mapper devices cleanly. This can be disabled using systemd.shutdownRamfs.enable.

The Tor SOCKS proxy is now actually disabled if services.tor.client.enable is set to false (the default). If you are using this functionality but didn’t change the setting or set it to false, you now need to set it to true.

services.github-runner has been hardened. Notably address families and system calls have been restricted, which may adversely affect some kinds of testing, e.g. using AF_BLUETOOTH to test bluetooth devices.

The terraform 0.12 compatibility has been removed and the terraform.withPlugins and terraform-providers.mkProvider implementations simplified. Providers now need to be stored under $out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version> (which mkProvider does).

This breaks back-compat so it’s not possible to mix-and-match with previous versions of nixpkgs. In exchange, it now becomes possible to use the providers from nixpkgs-terraform-providers-bin directly.

The dendrite package has been upgraded from 0.5.1 to 0.6.5. Instances configured with split sqlite databases, which has been the default in NixOS, require merging of the federation sender and signing key databases. See upstream release notes on version 0.6.0 for details on database changes.

The existing pkgs.opentelemetry-collector has been moved to pkgs.opentelemetry-collector-contrib to match the actual source being the “contrib” edition. pkgs.opentelemetry-collector is now the actual core release of opentelemetry-collector. If you use the community contributions you should change the package you refer to. If you don’t need them update your commands from otelcontribcol to otelcorecol and enjoy a 7x smaller binary.

services.zookeeper has a new option jre for specifying the JRE to start zookeeper with. It defaults to the JRE that pkgs.zookeeper was wrapped with, instead of pkgs.jre. This changes the JRE to pkgs.jdk11_headless by default.

pkgs.pgadmin now refers to pkgs.pgadmin4. pgadmin3 has been removed.

pkgs.minetestclient_4 and pkgs.minetestserver_4 have been removed, as the last 4.x release was in 2018. pkgs.minetestclient (equivalent to pkgs.minetest ) and pkgs.minetestserver can be used instead.

pkgs.noto-fonts-cjk is now deprecated in favor of pkgs.noto-fonts-cjk-sans and pkgs.noto-fonts-cjk-serif because they each have different release schedules. To maintain compatibility with prior releases of Nixpkgs, pkgs.noto-fonts-cjk is currently an alias of pkgs.noto-fonts-cjk-sans and doesn’t include serif fonts.

pkgs.epgstation has been upgraded from v1 to v2, resulting in incompatible changes in the database scheme and configuration format.

Some top-level settings under services.epgstation is now deprecated because it was redudant due to the same options being present in services.epgstation.settings.

The option services.epgstation.basicAuth was removed because basic authentication support was dropped by upstream.

The option services.epgstation.database.passwordFile no longer has a default value. Make sure to set this option explicitly before upgrading. Change the database password if necessary.

The services.epgstation.settings option now expects options for config.yml in EPGStation v2.

Existing data for the services.epgstation module would have to be backed up prior to the upgrade. To back up exising data to /tmp/epgstation.bak, run sudo -u epgstation epgstation run backup /tmp/epgstation.bak. To import that data after to the upgrade, run sudo -u epgstation epgstation run v1migrate /tmp/epgstation.bak

switch-to-configuration (the script that is run when running nixos-rebuild switch for example) has been reworked

The services.bookstack.cacheDir option has been removed, since the cache directory is now handled by systemd.

The services.bookstack.extraConfig option has been replaced by services.bookstack.config which implements a settings-style configuration.

lib.assertMsg and lib.assertOneOf no longer return false if the passed condition is false, throwing the given error message instead (which makes the resulting error message less cluttered). This will not impact the behaviour of code using these functions as intended, namely as top-level wrapper for assert conditions.

The vpnc package has been changed to use GnuTLS instead of OpenSSL by default for licensing reasons.

The default version of nextcloud is nextcloud24. Please note that it’s not possible to upgrade nextcloud across multiple major versions! This means it’s e.g. not possible to upgrade from nextcloud22 to nextcloud24 in a single deploy and most 21.11 users will have to upgrade to nextcloud23 first.

pkgs.vimPlugins.onedark-nvim now refers to navarasu/onedark.nvim (formerly refers to olimorris/onedarkpro.nvim).

services.pipewire.enable will default to enabling the WirePlumber session manager instead of pipewire-media-session. pipewire-media-session is deprecated by upstream and not recommended, but can still be manually enabled by setting services.pipewire.media-session.enable to true and services.pipewire.wireplumber.enable to false.

pkgs.makeDesktopItem has been refactored to provide a more idiomatic API. Specifically:

See the vscode package for a more detailed example.

Existing resholve* functions have been renamed and nested under pkgs.resholve. Update uses to:

pkgs.cosmopolitan no longer provides the cosmoc command. It has been moved to pkgs.cosmoc.

pkgs.graalvmXX-ce packages no longer provide support for Python/Ruby/WASM, instead focusing only in Java and Native Image Support. If you need to add support back, please see the pkgs.graalvmCEPackages.mkGraal function to create your own customized version of GraalVM with support for what you need.

The option services.redis.servers was added to support per-application redis-server which is more secure since Redis databases are only mere key prefixes without any configuration or ACL of their own. Backward-compatibility is preserved by mapping old services.redis.settings to services.redis.servers."".settings, but you are strongly encouraged to name each redis-server instance after the application using it, instead of keeping that nameless one. Except for the nameless services.redis.servers."" still accessible at 127.0.0.1:6379, and to the members of the Unix group redis through the Unix socket /run/redis/redis.sock, all other services.redis.servers.${serverName} are only accessible by default to the members of the Unix group redis-${serverName} through the Unix socket /run/redis-${serverName}/redis.sock.

The option virtualisation.vmVariant was added to allow users to make changes to the nixos-rebuild build-vm configuration that do not apply to their normal system.

The config.system.build.vm attribute now always exists and defaults to the value from vmVariant. Configurations that import the virtualisation/qemu-vm.nix module themselves will override this value, such that vmVariant is not used.

Similarly virtualisation.vmVariantWithBootloader was added.

The configuration portion of the nix-daemon module has been reworked and exposed as nix.settings:

kops defaults to 1.23.2, which will enable Instance Metadata Service Version 2 and require tokens on new clusters with Kubernetes >= 1.22. This will increase security by default, but may break some types of workloads. The default behaviour for spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS has changed from true to false. Cilium now has disable-cnp-status-updates: true by default. Set this to false if you rely on the CiliumNetworkPolicy status fields. Support for Kubernetes 1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS 7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been removed. See the 1.22 release notes and 1.23 release notes for more details, including other significant changes.

Mattermost has been upgraded to extended support version 6.3 as the previously packaged extended support version 5.37 is reaching end of life. Migration may take some time, see the changelog and important upgrade notes.

The writers.writePyPy2/writers.writePyPy3 and corresponding writers.writePyPy2Bin/writers.writePyPy3Bin convenience functions to create executable Python 2/3 scripts using the PyPy interpreter were added.

Some improvements have been made to the hadoop module:

The auto-upgrade service now accepts persistent (default: true) parameter. By default auto-upgrade will now run immediately if it would have been triggered at least once during the time when the timer was inactive.

Mastodon now uses services.redis.servers to start a new redis server, instead of using a global redis server. This improves compatibility with other services that use redis.

Note that this will recreate the redis database, although according to the Mastodon docs, this is almost harmless:

If you do want to save the redis database, you can use the following commands:

redis-cli save
cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb"

Peertube now uses services.redis.servers to start a new redis server, instead of using a global redis server. This improves compatibility with other services that use redis.

Redis database is used for storage only cache and job queue. More information can be found here - Peertube architecture.

If you do want to save the redis database, you can use the following commands before upgrade OS:

redis-cli save
sudo mkdir /var/lib/redis-peertube
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb

If you are using Wayland you can choose to use the Ozone Wayland support in Chrome and several Electron apps by setting the environment variable NIXOS_OZONE_WL=1 (for example via environment.sessionVariables.NIXOS_OZONE_WL = "1"). This is not enabled by default because Ozone Wayland is still under heavy development and behavior is not always flawless. Furthermore, not all Electron apps use the latest Electron versions.

A new option group systemd.network.wait-online was added, with options to configure systemd-networkd-wait-online.service:

The influxdb2 package was split into influxdb2-server and influxdb2-cli, matching the split that took place upstream. A combined influxdb2 package is still provided in this release for backwards compatibilty, but will be removed at a later date.

The unifi package was switched from unifi6 to unifi7. Direct downgrades from Unifi 7 to Unifi 6 are not possible and require restoring from a backup made by Unifi 6.

programs.zsh.autosuggestions.strategy now takes a list of strings instead of a string.

The asterisk and asterisk-stable packages were switched from asterisk_18 to the newly-packaged asterisk_19. Asterisk 13 and 17 have been removed as they have reached their end of life.

The services.unifi.openPorts option default value of true is now deprecated and will be changed to false in 22.11. Configurations using this default will print a warning when rebuilt.

The services.unifi-video.openPorts option default value of true is now deprecated and will be changed to false in 22.11. Configurations using this default will print a warning when rebuilt.

security.acme certificates will now correctly check for CA revokation before reaching their minimum age.

Removing domains from security.acme.certs._name_.extraDomainNames will now correctly remove those domains during rebuild/renew.

MariaDB is now offered in several versions, not just the newest one. So if you have a need for running MariaDB 10.4 for example, you can now just set services.mysql.package = pkgs.mariadb_104;. In general, it is recommended to run the newest version, to get the newest features, while sticking with an LTS version will most likely provide a more stable experience. Sometimes software is also incompatible with the newest version of MariaDB.

The option programs.ssh.enableAskPassword was added, decoupling the setting of SSH_ASKPASS from services.xserver.enable. This allows easy usage in non-X11 environments, e.g. Wayland.

programs.ssh.knownHosts has gained an extraHostNames option to augment hostNames. It is now possible to use the attribute name of a knownHosts entry as the primary host name and specify secondary host names using extraHostNames without having to duplicate the primary host name.

The services.stubby module was converted to a settings-style configuration.

The option services.xserver.desktopManager.runXdgAutostartIfNone was added in order to automatically run XDG autostart files for sessions without a desktop manager. This replaces helpers like the dex package.

When setting i18n.inputMethod.enabled to fcitx5, it no longer creates corresponding systemd user services. It now relies on XDG autostart files to start and work properly in your desktop sessions. If you are using only a window manager without a desktop manager, you need to enable services.xserver.desktopManager.runXdgAutostartIfNone or using the dex package to make fcitx5 work.

The option services.duplicati.dataDir has been added to allow changing the location of duplicati’s files.

The options boot.extraModprobeConfig and boot.blacklistedKernelModules now also take effect in the initrd by copying the file /etc/modprobe.d/nixos.conf into the initrd.

nixos-generate-config now puts the dhcp configuration in hardware-configuration.nix instead of configuration.nix.

ORY Kratos was updated to version 0.9.0-alpha.3, which introduces some breaking changes:

fetchFromSourcehut now allows fetching repositories recursively using fetchgit or fetchhg if the argument fetchSubmodules is set to true.

A module for declarative configuration of openconnect VPN profiles was added under networking.openconnect.

The element-desktop package now has an useKeytar option (defaults to true), which allows disabling keytar and in turn libsecret usage (which binds to native credential managers / keychain libraries).

The option services.thelounge.plugins has been added to allow installing plugins for The Lounge. Plugins can be found in pkgs.theLoungePlugins.plugins and pkgs.theLoungePlugins.themes.

The option services.xserver.videoDriver = [ "nvidia" ]; will now also install nvidia VA-API drivers by default.

The firmwareLinuxNonfree package has been renamed to linux-firmware.

It is now possible to specify wordlists to include as handy to access environment variables using the config.environment.wordlist configuration options.

The services.mbpfan module was converted to a RFC 0042 configuration.

The default value for programs.spacefm.settings.graphical_su got unset. It previously pointed to gksu which has been removed.

The Dino XMPP client was updated to 0.3, adding support for audio and video calls.

services.mattermost.plugins has been added to allow the declarative installation of Mattermost plugins. Plugins are automatically repackaged using autoPatchelf.

services.logrotate.enable now defaults to true if any rotate path has been defined, and some paths have been added by default.

The logrotate module also has been updated to freeform syntax: services.logrotate.paths and services.logrotate.extraConfig will work, but issue deprecation warnings and services.logrotate.settings should now be used instead.

security.pam.ussh has been added, which allows authorizing PAM sessions based on SSH certificates held within an SSH agent, using pam-ussh.

The vscode-extensions.ionide.ionide-fsharp package has been updated to 6.0.0 and now requires .NET 6.0.

The phpPackages.box package has been updated from 2.7.5 to 3.16.0. See the upgrade guide for more details.

The zrepl package has been updated from 0.4.0 to 0.5:

The polybar package has been updated from 3.5.7 to 3.6.2. See the changelog for more details.

Renamed option services.openssh.challengeResponseAuthentication to services.openssh.kbdInteractiveAuthentication. Reason is that the old name has been deprecated upstream. Using the old option name will still work, but produce a warning.

services.autorandr now allows for adding hooks and profiles declaratively.

The pomerium-cli command has been moved out of the pomerium package into the pomerium-cli package, following upstream’s repository split. If you are using the pomerium-cli command, you should now install the pomerium-cli package.

The option services.networking.networkmanager.enableFccUnlock was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer automatically performs the FCC unlock procedure by default. See the docs for more details.

programs.tmux has a new option plugins that accepts a list of packages from the tmuxPlugins group. The specified packages are added to the system and loaded by tmux.

The polkit service, available at security.polkit.enable, is now disabled by default. It will automatically be enabled through services and desktop environments as needed.

mercury was updated to 22.01.1, which has some breaking changes (Mercury 22.01 news).

xfsprogs was update to version 5.15, which enables inobtcount and bigtime by default on filesystem creation. Support for these features was added in kernel 5.10 and deemed stable in kernel 5.15. If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than 5.10, you need to format them with mkfs.xfs -m bigtime=0 -m inobtcount=0.

services.xserver.desktopManager.xfce now includes Xfce’s screen locker, xfce4-screensaver that is enabled by default. You can disable it by setting false to services.xserver.desktopManager.xfce.enableScreensaver.

The hadoop package has added support for aarch64-linux and aarch64-darwin as of 3.3.1 (#158613).

The R package now builds again on aarch64-darwin (#158992).

The nss package was split into nss_esr and nss_latest, with nss being an alias for nss_esr. This was done to ease maintenance of nss and dependent high-profile packages like firefox.

The default scribus version is now 1.5, while version 1.4 is still available as scribus_1_4 (#172700).

The Nextcloud module now supports to create a Mysql database automatically with services.nextcloud.database.createLocally enabled.

Matrix Synapse now requires entries in the state_group_edges table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.

The Nextcloud module now allows setting the value of the max-age directive of the Strict-Transport-Security HTTP header, which is now controlled by the services.nextcloud.https option, rather than services.nginx.recommendedHttpHeaders.

The spark3 package has been updated from 3.1.2 to 3.2.1 (#160075):

The option services.snapserver.openFirewall will no longer default to true starting with NixOS 22.11. Enable it explicitly if you need to control Snapserver remotely or connect streamig clients from other hosts.

The option networking.useDHCP isn’t deprecated anymore. When using systemd-networkd, a generic .network-unit is added which enables DHCP for each interface matching en*, eth* or wl* with priority 99 (which means that it doesn’t have any effect if such an interface is matched by a .network-unit with a lower priority). In case of scripted networking, no behavior was changed.

The new postgresqlTestHook runs a PostgreSQL server for the duration of package checks.

zfs was updated from 2.1.4 to 2.1.5, enabling it to be used with Linux kernel 5.18.

stdenv.mkDerivation now supports a self-referencing finalAttrs: parameter containing the final mkDerivation arguments including overrides. drv.overrideAttrs now supports two parameters finalAttrs: previousAttrs:. This allows packaging configuration to be overridden in a consistent manner by providing an alternative to rec {} syntax.

Additionally, passthru can now reference finalAttrs.finalPackage containing the final package, including attributes such as the output paths and overrideAttrs.

New language integrations can be simplified by overriding a “prototype” package containing the language-specific logic. This removes the need for a extra layer of overriding for the “generic builder” arguments, thus removing a usability problem and source of error.

Nix has been updated to version 2.4, reference its release notes for more information on what has changed. The previous version of Nix, 2.3.16, remains available for the time being in the nix_2_3 package.

iptables is now using nf_tables under the hood, by using iptables-nft, similar to Debian and Fedora. This means, ip[6]tables, arptables and ebtables commands will actually show rules from some specific tables in the nf_tables kernel subsystem. In case you’re migrating from an older release without rebooting, there might be cases where you end up with iptable rules configured both in the legacy iptables kernel backend, as well as in the nf_tables backend. This can lead to confusing firewall behaviour. An iptables-save after switching will complain about “iptables-legacy tables present”. It’s probably best to reboot after the upgrade, or manually removing all legacy iptables rules (via the iptables-legacy package).

systemd got an nftables backend, and configures (networkd) rules in their own io.systemd.* tables. Check nft list ruleset to see these rules, not iptables-save (which only shows iptables-created rules.

PHP now defaults to PHP 8.0, updated from 7.4.

kops now defaults to 1.21.1, which uses containerd as the default runtime.

python3 now defaults to Python 3.9, updated from Python 3.8.

PostgreSQL now defaults to major version 13.

spark now defaults to spark 3, updated from 2. A migration guide is available.

Improvements have been made to the Hadoop module and package:

Activation scripts can now, optionally, be run during a nixos-rebuild dry-activate and can detect the dry activation by reading $NIXOS_ACTION. This allows activation scripts to output what they would change if the activation was really run. The users/modules activation script supports this and outputs some of is actions.

KDE Plasma now finally works on Wayland.

bash now defaults to major version 5.

Systemd was updated to version 249 (from 247).

Pantheon desktop has been updated to version 6. Due to changes of screen locker, if locking doesn’t work for you, please try gsettings set org.gnome.desktop.lockdown disable-lock-screen false.

kubernetes-helm now defaults to 3.7.0, which introduced some breaking changes to the experimental OCI manifest format. See HIP 6 for more details. helmfile also defaults to 0.141.0, which is the minimum compatible version.

GNOME has been upgraded to 41. Please take a look at their Release Notes for details.

LXD support was greatly improved:

OpenSSH was updated to version 8.8p1

ORY Kratos was updated to version 0.8.0-alpha.3

btrbk, a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations. Available as services.btrbk.

clipcat, an X11 clipboard manager written in Rust. Available at services.clipcat.

dex, an OpenID Connect (OIDC) identity and OAuth 2.0 provider. Available at services.dex.

geoipupdate, a GeoIP database updater from MaxMind. Available as services.geoipupdate.

Jibri, a service for recording or streaming a Jitsi Meet conference. Available as services.jibri.

Kea, ISCs 2nd generation DHCP and DDNS server suite. Available at services.kea.

owncast, self-hosted video live streaming solution. Available at services.owncast.

PeerTube, developed by Framasoft, is the free and decentralized alternative to video platforms. Available at services.peertube.

sourcehut, a collection of tools useful for software development. Available as services.sourcehut.

ucarp, an userspace implementation of the Common Address Redundancy Protocol (CARP). Available as networking.ucarp.

Users of flashrom should migrate to programs.flashrom.enable and add themselves to the flashrom group to be able to access programmers supported by flashrom.

vikunja, a to-do list app. Available as services.vikunja.

opensnitch, an application firewall. Available as services.opensnitch.

snapraid, a backup program for disk arrays. Available as snapraid.

Hockeypuck, a OpenPGP Key Server. Available as services.hockeypuck.

buildkite-agent-metrics, a command-line tool for collecting Buildkite agent metrics, now has a Prometheus exporter available as services.prometheus.exporters.buildkite-agent.

influxdb-exporter a Prometheus exporter that exports metrics received on an InfluxDB compatible endpoint is now available as services.prometheus.exporters.influxdb.

mx-puppet-discord, a discord puppeting bridge for matrix. Available as services.mx-puppet-discord.

MeshCentral, a remote administration service (“TeamViewer but self-hosted and with more features”) is now available with a package and a module: services.meshcentral.enable

moonraker, an API web server for Klipper. Available as moonraker.

influxdb2, a Scalable datastore for metrics, events, and real-time analytics. Available as services.influxdb2.

isso, a commenting server similar to Disqus. Available as isso

navidrome, a personal music streaming server with subsonic-compatible api. Available as navidrome.

fluidd, a Klipper web interface for managing 3d printers using moonraker. Available as fluidd.

sx, a simple alternative to both xinit and startx for starting a Xorg server. Available as services.xserver.displayManager.sx

postfixadmin, a web based virtual user administration interface for Postfix mail servers. Available as postfixadmin.

prowlarr, an indexer manager/proxy built on the popular arr .net/reactjs base stack services.prowlarr.

soju, a user-friendly IRC bouncer. Available as services.soju.

nats, a high performance cloud and edge messaging system. Available as services.nats.

git, a distributed version control system. Available as programs.git.

parsedmarc, a service which parses incoming DMARC reports and stores or sends them to a downstream service for further analysis. Documented in its manual entry.

spark, a unified analytics engine for large-scale data processing.

touchegg, a multi-touch gesture recognizer. Available as services.touchegg.

pantheon-tweaks, an unofficial system settings panel for Pantheon. Available as programs.pantheon-tweaks.

joycond, a service that uses hid-nintendo to provide nintendo joycond pairing and better nintendo switch pro controller support.

multipath, the device mapper multipath (DM-MP) daemon. Available as services.multipath.

seafile, an open source file syncing & sharing software. Available as services.seafile.

rasdaemon, a hardware error logging daemon. Available as hardware.rasdaemon.

code-server-module now available

xmrig, a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner and RandomX benchmark.

Auto nice daemons ananicy and ananicy-cpp. Available as services.ananicy.

smartctl_exporter, a Prometheus exporter for S.M.A.R.T. data. Available as services.prometheus.exporters.smartctl.

The NixOS VM test framework, pkgs.nixosTest/make-test-python.nix (pkgs.testers.nixosTest since 22.05), now requires detaching commands such as succeed("foo &") and succeed("foo | xclip -i") to close stdout. This can be done with a redirect such as succeed("foo >&2 &"). This breaking change was necessitated by a race condition causing tests to fail or hang. It applies to all methods that invoke commands on the nodes, including execute, succeed, fail, wait_until_succeeds, wait_until_fails.

The services.wakeonlan option was removed, and replaced with networking.interfaces.<name>.wakeOnLan.

The security.wrappers option now requires to always specify an owner, group and whether the setuid/setgid bit should be set. This is motivated by the fact that before NixOS 21.11, specifying either setuid or setgid but not owner/group resulted in wrappers owned by nobody/nogroup, which is unsafe.

Since iptables now uses nf_tables backend and ipset doesn’t support it, some applications (ferm, shorewall, firehol) may have limited functionality.

The paperless module and package have been removed. All users should migrate to the successor paperless-ng instead. The Paperless project has been archived and advises all users to use paperless-ng instead.

Users can use the services.paperless-ng module as a replacement while noting the following incompatibilities:

{
  services.paperless-ng.extraConfig = {
    # Provide languages as ISO 639-2 codes
    # separated by a plus (+) sign.
    # https://en.wikipedia.org/wiki/List_of_ISO_639-2_codes
    PAPERLESS_OCR_LANGUAGE = "deu+eng+jpn"; # German & English & Japanse
  };
}

The staticjinja package has been upgraded from 1.0.4 to 4.1.1

Firefox v91 does not support addons with invalid signature anymore. Firefox ESR needs to be used for nix addon support.

The erigon ethereum node has moved to a new database format in 2021-05-04, and requires a full resync

The erigon ethereum node has moved it’s database location in 2021-08-03, users upgrading must manually move their chaindata (see release notes).

users.users.<name>.group no longer defaults to nogroup, which was insecure. Out-of-tree modules are likely to require adaptation: instead of

{
  users.users.foo = {
    isSystemUser = true;
  };
}

also create a group for your user:

{
  users.users.foo = {
    isSystemUser = true;
    group = "foo";
  };
  users.groups.foo = {};
}

services.geoip-updater was broken and has been replaced by services.geoipupdate.

ihatemoney has been updated to version 5.1.1 (release notes). If you serve ihatemoney by HTTP rather than HTTPS, you must set services.ihatemoney.secureCookie to false.

PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release.

Those making use of buildBazelPackage will need to regenerate the fetch hashes (preferred), or set fetchConfigured = false;.

consul was upgraded to a new major release with breaking changes, see upstream changelog.

fsharp41 has been removed in preference to use the latest dotnet-sdk

The following F#-related packages have been removed for being unmaintaned. Please use fetchNuGet for specific packages.

programs.x2goserver is now services.x2goserver

The following dotnet-related packages have been removed for being unmaintaned. Please use fetchNuGet for specific packages.

The antlr package now defaults to the 4.x release instead of the old 2.7.7 version.

The pulseeffects package updated to version 4.x and renamed to easyeffects.

The libwnck package now defaults to the 3.x release instead of the old 2.31.0 version.

The bitwarden_rs packages and modules were renamed to vaultwarden following upstream. More specifically,

yggdrasil was upgraded to a new major release with breaking changes, see upstream changelog.

icingaweb2 was upgraded to a new release which requires a manual database upgrade, see upstream changelog.

The isabelle package has been upgraded from 2020 to 2021

the mingw-64 package has been upgraded from 6.0.0 to 9.0.0

tt-rss was upgraded to the commit on 2021-06-21, which has breaking changes. If you use services.tt-rss.extraConfig you should migrate to the putenv-style configuration. See this Discourse post in the tt-rss forums for more details.

The following Visual Studio Code extensions were renamed to keep the naming convention uniform.

services.uptimed now uses /var/lib/uptimed as its stateDirectory instead of /var/spool/uptimed. Make sure to move all files to the new directory.

Deprecated package aliases in emacs.pkgs.* have been removed. These aliases were remnants of the old Emacs package infrastructure. We now use exact upstream names wherever possible.

programs.neovim.runtime switched to a linkFarm internally, making it impossible to use wildcards in the source argument.

The openrazer and openrazer-daemon packages as well as the hardware.openrazer module now require users to be members of the openrazer group instead of plugdev. With this change, users no longer need be granted the entire set of plugdev group permissions, which can include permissions other than those required by openrazer. This is desirable from a security point of view. The setting harware.openrazer.users can be used to add users to the openrazer group.

The fontconfig service’s dpi option has been removed. Fontconfig should use Xft settings by default so there’s no need to override one value in multiple places. The user can set DPI via ~/.Xresources properly, or at the system level per monitor, or as a last resort at the system level with services.xserver.dpi.

The yambar package has been split into yambar and yambar-wayland, corresponding to the xorg and wayland backend respectively. Please switch to yambar-wayland if you are on wayland.

The services.minio module gained an additional option consoleAddress, that configures the address and port the web UI is listening, it defaults to :9001. To be able to access the web UI this port needs to be opened in the firewall.

The varnish package was upgraded from 6.3.x to 7.x. varnish60 for the last LTS release is also still available.

The kubernetes package was upgraded to 1.22. The kubernetes.apiserver.kubeletHttps option was removed and HTTPS is always used.

The attribute linuxPackages_latest_hardened was dropped because the hardened patches lag behind the upstream kernel which made version bumps harder. If you want to use a hardened kernel, please pin it explicitly with a versioned attribute such as linuxPackages_5_10_hardened.

The nomad package now defaults to a 1.1.x release instead of 1.0.x

If exfat is included in boot.supportedFilesystems and when using kernel 5.7 or later, the exfatprogs user-space utilities are used instead of exfat.

The todoman package was upgraded from 3.9.0 to 4.0.0. This introduces breaking changes in the configuration file format.

The datadog-agent, datadog-integrations-core and datadog-process-agent packages were upgraded from 6.11.2 to 7.30.2, git-2018-09-18 to 7.30.1 and 6.11.1 to 7.30.2, respectively. As a result services.datadog-agent has had breaking changes to the configuration file. For details, see the upstream changelog.

opencv2 no longer includes the non-free libraries by default, and consequently pfstools no longer includes OpenCV support by default. Both packages now support an enableUnfree option to re-enable this functionality.

services.xserver.displayManager.defaultSession = "plasma5" does not work anymore, instead use either "plasma" for the Plasma X11 session or "plasmawayland" for the Plasma Wayland sesison.

boot.kernelParams now only accepts one command line parameter per string. This change is aimed to reduce common mistakes like “param = 12”, which would be parsed as 3 parameters.

nix.daemonNiceLevel and nix.daemonIONiceLevel have been removed in favour of the new options nix.daemonCPUSchedPolicy, nix.daemonIOSchedClass and nix.daemonIOSchedPriority. Please refer to the options documentation and the sched(7) and ioprio_set(2) man pages for guidance on how to use them.

The coursier package’s binary was renamed from coursier to cs. Completions which haven’t worked for a while should now work with the renamed binary. To keep using coursier, you can create a shell alias.

The services.mosquitto module has been rewritten to support multiple listeners and per-listener configuration. Module configurations from previous releases will no longer work and must be updated.

The fluidsynth_1 attribute has been removed, as this legacy version is no longer needed in nixpkgs. The actively maintained 2.x series is available as fluidsynth unchanged.

Nextcloud 20 (pkgs.nextcloud20) has been dropped because it was EOLed by upstream in 2021-10.

The virtualisation.pathsInNixDB option was renamed virtualisation.additionalPaths.

The services.ddclient.password option was removed, and replaced with services.ddclient.passwordFile.

The default GNAT version has been changed: The gnat attribute now points to gnat11 instead of gnat9.

retroArchCores has been removed. This means that using nixpkgs.config.retroarch to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example: retroarch.override { cores = with libretro; [ citra snes9x ]; };. Also, retroarchFull derivation is available for those who want to have all RetroArch cores available.

The Linux kernel for security reasons now restricts access to BPF syscalls via BPF_UNPRIV_DEFAULT_OFF=y. Unprivileged access can be reenabled via the kernel.unprivileged_bpf_disabled sysctl knob.

/usr will always be included in the initial ramdisk. See the fileSystems.<name>.neededForBoot option. If any files exist under /usr (which is not typical for NixOS), they will be included in the initial ramdisk, increasing its size to a possibly problematic extent.

The linux kernel package infrastructure was moved out of all-packages.nix, and restructured. Linux related functions and attributes now live under the pkgs.linuxKernel attribute set. In particular the versioned linuxPackages_* package sets (such as linuxPackages_5_4) and kernels from pkgs were moved there and now live under pkgs.linuxKernel.packages.*. The unversioned ones (such as linuxPackages_latest) remain untouched.

In NixOS virtual machines (QEMU), the virtualisation module has been updated with new options:

In addition, the default msize parameter in 9P filesystems (including /nix/store and all shared directories) has been increased to 16K for improved performance.

The setting services.openssh.logLevel "VERBOSE" "INFO". This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.

However, if services.fail2ban.enable is true, the fail2ban will override the verbosity to "VERBOSE", so that fail2ban can observe the failed login attempts from the SSH logs.

The services.xserver.extraLayouts no longer cause additional rebuilds when a layout is added or modified.

Sway: The terminal emulator rxvt-unicode is no longer installed by default via programs.sway.extraPackages. The current default configuration uses alacritty (and soon foot) so this is only an issue when using a customized configuration and not installing rxvt-unicode explicitly.

python3 now defaults to Python 3.9. Python 3.9 introduces many deprecation warnings, please look at the What’s New In Python 3.9 post for more information.

qtile hase been updated from “0.16.0” to “0.18.0”, please check qtile changelog for changes.

The claws-mail package now references the new GTK+ 3 release branch, major version 4. To use the GTK+ 2 releases, one can install the claws-mail-gtk2 package.

The wordpress module provides a new interface which allows to use different webservers with the new option services.wordpress.webserver. Currently httpd, caddy and nginx are supported. The definitions of wordpress sites should now be set in services.wordpress.sites.

Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.

The dokuwiki module provides a new interface which allows to use different webservers with the new option services.dokuwiki.webserver. Currently caddy and nginx are supported. The definitions of dokuwiki sites should now be set in services.dokuwiki.sites.

Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.

The order of NSS (host) modules has been brought in line with upstream recommendations:

If you use your own NSS host modules, make sure to update your priorities according to these rules:

The networking.wireless module (based on wpa_supplicant) has been heavily reworked, solving a number of issues and adding useful features:

The networking.wireless.iwd module has a new networking.wireless.iwd.settings option.

The services.smokeping.host option was added and defaulted to localhost. Before, smokeping listened to all interfaces by default. NixOS defaults generally aim to provide non-Internet-exposed defaults for databases and internal monitoring tools, see e.g. #100192. Further, the systemd service for smokeping got reworked defaults for increased operational stability, see PR #144127 for details.

The services.syncoid.enable module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn’t clean up after execution. You can manually look this up for your pools by running zfs allow your-pool-name and use zfs unallow syncoid your-pool-name to clean this up.

Zfs: latestCompatibleLinuxPackages is now exported on the zfs package. One can use boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; to always track the latest compatible kernel with a given version of zfs.

Nginx will use the value of sslTrustedCertificate if provided for a virtual host, even if enableACME is set. This is useful for providers not using the same certificate to sign OCSP responses and server certificates.

lib.formats.yaml’s generate will not generate JSON anymore, but instead use more of the YAML-specific syntax.

MariaDB was upgraded from 10.5.x to 10.6.x. Please read the upstream release notes for changes and upgrade instructions.

The MariaDB C client library, also known as libmysqlclient or mariadb-connector-c, was upgraded from 3.1.x to 3.2.x. While this should hopefully not have any impact, this upgrade comes with some changes to default behavior, so you might want to review the upstream release notes.

GNOME desktop environment now enables QGnomePlatform as the Qt platform theme, which should avoid crashes when opening file chooser dialogs in Qt apps by using XDG desktop portal. Additionally, it will make the apps fit better visually.

rofi has been updated from “1.6.1” to “1.7.0”, one important thing is the removal of the old xresources based configuration setup. Read more in rofi’s changelog.

ipfs now defaults to not listening on you local network. This setting was change as server providers won’t accept port scanning on their private network. If you have several ipfs instances running on a network you own, feel free to change the setting ipfs.localDiscovery = true;. localDiscovery enables different instances to discover each other and share data.

lua and luajit interpreters have been patched to avoid looking into /usr/lib directories, thus increasing the purity of the build.

Three new options, xdg.mime.addedAssociations, xdg.mime.defaultApplications, and xdg.mime.removedAssociations have been added to the xdg.mime module to allow the configuration of /etc/xdg/mimeapps.list.

Kopia was upgraded from 0.8.x to 0.9.x. Please read the upstream release notes for changes and upgrade instructions.

The systemd.network module has gained support for the FooOverUDP link type.

The networking module has a new networking.fooOverUDP option to configure Foo-over-UDP encapsulations.

networking.sits now supports Foo-over-UDP encapsulation.

The virtualisation.libvirtd module has been refactored and updated with new options:

The cawbird Twitter client now uses its own API keys to count as different application than upstream builds. This is done to evade application-level rate limiting. While existing accounts continue to work, users may want to remove and re-register their account in the client to enjoy a better user experience and benefit from this change.

A new option services.prometheus.enableReload has been added which can be enabled to reload the prometheus service when its config file changes instead of restarting.

The option services.prometheus.environmentFile has been removed since it was causing issues and Prometheus now has native support for secret files, i.e. basic_auth.password_file and authorization.credentials_file.

Dokuwiki now supports caddy! However

The services.unifi module has been reworked, solving a number of issues. This leads to several user facing changes:

security.pam.services.<name>.makeHomeDir now uses umask=0077 instead of umask=0022 when creating the home directory.

Loki has had another release. Some default values have been changed for the configuration and some configuration options have been renamed. For more details, please check the upgrade guide.

julia now refers to julia-stable instead of julia-lts. In practice this means it has been upgraded from 1.0.4 to 1.5.4.

RetroArch has been upgraded from version 1.8.5 to 1.9.13.2. Since the previous release was quite old, if you’re having issues after the upgrade, please delete your $XDG_CONFIG_HOME/retroarch/retroarch.cfg file.

hydrus has been upgraded from version 438 to 463. Since upgrading between releases this old is advised against, be sure to have a backup of your data before upgrading. For details, see the hydrus manual.

More jdk and jre versions are now exposed via java-packages.compiler.

Core version changes:

Desktop Environments:

Programming Languages and Frameworks:

The linux_latest kernel was updated to the 5.13 series. It currently is not officially supported for use with the zfs filesystem. If you use zfs, you should use a different kernel version (either the LTS kernel, or track a specific one).

GNURadio 3.8 and 3.9 were finally packaged, along with a rewrite to the Nix expressions, allowing users to override the features upstream supports selecting to compile or not to. Additionally, the attribute gnuradio (3.9), gnuradio3_8 and gnuradio3_7 now point to an externally wrapped by default derivations, that allow you to also add `extraPythonPackages` to the Python interpreter used by GNURadio. Missing environmental variables needed for operational GUI were also added (#75478).

Keycloak, an open source identity and access management server with support for OpenID Connect, OAUTH 2.0 and SAML 2.0.

See the Keycloak section of the NixOS manual for more information.

services.samba-wsdd.enable Web Services Dynamic Discovery host daemon

Discourse, a modern and open source discussion platform.

See the Discourse section of the NixOS manual for more information.

services.nebula.networks Nebula VPN

GNOME desktop environment was upgraded to 40, see the release notes for 40.0 and 3.38. The gnome3 attribute set has been renamed to gnome and so have been the NixOS options.

If you are using services.udev.extraRules to assign custom names to network interfaces, this may stop working due to a change in the initialisation of dhcpcd and systemd networkd. To avoid this, either move them to services.udev.initrdRules or see the new Assigning custom names section of the NixOS manual for an example using networkd links.

The security.hideProcessInformation module has been removed. It was broken since the switch to cgroups-v2.

The linuxPackages.ati_drivers_x11 kernel modules have been removed. The drivers only supported kernels prior to 4.2, and thus have become obsolete.

The systemConfig kernel parameter is no longer added to boot loader entries. It has been unused since September 2010, but if do have a system generation from that era, you will now be unable to boot into them.

systemd-journal2gelf no longer parses json and expects the receiving system to handle it. How to achieve this with Graylog is described in this GitHub issue.

If the services.dbus module is enabled, then the user D-Bus session is now always socket activated. The associated options services.dbus.socketActivated and services.xserver.startDbusSession have therefore been removed and you will receive a warning if they are present in your configuration. This change makes the user D-Bus session available also for non-graphical logins.

The networking.wireless.iwd module now installs the upstream-provided 80-iwd.link file, which sets the NamePolicy= for all wlan devices to "keep kernel", to avoid race conditions between iwd and networkd. If you don't want this, you can set systemd.network.links."80-iwd" = lib.mkForce {}.

rubyMinimal was removed due to being unused and unusable. The default ruby interpreter includes JIT support, which makes it reference it's compiler. Since JIT support is probably needed by some Gems, it was decided to enable this feature with all cc references by default, and allow to build a Ruby derivation without references to cc, by setting jitSupport = false; in an overlay. See #90151 for more info.

Setting services.openssh.authorizedKeysFiles now also affects which keys security.pam.enableSSHAgentAuth will use. WARNING: If you are using these options in combination do make sure that any key paths you use are present in services.openssh.authorizedKeysFiles!

The option fonts.enableFontDir has been renamed to fonts.fontDir.enable. The path of font directory has also been changed to /run/current-system/sw/share/X11/fonts, for consistency with other X11 resources.

A number of options have been renamed in the kicad interface. oceSupport has been renamed to withOCE, withOCCT has been renamed to withOCC, ngspiceSupport has been renamed to withNgspice, and scriptingSupport has been renamed to withScripting. Additionally, kicad/base.nix no longer provides default argument values since these are provided by kicad/default.nix.

The socket for the pdns-recursor module was moved from /var/lib/pdns-recursor to /run/pdns-recursor to match upstream.

Paperwork was updated to version 2. The on-disk format slightly changed, and it is not possible to downgrade from Paperwork 2 back to Paperwork 1.3. Back your documents up before upgrading. See this thread for more details.

PowerDNS has been updated from 4.2.x to 4.3.x. Please be sure to review the Upgrade Notes provided by upstream before upgrading. Worth specifically noting is that the service now runs entirely as a dedicated pdns user, instead of starting as root and dropping privileges, as well as the default socket-dir location changing from /var/lib/powerdns to /run/pdns.

The mediatomb service is now using by default the new and maintained fork gerbera package instead of the unmaintained mediatomb package. If you want to keep the old behavior, you must declare it with:

{
  services.mediatomb.package = pkgs.mediatomb;
}

One new option openFirewall has been introduced which defaults to false. If you relied on the service declaration to add the firewall rules itself before, you should now declare it with:

{
  services.mediatomb.openFirewall = true;
}

xfsprogs was update from 4.19 to 5.11. It now enables reflink support by default on filesystem creation. Support for reflinks was added with an experimental status to kernel 4.9 and deemed stable in kernel 4.16. If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than those, you need to format them with mkfs.xfs -m reflink=0.

The uWSGI server is now built with POSIX capabilities. As a consequence, root is no longer required in emperor mode and the service defaults to running as the unprivileged uwsgi user. Any additional capability can be added via the new option services.uwsgi.capabilities. The previous behaviour can be restored by setting:

{
  services.uwsgi.user = "root";
  services.uwsgi.group = "root";
  services.uwsgi.instance =
    {
      uid = "uwsgi";
      gid = "uwsgi";
    };
}

Another incompatibility from the previous release is that vassals running under a different user or group need to use immediate-{uid,gid} instead of the usual uid,gid options.

btc1 has been abandoned upstream, and removed.

cpp_ethereum (aleth) has been abandoned upstream, and removed.

riak-cs package removed along with services.riak-cs module.

stanchion package removed along with services.stanchion module.

mutt has been updated to a new major version (2.x), which comes with some backward incompatible changes that are described in the release notes for Mutt 2.0.

vim and neovim switched to Python 3, dropping all Python 2 support.

networking.wireguard.interfaces.<name>.generatePrivateKeyFile, which is off by default, had a chmod race condition fixed. As an aside, the parent directory's permissions were widened, and the key files were made owner-writable. This only affects newly created keys. However, if the exact permissions are important for your setup, read #121294.

boot.zfs.forceImportAll previously did nothing, but has been fixed. However its default has been changed to false to preserve the existing default behaviour. If you have this explicitly set to true, please note that your non-root pools will now be forcibly imported.

openafs now points to openafs_1_8, which is the new stable release. OpenAFS 1.6 was removed.

The WireGuard module gained a new option networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshSeconds that implements refreshing the IP of DNS-based endpoints periodically (which WireGuard itself cannot do).

MariaDB has been updated to 10.5. Before you upgrade, it would be best to take a backup of your database and read Incompatible Changes Between 10.4 and 10.5. After the upgrade you will need to run mysql_upgrade.

The TokuDB storage engine dropped in mariadb 10.5 and removed in mariadb 10.6. It is recommended to switch to RocksDB. See also TokuDB and MDEV-19780: Remove the TokuDB storage engine.

The openldap module now has support for OLC-style configuration, users of the configDir option may wish to migrate. If you continue to use configDir, ensure that olcPidFile is set to /run/slapd/slapd.pid.

As a result, extraConfig and extraDatabaseConfig are removed. To help with migration, you can convert your slapd.conf file to OLC configuration with the following script (find the location of this configuration file by running systemctl status openldap, it is the -f option.

$ TMPDIR=$(mktemp -d)
$ slaptest -f /path/to/slapd.conf -F $TMPDIR
$ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'

This will dump your current configuration in LDIF format, which should be straightforward to convert into Nix settings. This does not show your schema configuration, as this is unnecessarily verbose for users of the default schemas and slaptest is buggy with schemas directly in the config file.

Amazon EC2 and OpenStack Compute (nova) images now re-fetch instance meta data and user data from the instance metadata service (IMDS) on each boot. For example: stopping an EC2 instance, changing its user data, and restarting the instance will now cause it to fetch and apply the new user data.

The rspamd services is now sandboxed. It is run as a dynamic user instead of root, so secrets and other files may have to be moved or their permissions may have to be fixed. The sockets are now located in /run/rspamd instead of /run.

Enabling the Tor client no longer silently also enables and configures Privoxy, and the services.tor.client.privoxy.enable option has been removed. To enable Privoxy, and to configure it to use Tor's faster port, use the following configuration:

{
  opt-services.privoxy.enable = true;
  opt-services.privoxy.enableTor = true;
}

The services.tor module has a new exhaustively typed services.tor.settings option following RFC 0042; backward compatibility with old options has been preserved when aliasing was possible. The corresponding systemd service has been hardened, but there is a chance that the service still requires more permissions, so please report any related trouble on the bugtracker. Onion services v3 are now supported in services.tor.relay.onionServices. A new services.tor.openFirewall option as been introduced for allowing connections on all the TCP ports configured.

The options services.slurm.dbdserver.storagePass and services.slurm.dbdserver.configFile have been removed. Use services.slurm.dbdserver.storagePassFile instead to provide the database password. Extra config options can be given via the option services.slurm.dbdserver.extraConfig. The actual configuration file is created on the fly on startup of the service. This avoids that the password gets exposed in the nix store.

The wafHook hook does not wrap Python anymore. Packages depending on wafHook need to include any Python into their nativeBuildInputs.

Starting with version 1.7.0, the project formerly named CodiMD is now named HedgeDoc. New installations will no longer use the old name for users, state directories and such, this needs to be considered when moving state to a more recent NixOS installation. Based on system.stateVersion, existing installations will continue to work.

The fish-foreign-env package has been replaced with fishPlugins.foreign-env, in which the fish functions have been relocated to the vendor_functions.d directory to be loaded automatically.

The prometheus json exporter is now managed by the prometheus community. Together with additional features some backwards incompatibilities were introduced. Most importantly the exporter no longer accepts a fixed command-line parameter to specify the URL of the endpoint serving JSON. It now expects this URL to be passed as an URL parameter, when scraping the exporter's /probe endpoint. In the prometheus scrape configuration the scrape target might look like this:

http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint

Existing configuration for the exporter needs to be updated, but can partially be re-used. Documentation is available in the upstream repository and a small example for NixOS is available in the corresponding NixOS test.

These changes also affect services.prometheus.exporters.rspamd.enable, which is just a preconfigured instance of the json exporter.

For more information, take a look at the official documentation of the json_exporter.

Androidenv was updated, removing the includeDocs and lldbVersions arguments. Docs only covered a single version of the Android SDK, LLDB is now bundled with the NDK, and both are no longer available to download from the Android package repositories. Additionally, since the package lists have been updated, some older versions of Android packages may not be bundled. If you depend on older versions of Android packages, we recommend overriding the repo.

Android packages are now loaded from a repo.json file created by parsing Android repo XML files. The arguments repoJson and repoXmls have been added to allow overriding the built-in androidenv repo.json with your own. Additionally, license files are now written to allow compatibility with Gradle-based tools, and the extraLicenses argument has been added to accept more SDK licenses if your project requires it. See the androidenv documentation for more details.

The attribute mpi is now consistently used to provide a default, system-wide MPI implementation. The default implementation is openmpi, which has been used before by all derivations affects by this change. Note that all packages that have used mpi ? null in the input for optional MPI builds, have been changed to the boolean input paramater useMpi to enable building with MPI. Building all packages with mpich instead of the default openmpi can now be achived like this:

self: super:
{
  mpi = super.mpich;
}

The Searx module has been updated with the ability to configure the service declaratively and uWSGI integration. The option services.searx.configFile has been renamed to services.searx.settingsFile for consistency with the new services.searx.settings. In addition, the searx uid and gid reservations have been removed since they were not necessary: the service is now running with a dynamically allocated uid.

The libinput module has been updated with the ability to configure mouse and touchpad settings separately. The options in services.xserver.libinput have been renamed to services.xserver.libinput.touchpad, while there is a new services.xserver.libinput.mouse for mouse related configuration.

Since touchpad options no longer apply to all devices, you may want to replicate your touchpad configuration in mouse section.

ALSA OSS emulation (sound.enableOSSEmulation) is now disabled by default.

Thinkfan as been updated to 1.2.x, which comes with a new YAML based configuration format. For this reason, several NixOS options of the thinkfan module have been changed to non-backward compatible types. In addition, a new services.thinkfan.settings option has been added.

Please read the thinkfan documentation before updating.

Adobe Flash Player support has been dropped from the tree. In particular, the following packages no longer support it:

Additionally, packages flashplayer and hal-flash were removed along with the services.flashpolicyd module.

The security.rngd module has been removed. It was disabled by default in 20.09 as it was functionally redundant with krngd in the linux kernel. It is not necessary for any device that the kernel recognises as an hardware RNG, as it will automatically run the krngd task to periodically collect random data from the device and mix it into the kernel's RNG.

The default SMTP port for GitLab has been changed to 25 from its previous default of 465. If you depended on this default, you should now set the services.gitlab.smtp.port option.

The default version of ImageMagick has been updated from 6 to 7. You can use imagemagick6, imagemagick6_light, and imagemagick6Big if you need the older version.

services.xserver.videoDrivers no longer uses the deprecated cirrus and vesa device dependent X drivers by default. It also enables both amdgpu and nouveau drivers by default now.

The kindlegen package is gone, because it is no longer supported or hosted by Amazon. Sadly, its replacement, Kindle Previewer, has no Linux support. However, there are other ways to generate MOBI files. See the discussion for more info.

The apacheKafka packages are now built with version-matched JREs. Versions 2.6 and above, the ones that recommend it, use jdk11, while versions below remain on jdk8. The NixOS service has been adjusted to start the service using the same version as the package, adjustable with the new services.apache-kafka.jre option. Furthermore, the default list of services.apache-kafka.jvmOptions have been removed. You should set your own according to the upstream documentation for your Kafka version.

The kodi package has been modified to allow concise addon management. Consider the following configuration from previous releases of NixOS to install kodi, including the kodiPackages.inputstream-adaptive and kodiPackages.vfs-sftp addons:

{
  environment.systemPackages = [
    pkgs.kodi
  ];

  nixpkgs.config.kodi = {
    enableInputStreamAdaptive = true;
    enableVFSSFTP = true;
  };
}

All Kodi config flags have been removed, and as a result the above configuration should now be written as:

{
  environment.systemPackages = [
    (pkgs.kodi.withPackages (p: with p; [
      inputstream-adaptive
      vfs-sftp
    ]))
  ];
}

environment.defaultPackages now includes the nano package. If pkgs.nano is not added to the list, make sure another editor is installed and the EDITOR environment variable is set to it. Environment variables can be set using environment.variables.

services.minio.dataDir changed type to a list of paths, required for specifiyng multiple data directories for using with erasure coding. Currently, the service doesn't enforce nor checks the correct number of paths to correspond to minio requirements.

All CUDA toolkit versions prior to CUDA 10 have been removed.

The kbdKeymaps package was removed since dvp and neo are now included in kbd. If you want to use the Programmer Dvorak Keyboard Layout, you have to use dvorak-programmer in console.keyMap now instead of dvp. In services.xserver.xkbVariant it's still dvp.

The babeld service is now being run as an unprivileged user. To achieve that the module configures skip-kernel-setup true and takes care of setting forwarding and rp_filter sysctls by itself as well as for each interface in services.babeld.interfaces.

The services.zigbee2mqtt.config option has been renamed to services.zigbee2mqtt.settings and now follows RFC 0042.

Instead of determining services.radicale.package automatically based on system.stateVersion, the latest version is always used because old versions are not officially supported.

Furthermore, Radicale's systemd unit was hardened which might break some deployments. In particular, a non-default filesystem_folder has to be added to systemd.services.radicale.serviceConfig.ReadWritePaths if the deprecated services.radicale.config is used.

In the security.acme module, use of --reuse-key parameter for Lego has been removed. It was introduced for HKPK, but this security feature is now deprecated. It is a better security practice to rotate key pairs instead of always keeping the same. If you need to keep this parameter, you can add it back using extraLegoRenewFlags as an option for the appropriate certificate.

stdenv.lib has been deprecated and will break eval in 21.11. Please use pkgs.lib instead. See #108938 for details.

GNURadio has a pkgs attribute set, and there's a gnuradio.callPackage function that extends pkgs with a mkDerivation, and a mkDerivationWith, like Qt5. Now all gnuradio.pkgs are defined with gnuradio.callPackage and some packages that depend on gnuradio are defined with this as well.

Privoxy has been updated to version 3.0.32 (See announcement). Compared to the previous release, Privoxy has gained support for HTTPS inspection (still experimental), Brotli decompression, several new filters and lots of bug fixes, including security ones. In addition, the package is now built with compression and external filters support, which were previously disabled.

Regarding the NixOS module, new options for HTTPS inspection have been added and services.privoxy.extraConfig has been replaced by the new services.privoxy.settings (See RFC 0042 for the motivation).

Kodi has been updated to version 19.1 "Matrix". See the announcement for further details.

The services.packagekit.backend option has been removed as it only supported a single setting which would always be the default. Instead new RFC 0042 compliant services.packagekit.settings and services.packagekit.vendorSettings options have been introduced.

Nginx has been updated to stable version 1.20.0. Now nginx uses the zlib-ng library by default.

KDE Gear (formerly KDE Applications) is upgraded to 21.04, see its release notes for details.

The kdeApplications package set is now kdeGear, in keeping with the new name. The old name remains for compatibility, but it is deprecated.

Libreswan has been updated to version 4.4. The package now includes example configurations and manual pages by default. The NixOS module has been changed to use the upstream systemd units and write the configuration in the /etc/ipsec.d/ directory. In addition, two new options have been added to specify connection policies (services.libreswan.policies) and disable send/receive redirects (services.libreswan.disableRedirects).

The Mailman NixOS module (services.mailman) has a new option services.mailman.enablePostfix, defaulting to true, that controls integration with Postfix.

If this option is disabled, default MTA config becomes not set and you should set the options in services.mailman.settings.mta according to the desired configuration as described in Mailman documentation.

The default-version of nextcloud is nextcloud21. Please note that it's not possible to upgrade nextcloud across multiple major versions! This means that it's e.g. not possible to upgrade from nextcloud18 to nextcloud20 in a single deploy and most 20.09 users will have to upgrade to nextcloud20 first.

The package can be manually upgraded by setting services.nextcloud.package to nextcloud21.

The setting services.redis.bind defaults to 127.0.0.1 now, making Redis listen on the loopback interface only, and not all public network interfaces.

NixOS now emits a deprecation warning if systemd's StartLimitInterval setting is used in a serviceConfig section instead of in a unitConfig; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See #45785 for details.

All services should use systemd.services.name.startLimitIntervalSec or StartLimitIntervalSec in systemd.services.name.unitConfig instead.

The mediatomb service declares new options. It also adapts existing options so the configuration generation is now lazy. The existing option customCfg (defaults to false), when enabled, stops the service configuration generation completely. It then expects the users to provide their own correct configuration at the right location (whereas the configuration was generated and not used at all before). The new option transcodingOption (defaults to no) allows a generated configuration. It makes the mediatomb service pulls the necessary runtime dependencies in the nix store (whereas it was generated with hardcoded values before). The new option mediaDirectories allows the users to declare autoscan media directories from their nixos configuration:

{
  services.mediatomb.mediaDirectories = [
    { path = "/var/lib/mediatomb/pictures"; recursive = false; hidden-files = false; }
    { path = "/var/lib/mediatomb/audio"; recursive = true; hidden-files = false; }
  ];
}

The Unbound DNS resolver service (services.unbound) has been refactored to allow reloading, control sockets and to fix startup ordering issues.

It is now possible to enable a local UNIX control socket for unbound by setting the services.unbound.localControlSocketPath option.

Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities.

As of this we are (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound as unbound user with the required capabilities instead of letting unbound do the chroot & uid/gid changes.

The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the Type set to notify, therefore we are now also using the unbound-with-systemd package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit active (running). This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Services depending on nss-lookup.target or unbound.service are now be able to use unbound when those targets have been reached.

Additionally to the much stricter runtime environment the /dev/urandom mount lines we previously had in the code (that randomly failed during the stop-phase) have been removed as systemd will take care of those for us.

The preStart script is now only required if we enabled the trust anchor updates (which are still enabled by default).

Another benefit of the refactoring is that we can now issue reloads via either pkill -HUP unbound and systemctl reload unbound to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. We are using the path /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use unbound-control without passing a custom configuration location.

The module has also been reworked to be RFC 0042 compliant. As such, sevices.unbound.extraConfig has been removed and replaced by services.unbound.settings. services.unbound.interfaces has been renamed to services.unbound.settings.server.interface.

services.unbound.forwardAddresses and services.unbound.allowedAccess have also been changed to use the new settings interface. You can follow the instructions when executing nixos-rebuild to upgrade your configuration to use the new interface.

The services.dnscrypt-proxy2 module now takes the upstream's example configuration and updates it with the user's settings. An option has been added to restore the old behaviour if you prefer to declare the configuration from scratch.

NixOS now defaults to the unified cgroup hierarchy (cgroupsv2). See the Fedora Article for 31 for details on why this is desirable, and how it impacts containers.

If you want to run containers with a runtime that does not yet support cgroupsv2, you can switch back to the old behaviour by setting systemd.enableUnifiedCgroupHierarchy = false; and rebooting.

PulseAudio was upgraded to 14.0, with changes to the handling of default sinks. See its release notes.

GNOME users may wish to delete their ~/.config/pulse due to the changes to stream routing logic. See PulseAudio bug 832 for more information.

The zookeeper package does not provide zooInspector.sh anymore, as that "contrib" has been dropped from upstream releases.

In the ACME module, the data used to build the hash for the account directory has changed to accomodate new features to reduce account rate limit issues. This will trigger new account creation on the first rebuild following this update. No issues are expected to arise from this, thanks to the new account creation handling.

users.users.name.createHome now always ensures home directory permissions to be 0700. Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others. The option's description was incorrect regarding ownership management and has been simplified greatly.

When defining a new user, one of users.users.name.isNormalUser and users.users.name.isSystemUser is now required. This is to prevent accidentally giving a UID above 1000 to system users, which could have unexpected consequences, like running user activation scripts for system users. Note that users defined with an explicit UID below 500 are exempted from this check, as users.users.name.isSystemUser has no effect for those.

The security.apparmor module, for the AppArmor Mandatory Access Control system, has been substantialy improved along with related tools, so that module maintainers can now more easily write AppArmor profiles for NixOS. The most notable change on the user-side is the new option security.apparmor.policies, replacing the previous profiles option to provide a way to disable a profile and to select whether to confine in enforce mode (default) or in complain mode (see journalctl -b --grep apparmor). Security-minded users may also want to enable security.apparmor.killUnconfinedConfinables, at the cost of having some of their processes killed when updating to a NixOS version introducing new AppArmor profiles.

The GNOME desktop manager once again installs gnome.epiphany by default.

NixOS now generates empty /etc/netgroup. /etc/netgroup defines network-wide groups and may affect to setups using NIS.

Platforms, like stdenv.hostPlatform, no longer have a platform attribute. It has been (mostly) flattened away:

Additionally, platform.kernelArch moved to the top level as linuxArch to match the other *Arch variables.

The platform grouping of these things never meant anything, and was just a historial/implementation artifact that was overdue removal.

services.restic now uses a dedicated cache directory for every backup defined in services.restic.backups. The old global cache directory, /root/.cache/restic, is now unused and can be removed to free up disk space.

isync: The isync compatibility wrapper was removed and the Master/Slave terminology has been deprecated and should be replaced with Far/Near in the configuration file.

The nix-gc service now accepts randomizedDelaySec (default: 0) and persistent (default: true) parameters. By default nix-gc will now run immediately if it would have been triggered at least once during the time when the timer was inactive.

The rustPlatform.buildRustPackage function is split into several hooks: cargoSetupHook to set up vendoring for Cargo-based projects, cargoBuildHook to build a project using Cargo, cargoInstallHook to install a project using Cargo, and cargoCheckHook to run tests in Cargo-based projects. With this change, mixed-language projects can use the relevant hooks within builders other than buildRustPackage. However, these changes also required several API changes to buildRustPackage itself:

The rustPlatform.maturinBuildHook hook was added. This hook can be used with buildPythonPackage to build Python packages that are written in Rust and use Maturin as their build tool.

Kubernetes has deprecated docker as container runtime. As a consequence, the Kubernetes module now has support for configuration of custom remote container runtimes and enables containerd by default. Note that containerd is more strict regarding container image OCI-compliance. As an example, images with CMD or ENTRYPOINT defined as strings (not lists) will fail on containerd, while working fine on docker. Please test your setup and container images with containerd prior to upgrading.

The GitLab module now has support for automatic backups. A schedule can be set with the services.gitlab.backup.startAt option.

Prior to this release, systemd would also read system units from an undocumented /etc/systemd-mutable/system path. This path has been dropped from the defaults. That path (or others) can be re-enabled by adding it to the boot.extraSystemdUnitPaths list.

PostgreSQL 9.5 is scheduled EOL during the 21.05 life cycle and has been removed.

Xfce4 relies on GIO/GVfs for userspace virtual filesystem access in applications like thunar and gigolo. For that to work, the gvfs nixos service is enabled by default, and it can be configured with the specific package that provides GVfs. Until now Xfce4 was setting it to use a lighter version of GVfs (without support for samba). To avoid conflicts with other desktop environments this setting has been dropped. Users that still want it should add the following to their system configuration:

{
  services.gvfs.package = pkgs.gvfs.override { samba = null; };
}

The newly enabled systemd-pstore.service now automatically evacuates crashdumps and panic logs from the persistent storage to /var/lib/systemd/pstore. This prevents NVRAM from filling up, which ensures the latest diagnostic data is always stored and alleviates problems with writing new boot configurations.

Nixpkgs now contains automatically packaged GNOME Shell extensions from the GNOME Extensions portal. You can find them, filed by their UUID, under gnome38Extensions attribute for GNOME 3.38 and under gnome40Extensions for GNOME 40. Finally, the gnomeExtensions attribute contains extensions for the latest GNOME Shell version in Nixpkgs, listed under a more human-friendly name. The unqualified attribute scope also contains manually packaged extensions. Note that the automatically packaged extensions are provided for convenience and are not checked or guaranteed to work.

Erlang/OTP versions older than R21 got dropped. We also dropped the cuter package, as it was purely an example of how to build a package. We also dropped lfe_1_2 as it could not build with R21+. Moving forward, we expect to only support 3 yearly releases of OTP.

Core version changes:

Desktop Environments:

Programming Languages and Frameworks:

Databases and Service Monitoring:

Major module changes:

NixOS module changes:

Starting with this release, the hydra-build-result nixos-YY.MM branches no longer exist in the deprecated nixpkgs-channels repository. These branches are now in the main nixpkgs repository.

Hardware:

Programs:

Security:

System:

Virtualization:

Services:

MariaDB has been updated to 10.4, MariaDB Galera to 26.4. Before you upgrade, it would be best to take a backup of your database. For MariaDB Galera Cluster, see Upgrading from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster instead. Before doing the upgrade read Incompatible Changes Between 10.3 and 10.4. After the upgrade you will need to run mysql_upgrade. MariaDB 10.4 introduces a number of changes to the authentication process, intended to make things easier and more intuitive. See Authentication from MariaDB 10.4. unix_socket auth plugin does not use a password, and uses the connecting user's UID instead. When a new MariaDB data directory is initialized, two MariaDB users are created and can be used with new unix_socket auth plugin, as well as traditional mysql_native_password plugin: root@localhost and mysql@localhost. To actually use the traditional mysql_native_password plugin method, one must run the following:

{
services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
  ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("verysecret");
'';
}

When MariaDB data directory is just upgraded (not initialized), the users are not created or modified.

MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when calling LOAD DATA INFILE or SELECT * INTO OUTFILE. In this scenario a variant of the following may be required: - allow MySQL to read from /home and /tmp directories when using LOAD DATA INFILE

{
  systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only";
}

- allow MySQL to write to custom folder /var/data when using SELECT * INTO OUTFILE, assuming the mysql user has write access to /var/data

{
  systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
}

The MySQL service no longer runs its systemd service startup script as root anymore. A dedicated non root super user account is required for operation. This means users with an existing MySQL or MariaDB database server are required to run the following SQL statements as a super admin user before upgrading:

CREATE USER IF NOT EXISTS 'mysql'@'localhost' identified with unix_socket;
GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;

If you use MySQL instead of MariaDB please replace unix_socket with auth_socket. If you have changed the value of services.mysql.user from the default of mysql to a different user please change 'mysql'@'localhost' to the corresponding user instead.

Zabbix now defaults to 5.0, updated from 4.4. Please carefully read through the upgrade guide and apply any changes required. Be sure to take special note of the section on enabling extended range of numeric (float) values as you will need to apply this database migration manually.

If you are using Zabbix Server with a MySQL or MariaDB database you should note that using a character set of utf8 and a collate of utf8_bin has become mandatory with this release. See the upstream issue for further discussion. Before upgrading you should check the character set and collation used by your database and ensure they are correct:

SELECT
  default_character_set_name,
  default_collation_name
FROM
  information_schema.schemata
WHERE
  schema_name = 'zabbix';

If these values are not correct you should take a backup of your database and convert the character set and collation as required. Here is an example of how to do so, taken from the Zabbix forums:

ALTER DATABASE `zabbix` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin;

-- the following will produce a list of SQL commands you should subsequently execute
SELECT CONCAT("ALTER TABLE ", TABLE_NAME," CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;") AS ExecuteTheString
FROM information_schema.`COLUMNS`
WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ci";

maxx package removed along with services.xserver.desktopManager.maxx module. Please migrate to cdesktopenv and services.xserver.desktopManager.cde module.

The matrix-synapse module no longer includes optional dependencies by default, they have to be added through the plugins option.

buildGoModule now internally creates a vendor directory in the source tree for downloaded modules instead of using go's module proxy protocol. This storage format is simpler and therefore less likely to break with future versions of go. As a result buildGoModule switched from modSha256 to the vendorSha256 attribute to pin fetched version data.

Grafana is now built without support for phantomjs by default. Phantomjs support has been deprecated in Grafana and the phantomjs project is currently unmaintained. It can still be enabled by providing phantomJsSupport = true to the package instantiation:

{
  services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec {
    phantomJsSupport = true;
  });
}

The supybot module now uses /var/lib/supybot as its default stateDir path if stateVersion is 20.09 or higher. It also enables a number of systemd sandboxing options which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in systemd.services.supybot.serviceConfig.

The security.duosec.skey option, which stored a secret in the nix store, has been replaced by a new security.duosec.secretKeyFile option for better security.

security.duosec.ikey has been renamed to security.duosec.integrationKey.

vmware has been removed from the services.x11.videoDrivers defaults. For VMWare guests set virtualisation.vmware.guest.enable to true which will include the appropriate drivers.

The initrd SSH support now uses OpenSSH rather than Dropbear to allow the use of Ed25519 keys and other OpenSSH-specific functionality. Host keys must now be in the OpenSSH format, and at least one pre-generated key must be specified.

If you used the boot.initrd.network.ssh.host*Key options, you'll get an error explaining how to convert your host keys and migrate to the new boot.initrd.network.ssh.hostKeys option. Otherwise, if you don't have any host keys set, you'll need to generate some; see the hostKeys option documentation for instructions.

Since this release there's an easy way to customize your PHP install to get a much smaller base PHP with only wanted extensions enabled. See the following snippet installing a smaller PHP with the extensions imagick, opcache, pdo and pdo_mysql loaded:

{
  environment.systemPackages = [
    (pkgs.php.withExtensions
      ({ all, ... }: with all; [
        imagick
        opcache
        pdo
        pdo_mysql
      ])
    )
  ];
}

The default php attribute hasn't lost any extensions. The opcache extension has been added. All upstream PHP extensions are available under php.extensions.<name?>.

All PHP config flags have been removed for the following reasons:

The updated php attribute is now easily customizable to your liking by using php.withExtensions or php.buildEnv instead of writing config files or changing configure flags.

The remaining configuration flags can now be set directly on the php attribute. For example, instead of

{
  php.override {
    config.php.embed = true;
    config.php.apxs2 = false;
  }
}

you should now write

{
  php.override {
    embedSupport = true;
    apxs2Support = false;
  }
}

The ACME module has been overhauled for simplicity and maintainability. Cert generation now implicitly uses the acme user, and the security.acme.certs._name_.user option has been removed. Instead, certificate access from other services is now managed through group permissions. The module no longer runs lego twice under certain conditions, and will correctly renew certificates if their configuration is changed. Services which reload nginx and httpd after certificate renewal are now properly configured too so you no longer have to do this manually if you are using HTTPS enabled virtual hosts. A mechanism for regenerating certs on demand has also been added and documented.

Gollum received a major update to version 5.x and you may have to change some links in your wiki when migrating from gollum 4.x. More information can be found here.

Deluge 2.x was added and is used as default for new NixOS installations where stateVersion is >= 20.09. If you are upgrading from a previous NixOS version, you can set service.deluge.package = pkgs.deluge-2_x to upgrade to Deluge 2.x and migrate the state to the new format. Be aware that backwards state migrations are not supported by Deluge.

Nginx web server now starting with additional sandbox/hardening options. By default, write access to /var/log/nginx and /var/cache/nginx is allowed. To allow writing to other folders, use systemd.services.nginx.serviceConfig.ReadWritePaths

{
  systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
}

Nginx is also started with the systemd option ProtectHome = mkDefault true; which forbids it to read anything from /home, /root and /run/user (see ProtectHome docs for details). If you require serving files from home directories, you may choose to set e.g.

{
  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
}

The NixOS options nesting.clone and nesting.children have been deleted, and replaced with named specialisation configurations.

Replace a nesting.clone entry with:

{
  specialisation.example-sub-configuration = {
    configuration = {
      ...
    };
};

Replace a nesting.children entry with:

{
  specialisation.example-sub-configuration = {
    inheritParentConfig = false;
    configuration = {
      ...
    };
};

To switch to a specialised configuration at runtime you need to run:

$ sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test

Before you would have used:

$ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test

The Nginx log directory has been moved to /var/log/nginx, the cache directory to /var/cache/nginx. The option services.nginx.stateDir has been removed.

The httpd web server previously started its main process as root privileged, then ran worker processes as a less privileged identity user. This was changed to start all of httpd as a less privileged user (defined by services.httpd.user and services.httpd.group). As a consequence, all files that are needed for httpd to run (included configuration fragments, SSL certificates and keys, etc.) must now be readable by this less privileged user/group.

The default value for services.httpd.mpm has been changed from prefork to event. Along with this change the default value for services.httpd.virtualHosts.<name>.http2 has been set to true.

The systemd-networkd option systemd.network.networks.<name>.dhcp.CriticalConnection has been removed following upstream systemd's deprecation of the same. It is recommended to use systemd.network.networks.<name>.networkConfig.KeepConfiguration instead. See systemd.network 5 for details.

The systemd-networkd option systemd.network.networks._name_.dhcpConfig has been renamed to systemd.network.networks.name.dhcpV4Config following upstream systemd's documentation change. See systemd.network 5 for details.

In the picom module, several options that accepted floating point numbers encoded as strings (for example services.picom.activeOpacity) have been changed to the (relatively) new native float type. To migrate your configuration simply remove the quotes around the numbers.

When using buildBazelPackage from Nixpkgs, flat hash mode is now used for dependencies instead of recursive. This is to better allow using hashed mirrors where needed. As a result, these hashes will have changed.

The syntax of the PostgreSQL configuration file is now checked at build time. If your configuration includes a file inaccessible inside the build sandbox, set services.postgresql.checkConfig to false.

The rkt module has been removed, it was archived by upstream.

The Bazaar VCS is unmaintained and, as consequence of the Python 2 EOL, the packages bazaar and bazaarTools were removed. Breezy, the backward compatible fork of Bazaar (see the announcement), was packaged as breezy and can be used instead.

Regarding Nixpkgs, fetchbzr, nix-prefetch-bzr and Bazaar support in Hydra will continue to work through Breezy.

In addition to the hostname, the fully qualified domain name (FQDN), which consists of ${networking.hostName} and ${networking.domain} is now added to /etc/hosts, to allow local FQDN resolution, as used by the hostname --fqdn command and other applications that try to determine the FQDN. These new entries take precedence over entries from the DNS which could cause regressions in some very specific setups. Additionally the hostname is now resolved to 127.0.0.2 instead of 127.0.1.1 to be consistent with what nss-myhostname (from systemd) returns. The old behaviour can e.g. be restored by using networking.hosts = lib.mkForce { "127.0.1.1" = [ config.networking.hostName ]; };.

The hostname (networking.hostName) must now be a valid DNS label (see RFC 1035, RFC 1123) and as such must not contain the domain part. This means that the hostname must start with a letter or digit, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. The maximum length is 63 characters. Additionally it is recommended to only use lower-case characters. If (e.g. for legacy reasons) a FQDN is required as the Linux kernel network node hostname (uname --nodename) the option boot.kernel.sysctl."kernel.hostname" can be used as a workaround (but be aware of the 64 character limit).

The GRUB specific option boot.loader.grub.extraInitrd has been replaced with the generic option boot.initrd.secrets. This option creates a secondary initrd from the specified files, rather than using a manually created initrd file. Due to an existing bug with boot.loader.grub.extraInitrd, it is not possible to directly boot an older generation that used that option. It is still possible to rollback to that generation if the required initrd file has not been deleted.

The DNSChain package and NixOS module have been removed from Nixpkgs as the software is unmaintained and can't be built. For more information see issue #89205.

In the resilio module, services.resilio.httpListenAddr has been changed to listen to [::1] instead of 0.0.0.0.

sslh has been updated to version 1.21. The ssl probe must be renamed to tls in services.sslh.appendConfig.

Users of OpenAFS 1.6 must upgrade their services to OpenAFS 1.8! In this release, the OpenAFS package version 1.6.24 is marked broken but can be used during transition to OpenAFS 1.8.x. Use the options services.openafsClient.packages.module, services.openafsClient.packages.programs and services.openafsServer.package to select a different OpenAFS package. OpenAFS 1.6 will be removed in the next release. The package openafs and the service options will then silently point to the OpenAFS 1.8 release.

See also the OpenAFS Administrator Guide for instructions. Beware of the following when updating servers:

Radicale's default package has changed from 2.x to 3.x. An upgrade checklist can be found here. You can use the newer version in the NixOS service by setting the package to radicale3, which is done automatically if stateVersion is 20.09 or higher.

udpt experienced a complete rewrite from C++ to rust. The configuration format changed from ini to toml. The new configuration documentation can be found at the official website and example configuration is packaged in ${udpt}/share/udpt/udpt.toml.

We now have a unified services.xserver.displayManager.autoLogin option interface to be used for every display-manager in NixOS.

The bitcoind module has changed to multi-instance, using submodules. Therefore, it is now mandatory to name each instance. To use this new multi-instance config with an existing bitcoind data directory and user, you have to adjust the original config, e.g.:

{
  services.bitcoind = {
    enable = true;
    extraConfig = "...";
    ...
  };
}

To something similar:

{
  services.bitcoind.mainnet = {
    enable = true;
    dataDir = "/var/lib/bitcoind";
    user = "bitcoin";
    extraConfig = "...";
    ...
  };
}

The key settings are:

Graylog introduced a change in the LDAP server certificate validation behaviour for version 3.3.3 which might break existing setups. When updating Graylog from a version before 3.3.3 make sure to check the Graylog release info for information on how to avoid the issue.

The dokuwiki module has changed to multi-instance, using submodules. Therefore, it is now mandatory to name each instance. Moreover, forcing SSL by default has been dropped, so nginx.forceSSL and nginx.enableACME are no longer set to true. To continue using your service with the original SSL settings, you have to adjust the original config, e.g.:

{
  services.dokuwiki = {
    enable = true;
    ...
  };
}

To something similar:

{
  services.dokuwiki."mywiki" = {
    enable = true;
    nginx = {
      forceSSL = true;
      enableACME = true;
    };
    ...
  };
}

The base package has also been upgraded to the 2020-07-29 "Hogfather" release. Plugins might be incompatible or require upgrading.

The services.postgresql.dataDir option is now set to "/var/lib/postgresql/${cfg.package.psqlSchema}" regardless of your system.stateVersion. Users with an existing postgresql install that have a system.stateVersion of 17.03 or below should double check what the value of their services.postgresql.dataDir option is (/var/db/postgresql) and then explicitly set this value to maintain compatibility:

{
  services.postgresql.dataDir = "/var/db/postgresql";
}

The postgresql module now expects there to be a database super user account called postgres regardless of your system.stateVersion. Users with an existing postgresql install that have a system.stateVersion of 17.03 or below should run the following SQL statements as a database super admin user before upgrading:

CREATE ROLE postgres LOGIN SUPERUSER;

The USBGuard module now removes options and instead hardcodes values for IPCAccessControlFiles, ruleFiles, and auditFilePath. Audit logs can be found in the journal.

The NixOS module system now evaluates option definitions more strictly, allowing it to detect a larger set of problems. As a result, what previously evaluated may not do so anymore. See the PR that changed this for more info.

For NixOS configuration options, the type loaOf, after its initial deprecation in release 20.03, has been removed. In NixOS and Nixpkgs options using this type have been converted to attrsOf. For more information on this change have look at these links: issue #1800, PR #63103.

config.systemd.services.${name}.path now returns a list of paths instead of a colon-separated string.

Caddy module now uses Caddy v2 by default. Caddy v1 can still be used by setting services.caddy.package to pkgs.caddy1.

New option services.caddy.adapter has been added.

The jellyfin module will use and stay on the Jellyfin version 10.5.5 if stateVersion is lower than 20.09. This is because significant changes were made to the database schema, and it is highly recommended to backup your instance before upgrading. After making your backup, you can upgrade to the latest version either by setting your stateVersion to 20.09 or higher, or set the services.jellyfin.package to pkgs.jellyfin. If you do not wish to upgrade Jellyfin, but want to change your stateVersion, you can set the value of services.jellyfin.package to pkgs.jellyfin_10_5.

The security.rngd service is now disabled by default. This choice was made because there's krngd in the linux kernel space making it (for most usecases) functionally redundent.

The hardware.nvidia.optimus_prime.enable service has been renamed to hardware.nvidia.prime.sync.enable and has many new enhancements. Related nvidia prime settings may have also changed.

The package nextcloud17 has been removed and nextcloud18 was marked as insecure since both of them will will be EOL (end of life) within the lifetime of 20.09.

It's necessary to upgrade to nextcloud19:

The GNOME desktop manager no longer default installs gnome3.epiphany. It was chosen to do this as it has a usability breaking issue (see issue #98819) that makes it unsuitable to be a default app.

If you want to manage the configuration of wpa_supplicant outside of NixOS you must ensure that none of networking.wireless.networks, networking.wireless.extraConfig or networking.wireless.userControlled.enable is being used or true. Using any of those options will cause wpa_supplicant to be started with a NixOS generated configuration file instead of your own.

SD images are now compressed by default using zstd. The compression for ISO images has also been changed to zstd, but ISO images are still not compressed by default.

services.journald.rateLimitBurst was updated from 1000 to 10000 to follow the new upstream systemd default.

The notmuch package moves its emacs-related binaries and emacs lisp files to a separate output. They're not part of the default out output anymore - if you relied on the notmuch-emacs-mua binary or the emacs lisp files, access them via the notmuch.emacs output.

Device tree overlay support was improved in #79370 and now uses hardware.deviceTree.kernelPackage instead of hardware.deviceTree.base. hardware.deviceTree.overlays configuration was extended to support .dts files with symbols. Device trees can now be filtered by setting hardware.deviceTree.filter option.

The default output of buildGoPackage is now $out instead of $bin.

buildGoModule doCheck now defaults to true.

Packages built using buildRustPackage now use release mode for the checkPhase by default.

Please note that Rust packages utilizing a custom build/install procedure (e.g. by using a Makefile) or test suites that rely on the structure of the target/ directory may break due to those assumptions. For further information, please read the Rust section in the Nixpkgs manual.

The cc- and binutils-wrapper's "infix salt" and _BUILD_ and _TARGET_ user infixes have been replaced with with a "suffix salt" and suffixes and _FOR_BUILD and _FOR_TARGET. This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier.

Additional Git documentation (HTML and text files) is now available via the git-doc package.

Default algorithm for ZRAM swap was changed to zstd.

The installer now enables sshd by default. This improves installation on headless machines especially ARM single-board-computer. To login through ssh, either a password or an ssh key must be set for the root user or the nixos user.

The scripted networking system now uses .link files in /etc/systemd/network to configure mac address and link MTU, instead of the sometimes buggy network-link-* units, which have been removed. Bringing the interface up has been moved to the beginning of the network-addresses-* unit. Note this doesn't require systemd-networkd - it's udev that parses .link files. Extra care needs to be taken in the presence of legacy udev rules to rename interfaces, as MAC Address and MTU defined in these options can only match on the original link name. In such cases, you most likely want to create a 10-*.link file through systemd.network.links and set both name and MAC Address / MTU there.

Grafana received a major update to version 7.x. A plugin is now needed for image rendering support, and plugins must now be signed by default. More information can be found in the Grafana documentation.

The hardware.u2f module, which was installing udev rules was removed, as udev gained native support to handle FIDO security tokens.

The services.transmission module was enhanced with the new options: services.transmission.credentialsFile, services.transmission.openFirewall, and services.transmission.performanceNetParameters.

transmission-daemon is now started with additional systemd sandbox/hardening options for better security. Please report any use case where this is not working well. In particular, the RootDirectory option newly set forbids uploading or downloading a torrent outside of the default directory configured at settings.download-dir. If you really need Transmission to access other directories, you must include those directories into the BindPaths of the service:

{
  systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ];
}

Also, connection to the RPC (Remote Procedure Call) of transmission-daemon is now only available on the local network interface by default. Use:

{
  services.transmission.settings.rpc-bind-address = "0.0.0.0";
}

to get the previous behavior of listening on all network interfaces.

With this release systemd-networkd (when enabled through networking.useNetworkd) has it's netlink socket created through a systemd.socket unit. This gives us control over socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) devices the default buffer size (currently 128MB) is not enough.

On a machine with >100 virtual interfaces (e.g., wireguard tunnels, VLANs, …), that all have to be brought up during system startup, the receive buffer size will spike for a brief period. Eventually some of the message will be dropped since there is not enough (permitted) buffer space available.

By having systemd-networkd start with a netlink socket created by systemd we can configure the ReceiveBufferSize= parameter in the socket options (i.e. systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize) without recompiling systemd-networkd.

Since the actual memory requirements depend on hardware, timing, exact configurations etc. it isn't currently possible to infer a good default from within the NixOS module system. Administrators are advised to monitor the logs of systemd-networkd for rtnl: kernel receive buffer overrun spam and increase the memory limit as they see fit.

Note: Increasing the ReceiveBufferSize= doesn't allocate any memory. It just increases the upper bound on the kernel side. The memory allocation depends on the amount of messages that are queued on the kernel side of the netlink socket.

Specifying mailboxes in the dovecot2 module as a list is deprecated and will break eval in 21.05. Instead, an attribute-set should be specified where the name should be the key of the attribute.

This means that a configuration like this

{
  services.dovecot2.mailboxes = [
    { name = "Junk";
      auto = "create";
    }
  ];
}

should now look like this:

{
  services.dovecot2.mailboxes = {
    Junk.auto = "create";
  };
}

netbeans was upgraded to 12.0 and now defaults to OpenJDK 11. This might cause problems if your projects depend on packages that were removed in Java 11.

nextcloud has been updated to v19.

If you have an existing installation, please make sure that you're on nextcloud18 before upgrading to nextcloud19 since Nextcloud doesn't support upgrades across multiple major versions.

The nixos-run-vms script now deletes the previous run machines states on test startup. You can use the --keep-vm-state flag to match the previous behaviour and keep the same VM state between different test runs.

The nix.buildMachines option is now type-checked. There are no functional changes, however this may require updating some configurations to use correct types for all attributes.

The fontconfig module stopped generating config and cache files for fontconfig 2.10.x, the /etc/fonts/fonts.conf now belongs to the latest fontconfig, just like on other Linux distributions, and we will no longer be versioning the config directories.

Fontconfig 2.10.x was removed from Nixpkgs since it hasn’t been used in any Nixpkgs package for years now.

Nginx module nginxModules.fastcgi-cache-purge renamed to official name nginxModules.cache-purge. Nginx module nginxModules.ngx_aws_auth renamed to official name nginxModules.aws-auth.

The option defaultPackages was added. It installs the packages perl, rsync and strace for now. They were added unconditionally to systemPackages before, but are not strictly necessary for a minimal NixOS install. You can set it to an empty list to have a more minimal system. Be aware that some functionality might still have an impure dependency on those packages, so things might break.

The undervolt option no longer needs to apply its settings every 30s. If they still become undone, open an issue and restore the previous behaviour using undervolt.useTimer.

Agda has been heavily reworked.

See the new documentation for more information.

The deepin package set has been removed from nixpkgs. It was a work in progress to package the Deepin Desktop Environment (DDE), including libraries, tools and applications, and it was still missing a service to launch the desktop environment. It has shown to no longer be a feasible goal due to reasons discussed in issue #94870. The package netease-cloud-music has also been removed, as it depends on libraries from deepin.

The opendkim module now uses systemd sandboxing features to limit the exposure of the system towards the opendkim service.

Kubernetes has been upgraded to 1.19.1, which also means that the golang version to build it has been bumped to 1.15. This may have consequences for your existing clusters and their certificates. Please consider the release notes for Kubernetes 1.19 carefully before upgrading.

For AMD GPUs, Vulkan can now be used by adding amdvlk to hardware.opengl.extraPackages.

Similarly, still for AMD GPUs, the ROCm OpenCL stack can now be used by adding rocm-opencl-icd to hardware.opengl.extraPackages.

Support is planned until the end of October 2020, handing over to 20.09.

Core version changes:

gcc: 8.3.0 -> 9.2.0

glibc: 2.27 -> 2.30

linux: 4.19 -> 5.4

mesa: 19.1.5 -> 19.3.3

openssl: 1.0.2u -> 1.1.1d

Desktop version changes:

plasma5: 5.16.5 -> 5.17.5

kdeApplications: 19.08.2 -> 19.12.3

gnome3: 3.32 -> 3.34

pantheon: 5.0 -> 5.1.3

Linux kernel is updated to branch 5.4 by default (from 4.19).

Grub is updated to 2.04, adding support for booting from F2FS filesystems and Btrfs volumes using zstd compression. Note that some users have been unable to boot after upgrading to 2.04 - for more information, please see this discussion.

Postgresql for NixOS service now defaults to v11.

The graphical installer image starts the graphical session automatically. Before you'd be greeted by a tty and asked to enter systemctl start display-manager. It is now possible to disable the display-manager from running by selecting the Disable display-manager quirk in the boot menu.

GNOME 3 has been upgraded to 3.34. Please take a look at their Release Notes for details.

If you enable the Pantheon Desktop Manager via services.xserver.desktopManager.pantheon.enable, we now default to also use Pantheon's newly designed greeter . Contrary to NixOS's usual update policy, Pantheon will receive updates during the cycle of NixOS 20.03 when backwards compatible.

By default zfs pools will now be trimmed on a weekly basis. Trimming is only done on supported devices (i.e. NVME or SSDs) and should improve throughput and lifetime of these devices. It is controlled by the services.zfs.trim.enable varname. The zfs scrub service (services.zfs.autoScrub.enable) and the zfs autosnapshot service (services.zfs.autoSnapshot.enable) are now only enabled if zfs is set in config.boot.initrd.supportedFilesystems or config.boot.supportedFilesystems. These lists will automatically contain zfs as soon as any zfs mountpoint is configured in fileSystems.

nixos-option has been rewritten in C++, speeding it up, improving correctness, and adding a -r option which prints all options and their values recursively.

services.xserver.desktopManager.default and services.xserver.windowManager.default options were replaced by a single services.xserver.displayManager.defaultSession option to improve support for upstream session files. If you used something like:

{
  services.xserver.desktopManager.default = "xfce";
  services.xserver.windowManager.default = "icewm";
}

you should change it to:

{
  services.xserver.displayManager.defaultSession = "xfce+icewm";
}

The testing driver implementation in NixOS is now in Python make-test-python.nix. This was done by Jacek Galowicz (@tfc), and with the collaboration of Julian Stecklina (@blitz) and Jana Traue (@jtraue). All documentation has been updated to use this testing driver, and a vast majority of the 286 tests in NixOS were ported to python driver. In 20.09 the Perl driver implementation, make-test.nix, is slated for removal. This should give users of the NixOS integration framework a transitory period to rewrite their tests to use the Python implementation. Users of the Perl driver will see this warning everytime they use it:

$ warning: Perl VM tests are deprecated and will be removed for 20.09.
Please update your tests to use the python test driver.
See https://github.com/NixOS/nixpkgs/pull/71684 for details.

API compatibility is planned to be kept for at least the next release with the perl driver.

The kubernetes kube-proxy now supports a new hostname configuration services.kubernetes.proxy.hostname which has to be set if the hostname of the node should be non default.

UPower's configuration is now managed by NixOS and can be customized via services.upower.

To use Geary you should enable programs.geary.enable instead of just adding it to environment.systemPackages. It was created so Geary could function properly outside of GNOME.

./config/console.nix

./hardware/brillo.nix

./hardware/tuxedo-keyboard.nix

./programs/bandwhich.nix

./programs/bash-my-aws.nix

./programs/liboping.nix

./programs/traceroute.nix

./services/backup/sanoid.nix

./services/backup/syncoid.nix

./services/backup/zfs-replication.nix

./services/continuous-integration/buildkite-agents.nix

./services/databases/victoriametrics.nix

./services/desktops/gnome3/gnome-initial-setup.nix

./services/desktops/neard.nix

./services/games/openarena.nix

./services/hardware/fancontrol.nix

./services/mail/sympa.nix

./services/misc/freeswitch.nix

./services/misc/mame.nix

./services/monitoring/do-agent.nix

./services/monitoring/prometheus/xmpp-alerts.nix

./services/network-filesystems/orangefs/server.nix

./services/network-filesystems/orangefs/client.nix

./services/networking/3proxy.nix

./services/networking/corerad.nix

./services/networking/go-shadowsocks2.nix

./services/networking/ntp/openntpd.nix

./services/networking/shorewall.nix

./services/networking/shorewall6.nix

./services/networking/spacecookie.nix

./services/networking/trickster.nix

./services/networking/v2ray.nix

./services/networking/xandikos.nix

./services/networking/yggdrasil.nix

./services/web-apps/dokuwiki.nix

./services/web-apps/gotify-server.nix

./services/web-apps/grocy.nix

./services/web-apps/ihatemoney

./services/web-apps/moinmoin.nix

./services/web-apps/trac.nix

./services/web-apps/trilium.nix

./services/web-apps/shiori.nix

./services/web-servers/ttyd.nix

./services/x11/picom.nix

./services/x11/hardware/digimend.nix

./services/x11/imwheel.nix

./virtualisation/cri-o.nix

The dhcpcd package does not request IPv4 addresses for tap and bridge interfaces anymore by default. In order to still get an address on a bridge interface, one has to disable networking.useDHCP and explicitly enable networking.interfaces.<name>.useDHCP on every interface, that should get an address via DHCP. This way, dhcpcd is configured in an explicit way about which interface to run on.

GnuPG is now built without support for a graphical passphrase entry by default. Please enable the gpg-agent user service via the NixOS option programs.gnupg.agent.enable. Note that upstream recommends using gpg-agent and will spawn a gpg-agent on the first invocation of GnuPG anyway.

The dynamicHosts option has been removed from the NetworkManager module. Allowing (multiple) regular users to override host entries affecting the whole system opens up a huge attack vector. There seem to be very rare cases where this might be useful. Consider setting system-wide host entries using networking.hosts, provide them via the DNS server in your network, or use environment.etc to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir.

The 99-main.network file was removed. Matching all network interfaces caused many breakages, see #18962 and #71106.

We already don't support the global networking.useDHCP, networking.defaultGateway and networking.defaultGateway6 options if networking.useNetworkd is enabled, but direct users to configure the per-device networking.interfaces.<name>…. options.

The stdenv now runs all bash with set -u, to catch the use of undefined variables. Before, it itself used set -u but was careful to unset it so other packages' code ran as before. Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded.

The SLIM Display Manager has been removed, as it has been unmaintained since 2013. Consider migrating to a different display manager such as LightDM (current default in NixOS), SDDM, GDM, or using the startx module which uses Xinitrc.

The Way Cooler wayland compositor has been removed, as the project has been officially canceled. There are no more way-cooler attribute and programs.way-cooler options.

The BEAM package set has been deleted. You will only find there the different interpreters. You should now use the different build tools coming with the languages with sandbox mode disabled.

There is now only one Xfce package-set and module. This means that attributes xfce4-14 and xfceUnstable all now point to the latest Xfce 4.14 packages. And in the future NixOS releases will be the latest released version of Xfce available at the time of the release's development (if viable).

The phpfpm module now sets PrivateTmp=true in its systemd units for better process isolation. If you rely on /tmp being shared with other services, explicitly override this by setting serviceConfig.PrivateTmp to false for each phpfpm unit.

KDE’s old multimedia framework Phonon no longer supports Qt 4. For that reason, Plasma desktop also does not have enableQt4Support option any more.

The BeeGFS module has been removed.

The osquery module has been removed.

Going forward, ~/bin in the users home directory will no longer be in PATH by default. If you depend on this you should set the option environment.homeBinInPath to true. The aforementioned option was added this release.

The buildRustCrate infrastructure now produces lib outputs in addition to the out output. This has led to drastically reduced closure sizes for some rust crates since development dependencies are now in the lib output.

Pango was upgraded to 1.44, which no longer uses freetype for font loading. This means that type1 and bitmap fonts are no longer supported in applications relying on Pango for font rendering (notably, GTK application). See upstream issue for more information.

The roundcube module has been hardened.

The packages openobex and obexftp are no longer installed when enabling Bluetooth via hardware.bluetooth.enable.

The dump1090 derivation has been changed to use FlightAware's dump1090 as its upstream. However, this version does not have an internal webserver anymore. The assets in the share/dump1090 directory of the derivation can be used in conjunction with an external webserver to replace this functionality.

The fourStore and fourStoreEndpoint modules have been removed.

Polkit no longer has the user of uid 0 (root) as an admin identity. We now follow the upstream default of only having every member of the wheel group admin privileged. Before it was root and members of wheel. The positive outcome of this is pkexec GUI popups or terminal prompts will no longer require the user to choose between two essentially equivalent choices (whether to perform the action as themselves with wheel permissions, or as the root user).

NixOS containers no longer build NixOS manual by default. This saves evaluation time, especially if there are many declarative containers defined. Note that this is already done when <nixos/modules/profiles/minimal.nix> module is included in container config.

The kresd services deprecates the interfaces option in favor of the listenPlain option which requires full systemd.socket compatible declaration which always include a port.

Virtual console options have been reorganized and can be found under a single top-level attribute: console. The full set of changes is as follows:

The awstats module has been rewritten to serve stats via static html pages, updated on a timer, over nginx, instead of dynamic cgi pages over apache.

Minor changes will be required to migrate existing configurations. Details of the required changes can seen by looking through the awstats module.

The httpd module no longer provides options to support serving web content without defining a virtual host. As a result of this the services.httpd.logPerVirtualHost option now defaults to true instead of false. Please update your configuration to make use of services.httpd.virtualHosts.

The services.httpd.virtualHosts.<name> option has changed type from a list of submodules to an attribute set of submodules, better matching services.nginx.virtualHosts.<name>.

This change comes with the addition of the following options which mimic the functionality of their nginx counterparts: services.httpd.virtualHosts.<name>.addSSL, services.httpd.virtualHosts.<name>.forceSSL, services.httpd.virtualHosts.<name>.onlySSL, services.httpd.virtualHosts.<name>.enableACME, services.httpd.virtualHosts.<name>.acmeRoot, and services.httpd.virtualHosts.<name>.useACMEHost.

For NixOS configuration options, the loaOf type has been deprecated and will be removed in a future release. In nixpkgs, options of this type will be changed to attrsOf instead. If you were using one of these in your configuration, you will see a warning suggesting what changes will be required.

For example, users.users is a loaOf option that is commonly used as follows:

{
  users.users =
    [ { name = "me";
        description = "My personal user.";
        isNormalUser = true;
      }
    ];
}

This should be rewritten by removing the list and using the value of name as the name of the attribute set:

{
  users.users.me =
    { description = "My personal user.";
      isNormalUser = true;
    };
}

For more information on this change have look at these links: issue #1800, PR #63103.

For NixOS modules, the types types.submodule and types.submoduleWith now support paths as allowed values, similar to how imports supports paths. Because of this, if you have a module that defines an option of type either (submodule ...) path, it will break since a path is now treated as the first type instead of the second. To fix this, change the type to either path (submodule ...).

The Buildkite Agent module and corresponding packages have been updated to 3.x, and to support multiple instances of the agent running at the same time. This means you will have to rename services.buildkite-agent to services.buildkite-agents.<name>. Furthermore, the following options have been changed:

The citrix_workspace_19_3_0 package has been removed as it will be EOLed within the lifespan of 20.03. For further information, please refer to the support and maintenance information from upstream.

The gcc5 and gfortran5 packages have been removed.

The services.xserver.displayManager.auto module has been removed. It was only intended for use in internal NixOS tests, and gave the false impression of it being a special display manager when it's actually LightDM. Please use the services.xserver.displayManager.lightdm.autoLogin options instead, or any other display manager in NixOS as they all support auto-login. If you used this module specifically because it permitted root auto-login you can override the lightdm-autologin pam module like:

{
  security.pam.services.lightdm-autologin.text = lib.mkForce ''
      auth     requisite pam_nologin.so
      auth     required  pam_succeed_if.so quiet
      auth     required  pam_permit.so

      account  include   lightdm

      password include   lightdm

      session  include   lightdm
  '';
}

The difference is the:

auth required pam_succeed_if.so quiet

line, where default it's:

 auth required pam_succeed_if.so uid >= 1000 quiet

not permitting users with uid's below 1000 (like root). All other display managers in NixOS are configured like this.

There have been lots of improvements to the Mailman module. As a result,

The LLVM versions 3.5, 3.9 and 4 (including the corresponding CLang versions) have been dropped.

The networking.interfaces.*.preferTempAddress option has been replaced by networking.interfaces.*.tempAddress. The new option allows better control of the IPv6 temporary addresses, including completely disabling them for interfaces where they are not needed.

Rspamd was updated to version 2.2. Read the upstream migration notes carefully. Please be especially aware that some modules were removed and the default Bayes backend is now Redis.

The *psu versions of oraclejdk8 have been removed as they aren't provided by upstream anymore.

The services.dnscrypt-proxy module has been removed as it used the deprecated version of dnscrypt-proxy. We've added services.dnscrypt-proxy2.enable to use the supported version. This module supports configuration via the Nix attribute set services.dnscrypt-proxy2.settings, or by passing a TOML configuration file via services.dnscrypt-proxy2.configFile.

{
  # Example configuration:
  services.dnscrypt-proxy2.enable = true;
  services.dnscrypt-proxy2.settings = {
    listen_addresses = [ "127.0.0.1:43" ];
    sources.public-resolvers = {
      urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ];
      cache_file = "public-resolvers.md";
      minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
      refresh_delay = 72;
    };
  };

  services.dnsmasq.enable = true;
  services.dnsmasq.servers = [ "127.0.0.1#43" ];
}

qesteidutil has been deprecated in favor of qdigidoc.

sqldeveloper_18 has been removed as it's not maintained anymore, sqldeveloper has been updated to version 19.4. Please note that this means that this means that the oraclejdk is now required. For further information please read the release notes.

Haskell env and shellFor dev shell environments now organize dependencies the same way as regular builds. In particular, rather than receiving all the different lists of dependencies mashed together as one big list, and then partitioning into Haskell and non-Hakell dependencies, they work from the original many different dependency parameters and don't need to algorithmically partition anything.

This means that if you incorrectly categorize a dependency, e.g. non-Haskell library dependency as a buildDepends or run-time Haskell dependency as a setupDepends, whereas things would have worked before they may not work now.

The gcc-snapshot-package has been removed. It's marked as broken for >2 years and used to point to a fairly old snapshot from the gcc7-branch.

The nixos-build-vms8 -script now uses the python test-driver.

The riot-web package now accepts configuration overrides as an attribute set instead of a string. A formerly used JSON configuration can be converted to an attribute set with builtins.fromJSON.

The new default configuration also disables automatic guest account registration and analytics to improve privacy. The previous behavior can be restored by setting config.riot-web.conf = { disable_guests = false; piwik = true; }.

Stand-alone usage of Upower now requires services.upower.enable instead of just installing into environment.systemPackages.

nextcloud has been updated to v18.0.2. This means that users from NixOS 19.09 can't upgrade directly since you can only move one version forward and 19.09 uses v16.0.8.

To provide a safe upgrade-path and to circumvent similar issues in the future, the following measures were taken:

Hydra has gained a massive performance improvement due to some database schema changes by adding several IDs and better indexing. However, it's necessary to upgrade Hydra in multiple steps:

Automatically fill the newly added ID columns on the server by running the following command:

$ hydra-backfill-ids

Deploy a newer version of Hydra to activate the DB optimizations. This can be done by using hydra-unstable. This package already includes flake-support and is therefore compiled against pkgs.nixFlakes.

Please note that Hydra is currently not available with nixStable as this doesn't compile anymore.

The TokuDB storage engine will be disabled in mariadb 10.5. It is recommended to switch to RocksDB. See also TokuDB.

SD images are now compressed by default using bzip2.

The nginx web server previously started its master process as root privileged, then ran worker processes as a less privileged identity user (the nginx user). This was changed to start all of nginx as a less privileged user (defined by services.nginx.user and services.nginx.group). As a consequence, all files that are needed for nginx to run (included configuration fragments, SSL certificates and keys, etc.) must now be readable by this less privileged user/group.

To continue to use the old approach, you can configure:

{
  services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};'';
  systemd.services.nginx.serviceConfig.User = lib.mkForce "root";
}

OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features but with potential incompatibilities. Consult the release announcement for more information.

PRETTY_NAME in /etc/os-release now uses the short rather than full version string.

The ACME module has switched from simp-le to lego which allows us to support DNS-01 challenges and wildcard certificates. The following options have been added: security.acme.acceptTerms, security.acme.certs.<name>.dnsProvider, security.acme.certs.<name>.credentialsFile, security.acme.certs.<name>.dnsPropagationCheck. As well as this, the options security.acme.acceptTerms and either security.acme.email or security.acme.certs.<name>.email must be set in order to use the ACME module. Certificates will be regenerated on activation, no account or certificate will be migrated from simp-le. In particular private keys will not be preserved. However, the credentials for simp-le are preserved and thus it is possible to roll back to previous versions without breaking certificate generation. Note also that in contrary to simp-le a new private key is recreated at each renewal by default, which can have consequences if you embed your public key in apps.

It is now possible to unlock LUKS-Encrypted file systems using a FIDO2 token via boot.initrd.luks.fido2Support.

Predictably named network interfaces get renamed in stage-1. This means that it is possible to use the proper interface name for e.g. Dropbear setups.

For further reference, please read #68953 or the corresponding discourse thread.

The matrix-synapse-package has been updated to v1.11.1. Due to stricter requirements for database configuration when using postgresql, the automated database setup of the module has been removed to avoid any further edge-cases.

matrix-synapse expects postgresql-databases to have the options LC_COLLATE and LC_CTYPE set to 'C' which basically instructs postgresql to ignore any locale-based preferences.

Depending on your setup, you need to incorporate one of the following changes in your setup to upgrade to 20.03:

If you deploy a fresh matrix-synapse, you need to configure the database yourself (e.g. by using the services.postgresql.initialScript option). An example for this can be found in the documentation of the Matrix module.

If you initially deployed your matrix-synapse on nixos-unstable after the 19.09-release, your database is misconfigured due to a regression in NixOS. For now, matrix-synapse will startup with a warning, but it's recommended to reconfigure the database to set the values LC_COLLATE and LC_CTYPE to 'C'.

The systemd.network.links option is now respected even when systemd-networkd is disabled. This mirrors the behaviour of systemd - It's udev that parses .link files, not systemd-networkd.

mongodb has been updated to version 3.4.24.

End of support is planned for end of April 2020, handing over to 20.03.

Nix has been updated to 2.3; see its release notes.

Core version changes:

systemd: 239 -> 243

gcc: 7 -> 8

glibc: 2.27 (unchanged)

linux: 4.19 LTS (unchanged)

openssl: 1.0 -> 1.1

Desktop version changes:

plasma5: 5.14 -> 5.16

gnome3: 3.30 -> 3.32

PHP now defaults to PHP 7.3, updated from 7.2.

PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release.

The binfmt module is now easier to use. Additional systems can be added through boot.binfmt.emulatedSystems. For instance, boot.binfmt.emulatedSystems = [ "wasm32-wasi" "x86_64-windows" "aarch64-linux" ]; will set up binfmt interpreters for each of those listed systems.

The installer now uses a less privileged nixos user whereas before we logged in as root. To gain root privileges use sudo -i without a password.

We've updated to Xfce 4.14, which brings a new module services.xserver.desktopManager.xfce4-14. If you'd like to upgrade, please switch from the services.xserver.desktopManager.xfce module as it will be deprecated in a future release. They're incompatibilities with the current Xfce module; it doesn't support thunarPlugins and it isn't recommended to use services.xserver.desktopManager.xfce and services.xserver.desktopManager.xfce4-14 simultaneously or to downgrade from Xfce 4.14 after upgrading.

The GNOME 3 desktop manager module sports an interface to enable/disable core services, applications, and optional GNOME packages like games.

With these options we hope to give users finer grained control over their systems. Prior to this change you'd either have to manually disable options or use environment.gnome3.excludePackages which only excluded the optional applications. environment.gnome3.excludePackages is now unguarded, it can exclude any package installed with environment.systemPackages in the GNOME 3 module.

Orthogonal to the previous changes to the GNOME 3 desktop manager module, we've updated all default services and applications to match as close as possible to a default reference GNOME 3 experience.

The following changes were enacted in services.gnome3.core-utilities.enable

The following changes were enacted in services.gnome3.core-shell.enable

./programs/dwm-status.nix

The new hardware.printers module allows to declaratively configure CUPS printers via the ensurePrinters and ensureDefaultPrinter options. ensurePrinters will never delete existing printers, but will make sure that the given printers are configured as declared.

There is a new services.system-config-printer.enable and programs.system-config-printer.enable module for the program of the same name. If you previously had system-config-printer enabled through some other means you should migrate to using one of these modules.

services.blueman.enable has been added. If you previously had blueman installed via environment.systemPackages please migrate to using the NixOS module, as this would result in an insufficiently configured blueman.

Buildbot no longer supports Python 2, as support was dropped upstream in version 2.0.0. Configurations may need to be modified to make them compatible with Python 3.

PostgreSQL now uses /run/postgresql as its socket directory instead of /tmp. So if you run an application like eg. Nextcloud, where you need to use the Unix socket path as the database host name, you need to change it accordingly.

PostgreSQL 9.4 is scheduled EOL during the 19.09 life cycle and has been removed.

The options services.prometheus.alertmanager.user and services.prometheus.alertmanager.group have been removed because the alertmanager service is now using systemd's DynamicUser mechanism which obviates these options.

The NetworkManager systemd unit was renamed back from network-manager.service to NetworkManager.service for better compatibility with other applications expecting this name. The same applies to ModemManager where modem-manager.service is now called ModemManager.service again.

The services.nzbget.configFile and services.nzbget.openFirewall options were removed as they are managed internally by the nzbget. The services.nzbget.dataDir option hadn't actually been used by the module for some time and so was removed as cleanup.

The services.mysql.pidDir option was removed, as it was only used by the wordpress apache-httpd service to wait for mysql to have started up. This can be accomplished by either describing a dependency on mysql.service (preferred) or waiting for the (hardcoded) /run/mysqld/mysql.sock file to appear.

The services.emby.enable module has been removed, see services.jellyfin.enable instead for a free software fork of Emby. See the Jellyfin documentation: Migrating from Emby to Jellyfin

IPv6 Privacy Extensions are now enabled by default for undeclared interfaces. The previous behaviour was quite misleading — even though the default value for networking.interfaces.*.preferTempAddress was true, undeclared interfaces would not prefer temporary addresses. Now, interfaces not mentioned in the config will prefer temporary addresses. EUI64 addresses can still be set as preferred by explicitly setting the option to false for the interface in question.

Since Bittorrent Sync was superseded by Resilio Sync in 2016, the bittorrentSync, bittorrentSync14, and bittorrentSync16 packages have been removed in favor of resilio-sync.

The corresponding module, services.btsync has been replaced by the services.resilio module.

The httpd service no longer attempts to start the postgresql service. If you have come to depend on this behaviour then you can preserve the behavior with the following configuration: systemd.services.httpd.after = [ "postgresql.service" ];

The option services.httpd.extraSubservices has been marked as deprecated. You may still use this feature, but it will be removed in a future release of NixOS. You are encouraged to convert any httpd subservices you may have written to a full NixOS module.

Most of the httpd subservices packaged with NixOS have been replaced with full NixOS modules including LimeSurvey, WordPress, and Zabbix. These modules can be enabled using the services.limesurvey.enable, services.mediawiki.enable, services.wordpress.enable, and services.zabbixWeb.enable options.

The option systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnlink was renamed to systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnLink (capital L). This follows upstreams renaming of the setting.

As of this release the NixOps feature autoLuks is deprecated. It no longer works with our systemd version without manual intervention.

Whenever the usage of the module is detected the evaluation will fail with a message explaining why and how to deal with the situation.

A new knob named nixops.enableDeprecatedAutoLuks has been introduced to disable the eval failure and to acknowledge the notice was received and read. If you plan on using the feature please note that it might break with subsequent updates.

Make sure you set the _netdev option for each of the file systems referring to block devices provided by the autoLuks module. Not doing this might render the system in a state where it doesn't boot anymore.

If you are actively using the autoLuks module please let us know in issue #62211.

The setopt declarations will be evaluated at the end of /etc/zshrc, so any code in programs.zsh.interactiveShellInit, programs.zsh.loginShellInit and programs.zsh.promptInit may break if it relies on those options being set.

The prometheus-nginx-exporter package now uses the offical exporter provided by NGINX Inc. Its metrics are differently structured and are incompatible to the old ones. For information about the metrics, have a look at the official repo.

The shibboleth-sp package has been updated to version 3. It is largely backward compatible, for further information refer to the release notes and upgrade guide.

Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.

By default, prometheus exporters are now run with DynamicUser enabled. Exporters that need a real user, now run under a seperate user and group which follow the pattern <exporter-name>-exporter, instead of the previous default nobody and nogroup. Only some exporters are affected by the latter, namely the exporters dovecot, node, postfix and varnish.

The ibus-qt package is not installed by default anymore when i18n.inputMethod.enabled is set to ibus. If IBus support in Qt 4.x applications is required, add the ibus-qt package to your environment.systemPackages manually.

The CUPS Printing service now uses socket-based activation by default, only starting when needed. The previous behavior can be restored by setting services.cups.startWhenNeeded to false.

The services.systemhealth module has been removed from nixpkgs due to lack of maintainer.

The services.mantisbt module has been removed from nixpkgs due to lack of maintainer.

Squid 3 has been removed and the squid derivation now refers to Squid 4.

The services.pdns-recursor.extraConfig option has been replaced by services.pdns-recursor.settings. The new option allows setting extra configuration while being better type-checked and mergeable.

No service depends on keys.target anymore which is a systemd target that indicates if all NixOps keys were successfully uploaded. Instead, <key-name>-key.service should be used to define a dependency of a key in a service. The full issue behind the keys.target dependency is described at NixOS/nixpkgs#67265.

The following services are affected by this:

The security.acme.directory option has been replaced by a read-only security.acme.certs.<cert>.directory option for each certificate you define. This will be a subdirectory of /var/lib/acme. You can use this read-only option to figure out where the certificates are stored for a specific certificate. For example, the services.nginx.virtualhosts.<name>.enableACME option will use this directory option to find the certs for the virtual host.

security.acme.preDelay and security.acme.activationDelay options have been removed. To execute a service before certificates are provisioned or renewed add a RequiredBy=acme-${cert}.service to any service.

Furthermore, the acme module will not automatically add a dependency on lighttpd.service anymore. If you are using certficates provided by letsencrypt for lighttpd, then you should depend on the certificate service acme-${cert}.service> manually.

For nginx, the dependencies are still automatically managed when services.nginx.virtualhosts.<name>.enableACME is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs, instead of depending on the catch-all acme-certificates.target. This target unit was also removed from the codebase. This will mean nginx will no longer depend on certificates it isn't explicitly managing and fixes a bug with certificate renewal ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at NixOS/nixpkgs#60180.

The old deprecated emacs package sets have been dropped. What used to be called emacsPackagesNg is now simply called emacsPackages.

services.xserver.desktopManager.xterm is now disabled by default if stateVersion is 19.09 or higher. Previously the xterm desktopManager was enabled when xserver was enabled, but it isn't useful for all people so it didn't make sense to have any desktopManager enabled default.

The WeeChat plugin pkgs.weechatScripts.weechat-xmpp has been removed as it doesn't receive any updates from upstream and depends on outdated Python2-based modules.

Old unsupported versions (logstash5, kibana5, filebeat5, heartbeat5, metricbeat5, packetbeat5) of the ELK-stack and Elastic beats have been removed.

For NixOS 19.03, both Prometheus 1 and 2 were available to allow for a seamless transition from version 1 to 2 with existing setups. Because Prometheus 1 is no longer developed, it was removed. Prometheus 2 is now configured with services.prometheus.

Citrix Receiver (citrix_receiver) has been dropped in favor of Citrix Workspace (citrix_workspace).

The services.gitlab module has had its literal secret options (services.gitlab.smtp.password, services.gitlab.databasePassword, services.gitlab.initialRootPassword, services.gitlab.secrets.secret, services.gitlab.secrets.db, services.gitlab.secrets.otp and services.gitlab.secrets.jws) replaced by file-based versions (services.gitlab.smtp.passwordFile, services.gitlab.databasePasswordFile, services.gitlab.initialRootPasswordFile, services.gitlab.secrets.secretFile, services.gitlab.secrets.dbFile, services.gitlab.secrets.otpFile and services.gitlab.secrets.jwsFile). This was done so that secrets aren't stored in the world-readable nix store, but means that for each option you'll have to create a file with the same exact string, add "File" to the end of the option name, and change the definition to a string pointing to the corresponding file; e.g. services.gitlab.databasePassword = "supersecurepassword" becomes services.gitlab.databasePasswordFile = "/path/to/secret_file" where the file secret_file contains the string supersecurepassword.

The state path (services.gitlab.statePath) now has the following restriction: no parent directory can be owned by any other user than root or the user specified in services.gitlab.user; i.e. if services.gitlab.statePath is set to /var/lib/gitlab/state, gitlab and all parent directories must be owned by either root or the user specified in services.gitlab.user.

The networking.useDHCP option is unsupported in combination with networking.useNetworkd in anticipation of defaulting to it. It has to be set to false and enabled per interface with networking.interfaces.<name>.useDHCP = true;

The Twitter client corebird has been dropped as it is discontinued and does not work against the new Twitter API. Please use the fork cawbird instead which has been adapted to the API changes and is still maintained.

The nodejs-11_x package has been removed as it's EOLed by upstream.

Because of the systemd upgrade, systemd-timesyncd will no longer work if system.stateVersion is not set correctly. When upgrading from NixOS 19.03, please make sure that system.stateVersion is set to "19.03", or lower if the installation dates back to an earlier version of NixOS.

Due to the short lifetime of non-LTS kernel releases package attributes like linux_5_1, linux_5_2 and linux_5_3 have been removed to discourage dependence on specific non-LTS kernel versions in stable NixOS releases. Going forward, versioned attributes like linux_4_9 will exist for LTS versions only. Please use linux_latest or linux_testing if you depend on non-LTS releases. Keep in mind that linux_latest and linux_testing will change versions under the hood during the lifetime of a stable release and might include breaking changes.

Because of the systemd upgrade, some network interfaces might change their name. For details see upstream docs or our ticket.

The documentation module gained an option named documentation.nixos.includeAllModules which makes the generated configuration.nix 5 manual page include all options from all NixOS modules included in a given configuration.nix configuration file. Currently, it is set to false by default as enabling it frequently prevents evaluation. But the plan is to eventually have it set to true by default. Please set it to true now in your configuration.nix and fix all the bugs it uncovers.

The vlc package gained support for Chromecast streaming, enabled by default. TCP port 8010 must be open for it to work, so something like networking.firewall.allowedTCPPorts = [ 8010 ]; may be required in your configuration. Also consider enabling Accelerated Video Playback for better transcoding performance.

The following changes apply if the stateVersion is changed to 19.09 or higher. For stateVersion = "19.03" or lower the old behavior is preserved.

The hunspellDicts.fr-any dictionary now ships with fr_FR.{aff,dic} which is linked to fr-toutesvariantes.{aff,dic}.

The mysql service now runs as mysql user. Previously, systemd did execute it as root, and mysql dropped privileges itself. This includes ExecStartPre= and ExecStartPost= phases. To accomplish that, runtime and data directory setup was delegated to RuntimeDirectory and tmpfiles.

With the upgrade to systemd version 242 the systemd-timesyncd service is no longer using DynamicUser=yes. In order for the upgrade to work we rely on an activation script to move the state from the old to the new directory. The older directory (prior 19.09) was /var/lib/private/systemd/timesync.

As long as the system.config.stateVersion is below 19.09 the state folder will migrated to its proper location (/var/lib/systemd/timesync), if required.

The package avahi is now built to look up service definitions from /etc/avahi/services instead of its output directory in the nix store. Accordingly the module avahi now supports custom service definitions via services.avahi.extraServiceFiles, which are then placed in the aforementioned directory. See avahi.service5 for more information on custom service definitions.

Since version 0.1.19, cargo-vendor honors package includes that are specified in the Cargo.toml file of Rust crates. rustPlatform.buildRustPackage uses cargo-vendor to collect and build dependent crates. Since this change in cargo-vendor changes the set of vendored files for most Rust packages, the hash that use used to verify the dependencies, cargoSha256, also changes.

The cargoSha256 hashes of all in-tree derivations that use buildRustPackage have been updated to reflect this change. However, third-party derivations that use buildRustPackage may have to be updated as well.

The consul package was upgraded past version 1.5, so its deprecated legacy UI is no longer available.

The default resample-method for PulseAudio has been changed from the upstream default speex-float-1 to speex-float-5. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this so you'll need to set hardware.pulseaudio.daemon.config.resample-method back to speex-float-1.

The phabricator package and associated httpd.extraSubservice, as well as the phd service have been removed from nixpkgs due to lack of maintainer.

The mercurial httpd.extraSubservice has been removed from nixpkgs due to lack of maintainer.

The trac httpd.extraSubservice has been removed from nixpkgs because it was unmaintained.

The foswiki package and associated httpd.extraSubservice have been removed from nixpkgs due to lack of maintainer.

The tomcat-connector httpd.extraSubservice has been removed from nixpkgs.

It's now possible to change configuration in services.nextcloud after the initial deploy since all config parameters are persisted in an additional config file generated by the module. Previously core configuration like database parameters were set using their imperative installer after creating /var/lib/nextcloud.

There exists now lib.forEach, which is like map, but with arguments flipped. When mapping function body spans many lines (or has nested maps), it is often hard to follow which list is modified.

Previous solution to this problem was either to use lib.flip map idiom or extract that anonymous mapping function to a named one. Both can still be used but lib.forEach is preferred over lib.flip map.

The /etc/sysctl.d/nixos.conf file containing all the options set via boot.kernel.sysctl was moved to /etc/sysctl.d/60-nixos.conf, as sysctl.d5 recommends prefixing all filenames in /etc/sysctl.d with a two-digit number and a dash to simplify the ordering of the files.

We now install the sysctl snippets shipped with systemd.

This also configures the kernel to pass core dumps to systemd-coredump, and restricts the SysRq key combinations to the sync command only. These sysctl snippets can be found in /etc/sysctl.d/50-*.conf, and overridden via boot.kernel.sysctl (which will place the parameters in /etc/sysctl.d/60-nixos.conf).

Core dumps are now processed by systemd-coredump by default. systemd-coredump behaviour can still be modified via systemd.coredump.extraConfig. To stick to the old behaviour (having the kernel dump to a file called core in the working directory), without piping it through systemd-coredump, set systemd.coredump.enable to false.

systemd.packages option now also supports generators and shutdown scripts. Old systemd.generator-packages option has been removed.

The rmilter package was removed with associated module and options due deprecation by upstream developer. Use rspamd in proxy mode instead.

systemd cgroup accounting via the systemd.enableCgroupAccounting option is now enabled by default. It now also enables the more recent Block IO and IP accounting features.

We no longer enable custom font rendering settings with fonts.fontconfig.penultimate.enable by default. The defaults from fontconfig are sufficient.

The crashplan package and the crashplan service have been removed from nixpkgs due to crashplan shutting down the service, while the crashplansb package and crashplan-small-business service have been removed from nixpkgs due to lack of maintainer.

The redis module was hardcoded to use the redis user, /run/redis as runtime directory and /var/lib/redis as state directory. Note that the NixOS module for Redis now disables kernel support for Transparent Huge Pages (THP), because this features causes major performance problems for Redis, e.g. (https://redis.io/topics/latency).

Using fonts.enableDefaultFonts adds a default emoji font noto-fonts-emoji.

The altcoins categorization of packages has been removed. You now access these packages at the top level, ie. nix-shell -p dogecoin instead of nix-shell -p altcoins.dogecoin, etc.

Ceph has been upgraded to v14.2.1. See the release notes for details. The mgr dashboard as well as osds backed by loop-devices is no longer explicitly supported by the package and module. Note: There's been some issues with python-cherrypy, which is used by the dashboard and prometheus mgr modules (and possibly others), hence 0000-dont-check-cherrypy-version.patch.

pkgs.weechat is now compiled against pkgs.python3. Weechat also recommends to use Python3 in their docs.

End of support is planned for end of October 2019, handing over to 19.09.

The default Python 3 interpreter is now CPython 3.7 instead of CPython 3.6.

Added the Pantheon desktop environment. It can be enabled through services.xserver.desktopManager.pantheon.enable.

Also note that Pantheon's LightDM greeter is not enabled by default, because it has numerous issues in NixOS and isn't optimal for use here yet.

A major refactoring of the Kubernetes module has been completed. Refactorings primarily focus on decoupling components and enhancing security. Two-way TLS and RBAC has been enabled by default for all components, which slightly changes the way the module is configured. See: Chapter 56, Kubernetes for details.

There is now a set of confinement options for systemd.services, which allows to restrict services into a chroot 2 ed environment that only contains the store paths from the runtime closure of the service.

./programs/nm-applet.nix

There is a new security.googleOsLogin module for using OS Login to manage SSH access to Google Compute Engine instances, which supersedes the imperative and broken google-accounts-daemon used in nixos/modules/virtualisation/google-compute-config.nix.

./services/misc/beanstalkd.nix

There is a new services.cockroachdb module for running CockroachDB databases. NixOS now ships with CockroachDB 2.1.x as well, available on x86_64-linux and aarch64-linux.

./security/duosec.nix

The PAM module for Duo Security has been enabled for use. One can configure it using the security.duosec options along with the corresponding PAM option in security.pam.services.<name?>.duoSecurity.enable.

The minimum version of Nix required to evaluate Nixpkgs is now 2.0.

The buildPythonPackage function now sets strictDeps = true to help distinguish between native and non-native dependencies in order to improve cross-compilation compatibility. Note however that this may break user expressions.

The buildPythonPackage function now sets LANG = C.UTF-8 to enable Unicode support. The glibcLocales package is no longer needed as a build input.

The Syncthing state and configuration data has been moved from services.syncthing.dataDir to the newly defined services.syncthing.configDir, which default to /var/lib/syncthing/.config/syncthing. This change makes possible to share synced directories using ACLs without Syncthing resetting the permission on every start.

The ntp module now has sane default restrictions. If you're relying on the previous defaults, which permitted all queries and commands from all firewall-permitted sources, you can set services.ntp.restrictDefault and services.ntp.restrictSource to [].

Package rabbitmq_server is renamed to rabbitmq-server.

The light module no longer uses setuid binaries, but udev rules. As a consequence users of that module have to belong to the video group in order to use the executable (i.e. users.users.yourusername.extraGroups = ["video"];).

Buildbot now supports Python 3 and its packages have been moved to pythonPackages. The options services.buildbot-master.package and services.buildbot-worker.package can be used to select the Python 2 or 3 version of the package.

Options services.znc.confOptions.networks.name.userName and services.znc.confOptions.networks.name.modulePackages were removed. They were never used for anything and can therefore safely be removed.

Package wasm has been renamed proglodyte-wasm. The package wasm will be pointed to ocamlPackages.wasm in 19.09, so make sure to update your configuration if you want to keep proglodyte-wasm

When the nixpkgs.pkgs option is set, NixOS will no longer ignore the nixpkgs.overlays option. The old behavior can be recovered by setting nixpkgs.overlays = lib.mkForce [];.

OpenSMTPD has been upgraded to version 6.4.0p1. This release makes backwards-incompatible changes to the configuration file format. See man smtpd.conf for more information on the new file format.

The versioned postgresql have been renamed to use underscore number seperators. For example, postgresql96 has been renamed to postgresql_9_6.

Package consul-ui and passthrough consul.ui have been removed. The package consul now uses upstream releases that vendor the UI into the binary. See #48714 for details.

Slurm introduces the new option services.slurm.stateSaveLocation, which is now set to /var/spool/slurm by default (instead of /var/spool). Make sure to move all files to the new directory or to set the option accordingly.

The slurmctld now runs as user slurm instead of root. If you want to keep slurmctld running as root, set services.slurm.user = root.

The options services.slurm.nodeName and services.slurm.partitionName are now sets of strings to correctly reflect that fact that each of these options can occour more than once in the configuration.

The solr package has been upgraded from 4.10.3 to 7.5.0 and has undergone some major changes. The services.solr module has been updated to reflect these changes. Please review http://lucene.apache.org/solr/ carefully before upgrading.

Package ckb is renamed to ckb-next, and options hardware.ckb.* are renamed to hardware.ckb-next.*.

The option services.xserver.displayManager.job.logToFile which was previously set to true when using the display managers lightdm, sddm or xpra has been reset to the default value (false).

Network interface indiscriminate NixOS firewall options (networking.firewall.allow*) are now preserved when also setting interface specific rules such as networking.firewall.interfaces.en0.allow*. These rules continue to use the pseudo device "default" (networking.firewall.interfaces.default.*), and assigning to this pseudo device will override the (networking.firewall.allow*) options.

The nscd service now disables all caching of passwd and group databases by default. This was interferring with the correct functioning of the libnss_systemd.so module which is used by systemd to manage uids and usernames in the presence of DynamicUser= in systemd services. This was already the default behaviour in presence of services.sssd.enable = true because nscd caching would interfere with sssd in unpredictable ways as well. Because we're using nscd not for caching, but for convincing glibc to find NSS modules in the nix store instead of an absolute path, we have decided to disable caching globally now, as it's usually not the behaviour the user wants and can lead to surprising behaviour. Furthermore, negative caching of host lookups is also disabled now by default. This should fix the issue of dns lookups failing in the presence of an unreliable network.

If the old behaviour is desired, this can be restored by setting the services.nscd.config option with the desired caching parameters.

{
  services.nscd.config =
  ''
  server-user             nscd
  threads                 1
  paranoia                no
  debug-level             0

  enable-cache            passwd          yes
  positive-time-to-live   passwd          600
  negative-time-to-live   passwd          20
  suggested-size          passwd          211
  check-files             passwd          yes
  persistent              passwd          no
  shared                  passwd          yes

  enable-cache            group           yes
  positive-time-to-live   group           3600
  negative-time-to-live   group           60
  suggested-size          group           211
  check-files             group           yes
  persistent              group           no
  shared                  group           yes

  enable-cache            hosts           yes
  positive-time-to-live   hosts           600
  negative-time-to-live   hosts           5
  suggested-size          hosts           211
  check-files             hosts           yes
  persistent              hosts           no
  shared                  hosts           yes
  '';
}

See #50316 for details.

GitLab Shell previously used the nix store paths for the gitlab-shell command in its authorized_keys file, which might stop working after garbage collection. To circumvent that, we regenerated that file on each startup. As gitlab-shell has now been changed to use /var/run/current-system/sw/bin/gitlab-shell, this is not necessary anymore, but there might be leftover lines with a nix store path. Regenerate the authorized_keys file via sudo -u git -H gitlab-rake gitlab:shell:setup in that case.

The pam_unix account module is now loaded with its control field set to required instead of sufficient, so that later PAM account modules that might do more extensive checks are being executed. Previously, the whole account module verification was exited prematurely in case a nss module provided the account name to pam_unix. The LDAP and SSSD NixOS modules already add their NSS modules when enabled. In case your setup breaks due to some later PAM account module previosuly shadowed, or failing NSS lookups, please file a bug. You can get back the old behaviour by manually setting security.pam.services.<name?>.text.

The pam_unix password module is now loaded with its control field set to sufficient instead of required, so that password managed only by later PAM password modules are being executed. Previously, for example, changing an LDAP account's password through PAM was not possible: the whole password module verification was exited prematurely by pam_unix, preventing pam_ldap to manage the password as it should.

fish has been upgraded to 3.0. It comes with a number of improvements and backwards incompatible changes. See the fish release notes for more information.

The ibus-table input method has had a change in config format, which causes all previous settings to be lost. See this commit message for details.

NixOS module system type types.optionSet and lib.mkOption argument options are deprecated. Use types.submodule instead. (#54637)

matrix-synapse has been updated to version 0.99. It will no longer generate a self-signed certificate on first launch and will be the last version to accept self-signed certificates. As such, it is now recommended to use a proper certificate verified by a root CA (for example Let's Encrypt). The new manual chapter on Matrix contains a working example of using nginx as a reverse proxy in front of matrix-synapse, using Let's Encrypt certificates.

mailutils now works by default when sendmail is not in a setuid wrapper. As a consequence, the sendmailPath argument, having lost its main use, has been removed.

graylog has been upgraded from version 2.* to 3.*. Some setups making use of extraConfig (especially those exposing Graylog via reverse proxies) need to be updated as upstream removed/replaced some settings. See Upgrading Graylog for details.

The option users.ldap.bind.password was renamed to users.ldap.bind.passwordFile, and needs to be readable by the nslcd user. Same applies to the new users.ldap.daemon.rootpwmodpwFile option.

nodejs-6_x is end-of-life. nodejs-6_x, nodejs-slim-6_x and nodePackages_6_x are removed.

The services.matomo module gained the option services.matomo.package which determines the used Matomo version.

The Matomo module now also comes with the systemd service matomo-archive-processing.service and a timer that automatically triggers archive processing every hour. This means that you can safely disable browser triggers for Matomo archiving at Administration > System > General Settings.

Additionally, you can enable to delete old visitor logs at Administration > System > Privacy, but make sure that you run systemctl start matomo-archive-processing.service at least once without errors if you have already collected data before, so that the reports get archived before the source data gets deleted.

composableDerivation along with supporting library functions has been removed.

The deprecated truecrypt package has been removed and truecrypt attribute is now an alias for veracrypt. VeraCrypt is backward-compatible with TrueCrypt volumes. Note that cryptsetup also supports loading TrueCrypt volumes.

The Kubernetes DNS addons, kube-dns, has been replaced with CoreDNS. This change is made in accordance with Kubernetes making CoreDNS the official default starting from Kubernetes v1.11. Please beware that upgrading DNS-addon on existing clusters might induce minor downtime while the DNS-addon terminates and re-initializes. Also note that the DNS-service now runs with 2 pod replicas by default. The desired number of replicas can be configured using: services.kubernetes.addons.dns.replicas.

The quassel-webserver package and module was removed from nixpkgs due to the lack of maintainers.

The manual gained a new chapter on self-hosting matrix-synapse and riot-web , the most prevalent server and client implementations for the Matrix federated communication network.

The astah-community package was removed from nixpkgs due to it being discontinued and the downloads not being available anymore.

The httpd service now saves log files with a .log file extension by default for easier integration with the logrotate service.

The owncloud server packages and httpd subservice module were removed from nixpkgs due to the lack of maintainers.

It is possible now to uze ZRAM devices as general purpose ephemeral block devices, not only as swap. Using more than 1 device as ZRAM swap is no longer recommended, but is still possible by setting zramSwap.swapDevices explicitly.

ZRAM algorithm can be changed now.

Changes to ZRAM algorithm are applied during nixos-rebuild switch, so make sure you have enough swap space on disk to survive ZRAM device rebuild. Alternatively, use nixos-rebuild boot; reboot.

Flat volumes are now disabled by default in hardware.pulseaudio. This has been done to prevent applications, which are unaware of this feature, setting their volumes to 100% on startup causing harm to your audio hardware and potentially your ears.

The ndppd module now supports all config options provided by the current upstream version as service options. Additionally the ndppd package doesn't contain the systemd unit configuration from upstream anymore, the unit is completely configured by the NixOS module now.

New installs of NixOS will default to the Redmine 4.x series unless otherwise specified in services.redmine.package while existing installs of NixOS will default to the Redmine 3.x series.

The Grafana module now supports declarative datasource and dashboard provisioning.

The use of insecure ports on kubernetes has been deprecated. Thus options: services.kubernetes.apiserver.port and services.kubernetes.controllerManager.port has been renamed to .insecurePort, and default of both options has changed to 0 (disabled).

Note that the default value of services.kubernetes.apiserver.bindAddress has changed from 127.0.0.1 to 0.0.0.0, allowing the apiserver to be accessible from outside the master node itself. If the apiserver insecurePort is enabled, it is strongly recommended to only bind on the loopback interface. See: services.kubernetes.apiserver.insecurebindAddress.

The option services.kubernetes.apiserver.allowPrivileged and services.kubernetes.kubelet.allowPrivileged now defaults to false. Disallowing privileged containers on the cluster.

The kubernetes module does no longer add the kubernetes package to environment.systemPackages implicitly.

The intel driver has been removed from the default list of X.org video drivers. The modesetting driver should take over automatically, it is better maintained upstream and has less problems with advanced X11 features. This can lead to a change in the output names used by xrandr. Some performance regressions on some GPU models might happen. Some OpenCL and VA-API applications might also break (Beignet seems to provide OpenCL support with modesetting driver, too). Kernel mode setting API does not support backlight control, so xbacklight tool will not work; backlight level can be controlled directly via /sys/ or with brightnessctl. Users who need this functionality more than multi-output XRandR are advised to add `intel` to `videoDrivers` and report an issue (or provide additional details in an existing one)

Openmpi has been updated to version 4.0.0, which removes some deprecated MPI-1 symbols. This may break some older applications that still rely on those symbols. An upgrade guide can be found here.

The nginx package now relies on OpenSSL 1.1 and supports TLS 1.3 by default. You can set the protocols used by the nginx service using services.nginx.sslProtocols.

A new subcommand nixos-rebuild edit was added.

End of support is planned for end of April 2019, handing over to 19.03.

Platform support: x86_64-linux and x86_64-darwin as always. Support for aarch64-linux is as with the previous releases, not equivalent to the x86-64-linux release, but with efforts to reach parity.

Nix has been updated to 2.1; see its release notes.

Core versions: linux: 4.14 LTS (unchanged), glibc: 2.26 → 2.27, gcc: 7 (unchanged), systemd: 237 → 239.

Desktop version changes: gnome: 3.26 → 3.28, (KDE) plasma-desktop: 5.12 → 5.13.

Support for wrapping binaries using firejail has been added through programs.firejail.wrappedBinaries.

For example

{
  programs.firejail = {
    enable = true;
    wrappedBinaries = {
      firefox = "${lib.getBin pkgs.firefox}/bin/firefox";
      mpv = "${lib.getBin pkgs.mpv}/bin/mpv";
    };
  };
}

This will place firefox and mpv binaries in the global path wrapped by firejail.

User channels are now in the default NIX_PATH, allowing users to use their personal nix-channel defined channels in nix-build and nix-shell commands, as well as in imports like import <mychannel>.

For example

$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgsunstable
$ nix-channel --update
$ nix-build '<nixpkgsunstable>' -A gitFull
$ nix run -f '<nixpkgsunstable>' gitFull
$ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'

The services.cassandra module has been reworked and was rewritten from scratch. The service has succeeding tests for the versions 2.1, 2.2, 3.0 and 3.11 of Apache Cassandra.

There is a new services.foundationdb module for deploying FoundationDB clusters.

When enabled the iproute2 will copy the files expected by ip route (e.g., rt_tables) in /etc/iproute2. This allows to write aliases for routing tables for instance.

services.strongswan-swanctl is a modern replacement for services.strongswan. You can use either one of them to setup IPsec VPNs but not both at the same time.

services.strongswan-swanctl uses the swanctl command which uses the modern vici Versatile IKE Configuration Interface. The deprecated ipsec command used in services.strongswan is using the legacy stroke configuration interface.

The new services.elasticsearch-curator service periodically curates or manages, your Elasticsearch indices and snapshots.

./config/xdg/autostart.nix

./config/xdg/icons.nix

./config/xdg/menus.nix

./config/xdg/mime.nix

./hardware/brightnessctl.nix

./hardware/onlykey.nix

./hardware/video/uvcvideo/default.nix

./misc/documentation.nix

./programs/firejail.nix

./programs/iftop.nix

./programs/sedutil.nix

./programs/singularity.nix

./programs/xss-lock.nix

./programs/zsh/zsh-autosuggestions.nix

./services/admin/oxidized.nix

./services/backup/duplicati.nix

./services/backup/restic.nix

./services/backup/restic-rest-server.nix

./services/cluster/hadoop/default.nix

./services/databases/aerospike.nix

./services/databases/monetdb.nix

./services/desktops/bamf.nix

./services/desktops/flatpak.nix

./services/desktops/zeitgeist.nix

./services/development/bloop.nix

./services/development/jupyter/default.nix

./services/hardware/lcd.nix

./services/hardware/undervolt.nix

./services/misc/clipmenu.nix

./services/misc/gitweb.nix

./services/misc/serviio.nix

./services/misc/safeeyes.nix

./services/misc/sysprof.nix

./services/misc/weechat.nix

./services/monitoring/datadog-agent.nix

./services/monitoring/incron.nix

./services/networking/dnsdist.nix

./services/networking/freeradius.nix

./services/networking/hans.nix

./services/networking/morty.nix

./services/networking/ndppd.nix

./services/networking/ocserv.nix

./services/networking/owamp.nix

./services/networking/quagga.nix

./services/networking/shadowsocks.nix

./services/networking/stubby.nix

./services/networking/zeronet.nix

./services/security/certmgr.nix

./services/security/cfssl.nix

./services/security/oauth2_proxy_nginx.nix

./services/web-apps/virtlyst.nix

./services/web-apps/youtrack.nix

./services/web-servers/hitch/default.nix

./services/web-servers/hydron.nix

./services/web-servers/meguca.nix

./services/web-servers/nginx/gitweb.nix

./virtualisation/kvmgt.nix

./virtualisation/qemu-guest-agent.nix

Some licenses that were incorrectly not marked as unfree now are. This is the case for:

The deprecated services.cassandra module has seen a complete rewrite. (See above.)

lib.strict is removed. Use builtins.seq instead.

The clementine package points now to the free derivation. clementineFree is removed now and clementineUnfree points to the package which is bundled with the unfree libspotify package.

The netcat package is now taken directly from OpenBSD's libressl, instead of relying on Debian's fork. The new version should be very close to the old version, but there are some minor differences. Importantly, flags like -b, -q, -C, and -Z are no longer accepted by the nc command.

The services.docker-registry.extraConfig object doesn't contain environment variables anymore. Instead it needs to provide an object structure that can be mapped onto the YAML configuration defined in the docker/distribution docs.

gnucash has changed from version 2.4 to 3.x. If you've been using gnucash (version 2.4) instead of gnucash26 (version 2.6) you must open your Gnucash data file(s) with gnucash26 and then save them to upgrade the file format. Then you may use your data file(s) with Gnucash 3.x. See the upgrade documentation. Gnucash 2.4 is still available under the attribute gnucash24.

services.munge now runs as user (and group) munge instead of root. Make sure the key file is accessible to the daemon.

dockerTools.buildImage now uses null as default value for tag, which indicates that the nix output hash will be used as tag.

The ELK stack: elasticsearch, logstash and kibana has been upgraded from 2.* to 6.3.*. The 2.* versions have been unsupported since last year so they have been removed. You can still use the 5.* versions under the names elasticsearch5, logstash5 and kibana5.

The elastic beats: filebeat, heartbeat, metricbeat and packetbeat have had the same treatment: they now target 6.3.* as well. The 5.* versions are available under the names: filebeat5, heartbeat5, metricbeat5 and packetbeat5

The ELK-6.3 stack now comes with X-Pack by default. Since X-Pack is licensed under the Elastic License the ELK packages now have an unfree license. To use them you need to specify allowUnfree = true; in your nixpkgs configuration.

Fortunately there is also a free variant of the ELK stack without X-Pack. The packages are available under the names: elasticsearch-oss, logstash-oss and kibana-oss.

Options boot.initrd.luks.devices.name.yubikey.ramfsMountPoint boot.initrd.luks.devices.name.yubikey.storage.mountPoint were removed. luksroot.nix module never supported more than one YubiKey at a time anyway, hence those options never had any effect. You should be able to remove them from your config without any issues.

stdenv.system and system in nixpkgs now refer to the host platform instead of the build platform. For native builds this is not change, let alone a breaking one. For cross builds, it is a breaking change, and stdenv.buildPlatform.system can be used instead for the old behavior. They should be using that anyways for clarity.

Groups kvm and render are introduced now, as systemd requires them.

dockerTools.pullImage relies on image digest instead of image tag to download the image. The sha256 of a pulled image has to be updated.

lib.attrNamesToStr has been deprecated. Use more specific concatenation (lib.concat(Map)StringsSep) instead.

lib.addErrorContextToAttrs has been deprecated. Use builtins.addErrorContext directly.

lib.showVal has been deprecated. Use lib.traceSeqN instead.

lib.traceXMLVal has been deprecated. Use lib.traceValFn builtins.toXml instead.

lib.traceXMLValMarked has been deprecated. Use lib.traceValFn (x: str + builtins.toXML x) instead.

The pkgs argument to NixOS modules can now be set directly using nixpkgs.pkgs. Previously, only the system, config and overlays arguments could be used to influence pkgs.

A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs. For example:

{
  inherit (pkgs.nixos {
    boot.loader.grub.enable = false;
    fileSystems."/".device = "/dev/xvda1";
  }) toplevel kernel initialRamdisk manual;
}

This benefits evaluation performance, lets you write Nixpkgs packages that depend on NixOS images and is consistent with a deployment architecture that would be centered around Nixpkgs overlays.

lib.traceValIfNot has been deprecated. Use if/then/else and lib.traceValSeq instead.

lib.traceCallXml has been deprecated. Please complain if you use the function regularly.

The attribute lib.nixpkgsVersion has been deprecated in favor of lib.version. Please refer to the discussion in NixOS/nixpkgs#39416 for further reference.

lib.recursiveUpdateUntil was not acting according to its specification. It has been fixed to act according to the docstring, and a test has been added.

The module for security.dhparams has two new options now:

{ config, ... }:

{
  security.dhparams.params.myservice = {};
  environment.etc."myservice.conf".text = ''
    dhparams = ${config.security.dhparams.params.myservice.path}
  '';
}

networking.networkmanager.useDnsmasq has been deprecated. Use networking.networkmanager.dns instead.

The Kubernetes package has been bumped to major version 1.11. Please consult the release notes for details on new features and api changes.

The option services.kubernetes.apiserver.admissionControl was renamed to services.kubernetes.apiserver.enableAdmissionPlugins.

Recommended way to access the Kubernetes Dashboard is via HTTPS (TLS) Therefore; public service port for the dashboard has changed to 443 (container port 8443) and scheme to https.

The option services.kubernetes.apiserver.address was renamed to services.kubernetes.apiserver.bindAddress. Note that the default value has changed from 127.0.0.1 to 0.0.0.0.

The option services.kubernetes.apiserver.publicAddress was not used and thus has been removed.

The option services.kubernetes.addons.dashboard.enableRBAC was renamed to services.kubernetes.addons.dashboard.rbac.enable.

The Kubernetes Dashboard now has only minimal RBAC permissions by default. If dashboard cluster-admin rights are desired, set services.kubernetes.addons.dashboard.rbac.clusterAdmin to true. On existing clusters, in order for the revocation of privileges to take effect, the current ClusterRoleBinding for kubernetes-dashboard must be manually removed: kubectl delete clusterrolebinding kubernetes-dashboard

The programs.screen module provides allows to configure /etc/screenrc, however the module behaved fairly counterintuitive as the config exists, but the package wasn't available. Since 18.09 pkgs.screen will be added to environment.systemPackages.

The module services.networking.hostapd now uses WPA2 by default.

s6Dns, s6Networking, s6LinuxUtils and s6PortableUtils renamed to s6-dns, s6-networking, s6-linux-utils and s6-portable-utils respectively.

The module option nix.useSandbox is now defaulted to true.

The config activation script of nixos-rebuild now reloads all user units for each authenticated user.

The default display manager is now LightDM. To use SLiM set services.xserver.displayManager.slim.enable to true.

NixOS option descriptions are now automatically broken up into individual paragraphs if the text contains two consecutive newlines, so it's no longer necessary to use </para><para> to start a new paragraph.

Top-level buildPlatform, hostPlatform, and targetPlatform in Nixpkgs are deprecated. Please use their equivalents in stdenv instead: stdenv.buildPlatform, stdenv.hostPlatform, and stdenv.targetPlatform.

End of support is planned for end of October 2018, handing over to 18.09.

Platform support: x86_64-linux and x86_64-darwin since release time (the latter isn't NixOS, really). Binaries for aarch64-linux are available, but no channel exists yet, as it's waiting for some test fixes, etc.

Nix now defaults to 2.0; see its release notes.

Core version changes: linux: 4.9 -> 4.14, glibc: 2.25 -> 2.26, gcc: 6 -> 7, systemd: 234 -> 237.

Desktop version changes: gnome: 3.24 -> 3.26, (KDE) plasma-desktop: 5.10 -> 5.12.

MariaDB 10.2, updated from 10.1, is now the default MySQL implementation. While upgrading a few changes have been made to the infrastructure involved:

PHP now defaults to PHP 7.2, updated from 7.1.

./config/krb5/default.nix

./hardware/digitalbitbox.nix

./misc/label.nix

./programs/ccache.nix

./programs/criu.nix

./programs/digitalbitbox/default.nix

./programs/less.nix

./programs/npm.nix

./programs/plotinus.nix

./programs/rootston.nix

./programs/systemtap.nix

./programs/sway.nix

./programs/udevil.nix

./programs/way-cooler.nix

./programs/yabar.nix

./programs/zsh/zsh-autoenv.nix

./services/backup/borgbackup.nix

./services/backup/crashplan-small-business.nix

./services/desktops/dleyna-renderer.nix

./services/desktops/dleyna-server.nix

./services/desktops/pipewire.nix

./services/desktops/gnome3/chrome-gnome-shell.nix

./services/desktops/gnome3/tracker-miners.nix

./services/hardware/fwupd.nix

./services/hardware/interception-tools.nix

./services/hardware/u2f.nix

./services/hardware/usbmuxd.nix

./services/mail/clamsmtp.nix

./services/mail/dkimproxy-out.nix

./services/mail/pfix-srsd.nix

./services/misc/gitea.nix

./services/misc/home-assistant.nix

./services/misc/ihaskell.nix

./services/misc/logkeys.nix

./services/misc/novacomd.nix

./services/misc/osrm.nix

./services/misc/plexpy.nix

./services/misc/pykms.nix

./services/misc/tzupdate.nix

./services/monitoring/fusion-inventory.nix

./services/monitoring/prometheus/exporters.nix

./services/network-filesystems/beegfs.nix

./services/network-filesystems/davfs2.nix

./services/network-filesystems/openafs/client.nix

./services/network-filesystems/openafs/server.nix

./services/network-filesystems/ceph.nix

./services/networking/aria2.nix

./services/networking/monero.nix

./services/networking/nghttpx/default.nix

./services/networking/nixops-dns.nix

./services/networking/rxe.nix

./services/networking/stunnel.nix

./services/web-apps/matomo.nix

./services/web-apps/restya-board.nix

./services/web-servers/mighttpd2.nix

./services/x11/fractalart.nix

./system/boot/binfmt.nix

./system/boot/grow-partition.nix

./tasks/filesystems/ecryptfs.nix

./virtualisation/hyperv-guest.nix

sound.enable now defaults to false.

Dollar signs in options under services.postfix are passed verbatim to Postfix, which will interpret them as the beginning of a parameter expression. This was already true for string-valued options in the previous release, but not for list-valued options. If you need to pass literal dollar signs through Postfix, double them.

The postage package (for web-based PostgreSQL administration) has been renamed to pgmanage. The corresponding module has also been renamed. To migrate please rename all services.postage options to services.pgmanage.

Package attributes starting with a digit have been prefixed with an underscore sign. This is to avoid quoting in the configuration and other issues with command-line tools like nix-env. The change affects the following packages:

The OpenSSH service no longer enables support for DSA keys by default, which could cause a system lock out. Update your keys or, unfavorably, re-enable DSA support manually.

DSA support was deprecated in OpenSSH 7.0, due to it being too weak. To re-enable support, add PubkeyAcceptedKeyTypes +ssh-dss to the end of your services.openssh.extraConfig.

After updating the keys to be stronger, anyone still on a pre-17.03 version is safe to jump to 17.03, as vetted here.

The openssh package now includes Kerberos support by default; the openssh_with_kerberos package is now a deprecated alias. If you do not want Kerberos support, you can do openssh.override { withKerberos = false; }. Note, this also applies to the openssh_hpn package.

cc-wrapper has been split in two; there is now also a bintools-wrapper. The most commonly used files in nix-support are now split between the two wrappers. Some commonly used ones, like nix-support/dynamic-linker, are duplicated for backwards compatability, even though they rightly belong only in bintools-wrapper. Other more obscure ones are just moved.

The propagation logic has been changed. The new logic, along with new types of dependencies that go with, is thoroughly documented in the "Specifying dependencies" section of the "Standard Environment" chapter of the nixpkgs manual. The old logic isn't but is easy to describe: dependencies were propagated as the same type of dependency no matter what. In practice, that means that many propagatedNativeBuildInputs should instead be propagatedBuildInputs. Thankfully, that was and is the least used type of dependency. Also, it means that some propagatedBuildInputs should instead be depsTargetTargetPropagated. Other types dependencies should be unaffected.

lib.addPassthru drv passthru is removed. Use lib.extendDerivation true passthru drv instead.

The memcached service no longer accept dynamic socket paths via services.memcached.socket. Unix sockets can be still enabled by services.memcached.enableUnixSocket and will be accessible at /run/memcached/memcached.sock.

The hardware.amdHybridGraphics.disable option was removed for lack of a maintainer. If you still need this module, you may wish to include a copy of it from an older version of nixos in your imports.

The merging of config options for services.postfix.config was buggy. Previously, if other options in the Postfix module like services.postfix.useSrs were set and the user set config options that were also set by such options, the resulting config wouldn't include all options that were needed. They are now merged correctly. If config options need to be overridden, lib.mkForce or lib.mkOverride can be used.

The following changes apply if the stateVersion is changed to 18.03 or higher. For stateVersion = "17.09" or lower the old behavior is preserved.

The jid package has been removed, due to maintenance overhead of a go package having non-versioned dependencies.

When using services.xserver.libinput (enabled by default in GNOME), it now handles all input devices, not just touchpads. As a result, you might need to re-evaluate any custom Xorg configuration. In particular, Option "XkbRules" "base" may result in broken keyboard layout.

The attic package was removed. A maintained fork called Borg should be used instead. Migration instructions can be found here.

The Piwik analytics software was renamed to Matomo:

nodejs-4_x is end-of-life. nodejs-4_x, nodejs-slim-4_x and nodePackages_4_x are removed.

The pump.io NixOS module was removed. It is now maintained as an external module.

The Prosody XMPP server has received a major update. The following modules were renamed:

Many new modules are now core modules, most notably services.prosody.modules.carbons and services.prosody.modules.mam.

The better-performing libevent backend is now enabled by default.

withCommunityModules now passes through the modules to services.prosody.extraModules. Use withOnlyInstalledCommunityModules for modules that should not be enabled directly, e.g lib_ldap.

All prometheus exporter modules are now defined as submodules. The exporters are configured using services.prometheus.exporters.

ZNC option services.znc.mutable now defaults to true. That means that old configuration is not overwritten by default when update to the znc options are made.

The option networking.wireless.networks.<name>.auth has been added for wireless networks with WPA-Enterprise authentication. There is also a new extraConfig option to directly configure wpa_supplicant and hidden to connect to hidden networks.

In the module networking.interfaces.<name> the following options have been removed:

To assign static addresses to an interface the options ipv4.addresses and ipv6.addresses should be used instead. The options ip4 and ip6 have been renamed to ipv4.addresses ipv6.addresses respectively. The new options ipv4.routes and ipv6.routes have been added to set up static routing.

The option services.logstash.listenAddress is now 127.0.0.1 by default. Previously the default behaviour was to listen on all interfaces.

services.btrfs.autoScrub has been added, to periodically check btrfs filesystems for data corruption. If there's a correct copy available, it will automatically repair corrupted blocks.

displayManager.lightdm.greeters.gtk.clock-format. has been added, the clock format string (as expected by strftime, e.g. %H:%M) to use with the lightdm gtk greeter panel.

If set to null the default clock format is used.

displayManager.lightdm.greeters.gtk.indicators has been added, a list of allowed indicator modules to use with the lightdm gtk greeter panel.

Built-in indicators include ~a11y, ~language, ~session, ~power, ~clock, ~host, ~spacer. Unity indicators can be represented by short name (e.g. sound, power), service file name, or absolute path.

If set to null the default indicators are used.

In order to have the previous default configuration add

{
  services.xserver.displayManager.lightdm.greeters.gtk.indicators = [
    "~host" "~spacer"
    "~clock" "~spacer"
    "~session"
    "~language"
    "~a11y"
    "~power"
  ];
}

to your configuration.nix.

The NixOS test driver supports user services declared by systemd.user.services. The methods waitForUnit, getUnitInfo, startJob and stopJob provide an optional $user argument for that purpose.

Enabling bash completion on NixOS, programs.bash.enableCompletion, will now also enable completion for the Nix command line tools by installing the nix-bash-completions package.

The vim/kakoune plugin updater now reads from a CSV file: check pkgs/applications/editors/vim/plugins/vim-plugin-names out to see the new format

The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10, KDE Applications to 17.08.1 and KDE Frameworks to 5.37.

The user handling now keeps track of deallocated UIDs/GIDs. When a user or group is revived, this allows it to be allocated the UID/GID it had before. A consequence is that UIDs and GIDs are no longer reused.

The module option services.xserver.xrandrHeads now causes the first head specified in this list to be set as the primary head. Apart from that, it's now possible to also set additional options by using an attribute set, for example:

{ services.xserver.xrandrHeads = [
    "HDMI-0"
    {
      output = "DVI-0";
      primary = true;
      monitorConfig = ''
        Option "Rotate" "right"
      '';
    }
  ];
}

This will set the DVI-0 output to be the primary head, even though HDMI-0 is the first head in the list.

The handling of SSL in the services.nginx module has been cleaned up, renaming the misnamed enableSSL to onlySSL which reflects its original intention. This is not to be used with the already existing forceSSL which creates a second non-SSL virtual host redirecting to the SSL virtual host. This by chance had worked earlier due to specific implementation details. In case you had specified both please remove the enableSSL option to keep the previous behaviour.

Another addSSL option has been introduced to configure both a non-SSL virtual host and an SSL virtual host with the same configuration.

Options to configure resolver options and upstream blocks have been introduced. See their information for further details.

The port option has been replaced by a more generic listen option which makes it possible to specify multiple addresses, ports and SSL configs dependant on the new SSL handling mentioned above.

config/fonts/fontconfig-penultimate.nix

config/fonts/fontconfig-ultimate.nix

config/terminfo.nix

hardware/sensor/iio.nix

hardware/nitrokey.nix

hardware/raid/hpsa.nix

programs/browserpass.nix

programs/gnupg.nix

programs/qt5ct.nix

programs/slock.nix

programs/thefuck.nix

security/auditd.nix

security/lock-kernel-modules.nix

service-managers/docker.nix

service-managers/trivial.nix

services/admin/salt/master.nix

services/admin/salt/minion.nix

services/audio/slimserver.nix

services/cluster/kubernetes/default.nix

services/cluster/kubernetes/dns.nix

services/cluster/kubernetes/dashboard.nix

services/continuous-integration/hail.nix

services/databases/clickhouse.nix

services/databases/postage.nix

services/desktops/gnome3/gnome-disks.nix

services/desktops/gnome3/gpaste.nix

services/logging/SystemdJournal2Gelf.nix

services/logging/heartbeat.nix

services/logging/journalwatch.nix

services/logging/syslogd.nix

services/mail/mailhog.nix

services/mail/nullmailer.nix

services/misc/airsonic.nix

services/misc/autorandr.nix

services/misc/exhibitor.nix

services/misc/fstrim.nix

services/misc/gollum.nix

services/misc/irkerd.nix

services/misc/jackett.nix

services/misc/radarr.nix

services/misc/snapper.nix

services/monitoring/osquery.nix

services/monitoring/prometheus/collectd-exporter.nix

services/monitoring/prometheus/fritzbox-exporter.nix

services/network-filesystems/kbfs.nix

services/networking/dnscache.nix

services/networking/fireqos.nix

services/networking/iwd.nix

services/networking/keepalived/default.nix

services/networking/keybase.nix

services/networking/lldpd.nix

services/networking/matterbridge.nix

services/networking/squid.nix

services/networking/tinydns.nix

services/networking/xrdp.nix

services/security/shibboleth-sp.nix

services/security/sks.nix

services/security/sshguard.nix

services/security/torify.nix

services/security/usbguard.nix

services/security/vault.nix

services/system/earlyoom.nix

services/system/saslauthd.nix

services/web-apps/nexus.nix

services/web-apps/pgpkeyserver-lite.nix

services/web-apps/piwik.nix

services/web-servers/lighttpd/collectd.nix

services/web-servers/minio.nix

services/x11/display-managers/xpra.nix

services/x11/xautolock.nix

tasks/filesystems/bcachefs.nix

tasks/powertop.nix

In an Qemu-based virtualization environment, the network interface names changed from i.e. enp0s3 to ens3.

This is due to a kernel configuration change. The new naming is consistent with those of other Linux distributions with systemd. See #29197 for more information.

A machine is affected if the virt-what tool either returns qemu or kvm and has interface names used in any part of its NixOS configuration, in particular if a static network configuration with networking.interfaces is used.

Before rebooting affected machines, please ensure:

The following changes apply if the stateVersion is changed to 17.09 or higher. For stateVersion = "17.03" or lower the old behavior is preserved.

The aiccu package was removed. This is due to SixXS sunsetting its IPv6 tunnel.

The fanctl package and fan module have been removed due to the developers not upstreaming their iproute2 patches and lagging with compatibility to recent iproute2 versions.

Top-level idea package collection was renamed. All JetBrains IDEs are now at jetbrains.

flexget's state database cannot be upgraded to its new internal format, requiring removal of any existing db-config.sqlite which will be automatically recreated.

The ipfs service now doesn't ignore the dataDir option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with

dataDir=<valueOfDataDir>
mv /var/lib/ipfs/.ipfs/* $dataDir
rmdir /var/lib/ipfs/.ipfs

The caddy service was previously using an extra .caddy directory in the data directory specified with the dataDir option. The contents of the .caddy directory are now expected to be in the dataDir.

The ssh-agent user service is not started by default anymore. Use programs.ssh.startAgent to enable it if needed. There is also a new programs.gnupg.agent module that creates a gpg-agent user service. It can also serve as a SSH agent if enableSSHSupport is set.

The services.tinc.networks.<name>.listenAddress option had a misleading name that did not correspond to its behavior. It now correctly defines the ip to listen for incoming connections on. To keep the previous behaviour, use services.tinc.networks.<name>.bindToAddress instead. Refer to the description of the options for more details.

tlsdate package and module were removed. This is due to the project being dead and not building with openssl 1.1.

wvdial package and module were removed. This is due to the project being dead and not building with openssl 1.1.

cc-wrapper's setup-hook now exports a number of environment variables corresponding to binutils binaries, (e.g. LD, STRIP, RANLIB, etc). This is done to prevent packages' build systems guessing, which is harder to predict, especially when cross-compiling. However, some packages have broken due to this—their build systems either not supporting, or claiming to support without adequate testing, taking such environment variables as parameters.

services.firefox.syncserver now runs by default as a non-root user. To accomodate this change, the default sqlite database location has also been changed. Migration should work automatically. Refer to the description of the options for more details.

The compiz window manager and package was removed. The system support had been broken for several years.

Touchpad support should now be enabled through libinput as synaptics is now deprecated. See the option services.xserver.libinput.enable.

grsecurity/PaX support has been dropped, following upstream's decision to cease free support. See upstream's announcement for more information. No complete replacement for grsecurity/PaX is available presently.

services.mysql now has declarative configuration of databases and users with the ensureDatabases and ensureUsers options.

These options will never delete existing databases and users, especially not when the value of the options are changed.

The MySQL users will be identified using Unix socket authentication. This authenticates the Unix user with the same name only, and that without the need for a password.

If you have previously created a MySQL root user with a password, you will need to add root user for unix socket authentication before using the new options. This can be done by running the following SQL script:

CREATE USER 'root'@'%' IDENTIFIED BY '';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;

-- Optionally, delete the password-authenticated user:
-- DROP USER 'root'@'localhost';

services.mysqlBackup now works by default without any user setup, including for users other than mysql.

By default, the mysql user is no longer the user which performs the backup. Instead a system account mysqlbackup is used.

The mysqlBackup service is also now using systemd timers instead of cron.

Therefore, the services.mysqlBackup.period option no longer exists, and has been replaced with services.mysqlBackup.calendar, which is in the format of systemd.time(7).

If you expect to be sent an e-mail when the backup fails, consider using a script which monitors the systemd journal for errors. Regretfully, at present there is no built-in functionality for this.

You can check that backups still work by running systemctl start mysql-backup then systemctl status mysql-backup.

Templated systemd services e.g container@name are now handled currectly when switching to a new configuration, resulting in them being reloaded.

Steam: the newStdcpp parameter was removed and should not be needed anymore.

Redis has been updated to version 4 which mandates a cluster mass-restart, due to changes in the network handling, in order to ensure compatibility with networks NATing traffic.

Modules can now be disabled by using disabledModules, allowing another to take it's place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release.

Updated to FreeType 2.7.1, including a new TrueType engine. The new engine replaces the Infinality engine which was the default in NixOS. The default font rendering settings are now provided by fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults are less invasive and provide rendering that is more consistent with other systems and hopefully with each font designer's intent. Some system-wide configuration has been removed from the Fontconfig NixOS module where user Fontconfig settings are available.

ZFS/SPL have been updated to 0.7.0, zfsUnstable, splUnstable have therefore been removed.

The time.timeZone option now allows the value null in addition to timezone strings. This value allows changing the timezone of a system imperatively using timedatectl set-timezone. The default timezone is still UTC.

Nixpkgs overlays may now be specified with a file as well as a directory. The value of <nixpkgs-overlays> may be a file, and ~/.config/nixpkgs/overlays.nix can be used instead of the ~/.config/nixpkgs/overlays directory.

See the overlays chapter of the Nixpkgs manual for more details.

Definitions for /etc/hosts can now be specified declaratively with networking.hosts.

Two new options have been added to the installer loader, in addition to the default having changed. The kernel log verbosity has been lowered to the upstream default for the default options, in order to not spam the console when e.g. joining a network.

This therefore leads to adding a new debug option to set the log level to the previous verbose mode, to make debugging easier, but still accessible easily.

Additionally a copytoram option has been added, which makes it possible to remove the install medium after booting. This allows tethering from your phone after booting from it.

services.gitlab-runner.configOptions has been added to specify the configuration of gitlab-runners declaratively.

services.jenkins.plugins has been added to install plugins easily, this can be generated with jenkinsPlugins2nix.

services.postfix.config has been added to specify the main.cf with NixOS options. Additionally other options have been added to the postfix module and has been improved further.

The GitLab package and module have been updated to the latest 10.0 release.

The systemd-boot boot loader now lists the NixOS version, kernel version and build date of all bootable generations.

The dnscrypt-proxy service now defaults to using a random upstream resolver, selected from the list of public non-logging resolvers with DNSSEC support. Existing configurations can be migrated to this mode of operation by omitting the services.dnscrypt-proxy.resolverName option or setting it to "random".

Nixpkgs is now extensible through overlays. See the Nixpkgs manual for more information.

This release is based on Glibc 2.25, GCC 5.4.0 and systemd 232. The default Linux kernel is 4.9 and Nix is at 1.11.8.

The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed

The setuid wrapper functionality now supports setting capabilities.

X.org server uses branch 1.19. Due to ABI incompatibilities, ati_unfree keeps forcing 1.17 and amdgpu-pro starts forcing 1.18.

Cross compilation has been rewritten. See the nixpkgs manual for details. The most obvious breaking change is that in derivations there is no .nativeDrv nor .crossDrv are now cross by default, not native.

The overridePackages function has been rewritten to be replaced by overlays

Packages in nixpkgs can be marked as insecure through listed vulnerabilities. See the Nixpkgs manual for more information.

PHP now defaults to PHP 7.1

hardware/ckb.nix

hardware/mcelog.nix

hardware/usb-wwan.nix

hardware/video/capture/mwprocapture.nix

programs/adb.nix

programs/chromium.nix

programs/gphoto2.nix

programs/java.nix

programs/mtr.nix

programs/oblogout.nix

programs/vim.nix

programs/wireshark.nix

security/dhparams.nix

services/audio/ympd.nix

services/computing/boinc/client.nix

services/continuous-integration/buildbot/master.nix

services/continuous-integration/buildbot/worker.nix

services/continuous-integration/gitlab-runner.nix

services/databases/riak-cs.nix

services/databases/stanchion.nix

services/desktops/gnome3/gnome-terminal-server.nix

services/editors/infinoted.nix

services/hardware/illum.nix

services/hardware/trezord.nix

services/logging/journalbeat.nix

services/mail/offlineimap.nix

services/mail/postgrey.nix

services/misc/couchpotato.nix

services/misc/docker-registry.nix

services/misc/errbot.nix

services/misc/geoip-updater.nix

services/misc/gogs.nix

services/misc/leaps.nix

services/misc/nix-optimise.nix

services/misc/ssm-agent.nix

services/misc/sssd.nix

services/monitoring/arbtt.nix

services/monitoring/netdata.nix

services/monitoring/prometheus/default.nix

services/monitoring/prometheus/alertmanager.nix

services/monitoring/prometheus/blackbox-exporter.nix

services/monitoring/prometheus/json-exporter.nix

services/monitoring/prometheus/nginx-exporter.nix

services/monitoring/prometheus/node-exporter.nix

services/monitoring/prometheus/snmp-exporter.nix

services/monitoring/prometheus/unifi-exporter.nix

services/monitoring/prometheus/varnish-exporter.nix

services/monitoring/sysstat.nix

services/monitoring/telegraf.nix

services/monitoring/vnstat.nix

services/network-filesystems/cachefilesd.nix

services/network-filesystems/glusterfs.nix

services/network-filesystems/ipfs.nix

services/networking/dante.nix

services/networking/dnscrypt-wrapper.nix

services/networking/fakeroute.nix

services/networking/flannel.nix

services/networking/htpdate.nix

services/networking/miredo.nix

services/networking/nftables.nix

services/networking/powerdns.nix

services/networking/pdns-recursor.nix

services/networking/quagga.nix

services/networking/redsocks.nix

services/networking/wireguard.nix

services/system/cgmanager.nix

services/torrent/opentracker.nix

services/web-apps/atlassian/confluence.nix

services/web-apps/atlassian/crowd.nix

services/web-apps/atlassian/jira.nix

services/web-apps/frab.nix

services/web-apps/nixbot.nix

services/web-apps/selfoss.nix

services/web-apps/quassel-webserver.nix

services/x11/unclutter-xfixes.nix

services/x11/urxvtd.nix

system/boot/systemd-nspawn.nix

virtualisation/ecs-agent.nix

virtualisation/lxcfs.nix

virtualisation/openstack/keystone.nix

virtualisation/openstack/glance.nix

Derivations have no .nativeDrv nor .crossDrv and are now cross by default, not native.

stdenv.overrides is now expected to take self and super arguments. See lib.trivial.extends for what those parameters represent.

ansible now defaults to ansible version 2 as version 1 has been removed due to a serious vulnerability unpatched by upstream.

gnome alias has been removed along with gtk, gtkmm and several others. Now you need to use versioned attributes, like gnome3.

The attribute name of the Radicale daemon has been changed from pythonPackages.radicale to radicale.

The stripHash bash function in stdenv changed according to its documentation; it now outputs the stripped name to stdout instead of putting it in the variable strippedName.

PHP now scans for extra configuration .ini files in /etc/php.d instead of /etc. This prevents accidentally loading non-PHP .ini files that may be in /etc.

Two lone top-level dict dbs moved into dictdDBs. This affects: dictdWordnet which is now at dictdDBs.wordnet and dictdWiktionary which is now at dictdDBs.wiktionary

Parsoid service now uses YAML configuration format. service.parsoid.interwikis is now called service.parsoid.wikis and is a list of either API URLs or attribute sets as specified in parsoid's documentation.

Ntpd was replaced by systemd-timesyncd as the default service to synchronize system time with a remote NTP server. The old behavior can be restored by setting services.ntp.enable to true. Upstream time servers for all NTP implementations are now configured using networking.timeServers.

service.nylon is now declared using named instances. As an example:

{
  services.nylon = {
    enable = true;
    acceptInterface = "br0";
    bindInterface = "tun1";
    port = 5912;
  };
}

should be replaced with:

{
  services.nylon.myvpn = {
    enable = true;
    acceptInterface = "br0";
    bindInterface = "tun1";
    port = 5912;
  };
}

this enables you to declare a SOCKS proxy for each uplink.

overridePackages function no longer exists. It is replaced by overlays. For example, the following code: