NixOS manual
source link: https://nixos.org/nixos/manual/release-notes.html#sec-release-17.09
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Appendix B. Release Notes
This section lists the release notes for each stable version of NixOS and current unstable revision.
B.1. Release 21.11 (“Porcupine”, 2021/11/30)
Support is planned until the end of June 2022, handing over to 22.05.
B.1.1. Highlights
In addition to numerous new and upgraded packages, this release has the following highlights:
The default Nix version remains at 2.3.16. Nix has not been updated to version 2.4 due to regressions in non-experimental behavior. To upgrade to 2.4, use the
nixos-unstable
branch or set thenix.package
option to either ofnixFlakes
ornix_2_4
packages. ThenixUnstable
attribute is a pre-release of Nix 2.5. Read the release notes for more information on upcoming changes. Please help us improve Nix by providing any breakage reports.iptables
is now usingnf_tables
under the hood, by usingiptables-nft
, similar to Debian and Fedora. This means,ip[6]tables
,arptables
andebtables
commands will actually show rules from some specific tables in thenf_tables
kernel subsystem. In case you’re migrating from an older release without rebooting, there might be cases where you end up with iptable rules configured both in the legacyiptables
kernel backend, as well as in thenf_tables
backend. This can lead to confusing firewall behaviour. Aniptables-save
after switching will complain about “iptables-legacy tables present”. It’s probably best to reboot after the upgrade, or manually removing all legacy iptables rules (via theiptables-legacy
package).systemd got an
nftables
backend, and configures (networkd) rules in their ownio.systemd.*
tables. Checknft list ruleset
to see these rules, notiptables-save
(which only showsiptables
-created rules.PHP now defaults to PHP 8.0, updated from 7.4.
kops now defaults to 1.21.1, which uses containerd as the default runtime.
python3
now defaults to Python 3.9, updated from Python 3.8.PostgreSQL now defaults to major version 13.
spark now defaults to spark 3, updated from 2. A migration guide is available.
Improvements have been made to the Hadoop module and package:
HDFS and YARN now support production-ready highly available deployments with automatic failover.
Hadoop now defaults to Hadoop 3, updated from 2.
JournalNode, ZKFS and HTTPFS services have been added.
Activation scripts can now, optionally, be run during a
nixos-rebuild dry-activate
and can detect the dry activation by reading$NIXOS_ACTION
. This allows activation scripts to output what they would change if the activation was really run. The users/modules activation script supports this and outputs some of is actions.KDE Plasma now finally works on Wayland.
bash now defaults to major version 5.
Systemd was updated to version 249 (from 247).
Pantheon desktop has been updated to version 6. Due to changes of screen locker, if locking doesn’t work for you, please try
gsettings set org.gnome.desktop.lockdown disable-lock-screen false
.kubernetes-helm
now defaults to 3.7.0, which introduced some breaking changes to the experimental OCI manifest format. See HIP 6 for more details.helmfile
also defaults to 0.141.0, which is the minimum compatible version.GNOME has been upgraded to 41. Please take a look at their Release Notes for details.
LXD support was greatly improved:
building LXD images from configurations is now directly possible with just nixpkgs
hydra is now building nixOS LXD images that can be used standalone with full nixos-rebuild support
OpenSSH was updated to version 8.8p1
This breaks connections to old SSH daemons as ssh-rsa host keys and ssh-rsa public keys that were signed with SHA-1 are disabled by default now
These can be re-enabled, see the OpenSSH changelog for details
ORY Kratos was updated to version 0.8.0-alpha.3
This release requires you to run SQL migrations. Please, as always, create a backup of your database first!
The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.
The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.
for more details, see Release Notes.
B.1.2. New Services
btrbk, a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations. Available as services.btrbk.
clipcat, an X11 clipboard manager written in Rust. Available at services.clipcat.
dex, an OpenID Connect (OIDC) identity and OAuth 2.0 provider. Available at services.dex.
geoipupdate, a GeoIP database updater from MaxMind. Available as services.geoipupdate.
Jibri, a service for recording or streaming a Jitsi Meet conference. Available as services.jibri.
Kea, ISCs 2nd generation DHCP and DDNS server suite. Available at services.kea.
owncast, self-hosted video live streaming solution. Available at services.owncast.
PeerTube, developed by Framasoft, is the free and decentralized alternative to video platforms. Available at services.peertube.
sourcehut, a collection of tools useful for software development. Available as services.sourcehut.
ucarp, an userspace implementation of the Common Address Redundancy Protocol (CARP). Available as networking.ucarp.
Users of flashrom should migrate to programs.flashrom.enable and add themselves to the
flashrom
group to be able to access programmers supported by flashrom.vikunja, a to-do list app. Available as services.vikunja.
opensnitch, an application firewall. Available as services.opensnitch.
snapraid, a backup program for disk arrays. Available as snapraid.
Hockeypuck, a OpenPGP Key Server. Available as services.hockeypuck.
buildkite-agent-metrics, a command-line tool for collecting Buildkite agent metrics, now has a Prometheus exporter available as services.prometheus.exporters.buildkite-agent.
influxdb-exporter a Prometheus exporter that exports metrics received on an InfluxDB compatible endpoint is now available as services.prometheus.exporters.influxdb.
mx-puppet-discord, a discord puppeting bridge for matrix. Available as services.mx-puppet-discord.
MeshCentral, a remote administration service (“TeamViewer but self-hosted and with more features”) is now available with a package and a module: services.meshcentral.enable
moonraker, an API web server for Klipper. Available as moonraker.
influxdb2, a Scalable datastore for metrics, events, and real-time analytics. Available as services.influxdb2.
isso, a commenting server similar to Disqus. Available as isso
navidrome, a personal music streaming server with subsonic-compatible api. Available as navidrome.
fluidd, a Klipper web interface for managing 3d printers using moonraker. Available as fluidd.
sx, a simple alternative to both xinit and startx for starting a Xorg server. Available as services.xserver.displayManager.sx
postfixadmin, a web based virtual user administration interface for Postfix mail servers. Available as postfixadmin.
prowlarr, an indexer manager/proxy built on the popular arr .net/reactjs base stack services.prowlarr.
soju, a user-friendly IRC bouncer. Available as services.soju.
nats, a high performance cloud and edge messaging system. Available as services.nats.
git, a distributed version control system. Available as programs.git.
parsedmarc, a service which parses incoming DMARC reports and stores or sends them to a downstream service for further analysis. Documented in its manual entry.
spark, a unified analytics engine for large-scale data processing.
touchegg, a multi-touch gesture recognizer. Available as services.touchegg.
pantheon-tweaks, an unofficial system settings panel for Pantheon. Available as programs.pantheon-tweaks.
joycond, a service that uses
hid-nintendo
to provide nintendo joycond pairing and better nintendo switch pro controller support.multipath, the device mapper multipath (DM-MP) daemon. Available as services.multipath.
seafile, an open source file syncing & sharing software. Available as services.seafile.
rasdaemon, a hardware error logging daemon. Available as hardware.rasdaemon.
code-server
-module now availablexmrig, a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner and RandomX benchmark.
Auto nice daemons ananicy and ananicy-cpp. Available as services.ananicy.
smartctl_exporter, a Prometheus exporter for S.M.A.R.T. data. Available as services.prometheus.exporters.smartctl.
filebeat, a lightweight shipper for forwarding and centralizing log data. Available as services.filebeat.
B.1.3. Backward Incompatibilities
The NixOS VM test framework,
pkgs.nixosTest
/make-test-python.nix
, now requires detaching commands such assucceed("foo &")
andsucceed("foo | xclip -i")
to close stdout. This can be done with a redirect such assucceed("foo >&2 &")
. This breaking change was necessitated by a race condition causing tests to fail or hang. It applies to all methods that invoke commands on the nodes, includingexecute
,succeed
,fail
,wait_until_succeeds
,wait_until_fails
.The
services.wakeonlan
option was removed, and replaced withnetworking.interfaces.<name>.wakeOnLan
.The
security.wrappers
option now requires to always specify an owner, group and whether the setuid/setgid bit should be set. This is motivated by the fact that before NixOS 21.11, specifying either setuid or setgid but not owner/group resulted in wrappers owned by nobody/nogroup, which is unsafe.Since
iptables
now usesnf_tables
backend andipset
doesn’t support it, some applications (ferm, shorewall, firehol) may have limited functionality.The
paperless
module and package have been removed. All users should migrate to the successorpaperless-ng
instead. The Paperless project has been archived and advises all users to usepaperless-ng
instead.Users can use the
services.paperless-ng
module as a replacement while noting the following incompatibilities:services.paperless.ocrLanguages
has no replacement. Users should migrate toservices.paperless-ng.extraConfig
instead:
{ services.paperless-ng.extraConfig = { # Provide languages as ISO 639-2 codes # separated by a plus (+) sign. # https://en.wikipedia.org/wiki/List_of_ISO_639-2_codes PAPERLESS_OCR_LANGUAGE = "deu+eng+jpn"; # German & English & Japanse }; }
If you previously specified
PAPERLESS_CONSUME_MAIL_*
settings inservices.paperless.extraConfig
you should remove those options now. You now must define those settings in the admin interface of paperless-ng.Option
services.paperless.manage
no longer exists. Use the script at${services.paperless-ng.dataDir}/paperless-ng-manage
instead. Note that this script only exists after thepaperless-ng
service has been started at least once.After switching to the new system configuration you should run the Django management command to reindex your documents and optionally create a user, if you don’t have one already.
To do so, enter the data directory (the value of
services.paperless-ng.dataDir
,/var/lib/paperless
by default), switch to the paperless user and execute the management command like below:$ cd /var/lib/paperless $ su paperless -s /bin/sh $ ./paperless-ng-manage document_index reindex # if not already done create a user account, paperless-ng requires a login $ ./paperless-ng-manage createsuperuser Username (leave blank to use 'paperless'): my-user-name Email address: [email protected] Password: ********** Password (again): ********** Superuser created successfully.
The
staticjinja
package has been upgraded from 1.0.4 to 4.1.1Firefox v91 does not support addons with invalid signature anymore. Firefox ESR needs to be used for nix addon support.
The
erigon
ethereum node has moved to a new database format in2021-05-04
, and requires a full resyncThe
erigon
ethereum node has moved it’s database location in2021-08-03
, users upgrading must manually move their chaindata (see release notes).users.users.<name>.group no longer defaults to
nogroup
, which was insecure. Out-of-tree modules are likely to require adaptation: instead of{ users.users.foo = { isSystemUser = true; }; }
also create a group for your user:
{ users.users.foo = { isSystemUser = true; group = "foo"; }; users.groups.foo = {}; }
services.geoip-updater
was broken and has been replaced by services.geoipupdate.ihatemoney
has been updated to version 5.1.1 (release notes). If you serve ihatemoney by HTTP rather than HTTPS, you must set services.ihatemoney.secureCookie tofalse
.PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release.
Those making use of
buildBazelPackage
will need to regenerate the fetch hashes (preferred), or setfetchConfigured = false;
.consul
was upgraded to a new major release with breaking changes, see upstream changelog.fsharp41 has been removed in preference to use the latest dotnet-sdk
The following F#-related packages have been removed for being unmaintaned. Please use
fetchNuGet
for specific packages.ExtCore
Fantomas
FsCheck
FsCheck262
FsCheckNunit
FSharpAutoComplete
FSharpCompilerCodeDom
FSharpCompilerService
FSharpCompilerTools
FSharpCore302
FSharpCore3125
FSharpCore4001
FSharpCore4117
FSharpData
FSharpData225
FSharpDataSQLProvider
FSharpFormatting
FsLexYacc
FsLexYacc706
FsLexYaccRuntime
FsPickler
FsUnit
Projekt
Suave
UnionArgParser
ExcelDnaRegistration
MathNetNumerics
programs.x2goserver
is nowservices.x2goserver
The following dotnet-related packages have been removed for being unmaintaned. Please use
fetchNuGet
for specific packages.Autofac
SystemValueTuple
MicrosoftDiaSymReader
MicrosoftDiaSymReaderPortablePdb
SystemCollectionsImmutable
SystemCollectionsImmutable131
SystemReflectionMetadata
NUnit350
Deedle
ExcelDna
GitVersionTree
NDeskOptions
The
antlr
package now defaults to the 4.x release instead of the old 2.7.7 version.The
pulseeffects
package updated to version 4.x and renamed toeasyeffects
.The
libwnck
package now defaults to the 3.x release instead of the old 2.31.0 version.The
bitwarden_rs
packages and modules were renamed tovaultwarden
following upstream. More specifically,pkgs.bitwarden_rs
,pkgs.bitwarden_rs-sqlite
,pkgs.bitwarden_rs-mysql
andpkgs.bitwarden_rs-postgresql
were renamed topkgs.vaultwarden
,pkgs.vaultwarden-sqlite
,pkgs.vaultwarden-mysql
andpkgs.vaultwarden-postgresql
, respectively.Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
The
bitwarden_rs
executable was also renamed tovaultwarden
in all packages.
pkgs.bitwarden_rs-vault
was renamed topkgs.vaultwarden-vault
.pkgs.bitwarden_rs-vault
is preserved as an alias for backwards compatibility, but may be removed in the future.The static files were moved from
/usr/share/bitwarden_rs
to/usr/share/vaultwarden
.
The
services.bitwarden_rs
config module was renamed toservices.vaultwarden
.services.bitwarden_rs
is preserved as an alias for backwards compatibility, but may be removed in the future.
systemd.services.bitwarden_rs
,systemd.services.backup-bitwarden_rs
andsystemd.timers.backup-bitwarden_rs
were renamed tosystemd.services.vaultwarden
,systemd.services.backup-vaultwarden
andsystemd.timers.backup-vaultwarden
, respectively.Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
users.users.bitwarden_rs
andusers.groups.bitwarden_rs
were renamed tousers.users.vaultwarden
andusers.groups.vaultwarden
, respectively.The data directory remains located at
/var/lib/bitwarden_rs
, for backwards compatibility.
yggdrasil
was upgraded to a new major release with breaking changes, see upstream changelog.icingaweb2
was upgraded to a new release which requires a manual database upgrade, see upstream changelog.The
isabelle
package has been upgraded from 2020 to 2021the
mingw-64
package has been upgraded from 6.0.0 to 9.0.0tt-rss
was upgraded to the commit on 2021-06-21, which has breaking changes. If you useservices.tt-rss.extraConfig
you should migrate to theputenv
-style configuration. See this Discourse post in the tt-rss forums for more details.The following Visual Studio Code extensions were renamed to keep the naming convention uniform.
bbenoist.Nix
->bbenoist.nix
CoenraadS.bracket-pair-colorizer
->coenraads.bracket-pair-colorizer
golang.Go
->golang.go
services.uptimed
now uses/var/lib/uptimed
as its stateDirectory instead of/var/spool/uptimed
. Make sure to move all files to the new directory.Deprecated package aliases in
emacs.pkgs.*
have been removed. These aliases were remnants of the old Emacs package infrastructure. We now use exact upstream names wherever possible.programs.neovim.runtime
switched to alinkFarm
internally, making it impossible to use wildcards in thesource
argument.The
openrazer
andopenrazer-daemon
packages as well as thehardware.openrazer
module now require users to be members of theopenrazer
group instead ofplugdev
. With this change, users no longer need be granted the entire set ofplugdev
group permissions, which can include permissions other than those required byopenrazer
. This is desirable from a security point of view. The settingharware.openrazer.users
can be used to add users to theopenrazer
group.The fontconfig service’s dpi option has been removed. Fontconfig should use Xft settings by default so there’s no need to override one value in multiple places. The user can set DPI via ~/.Xresources properly, or at the system level per monitor, or as a last resort at the system level with
services.xserver.dpi
.The
yambar
package has been split intoyambar
andyambar-wayland
, corresponding to the xorg and wayland backend respectively. Please switch toyambar-wayland
if you are on wayland.The
services.minio
module gained an additional optionconsoleAddress
, that configures the address and port the web UI is listening, it defaults to:9001
. To be able to access the web UI this port needs to be opened in the firewall.The
varnish
package was upgraded from 6.3.x to 7.x.varnish60
for the last LTS release is also still available.The
kubernetes
package was upgraded to 1.22. Thekubernetes.apiserver.kubeletHttps
option was removed and HTTPS is always used.The attribute
linuxPackages_latest_hardened
was dropped because the hardened patches lag behind the upstream kernel which made version bumps harder. If you want to use a hardened kernel, please pin it explicitly with a versioned attribute such aslinuxPackages_5_10_hardened
.The
nomad
package now defaults to a 1.1.x release instead of 1.0.xIf
exfat
is included inboot.supportedFilesystems
and when using kernel 5.7 or later, theexfatprogs
user-space utilities are used instead ofexfat
.The
todoman
package was upgraded from 3.9.0 to 4.0.0. This introduces breaking changes in the configuration file format.The
datadog-agent
,datadog-integrations-core
anddatadog-process-agent
packages were upgraded from 6.11.2 to 7.30.2, git-2018-09-18 to 7.30.1 and 6.11.1 to 7.30.2, respectively. As a resultservices.datadog-agent
has had breaking changes to the configuration file. For details, see the upstream changelog.opencv2
no longer includes the non-free libraries by default, and consequentlypfstools
no longer includes OpenCV support by default. Both packages now support anenableUnfree
option to re-enable this functionality.services.xserver.displayManager.defaultSession = "plasma5"
does not work anymore, instead use either"plasma"
for the Plasma X11 session or"plasmawayland"
for the Plasma Wayland sesison.boot.kernelParams
now only accepts one command line parameter per string. This change is aimed to reduce common mistakes like “param = 12”, which would be parsed as 3 parameters.nix.daemonNiceLevel
andnix.daemonIONiceLevel
have been removed in favour of the new optionsnix.daemonCPUSchedPolicy
,nix.daemonIOSchedClass
andnix.daemonIOSchedPriority
. Please refer to the options documentation and thesched(7)
andioprio_set(2)
man pages for guidance on how to use them.The
coursier
package’s binary was renamed fromcoursier
tocs
. Completions which haven’t worked for a while should now work with the renamed binary. To keep usingcoursier
, you can create a shell alias.The
services.mosquitto
module has been rewritten to support multiple listeners and per-listener configuration. Module configurations from previous releases will no longer work and must be updated.The
fluidsynth_1
attribute has been removed, as this legacy version is no longer needed in nixpkgs. The actively maintained 2.x series is available asfluidsynth
unchanged.Nextcloud 20 (
pkgs.nextcloud20
) has been dropped because it was EOLed by upstream in 2021-10.The
virtualisation.pathsInNixDB
option was renamedvirtualisation.additionalPaths
.The
services.ddclient.password
option was removed, and replaced withservices.ddclient.passwordFile
.The default GNAT version has been changed: The
gnat
attribute now points tognat11
instead ofgnat9
.retroArchCores
has been removed. This means that usingnixpkgs.config.retroarch
to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example:retroarch.override { cores = with libretro; [ citra snes9x ]; };
. Also,retroarchFull
derivation is available for those who want to have all RetroArch cores available.The Linux kernel for security reasons now restricts access to BPF syscalls via
BPF_UNPRIV_DEFAULT_OFF=y
. Unprivileged access can be reenabled via thekernel.unprivileged_bpf_disabled
sysctl knob.
B.1.4. Other Notable Changes
The linux kernel package infrastructure was moved out of
all-packages.nix
, and restructured. Linux related functions and attributes now live under thepkgs.linuxKernel
attribute set. In particular the versionedlinuxPackages_*
package sets (such aslinuxPackages_5_4
) and kernels frompkgs
were moved there and now live underpkgs.linuxKernel.packages.*
. The unversioned ones (such aslinuxPackages_latest
) remain untouched.In NixOS virtual machines (QEMU), the
virtualisation
module has been updated with new options:forwardPorts
to configure IPv4 port forwarding,sharedDirectories
to set up shared host directories,resolution
to set the screen resolution,useNixStoreImage
to use a disk image for the Nix store instead of 9P.
In addition, the default
msize
parameter in 9P filesystems (including /nix/store and all shared directories) has been increased to 16K for improved performance.The setting
services.openssh.logLevel
"VERBOSE"
"INFO"
. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.However, if
services.fail2ban.enable
istrue
, thefail2ban
will override the verbosity to"VERBOSE"
, so thatfail2ban
can observe the failed login attempts from the SSH logs.The
services.xserver.extraLayouts
no longer cause additional rebuilds when a layout is added or modified.Sway: The terminal emulator
rxvt-unicode
is no longer installed by default viaprograms.sway.extraPackages
. The current default configuration usesalacritty
(and soonfoot
) so this is only an issue when using a customized configuration and not installingrxvt-unicode
explicitly.python3
now defaults to Python 3.9. Python 3.9 introduces many deprecation warnings, please look at the What’s New In Python 3.9 post for more information.qtile
hase been updated from “0.16.0” to “0.18.0”, please check qtile changelog for changes.The
claws-mail
package now references the new GTK+ 3 release branch, major version 4. To use the GTK+ 2 releases, one can install theclaws-mail-gtk2
package.The wordpress module provides a new interface which allows to use different webservers with the new option
services.wordpress.webserver
. Currentlyhttpd
,caddy
andnginx
are supported. The definitions of wordpress sites should now be set inservices.wordpress.sites
.Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.
The dokuwiki module provides a new interface which allows to use different webservers with the new option
services.dokuwiki.webserver
. Currentlycaddy
andnginx
are supported. The definitions of dokuwiki sites should now be set inservices.dokuwiki.sites
.Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.
The order of NSS (host) modules has been brought in line with upstream recommendations:
The
myhostname
module is placed before theresolve
(optional) anddns
entries, but afterfile
(to allow overriding via/etc/hosts
/networking.extraHosts
, and prevent ISPs with catchall-DNS resolvers from hijacking.localhost
domains)The
mymachines
module, which provides hostname resolution for local containers (registered withsystemd-machined
) is placed to the front, to make sure its mappings are preferred over other resolvers.If systemd-networkd is enabled, the
resolve
module is placed beforefiles
andmyhostname
, as it provides the same logic internally, with caching.The
mdns(_minimal)
module has been updated to the new priorities.
If you use your own NSS host modules, make sure to update your priorities according to these rules:
NSS modules which should be queried before
resolved
DNS resolution should use mkBefore.NSS modules which should be queried after
resolved
,files
andmyhostname
, but beforedns
should use the default priorityNSS modules which should come after
dns
should use mkAfter.
The networking.wireless module (based on wpa_supplicant) has been heavily reworked, solving a number of issues and adding useful features:
The automatic discovery of wireless interfaces at boot has been made reliable again (issues #101963, #23196).
WPA3 and Fast BSS Transition (802.11r) are now enabled by default for all networks.
Secrets like pre-shared keys and passwords can now be handled safely, meaning without including them in a world-readable file (
wpa_supplicant.conf
under /nix/store). This is achieved by storing the secrets in a secured environmentFile and referring to them though environment variables that are expanded inside the configuration.With multiple interfaces declared, independent wpa_supplicant daemons are started, one for each interface (the services are named
wpa_supplicant-wlan0
,wpa_supplicant-wlan1
, etc.).The generated
wpa_supplicant.conf
file is now formatted for easier reading.A new scanOnLowSignal option has been added to facilitate fast roaming between access points (enabled by default).
A new networks.<name>.authProtocols option has been added to change the authentication protocols used when connecting to a network.
The networking.wireless.iwd module has a new networking.wireless.iwd.settings option.
The services.smokeping.host option was added and defaulted to
localhost
. Before,smokeping
listened to all interfaces by default. NixOS defaults generally aim to provide non-Internet-exposed defaults for databases and internal monitoring tools, see e.g. #100192. Further, the systemd service forsmokeping
got reworked defaults for increased operational stability, see PR #144127 for details.The services.syncoid.enable module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn’t clean up after execution. You can manually look this up for your pools by running
zfs allow your-pool-name
and usezfs unallow syncoid your-pool-name
to clean this up.Zfs:
latestCompatibleLinuxPackages
is now exported on the zfs package. One can useboot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
to always track the latest compatible kernel with a given version of zfs.Nginx will use the value of
sslTrustedCertificate
if provided for a virtual host, even ifenableACME
is set. This is useful for providers not using the same certificate to sign OCSP responses and server certificates.lib.formats.yaml
’sgenerate
will not generate JSON anymore, but instead use more of the YAML-specific syntax.MariaDB was upgraded from 10.5.x to 10.6.x. Please read the upstream release notes for changes and upgrade instructions.
The MariaDB C client library, also known as libmysqlclient or mariadb-connector-c, was upgraded from 3.1.x to 3.2.x. While this should hopefully not have any impact, this upgrade comes with some changes to default behavior, so you might want to review the upstream release notes.
GNOME desktop environment now enables
QGnomePlatform
as the Qt platform theme, which should avoid crashes when opening file chooser dialogs in Qt apps by using XDG desktop portal. Additionally, it will make the apps fit better visually.rofi
has been updated from “1.6.1” to “1.7.0”, one important thing is the removal of the old xresources based configuration setup. Read more in rofi’s changelog.ipfs now defaults to not listening on you local network. This setting was change as server providers won’t accept port scanning on their private network. If you have several ipfs instances running on a network you own, feel free to change the setting
ipfs.localDiscovery = true;
. localDiscovery enables different instances to discover each other and share data.lua
andluajit
interpreters have been patched to avoid looking into /usr/lib directories, thus increasing the purity of the build.Three new options, xdg.mime.addedAssociations, xdg.mime.defaultApplications, and xdg.mime.removedAssociations have been added to the xdg.mime module to allow the configuration of
/etc/xdg/mimeapps.list
.Kopia was upgraded from 0.8.x to 0.9.x. Please read the upstream release notes for changes and upgrade instructions.
The
systemd.network
module has gained support for the FooOverUDP link type.The
networking
module has a newnetworking.fooOverUDP
option to configure Foo-over-UDP encapsulations.networking.sits
now supports Foo-over-UDP encapsulation.The
virtualisation.libvirtd
module has been refactored and updated with new options:virtualisation.libvirtd.qemu*
options (e.g.:virtualisation.libvirtd.qemuRunAsRoot
) were moved tovirtualisation.libvirtd.qemu
submodule,software TPM1/TPM2 support (e.g.: Windows 11 guests) (
virtualisation.libvirtd.qemu.swtpm
),custom OVMF package (e.g.:
pkgs.OVMFFull
with HTTP, CSM and Secure Boot support) (virtualisation.libvirtd.qemu.ovmf.package
).
The
cawbird
Twitter client now uses its own API keys to count as different application than upstream builds. This is done to evade application-level rate limiting. While existing accounts continue to work, users may want to remove and re-register their account in the client to enjoy a better user experience and benefit from this change.A new option
services.prometheus.enableReload
has been added which can be enabled to reload the prometheus service when its config file changes instead of restarting.The option
services.prometheus.environmentFile
has been removed since it was causing issues and Prometheus now has native support for secret files, i.e.basic_auth.password_file
andauthorization.credentials_file
.Dokuwiki now supports caddy! However
the nginx option has been removed, in the new configuration, please use the
dokuwiki.webserver = "nginx"
instead.The “${hostname}” option has been deprecated, please use
dokuwiki.sites = [ "${hostname}" ]
instead
The services.unifi module has been reworked, solving a number of issues. This leads to several user facing changes:
The
services.unifi.dataDir
option is removed and the data is now always located under/var/lib/unifi/data
. This is done to make better use of systemd state direcotiry and thus making the service restart more reliable.The unifi logs can now be found under:
/var/log/unifi
instead of/var/lib/unifi/logs
.The unifi run directory can now be found under:
/run/unifi
instead of/var/lib/unifi/run
.
security.pam.services.<name>.makeHomeDir
now usesumask=0077
instead ofumask=0022
when creating the home directory.Loki has had another release. Some default values have been changed for the configuration and some configuration options have been renamed. For more details, please check the upgrade guide.
julia
now refers tojulia-stable
instead ofjulia-lts
. In practice this means it has been upgraded from1.0.4
to1.5.4
.RetroArch has been upgraded from version
1.8.5
to1.9.13.2
. Since the previous release was quite old, if you’re having issues after the upgrade, please delete your$XDG_CONFIG_HOME/retroarch/retroarch.cfg
file.hydrus has been upgraded from version
438
to463
. Since upgrading between releases this old is advised against, be sure to have a backup of your data before upgrading. For details, see the hydrus manual.pkgs.emacsPackages.orgPackages
is removed because org elpa is deprecated. The packages in the top level ofpkgs.emacsPackages
, such as org and org-contrib, refer to the ones inpkgs.emacsPackages.elpaPackages
andpkgs.emacsPackages.nongnuPackages
where the new versions will release.
B.2. Release 21.05 (“Okapi”, 2021.05/31)
Support is planned until the end of December 2021, handing over to 21.11.
B.2.1. Highlights
In addition to numerous new and upgraded packages, this release has the following highlights:
Core version changes:
gcc: 9.3.0 -> 10.3.0
glibc: 2.30 -> 2.32
default linux: 5.4 -> 5.10, all supported kernels available
mesa: 20.1.7 -> 21.0.1
Desktop Environments:
GNOME: 3.36 -> 40, see its release notes
Plasma5: 5.18.5 -> 5.21.3
kdeApplications: 20.08.1 -> 20.12.3
cinnamon: 4.6 -> 4.8.1
Programming Languages and Frameworks:
Python optimizations were disabled again. Builds with optimizations enabled are not reproducible. Optimizations can now be enabled with an option.
The linux_latest kernel was updated to the 5.13 series. It currently is not officially supported for use with the zfs filesystem. If you use zfs, you should use a different kernel version (either the LTS kernel, or track a specific one).
B.2.2. New Services
The following new services were added since the last release:
GNURadio 3.8 and 3.9 were finally packaged, along with a rewrite to the Nix expressions, allowing users to override the features upstream supports selecting to compile or not to. Additionally, the attribute
gnuradio
(3.9),gnuradio3_8
andgnuradio3_7
now point to an externally wrapped by default derivations, that allow you to also add `extraPythonPackages` to the Python interpreter used by GNURadio. Missing environmental variables needed for operational GUI were also added (#75478).Keycloak, an open source identity and access management server with support for OpenID Connect, OAUTH 2.0 and SAML 2.0.
See the Keycloak section of the NixOS manual for more information.
services.samba-wsdd.enable Web Services Dynamic Discovery host daemon
Discourse, a modern and open source discussion platform.
See the Discourse section of the NixOS manual for more information.
B.2.3. Backward Incompatibilities
When upgrading from a previous release, please be aware of the following incompatible changes:
GNOME desktop environment was upgraded to 40, see the release notes for 40.0 and 3.38. The
gnome3
attribute set has been renamed tognome
and so have been the NixOS options.If you are using
services.udev.extraRules
to assign custom names to network interfaces, this may stop working due to a change in the initialisation of dhcpcd and systemd networkd. To avoid this, either move them toservices.udev.initrdRules
or see the new Assigning custom names section of the NixOS manual for an example using networkd links.The
security.hideProcessInformation
module has been removed. It was broken since the switch to cgroups-v2.The
linuxPackages.ati_drivers_x11
kernel modules have been removed. The drivers only supported kernels prior to 4.2, and thus have become obsolete.The
systemConfig
kernel parameter is no longer added to boot loader entries. It has been unused since September 2010, but if do have a system generation from that era, you will now be unable to boot into them.systemd-journal2gelf
no longer parses json and expects the receiving system to handle it. How to achieve this with Graylog is described in this GitHub issue.If the
services.dbus
module is enabled, then the user D-Bus session is now always socket activated. The associated optionsservices.dbus.socketActivated
andservices.xserver.startDbusSession
have therefore been removed and you will receive a warning if they are present in your configuration. This change makes the user D-Bus session available also for non-graphical logins.The
networking.wireless.iwd
module now installs the upstream-provided 80-iwd.link file, which sets the NamePolicy= for all wlan devices to "keep kernel", to avoid race conditions between iwd and networkd. If you don't want this, you can setsystemd.network.links."80-iwd" = lib.mkForce {}
.rubyMinimal
was removed due to being unused and unusable. The default ruby interpreter includes JIT support, which makes it reference it's compiler. Since JIT support is probably needed by some Gems, it was decided to enable this feature with all cc references by default, and allow to build a Ruby derivation without references to cc, by settingjitSupport = false;
in an overlay. See #90151 for more info.Setting
services.openssh.authorizedKeysFiles
now also affects which keyssecurity.pam.enableSSHAgentAuth
will use. WARNING: If you are using these options in combination do make sure that any key paths you use are present inservices.openssh.authorizedKeysFiles
!The option
fonts.enableFontDir
has been renamed to fonts.fontDir.enable. The path of font directory has also been changed to/run/current-system/sw/share/X11/fonts
, for consistency with other X11 resources.A number of options have been renamed in the kicad interface.
oceSupport
has been renamed towithOCE
,withOCCT
has been renamed towithOCC
,ngspiceSupport
has been renamed towithNgspice
, andscriptingSupport
has been renamed towithScripting
. Additionally,kicad/base.nix
no longer provides default argument values since these are provided bykicad/default.nix
.The socket for the
pdns-recursor
module was moved from/var/lib/pdns-recursor
to/run/pdns-recursor
to match upstream.Paperwork was updated to version 2. The on-disk format slightly changed, and it is not possible to downgrade from Paperwork 2 back to Paperwork 1.3. Back your documents up before upgrading. See this thread for more details.
PowerDNS has been updated from
4.2.x
to4.3.x
. Please be sure to review the Upgrade Notes provided by upstream before upgrading. Worth specifically noting is that the service now runs entirely as a dedicatedpdns
user, instead of starting asroot
and dropping privileges, as well as the defaultsocket-dir
location changing from/var/lib/powerdns
to/run/pdns
.The
mediatomb
service is now using by default the new and maintained forkgerbera
package instead of the unmaintainedmediatomb
package. If you want to keep the old behavior, you must declare it with:{ services.mediatomb.package = pkgs.mediatomb; }
One new option
openFirewall
has been introduced which defaults to false. If you relied on the service declaration to add the firewall rules itself before, you should now declare it with:{ services.mediatomb.openFirewall = true; }
xfsprogs was update from 4.19 to 5.11. It now enables reflink support by default on filesystem creation. Support for reflinks was added with an experimental status to kernel 4.9 and deemed stable in kernel 4.16. If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than those, you need to format them with
mkfs.xfs -m reflink=0
.The uWSGI server is now built with POSIX capabilities. As a consequence, root is no longer required in emperor mode and the service defaults to running as the unprivileged
uwsgi
user. Any additional capability can be added via the new option services.uwsgi.capabilities. The previous behaviour can be restored by setting:{ services.uwsgi.user = "root"; services.uwsgi.group = "root"; services.uwsgi.instance = { uid = "uwsgi"; gid = "uwsgi"; }; }
Another incompatibility from the previous release is that vassals running under a different user or group need to use
immediate-{uid,gid}
instead of the usualuid,gid
options.btc1 has been abandoned upstream, and removed.
cpp_ethereum (aleth) has been abandoned upstream, and removed.
riak-cs package removed along with
services.riak-cs
module.stanchion package removed along with
services.stanchion
module.mutt has been updated to a new major version (2.x), which comes with some backward incompatible changes that are described in the release notes for Mutt 2.0.
vim
andneovim
switched to Python 3, dropping all Python 2 support.networking.wireguard.interfaces.<name>.generatePrivateKeyFile, which is off by default, had a
chmod
race condition fixed. As an aside, the parent directory's permissions were widened, and the key files were made owner-writable. This only affects newly created keys. However, if the exact permissions are important for your setup, read #121294.boot.zfs.forceImportAll previously did nothing, but has been fixed. However its default has been changed to
false
to preserve the existing default behaviour. If you have this explicitly set totrue
, please note that your non-root pools will now be forcibly imported.openafs now points to openafs_1_8, which is the new stable release. OpenAFS 1.6 was removed.
The WireGuard module gained a new option
networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshSeconds
that implements refreshing the IP of DNS-based endpoints periodically (which WireGuard itself cannot do).MariaDB has been updated to 10.5. Before you upgrade, it would be best to take a backup of your database and read Incompatible Changes Between 10.4 and 10.5. After the upgrade you will need to run
mysql_upgrade
.The TokuDB storage engine dropped in mariadb 10.5 and removed in mariadb 10.6. It is recommended to switch to RocksDB. See also TokuDB and MDEV-19780: Remove the TokuDB storage engine.
The
openldap
module now has support for OLC-style configuration, users of theconfigDir
option may wish to migrate. If you continue to useconfigDir
, ensure thatolcPidFile
is set to/run/slapd/slapd.pid
.As a result,
extraConfig
andextraDatabaseConfig
are removed. To help with migration, you can convert yourslapd.conf
file to OLC configuration with the following script (find the location of this configuration file by runningsystemctl status openldap
, it is the-f
option.$ TMPDIR=$(mktemp -d) $ slaptest -f /path/to/slapd.conf -F $TMPDIR $ slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
This will dump your current configuration in LDIF format, which should be straightforward to convert into Nix settings. This does not show your schema configuration, as this is unnecessarily verbose for users of the default schemas and
slaptest
is buggy with schemas directly in the config file.Amazon EC2 and OpenStack Compute (nova) images now re-fetch instance meta data and user data from the instance metadata service (IMDS) on each boot. For example: stopping an EC2 instance, changing its user data, and restarting the instance will now cause it to fetch and apply the new user data.
WarningSpecifically,
/etc/ec2-metadata
is re-populated on each boot. Some NixOS scripts that read from this directory are guarded to only run if the files they want to manipulate do not already exist, and so will not re-apply their changes if the IMDS response changes. Examples:root
's SSH key is only added if/root/.ssh/authorized_keys
does not exist, and SSH host keys are only set from user data if they do not exist in/etc/ssh
.The
rspamd
services is now sandboxed. It is run as a dynamic user instead of root, so secrets and other files may have to be moved or their permissions may have to be fixed. The sockets are now located in/run/rspamd
instead of/run
.Enabling the Tor client no longer silently also enables and configures Privoxy, and the
services.tor.client.privoxy.enable
option has been removed. To enable Privoxy, and to configure it to use Tor's faster port, use the following configuration:{ opt-services.privoxy.enable = true; opt-services.privoxy.enableTor = true; }
The
services.tor
module has a new exhaustively typed services.tor.settings option following RFC 0042; backward compatibility with old options has been preserved when aliasing was possible. The corresponding systemd service has been hardened, but there is a chance that the service still requires more permissions, so please report any related trouble on the bugtracker. Onion services v3 are now supported in services.tor.relay.onionServices. A new services.tor.openFirewall option as been introduced for allowing connections on all the TCP ports configured.The options
services.slurm.dbdserver.storagePass
andservices.slurm.dbdserver.configFile
have been removed. Useservices.slurm.dbdserver.storagePassFile
instead to provide the database password. Extra config options can be given via the optionservices.slurm.dbdserver.extraConfig
. The actual configuration file is created on the fly on startup of the service. This avoids that the password gets exposed in the nix store.The
wafHook
hook does not wrap Python anymore. Packages depending onwafHook
need to include any Python into theirnativeBuildInputs
.Starting with version 1.7.0, the project formerly named
CodiMD
is now namedHedgeDoc
. New installations will no longer use the old name for users, state directories and such, this needs to be considered when moving state to a more recent NixOS installation. Based on system.stateVersion, existing installations will continue to work.The fish-foreign-env package has been replaced with fishPlugins.foreign-env, in which the fish functions have been relocated to the
vendor_functions.d
directory to be loaded automatically.The prometheus json exporter is now managed by the prometheus community. Together with additional features some backwards incompatibilities were introduced. Most importantly the exporter no longer accepts a fixed command-line parameter to specify the URL of the endpoint serving JSON. It now expects this URL to be passed as an URL parameter, when scraping the exporter's
/probe
endpoint. In the prometheus scrape configuration the scrape target might look like this:http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint
Existing configuration for the exporter needs to be updated, but can partially be re-used. Documentation is available in the upstream repository and a small example for NixOS is available in the corresponding NixOS test.
These changes also affect services.prometheus.exporters.rspamd.enable, which is just a preconfigured instance of the json exporter.
For more information, take a look at the official documentation of the json_exporter.
Androidenv was updated, removing the
includeDocs
andlldbVersions
arguments. Docs only covered a single version of the Android SDK, LLDB is now bundled with the NDK, and both are no longer available to download from the Android package repositories. Additionally, since the package lists have been updated, some older versions of Android packages may not be bundled. If you depend on older versions of Android packages, we recommend overriding the repo.Android packages are now loaded from a repo.json file created by parsing Android repo XML files. The arguments
repoJson
andrepoXmls
have been added to allow overriding the built-in androidenv repo.json with your own. Additionally, license files are now written to allow compatibility with Gradle-based tools, and theextraLicenses
argument has been added to accept more SDK licenses if your project requires it. See the androidenv documentation for more details.The attribute
mpi
is now consistently used to provide a default, system-wide MPI implementation. The default implementation is openmpi, which has been used before by all derivations affects by this change. Note that all packages that have usedmpi ? null
in the input for optional MPI builds, have been changed to the boolean input paramateruseMpi
to enable building with MPI. Building all packages withmpich
instead of the defaultopenmpi
can now be achived like this:self: super: { mpi = super.mpich; }
The Searx module has been updated with the ability to configure the service declaratively and uWSGI integration. The option
services.searx.configFile
has been renamed to services.searx.settingsFile for consistency with the new services.searx.settings. In addition, thesearx
uid and gid reservations have been removed since they were not necessary: the service is now running with a dynamically allocated uid.The libinput module has been updated with the ability to configure mouse and touchpad settings separately. The options in
services.xserver.libinput
have been renamed toservices.xserver.libinput.touchpad
, while there is a newservices.xserver.libinput.mouse
for mouse related configuration.Since touchpad options no longer apply to all devices, you may want to replicate your touchpad configuration in mouse section.
ALSA OSS emulation (
sound.enableOSSEmulation
) is now disabled by default.Thinkfan as been updated to
1.2.x
, which comes with a new YAML based configuration format. For this reason, several NixOS options of the thinkfan module have been changed to non-backward compatible types. In addition, a new services.thinkfan.settings option has been added.Please read the thinkfan documentation before updating.
Adobe Flash Player support has been dropped from the tree. In particular, the following packages no longer support it:
chromium
firefox
qt5.qtwebkit
Additionally, packages flashplayer and hal-flash were removed along with the
services.flashpolicyd
module.The
security.rngd
module has been removed. It was disabled by default in 20.09 as it was functionally redundant with krngd in the linux kernel. It is not necessary for any device that the kernel recognises as an hardware RNG, as it will automatically run the krngd task to periodically collect random data from the device and mix it into the kernel's RNG.The default SMTP port for GitLab has been changed to
25
from its previous default of465
. If you depended on this default, you should now set the services.gitlab.smtp.port option.The default version of ImageMagick has been updated from 6 to 7. You can use imagemagick6, imagemagick6_light, and imagemagick6Big if you need the older version.
services.xserver.videoDrivers no longer uses the deprecated
cirrus
andvesa
device dependent X drivers by default. It also enables bothamdgpu
andnouveau
drivers by default now.The
kindlegen
package is gone, because it is no longer supported or hosted by Amazon. Sadly, its replacement, Kindle Previewer, has no Linux support. However, there are other ways to generate MOBI files. See the discussion for more info.The apacheKafka packages are now built with version-matched JREs. Versions 2.6 and above, the ones that recommend it, use jdk11, while versions below remain on jdk8. The NixOS service has been adjusted to start the service using the same version as the package, adjustable with the new services.apache-kafka.jre option. Furthermore, the default list of services.apache-kafka.jvmOptions have been removed. You should set your own according to the upstream documentation for your Kafka version.
The kodi package has been modified to allow concise addon management. Consider the following configuration from previous releases of NixOS to install kodi, including the kodiPackages.inputstream-adaptive and kodiPackages.vfs-sftp addons:
{ environment.systemPackages = [ pkgs.kodi ]; nixpkgs.config.kodi = { enableInputStreamAdaptive = true; enableVFSSFTP = true; }; }
All Kodi
config
flags have been removed, and as a result the above configuration should now be written as:{ environment.systemPackages = [ (pkgs.kodi.withPackages (p: with p; [ inputstream-adaptive vfs-sftp ])) ]; }
environment.defaultPackages
now includes the nano package. If pkgs.nano is not added to the list, make sure another editor is installed and theEDITOR
environment variable is set to it. Environment variables can be set usingenvironment.variables
.services.minio.dataDir
changed type to a list of paths, required for specifiyng multiple data directories for using with erasure coding. Currently, the service doesn't enforce nor checks the correct number of paths to correspond to minio requirements.All CUDA toolkit versions prior to CUDA 10 have been removed.
The kbdKeymaps package was removed since dvp and neo are now included in kbd. If you want to use the Programmer Dvorak Keyboard Layout, you have to use
dvorak-programmer
inconsole.keyMap
now instead ofdvp
. Inservices.xserver.xkbVariant
it's stilldvp
.The babeld service is now being run as an unprivileged user. To achieve that the module configures
skip-kernel-setup true
and takes care of setting forwarding and rp_filter sysctls by itself as well as for each interface inservices.babeld.interfaces
.The
services.zigbee2mqtt.config
option has been renamed toservices.zigbee2mqtt.settings
and now follows RFC 0042.
The yadm dotfile manager has been updated from 2.x to 3.x, which has new (XDG) default locations for some data/state files. Most yadm commands will fail and print a legacy path warning (which describes how to upgrade/migrate your repository). If you have scripts, daemons, scheduled jobs, shell profiles, etc. that invoke yadm, expect them to fail or misbehave until you perform this migration and prepare accordingly.
Instead of determining
services.radicale.package
automatically based onsystem.stateVersion
, the latest version is always used because old versions are not officially supported.Furthermore, Radicale's systemd unit was hardened which might break some deployments. In particular, a non-default
filesystem_folder
has to be added tosystemd.services.radicale.serviceConfig.ReadWritePaths
if the deprecatedservices.radicale.config
is used.In the
security.acme
module, use of--reuse-key
parameter for Lego has been removed. It was introduced for HKPK, but this security feature is now deprecated. It is a better security practice to rotate key pairs instead of always keeping the same. If you need to keep this parameter, you can add it back usingextraLegoRenewFlags
as an option for the appropriate certificate.
B.2.4. Other Notable Changes
stdenv.lib
has been deprecated and will break eval in 21.11. Please usepkgs.lib
instead. See #108938 for details.GNURadio has a
pkgs
attribute set, and there's agnuradio.callPackage
function that extendspkgs
with amkDerivation
, and amkDerivationWith
, like Qt5. Now allgnuradio.pkgs
are defined withgnuradio.callPackage
and some packages that depend on gnuradio are defined with this as well.Privoxy has been updated to version 3.0.32 (See announcement). Compared to the previous release, Privoxy has gained support for HTTPS inspection (still experimental), Brotli decompression, several new filters and lots of bug fixes, including security ones. In addition, the package is now built with compression and external filters support, which were previously disabled.
Regarding the NixOS module, new options for HTTPS inspection have been added and
services.privoxy.extraConfig
has been replaced by the new services.privoxy.settings (See RFC 0042 for the motivation).Kodi has been updated to version 19.1 "Matrix". See the announcement for further details.
The
services.packagekit.backend
option has been removed as it only supported a single setting which would always be the default. Instead new RFC 0042 compliant services.packagekit.settings and services.packagekit.vendorSettings options have been introduced.Nginx has been updated to stable version 1.20.0. Now nginx uses the zlib-ng library by default.
KDE Gear (formerly KDE Applications) is upgraded to 21.04, see its release notes for details.
The
kdeApplications
package set is nowkdeGear
, in keeping with the new name. The old name remains for compatibility, but it is deprecated.Libreswan has been updated to version 4.4. The package now includes example configurations and manual pages by default. The NixOS module has been changed to use the upstream systemd units and write the configuration in the
/etc/ipsec.d/
directory. In addition, two new options have been added to specify connection policies (services.libreswan.policies) and disable send/receive redirects (services.libreswan.disableRedirects).The Mailman NixOS module (
services.mailman
) has a new option services.mailman.enablePostfix, defaulting to true, that controls integration with Postfix.If this option is disabled, default MTA config becomes not set and you should set the options in
services.mailman.settings.mta
according to the desired configuration as described in Mailman documentation.The default-version of
nextcloud
is nextcloud21. Please note that it's not possible to upgradenextcloud
across multiple major versions! This means that it's e.g. not possible to upgrade from nextcloud18 to nextcloud20 in a single deploy and most20.09
users will have to upgrade to nextcloud20 first.The package can be manually upgraded by setting services.nextcloud.package to nextcloud21.
The setting services.redis.bind defaults to
127.0.0.1
now, making Redis listen on the loopback interface only, and not all public network interfaces.NixOS now emits a deprecation warning if systemd's
StartLimitInterval
setting is used in aserviceConfig
section instead of in aunitConfig
; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See #45785 for details.All services should use systemd.services.name.startLimitIntervalSec or
StartLimitIntervalSec
in systemd.services.name.unitConfig instead.The
mediatomb
service declares new options. It also adapts existing options so the configuration generation is now lazy. The existing optioncustomCfg
(defaults to false), when enabled, stops the service configuration generation completely. It then expects the users to provide their own correct configuration at the right location (whereas the configuration was generated and not used at all before). The new optiontranscodingOption
(defaults to no) allows a generated configuration. It makes the mediatomb service pulls the necessary runtime dependencies in the nix store (whereas it was generated with hardcoded values before). The new optionmediaDirectories
allows the users to declare autoscan media directories from their nixos configuration:{ services.mediatomb.mediaDirectories = [ { path = "/var/lib/mediatomb/pictures"; recursive = false; hidden-files = false; } { path = "/var/lib/mediatomb/audio"; recursive = true; hidden-files = false; } ]; }
The Unbound DNS resolver service (
services.unbound
) has been refactored to allow reloading, control sockets and to fix startup ordering issues.It is now possible to enable a local UNIX control socket for unbound by setting the services.unbound.localControlSocketPath option.
Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities.
As of this we are (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound as
unbound
user with the required capabilities instead of letting unbound do the chroot & uid/gid changes.The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the
Type
set tonotify
, therefore we are now also using theunbound-with-systemd
package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unitactive (running)
. This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Services depending onnss-lookup.target
orunbound.service
are now be able to use unbound when those targets have been reached.Additionally to the much stricter runtime environment the
/dev/urandom
mount lines we previously had in the code (that randomly failed during the stop-phase) have been removed as systemd will take care of those for us.The
preStart
script is now only required if we enabled the trust anchor updates (which are still enabled by default).Another benefit of the refactoring is that we can now issue reloads via either
pkill -HUP unbound
andsystemctl reload unbound
to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. We are using the path/etc/unbound/unbound.conf
as that is the default in the CLI tooling which in turn enables us to useunbound-control
without passing a custom configuration location.The module has also been reworked to be RFC 0042 compliant. As such,
sevices.unbound.extraConfig
has been removed and replaced by services.unbound.settings.services.unbound.interfaces
has been renamed toservices.unbound.settings.server.interface
.services.unbound.forwardAddresses
andservices.unbound.allowedAccess
have also been changed to use the new settings interface. You can follow the instructions when executingnixos-rebuild
to upgrade your configuration to use the new interface.The
services.dnscrypt-proxy2
module now takes the upstream's example configuration and updates it with the user's settings. An option has been added to restore the old behaviour if you prefer to declare the configuration from scratch.NixOS now defaults to the unified cgroup hierarchy (cgroupsv2). See the Fedora Article for 31 for details on why this is desirable, and how it impacts containers.
If you want to run containers with a runtime that does not yet support cgroupsv2, you can switch back to the old behaviour by setting systemd.enableUnifiedCgroupHierarchy =
false
; and rebooting.PulseAudio was upgraded to 14.0, with changes to the handling of default sinks. See its release notes.
GNOME users may wish to delete their
~/.config/pulse
due to the changes to stream routing logic. See PulseAudio bug 832 for more information.The zookeeper package does not provide
zooInspector.sh
anymore, as that "contrib" has been dropped from upstream releases.In the ACME module, the data used to build the hash for the account directory has changed to accomodate new features to reduce account rate limit issues. This will trigger new account creation on the first rebuild following this update. No issues are expected to arise from this, thanks to the new account creation handling.
users.users.name.createHome now always ensures home directory permissions to be
0700
. Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others. The option's description was incorrect regarding ownership management and has been simplified greatly.When defining a new user, one of users.users.name.isNormalUser and users.users.name.isSystemUser is now required. This is to prevent accidentally giving a UID above 1000 to system users, which could have unexpected consequences, like running user activation scripts for system users. Note that users defined with an explicit UID below 500 are exempted from this check, as users.users.name.isSystemUser has no effect for those.
The
security.apparmor
module, for the AppArmor Mandatory Access Control system, has been substantialy improved along with related tools, so that module maintainers can now more easily write AppArmor profiles for NixOS. The most notable change on the user-side is the new option security.apparmor.policies, replacing the previousprofiles
option to provide a way to disable a profile and to select whether to confine in enforce mode (default) or in complain mode (seejournalctl -b --grep apparmor
). Security-minded users may also want to enable security.apparmor.killUnconfinedConfinables, at the cost of having some of their processes killed when updating to a NixOS version introducing new AppArmor profiles.The GNOME desktop manager once again installs gnome.epiphany by default.
NixOS now generates empty
/etc/netgroup
./etc/netgroup
defines network-wide groups and may affect to setups using NIS.Platforms, like
stdenv.hostPlatform
, no longer have aplatform
attribute. It has been (mostly) flattened away:platform.gcc
is nowgcc
platform.kernel*
is nowlinux-kernel.*
Additionally,
platform.kernelArch
moved to the top level aslinuxArch
to match the other*Arch
variables.The
platform
grouping of these things never meant anything, and was just a historial/implementation artifact that was overdue removal.services.restic
now uses a dedicated cache directory for every backup defined inservices.restic.backups
. The old global cache directory,/root/.cache/restic
, is now unused and can be removed to free up disk space.isync
: Theisync
compatibility wrapper was removed and the Master/Slave terminology has been deprecated and should be replaced with Far/Near in the configuration file.The nix-gc service now accepts randomizedDelaySec (default: 0) and persistent (default: true) parameters. By default nix-gc will now run immediately if it would have been triggered at least once during the time when the timer was inactive.
The
rustPlatform.buildRustPackage
function is split into several hooks: cargoSetupHook to set up vendoring for Cargo-based projects, cargoBuildHook to build a project using Cargo, cargoInstallHook to install a project using Cargo, and cargoCheckHook to run tests in Cargo-based projects. With this change, mixed-language projects can use the relevant hooks within builders other thanbuildRustPackage
. However, these changes also required several API changes tobuildRustPackage
itself:The
target
argument was removed. Instead,buildRustPackage
will always use the same target as the C/C++ compiler that is used.The
cargoParallelTestThreads
argument was removed. Parallel tests are now disabled throughdontUseCargoParallelTests
.
The
rustPlatform.maturinBuildHook
hook was added. This hook can be used withbuildPythonPackage
to build Python packages that are written in Rust and use Maturin as their build tool.Kubernetes has deprecated docker as container runtime. As a consequence, the Kubernetes module now has support for configuration of custom remote container runtimes and enables containerd by default. Note that containerd is more strict regarding container image OCI-compliance. As an example, images with CMD or ENTRYPOINT defined as strings (not lists) will fail on containerd, while working fine on docker. Please test your setup and container images with containerd prior to upgrading.
The GitLab module now has support for automatic backups. A schedule can be set with the services.gitlab.backup.startAt option.
Prior to this release, systemd would also read system units from an undocumented
/etc/systemd-mutable/system
path. This path has been dropped from the defaults. That path (or others) can be re-enabled by adding it to the boot.extraSystemdUnitPaths list.PostgreSQL 9.5 is scheduled EOL during the 21.05 life cycle and has been removed.
Xfce4 relies on GIO/GVfs for userspace virtual filesystem access in applications like thunar and gigolo. For that to work, the gvfs nixos service is enabled by default, and it can be configured with the specific package that provides GVfs. Until now Xfce4 was setting it to use a lighter version of GVfs (without support for samba). To avoid conflicts with other desktop environments this setting has been dropped. Users that still want it should add the following to their system configuration:
{ services.gvfs.package = pkgs.gvfs.override { samba = null; }; }
The newly enabled
systemd-pstore.service
now automatically evacuates crashdumps and panic logs from the persistent storage to/var/lib/systemd/pstore
. This prevents NVRAM from filling up, which ensures the latest diagnostic data is always stored and alleviates problems with writing new boot configurations.Nixpkgs now contains automatically packaged GNOME Shell extensions from the GNOME Extensions portal. You can find them, filed by their UUID, under
gnome38Extensions
attribute for GNOME 3.38 and undergnome40Extensions
for GNOME 40. Finally, thegnomeExtensions
attribute contains extensions for the latest GNOME Shell version in Nixpkgs, listed under a more human-friendly name. The unqualified attribute scope also contains manually packaged extensions. Note that the automatically packaged extensions are provided for convenience and are not checked or guaranteed to work.Erlang/OTP versions older than R21 got dropped. We also dropped the cuter package, as it was purely an example of how to build a package. We also dropped
lfe_1_2
as it could not build with R21+. Moving forward, we expect to only support 3 yearly releases of OTP.
B.3. Release 20.09 (“Nightingale”, 2020.10/27)
Support is planned until the end of June 2021, handing over to 21.05. (Plans have shifted by two months since release of 20.09.)
B.3.1. Highlights
In addition to 7349 new, 14442 updated, and 8181 removed packages, this release has the following highlights:
Core version changes:
gcc: 9.2.0 -> 9.3.0
glibc: 2.30 -> 2.31
linux: still defaults to 5.4.x, all supported kernels available
mesa: 19.3.5 -> 20.1.7
Desktop Environments:
plasma5: 5.17.5 -> 5.18.5
kdeApplications: 19.12.3 -> 20.08.1
gnome3: 3.34 -> 3.36, see its release notes
cinnamon: added at 4.6
NixOS now distributes an official GNOME ISO
Programming Languages and Frameworks:
Agda ecosystem was heavily reworked (see more details below)
PHP now defaults to PHP 7.4, updated from 7.3
PHP 7.2 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 20.09 release
Python 3 now defaults to Python 3.8 instead of 3.7
Python 3.5 reached its upstream EOL at the end of September 2020: it has been removed from the list of available packages
Databases and Service Monitoring:
MariaDB has been updated to 10.4, MariaDB Galera to 26.4. Please read the related upgrade instructions under backwards incompatibilities before upgrading.
Zabbix now defaults to 5.0, updated from 4.4. Please read related sections under backwards compatibilities before upgrading.
Major module changes:
Quickly configure a complete, private, self-hosted video conferencing solution with the new Jitsi Meet module.
Two new options, authorizedKeysCommand and authorizedKeysCommandUser, have been added to the
openssh
module. If you haveAuthorizedKeysCommand
in your services.openssh.extraConfig you should make use of these new options instead.There is a new module for Podman (
virtualisation.podman
), a drop-in replacement for the Docker command line.The new
virtualisation.containers
module manages configuration shared by the CRI-O and Podman modules.Declarative Docker containers are renamed from
docker-containers
tovirtualisation.oci-containers.containers
. This is to make it possible to usepodman
instead ofdocker
.The new option documentation.man.generateCaches has been added to automatically generate the
man-db
caches, which are needed by utilities likewhatis
andapropos
. The caches are generated during the build of the NixOS configuration: since this can be expensive when a large number of packages are installed, the feature is disabled by default.services.postfix.sslCACert
was replaced byservices.postfix.tlsTrustedAuthorities
which now defaults to system certificate authorities.The various documented workarounds to use steam have been converted to a module.
programs.steam.enable
enables steam, controller support and the workarounds.Support for built-in LCDs in various pieces of Logitech hardware (keyboards and USB speakers).
hardware.logitech.lcd.enable
enables support for all hardware supported by the g15daemon project.The GRUB module gained support for basic password protection, which allows to restrict non-default entries in the boot menu to one or more users. The users and passwords are defined via the option
boot.loader.grub.users
. Note: Password support is only available in GRUB version 2.
NixOS module changes:
The NixOS module system now supports freeform modules as a mix between
types.attrsOf
andtypes.submodule
. These allow you to explicitly declare a subset of options while still permitting definitions without an associated option. See Section 65.8, “Freeform modules” for how to use them.Following its deprecation in 20.03, the Perl NixOS test driver has been removed. All remaining tests have been ported to the Python test framework. Code outside nixpkgs using
make-test.nix
ortesting.nix
needs to be ported tomake-test-python.nix
andtesting-python.nix
respectively.Subordinate GID and UID mappings are now set up automatically for all normal users. This will make container tools like Podman work as non-root users out of the box.
Starting with this release, the hydra-build-result
nixos-YY.MM
branches no longer exist in the deprecated nixpkgs-channels repository. These branches are now in the main nixpkgs repository.
B.3.2. New Services
In addition to 1119 new, 118 updated, and 476 removed options; 61 new modules were added since the last release:
Hardware:
hardware.system76.firmware-daemon.enable adds easy support of system76 firmware
hardware.uinput.enable loads uinput kernel module
hardware.video.hidpi.enable enable good defaults for HiDPI displays
hardware.wooting.enable support for Wooting keyboards
hardware.xpadneo.enable xpadneo driver for Xbox One wireless controllers
Programs:
programs.hamster.enable enable hamster time tracking
programs.steam.enable adds easy enablement of steam and related system configuration
Security:
security.doas.enable alternative to sudo, allows non-root users to execute commands as root
security.tpm2.enable add Trusted Platform Module 2 support
System:
boot.initrd.network.openvpn.enable start an OpenVPN client during initrd boot
Virtualization:
Services:
services.ankisyncd.enable Anki sync server
services.bazarr.enable Subtitle manager for Sonarr and Radarr
services.biboumi.enable Biboumi XMPP gateway to IRC
services.blockbook-frontend Blockbook-frontend, a service for the Trezor wallet
services.cage.enable Wayland cage service
services.convos.enable IRC daemon, which can be accessed throught the browser
services.engelsystem.enable Tool for coordinating volunteers and shifts on large events
services.espanso.enable text-expander written in rust
services.foldingathome.enable Folding@home client
services.gerrit.enable Web-based team code collaboration tool
services.go-neb.enable Matrix bot
services.hardware.xow.enable xow as a systemd service
services.hercules-ci-agent.enable Hercules CI build agent
services.jicofo.enable Jitsi Conference Focus, component of Jitsi Meet
services.jirafeau.enable A web file repository
services.jitsi-meet.enable Secure, simple and scalable video conferences
services.jitsi-videobridge.enable Jitsi Videobridge, a WebRTC compatible router
services.jupyterhub.enable Jupyterhub development server
services.k3s.enable Lightweight Kubernetes distribution
services.magic-wormhole-mailbox-server.enable Magic Wormhole Mailbox Server
services.malcontent.enable Parental Control support
services.matrix-appservice-discord.enable Matrix and Discord bridge
services.mautrix-telegram.enable Matrix-Telegram puppeting/relaybot bridge
services.mirakurun.enable Japanese DTV Tuner Server Service
services.molly-brown.enable Molly-Brown Gemini server
services.mullvad-vpn.enable Mullvad VPN daemon
services.ncdns.enable Namecoin to DNS bridge
services.nextdns.enable NextDNS to DoH Proxy service
services.nix-store-gcs-proxy Google storage bucket to be used as a nix store
services.onedrive.enable OneDrive sync service
services.pinnwand.enable Pastebin-like service
services.pixiecore.enable Manage network booting of machines
services.privacyidea.enable Privacy authentication server
services.quorum.enable Quorum blockchain daemon
services.robustirc-bridge.enable RobustIRC bridge
services.rss-bridge.enable Generate RSS and Atom feeds
services.rtorrent.enable rTorrent service
services.smartdns.enable SmartDNS DNS server
services.sogo.enable SOGo groupware
services.teeworlds.enable Teeworlds game server
services.torque.mom.enable torque computing node
services.torque.server.enable torque server
services.tuptime.enable A total uptime service
services.urserver.enable X11 remote server
services.wasabibackend.enable Wasabi backend service
services.yubikey-agent.enable Yubikey agent
services.zigbee2mqtt.enable Zigbee to MQTT bridge
B.3.3. Backward Incompatibilities
When upgrading from a previous release, please be aware of the following incompatible changes:
MariaDB has been updated to 10.4, MariaDB Galera to 26.4. Before you upgrade, it would be best to take a backup of your database. For MariaDB Galera Cluster, see Upgrading from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster instead. Before doing the upgrade read Incompatible Changes Between 10.3 and 10.4. After the upgrade you will need to run
mysql_upgrade
. MariaDB 10.4 introduces a number of changes to the authentication process, intended to make things easier and more intuitive. See Authentication from MariaDB 10.4. unix_socket auth plugin does not use a password, and uses the connecting user's UID instead. When a new MariaDB data directory is initialized, two MariaDB users are created and can be used with new unix_socket auth plugin, as well as traditional mysql_native_password plugin: root@localhost and mysql@localhost. To actually use the traditional mysql_native_password plugin method, one must run the following:{ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("verysecret"); ''; }
When MariaDB data directory is just upgraded (not initialized), the users are not created or modified.
MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when calling
LOAD DATA INFILE or SELECT * INTO OUTFILE
. In this scenario a variant of the following may be required: - allow MySQL to read from /home and /tmp directories when usingLOAD DATA INFILE
{ systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only"; }
- allow MySQL to write to custom folder
/var/data
when usingSELECT * INTO OUTFILE
, assuming the mysql user has write access to/var/data
{ systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ]; }
The MySQL service no longer runs its
systemd
service startup script asroot
anymore. A dedicated nonroot
super user account is required for operation. This means users with an existing MySQL or MariaDB database server are required to run the following SQL statements as a super admin user before upgrading:CREATE USER IF NOT EXISTS 'mysql'@'localhost' identified with unix_socket; GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
If you use MySQL instead of MariaDB please replace
unix_socket
withauth_socket
. If you have changed the value of services.mysql.user from the default ofmysql
to a different user please change'mysql'@'localhost'
to the corresponding user instead.Zabbix now defaults to 5.0, updated from 4.4. Please carefully read through the upgrade guide and apply any changes required. Be sure to take special note of the section on enabling extended range of numeric (float) values as you will need to apply this database migration manually.
If you are using Zabbix Server with a MySQL or MariaDB database you should note that using a character set of
utf8
and a collate ofutf8_bin
has become mandatory with this release. See the upstream issue for further discussion. Before upgrading you should check the character set and collation used by your database and ensure they are correct:SELECT default_character_set_name, default_collation_name FROM information_schema.schemata WHERE schema_name = 'zabbix';
If these values are not correct you should take a backup of your database and convert the character set and collation as required. Here is an example of how to do so, taken from the Zabbix forums:
ALTER DATABASE `zabbix` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin; -- the following will produce a list of SQL commands you should subsequently execute SELECT CONCAT("ALTER TABLE ", TABLE_NAME," CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;") AS ExecuteTheString FROM information_schema.`COLUMNS` WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ci";
maxx package removed along with
services.xserver.desktopManager.maxx
module. Please migrate to cdesktopenv andservices.xserver.desktopManager.cde
module.The matrix-synapse module no longer includes optional dependencies by default, they have to be added through the plugins option.
buildGoModule
now internally creates a vendor directory in the source tree for downloaded modules instead of using go's module proxy protocol. This storage format is simpler and therefore less likely to break with future versions of go. As a resultbuildGoModule
switched frommodSha256
to thevendorSha256
attribute to pin fetched version data.Grafana is now built without support for phantomjs by default. Phantomjs support has been deprecated in Grafana and the phantomjs project is currently unmaintained. It can still be enabled by providing
phantomJsSupport = true
to the package instantiation:{ services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec { phantomJsSupport = true; }); }
The supybot module now uses
/var/lib/supybot
as its default stateDir path ifstateVersion
is 20.09 or higher. It also enables a number of systemd sandboxing options which may possibly interfere with some plugins. If this is the case you can disable the options through attributes insystemd.services.supybot.serviceConfig
.The
security.duosec.skey
option, which stored a secret in the nix store, has been replaced by a new security.duosec.secretKeyFile option for better security.security.duosec.ikey
has been renamed to security.duosec.integrationKey.vmware
has been removed from theservices.x11.videoDrivers
defaults. For VMWare guests setvirtualisation.vmware.guest.enable
totrue
which will include the appropriate drivers.The initrd SSH support now uses OpenSSH rather than Dropbear to allow the use of Ed25519 keys and other OpenSSH-specific functionality. Host keys must now be in the OpenSSH format, and at least one pre-generated key must be specified.
If you used the
boot.initrd.network.ssh.host*Key
options, you'll get an error explaining how to convert your host keys and migrate to the newboot.initrd.network.ssh.hostKeys
option. Otherwise, if you don't have any host keys set, you'll need to generate some; see thehostKeys
option documentation for instructions.Since this release there's an easy way to customize your PHP install to get a much smaller base PHP with only wanted extensions enabled. See the following snippet installing a smaller PHP with the extensions
imagick
,opcache
,pdo
andpdo_mysql
loaded:{ environment.systemPackages = [ (pkgs.php.withExtensions ({ all, ... }: with all; [ imagick opcache pdo pdo_mysql ]) ) ]; }
The default
php
attribute hasn't lost any extensions. Theopcache
extension has been added. All upstream PHP extensions are available under php.extensions.<name?>.All PHP
config
flags have been removed for the following reasons:The updated
php
attribute is now easily customizable to your liking by usingphp.withExtensions
orphp.buildEnv
instead of writing config files or changing configure flags.The remaining configuration flags can now be set directly on the
php
attribute. For example, instead of{ php.override { config.php.embed = true; config.php.apxs2 = false; } }
you should now write
{ php.override { embedSupport = true; apxs2Support = false; } }
The ACME module has been overhauled for simplicity and maintainability. Cert generation now implicitly uses the
acme
user, and thesecurity.acme.certs._name_.user
option has been removed. Instead, certificate access from other services is now managed through group permissions. The module no longer runs lego twice under certain conditions, and will correctly renew certificates if their configuration is changed. Services which reload nginx and httpd after certificate renewal are now properly configured too so you no longer have to do this manually if you are using HTTPS enabled virtual hosts. A mechanism for regenerating certs on demand has also been added and documented.Gollum received a major update to version 5.x and you may have to change some links in your wiki when migrating from gollum 4.x. More information can be found here.
Deluge 2.x was added and is used as default for new NixOS installations where stateVersion is >= 20.09. If you are upgrading from a previous NixOS version, you can set
service.deluge.package = pkgs.deluge-2_x
to upgrade to Deluge 2.x and migrate the state to the new format. Be aware that backwards state migrations are not supported by Deluge.Nginx web server now starting with additional sandbox/hardening options. By default, write access to
/var/log/nginx
and/var/cache/nginx
is allowed. To allow writing to other folders, usesystemd.services.nginx.serviceConfig.ReadWritePaths
{ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; }
Nginx is also started with the systemd option
ProtectHome = mkDefault true;
which forbids it to read anything from/home
,/root
and/run/user
(see ProtectHome docs for details). If you require serving files from home directories, you may choose to set e.g.{ systemd.services.nginx.serviceConfig.ProtectHome = "read-only"; }
The NixOS options
nesting.clone
andnesting.children
have been deleted, and replaced with named specialisation configurations.Replace a
nesting.clone
entry with:{ specialisation.example-sub-configuration = { configuration = { ... }; };
Replace a
nesting.children
entry with:{ specialisation.example-sub-configuration = { inheritParentConfig = false; configuration = { ... }; };
To switch to a specialised configuration at runtime you need to run:
$ sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test
Before you would have used:
$ sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
The Nginx log directory has been moved to
/var/log/nginx
, the cache directory to/var/cache/nginx
. The optionservices.nginx.stateDir
has been removed.The httpd web server previously started its main process as root privileged, then ran worker processes as a less privileged identity user. This was changed to start all of httpd as a less privileged user (defined by services.httpd.user and services.httpd.group). As a consequence, all files that are needed for httpd to run (included configuration fragments, SSL certificates and keys, etc.) must now be readable by this less privileged user/group.
The default value for services.httpd.mpm has been changed from
prefork
toevent
. Along with this change the default value for services.httpd.virtualHosts.<name>.http2 has been set totrue
.The
systemd-networkd
optionsystemd.network.networks.<name>.dhcp.CriticalConnection
has been removed following upstream systemd's deprecation of the same. It is recommended to usesystemd.network.networks.<name>.networkConfig.KeepConfiguration
instead. See systemd.network 5 for details.The
systemd-networkd
optionsystemd.network.networks._name_.dhcpConfig
has been renamed to systemd.network.networks.name.dhcpV4Config following upstream systemd's documentation change. See systemd.network 5 for details.In the
picom
module, several options that accepted floating point numbers encoded as strings (for example services.picom.activeOpacity) have been changed to the (relatively) new nativefloat
type. To migrate your configuration simply remove the quotes around the numbers.When using
buildBazelPackage
from Nixpkgs,flat
hash mode is now used for dependencies instead ofrecursive
. This is to better allow using hashed mirrors where needed. As a result, these hashes will have changed.The syntax of the PostgreSQL configuration file is now checked at build time. If your configuration includes a file inaccessible inside the build sandbox, set
services.postgresql.checkConfig
tofalse
.The rkt module has been removed, it was archived by upstream.
The Bazaar VCS is unmaintained and, as consequence of the Python 2 EOL, the packages
bazaar
andbazaarTools
were removed. Breezy, the backward compatible fork of Bazaar (see the announcement), was packaged asbreezy
and can be used instead.Regarding Nixpkgs,
fetchbzr
,nix-prefetch-bzr
and Bazaar support in Hydra will continue to work through Breezy.In addition to the hostname, the fully qualified domain name (FQDN), which consists of
${networking.hostName}
and${networking.domain}
is now added to/etc/hosts
, to allow local FQDN resolution, as used by thehostname --fqdn
command and other applications that try to determine the FQDN. These new entries take precedence over entries from the DNS which could cause regressions in some very specific setups. Additionally the hostname is now resolved to127.0.0.2
instead of127.0.1.1
to be consistent with whatnss-myhostname
(from systemd) returns. The old behaviour can e.g. be restored by usingnetworking.hosts = lib.mkForce { "127.0.1.1" = [ config.networking.hostName ]; };
.The hostname (
networking.hostName
) must now be a valid DNS label (see RFC 1035, RFC 1123) and as such must not contain the domain part. This means that the hostname must start with a letter or digit, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. The maximum length is 63 characters. Additionally it is recommended to only use lower-case characters. If (e.g. for legacy reasons) a FQDN is required as the Linux kernel network node hostname (uname --nodename
) the optionboot.kernel.sysctl."kernel.hostname"
can be used as a workaround (but be aware of the 64 character limit).The GRUB specific option
boot.loader.grub.extraInitrd
has been replaced with the generic optionboot.initrd.secrets
. This option creates a secondary initrd from the specified files, rather than using a manually created initrd file. Due to an existing bug withboot.loader.grub.extraInitrd
, it is not possible to directly boot an older generation that used that option. It is still possible to rollback to that generation if the required initrd file has not been deleted.The DNSChain package and NixOS module have been removed from Nixpkgs as the software is unmaintained and can't be built. For more information see issue #89205.
In the
resilio
module, services.resilio.httpListenAddr has been changed to listen to[::1]
instead of0.0.0.0
.sslh
has been updated to version1.21
. Thessl
probe must be renamed totls
in services.sslh.appendConfig.Users of OpenAFS 1.6 must upgrade their services to OpenAFS 1.8! In this release, the OpenAFS package version 1.6.24 is marked broken but can be used during transition to OpenAFS 1.8.x. Use the options
services.openafsClient.packages.module
,services.openafsClient.packages.programs
andservices.openafsServer.package
to select a different OpenAFS package. OpenAFS 1.6 will be removed in the next release. The packageopenafs
and the service options will then silently point to the OpenAFS 1.8 release.See also the OpenAFS Administrator Guide for instructions. Beware of the following when updating servers:
The storage format of the server key has changed and the key must be converted before running the new release.
When updating multiple database servers, turn off the database servers from the highest IP down to the lowest with resting periods in between. Start up in reverse order. Do not concurrently run database servers working with different OpenAFS releases!
Update servers first, then clients.
Radicale's default package has changed from 2.x to 3.x. An upgrade checklist can be found here. You can use the newer version in the NixOS service by setting the
package
toradicale3
, which is done automatically ifstateVersion
is 20.09 or higher.udpt
experienced a complete rewrite from C++ to rust. The configuration format changed from ini to toml. The new configuration documentation can be found at the official website and example configuration is packaged in${udpt}/share/udpt/udpt.toml
.We now have a unified services.xserver.displayManager.autoLogin option interface to be used for every display-manager in NixOS.
The
bitcoind
module has changed to multi-instance, using submodules. Therefore, it is now mandatory to name each instance. To use this new multi-instance config with an existing bitcoind data directory and user, you have to adjust the original config, e.g.:{ services.bitcoind = { enable = true; extraConfig = "..."; ... }; }
To something similar:
{ services.bitcoind.mainnet = { enable = true; dataDir = "/var/lib/bitcoind"; user = "bitcoin"; extraConfig = "..."; ... }; }
The key settings are:
dataDir
- to continue using the same data directory.user
- to continue using the same user so that bitcoind maintains access to its files.
Graylog introduced a change in the LDAP server certificate validation behaviour for version 3.3.3 which might break existing setups. When updating Graylog from a version before 3.3.3 make sure to check the Graylog release info for information on how to avoid the issue.
The
dokuwiki
module has changed to multi-instance, using submodules. Therefore, it is now mandatory to name each instance. Moreover, forcing SSL by default has been dropped, songinx.forceSSL
andnginx.enableACME
are no longer set totrue
. To continue using your service with the original SSL settings, you have to adjust the original config, e.g.:{ services.dokuwiki = { enable = true; ... }; }
To something similar:
{ services.dokuwiki."mywiki" = { enable = true; nginx = { forceSSL = true; enableACME = true; }; ... }; }
The base package has also been upgraded to the 2020-07-29 "Hogfather" release. Plugins might be incompatible or require upgrading.
The services.postgresql.dataDir option is now set to
"/var/lib/postgresql/${cfg.package.psqlSchema}"
regardless of your system.stateVersion. Users with an existing postgresql install that have a system.stateVersion of17.03
or below should double check what the value of their services.postgresql.dataDir option is (/var/db/postgresql
) and then explicitly set this value to maintain compatibility:{ services.postgresql.dataDir = "/var/db/postgresql"; }
The postgresql module now expects there to be a database super user account called
postgres
regardless of your system.stateVersion. Users with an existing postgresql install that have a system.stateVersion of17.03
or below should run the following SQL statements as a database super admin user before upgrading:CREATE ROLE postgres LOGIN SUPERUSER;
The USBGuard module now removes options and instead hardcodes values for
IPCAccessControlFiles
,ruleFiles
, andauditFilePath
. Audit logs can be found in the journal.The NixOS module system now evaluates option definitions more strictly, allowing it to detect a larger set of problems. As a result, what previously evaluated may not do so anymore. See the PR that changed this for more info.
For NixOS configuration options, the type
loaOf
, after its initial deprecation in release 20.03, has been removed. In NixOS and Nixpkgs options using this type have been converted toattrsOf
. For more information on this change have look at these links: issue #1800, PR #63103.config.systemd.services.${name}.path
now returns a list of paths instead of a colon-separated string.Caddy module now uses Caddy v2 by default. Caddy v1 can still be used by setting services.caddy.package to
pkgs.caddy1
.New option services.caddy.adapter has been added.
The jellyfin module will use and stay on the Jellyfin version
10.5.5
ifstateVersion
is lower than20.09
. This is because significant changes were made to the database schema, and it is highly recommended to backup your instance before upgrading. After making your backup, you can upgrade to the latest version either by setting yourstateVersion
to20.09
or higher, or set theservices.jellyfin.package
topkgs.jellyfin
. If you do not wish to upgrade Jellyfin, but want to change yourstateVersion
, you can set the value ofservices.jellyfin.package
topkgs.jellyfin_10_5
.The
security.rngd
service is now disabled by default. This choice was made because there's krngd in the linux kernel space making it (for most usecases) functionally redundent.The
hardware.nvidia.optimus_prime.enable
service has been renamed tohardware.nvidia.prime.sync.enable
and has many new enhancements. Related nvidia prime settings may have also changed.The package nextcloud17 has been removed and nextcloud18 was marked as insecure since both of them will will be EOL (end of life) within the lifetime of 20.09.
It's necessary to upgrade to nextcloud19:
From nextcloud17, you have to upgrade to nextcloud18 first as Nextcloud doesn't allow going multiple major revisions forward in a single upgrade. This is possible by setting services.nextcloud.package to nextcloud18.
From nextcloud18, it's possible to directly upgrade to nextcloud19 by setting services.nextcloud.package to nextcloud19.
The GNOME desktop manager no longer default installs gnome3.epiphany. It was chosen to do this as it has a usability breaking issue (see issue #98819) that makes it unsuitable to be a default app.
Issue #98819 is now fixed and gnome3.epiphany is once again installed by default.
If you want to manage the configuration of wpa_supplicant outside of NixOS you must ensure that none of networking.wireless.networks, networking.wireless.extraConfig or networking.wireless.userControlled.enable is being used or
true
. Using any of those options will cause wpa_supplicant to be started with a NixOS generated configuration file instead of your own.
B.3.4. Other Notable Changes
SD images are now compressed by default using
zstd
. The compression for ISO images has also been changed tozstd
, but ISO images are still not compressed by default.services.journald.rateLimitBurst
was updated from1000
to10000
to follow the new upstream systemd default.The notmuch package moves its emacs-related binaries and emacs lisp files to a separate output. They're not part of the default
out
output anymore - if you relied on thenotmuch-emacs-mua
binary or the emacs lisp files, access them via thenotmuch.emacs
output.Device tree overlay support was improved in #79370 and now uses hardware.deviceTree.kernelPackage instead of
hardware.deviceTree.base
. hardware.deviceTree.overlays configuration was extended to support.dts
files with symbols. Device trees can now be filtered by setting hardware.deviceTree.filter option.The default output of
buildGoPackage
is now$out
instead of$bin
.buildGoModule
doCheck
now defaults totrue
.Packages built using
buildRustPackage
now userelease
mode for thecheckPhase
by default.Please note that Rust packages utilizing a custom build/install procedure (e.g. by using a
Makefile
) or test suites that rely on the structure of thetarget/
directory may break due to those assumptions. For further information, please read the Rust section in the Nixpkgs manual.The cc- and binutils-wrapper's "infix salt" and
_BUILD_
and_TARGET_
user infixes have been replaced with with a "suffix salt" and suffixes and_FOR_BUILD
and_FOR_TARGET
. This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier.Additional Git documentation (HTML and text files) is now available via the
git-doc
package.Default algorithm for ZRAM swap was changed to
zstd
.The installer now enables sshd by default. This improves installation on headless machines especially ARM single-board-computer. To login through ssh, either a password or an ssh key must be set for the root user or the nixos user.
The scripted networking system now uses
.link
files in/etc/systemd/network
to configure mac address and link MTU, instead of the sometimes buggynetwork-link-*
units, which have been removed. Bringing the interface up has been moved to the beginning of thenetwork-addresses-*
unit. Note this doesn't requiresystemd-networkd
- it's udev that parses.link
files. Extra care needs to be taken in the presence of legacy udev rules to rename interfaces, as MAC Address and MTU defined in these options can only match on the original link name. In such cases, you most likely want to create a10-*.link
file through systemd.network.links and set both name and MAC Address / MTU there.Grafana received a major update to version 7.x. A plugin is now needed for image rendering support, and plugins must now be signed by default. More information can be found in the Grafana documentation.
The
hardware.u2f
module, which was installing udev rules was removed, as udev gained native support to handle FIDO security tokens.The
services.transmission
module was enhanced with the new options: services.transmission.credentialsFile, services.transmission.openFirewall, and services.transmission.performanceNetParameters.transmission-daemon
is now started with additional systemd sandbox/hardening options for better security. Please report any use case where this is not working well. In particular, theRootDirectory
option newly set forbids uploading or downloading a torrent outside of the default directory configured at settings.download-dir. If you really need Transmission to access other directories, you must include those directories into theBindPaths
of the service:{ systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ]; }
Also, connection to the RPC (Remote Procedure Call) of
transmission-daemon
is now only available on the local network interface by default. Use:{ services.transmission.settings.rpc-bind-address = "0.0.0.0"; }
to get the previous behavior of listening on all network interfaces.
With this release
systemd-networkd
(when enabled through networking.useNetworkd) has it's netlink socket created through asystemd.socket
unit. This gives us control over socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) devices the default buffer size (currently 128MB) is not enough.On a machine with >100 virtual interfaces (e.g., wireguard tunnels, VLANs, …), that all have to be brought up during system startup, the receive buffer size will spike for a brief period. Eventually some of the message will be dropped since there is not enough (permitted) buffer space available.
By having
systemd-networkd
start with a netlink socket created bysystemd
we can configure theReceiveBufferSize=
parameter in the socket options (i.e.systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize
) without recompilingsystemd-networkd
.Since the actual memory requirements depend on hardware, timing, exact configurations etc. it isn't currently possible to infer a good default from within the NixOS module system. Administrators are advised to monitor the logs of
systemd-networkd
forrtnl: kernel receive buffer overrun
spam and increase the memory limit as they see fit.Note: Increasing the
ReceiveBufferSize=
doesn't allocate any memory. It just increases the upper bound on the kernel side. The memory allocation depends on the amount of messages that are queued on the kernel side of the netlink socket.Specifying mailboxes in the dovecot2 module as a list is deprecated and will break eval in 21.05. Instead, an attribute-set should be specified where the
name
should be the key of the attribute.This means that a configuration like this
{ services.dovecot2.mailboxes = [ { name = "Junk"; auto = "create"; } ]; }
should now look like this:
{ services.dovecot2.mailboxes = { Junk.auto = "create"; }; }
netbeans was upgraded to 12.0 and now defaults to OpenJDK 11. This might cause problems if your projects depend on packages that were removed in Java 11.
nextcloud has been updated to v19.
If you have an existing installation, please make sure that you're on nextcloud18 before upgrading to nextcloud19 since Nextcloud doesn't support upgrades across multiple major versions.
The
nixos-run-vms
script now deletes the previous run machines states on test startup. You can use the--keep-vm-state
flag to match the previous behaviour and keep the same VM state between different test runs.The nix.buildMachines option is now type-checked. There are no functional changes, however this may require updating some configurations to use correct types for all attributes.
The
fontconfig
module stopped generating config and cache files for fontconfig 2.10.x, the/etc/fonts/fonts.conf
now belongs to the latest fontconfig, just like on other Linux distributions, and we will no longer be versioning the config directories.Fontconfig 2.10.x was removed from Nixpkgs since it hasn’t been used in any Nixpkgs package for years now.
Nginx module
nginxModules.fastcgi-cache-purge
renamed to official namenginxModules.cache-purge
. Nginx modulenginxModules.ngx_aws_auth
renamed to official namenginxModules.aws-auth
.The option
defaultPackages
was added. It installs the packages perl, rsync and strace for now. They were added unconditionally tosystemPackages
before, but are not strictly necessary for a minimal NixOS install. You can set it to an empty list to have a more minimal system. Be aware that some functionality might still have an impure dependency on those packages, so things might break.The
undervolt
option no longer needs to apply its settings every 30s. If they still become undone, open an issue and restore the previous behaviour usingundervolt.useTimer
.Agda has been heavily reworked.
agda.mkDerivation
has been heavily changed and is now located at agdaPackages.mkDerivation.New top-level packages agda and
agda.withPackages
have been added, the second of which sets up agda with access to chosen libraries.All agda libraries now live under
agdaPackages
.Many broken libraries have been removed.
See the new documentation for more information.
The
deepin
package set has been removed from nixpkgs. It was a work in progress to package the Deepin Desktop Environment (DDE), including libraries, tools and applications, and it was still missing a service to launch the desktop environment. It has shown to no longer be a feasible goal due to reasons discussed in issue #94870. The packagenetease-cloud-music
has also been removed, as it depends on libraries from deepin.The
opendkim
module now uses systemd sandboxing features to limit the exposure of the system towards the opendkim service.Kubernetes has been upgraded to 1.19.1, which also means that the golang version to build it has been bumped to 1.15. This may have consequences for your existing clusters and their certificates. Please consider the release notes for Kubernetes 1.19 carefully before upgrading.
For AMD GPUs, Vulkan can now be used by adding
amdvlk
tohardware.opengl.extraPackages
.Similarly, still for AMD GPUs, the ROCm OpenCL stack can now be used by adding
rocm-opencl-icd
tohardware.opengl.extraPackages
.
B.3.5. Contributions
I, Jonathan Ringer, would like to thank the following individuals for their work on nixpkgs. This release could not be done without the hard work of the NixOS community. There were 31282 contributions across 1313 contributors.
2288 Mario Rodas
1837 Frederik Rietdijk
946 Jörg Thalheim
925 Maximilian Bosch
687 Jonathan Ringer
651 Jan Tojnar
622 Daniël de Kok
605 WORLDofPEACE
597 Florian Klink
528 José Romildo Malaquias
281 volth
101 Robert Scott
86 Tim Steinbach
76 WORLDofPEACE
49 Maximilian Bosch
42 Thomas Tuegel
37 Doron Behar
36 Vladimír Čunát
27 Jonathan Ringer
27 Maciej Krüger
I, Jonathan Ringer, would also like to personally thank @WORLDofPEACE for their help in mentoring me on the release process. Special thanks also goes to Thomas Tuegel for helping immensely with stabilizing Qt, KDE, and Plasma5; I would also like to thank Robert Scott for his numerous fixes and pull request reviews.
B.4. Release 20.03 (“Markhor”, 2020.04/20)
B.4.1. Highlights
In addition to numerous new and upgraded packages, this release has the following highlights:
Support is planned until the end of October 2020, handing over to 20.09.
Core version changes:
gcc: 8.3.0 -> 9.2.0
glibc: 2.27 -> 2.30
linux: 4.19 -> 5.4
mesa: 19.1.5 -> 19.3.3
openssl: 1.0.2u -> 1.1.1d
Desktop version changes:
plasma5: 5.16.5 -> 5.17.5
kdeApplications: 19.08.2 -> 19.12.3
gnome3: 3.32 -> 3.34
pantheon: 5.0 -> 5.1.3
Linux kernel is updated to branch 5.4 by default (from 4.19).
Grub is updated to 2.04, adding support for booting from F2FS filesystems and Btrfs volumes using zstd compression. Note that some users have been unable to boot after upgrading to 2.04 - for more information, please see this discussion.
Postgresql for NixOS service now defaults to v11.
The graphical installer image starts the graphical session automatically. Before you'd be greeted by a tty and asked to enter
systemctl start display-manager
. It is now possible to disable the display-manager from running by selecting theDisable display-manager
quirk in the boot menu.GNOME 3 has been upgraded to 3.34. Please take a look at their Release Notes for details.
If you enable the Pantheon Desktop Manager via services.xserver.desktopManager.pantheon.enable, we now default to also use Pantheon's newly designed greeter . Contrary to NixOS's usual update policy, Pantheon will receive updates during the cycle of NixOS 20.03 when backwards compatible.
By default zfs pools will now be trimmed on a weekly basis. Trimming is only done on supported devices (i.e. NVME or SSDs) and should improve throughput and lifetime of these devices. It is controlled by the
services.zfs.trim.enable
varname. The zfs scrub service (services.zfs.autoScrub.enable
) and the zfs autosnapshot service (services.zfs.autoSnapshot.enable
) are now only enabled if zfs is set inconfig.boot.initrd.supportedFilesystems
orconfig.boot.supportedFilesystems
. These lists will automatically contain zfs as soon as any zfs mountpoint is configured infileSystems
.nixos-option
has been rewritten in C++, speeding it up, improving correctness, and adding a-r
option which prints all options and their values recursively.services.xserver.desktopManager.default
andservices.xserver.windowManager.default
options were replaced by a single services.xserver.displayManager.defaultSession option to improve support for upstream session files. If you used something like:{ services.xserver.desktopManager.default = "xfce"; services.xserver.windowManager.default = "icewm"; }
you should change it to:
{ services.xserver.displayManager.defaultSession = "xfce+icewm"; }
The testing driver implementation in NixOS is now in Python
make-test-python.nix
. This was done by Jacek Galowicz (@tfc), and with the collaboration of Julian Stecklina (@blitz) and Jana Traue (@jtraue). All documentation has been updated to use this testing driver, and a vast majority of the 286 tests in NixOS were ported to python driver. In 20.09 the Perl driver implementation,make-test.nix
, is slated for removal. This should give users of the NixOS integration framework a transitory period to rewrite their tests to use the Python implementation. Users of the Perl driver will see this warning everytime they use it:$ warning: Perl VM tests are deprecated and will be removed for 20.09. Please update your tests to use the python test driver. See https://github.com/NixOS/nixpkgs/pull/71684 for details.
API compatibility is planned to be kept for at least the next release with the perl driver.
B.4.2. New Services
The following new services were added since the last release:
The kubernetes kube-proxy now supports a new hostname configuration
services.kubernetes.proxy.hostname
which has to be set if the hostname of the node should be non default.UPower's configuration is now managed by NixOS and can be customized via
services.upower
.To use Geary you should enable programs.geary.enable instead of just adding it to environment.systemPackages. It was created so Geary could function properly outside of GNOME.
./config/console.nix
./hardware/brillo.nix
./hardware/tuxedo-keyboard.nix
./programs/bandwhich.nix
./programs/bash-my-aws.nix
./programs/liboping.nix
./programs/traceroute.nix
./services/backup/sanoid.nix
./services/backup/syncoid.nix
./services/backup/zfs-replication.nix
./services/continuous-integration/buildkite-agents.nix
./services/databases/victoriametrics.nix
./services/desktops/gnome3/gnome-initial-setup.nix
./services/desktops/neard.nix
./services/games/openarena.nix
./services/hardware/fancontrol.nix
./services/mail/sympa.nix
./services/misc/freeswitch.nix
./services/misc/mame.nix
./services/monitoring/do-agent.nix
./services/monitoring/prometheus/xmpp-alerts.nix
./services/network-filesystems/orangefs/server.nix
./services/network-filesystems/orangefs/client.nix
./services/networking/3proxy.nix
./services/networking/corerad.nix
./services/networking/go-shadowsocks2.nix
./services/networking/ntp/openntpd.nix
./services/networking/shorewall.nix
./services/networking/shorewall6.nix
./services/networking/spacecookie.nix
./services/networking/trickster.nix
./services/networking/v2ray.nix
./services/networking/xandikos.nix
./services/networking/yggdrasil.nix
./services/web-apps/dokuwiki.nix
./services/web-apps/gotify-server.nix
./services/web-apps/grocy.nix
./services/web-apps/ihatemoney
./services/web-apps/moinmoin.nix
./services/web-apps/trac.nix
./services/web-apps/trilium.nix
./services/web-apps/shiori.nix
./services/web-servers/ttyd.nix
./services/x11/picom.nix
./services/x11/hardware/digimend.nix
./services/x11/imwheel.nix
./virtualisation/cri-o.nix
B.4.3. Backward Incompatibilities
When upgrading from a previous release, please be aware of the following incompatible changes:
The dhcpcd package does not request IPv4 addresses for tap and bridge interfaces anymore by default. In order to still get an address on a bridge interface, one has to disable
networking.useDHCP
and explicitly enablenetworking.interfaces.<name>.useDHCP
on every interface, that should get an address via DHCP. This way, dhcpcd is configured in an explicit way about which interface to run on.GnuPG is now built without support for a graphical passphrase entry by default. Please enable the
gpg-agent
user service via the NixOS optionprograms.gnupg.agent.enable
. Note that upstream recommends usinggpg-agent
and will spawn agpg-agent
on the first invocation of GnuPG anyway.The
dynamicHosts
option has been removed from the NetworkManager module. Allowing (multiple) regular users to override host entries affecting the whole system opens up a huge attack vector. There seem to be very rare cases where this might be useful. Consider setting system-wide host entries using networking.hosts, provide them via the DNS server in your network, or use environment.etc to add a file into/etc/NetworkManager/dnsmasq.d
reconfiguringhostsdir
.The
99-main.network
file was removed. Matching all network interfaces caused many breakages, see #18962 and #71106.We already don't support the global networking.useDHCP, networking.defaultGateway and networking.defaultGateway6 options if networking.useNetworkd is enabled, but direct users to configure the per-device networking.interfaces.<name>…. options.
The stdenv now runs all bash with
set -u
, to catch the use of undefined variables. Before, it itself usedset -u
but was careful to unset it so other packages' code ran as before. Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded.The SLIM Display Manager has been removed, as it has been unmaintained since 2013. Consider migrating to a different display manager such as LightDM (current default in NixOS), SDDM, GDM, or using the startx module which uses Xinitrc.
The Way Cooler wayland compositor has been removed, as the project has been officially canceled. There are no more
way-cooler
attribute andprograms.way-cooler
options.The BEAM package set has been deleted. You will only find there the different interpreters. You should now use the different build tools coming with the languages with sandbox mode disabled.
There is now only one Xfce package-set and module. This means that attributes
xfce4-14
andxfceUnstable
all now point to the latest Xfce 4.14 packages. And in the future NixOS releases will be the latest released version of Xfce available at the time of the release's development (if viable).The phpfpm module now sets
PrivateTmp=true
in its systemd units for better process isolation. If you rely on/tmp
being shared with other services, explicitly override this by settingserviceConfig.PrivateTmp
tofalse
for each phpfpm unit.KDE’s old multimedia framework Phonon no longer supports Qt 4. For that reason, Plasma desktop also does not have
enableQt4Support
option any more.The BeeGFS module has been removed.
The osquery module has been removed.
Going forward,
~/bin
in the users home directory will no longer be inPATH
by default. If you depend on this you should set the optionenvironment.homeBinInPath
totrue
. The aforementioned option was added this release.The
buildRustCrate
infrastructure now produceslib
outputs in addition to theout
output. This has led to drastically reduced closure sizes for some rust crates since development dependencies are now in thelib
output.Pango was upgraded to 1.44, which no longer uses freetype for font loading. This means that type1 and bitmap fonts are no longer supported in applications relying on Pango for font rendering (notably, GTK application). See upstream issue for more information.
The
roundcube
module has been hardened.The password of the database is not written world readable in the store any more. If
database.host
is set tolocalhost
, then a unix user of the same name as the database will be created and PostreSQL peer authentication will be used, removing the need for a password. Otherwise, a password is still needed and can be provided with the new optiondatabase.passwordFile
, which should be set to the path of a file containing the password and readable by the usernginx
only. Thedatabase.password
option is insecure and deprecated. Usage of this option will print a warning.A random
des_key
is set by default in the configuration of roundcube, instead of using the hardcoded and insecure default. To ensure a clean migration, all users will be logged out when you upgrade to this release.
The packages
openobex
andobexftp
are no longer installed when enabling Bluetooth viahardware.bluetooth.enable
.The
dump1090
derivation has been changed to use FlightAware's dump1090 as its upstream. However, this version does not have an internal webserver anymore. The assets in theshare/dump1090
directory of the derivation can be used in conjunction with an external webserver to replace this functionality.The fourStore and fourStoreEndpoint modules have been removed.
Polkit no longer has the user of uid 0 (root) as an admin identity. We now follow the upstream default of only having every member of the wheel group admin privileged. Before it was root and members of wheel. The positive outcome of this is pkexec GUI popups or terminal prompts will no longer require the user to choose between two essentially equivalent choices (whether to perform the action as themselves with wheel permissions, or as the root user).
NixOS containers no longer build NixOS manual by default. This saves evaluation time, especially if there are many declarative containers defined. Note that this is already done when
<nixos/modules/profiles/minimal.nix>
module is included in container config.The
kresd
services deprecates theinterfaces
option in favor of thelistenPlain
option which requires full systemd.socket compatible declaration which always include a port.Virtual console options have been reorganized and can be found under a single top-level attribute:
console
. The full set of changes is as follows:i18n.consoleFont
renamed to console.fonti18n.consoleKeyMap
renamed to console.keyMapi18n.consoleColors
renamed to console.colorsi18n.consolePackages
renamed to console.packagesi18n.consoleUseXkbConfig
renamed to console.useXkbConfigboot.earlyVconsoleSetup
renamed to console.earlySetupboot.extraTTYs
renamed toconsole.extraTTYs
.
The awstats module has been rewritten to serve stats via static html pages, updated on a timer, over nginx, instead of dynamic cgi pages over apache.
Minor changes will be required to migrate existing configurations. Details of the required changes can seen by looking through the awstats module.
The httpd module no longer provides options to support serving web content without defining a virtual host. As a result of this the services.httpd.logPerVirtualHost option now defaults to
true
instead offalse
. Please update your configuration to make use of services.httpd.virtualHosts.The services.httpd.virtualHosts.<name> option has changed type from a list of submodules to an attribute set of submodules, better matching services.nginx.virtualHosts.<name>.
This change comes with the addition of the following options which mimic the functionality of their
nginx
counterparts: services.httpd.virtualHosts.<name>.addSSL, services.httpd.virtualHosts.<name>.forceSSL, services.httpd.virtualHosts.<name>.onlySSL, services.httpd.virtualHosts.<name>.enableACME, services.httpd.virtualHosts.<name>.acmeRoot, and services.httpd.virtualHosts.<name>.useACMEHost.For NixOS configuration options, the
loaOf
type has been deprecated and will be removed in a future release. In nixpkgs, options of this type will be changed toattrsOf
instead. If you were using one of these in your configuration, you will see a warning suggesting what changes will be required.For example, users.users is a
loaOf
option that is commonly used as follows:{ users.users = [ { name = "me"; description = "My personal user."; isNormalUser = true; } ]; }
This should be rewritten by removing the list and using the value of
name
as the name of the attribute set:{ users.users.me = { description = "My personal user."; isNormalUser = true; }; }
For more information on this change have look at these links: issue #1800, PR #63103.
For NixOS modules, the types
types.submodule
andtypes.submoduleWith
now support paths as allowed values, similar to howimports
supports paths. Because of this, if you have a module that defines an option of typeeither (submodule ...) path
, it will break since a path is now treated as the first type instead of the second. To fix this, change the type toeither path (submodule ...)
.The Buildkite Agent module and corresponding packages have been updated to 3.x, and to support multiple instances of the agent running at the same time. This means you will have to rename
services.buildkite-agent
toservices.buildkite-agents.<name>
. Furthermore, the following options have been changed:services.buildkite-agent.meta-data
has been renamed to services.buildkite-agents.<name>.tags, to match upstreams naming for 3.x. Its type has also changed - it now accepts an attrset of strings.The
services.buildkite-agent.openssh.publicKeyPath
option has been removed, as it's not necessary to deploy public keys to clone private repositories.services.buildkite-agent.openssh.privateKeyPath
has been renamed to buildkite-agents.<name>.privateSshKeyPath, as the wholeopenssh
now only contained that single option.services.buildkite-agents.<name>.shell has been introduced, allowing to specify a custom shell to be used.
The
citrix_workspace_19_3_0
package has been removed as it will be EOLed within the lifespan of 20.03. For further information, please refer to the support and maintenance information from upstream.The
gcc5
andgfortran5
packages have been removed.The
services.xserver.displayManager.auto
module has been removed. It was only intended for use in internal NixOS tests, and gave the false impression of it being a special display manager when it's actually LightDM. Please use theservices.xserver.displayManager.lightdm.autoLogin
options instead, or any other display manager in NixOS as they all support auto-login. If you used this module specifically because it permitted root auto-login you can override the lightdm-autologin pam module like:{ security.pam.services.lightdm-autologin.text = lib.mkForce '' auth requisite pam_nologin.so auth required pam_succeed_if.so quiet auth required pam_permit.so account include lightdm password include lightdm session include lightdm ''; }
The difference is the:
auth required pam_succeed_if.so quiet
line, where default it's:
auth required pam_succeed_if.so uid >= 1000 quiet
not permitting users with uid's below 1000 (like root). All other display managers in NixOS are configured like this.
There have been lots of improvements to the Mailman module. As a result,
The
services.mailman.hyperkittyBaseUrl
option has been renamed to services.mailman.hyperkitty.baseUrl.The
services.mailman.hyperkittyApiKey
option has been removed. This is because having an option for the Hyperkitty API key meant that the API key would be stored in the world-readable Nix store, which was a security vulnerability. A new Hyperkitty API key will be generated the first time the new Hyperkitty service is run, and it will then be persisted outside of the Nix store. To continue using Hyperkitty, you must set services.mailman.hyperkitty.enable totrue
.Additionally, some Postfix configuration must now be set manually instead of automatically by the Mailman module:
{ services.postfix.relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ]; services.postfix.config.transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; services.postfix.config.local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; }
This is because some users may want to include other values in these lists as well, and this was not possible if they were set automatically by the Mailman module. It would not have been possible to just concatenate values from multiple modules each setting the values they needed, because the order of elements in the list is significant.
The LLVM versions 3.5, 3.9 and 4 (including the corresponding CLang versions) have been dropped.
The
networking.interfaces.*.preferTempAddress
option has been replaced bynetworking.interfaces.*.tempAddress
. The new option allows better control of the IPv6 temporary addresses, including completely disabling them for interfaces where they are not needed.Rspamd was updated to version 2.2. Read the upstream migration notes carefully. Please be especially aware that some modules were removed and the default Bayes backend is now Redis.
The
*psu
versions of oraclejdk8 have been removed as they aren't provided by upstream anymore.The
services.dnscrypt-proxy
module has been removed as it used the deprecated version of dnscrypt-proxy. We've added services.dnscrypt-proxy2.enable to use the supported version. This module supports configuration via the Nix attribute set services.dnscrypt-proxy2.settings, or by passing a TOML configuration file via services.dnscrypt-proxy2.configFile.{ # Example configuration: services.dnscrypt-proxy2.enable = true; services.dnscrypt-proxy2.settings = { listen_addresses = [ "127.0.0.1:43" ]; sources.public-resolvers = { urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ]; cache_file = "public-resolvers.md"; minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; refresh_delay = 72; }; }; services.dnsmasq.enable = true; services.dnsmasq.servers = [ "127.0.0.1#43" ]; }
qesteidutil
has been deprecated in favor ofqdigidoc
.sqldeveloper_18 has been removed as it's not maintained anymore, sqldeveloper has been updated to version
19.4
. Please note that this means that this means that the oraclejdk is now required. For further information please read the release notes.Haskell
env
andshellFor
dev shell environments now organize dependencies the same way as regular builds. In particular, rather than receiving all the different lists of dependencies mashed together as one big list, and then partitioning into Haskell and non-Hakell dependencies, they work from the original many different dependency parameters and don't need to algorithmically partition anything.This means that if you incorrectly categorize a dependency, e.g. non-Haskell library dependency as a
buildDepends
or run-time Haskell dependency as asetupDepends
, whereas things would have worked before they may not work now.The gcc-snapshot-package has been removed. It's marked as broken for >2 years and used to point to a fairly old snapshot from the gcc7-branch.
The nixos-build-vms8 -script now uses the python test-driver.
The riot-web package now accepts configuration overrides as an attribute set instead of a string. A formerly used JSON configuration can be converted to an attribute set with
builtins.fromJSON
.The new default configuration also disables automatic guest account registration and analytics to improve privacy. The previous behavior can be restored by setting
config.riot-web.conf = { disable_guests = false; piwik = true; }
.Stand-alone usage of
Upower
now requiresservices.upower.enable
instead of just installing into environment.systemPackages.nextcloud has been updated to
v18.0.2
. This means that users from NixOS 19.09 can't upgrade directly since you can only move one version forward and 19.09 usesv16.0.8
.To provide a safe upgrade-path and to circumvent similar issues in the future, the following measures were taken:
The pkgs.nextcloud-attribute has been removed and replaced with versioned attributes (currently pkgs.nextcloud17 and pkgs.nextcloud18). With this change major-releases can be backported without breaking stuff and to make upgrade-paths easier.
Existing setups will be detected using system.stateVersion: by default, nextcloud17 will be used, but will raise a warning which notes that after that deploy it's recommended to update to the latest stable version (nextcloud18) by declaring the newly introduced setting services.nextcloud.package.
Users with an overlay (e.g. to use nextcloud at version
v18
on19.09
) will get an evaluation error by default. This is done to ensure that our package-option doesn't select an older version by accident. It's recommended to use pkgs.nextcloud18 or to set package to pkgs.nextcloud explicitly.
WarningPlease note that if you're coming from
19.03
or older, you have to manually upgrade to19.09
first to upgrade your server to Nextcloud v16.Hydra has gained a massive performance improvement due to some database schema changes by adding several IDs and better indexing. However, it's necessary to upgrade Hydra in multiple steps:
At first, an older version of Hydra needs to be deployed which adds those (nullable) columns. When having set stateVersion to a value older than
20.03
, this package will be selected by default from the module when upgrading. Otherwise, the package can be deployed using the following config:{ pkgs, ... }: { services.hydra.package = pkgs.hydra-migration; }
Automatically fill the newly added ID columns on the server by running the following command:
$ hydra-backfill-ids
WarningPlease note that this process can take a while depending on your database-size!
Deploy a newer version of Hydra to activate the DB optimizations. This can be done by using hydra-unstable. This package already includes flake-support and is therefore compiled against pkgs.nixFlakes.
WarningIf your stateVersion is set to
20.03
or greater, hydra-unstable will be used automatically! This will break your setup if you didn't run the migration.Please note that Hydra is currently not available with nixStable as this doesn't compile anymore.
Warningpkgs.hydra has been removed to ensure a graceful database-migration using the dedicated package-attributes. If you still have pkgs.hydra defined in e.g. an overlay, an assertion error will be thrown. To circumvent this, you need to set services.hydra.package to pkgs.hydra explicitly and make sure you know what you're doing!
The TokuDB storage engine will be disabled in mariadb 10.5. It is recommended to switch to RocksDB. See also TokuDB.
B.4.4. Other Notable Changes
SD images are now compressed by default using
bzip2
.The nginx web server previously started its master process as root privileged, then ran worker processes as a less privileged identity user (the
nginx
user). This was changed to start all of nginx as a less privileged user (defined byservices.nginx.user
andservices.nginx.group
). As a consequence, all files that are needed for nginx to run (included configuration fragments, SSL certificates and keys, etc.) must now be readable by this less privileged user/group.To continue to use the old approach, you can configure:
{ services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};''; systemd.services.nginx.serviceConfig.User = lib.mkForce "root"; }
OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features but with potential incompatibilities. Consult the release announcement for more information.
PRETTY_NAME
in/etc/os-release
now uses the short rather than full version string.The ACME module has switched from simp-le to lego which allows us to support DNS-01 challenges and wildcard certificates. The following options have been added: security.acme.acceptTerms, security.acme.certs.<name>.dnsProvider, security.acme.certs.<name>.credentialsFile, security.acme.certs.<name>.dnsPropagationCheck. As well as this, the options
security.acme.acceptTerms
and eithersecurity.acme.email
orsecurity.acme.certs.<name>.email
must be set in order to use the ACME module. Certificates will be regenerated on activation, no account or certificate will be migrated from simp-le. In particular private keys will not be preserved. However, the credentials for simp-le are preserved and thus it is possible to roll back to previous versions without breaking certificate generation. Note also that in contrary to simp-le a new private key is recreated at each renewal by default, which can have consequences if you embed your public key in apps.It is now possible to unlock LUKS-Encrypted file systems using a FIDO2 token via
boot.initrd.luks.fido2Support
.Predictably named network interfaces get renamed in stage-1. This means that it is possible to use the proper interface name for e.g. Dropbear setups.
For further reference, please read #68953 or the corresponding discourse thread.
The matrix-synapse-package has been updated to v1.11.1. Due to stricter requirements for database configuration when using postgresql, the automated database setup of the module has been removed to avoid any further edge-cases.
matrix-synapse expects
postgresql
-databases to have the optionsLC_COLLATE
andLC_CTYPE
set to'C'
which basically instructspostgresql
to ignore any locale-based preferences.Depending on your setup, you need to incorporate one of the following changes in your setup to upgrade to 20.03:
If you use
sqlite3
you don't need to do anything.If you use
postgresql
on a different server, you don't need to change anything as well since this module was never designed to configure remote databases.If you use
postgresql
and configured your synapse initially on19.09
or older, you simply need to enable postgresql-support explicitly:{ ... }: { services.matrix-synapse = { enable = true; /* and all the other config you've defined here */ }; services.postgresql.enable = true; }
If you deploy a fresh matrix-synapse, you need to configure the database yourself (e.g. by using the services.postgresql.initialScript option). An example for this can be found in the documentation of the Matrix module.
If you initially deployed your matrix-synapse on
nixos-unstable
after the19.09
-release, your database is misconfigured due to a regression in NixOS. For now, matrix-synapse will startup with a warning, but it's recommended to reconfigure the database to set the valuesLC_COLLATE
andLC_CTYPE
to'C'
.The systemd.network.links option is now respected even when systemd-networkd is disabled. This mirrors the behaviour of systemd - It's udev that parses
.link
files, notsystemd-networkd
.mongodb has been updated to version
3.4.24
.WarningPlease note that mongodb has been relicensed under their own
sspl
-license. Since it's not entirely free and not OSI-approved, it's listed as non-free. This means that Hydra doesn't provide prebuilt mongodb-packages and needs to be built locally.
B.5. Release 19.09 (“Loris”, 2019/10/09)
B.5.1. Highlights
In addition to numerous new and upgraded packages, this release has the following highlights:
End of support is planned for end of April 2020, handing over to 20.03.
Nix has been updated to 2.3; see its release notes.
Core version changes:
systemd: 239 -> 243
gcc: 7 -> 8
glibc: 2.27 (unchanged)
linux: 4.19 LTS (unchanged)
openssl: 1.0 -> 1.1
Desktop version changes:
plasma5: 5.14 -> 5.16
gnome3: 3.30 -> 3.32
PHP now defaults to PHP 7.3, updated from 7.2.
PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release.
The binfmt module is now easier to use. Additional systems can be added through
boot.binfmt.emulatedSystems
. For instance,boot.binfmt.emulatedSystems = [ "wasm32-wasi" "x86_64-windows" "aarch64-linux" ];
will set up binfmt interpreters for each of those listed systems.The installer now uses a less privileged
nixos
user whereas before we logged in as root. To gain root privileges usesudo -i
without a password.We've updated to Xfce 4.14, which brings a new module
services.xserver.desktopManager.xfce4-14
. If you'd like to upgrade, please switch from theservices.xserver.desktopManager.xfce
module as it will be deprecated in a future release. They're incompatibilities with the current Xfce module; it doesn't supportthunarPlugins
and it isn't recommended to useservices.xserver.desktopManager.xfce
andservices.xserver.desktopManager.xfce4-14
simultaneously or to downgrade from Xfce 4.14 after upgrading.The GNOME 3 desktop manager module sports an interface to enable/disable core services, applications, and optional GNOME packages like games.
services.gnome3.core-os-services.enable
services.gnome3.core-shell.enable
services.gnome3.core-utilities.enable
services.gnome3.games.enable
With these options we hope to give users finer grained control over their systems. Prior to this change you'd either have to manually disable options or use
environment.gnome3.excludePackages
which only excluded the optional applications.environment.gnome3.excludePackages
is now unguarded, it can exclude any package installed withenvironment.systemPackages
in the GNOME 3 module.Orthogonal to the previous changes to the GNOME 3 desktop manager module, we've updated all default services and applications to match as close as possible to a default reference GNOME 3 experience.
The following changes were enacted in
services.gnome3.core-utilities.enable
accerciser
dconf-editor
evolution
gnome-documents
gnome-nettool
gnome-power-manager
gnome-todo
gnome-tweaks
gnome-usage
gucharmap
nautilus-sendto
vinagre
cheese
geary
The following changes were enacted in
services.gnome3.core-shell.enable
gnome-color-manager
orca
services.avahi.enable
B.5.2. New Services
The following new services were added since the last release:
./programs/dwm-status.nix
The new
hardware.printers
module allows to declaratively configure CUPS printers via theensurePrinters
andensureDefaultPrinter
options.ensurePrinters
will never delete existing printers, but will make sure that the given printers are configured as declared.There is a new services.system-config-printer.enable and programs.system-config-printer.enable module for the program of the same name. If you previously had
system-config-printer
enabled through some other means you should migrate to using one of these modules.services.xserver.desktopManager.plasma5
services.xserver.desktopManager.gnome3
services.xserver.desktopManager.pantheon
services.xserver.desktopManager.mate
Note Mate usesprograms.system-config-printer
as it doesn't use it as a service, but its graphical interface directly.
services.blueman.enable has been added. If you previously had blueman installed via
environment.systemPackages
please migrate to using the NixOS module, as this would result in an insufficiently configured blueman.
B.5.3. Backward Incompatibilities
When upgrading from a previous release, please be aware of the following incompatible changes:
Buildbot no longer supports Python 2, as support was dropped upstream in version 2.0.0. Configurations may need to be modified to make them compatible with Python 3.
PostgreSQL now uses
/run/postgresql
as its socket directory instead of/tmp
. So if you run an application like eg. Nextcloud, where you need to use the Unix socket path as the database host name, you need to change it accordingly.PostgreSQL 9.4 is scheduled EOL during the 19.09 life cycle and has been removed.
The options
services.prometheus.alertmanager.user
andservices.prometheus.alertmanager.group
have been removed because the alertmanager service is now using systemd's DynamicUser mechanism which obviates these options.The NetworkManager systemd unit was renamed back from network-manager.service to NetworkManager.service for better compatibility with other applications expecting this name. The same applies to ModemManager where modem-manager.service is now called ModemManager.service again.
The
services.nzbget.configFile
andservices.nzbget.openFirewall
options were removed as they are managed internally by the nzbget. Theservices.nzbget.dataDir
option hadn't actually been used by the module for some time and so was removed as cleanup.The
services.mysql.pidDir
option was removed, as it was only used by the wordpress apache-httpd service to wait for mysql to have started up. This can be accomplished by either describing a dependency on mysql.service (preferred) or waiting for the (hardcoded)/run/mysqld/mysql.sock
file to appear.The
services.emby.enable
module has been removed, seeservices.jellyfin.enable
instead for a free software fork of Emby. See the Jellyfin documentation: Migrating from Emby to JellyfinIPv6 Privacy Extensions are now enabled by default for undeclared interfaces. The previous behaviour was quite misleading — even though the default value for
networking.interfaces.*.preferTempAddress
wastrue
, undeclared interfaces would not prefer temporary addresses. Now, interfaces not mentioned in the config will prefer temporary addresses. EUI64 addresses can still be set as preferred by explicitly setting the option tofalse
for the interface in question.Since Bittorrent Sync was superseded by Resilio Sync in 2016, the
bittorrentSync
,bittorrentSync14
, andbittorrentSync16
packages have been removed in favor ofresilio-sync
.The corresponding module,
services.btsync
has been replaced by theservices.resilio
module.The httpd service no longer attempts to start the postgresql service. If you have come to depend on this behaviour then you can preserve the behavior with the following configuration:
systemd.services.httpd.after = [ "postgresql.service" ];
The option
services.httpd.extraSubservices
has been marked as deprecated. You may still use this feature, but it will be removed in a future release of NixOS. You are encouraged to convert any httpd subservices you may have written to a full NixOS module.Most of the httpd subservices packaged with NixOS have been replaced with full NixOS modules including LimeSurvey, WordPress, and Zabbix. These modules can be enabled using the
services.limesurvey.enable
,services.mediawiki.enable
,services.wordpress.enable
, andservices.zabbixWeb.enable
options.The option
systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnlink
was renamed tosystemd.network.networks.<name>.routes.*.routeConfig.GatewayOnLink
(capitalL
). This follows upstreams renaming of the setting.As of this release the NixOps feature
autoLuks
is deprecated. It no longer works with our systemd version without manual intervention.Whenever the usage of the module is detected the evaluation will fail with a message explaining why and how to deal with the situation.
A new knob named
nixops.enableDeprecatedAutoLuks
has been introduced to disable the eval failure and to acknowledge the notice was received and read. If you plan on using the feature please note that it might break with subsequent updates.Make sure you set the
_netdev
option for each of the file systems referring to block devices provided by the autoLuks module. Not doing this might render the system in a state where it doesn't boot anymore.If you are actively using the
autoLuks
module please let us know in issue #62211.The setopt declarations will be evaluated at the end of
/etc/zshrc
, so any code in programs.zsh.interactiveShellInit, programs.zsh.loginShellInit and programs.zsh.promptInit may break if it relies on those options being set.The
prometheus-nginx-exporter
package now uses the offical exporter provided by NGINX Inc. Its metrics are differently structured and are incompatible to the old ones. For information about the metrics, have a look at the official repo.The
shibboleth-sp
package has been updated to version 3. It is largely backward compatible, for further information refer to the release notes and upgrade guide.Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.
By default, prometheus exporters are now run with
DynamicUser
enabled. Exporters that need a real user, now run under a seperate user and group which follow the pattern<exporter-name>-exporter
, instead of the previous defaultnobody
andnogroup
. Only some exporters are affected by the latter, namely the exportersdovecot
,node
,postfix
andvarnish
.The
ibus-qt
package is not installed by default anymore when i18n.inputMethod.enabled is set toibus
. If IBus support in Qt 4.x applications is required, add theibus-qt
package to your environment.systemPackages manually.The CUPS Printing service now uses socket-based activation by default, only starting when needed. The previous behavior can be restored by setting
services.cups.startWhenNeeded
tofalse
.The
services.systemhealth
module has been removed from nixpkgs due to lack of maintainer.The
services.mantisbt
module has been removed from nixpkgs due to lack of maintainer.Squid 3 has been removed and the
squid
derivation now refers to Squid 4.The
services.pdns-recursor.extraConfig
option has been replaced byservices.pdns-recursor.settings
. The new option allows setting extra configuration while being better type-checked and mergeable.No service depends on
keys.target
anymore which is a systemd target that indicates if all NixOps keys were successfully uploaded. Instead,<key-name>-key.service
should be used to define a dependency of a key in a service. The full issue behind thekeys.target
dependency is described at NixOS/nixpkgs#67265.The following services are affected by this:
The
security.acme.directory
option has been replaced by a read-onlysecurity.acme.certs.<cert>.directory
option for each certificate you define. This will be a subdirectory of/var/lib/acme
. You can use this read-only option to figure out where the certificates are stored for a specific certificate. For example, theservices.nginx.virtualhosts.<name>.enableACME
option will use this directory option to find the certs for the virtual host.security.acme.preDelay
andsecurity.acme.activationDelay
options have been removed. To execute a service before certificates are provisioned or renewed add aRequiredBy=acme-${cert}.service
to any service.Furthermore, the acme module will not automatically add a dependency on
lighttpd.service
anymore. If you are using certficates provided by letsencrypt for lighttpd, then you should depend on the certificate serviceacme-${cert}.service>
manually.For nginx, the dependencies are still automatically managed when
services.nginx.virtualhosts.<name>.enableACME
is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs, instead of depending on the catch-allacme-certificates.target
. This target unit was also removed from the codebase. This will mean nginx will no longer depend on certificates it isn't explicitly managing and fixes a bug with certificate renewal ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at NixOS/nixpkgs#60180.The old deprecated
emacs
package sets have been dropped. What used to be calledemacsPackagesNg
is now simply calledemacsPackages
.services.xserver.desktopManager.xterm
is now disabled by default ifstateVersion
is 19.09 or higher. Previously the xterm desktopManager was enabled when xserver was enabled, but it isn't useful for all people so it didn't make sense to have any desktopManager enabled default.The WeeChat plugin
pkgs.weechatScripts.weechat-xmpp
has been removed as it doesn't receive any updates from upstream and depends on outdated Python2-based modules.Old unsupported versions (
logstash5
,kibana5
,filebeat5
,heartbeat5
,metricbeat5
,packetbeat5
) of the ELK-stack and Elastic beats have been removed.For NixOS 19.03, both Prometheus 1 and 2 were available to allow for a seamless transition from version 1 to 2 with existing setups. Because Prometheus 1 is no longer developed, it was removed. Prometheus 2 is now configured with
services.prometheus
.Citrix Receiver (
citrix_receiver
) has been dropped in favor of Citrix Workspace (citrix_workspace
).The
services.gitlab
module has had its literal secret options (services.gitlab.smtp.password
,services.gitlab.databasePassword
,services.gitlab.initialRootPassword
,services.gitlab.secrets.secret
,services.gitlab.secrets.db
,services.gitlab.secrets.otp
andservices.gitlab.secrets.jws
) replaced by file-based versions (services.gitlab.smtp.passwordFile
,services.gitlab.databasePasswordFile
,services.gitlab.initialRootPasswordFile
,services.gitlab.secrets.secretFile
,services.gitlab.secrets.dbFile
,services.gitlab.secrets.otpFile
andservices.gitlab.secrets.jwsFile
). This was done so that secrets aren't stored in the world-readable nix store, but means that for each option you'll have to create a file with the same exact string, add "File" to the end of the option name, and change the definition to a string pointing to the corresponding file; e.g.services.gitlab.databasePassword = "supersecurepassword"
becomesservices.gitlab.databasePasswordFile = "/path/to/secret_file"
where the filesecret_file
contains the stringsupersecurepassword
.The state path (
services.gitlab.statePath
) now has the following restriction: no parent directory can be owned by any other user thanroot
or the user specified inservices.gitlab.user
; i.e. ifservices.gitlab.statePath
is set to/var/lib/gitlab/state
,gitlab
and all parent directories must be owned by eitherroot
or the user specified inservices.gitlab.user
.The
networking.useDHCP
option is unsupported in combination withnetworking.useNetworkd
in anticipation of defaulting to it. It has to be set tofalse
and enabled per interface withnetworking.interfaces.<name>.useDHCP = true;
The Twitter client
corebird
has been dropped as it is discontinued and does not work against the new Twitter API. Please use the forkcawbird
instead which has been adapted to the API changes and is still maintained.The
nodejs-11_x
package has been removed as it's EOLed by upstream.Because of the systemd upgrade, systemd-timesyncd will no longer work if
system.stateVersion
is not set correctly. When upgrading from NixOS 19.03, please make sure thatsystem.stateVersion
is set to"19.03"
, or lower if the installation dates back to an earlier version of NixOS.Due to the short lifetime of non-LTS kernel releases package attributes like
linux_5_1
,linux_5_2
andlinux_5_3
have been removed to discourage dependence on specific non-LTS kernel versions in stable NixOS releases. Going forward, versioned attributes likelinux_4_9
will exist for LTS versions only. Please uselinux_latest
orlinux_testing
if you depend on non-LTS releases. Keep in mind thatlinux_latest
andlinux_testing
will change versions under the hood during the lifetime of a stable release and might include breaking changes.Because of the systemd upgrade, some network interfaces might change their name. For details see upstream docs or our ticket.
B.5.4. Other Notable Changes
The
documentation
module gained an option nameddocumentation.nixos.includeAllModules
which makes the generated configuration.nix 5 manual page include all options from all NixOS modules included in a givenconfiguration.nix
configuration file. Currently, it is set tofalse
by default as enabling it frequently prevents evaluation. But the plan is to eventually have it set totrue
by default. Please set it totrue
now in yourconfiguration.nix
and fix all the bugs it uncovers.The
vlc
package gained support for Chromecast streaming, enabled by default. TCP port 8010 must be open for it to work, so something likenetworking.firewall.allowedTCPPorts = [ 8010 ];
may be required in your configuration. Also consider enabling Accelerated Video Playback for better transcoding performance.The following changes apply if the
stateVersion
is changed to 19.09 or higher. ForstateVersion = "19.03"
or lower the old behavior is preserved.solr.package
defaults topkgs.solr_8
.
The
hunspellDicts.fr-any
dictionary now ships withfr_FR.{aff,dic}
which is linked tofr-toutesvariantes.{aff,dic}
.The
mysql
service now runs asmysql
user. Previously, systemd did execute it as root, and mysql dropped privileges itself. This includesExecStartPre=
andExecStartPost=
phases. To accomplish that, runtime and data directory setup was delegated to RuntimeDirectory and tmpfiles.With the upgrade to systemd version 242 the
systemd-timesyncd
service is no longer usingDynamicUser=yes
. In order for the upgrade to work we rely on an activation script to move the state from the old to the new directory. The older directory (prior19.09
) was/var/lib/private/systemd/timesync
.As long as the
system.config.stateVersion
is below19.09
the state folder will migrated to its proper location (/var/lib/systemd/timesync
), if required.The package
avahi
is now built to look up service definitions from/etc/avahi/services
instead of its output directory in the nix store. Accordingly the moduleavahi
now supports custom service definitions viaservices.avahi.extraServiceFiles
, which are then placed in the aforementioned directory. See avahi.service5 for more information on custom service definitions.Since version 0.1.19,
cargo-vendor
honors package includes that are specified in theCargo.toml
file of Rust crates.rustPlatform.buildRustPackage
usescargo-vendor
to collect and build dependent crates. Since this change incargo-vendor
changes the set of vendored files for most Rust packages, the hash that use used to verify the dependencies,cargoSha256
, also changes.The
cargoSha256
hashes of all in-tree derivations that usebuildRustPackage
have been updated to reflect this change. However, third-party derivations that usebuildRustPackage
may have to be updated as well.The
consul
package was upgraded past version1.5
, so its deprecated legacy UI is no longer available.The default resample-method for PulseAudio has been changed from the upstream default
speex-float-1
tospeex-float-5
. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this so you'll need to sethardware.pulseaudio.daemon.config.resample-method
back tospeex-float-1
.The
phabricator
package and associatedhttpd.extraSubservice
, as well as thephd
service have been removed from nixpkgs due to lack of maintainer.The
mercurial
httpd.extraSubservice
has been removed from nixpkgs due to lack of maintainer.The
trac
httpd.extraSubservice
has been removed from nixpkgs because it was unmaintained.The
foswiki
package and associatedhttpd.extraSubservice
have been removed from nixpkgs due to lack of maintainer.The
tomcat-connector
httpd.extraSubservice
has been removed from nixpkgs.It's now possible to change configuration in services.nextcloud after the initial deploy since all config parameters are persisted in an additional config file generated by the module. Previously core configuration like database parameters were set using their imperative installer after creating
/var/lib/nextcloud
.There exists now
lib.forEach
, which is likemap
, but with arguments flipped. When mapping function body spans many lines (or has nestedmap
s), it is often hard to follow which list is modified.Previous solution to this problem was either to use
lib.flip map
idiom or extract that anonymous mapping function to a named one. Both can still be used butlib.forEach
is preferred overlib.flip map
.The
/etc/sysctl.d/nixos.conf
file containing all the options set via boot.kernel.sysctl was moved to/etc/sysctl.d/60-nixos.conf
, as sysctl.d5 recommends prefixing all filenames in/etc/sysctl.d
with a two-digit number and a dash to simplify the ordering of the files.We now install the sysctl snippets shipped with systemd.
Loose reverse path filtering
Source route filtering
fq_codel
as a packet scheduler (this helps to fight bufferbloat)
This also configures the kernel to pass core dumps to
systemd-coredump
, and restricts the SysRq key combinations to the sync command only. These sysctl snippets can be found in/etc/sysctl.d/50-*.conf
, and overridden via boot.kernel.sysctl (which will place the parameters in/etc/sysctl.d/60-nixos.conf
).Core dumps are now processed by
systemd-coredump
by default.systemd-coredump
behaviour can still be modified viasystemd.coredump.extraConfig
. To stick to the old behaviour (having the kernel dump to a file calledcore
in the working directory), without piping it throughsystemd-coredump
, setsystemd.coredump.enable
tofalse
.systemd.packages
option now also supports generators and shutdown scripts. Oldsystemd.generator-packages
option has been removed.The
rmilter
package was removed with associated module and options due deprecation by upstream developer. Userspamd
in proxy mode instead.systemd cgroup accounting via the systemd.enableCgroupAccounting option is now enabled by default. It now also enables the more recent Block IO and IP accounting features.
We no longer enable custom font rendering settings with
fonts.fontconfig.penultimate.enable
by default. The defaults from fontconfig are sufficient.The
crashplan
package and thecrashplan
service have been removed from nixpkgs due to crashplan shutting down the service, while thecrashplansb
package andcrashplan-small-business
service have been removed from nixpkgs due to lack of maintainer.The redis module was hardcoded to use the
redis
user,/run/redis
as runtime directory and/var/lib/redis
as state directory. Note that the NixOS module for Redis now disables kernel support for Transparent Huge Pages (THP), because this features causes major performance problems for Redis, e.g. (https://redis.io/topics/latency).Using
fonts.enableDefaultFonts
adds a default emoji fontnoto-fonts-emoji
.services.xserver.enable
programs.sway.enable
programs.way-cooler.enable
services.xrdp.enable
The
altcoins
categorization of packages has been removed. You now access these packages at the top level, ie.nix-shell -p dogecoin
instead ofnix-shell -p altcoins.dogecoin
, etc.Ceph has been upgraded to v14.2.1. See the release notes for details. The mgr dashboard as well as osds backed by loop-devices is no longer explicitly supported by the package and module. Note: There's been some issues with python-cherrypy, which is used by the dashboard and prometheus mgr modules (and possibly others), hence 0000-dont-check-cherrypy-version.patch.
pkgs.weechat
is now compiled againstpkgs.python3
. Weechat also recommends to use Python3 in their docs.
B.6. Release 19.03 (“Koi”, 2019/04/11)
B.6.1. Highlights
In addition to numerous new and upgraded packages, this release has the following highlights:
End of support is planned for end of October 2019, handing over to 19.09.
The default Python 3 interpreter is now CPython 3.7 instead of CPython 3.6.
Added the Pantheon desktop environment. It can be enabled through
services.xserver.desktopManager.pantheon.enable
.By default,
services.xserver.desktopManager.pantheon
enables LightDM as a display manager, as pantheon's screen locking implementation relies on it. Because of that it is recommended to leave LightDM enabled. If you'd like to disable it anyway, setservices.xserver.displayManager.lightdm.enable
tofalse
and enable your preferred display manager.Also note that Pantheon's LightDM greeter is not enabled by default, because it has numerous issues in NixOS and isn't optimal for use here yet.
A major refactoring of the Kubernetes module has been completed. Refactorings primarily focus on decoupling components and enhancing security. Two-way TLS and RBAC has been enabled by default for all components, which slightly changes the way the module is configured. See: Chapter 55, Kubernetes for details.
There is now a set of
confinement
options forsystemd.services
, which allows to restrict services into a chroot 2 ed environment that only contains the store paths from the runtime closure of the service.
B.6.2. New Services
The following new services were added since the last release:
./programs/nm-applet.nix
There is a new
security.googleOsLogin
module for using OS Login to manage SSH access to Google Compute Engine instances, which supersedes the imperative and brokengoogle-accounts-daemon
used innixos/modules/virtualisation/google-compute-config.nix
../services/misc/beanstalkd.nix
There is a new
services.cockroachdb
module for running CockroachDB databases. NixOS now ships with CockroachDB 2.1.x as well, available onx86_64-linux
andaarch64-linux
../security/duosec.nix
The PAM module for Duo Security has been enabled for use. One can configure it using the
security.duosec
options along with the corresponding PAM option insecurity.pam.services.<name?>.duoSecurity.enable
.
B.6.3. Backward Incompatibilities
When upgrading from a previous release, please be aware of the following incompatible changes:
The minimum version of Nix required to evaluate Nixpkgs is now 2.0.
For users of NixOS 18.03 and 19.03, NixOS defaults to Nix 2.0, but supports using Nix 1.11 by setting
nix.package = pkgs.nix1;
. If this option is set to a Nix 1.11 package, you will need to either unset the option or upgrade it to Nix 2.0.For users of NixOS 17.09, you will first need to upgrade Nix by setting
nix.package = pkgs.nixStable2;
and runnixos-rebuild switch
as theroot
user.For users of a daemon-less Nix installation on Linux or macOS, you can upgrade Nix by running
curl -L https://nixos.org/nix/install | sh
, or prior to doing a channel update, runningnix-env -iA nix
. If you have already run a channel update and Nix is no longer able to evaluate Nixpkgs, the error message printed should provide adequate directions for upgrading Nix.For users of the Nix daemon on macOS, you can upgrade Nix by running
sudo -i sh -c 'nix-channel --update && nix-env -iA nixpkgs.nix'; sudo launchctl stop org.nixos.nix-daemon; sudo launchctl start org.nixos.nix-daemon
.
The
buildPythonPackage
function now setsstrictDeps = true
to help distinguish between native and non-native dependencies in order to improve cross-compilation compatibility. Note however that this may break user expressions.The
buildPythonPackage
function now setsLANG = C.UTF-8
to enable Unicode support. TheglibcLocales
package is no longer needed as a build input.The Syncthing state and configuration data has been moved from
services.syncthing.dataDir
to the newly definedservices.syncthing.configDir
, which default to/var/lib/syncthing/.config/syncthing
. This change makes possible to share synced directories using ACLs without Syncthing resetting the permission on every start.The
ntp
module now has sane default restrictions. If you're relying on the previous defaults, which permitted all queries and commands from all firewall-permitted sources, you can setservices.ntp.restrictDefault
andservices.ntp.restrictSource
to[]
.Package
rabbitmq_server
is renamed torabbitmq-server
.The
light
module no longer uses setuid binaries, but udev rules. As a consequence users of that module have to belong to thevideo
group in order to use the executable (i.e.users.users.yourusername.extraGroups = ["video"];
).Buildbot now supports Python 3 and its packages have been moved to
pythonPackages
. The optionsservices.buildbot-master.package
andservices.buildbot-worker.package
can be used to select the Python 2 or 3 version of the package.Options
services.znc.confOptions.networks.name.userName
andservices.znc.confOptions.networks.name.modulePackages
were removed. They were never used for anything and can therefore safely be removed.Package
wasm
has been renamedproglodyte-wasm
. The packagewasm
will be pointed toocamlPackages.wasm
in 19.09, so make sure to update your configuration if you want to keepproglodyte-wasm
When the
nixpkgs.pkgs
option is set, NixOS will no longer ignore thenixpkgs.overlays
option. The old behavior can be recovered by settingnixpkgs.overlays = lib.mkForce [];
.OpenSMTPD has been upgraded to version 6.4.0p1. This release makes backwards-incompatible changes to the configuration file format. See
man smtpd.conf
for more information on the new file format.The versioned
postgresql
have been renamed to use underscore number seperators. For example,postgresql96
has been renamed topostgresql_9_6
.Package
consul-ui
and passthroughconsul.ui
have been removed. The packageconsul
now uses upstream releases that vendor the UI into the binary. See #48714 for details.Slurm introduces the new option
services.slurm.stateSaveLocation
, which is now set to/var/spool/slurm
by default (instead of/var/spool
). Make sure to move all files to the new directory or to set the option accordingly.The slurmctld now runs as user
slurm
instead ofroot
. If you want to keep slurmctld running asroot
, setservices.slurm.user = root
.The options
services.slurm.nodeName
andservices.slurm.partitionName
are now sets of strings to correctly reflect that fact that each of these options can occour more than once in the configuration.The
solr
package has been upgraded from 4.10.3 to 7.5.0 and has undergone some major changes. Theservices.solr
module has been updated to reflect these changes. Please review http://lucene.apache.org/solr/ carefully before upgrading.Package
ckb
is renamed tockb-next
, and optionshardware.ckb.*
are renamed tohardware.ckb-next.*
.The option
services.xserver.displayManager.job.logToFile
which was previously set totrue
when using the display managerslightdm
,sddm
orxpra
has been reset to the default value (false
).Network interface indiscriminate NixOS firewall options (
networking.firewall.allow*
) are now preserved when also setting interface specific rules such asnetworking.firewall.interfaces.en0.allow*
. These rules continue to use the pseudo device "default" (networking.firewall.interfaces.default.*
), and assigning to this pseudo device will override the (networking.firewall.allow*
) options.The
nscd
service now disables all caching ofpasswd
andgroup
databases by default. This was interferring with the correct functioning of thelibnss_systemd.so
module which is used bysystemd
to manage uids and usernames in the presence ofDynamicUser=
in systemd services. This was already the default behaviour in presence ofservices.sssd.enable = true
because nscd caching would interfere withsssd
in unpredictable ways as well. Because we're using nscd not for caching, but for convincing glibc to find NSS modules in the nix store instead of an absolute path, we have decided to disable caching globally now, as it's usually not the behaviour the user wants and can lead to surprising behaviour. Furthermore, negative caching of host lookups is also disabled now by default. This should fix the issue of dns lookups failing in the presence of an unreliable network.If the old behaviour is desired, this can be restored by setting the
services.nscd.config
option with the desired caching parameters.{ services.nscd.config = '' server-user nscd threads 1 paranoia no debug-level 0 enable-cache passwd yes positive-time-to-live passwd 600 negative-time-to-live passwd 20 suggested-size passwd 211 check-files passwd yes persistent passwd no shared passwd yes enable-cache group yes positive-time-to-live group 3600 negative-time-to-live group 60 suggested-size group 211 check-files group yes persistent group no shared group yes enable-cache hosts yes positive-time-to-live hosts 600 negative-time-to-live hosts 5 suggested-size hosts 211 check-files hosts yes persistent hosts no shared hosts yes ''; }
See #50316 for details.
GitLab Shell previously used the nix store paths for the
gitlab-shell
command in itsauthorized_keys
file, which might stop working after garbage collection. To circumvent that, we regenerated that file on each startup. Asgitlab-shell
has now been changed to use/var/run/current-system/sw/bin/gitlab-shell
, this is not necessary anymore, but there might be leftover lines with a nix store path. Regenerate theauthorized_keys
file viasudo -u git -H gitlab-rake gitlab:shell:setup
in that case.The
pam_unix
account module is now loaded with its control field set torequired
instead ofsufficient
, so that later PAM account modules that might do more extensive checks are being executed. Previously, the whole account module verification was exited prematurely in case a nss module provided the account name topam_unix
. The LDAP and SSSD NixOS modules already add their NSS modules when enabled. In case your setup breaks due to some later PAM account module previosuly shadowed, or failing NSS lookups, please file a bug. You can get back the old behaviour by manually settingsecurity.pam.services.<name?>.text
.The
pam_unix
password module is now loaded with its control field set tosufficient
instead ofrequired
, so that password managed only by later PAM password modules are being executed. Previously, for example, changing an LDAP account's password through PAM was not possible: the whole password module verification was exited prematurely bypam_unix
, preventingpam_ldap
to manage the password as it should.fish
has been upgraded to 3.0. It comes with a number of improvements and backwards incompatible changes. See thefish
release notes for more information.The ibus-table input method has had a change in config format, which causes all previous settings to be lost. See this commit message for details.
NixOS module system type
types.optionSet
andlib.mkOption
argumentoptions
are deprecated. Usetypes.submodule
instead. (#54637)matrix-synapse
has been updated to version 0.99. It will no longer generate a self-signed certificate on first launch and will be the last version to accept self-signed certificates. As such, it is now recommended to use a proper certificate verified by a root CA (for example Let's Encrypt). The new manual chapter on Matrix contains a working example of using nginx as a reverse proxy in front ofmatrix-synapse
, using Let's Encrypt certificates.mailutils
now works by default whensendmail
is not in a setuid wrapper. As a consequence, thesendmailPath
argument, having lost its main use, has been removed.graylog
has been upgraded from version 2.* to 3.*. Some setups making use of extraConfig (especially those exposing Graylog via reverse proxies) need to be updated as upstream removed/replaced some settings. See Upgrading Graylog for details.The option
users.ldap.bind.password
was renamed tousers.ldap.bind.passwordFile
, and needs to be readable by thenslcd
user. Same applies to the newusers.ldap.daemon.rootpwmodpwFile
option.nodejs-6_x
is end-of-life.nodejs-6_x
,nodejs-slim-6_x
andnodePackages_6_x
are removed.
B.6.4. Other Notable Changes
The
services.matomo
module gained the optionservices.matomo.package
which determines the used Matomo version.The Matomo module now also comes with the systemd service
matomo-archive-processing.service
and a timer that automatically triggers archive processing every hour. This means that you can safely disable browser triggers for Matomo archiving atAdministration > System > General Settings
.Additionally, you can enable to delete old visitor logs at
Administration > System > Privacy
, but make sure that you runsystemctl start matomo-archive-processing.service
at least once without errors if you have already collected data before, so that the reports get archived before the source data gets deleted.composableDerivation
along with supporting library functions has been removed.The deprecated
truecrypt
package has been removed andtruecrypt
attribute is now an alias forveracrypt
. VeraCrypt is backward-compatible with TrueCrypt volumes. Note thatcryptsetup
also supports loading TrueCrypt volumes.The Kubernetes DNS addons, kube-dns, has been replaced with CoreDNS. This change is made in accordance with Kubernetes making CoreDNS the official default starting from Kubernetes v1.11. Please beware that upgrading DNS-addon on existing clusters might induce minor downtime while the DNS-addon terminates and re-initializes. Also note that the DNS-service now runs with 2 pod replicas by default. The desired number of replicas can be configured using:
services.kubernetes.addons.dns.replicas
.The quassel-webserver package and module was removed from nixpkgs due to the lack of maintainers.
The manual gained a new chapter on self-hosting
matrix-synapse
andriot-web
, the most prevalent server and client implementations for the Matrix federated communication network.The astah-community package was removed from nixpkgs due to it being discontinued and the downloads not being available anymore.
The httpd service now saves log files with a .log file extension by default for easier integration with the logrotate service.
The owncloud server packages and httpd subservice module were removed from nixpkgs due to the lack of maintainers.
It is possible now to uze ZRAM devices as general purpose ephemeral block devices, not only as swap. Using more than 1 device as ZRAM swap is no longer recommended, but is still possible by setting
zramSwap.swapDevices
explicitly.ZRAM algorithm can be changed now.
Changes to ZRAM algorithm are applied during
nixos-rebuild switch
, so make sure you have enough swap space on disk to survive ZRAM device rebuild. Alternatively, usenixos-rebuild boot; reboot
.Flat volumes are now disabled by default in
hardware.pulseaudio
. This has been done to prevent applications, which are unaware of this feature, setting their volumes to 100% on startup causing harm to your audio hardware and potentially your ears.With this change application specific volumes are relative to the master volume which can be adjusted independently, whereas before they were absolute; meaning that in effect, it scaled the device-volume with the volume of the loudest application.
The
ndppd
module now supports all config options provided by the current upstream version as service options. Additionally thendppd
package doesn't contain the systemd unit configuration from upstream anymore, the unit is completely configured by the NixOS module now.New installs of NixOS will default to the Redmine 4.x series unless otherwise specified in
services.redmine.package
while existing installs of NixOS will default to the Redmine 3.x series.The Grafana module now supports declarative datasource and dashboard provisioning.
The use of insecure ports on kubernetes has been deprecated. Thus options:
services.kubernetes.apiserver.port
andservices.kubernetes.controllerManager.port
has been renamed to.insecurePort
, and default of both options has changed to 0 (disabled).Note that the default value of
services.kubernetes.apiserver.bindAddress
has changed from 127.0.0.1 to 0.0.0.0, allowing the apiserver to be accessible from outside the master node itself. If the apiserver insecurePort is enabled, it is strongly recommended to only bind on the loopback interface. See:services.kubernetes.apiserver.insecurebindAddress
.The option
services.kubernetes.apiserver.allowPrivileged
andservices.kubernetes.kubelet.allowPrivileged
now defaults to false. Disallowing privileged containers on the cluster.The kubernetes module does no longer add the kubernetes package to
environment.systemPackages
implicitly.The
intel
driver has been removed from the default list of X.org video drivers. Themodesetting
driver should take over automatically, it is better maintained upstream and has less problems with advanced X11 features. This can lead to a change in the output names used byxrandr
. Some performance regressions on some GPU models might happen. Some OpenCL and VA-API applications might also break (Beignet seems to provide OpenCL support withmodesetting
driver, too). Kernel mode setting API does not support backlight control, soxbacklight
tool will not work; backlight level can be controlled directly via/sys/
or withbrightnessctl
. Users who need this functionality more than multi-output XRandR are advised to add `intel` to `videoDrivers` and report an issue (or provide additional details in an existing one)Openmpi has been updated to version 4.0.0, which removes some deprecated MPI-1 symbols. This may break some older applications that still rely on those symbols. An upgrade guide can be found here.
The nginx package now relies on OpenSSL 1.1 and supports TLS 1.3 by default. You can set the protocols used by the nginx service using services.nginx.sslProtocols.
A new subcommand
nixos-rebuild edit
was added.
B.7. Release 18.09 (“Jellyfish”, 2018/10/05)
B.7.1. Highlights
In addition to numerous new and upgraded packages, this release has the following notable updates:
End of support is planned for end of April 2019, handing over to 19.03.
Platform support: x86_64-linux and x86_64-darwin as always. Support for aarch64-linux is as with the previous releases, not equivalent to the x86-64-linux release, but with efforts to reach parity.
Nix has been updated to 2.1; see its release notes.
Core versions: linux: 4.14 LTS (unchanged), glibc: 2.26 → 2.27, gcc: 7 (unchanged), systemd: 237 → 239.
Desktop version changes: gnome: 3.26 → 3.28, (KDE) plasma-desktop: 5.12 → 5.13.
Notable changes and additions for 18.09 include:
Support for wrapping binaries using
firejail
has been added throughprograms.firejail.wrappedBinaries
.For example
{ programs.firejail = { enable = true; wrappedBinaries = { firefox = "${lib.getBin pkgs.firefox}/bin/firefox"; mpv = "${lib.getBin pkgs.mpv}/bin/mpv"; }; }; }
This will place
firefox
andmpv
binaries in the global path wrapped by firejail.User channels are now in the default
NIX_PATH
, allowing users to use their personalnix-channel
defined channels innix-build
andnix-shell
commands, as well as in imports likeimport <mychannel>
.For example
$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgsunstable $ nix-channel --update $ nix-build '<nixpkgsunstable>' -A gitFull $ nix run -f '<nixpkgsunstable>' gitFull $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'
B.7.2. New Services
A curated selection of new services that were added since the last release:
The
services.cassandra
module has been reworked and was rewritten from scratch. The service has succeeding tests for the versions 2.1, 2.2, 3.0 and 3.11 of Apache Cassandra.There is a new
services.foundationdb
module for deploying FoundationDB clusters.When enabled the
iproute2
will copy the files expected by ip route (e.g.,rt_tables
) in/etc/iproute2
. This allows to write aliases for routing tables for instance.services.strongswan-swanctl
is a modern replacement forservices.strongswan
. You can use either one of them to setup IPsec VPNs but not both at the same time.services.strongswan-swanctl
uses the swanctl command which uses the modern vici Versatile IKE Configuration Interface. The deprecatedipsec
command used inservices.strongswan
is using the legacy stroke configuration interface.The new
services.elasticsearch-curator
service periodically curates or manages, your Elasticsearch indices and snapshots.
Every new services:
./config/xdg/autostart.nix
./config/xdg/icons.nix
./config/xdg/menus.nix
./config/xdg/mime.nix
./hardware/brightnessctl.nix
./hardware/onlykey.nix
./hardware/video/uvcvideo/default.nix
./misc/documentation.nix
./programs/firejail.nix
./programs/iftop.nix
./programs/sedutil.nix
./programs/singularity.nix
./programs/xss-lock.nix
./programs/zsh/zsh-autosuggestions.nix
./services/admin/oxidized.nix
./services/backup/duplicati.nix
./services/backup/restic.nix
./services/backup/restic-rest-server.nix
./services/cluster/hadoop/default.nix
./services/databases/aerospike.nix
./services/databases/monetdb.nix
./services/desktops/bamf.nix
./services/desktops/flatpak.nix
./services/desktops/zeitgeist.nix
./services/development/bloop.nix
./services/development/jupyter/default.nix
./services/hardware/lcd.nix
./services/hardware/undervolt.nix
./services/misc/clipmenu.nix
./services/misc/gitweb.nix
./services/misc/serviio.nix
./services/misc/safeeyes.nix
./services/misc/sysprof.nix
./services/misc/weechat.nix
./services/monitoring/datadog-agent.nix
./services/monitoring/incron.nix
./services/networking/dnsdist.nix
./services/networking/freeradius.nix
./services/networking/hans.nix
./services/networking/morty.nix
./services/networking/ndppd.nix
./services/networking/ocserv.nix
./services/networking/owamp.nix
./services/networking/quagga.nix
./services/networking/shadowsocks.nix
./services/networking/stubby.nix
./services/networking/zeronet.nix
./services/security/certmgr.nix
./services/security/cfssl.nix
./services/security/oauth2_proxy_nginx.nix
./services/web-apps/virtlyst.nix
./services/web-apps/youtrack.nix
./services/web-servers/hitch/default.nix
./services/web-servers/hydron.nix
./services/web-servers/meguca.nix
./services/web-servers/nginx/gitweb.nix
./virtualisation/kvmgt.nix
./virtualisation/qemu-guest-agent.nix
B.7.3. Backward Incompatibilities
When upgrading from a previous release, please be aware of the following incompatible changes:
Some licenses that were incorrectly not marked as unfree now are. This is the case for:
cc-by-nc-sa-20: Creative Commons Attribution Non Commercial Share Alike 2.0
cc-by-nc-sa-25: Creative Commons Attribution Non Commercial Share Alike 2.5
cc-by-nc-sa-30: Creative Commons Attribution Non Commercial Share Alike 3.0
cc-by-nc-sa-40: Creative Commons Attribution Non Commercial Share Alike 4.0
cc-by-nd-30: Creative Commons Attribution-No Derivative Works v3.00
msrla: Microsoft Research License Agreement
The deprecated
services.cassandra
module has seen a complete rewrite. (See above.)lib.strict
is removed. Usebuiltins.seq
instead.The
clementine
package points now to the free derivation.clementineFree
is removed now andclementineUnfree
points to the package which is bundled with the unfreelibspotify
package.The
netcat
package is now taken directly from OpenBSD'slibressl
, instead of relying on Debian's fork. The new version should be very close to the old version, but there are some minor differences. Importantly, flags like -b, -q, -C, and -Z are no longer accepted by the nc command.The
services.docker-registry.extraConfig
object doesn't contain environment variables anymore. Instead it needs to provide an object structure that can be mapped onto the YAML configuration defined in thedocker/distribution
docs.gnucash
has changed from version 2.4 to 3.x. If you've been usinggnucash
(version 2.4) instead ofgnucash26
(version 2.6) you must open your Gnucash data file(s) withgnucash26
and then save them to upgrade the file format. Then you may use your data file(s) with Gnucash 3.x. See the upgrade documentation. Gnucash 2.4 is still available under the attributegnucash24
.services.munge
now runs as user (and group)munge
instead of root. Make sure the key file is accessible to the daemon.dockerTools.buildImage
now usesnull
as default value fortag
, which indicates that the nix output hash will be used as tag.The ELK stack:
elasticsearch
,logstash
andkibana
has been upgraded from 2.* to 6.3.*. The 2.* versions have been unsupported since last year so they have been removed. You can still use the 5.* versions under the nameselasticsearch5
,logstash5
andkibana5
.The elastic beats:
filebeat
,heartbeat
,metricbeat
andpacketbeat
have had the same treatment: they now target 6.3.* as well. The 5.* versions are available under the names:filebeat5
,heartbeat5
,metricbeat5
andpacketbeat5
The ELK-6.3 stack now comes with X-Pack by default. Since X-Pack is licensed under the Elastic License the ELK packages now have an unfree license. To use them you need to specify
allowUnfree = true;
in your nixpkgs configuration.Fortunately there is also a free variant of the ELK stack without X-Pack. The packages are available under the names:
elasticsearch-oss
,logstash-oss
andkibana-oss
.Options
boot.initrd.luks.devices.name.yubikey.ramfsMountPoint
boot.initrd.luks.devices.name.yubikey.storage.mountPoint
were removed.luksroot.nix
module never supported more than one YubiKey at a time anyway, hence those options never had any effect. You should be able to remove them from your config without any issues.stdenv.system
andsystem
in nixpkgs now refer to the host platform instead of the build platform. For native builds this is not change, let alone a breaking one. For cross builds, it is a breaking change, andstdenv.buildPlatform.system
can be used instead for the old behavior. They should be using that anyways for clarity.Groups
kvm
andrender
are introduced now, as systemd requires them.
B.7.4. Other Notable Changes
dockerTools.pullImage
relies on image digest instead of image tag to download the image. Thesha256
of a pulled image has to be updated.lib.attrNamesToStr
has been deprecated. Use more specific concatenation (lib.concat(Map)StringsSep
) instead.lib.addErrorContextToAttrs
has been deprecated. Usebuiltins.addErrorContext
directly.lib.showVal
has been deprecated. Uselib.traceSeqN
instead.lib.traceXMLVal
has been deprecated. Uselib.traceValFn builtins.toXml
instead.lib.traceXMLValMarked
has been deprecated. Uselib.traceValFn (x: str + builtins.toXML x)
instead.The
pkgs
argument to NixOS modules can now be set directly usingnixpkgs.pkgs
. Previously, only thesystem
,config
andoverlays
arguments could be used to influencepkgs
.A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs. For example:
{ inherit (pkgs.nixos { boot.loader.grub.enable = false; fileSystems."/".device = "/dev/xvda1"; }) toplevel kernel initialRamdisk manual; }
This benefits evaluation performance, lets you write Nixpkgs packages that depend on NixOS images and is consistent with a deployment architecture that would be centered around Nixpkgs overlays.
lib.traceValIfNot
has been deprecated. Useif/then/else
andlib.traceValSeq
instead.lib.traceCallXml
has been deprecated. Please complain if you use the function regularly.The attribute
lib.nixpkgsVersion
has been deprecated in favor oflib.version
. Please refer to the discussion in NixOS/nixpkgs#39416 for further reference.lib.recursiveUpdateUntil
was not acting according to its specification. It has been fixed to act according to the docstring, and a test has been added.The module for
security.dhparams
has two new options now:security.dhparams.stateless
Puts the generated Diffie-Hellman parameters into the Nix store instead of managing them in a stateful manner in
/var/lib/dhparams
.security.dhparams.defaultBitSize
The default bit size to use for the generated Diffie-Hellman parameters.
The path to the actual generated parameter files should now be queried using
config.security.dhparams.params.name.path
because it might be either in the Nix store or in a directory configured bysecurity.dhparams.path
.For developers:
Module implementers should not set a specific bit size in order to let users configure it by themselves if they want to have a different bit size than the default (2048).
An example usage of this would be:
{ config, ... }: { security.dhparams.params.myservice = {}; environment.etc."myservice.conf".text = '' dhparams = ${config.security.dhparams.params.myservice.path} ''; }
networking.networkmanager.useDnsmasq
has been deprecated. Usenetworking.networkmanager.dns
instead.The Kubernetes package has been bumped to major version 1.11. Please consult the release notes for details on new features and api changes.
The option
services.kubernetes.apiserver.admissionControl
was renamed toservices.kubernetes.apiserver.enableAdmissionPlugins
.Recommended way to access the Kubernetes Dashboard is via HTTPS (TLS) Therefore; public service port for the dashboard has changed to 443 (container port 8443) and scheme to https.
The option
services.kubernetes.apiserver.address
was renamed toservices.kubernetes.apiserver.bindAddress
. Note that the default value has changed from 127.0.0.1 to 0.0.0.0.The option
services.kubernetes.apiserver.publicAddress
was not used and thus has been removed.The option
services.kubernetes.addons.dashboard.enableRBAC
was renamed toservices.kubernetes.addons.dashboard.rbac.enable
.The Kubernetes Dashboard now has only minimal RBAC permissions by default. If dashboard cluster-admin rights are desired, set
services.kubernetes.addons.dashboard.rbac.clusterAdmin
to true. On existing clusters, in order for the revocation of privileges to take effect, the current ClusterRoleBinding for kubernetes-dashboard must be manually removed:kubectl delete clusterrolebinding kubernetes-dashboard
The
programs.screen
module provides allows to configure/etc/screenrc
, however the module behaved fairly counterintuitive as the config exists, but the package wasn't available. Since 18.09pkgs.screen
will be added toenvironment.systemPackages
.The module
services.networking.hostapd
now uses WPA2 by default.s6Dns
,s6Networking
,s6LinuxUtils
ands6PortableUtils
renamed tos6-dns
,s6-networking
,s6-linux-utils
ands6-portable-utils
respectively.The module option
nix.useSandbox
is now defaulted totrue
.The config activation script of
nixos-rebuild
now reloads all user units for each authenticated user.The default display manager is now LightDM. To use SLiM set
services.xserver.displayManager.slim.enable
totrue
.NixOS option descriptions are now automatically broken up into individual paragraphs if the text contains two consecutive newlines, so it's no longer necessary to use
</para><para>
to start a new paragraph.Top-level
buildPlatform
,hostPlatform
, andtargetPlatform
in Nixpkgs are deprecated. Please use their equivalents instdenv
instead:stdenv.buildPlatform
,stdenv.hostPlatform
, andstdenv.targetPlatform
.
B.8. Release 18.03 (“Impala”, 2018/04/04)
B.8.1. Highlights
In addition to numerous new and upgraded packages, this release has the following highlights:
End of support is planned for end of October 2018, handing over to 18.09.
Platform support: x86_64-linux and x86_64-darwin since release time (the latter isn't NixOS, really). Binaries for aarch64-linux are available, but no channel exists yet, as it's waiting for some test fixes, etc.
Nix now defaults to 2.0; see its release notes.
Core version changes: linux: 4.9 -> 4.14, glibc: 2.25 -> 2.26, gcc: 6 -> 7, systemd: 234 -> 237.
Desktop version changes: gnome: 3.24 -> 3.26, (KDE) plasma-desktop: 5.10 -> 5.12.
MariaDB 10.2, updated from 10.1, is now the default MySQL implementation. While upgrading a few changes have been made to the infrastructure involved:
libmysql
has been deprecated, please usemysql.connector-c
instead, a compatibility passthru has been added to the MySQL packages.The
mysql57
package has a newstatic
output containing the static libraries includinglibmysqld.a
PHP now defaults to PHP 7.2, updated from 7.1.
B.8.2. New Services
The following new services were added since the last release:
./config/krb5/default.nix
./hardware/digitalbitbox.nix
./misc/label.nix
./programs/ccache.nix
./programs/criu.nix
./programs/digitalbitbox/default.nix
./programs/less.nix
./programs/npm.nix
./programs/plotinus.nix
./programs/rootston.nix
./programs/systemtap.nix
./programs/sway.nix
./programs/udevil.nix
./programs/way-cooler.nix
./programs/yabar.nix
./programs/zsh/zsh-autoenv.nix
./services/backup/borgbackup.nix
./services/backup/crashplan-small-business.nix
./services/desktops/dleyna-renderer.nix
./services/desktops/dleyna-server.nix
./services/desktops/pipewire.nix
./services/desktops/gnome3/chrome-gnome-shell.nix
./services/desktops/gnome3/tracker-miners.nix
./services/hardware/fwupd.nix
./services/hardware/interception-tools.nix
./services/hardware/u2f.nix
./services/hardware/usbmuxd.nix
./services/mail/clamsmtp.nix
./services/mail/dkimproxy-out.nix
./services/mail/pfix-srsd.nix
./services/misc/gitea.nix
./services/misc/home-assistant.nix
./services/misc/ihaskell.nix
./services/misc/logkeys.nix
./services/misc/novacomd.nix
./services/misc/osrm.nix
./services/misc/plexpy.nix
./services/misc/pykms.nix
./services/misc/tzupdate.nix
./services/monitoring/fusion-inventory.nix
./services/monitoring/prometheus/exporters.nix
./services/network-filesystems/beegfs.nix
./services/network-filesystems/davfs2.nix
./services/network-filesystems/openafs/client.nix
./services/network-filesystems/openafs/server.nix
./services/network-filesystems/ceph.nix
./services/networking/aria2.nix
./services/networking/monero.nix
./services/networking/nghttpx/default.nix
./services/networking/nixops-dns.nix
./services/networking/rxe.nix
./services/networking/stunnel.nix
./services/web-apps/matomo.nix
./services/web-apps/restya-board.nix
./services/web-servers/mighttpd2.nix
./services/x11/fractalart.nix
./system/boot/binfmt.nix
./system/boot/grow-partition.nix
./tasks/filesystems/ecryptfs.nix
./virtualisation/hyperv-guest.nix
B.8.3. Backward Incompatibilities
When upgrading from a previous release, please be aware of the following incompatible changes:
sound.enable
now defaults to false.Dollar signs in options under
services.postfix
are passed verbatim to Postfix, which will interpret them as the beginning of a parameter expression. This was already true for string-valued options in the previous release, but not for list-valued options. If you need to pass literal dollar signs through Postfix, double them.The
postage
package (for web-based PostgreSQL administration) has been renamed topgmanage
. The corresponding module has also been renamed. To migrate please rename allservices.postage
options toservices.pgmanage
.Package attributes starting with a digit have been prefixed with an underscore sign. This is to avoid quoting in the configuration and other issues with command-line tools like
nix-env
. The change affects the following packages:2048-in-terminal
→_2048-in-terminal
90secondportraits
→_90secondportraits
2bwm
→_2bwm
389-ds-base
→_389-ds-base
The OpenSSH service no longer enables support for DSA keys by default, which could cause a system lock out. Update your keys or, unfavorably, re-enable DSA support manually.
DSA support was deprecated in OpenSSH 7.0, due to it being too weak. To re-enable support, add
PubkeyAcceptedKeyTypes +ssh-dss
to the end of yourservices.openssh.extraConfig
.After updating the keys to be stronger, anyone still on a pre-17.03 version is safe to jump to 17.03, as vetted here.
The
openssh
package now includes Kerberos support by default; theopenssh_with_kerberos
package is now a deprecated alias. If you do not want Kerberos support, you can doopenssh.override { withKerberos = false; }
. Note, this also applies to theopenssh_hpn
package.cc-wrapper
has been split in two; there is now also abintools-wrapper
. The most commonly used files innix-support
are now split between the two wrappers. Some commonly used ones, likenix-support/dynamic-linker
, are duplicated for backwards compatability, even though they rightly belong only inbintools-wrapper
. Other more obscure ones are just moved.The propagation logic has been changed. The new logic, along with new types of dependencies that go with, is thoroughly documented in the "Specifying dependencies" section of the "Standard Environment" chapter of the nixpkgs manual. The old logic isn't but is easy to describe: dependencies were propagated as the same type of dependency no matter what. In practice, that means that many
propagatedNativeBuildInputs
should instead bepropagatedBuildInputs
. Thankfully, that was and is the least used type of dependency. Also, it means that somepropagatedBuildInputs
should instead bedepsTargetTargetPropagated
. Other types dependencies should be unaffected.lib.addPassthru drv passthru
is removed. Uselib.extendDerivation true passthru drv
instead.The
memcached
service no longer accept dynamic socket paths viaservices.memcached.socket
. Unix sockets can be still enabled byservices.memcached.enableUnixSocket
and will be accessible at/run/memcached/memcached.sock
.The
hardware.amdHybridGraphics.disable
option was removed for lack of a maintainer. If you still need this module, you may wish to include a copy of it from an older version of nixos in your imports.The merging of config options for
services.postfix.config
was buggy. Previously, if other options in the Postfix module likeservices.postfix.useSrs
were set and the user set config options that were also set by such options, the resulting config wouldn't include all options that were needed. They are now merged correctly. If config options need to be overridden,lib.mkForce
orlib.mkOverride
can be used.The following changes apply if the
stateVersion
is changed to 18.03 or higher. ForstateVersion = "17.09"
or lower the old behavior is preserved.matrix-synapse
uses postgresql by default instead of sqlite. Migration instructions can be found here .
The
jid
package has been removed, due to maintenance overhead of a go package having non-versioned dependencies.When using
services.xserver.libinput
(enabled by default in GNOME), it now handles all input devices, not just touchpads. As a result, you might need to re-evaluate any custom Xorg configuration. In particular,Option "XkbRules" "base"
may result in broken keyboard layout.The
attic
package was removed. A maintained fork called Borg should be used instead. Migration instructions can be found here.The Piwik analytics software was renamed to Matomo:
The package
pkgs.piwik
was renamed topkgs.matomo
.The service
services.piwik
was renamed toservices.matomo
.The data directory
/var/lib/piwik
was renamed to/var/lib/matomo
. All files will be moved automatically on first startup, but you might need to adjust your backup scripts.The default
serverName
for the nginx configuration changed frompiwik.${config.networking.hostName}
tomatomo.${config.networking.hostName}.${config.networking.domain}
ifconfig.networking.domain
is set,matomo.${config.networking.hostName}
if it is not set. If you change yourserverName
, remember you'll need to update thetrustedHosts[]
array in/var/lib/matomo/config/config.ini.php
as well.The
piwik
user was renamed tomatomo
. The service will adjust ownership automatically for files in the data directory. If you use unix socket authentication, remember to give the newmatomo
user access to the database and to change theusername
tomatomo
in the[database]
section of/var/lib/matomo/config/config.ini.php
.If you named your database `piwik`, you might want to rename it to `matomo` to keep things clean, but this is neither enforced nor required.
nodejs-4_x
is end-of-life.nodejs-4_x
,nodejs-slim-4_x
andnodePackages_4_x
are removed.The
pump.io
NixOS module was removed. It is now maintained as an external module.The Prosody XMPP server has received a major update. The following modules were renamed:
services.prosody.modules.httpserver
is nowservices.prosody.modules.http_files
services.prosody.modules.console
is nowservices.prosody.modules.admin_telnet
Many new modules are now core modules, most notably
services.prosody.modules.carbons
andservices.prosody.modules.mam
.The better-performing
libevent
backend is now enabled by default.withCommunityModules
now passes through the modules toservices.prosody.extraModules
. UsewithOnlyInstalledCommunityModules
for modules that should not be enabled directly, e.glib_ldap
.All prometheus exporter modules are now defined as submodules. The exporters are configured using
services.prometheus.exporters
.
B.8.4. Other Notable Changes
ZNC option
services.znc.mutable
now defaults totrue
. That means that old configuration is not overwritten by default when update to the znc options are made.The option
networking.wireless.networks.<name>.auth
has been added for wireless networks with WPA-Enterprise authentication. There is also a newextraConfig
option to directly configurewpa_supplicant
andhidden
to connect to hidden networks.In the module
networking.interfaces.<name>
the following options have been removed:ipAddress
ipv6Address
prefixLength
ipv6PrefixLength
subnetMask
To assign static addresses to an interface the options
ipv4.addresses
andipv6.addresses
should be used instead. The optionsip4
andip6
have been renamed toipv4.addresses
ipv6.addresses
respectively. The new optionsipv4.routes
andipv6.routes
have been added to set up static routing.The option
services.logstash.listenAddress
is now127.0.0.1
by default. Previously the default behaviour was to listen on all interfaces.services.btrfs.autoScrub
has been added, to periodically check btrfs filesystems for data corruption. If there's a correct copy available, it will automatically repair corrupted blocks.displayManager.lightdm.greeters.gtk.clock-format.
has been added, the clock format string (as expected by strftime, e.g.%H:%M
) to use with the lightdm gtk greeter panel.If set to null the default clock format is used.
displayManager.lightdm.greeters.gtk.indicators
has been added, a list of allowed indicator modules to use with the lightdm gtk greeter panel.Built-in indicators include
~a11y
,~language
,~session
,~power
,~clock
,~host
,~spacer
. Unity indicators can be represented by short name (e.g.sound
,power
), service file name, or absolute path.If set to
null
the default indicators are used.In order to have the previous default configuration add
{ services.xserver.displayManager.lightdm.greeters.gtk.indicators = [ "~host" "~spacer" "~clock" "~spacer" "~session" "~language" "~a11y" "~power" ]; }
to your
configuration.nix
.The NixOS test driver supports user services declared by
systemd.user.services
. The methodswaitForUnit
,getUnitInfo
,startJob
andstopJob
provide an optional$user
argument for that purpose.Enabling bash completion on NixOS,
programs.bash.enableCompletion
, will now also enable completion for the Nix command line tools by installing the nix-bash-completions package.
B.9. Release 17.09 (“Hummingbird”, 2017/09/??)
B.9.1. Highlights
In addition to numerous new and upgraded packages, this release has the following highlights:
The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10, KDE Applications to 17.08.1 and KDE Frameworks to 5.37.
The user handling now keeps track of deallocated UIDs/GIDs. When a user or group is revived, this allows it to be allocated the UID/GID it had before. A consequence is that UIDs and GIDs are no longer reused.
The module option
services.xserver.xrandrHeads
now causes the first head specified in this list to be set as the primary head. Apart from that, it's now possible to also set additional options by using an attribute set, for example:{ services.xserver.xrandrHeads = [ "HDMI-0" { output = "DVI-0"; primary = true; monitorConfig = '' Option "Rotate" "right" ''; } ]; }
This will set the
DVI-0
output to be the primary head, even thoughHDMI-0
is the first head in the list.The handling of SSL in the
services.nginx
module has been cleaned up, renaming the misnamedenableSSL
toonlySSL
which reflects its original intention. This is not to be used with the already existingforceSSL
which creates a second non-SSL virtual host redirecting to the SSL virtual host. This by chance had worked earlier due to specific implementation details. In case you had specified both please remove theenableSSL
option to keep the previous behaviour.Another
addSSL
option has been introduced to configure both a non-SSL virtual host and an SSL virtual host with the same configuration.Options to configure
resolver
options andupstream
blocks have been introduced. See their information for further details.The
port
option has been replaced by a more genericlisten
option which makes it possible to specify multiple addresses, ports and SSL configs dependant on the new SSL handling mentioned above.
B.9.2. New Services
The following new services were added since the last release:
config/fonts/fontconfig-penultimate.nix
config/fonts/fontconfig-ultimate.nix
config/terminfo.nix
hardware/sensor/iio.nix
hardware/nitrokey.nix
hardware/raid/hpsa.nix
programs/browserpass.nix
programs/gnupg.nix
programs/qt5ct.nix
programs/slock.nix
programs/thefuck.nix
security/auditd.nix
security/lock-kernel-modules.nix
service-managers/docker.nix
service-managers/trivial.nix
services/admin/salt/master.nix
services/admin/salt/minion.nix
services/audio/slimserver.nix
services/cluster/kubernetes/default.nix
services/cluster/kubernetes/dns.nix
services/cluster/kubernetes/dashboard.nix
services/continuous-integration/hail.nix
services/databases/clickhouse.nix
services/databases/postage.nix
services/desktops/gnome3/gnome-disks.nix
services/desktops/gnome3/gpaste.nix
services/logging/SystemdJournal2Gelf.nix
services/logging/heartbeat.nix
services/logging/journalwatch.nix
services/logging/syslogd.nix
services/mail/mailhog.nix
services/mail/nullmailer.nix
services/misc/airsonic.nix
services/misc/autorandr.nix
services/misc/exhibitor.nix
services/misc/fstrim.nix
services/misc/gollum.nix
services/misc/irkerd.nix
services/misc/jackett.nix
services/misc/radarr.nix
services/misc/snapper.nix
services/monitoring/osquery.nix
services/monitoring/prometheus/collectd-exporter.nix
services/monitoring/prometheus/fritzbox-exporter.nix
services/network-filesystems/kbfs.nix
services/networking/dnscache.nix
services/networking/fireqos.nix
services/networking/iwd.nix
services/networking/keepalived/default.nix
services/networking/keybase.nix
services/networking/lldpd.nix
services/networking/matterbridge.nix
services/networking/squid.nix
services/networking/tinydns.nix
services/networking/xrdp.nix
services/security/shibboleth-sp.nix
services/security/sks.nix
services/security/sshguard.nix
services/security/torify.nix
services/security/usbguard.nix
services/security/vault.nix
services/system/earlyoom.nix
services/system/saslauthd.nix
services/web-apps/nexus.nix
services/web-apps/pgpkeyserver-lite.nix
services/web-apps/piwik.nix
services/web-servers/lighttpd/collectd.nix
services/web-servers/minio.nix
services/x11/display-managers/xpra.nix
services/x11/xautolock.nix
tasks/filesystems/bcachefs.nix
tasks/powertop.nix
B.9.3. Backward Incompatibilities
When upgrading from a previous release, please be aware of the following incompatible changes:
In an Qemu-based virtualization environment, the network interface names changed from i.e.
enp0s3
toens3
.This is due to a kernel configuration change. The new naming is consistent with those of other Linux distributions with systemd. See #29197 for more information.
A machine is affected if the
virt-what
tool either returnsqemu
orkvm
and has interface names used in any part of its NixOS configuration, in particular if a static network configuration withnetworking.interfaces
is used.Before rebooting affected machines, please ensure:
Change the interface names in your NixOS configuration. The first interface will be called
ens3
, the second oneens8
and starting from there incremented by 1.After changing the interface names, rebuild your system with
nixos-rebuild boot
to activate the new configuration after a reboot. If you switch to the new configuration right away you might lose network connectivity! If usingnixops
, deploy withnixops deploy --force-reboot
.
The following changes apply if the
stateVersion
is changed to 17.09 or higher. ForstateVersion = "17.03"
or lower the old behavior is preserved.The
postgres
default version was changed from 9.5 to 9.6.The
postgres
superuser name has changed fromroot
topostgres
to more closely follow what other Linux distributions are doing.The
postgres
defaultdataDir
has changed from/var/db/postgres
to/var/lib/postgresql/$psqlSchema
where $psqlSchema is 9.6 for example.The
mysql
defaultdataDir
has changed from/var/mysql
to/var/lib/mysql
.Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found here . It is also possible to use the newer version by setting the
package
toradicale2
, which is done automatically whenstateVersion
is 17.09 or higher. TheextraArgs
option has been added to allow passing the data migration arguments specified in the instructions; see theradicale.nix
NixOS test for an example migration.
The
aiccu
package was removed. This is due to SixXS sunsetting its IPv6 tunnel.The
fanctl
package andfan
module have been removed due to the developers not upstreaming their iproute2 patches and lagging with compatibility to recent iproute2 versions.Top-level
idea
package collection was renamed. All JetBrains IDEs are now atjetbrains
.flexget
's state database cannot be upgraded to its new internal format, requiring removal of any existingdb-config.sqlite
which will be automatically recreated.The
ipfs
service now doesn't ignore thedataDir
option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually withdataDir=<valueOfDataDir> mv /var/lib/ipfs/.ipfs/* $dataDir rmdir /var/lib/ipfs/.ipfs
The
caddy
service was previously using an extra.caddy
directory in the data directory specified with thedataDir
option. The contents of the.caddy
directory are now expected to be in thedataDir
.The
ssh-agent
user service is not started by default anymore. Useprograms.ssh.startAgent
to enable it if needed. There is also a newprograms.gnupg.agent
module that creates agpg-agent
user service. It can also serve as a SSH agent ifenableSSHSupport
is set.The
services.tinc.networks.<name>.listenAddress
option had a misleading name that did not correspond to its behavior. It now correctly defines the ip to listen for incoming connections on. To keep the previous behaviour, useservices.tinc.networks.<name>.bindToAddress
instead. Refer to the description of the options for more details.tlsdate
package and module were removed. This is due to the project being dead and not building with openssl 1.1.wvdial
package and module were removed. This is due to the project being dead and not building with openssl 1.1.cc-wrapper
's setup-hook now exports a number of environment variables corresponding to binutils binaries, (e.g.LD
,STRIP
,RANLIB
, etc). This is done to prevent packages' build systems guessing, which is harder to predict, especially when cross-compiling. However, some packages have broken due to this—their build systems either not supporting, or claiming to support without adequate testing, taking such environment variables as parameters.services.firefox.syncserver
now runs by default as a non-root user. To accomodate this change, the default sqlite database location has also been changed. Migration should work automatically. Refer to the description of the options for more details.The
compiz
window manager and package was removed. The system support had been broken for several years.Touchpad support should now be enabled through
libinput
assynaptics
is now deprecated. See the optionservices.xserver.libinput.enable
.grsecurity/PaX support has been dropped, following upstream's decision to cease free support. See upstream's announcement for more information. No complete replacement for grsecurity/PaX is available presently.
services.mysql
now has declarative configuration of databases and users with theensureDatabases
andensureUsers
options.These options will never delete existing databases and users, especially not when the value of the options are changed.
The MySQL users will be identified using Unix socket authentication. This authenticates the Unix user with the same name only, and that without the need for a password.
If you have previously created a MySQL
root
user with a password, you will need to addroot
user for unix socket authentication before using the new options. This can be done by running the following SQL script:CREATE USER 'root'@'%' IDENTIFIED BY ''; GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES; -- Optionally, delete the password-authenticated user: -- DROP USER 'root'@'localhost';
services.mysqlBackup
now works by default without any user setup, including for users other thanmysql
.By default, the
mysql
user is no longer the user which performs the backup. Instead a system accountmysqlbackup
is used.The
mysqlBackup
service is also now using systemd timers instead ofcron
.Therefore, the
services.mysqlBackup.period
option no longer exists, and has been replaced withservices.mysqlBackup.calendar
, which is in the format of systemd.time(7).If you expect to be sent an e-mail when the backup fails, consider using a script which monitors the systemd journal for errors. Regretfully, at present there is no built-in functionality for this.
You can check that backups still work by running
systemctl start mysql-backup
thensystemctl status mysql-backup
.Templated systemd services e.g
container@name
are now handled currectly when switching to a new configuration, resulting in them being reloaded.Steam: the
newStdcpp
parameter was removed and should not be needed anymore.Redis has been updated to version 4 which mandates a cluster mass-restart, due to changes in the network handling, in order to ensure compatibility with networks NATing traffic.
B.9.4. Other Notable Changes
Modules can now be disabled by using disabledModules, allowing another to take it's place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release.
Updated to FreeType 2.7.1, including a new TrueType engine. The new engine replaces the Infinality engine which was the default in NixOS. The default font rendering settings are now provided by fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults are less invasive and provide rendering that is more consistent with other systems and hopefully with each font designer's intent. Some system-wide configuration has been removed from the Fontconfig NixOS module where user Fontconfig settings are available.
ZFS/SPL have been updated to 0.7.0,
zfsUnstable, splUnstable
have therefore been removed.The
time.timeZone
option now allows the valuenull
in addition to timezone strings. This value allows changing the timezone of a system imperatively usingtimedatectl set-timezone
. The default timezone is still UTC.Nixpkgs overlays may now be specified with a file as well as a directory. The value of
<nixpkgs-overlays>
may be a file, and~/.config/nixpkgs/overlays.nix
can be used instead of the~/.config/nixpkgs/overlays
directory.See the overlays chapter of the Nixpkgs manual for more details.
Definitions for
/etc/hosts
can now be specified declaratively withnetworking.hosts
.Two new options have been added to the installer loader, in addition to the default having changed. The kernel log verbosity has been lowered to the upstream default for the default options, in order to not spam the console when e.g. joining a network.
This therefore leads to adding a new
debug
option to set the log level to the previous verbose mode, to make debugging easier, but still accessible easily.Additionally a
copytoram
option has been added, which makes it possible to remove the install medium after booting. This allows tethering from your phone after booting from it.services.gitlab-runner.configOptions
has been added to specify the configuration of gitlab-runners declaratively.services.jenkins.plugins
has been added to install plugins easily, this can be generated with jenkinsPlugins2nix.services.postfix.config
has been added to specify the main.cf with NixOS options. Additionally other options have been added to the postfix module and has been improved further.The GitLab package and module have been updated to the latest 10.0 release.
The
systemd-boot
boot loader now lists the NixOS version, kernel version and build date of all bootable generations.The dnscrypt-proxy service now defaults to using a random upstream resolver, selected from the list of public non-logging resolvers with DNSSEC support. Existing configurations can be migrated to this mode of operation by omitting the
services.dnscrypt-proxy.resolverName
option or setting it to"random"
.
B.10. Release 17.03 (“Gorilla”, 2017/03/31)
B.10.1. Highlights
In addition to numerous new and upgraded packages, this release has the following highlights:
Nixpkgs is now extensible through overlays. See the Nixpkgs manual for more information.
This release is based on Glibc 2.25, GCC 5.4.0 and systemd 232. The default Linux kernel is 4.9 and Nix is at 1.11.8.
The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed
The setuid wrapper functionality now supports setting capabilities.
X.org server uses branch 1.19. Due to ABI incompatibilities,
ati_unfree
keeps forcing 1.17 andamdgpu-pro
starts forcing 1.18.Cross compilation has been rewritten. See the nixpkgs manual for details. The most obvious breaking change is that in derivations there is no
.nativeDrv
nor.crossDrv
are now cross by default, not native.The
overridePackages
function has been rewritten to be replaced by overlaysPackages in nixpkgs can be marked as insecure through listed vulnerabilities. See the Nixpkgs manual for more information.
PHP now defaults to PHP 7.1
B.10.2. New Services
The following new services were added since the last release:
hardware/ckb.nix
hardware/mcelog.nix
hardware/usb-wwan.nix
hardware/video/capture/mwprocapture.nix
programs/adb.nix
programs/chromium.nix
programs/gphoto2.nix
programs/java.nix
programs/mtr.nix
programs/oblogout.nix
programs/vim.nix
programs/wireshark.nix
security/dhparams.nix
services/audio/ympd.nix
services/computing/boinc/client.nix
services/continuous-integration/buildbot/master.nix
services/continuous-integration/buildbot/worker.nix
services/continuous-integration/gitlab-runner.nix
services/databases/riak-cs.nix
services/databases/stanchion.nix
services/desktops/gnome3/gnome-terminal-server.nix
services/editors/infinoted.nix
services/hardware/illum.nix
services/hardware/trezord.nix
services/logging/journalbeat.nix
services/mail/offlineimap.nix
services/mail/postgrey.nix
services/misc/couchpotato.nix
services/misc/docker-registry.nix
services/misc/errbot.nix
services/misc/geoip-updater.nix
services/misc/gogs.nix
services/misc/leaps.nix
services/misc/nix-optimise.nix
services/misc/ssm-agent.nix
services/misc/sssd.nix
services/monitoring/arbtt.nix
services/monitoring/netdata.nix
services/monitoring/prometheus/default.nix
services/monitoring/prometheus/alertmanager.nix
services/monitoring/prometheus/blackbox-exporter.nix
services/monitoring/prometheus/json-exporter.nix
services/monitoring/prometheus/nginx-exporter.nix
services/monitoring/prometheus/node-exporter.nix
services/monitoring/prometheus/snmp-exporter.nix
services/monitoring/prometheus/unifi-exporter.nix
services/monitoring/prometheus/varnish-exporter.nix
services/monitoring/sysstat.nix
services/monitoring/telegraf.nix
services/monitoring/vnstat.nix
services/network-filesystems/cachefilesd.nix
services/network-filesystems/glusterfs.nix
services/network-filesystems/ipfs.nix
services/networking/dante.nix
services/networking/dnscrypt-wrapper.nix
services/networking/fakeroute.nix
services/networking/flannel.nix
services/networking/htpdate.nix
services/networking/miredo.nix
services/networking/nftables.nix
services/networking/powerdns.nix
services/networking/pdns-recursor.nix
services/networking/quagga.nix
services/networking/redsocks.nix
services/networking/wireguard.nix
services/system/cgmanager.nix
services/torrent/opentracker.nix
services/web-apps/atlassian/confluence.nix
services/web-apps/atlassian/crowd.nix
services/web-apps/atlassian/jira.nix
services/web-apps/frab.nix
services/web-apps/nixbot.nix
services/web-apps/selfoss.nix
services/web-apps/quassel-webserver.nix
services/x11/unclutter-xfixes.nix
services/x11/urxvtd.nix
system/boot/systemd-nspawn.nix
virtualisation/ecs-agent.nix
virtualisation/lxcfs.nix
virtualisation/openstack/keystone.nix
virtualisation/openstack/glance.nix
B.10.3. Backward Incompatibilities
When upgrading from a previous release, please be aware of the following incompatible changes:
Derivations have no
.nativeDrv
nor.crossDrv
and are now cross by default, not native.stdenv.overrides
is now expected to takeself
andsuper
arguments. Seelib.trivial.extends
for what those parameters represent.ansible
now defaults to ansible version 2 as version 1 has been removed due to a serious vulnerability unpatched by upstream.gnome
alias has been removed along withgtk
,gtkmm
and several others. Now you need to use versioned attributes, likegnome3
.The attribute name of the Radicale daemon has been changed from
pythonPackages.radicale
toradicale
.The
stripHash
bash function instdenv
changed according to its documentation; it now outputs the stripped name tostdout
instead of putting it in the variablestrippedName
.PHP now scans for extra configuration .ini files in /etc/php.d instead of /etc. This prevents accidentally loading non-PHP .ini files that may be in /etc.
Two lone top-level dict dbs moved into
dictdDBs
. This affects:dictdWordnet
which is now atdictdDBs.wordnet
anddictdWiktionary
which is now atdictdDBs.wiktionary
Parsoid service now uses YAML configuration format.
service.parsoid.interwikis
is now calledservice.parsoid.wikis
and is a list of either API URLs or attribute sets as specified in parsoid's documentation.Ntpd
was replaced bysystemd-timesyncd
as the default service to synchronize system time with a remote NTP server. The old behavior can be restored by settingservices.ntp.enable
totrue
. Upstream time servers for all NTP implementations are now configured usingnetworking.timeServers
.service.nylon
is now declared using named instances. As an example:{ services.nylon = { enable = true; acceptInterface = "br0"; bindInterface = "tun1"; port = 5912; }; }
should be replaced with:
{ services.nylon.myvpn = { enable = true; acceptInterface = "br0"; bindInterface = "tun1"; port = 5912; }; }
this enables you to declare a SOCKS proxy for each uplink.
overridePackages
function no longer exists. It is replaced by overlays. For example, the following code:let pkgs = import <nixpkgs> {}; in pkgs.overridePackages (self: super: ...)
should be replaced by:
let pkgs = import <nixpkgs> {}; in import pkgs.path { overlays = [(self: super: ...)]; }
Autoloading connection tracking helpers is now disabled by default. This default was also changed in the Linux kernel and is considered insecure if not configured properly in your firewall. If you need connection tracking helpers (i.e. for active FTP) please enable
networking.firewall.autoLoadConntrackHelpers
and tunenetworking.firewall.connectionTrackingModules
to suit your needs.local_recipient_maps
is not set to empty value by Postfix service. It's an insecure default as stated by Postfix documentation. Those who want to retain this setting need to set it viaservices.postfix.extraConfig
.Iputils no longer provide ping6 and traceroute6. The functionality of these tools has been integrated into ping and traceroute respectively. To enforce an address family the new flags
-4
and-6
have been added. One notable incompatibility is that specifying an interface (for link-local IPv6 for instance) is no longer done with the-I
flag, but by encoding the interface into the address (ping fe80::1%eth0
).The socket handling of the
services.rmilter
module has been fixed and refactored. As rmilter doesn't support binding to more than one socket, the optionsbindUnixSockets
andbindInetSockets
have been replaced byservices.rmilter.bindSocket.*
. The default is still a unix socket in/run/rmilter/rmilter.sock
. Refer to the options documentation for more information.The
fetch*
functions no longer support md5, please use sha256 instead.The dnscrypt-proxy module interface has been streamlined around the
extraArgs
option. Where possible, legacy option declarations are mapped toextraArgs
but will emit warnings. TheresolverList
has been outright removed: to use an unlisted resolver, use thecustomResolver
option.torbrowser now stores local state under
~/.local/share/tor-browser
by default. Any browser profile data from the old location,~/.torbrowser4
, must be migrated manually.The ihaskell, monetdb, offlineimap and sitecopy services have been removed.
B.10.4. Other Notable Changes
Module type system have a new extensible option types feature that allow to extend certain types, such as enum, through multiple option declarations of the same option across multiple modules.
jre
now defaults to GTK UI by default. This improves visual consistency and makes Java follow system font style, improving the situation on HighDPI displays. This has a cost of increased closure size; for server and other headless workloads it's recommended to usejre_headless
.Python 2.6 interpreter and package set have been removed.
The Python 2.7 interpreter does not use modules anymore. Instead, all CPython interpreters now include the whole standard library except for `tkinter`, which is available in the Python package set.
Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly. Minor modifications had to be made to the interpreters in order to generate deterministic bytecode. This has security implications and is relevant for those using Python in a
nix-shell
. See the Nixpkgs manual for details.The Python package sets now use a fixed-point combinator and the sets are available as attributes of the interpreters.
The Python function
buildPythonPackage
has been improved and can be used to build from Setuptools source, Flit source, and precompiled Wheels.When adding new or updating current Python libraries, the expressions should be put in separate files in
pkgs/development/python-modules
and called frompython-packages.nix
.The dnscrypt-proxy service supports synchronizing the list of public resolvers without working DNS resolution. This fixes issues caused by the resolver list becoming outdated. It also improves the viability of DNSCrypt only configurations.
Containers using bridged networking no longer lose their connection after changes to the host networking.
ZFS supports pool auto scrubbing.
The bind DNS utilities (e.g. dig) have been split into their own output and are now also available in
pkgs.dnsutils
and it is no longer necessary to pull in all ofbind
to use them.Per-user configuration was moved from
~/.nixpkgs
to~/.config/nixpkgs
. The former is still valid forconfig.nix
for backwards compatibility.
B.11. Release 16.09 (“Flounder”, 2016/09/30)
In addition to numerous new and upgraded packages, this release has the following highlights:
Many NixOS configurations and Nix packages now use significantly less disk space, thanks to the extensive work on closure size reduction. For example, the closure size of a minimal NixOS container went down from ~424 MiB in 16.03 to ~212 MiB in 16.09, while the closure size of Firefox went from ~651 MiB to ~259 MiB.
To improve security, packages are now built using various hardening features. See the Nixpkgs manual for more information.
Support for PXE netboot. See Section 2.5.2, “Booting from the “netboot” media (PXE)” for documentation.
X.org server 1.18. If you use the
ati_unfree
driver, 1.17 is still used due to an ABI incompatibility.This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. The default Linux kernel remains 4.4.
The following new services were added since the last release:
(this will get automatically generated at release time)
When upgrading from a previous release, please be aware of the following incompatible changes:
A large number of packages have been converted to use the multiple outputs feature of Nix to greatly reduce the amount of required disk space, as mentioned above. This may require changes to any custom packages to make them build again; see the relevant chapter in the Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions related to multiple-output packages were changed late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
Previous versions of Nixpkgs had support for all versions of the LTS Haskell package set. That support has been dropped. The previously provided
haskell.packages.lts-x_y
package sets still exist in name to aviod breaking user code, but these package sets don't actually contain the versions mandated by the corresponding LTS release. Instead, our package set it loosely based on the latest available LTS release, i.e. LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will drop those old names entirely. The motivation for this change has been discussed at length on thenix-dev
mailing list and in Github issue #14897. Development strategies for Haskell hackers who want to rely on Nix and NixOS have been described in another nix-dev article.Shell aliases for systemd sub-commands were dropped:
start
,stop
,restart
,status
.Redis now binds to 127.0.0.1 only instead of listening to all network interfaces. This is the default behavior of Redis 3.2
/var/empty
is now immutable. Activation script runschattr +i
to forbid any modifications inside the folder. See the pull request for what bugs this caused.Gitlab's maintainance script
gitlab-runner
was removed and split up into the more clearergitlab-run
andgitlab-rake
scripts, becausegitlab-runner
is a component of Gitlab CI.services.xserver.libinput.accelProfile
default changed fromflat
toadaptive
, as per official documentation.fonts.fontconfig.ultimate.rendering
was removed because our presets were obsolete for some time. New presets are hardcoded into FreeType; you can select a preset viafonts.fontconfig.ultimate.preset
. You can customize those presets via ordinary environment variables, usingenvironment.variables
.The
audit
service is no longer enabled by default. Usesecurity.audit.enable = true
to explicitly enable it.pkgs.linuxPackages.virtualbox
now contains only the kernel modules instead of the VirtualBox user space binaries. If you want to reference the user space binaries, you have to use the newpkgs.virtualbox
instead.goPackages
was replaced with separated Go applications in appropriatenixpkgs
categories. Each Go package uses its own dependency set. There's also a newgo2nix
tool introduced to generate a Go package definition from its Go source automatically.services.mongodb.extraConfig
configuration format was changed to YAML.PHP has been upgraded to 7.0
Other notable improvements:
Revamped grsecurity/PaX support. There is now only a single general-purpose distribution kernel and the configuration interface has been streamlined. Desktop users should be able to simply set
{ security.grsecurity.enable = true; }
to get a reasonably secure system without having to sacrifice too much functionality.
Special filesystems, like
/proc
,/run
and others, now have the same mount options as recommended by systemd and are unified across different places in NixOS. Mount options are updated duringnixos-rebuild switch
if possible. One benefit from this is improved security — most such filesystems are now mounted withnoexec
,nodev
and/ornosuid
options.The reverse path filter was interfering with DHCPv4 server operation in the past. An exception for DHCPv4 and a new option to log packets that were dropped due to the reverse path filter was added (
networking.firewall.logReversePathDrops
) for easier debugging.Containers configuration within
containers.<name>.config
is now properly typed and checked. In particular, partial configurations are merged correctly.The directory container setuid wrapper programs,
/var/setuid-wrappers
, is now updated atomically to prevent failures if the switch to a new configuration is interrupted.services.xserver.startGnuPGAgent
has been removed due to GnuPG 2.1.x bump. See how to achieve similar behavior. You might need topkill gpg-agent
after the upgrade to prevent a stale agent being in the way.Declarative users could share the uid due to the bug in the script handling conflict resolution.
Gummi boot has been replaced using systemd-boot.
Hydra package and NixOS module were added for convenience.
B.12. Release 16.03 (“Emu”, 2016/03/31)
In addition to numerous new and upgraded packages, this release has the following highlights:
Systemd 229, bringing numerous improvements over 217.
Linux 4.4 (was 3.18).
GCC 5.3 (was 4.9). Note that GCC 5 changes the C++ ABI in an incompatible way; this may cause problems if you try to link objects compiled with different versions of GCC.
Glibc 2.23 (was 2.21).
Binutils 2.26 (was 2.23.1). See #909
Improved support for ensuring bitwise reproducible builds. For example,
stdenv
now sets the environment variableSOURCE_DATE_EPOCH
to a deterministic value, and Nix has gained an option to repeat a build a number of times to test determinism. An ongoing project, the goal of exact reproducibility is to allow binaries to be verified independently (e.g., a user might only trust binaries that appear in three independent binary caches).Perl 5.22.
The following new services were added since the last release:
services/monitoring/longview.nix
hardware/video/webcam/facetimehd.nix
i18n/input-method/default.nix
i18n/input-method/fcitx.nix
i18n/input-method/ibus.nix
i18n/input-method/nabi.nix
i18n/input-method/uim.nix
programs/fish.nix
security/acme.nix
security/audit.nix
security/oath.nix
services/hardware/irqbalance.nix
services/mail/dspam.nix
services/mail/opendkim.nix
services/mail/postsrsd.nix
services/mail/rspamd.nix
services/mail/rmilter.nix
services/misc/autofs.nix
services/misc/bepasty.nix
services/misc/calibre-server.nix
services/misc/cfdyndns.nix
services/misc/gammu-smsd.nix
services/misc/mathics.nix
services/misc/matrix-synapse.nix
services/misc/octoprint.nix
services/monitoring/hdaps.nix
services/monitoring/heapster.nix
services/monitoring/longview.nix
services/network-filesystems/netatalk.nix
services/network-filesystems/xtreemfs.nix
services/networking/autossh.nix
services/networking/dnschain.nix
services/networking/gale.nix
services/networking/miniupnpd.nix
services/networking/namecoind.nix
services/networking/ostinato.nix
services/networking/pdnsd.nix
services/networking/shairport-sync.nix
services/networking/supplicant.nix
services/search/kibana.nix
services/security/haka.nix
services/security/physlock.nix
services/web-apps/pump.io.nix
services/x11/hardware/libinput.nix
services/x11/window-managers/windowlab.nix
system/boot/initrd-network.nix
system/boot/initrd-ssh.nix
system/boot/loader/loader.nix
system/boot/networkd.nix
system/boot/resolved.nix
virtualisation/lxd.nix
virtualisation/rkt.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
We no longer produce graphical ISO images and VirtualBox images for
i686-linux
. A minimal ISO image is still provided.Firefox and similar browsers are now wrapped by default. The package and attribute names are plain
firefox
ormidori
, etc. Backward-compatibility attributes were set up, but note thatnix-env -u
will not update your currentfirefox-with-plugins
; you have to uninstall it and installfirefox
instead.wmiiSnap
has been replaced withwmii_hg
, butservices.xserver.windowManager.wmii.enable
has been updated respectively so this only affects you if you have explicitly installedwmiiSnap
.jobs
NixOS option has been removed. It served as compatibility layer between Upstart jobs and SystemD services. All services have been rewritten to usesystemd.services
wmiimenu
is removed, as it has been removed by the developers upstream. Usewimenu
from thewmii-hg
package.Gitit is no longer automatically added to the module list in NixOS and as such there will not be any manual entries for it. You will need to add an import statement to your NixOS configuration in order to use it, e.g.
{ imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ]; }
will include the Gitit service configuration options.
nginx
does not accept flags for enabling and disabling modules anymore. Instead it acceptsmodules
argument, which is a list of modules to be built in. All modules now reside innginxModules
set. Example configuration:nginx.override { modules = [ nginxModules.rtmp nginxModules.dav nginxModules.moreheaders ]; }
s3sync
is removed, as it hasn't been developed by upstream for 4 years and only runs with ruby 1.8. For an actively-developer alternative look attarsnap
and others.ruby_1_8
has been removed as it's not supported from upstream anymore and probably contains security issues.tidy-html5
package is removed. Upstream only provided(lib)tidy5
during development, and now they went back to(lib)tidy
to work as a drop-in replacement of the original package that has been unmaintained for years. You can (still) use thehtml-tidy
package, which got updated to a stable release from this new upstream.extraDeviceOptions
argument is removed frombumblebee
package. Instead there are now two separate arguments:extraNvidiaDeviceOptions
andextraNouveauDeviceOptions
for setting extra X11 options for nvidia and nouveau drivers, respectively.The
Ctrl+Alt+Backspace
key combination no longer kills the X server by default. There's a new optionservices.xserver.enableCtrlAltBackspace
allowing to enable the combination again.emacsPackagesNg
now contains all packages from the ELPA, MELPA, and MELPA Stable repositories.Data directory for Postfix MTA server is moved from
/var/postfix
to/var/lib/postfix
. Old configurations are migrated automatically.service.postfix
module has also received many improvements, such as correct directories' access rights, newaliasFiles
andmapFiles
options and more.Filesystem options should now be configured as a list of strings, not a comma-separated string. The old style will continue to work, but print a warning, until the 16.09 release. An example of the new style:
{ fileSystems."/example" = { device = "/dev/sdc"; fsType = "btrfs"; options = [ "noatime" "compress=lzo" "space_cache" "autodefrag" ]; }; }
CUPS, installed by
services.printing
module, now has its data directory in/var/lib/cups
. Old configurations from/etc/cups
are moved there automatically, but there might be problems. Also configuration optionsservices.printing.cupsdConf
andservices.printing.cupsdFilesConf
were removed because they had been allowing one to override configuration variables required for CUPS to work at all on NixOS. For most use cases,services.printing.extraConf
and new optionservices.printing.extraFilesConf
should be enough; if you encounter a situation when they are not, please file a bug.There are also Gutenprint improvements; in particular, a new option
services.printing.gutenprint
is added to enable automatic updating of Gutenprint PPMs; it's greatly recommended to enable it instead of addinggutenprint
to thedrivers
list.services.xserver.vaapiDrivers
has been removed. Usehardware.opengl.extraPackages{,32}
instead. You can also specify VDPAU drivers there.programs.ibus
moved toi18n.inputMethod.ibus
. The optionprograms.ibus.plugins
changed toi18n.inputMethod.ibus.engines
and the option to enable ibus changed fromprograms.ibus.enable
toi18n.inputMethod.enabled
.i18n.inputMethod.enabled
should be set to the used input method name,"ibus"
for ibus. An example of the new style:{ i18n.inputMethod.enabled = "ibus"; i18n.inputMethod.ibus.engines = with pkgs.ibus-engines; [ anthy mozc ]; }
That is equivalent to the old version:
{ programs.ibus.enable = true; programs.ibus.plugins = with pkgs; [ ibus-anthy mozc ]; }
services.udev.extraRules
option now writes rules to99-local.rules
instead of10-local.rules
. This makes all the user rules apply after others, so their results wouldn't be overriden by anything else.Large parts of the
services.gitlab
module has been been rewritten. There are new configuration options available. ThestateDir
option was renamned tostatePath
and thesatellitesDir
option was removed. Please review the currently available options.The option
services.nsd.zones.<name>.data
no longer interpret the dollar sign ($) as a shell variable, as such it should not be escaped anymore. Thus the following zone data:$ORIGIN example.com. $TTL 1800 @ IN SOA ns1.vpn.nbp.name. admin.example.com. (
Should modified to look like the actual file expected by nsd:
$ORIGIN example.com. $TTL 1800 @ IN SOA ns1.vpn.nbp.name. admin.example.com. (
service.syncthing.dataDir
options now has to point to exact folder where syncthing is writing to. Example configuration should look something like:{ services.syncthing = { enable = true; dataDir = "/home/somebody/.syncthing"; user = "somebody"; }; }
networking.firewall.allowPing
is now enabled by default. Users are encouraged to configure an appropriate rate limit for their machines using the Kernel interface at/proc/sys/net/ipv4/icmp_ratelimit
and/proc/sys/net/ipv6/icmp/ratelimit
or using the firewall itself, i.e. by setting the NixOS optionnetworking.firewall.pingLimit
.Systems with some broadcom cards used to result into a generated config that is no longer accepted. If you get errors like
error: path ‘/nix/store/*-broadcom-sta-*’ does not exist and cannot be created
you should either re-run
nixos-generate-config
or manually replace"${config.boot.kernelPackages.broadcom_sta}"
byconfig.boot.kernelPackages.broadcom_sta
in your/etc/nixos/hardware-configuration.nix
. More discussion is on the github issue.The
services.xserver.startGnuPGAgent
option has been removed. GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no longer requires (or even supports) the "start everything as a child of the agent" scheme we've implemented in NixOS for older versions. To configure the gpg-agent for your X session, add the following code to~/.bashrc
or some file that’s sourced when your shell is started:GPG_TTY=$(tty) export GPG_TTY
If you want to use gpg-agent for SSH, too, add the following to your session initialization (e.g.
displayManager.sessionCommands
)gpg-connect-agent /bye unset SSH_AGENT_PID export SSH_AUTH_SOCK="''${HOME}/.gnupg/S.gpg-agent.ssh"
and make sure that
enable-ssh-support
is included in your
~/.gnupg/gpg-agent.conf
. You will need to usessh-add
to re-add your ssh keys. If gpg’s automatic transformation of the private keys to the new format fails, you will need to re-import your private keyring as well:gpg --import ~/.gnupg/secring.gpg
The
gpg-agent(1)
man page has more details about this subject, i.e. in the "EXAMPLES" section.
Other notable improvements:
ejabberd
module is brought back and now works on NixOS.Input method support was improved. New NixOS modules (fcitx, nabi and uim), fcitx engines (chewing, hangul, m17n, mozc and table-other) and ibus engines (hangul and m17n) have been added.
B.13. Release 15.09 (“Dingo”, 2015/09/30)
In addition to numerous new and upgraded packages, this release has the following highlights:
The Haskell packages infrastructure has been re-designed from the ground up ("Haskell NG"). NixOS now distributes the latest version of every single package registered on Hackage -- well in excess of 8,000 Haskell packages. Detailed instructions on how to use that infrastructure can be found in the User's Guide to the Haskell Infrastructure. Users migrating from an earlier release may find helpful information below, in the list of backwards-incompatible changes. Furthermore, we distribute 51(!) additional Haskell package sets that provide every single LTS Haskell release since version 0.0 as well as the most recent Stackage Nightly snapshot. The announcement "Full Stackage Support in Nixpkgs" gives additional details.
Nix has been updated to version 1.10, which among other improvements enables cryptographic signatures on binary caches for improved security.
You can now keep your NixOS system up to date automatically by setting
{ system.autoUpgrade.enable = true; }
This will cause the system to periodically check for updates in your
current channel and run nixos-rebuild
.
This release is based on Glibc 2.21, GCC 4.9 and Linux 3.18.
GNOME has been upgraded to 3.16.
Xfce has been upgraded to 4.12.
KDE 5 has been upgraded to KDE Frameworks 5.10, Plasma 5.3.2 and Applications 15.04.3. KDE 4 has been updated to kdelibs-4.14.10.
E19 has been upgraded to 0.16.8.15.
The following new services were added since the last release:
services/mail/exim.nix
services/misc/apache-kafka.nix
services/misc/canto-daemon.nix
services/misc/confd.nix
services/misc/devmon.nix
services/misc/gitit.nix
services/misc/ihaskell.nix
services/misc/mbpfan.nix
services/misc/mediatomb.nix
services/misc/mwlib.nix
services/misc/parsoid.nix
services/misc/plex.nix
services/misc/ripple-rest.nix
services/misc/ripple-data-api.nix
services/misc/subsonic.nix
services/misc/sundtek.nix
services/monitoring/cadvisor.nix
services/monitoring/das_watchdog.nix
services/monitoring/grafana.nix
services/monitoring/riemann-tools.nix
services/monitoring/teamviewer.nix
services/network-filesystems/u9fs.nix
services/networking/aiccu.nix
services/networking/asterisk.nix
services/networking/bird.nix
services/networking/charybdis.nix
services/networking/docker-registry-server.nix
services/networking/fan.nix
services/networking/firefox/sync-server.nix
services/networking/gateone.nix
services/networking/heyefi.nix
services/networking/i2p.nix
services/networking/lambdabot.nix
services/networking/mstpd.nix
services/networking/nix-serve.nix
services/networking/nylon.nix
services/networking/racoon.nix
services/networking/skydns.nix
services/networking/shout.nix
services/networking/softether.nix
services/networking/sslh.nix
services/networking/tinc.nix
services/networking/tlsdated.nix
services/networking/tox-bootstrapd.nix
services/networking/tvheadend.nix
services/networking/zerotierone.nix
services/scheduling/marathon.nix
services/security/fprintd.nix
services/security/hologram.nix
services/security/munge.nix
services/system/cloud-init.nix
services/web-servers/shellinabox.nix
services/web-servers/uwsgi.nix
services/x11/unclutter.nix
services/x11/display-managers/sddm.nix
system/boot/coredump.nix
system/boot/loader/loader.nix
system/boot/loader/generic-extlinux-compatible
system/boot/networkd.nix
system/boot/resolved.nix
system/boot/timesyncd.nix
tasks/filesystems/exfat.nix
tasks/filesystems/ntfs.nix
tasks/filesystems/vboxsf.nix
virtualisation/virtualbox-host.nix
virtualisation/vmware-guest.nix
virtualisation/xen-dom0.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
sshd
no longer supports DSA and ECDSA host keys by default. If you have existing systems with such host keys and want to continue to use them, please set
{ system.stateVersion = "14.12"; }
The new option system.stateVersion
ensures that
certain configuration changes that could break existing systems
(such as the sshd
host key setting) will maintain
compatibility with the specified NixOS release. NixOps sets the
state version of existing deployments automatically.
cron
is no longer enabled by default, unless you have a non-emptyservices.cron.systemCronJobs
. To forcecron
to be enabled, setservices.cron.enable = true
.Nix now requires binary caches to be cryptographically signed. If you have unsigned binary caches that you want to continue to use, you should set
nix.requireSignedBinaryCaches = false
.Steam now doesn't need root rights to work. Instead of using
*-steam-chrootenv
, you should now just runsteam
.steamChrootEnv
package was renamed tosteam
, and oldsteam
package -- tosteamOriginal
.CMPlayer has been renamed to bomi upstream. Package
cmplayer
was accordingly renamed tobomi
Atom Shell has been renamed to Electron upstream. Package
atom-shell
was accordingly renamed toelectron
Elm is not released on Hackage anymore. You should now use
elmPackages.elm
which contains the latest Elm platform.The CUPS printing service has been updated to version
2.0.2
. Furthermore its systemd service has been renamed tocups.service
.Local printers are no longer shared or advertised by default. This behavior can be changed by enabling
services.printing.defaultShared
orservices.printing.browsing
respectively.The VirtualBox host and guest options have been named more consistently. They can now found in
virtualisation.virtualbox.host.*
instead ofservices.virtualboxHost.*
andvirtualisation.virtualbox.guest.*
instead ofservices.virtualboxGuest.*
.Also, there now is support for the
vboxsf
file system using thefileSystems
configuration attribute. An example of how this can be used in a configuration:
{ fileSystems."/shiny" = { device = "myshinysharedfolder"; fsType = "vboxsf"; }; }
"
nix-env -qa
" no longer discovers Haskell packages by name. The only packages visible in the global scope areghc
,cabal-install
, andstack
, but all other packages are hidden. The reason for this inconvenience is the sheer size of the Haskell package set. Name-based lookups are expensive, and mostnix-env -qa
operations would become much slower if we'd add the entire Hackage database into the top level attribute set. Instead, the list of Haskell packages can be displayed by running:
nix-env -f "<nixpkgs>" -qaP -A haskellPackages
Executable programs written in Haskell can be installed with:
nix-env -f "<nixpkgs>" -iA haskellPackages.pandoc
Installing Haskell libraries this way, however, is no longer supported. See the next item for more details.
Previous versions of NixOS came with a feature called
ghc-wrapper
, a small script that allowed GHC to transparently pick up on libraries installed in the user's profile. This feature has been deprecated;ghc-wrapper
was removed from the distribution. The proper way to register Haskell libraries with the compiler now is thehaskellPackages.ghcWithPackages
function. The User's Guide to the Haskell Infrastructure provides more information about this subject.All Haskell builds that have been generated with version 1.x of the
cabal2nix
utility are now invalid and need to be re-generated with a current version ofcabal2nix
to function. The most recent version of this tool can be installed by runningnix-env -i cabal2nix
.The
haskellPackages
set in Nixpkgs used to have a function attribute calledextension
that users could override in their~/.nixpkgs/config.nix
files to configure additional attributes, etc. That function still exists, but it's now calledoverrides
.The OpenBLAS library has been updated to version
0.2.14
. Support for thex86_64-darwin
platform was added. Dynamic architecture detection was enabled; OpenBLAS now selects microarchitecture-optimized routines at runtime, so optimal performance is achieved without the need to rebuild OpenBLAS locally. OpenBLAS has replaced ATLAS in most packages which use an optimized BLAS or LAPACK implementation.The
phpfpm
is now using the default PHP version (pkgs.php
) instead of PHP 5.4 (pkgs.php54
).The
locate
service no longer indexes the Nix store by default, preventing packages with potentially numerous versions from cluttering the output. Indexing the store can be activated by settingservices.locate.includeStore = true
.The Nix expression search path (
NIX_PATH
) no longer contains/etc/nixos/nixpkgs
by default. You can overrideNIX_PATH
by settingnix.nixPath
.Python 2.6 has been marked as broken (as it no longer receives security updates from upstream).
Any use of module arguments such as
pkgs
to access library functions, or to defineimports
attributes will now lead to an infinite loop at the time of the evaluation.In case of an infinite loop, use the
--show-trace
command line argument and read the line just above the error message.$ nixos-rebuild build --show-trace … while evaluating the module argument `pkgs' in "/etc/nixos/my-module.nix": infinite recursion encountered
Any use of
pkgs.lib
, should be replaced bylib
, after adding it as argument of the module. The following module{ config, pkgs, ... }: with pkgs.lib; { options = { foo = mkOption { … }; }; config = mkIf config.foo { … }; }
should be modified to look like:
{ config, pkgs, lib, ... }: with lib; { options = { foo = mkOption { option declaration }; }; config = mkIf config.foo { option definition }; }
When
pkgs
is used to download other projects to import their modules, and only in such cases, it should be replaced by(import <nixpkgs> {})
. The following module{ config, pkgs, ... }: let myProject = pkgs.fetchurl { src = url; sha256 = hash; }; in { imports = [ "${myProject}/module.nix" ]; }
should be modified to look like:
{ config, pkgs, ... }: let myProject = (import <nixpkgs> {}).fetchurl { src = url; sha256 = hash; }; in { imports = [ "${myProject}/module.nix" ]; }
Other notable improvements:
The nixos and nixpkgs channels were unified, so one can use
nix-env -iA nixos.bash
instead ofnix-env -iA nixos.pkgs.bash
. See the commit for details.Users running an SSH server who worry about the quality of their
/etc/ssh/moduli
file with respect to the vulnerabilities discovered in the Diffie-Hellman key exchange can now replace OpenSSH's default version with one they generated themselves using the newservices.openssh.moduliFile
option.A newly packaged TeX Live 2015 is provided in
pkgs.texlive
, split into 6500 nix packages. For basic user documentation see the source. Beware of an issue when installing a too large package set. The plan is to deprecate and maybe delete the original TeX packages until the next release.buildEnv.env
on all Python interpreters is now available for nix-shell interoperability.
B.14. Release 14.12 (“Caterpillar”, 2014/12/30)
In addition to numerous new and upgraded packages, this release has the following highlights:
Systemd has been updated to version 217, which has numerous improvements.
NixOS is now based on Glibc 2.20.
KDE has been updated to 4.14.
The default Linux kernel has been updated to 3.14.
If
users.mutableUsers
is enabled (the default), changes made to the declaration of a user or group will be correctly realised when runningnixos-rebuild
. For instance, removing a user specification fromconfiguration.nix
will cause the actual user account to be deleted. Ifusers.mutableUsers
is disabled, it is no longer necessary to specify UIDs or GIDs; if omitted, they are allocated dynamically.
Following new services were added since the last release:
atftpd
bosun
bspwm
chronos
collectd
consul
cpuminer-cryptonight
crashplan
dnscrypt-proxy
docker-registry
docker
etcd
fail2ban
fcgiwrap
fleet
fluxbox
gdm
geoclue2
gitlab
gitolite
gnome3.gnome-documents
gnome3.gnome-online-miners
gnome3.gvfs
gnome3.seahorse
hbase
i2pd
influxdb
kubernetes
liquidsoap
lxc
mailpile
mesos
mlmmj
monetdb
mopidy
neo4j
nsd
openntpd
opentsdb
openvswitch
parallels-guest
peerflix
phd
polipo
prosody
radicale
redmine
riemann
scollector
seeks
siproxd
strongswan
tcsd
teamspeak3
thermald
torque/mrom
torque/server
uhub
unifi
znc
zookeeper
When upgrading from a previous release, please be aware of the following incompatible changes:
The default version of Apache httpd is now 2.4. If you use the
extraConfig
option to pass literal Apache configuration text, you may need to update it — see Apache’s documentation for details. If you wish to continue to use httpd 2.2, add the following line to your NixOS configuration:{ services.httpd.package = pkgs.apacheHttpd_2_2; }
PHP 5.3 has been removed because it is no longer supported by the PHP project. A migration guide is available.
The host side of a container virtual Ethernet pair is now called
ve-container-name
rather thanc-container-name
.GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.
VirtualBox has been upgraded to 4.3.20 release. Users may be required to run
rm -rf /tmp/.vbox*
. The lineimports = [ <nixpkgs/nixos/modules/programs/virtualbox.nix> ]
is no longer necessary, useservices.virtualboxHost.enable = true
instead.Also, hardening mode is now enabled by default, which means that unless you want to use USB support, you no longer need to be a member of the
vboxusers
group.Chromium has been updated to 39.0.2171.65.
enablePepperPDF
is now enabled by default.chromium*Wrapper
packages no longer exist, because upstream removed NSAPI support.chromium-stable
has been renamed tochromium
.Python packaging documentation is now part of nixpkgs manual. To override the python packages available to a custom python you now use
pkgs.pythonFull.buildEnv.override
instead ofpkgs.pythonFull.override
.boot.resumeDevice = "8:6"
is no longer supported. Most users will want to leave it undefined, which takes the swap partitions automatically. There is an evaluation assertion to ensure that the string starts with a slash.The system-wide default timezone for NixOS installations changed from
CET
toUTC
. To choose a different timezone for your system, configuretime.timeZone
inconfiguration.nix
. A fairly complete list of possible values for that setting is available at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.GNU screen has been updated to 4.2.1, which breaks the ability to connect to sessions created by older versions of screen.
The Intel GPU driver was updated to the 3.x prerelease version (used by most distributions) and supports DRI3 now.
B.15. Release 14.04 (“Baboon”, 2014/04/30)
This is the second stable release branch of NixOS. In addition to numerous new and upgraded packages and modules, this release has the following highlights:
Installation on UEFI systems is now supported. See Chapter 2, Installing NixOS for details.
Systemd has been updated to version 212, which has numerous improvements. NixOS now automatically starts systemd user instances when you log in. You can define global user units through the
systemd.unit.*
options.NixOS is now based on Glibc 2.19 and GCC 4.8.
The default Linux kernel has been updated to 3.12.
KDE has been updated to 4.12.
GNOME 3.10 experimental support has been added.
Nix has been updated to 1.7 (details).
NixOS now supports fully declarative management of users and groups. If you set
users.mutableUsers
tofalse
, then the contents of/etc/passwd
and/etc/group
will be congruent to your NixOS configuration. For instance, if you remove a user fromusers.extraUsers
and runnixos-rebuild
, the user account will cease to exist. Also, imperative commands for managing users and groups, such asuseradd
, are no longer available. Ifusers.mutableUsers
istrue
(the default), then behaviour is unchanged from NixOS 13.10.NixOS now has basic container support, meaning you can easily run a NixOS instance as a container in a NixOS host system. These containers are suitable for testing and experimentation but not production use, since they’re not fully isolated from the host. See Chapter 62, Container Management for details.
Systemd units provided by packages can now be overridden from the NixOS configuration. For instance, if a package
foo
provides systemd units, you can say:{ systemd.packages = [ pkgs.foo ]; }
to enable those units. You can then set or override unit options in the usual way, e.g.
{ systemd.services.foo.wantedBy = [ "multi-user.target" ]; systemd.services.foo.serviceConfig.MemoryLimit = "512M"; }
When upgrading from a previous release, please be aware of the following incompatible changes:
Nixpkgs no longer exposes unfree packages by default. If your NixOS configuration requires unfree packages from Nixpkgs, you need to enable support for them explicitly by setting:
{ nixpkgs.config.allowUnfree = true; }
Otherwise, you get an error message such as:
error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:56’ has an unfree license, refusing to evaluate
The Adobe Flash player is no longer enabled by default in the Firefox and Chromium wrappers. To enable it, you must set:
{ nixpkgs.config.allowUnfree = true; nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium }
The firewall is now enabled by default. If you don’t want this, you need to disable it explicitly:
{ networking.firewall.enable = false; }
The option
boot.loader.grub.memtest86
has been renamed toboot.loader.grub.memtest86.enable
.The
mysql55
service has been merged into themysql
service, which no longer sets a default for the optionservices.mysql.package
.Package variants are now differentiated by suffixing the name, rather than the version. For instance,
sqlite-3.8.4.3-interactive
is now calledsqlite-interactive-3.8.4.3
. This ensures thatnix-env -i sqlite
is unambiguous, and thatnix-env -u
won’t “upgrade”sqlite
tosqlite-interactive
or vice versa. Notably, this change affects the Firefox wrapper (which provides plugins), as it is now calledfirefox-wrapper
. So when usingnix-env
, you should donix-env -e firefox; nix-env -i firefox-wrapper
if you want to keep using the wrapper. This change does not affect declarative package management, since attribute names likepkgs.firefoxWrapper
were already unambiguous.The symlink
/etc/ca-bundle.crt
is gone. Programs should instead use the environment variableOPENSSL_X509_CERT_FILE
(which points to/etc/ssl/certs/ca-bundle.crt
).
B.16. Release 13.10 (“Aardvark”, 2013/10/31)
This is the first stable release branch of NixOS.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK