Fixes odd bulletpoints and bare URLs that are prohibited by most
Markdown linters and specs.
Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: Iae14dce3d158ac11c59d9117694ccde46a6a6964
(cherry picked from commit b786821e13)
Follow-up to the 9.0.4 update in aa9f3b7824 that broke the (completely
optional) tests, because upstream renamed the already ignored tests (as
they try to access internet resources) in 5ebe8ea15f.
(cherry picked from commit 45185e91bf)
This should help debugging config values. I verified that `pnpm config
list` works across pnpm_8, pnpm_9, pnpm_10, pnpm_10_29_2 and pnpm_11.
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
(cherry picked from commit d5cbb9e641)
These checks are still performed in fetchPnpmDeps. These checks require
access to the registries used in the lockfile, making it infeasible to
run during configurePhase in a sandboxed build.
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
(cherry picked from commit 599909067c)
See 63147b12a5
Apparently on i686-linux the test isn't flaky but failing reliably.
So restarting on Hydra won't help, and waiting for staging*
would take a few weeks.
(cherry picked from commit 664e60aa95)
This might be a nice way to use our reach to remind users to donate to
FLOSS projects that they use and love.
Signed-off-by: Ethan Carter Edwards <ethan@ethancedwards.com>
(cherry picked from commit 9d2f2d71e4)
This patch is merged upstream and can be reverted on the next update.
Fetchpatch does not work against framagit.org, which is why I vendored
the patch instead.
(cherry picked from commit 1a7b7c7ddf)
machine-learning[1920443]: mkdir -p failed for path /var/empty/.config/matplotlib: [Errno 1] Operation not permitted: '/var/empty/.config'
machine-learning[1920443]: Matplotlib created a temporary cache directory at /tmp/matplotlib-uo52wf71 because there was an issue with the default path (/var/empty/.config/matplotlib); it is highly recommended to set the MPLCONFIGDIR environment variable to a writable directory, in particular to speed up the import of Matplotlib and to better support multiprocessing.
(cherry picked from commit cb2ed10279)
By default, Git commands will trigger background processes to perform
repository maintenance. As of Git v2.54.0, and in particular as of
452b12c2e0 (builtin/maintenance: use "geometric" strategy by default,
2026-02-24), Git has changed the strategy it uses to decide whether
maintenance needs performing, and as a result will kick off background
maintenance processes much more often.
These background processes will potentially change the contents of the
`.git` directory while `nix-prefetch-git` is deleting it. This results in
effectively random failures, when files are added to the `.git`
directory during the `rm -rf` operation (causing it to fail) or after
the operation has completed (causing the `.git` directory to be
recreated and resulting in a FOD hash mismatch).
This also causes problems for the determinism of Git's own tests.
They've resolved this in 09505b1115 (t: fix races caused by background
maintenance, 2026-02-24) by having the maintenance processes run in the
foreground. The discussion in that commit explains they considered just
disabling maintenance entirely, but opted for the foreground option
because disabling maintenance would mean the tests looked even less like
how most Git users work with Git.
`nix-prefetch-git` is nothing like most Git users. In almost every
case, the `.git` directory will be deleted during or immediately after
the script is called. The repositories certainly don't benefit from
ongoing maintenance. To avoid the non-determinism created by the
background maintenance processes, just disable maintenance entirely.
This is done with `git config` after initialising the repository, rather
than `git config --global` earlier in the script, as `git config
--global` will fail if `fetchgit` was called with a `gitConfig`
argument.
It would be possible to set this option with
`GIT_CONFIG_[COUNT|KEY_<n>|VALUE_<n>]` environment variables; I've opted
against that because (a) they're less familiar to most people who might
want to come to edit this script in future and (b) because if someone is
using those values themselves via `impureEnvVars` or similar, making our
configuration play nicely with someone else's would require some fairly
complex logic.
I haven't made this a configurable option: any use of `nix-prefetch-git`
will run with maintenance disabled, as I cannot think of a use case
where it would be useful. If there is such a use case, it would be
straightforward to extend `nix-prefetch-git` and `fetchgit` to allow
users to change the behaviour.
Fixes #524215.
(cherry picked from commit 011471c7f2)
Update to latest pre-release to fix multiple security vulnerabilities:
- CVE-2026-9500: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9501: heap-buffer-overflow in decode.c (read_2004_compressed_section)
- CVE-2026-9502: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9503: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9504: null pointer dereference in dwggrep.c (main)
- CVE-2026-9529: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9530: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9605: heap-buffer-overflow in decode.c (decompress_R2004_section)
Individual backports were not feasible as the decompressor was significantly
refactored on upstream's main branch between 0.13.4 and the fixes.
(cherry picked from commit b27ee09e7d)
The 9.4.14 tarball is no longer hosted at download.nomachine.com; the
old URL now redirects to the vendor homepage and breaks fetchurl. Bump
to the current upstream release. Both x86_64 and i686 release tarballs
use build suffix _2.
Hashes recomputed via nix-prefetch-url against
https://download.nomachine.com/download/9.5/Linux/.
(cherry picked from commit 0f906ee9b4)
The crates.io API server's 1 req/sec rate limit currently surfaces as
intermittent HTTP 403 errors when vendoring lockfiles. Switch to the CDN
endpoint as recommended by upstream (rust-lang/crates.io#13482), mirroring
the fix already applied to fetchCargoVendor in #512735.
fetchurl is content-addressed by sha256, so the URL change does not affect
any downstream store paths.
Fixes #524979
(cherry picked from commit f830e6112b)
Versions before 144 vendor bindgen 0.69, which emits invalid Rust for
libc++ 21's attributed basic_string::__self_view alias on Darwin.
This was exposed by commit 0758fc3add ("darwin.libcxx:
20.1.0+apple-sdk-26.0 -> 21.1.6+apple-sdk-26.4"), where libc++
changed `basic_string::__self_view` from a typedef to an attributed
`using` alias. bindgen then drops the alias template parameter and emits
`basic_string___self_view = ...<_CharT>`.
The solution is to blocklist the unused `string_view` internals for the
profiler Rust API. They are not used in the actual build.
Note: Mozilla 144 updated vendored bindgen via:
https://bugzilla.mozilla.org/show_bug.cgi?id=1985509
Assisted-by: Codex gpt-5.5 xhigh
(cherry picked from commit c19203e06f)
I suspect it was commit 0968bb28e2 that
broke the build with nodejs_24, presumably because of npm updating from
11.11.1 to 11.12.1.
(cherry picked from commit 78df8f88a5)
The fix in #523016 fixes an issue with the default gateway, however it
does so by unconditionally defining `networking.interfaces.eth0`. This
makes it so that if you had other methods of defining the addresses for eth0,
those now get blanked out.
Instead, move the logic around so we only define
networking.interfaces.eth0 if we really have to.
(cherry picked from commit 217d834eb9)
With kernel lockdown the tun kmod is not necessarily available in stage2,
but Lix depends on it through pasta.
nix-daemon[682677]: remote pid 682659 is user build (trusted)
nix-daemon[682711]: Failed to open() /dev/net/tun: No such device
nix-daemon[682702]: Failed to set up tap device in namespace
(cherry picked from commit 34fbf0285a)
Commit 5aa9012bb3 (nixos: replace 'text' with structured PAM rules
(#420889), 2026-04-14) resulted in the vsftpd module no longer creating
a PAM module, and therefore configurations relying on `cfg.localUsers`
stopped permitting logins unless the PAM module was being set up by
other configuration.
In the absence of a better fix, document this change of behaviour as a
regression. Per the discussion at [0], provide a mechanism to restore
the previous behaviour, but with the caveat that this may be insecure.
I'd prefer more useful advice, but if I had a better understanding of
NixOS's PAM configuration and how it interacts with vsftpd, I'd just be
providing the better fix in the first place.
[0]: https://github.com/NixOS/nixpkgs/issues/515531#issuecomment-4367747991
(cherry picked from commit 93699b88a5)
This replaces the earlier 2.86 patch.
One may consider bumping the source to something newer than the 8 year old release, but that's out of scope for this fix.
Signed-off-by: benaryorg <binary@benary.org>
(cherry picked from commit 79f6dec101)
Define ANSI_FUNC so corkscrew uses ANSI C function definitions instead of legacy K&R definitions rejected by modern Clang/C23.
Assisted-by: OpenCode (openai/gpt-5.5)
(cherry picked from commit 47eb5f6f4d)
The test created ZFS datasets with canmount=noauto, but pam_zfs_key's
mount_dataset() now checks canmount == ZFS_CANMOUNT_ON and skips
mounting otherwise (added in
https://github.com/openzfs/zfs/commit/387ed5ca41). Use the default
canmount=on and unmount before unloading the key to compensate for
the auto-mount that happens when the key is loaded during creation.
This also silences the warning for forceImportRoot.
Assisted-by: opencode with DeepSeek V4 Flash Free
(cherry picked from commit 3fdfb983c7)
also switches to the new `generate_db.py` script
this was done because the old `lensfun_convert_db_v2_to_v1.py` script has been
removed upstream and this is the new preferred method
additionally, this adds the optional `lensfunDatabases` argument which can be
used to override the lens database used when building the package
(cherry picked from commit f652ee5019)
This gives us better UI in the PR by hiding the commits that are already
on the base branch (mostly staging) after the periodic merge. Without
this, the PR has 100s of commits listed after a few days.
(cherry picked from commit 5439176950)
Replace gitUpdater with a shell script that invokes
update-source-version once per system using
--source-key, so both per-arch AppImage hashes are
refreshed on each version bump.
(cherry picked from commit ec5d28b85b)
MemoryDenyWriteExecute=true breaks pyopenssl's cffi calls, used in the remote access feature.
```
2026-05-24 17:32:58.344 ERROR (MainThread) [music_assistant] Error doing task: Task exception was never retrieved
Traceback (most recent call last):
File "/nix/store/mmv9717wjskv3q5v4768dq0fq5hf4jry-python3.13-aiortc-1.14.0/lib/python3.13/site-packages/aiortc/rtcpeerconnection.py", line 1084, in __connect
await dtlsTransport.start(self.__remoteDtls[self.__sctp])
File "/nix/store/mmv9717wjskv3q5v4768dq0fq5hf4jry-python3.13-aiortc-1.14.0/lib/python3.13/site-packages/aiortc/rtcdtlstransport.py", line 518, in start
self.__local_certificate._create_ssl_context(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
srtp_profiles=self._srtp_profiles
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/nix/store/mmv9717wjskv3q5v4768dq0fq5hf4jry-python3.13-aiortc-1.14.0/lib/python3.13/site-packages/aiortc/rtcdtlstransport.py", line 198, in _create_ssl_context
ctx.set_verify(
~~~~~~~~~~~~~~^
SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, lambda *args: True
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/nix/store/5kwsndvbzfj3dv4fwpdlgin42mgbd4xk-python3.13-pyopenssl-26.0.0/lib/python3.13/site-packages/OpenSSL/SSL.py", line 867, in inner
return f(self, *args, **kwargs)
File "/nix/store/5kwsndvbzfj3dv4fwpdlgin42mgbd4xk-python3.13-pyopenssl-26.0.0/lib/python3.13/site-packages/OpenSSL/SSL.py", line 1390, in set_verify
self._verify_helper = _VerifyHelper(callback)
~~~~~~~~~~~~~^^^^^^^^^^
File "/nix/store/5kwsndvbzfj3dv4fwpdlgin42mgbd4xk-python3.13-pyopenssl-26.0.0/lib/python3.13/site-packages/OpenSSL/SSL.py", line 527, in __init__
self.callback = _ffi.callback(
~~~~~~~~~~~~~^
"int (*)(int, X509_STORE_CTX *)", wrapper
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
MemoryError: Cannot allocate write+execute memory for ffi.callback(). You might be running on a system that prevents this. For more information, see https://cffi.readthedocs.io/en/latest/using.html#callbacks
```
(cherry picked from commit 6b53fc13e3)
I assume quadradical doesn't want to re-assume maintainership simply because I reverted the package drop for my own purposes.
(cherry picked from commit 261eac2ed0)
qbz uses pactl for PipeWire device enumeration and sink routing, and
pw-metadata for bit-perfect sample rate queries. Without these on PATH,
audio playback fails with "Failed to run pactl: No such file or directory".
(cherry picked from commit feafc3f846)
@@ -442,6 +442,7 @@ The staging workflow is used for all stable branches with corresponding names:
- `master`/`release-YY.MM`
- `staging`/`staging-YY.MM`
- `staging-next`/`staging-next-YY.MM`
- `staging-nixos`/`staging-nixos-YY.MM`
[^1]: Except changes that cause no more rebuilds than kernel updates
@@ -505,7 +506,7 @@ These PRs go to `staging-nixos`, see [the next section for more context](#change
Changes causing a rebuild of all NixOS tests get a special [`10.rebuild-nixos-tests`](https://github.com/NixOS/nixpkgs/issues?q=state%3Aopen%20label%3A10.rebuild-nixos-tests) label.
These changes pose a significant impact on the build infrastructure.
Hence, these PRs should either target a `staging`-branch or `staging-nixos`, provided one of following conditions applies:
Hence, these PRs should either target a `staging`-branch or `staging-nixos`-branch, provided one of following conditions applies:
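Review bot: on the changed sentence, "provided one of following conditions applies" is missing an article. Since the line is being touched anyway, make it "provided one of the following conditions applies". Consider also writing "`staging` branch or `staging-nixos` branch" without the hyphen after the inline code, which reads more naturally than "`staging-nixos`-branch".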
- For basic usage, use some of the prebuilt environments available at the top level, such as `texliveBasic`, `texliveSmall`. For the full list of prebuilt environments, inspect `texlive.schemes`.
@@ -24,7 +22,7 @@ Release 23.11 ships with a new interface that will eventually replace `texlive.c
- `texlive.withPackages` uses the same logic as `buildEnv`. Only parts of a package are installed in an environment: its 'runtime' files (`tex` output), binaries (`out` output), and support files (`tlpkg` output). Moreover, man and info pages are assembled into separate `man` and `info` outputs. To add only the TeX files of a package, or its documentation (`texdoc` output), just specify the outputs:
```nix
texlive.withPackages (
texliveBasic.withPackages (
ps: with ps; [
texdoc # recommended package to navigate the documentation
perlPackages.LaTeXML.tex # tex files of LaTeXML, omit binaries
@@ -34,64 +32,19 @@ Release 23.11 ships with a new interface that will eventually replace `texlive.c
)
```
- To add the documentation for all packages in the environment, use
```nix
texliveSmall.overrideAttrs { withDocs = true; }
```
This can be applied before or after calling `withPackages`. The parameter `withSources` adds all source containers.
- All packages distributed by TeX Live, which contains most of CTAN, are available and can be found under `texlive.pkgs`:
```ShellSession
$ nix repl
nix-repl> :l <nixpkgs>
nix-repl> texlive.pkgs.[TAB]
```
Note that the packages in `texlive.pkgs` are only provided for search purposes and must not be used directly.
- **Experimental and subject to change without notice:** to add the documentation for all packages in the environment, use
- For basic usage just pull `texlive.combined.scheme-basic` for an environment with basic LaTeX support.
- It typically won't work to use separately installed packages together. Instead, you can build a custom set of packages like this. Most CTAN packages should be available:
```nix
texlive.combine {
inherit (texlive)
scheme-small
collection-langkorean
algorithms
cm-super
;
}
```
- There are all the schemes, collections and a few thousand packages, as defined upstream (perhaps with tiny differences).
- By default you only get executables and files needed during runtime, and a little documentation for the core packages. To change that, you need to add `pkgFilter` function to `combine`.
- Note that the wrapper assumes that the result has a chance to be useful. For example, the core executables should be present, as well as some core data files. The supported way of ensuring this is by including some scheme, for example, `scheme-basic`, into the combination.
- TeX Live packages are also available under `texlive.pkgs` as derivations with outputs `out`, `tex`, `texdoc`, `texsource`, `tlpkg`, `man`, `info`. They cannot be installed outside of `texlive.combine` but are available for other uses. To repackage a font, for instance, use
These are derivations with outputs `out`, `tex`, `texdoc`, `texsource`, `tlpkg`, `man`, `info`. They cannot be installed outside of `texlive.withPackages` but are available for other uses. To repackage a font, for instance, use
```nix
stdenvNoCC.mkDerivation (finalAttrs: {
@@ -112,9 +65,9 @@ Release 23.11 ships with a new interface that will eventually replace `texlive.c
You may find that you need to use an external TeX package. A derivation for such package has to provide the contents of the "texmf" directory in its `"tex"` output, according to the [TeX Directory Structure](https://tug.ctan.org/tds/tds.html). Dependencies on other TeX packages can be listed in the attribute `tlDeps`.
You may find that you need to use an external TeX package. A derivation for such package has to provide the contents of the "texmf" directory in its `"tex"` output, according to the [TeX Directory Structure](https://tug.ctan.org/tds/tds.html). Dependencies on other TeX packages can be listed in the attribute `passthru.tlDeps`, which is a function taking a package set and returning a list of packages.
The functions `texlive.combine` and `texlive.withPackages` recognise the following outputs:
The function `texlive.withPackages` recognise the following outputs:
- `"out"`: contents are linked in the TeX Live environment, and binaries in the `$out/bin` folder are wrapped;
- `"tex"`: linked in `$TEXMFDIST`; files should follow the TDS (for instance `$tex/tex/latex/foiltex/foiltex.cls`);
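Review bot: subject and verb disagree in "The function `texlive.withPackages` recognise the following outputs:". With the subject reduced to a single function it should read "recognises". It would also help to say on the `passthru.tlDeps` line what the function is expected to return when a package has no TeX dependencies, since the attribute is now described as a function rather than a list.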
@@ -122,8 +75,6 @@ The functions `texlive.combine` and `texlive.withPackages` recognise the followi
- `"tlpkg"`: linked in `$TEXMFROOT/tlpkg`;
- `"man"`, `"info"`, ...: the other outputs are combined into separate outputs.
When using `pkgFilter`, `texlive.combine` will assign `tlType` respectively `"bin"`, `"run"`, `"doc"`, `"source"`, `"tlpkg"` to the above outputs.
Here is a (very verbose) example. See also the packages `auctex`, `eukleides`, `mftrace` for more examples.
```nix
@@ -138,7 +89,7 @@ let
"tex"
"texdoc"
];
passthru.tlDeps = with texlive; [ latex ];
passthru.tlDeps = ps: [ ps.latex ];
srcs = [
(fetchurl {
@@ -169,13 +120,14 @@ let
latexmk
]
))
# multiple-outputs.sh fails if $out is not defined
(writeShellScript "force-tex-output.sh" ''
out="''${tex-}"
'')
writableTmpDirAsHomeHook # Need a writable $HOME for latexmk
];
# multiple-outputs.sh fails if $out is not defined
-`base16-builder` node package has been removed due to lack of upstream maintenance.
-`budgie-desktop` has been updated [10.9.4](https://github.com/BuddiesOfBudgie/budgie-desktop/releases/tag/v10.9.4). This changes `XDG_CURRENT_DESKTOP` from `Budgie:GNOME` to `Budgie` and contains ABI bumps for libpeas2 migration.
-`budgie-desktop` has been updated to [10.9.4](https://github.com/BuddiesOfBudgie/budgie-desktop/releases/tag/v10.9.4). This changes `XDG_CURRENT_DESKTOP` from `Budgie:GNOME` to `Budgie` and contains ABI bumps for libpeas2 migration.
-`buildGoModule` removes the compatibility layer of `CGO_ENABLED` not specified via `env`.
Specifying `CGO_ENABLED` directly now results in an error.
@@ -53,7 +53,7 @@
-`cardboard` has been removed due to the package having been broken since at least November 2024.
-`carla` no longer support `gtk2` override.
-`carla` no longer supports`gtk2` override.
-`chatgpt-retrieval-plugin` has been removed due to the package having been broken since at least November 2024.
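Review bot: the corrected `carla` line reads "no longer supports`gtk2` override", with no space between "supports" and the inline code, so the grammar fix introduces a spacing error. Suggest "`carla` no longer supports the `gtk2` override."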
@@ -135,7 +135,7 @@
-`linux` and all other Linux kernel packages have moved all in-tree kernel modules into a new `modules` output.
-`lxde` scope has been removed, and its packages have been moved the top-level.
-`lxde` scope has been removed, and its packages have been moved to the top-level.
-`mariadb` now defaults to `mariadb_114` instead of `mariadb_1011`, meaning the default version was upgraded from 10.11.x to 11.4.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-4/) for potential issues.
@@ -183,7 +183,7 @@
-`pcp` has been removed because the upstream repo was archived and it hasn't been updated since 2021.
-`podofo` has been updated from `0.9.8` to `1.0.0`. These releases are by nature very incompatible due to major API changes. The legacy versions can be found under `podofo_0_10` and `podofo_0_9`.
-`privatebin` has been updated to `2.0.0`. This release changes configuration defaults including switching the template and removing legacy features. See the [v2.0.0 changelog entry](https://github.com/PrivateBin/PrivateBin/releases/tag/2.0.0) for details on how to upgrade.
@@ -246,7 +246,7 @@
-`sublime-music` has been removed because upstream has announced it is no longer maintained. Upstream suggests using `supersonic` instead.
- Support for bootstrapping native GHC compilers on 32‐bit ARM and little‐endian 64‐bit PowerPC has been dropped.
- Support for bootstrapping native GHC compilers on 32‐bit ARM and little‐endian 64-bit PowerPC has been dropped.
The latter was probably broken anyway.
If there is interest in restoring support for these architectures, it should be possible to cross‐compile a bootstrap GHC binary.
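Review bot: the hyphen characters in the GHC entry are now inconsistent. The changed line uses an ASCII hyphen in "64-bit" but keeps the Unicode hyphen in "32‐bit" and "little‐endian" on the same line, and "cross‐compile" two lines down keeps it as well. Either normalise all four occurrences or leave the line alone, otherwise text search for "32-bit" still misses this entry.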
@@ -359,7 +359,7 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
-`ffmpeg_8`, `ffmpeg_8-headless`, and `ffmpeg_8-full` have been added. The default version of FFmpeg is now `ffmpeg_8`. You can install previous versions from package attributes such as `ffmpeg_7`.
-`forgejo-runner` upgrading to version 11 brings a license change from MIT to GPLv3-or-later.
-`forgejo-runner` has been upgraded to version 11, which brings a license change from MIT to GPLv3-or-later.
- GIMP now defaults to version 3. Use `gimp2` for the old version.
@@ -405,8 +405,6 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
-`prl-tools` has been moved out of `linuxPackages` because Parallels Guest Tools become driverless since 26.1.0.
-`searx` was updated to use `envsubst` instead of `sed` for parsing secrets from environment variables.
-`sftpman` has been updated to version 2, a rewrite in Rust which is mostly backward compatible but does include some changes to the CLI.
For more information, [check the project's README](https://github.com/spantaleev/sftpman-rs#is-sftpman-v2-compatible-with-sftpman-v1).
@@ -431,7 +429,7 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
- The `dockerTools.streamLayeredImage` builder now uses a better algorithm for generating layered docker images, such that much more sharing is possible when the number of store paths exceeds the layer limit. It gives each of the largest store paths its own layer and adds dependencies to those layers when they aren't used elsewhere.
- The `open-webui` package's postgres support have been moved to optional dependencies to comply with upstream changes in 0.6.26.
- The `open-webui` package's postgres support has been moved to optional dependencies to comply with upstream changes in 0.6.26.
- The systemd initrd will now respect `x-systemd.wants` and `x-systemd.requires` for reliably unlocking multi-disk bcachefs volumes.
@@ -440,6 +438,8 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
- Packages using `versionCheckHook` that previously relied solely on `pname` to locate the program used to version check, but have a differing `meta.mainProgram` entry, might now fail.
-`waydroid-nftables` is a new variant of `waydroid` that supports nftables instead of iptables.
-`searx` was updated to use `envsubst` instead of `sed` for parsing secrets from environment variables.
If your previous configuration included a secret reference like `server.secret_key = "@SEARX_SECRET_KEY@"`, you must migrate to the new envsubst syntax: `server.secret_key = "$SEARX_SECRET_KEY"`.
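Review bot: the migration sentence under the `searx` entry shows only the bare `$SEARX_SECRET_KEY` form. Since `envsubst` now performs the substitution, the note should say whether `${SEARX_SECRET_KEY}` is accepted too and whether a literal `$` elsewhere in the settings has to be escaped, so that users moving secrets over do not end up with an empty or altered `server.secret_key`.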
@@ -470,7 +470,7 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
-`lib.sources.pathType`, `lib.sources.pathIsDirectory` and `lib.sources.pathIsRegularFile` have been replaced by `lib.filesystem.pathType`, `lib.filesystem.pathIsDirectory` and `lib.filesystem.pathIsRegularFile` respectively.
-`lib.strings.isCoercibleToString` has been in favor of either `lib.strings.isStringLike` or `lib.strings.isConvertibleWithToString`. Only use the latter if it needs to return true for null, numbers, booleans, or a list of those.
-`lib.strings.isCoercibleToString` has been replaced in favor of either `lib.strings.isStringLike` or `lib.strings.isConvertibleWithToString`. Only use the latter if it needs to return true for null, numbers, booleans, or a list of those.
-`lib.types.string` has been removed. See [this pull request](https://github.com/NixOS/nixpkgs/pull/66346) for better alternative types like `lib.types.str`.
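Review bot: "has been replaced in favor of either" on the `lib.strings.isCoercibleToString` line mixes two idioms. Use "has been replaced by either `lib.strings.isStringLike` or `lib.strings.isConvertibleWithToString`" or "has been deprecated in favor of either", whichever matches the actual state of the function, because "replaced" and "deprecated" tell users different things about whether the old name still evaluates.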
- `yarn2nix`/`yarn2nix-moretea` and its tooling(`mkYarnPackage`, `mkYarnModules`, and `fixup_yarn_lock`) have been removed as they were unmaintainable in nixpkgs. If you want to build with Yarn V1 going forward, use the hooks instead(`yarnBuildHook`, `yarnConfigHook`, and `yarnInstallHook`). See the yarn v1 documentation in the nixpkgs manual for more details.
- `albert` has been updated to the version 34.0.5. This release redesigns the query system to support stateful asynchronous handlers and infinite scrolling, and adds internationalized tokenization.
- `albert` has been updated to version 34.0.5. This release redesigns the query system to support stateful asynchronous handlers and infinite scrolling, and adds internationalized tokenization.
This update introduces several breaking changes: the Python plugin interface is now v5.0, the `PATH` plugin has been renamed to `Commandline`, and the QStylesheets-based widgets box model frontend has been removed.
For more information read the [changelog for 34.0.0](https://albertlauncher.github.io/2026/01/19/albert-v34.0.0-released/).
@@ -105,7 +105,7 @@
- `spoof` has been removed, as there are many issues upstream with it working on modern OS versions, and it appears to be unmaintained.
- `duckstation` package has been removed, as it was requested by upstream and build source were changed to be incompatible with NixOS.
- `duckstation` package has been removed, as it was requested by upstream and build sources were changed to be incompatible with NixOS.
- `nodePackages.coc-go` and `nodePackages.coc-tsserver`, along with their vim plugins, have been removed from nixpkgs due to being unmaintained.
@@ -115,7 +115,7 @@
- `nodePackages.browserify` has been removed, as it was unmaintained within nixpkgs.
- `command-not-found` package will be enabled by default if the source of nixpkgs contains the file `programs.sqlite`. This is the case if a nixpkgs tarball from https://channels.nixos.org is used. This usage will also make the database of `command-not-found` stateless.
- `command-not-found` package will be enabled by default if the source of nixpkgs contains the file `programs.sqlite`. This is the case if a nixpkgs tarball from <https://channels.nixos.org> is used. This usage will also make the database of `command-not-found` stateless.
- `nodePackages.sass` has been removed, as it was unmaintained within nixpkgs.
@@ -128,7 +128,7 @@
- Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.
- Keycloak has been updated to 26.6.X, bringing a lot new features like federated client authentication, JWT authorization grants, workflows and the ability to do
- Keycloak has been updated to 26.6.X, bringing a lot of new features like federated client authentication, JWT authorization grants, workflows and the ability to do
zero-downtime patch releases. Read more about [all the exciting new capabilities in keycloak 26.6 here](https://github.com/keycloak/keycloak/releases/tag/26.6.0)
and [consult the migration guide to 26.6](https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-26-6-0) to find out whether this is a breaking
change for your keycloak instance.
@@ -157,21 +157,19 @@
This release contains breaking changes, see [Upgrading to Vinyl Cache 9.0](https://vinyl-cache.org/docs/9.0/whats-new/upgrading-9.0.html).
The `varnish-modules` project is currently not packaged for Vinyl Cache, as it is incompatible.
- `eslint` has been updated from version 9 to version 10. Please see https://eslint.org/blog/2026/02/eslint-v10.0.0-released/ for details about the breaking changes included in the update.
- `eslint` has been updated from version 9 to version 10. Please see <https://eslint.org/blog/2026/02/eslint-v10.0.0-released/> for details about the breaking changes included in the update.
- `minio` has been abandoned by upstream and security issues won't be fixed. It is scheduled to be removed for 26.11. Users should migrate to alternatives such as Garage, SeaweedFS, or Ceph. S3-compatible clients such as rclone can be used to move data.
- `minio` has been abandoned by upstream and security issues won't be fixed. `minio_legacy_fs` has also been removed. Both are scheduled for full removal in 26.11. Users should migrate to alternatives such as Garage, SeaweedFS, or Ceph. S3-compatible clients such as rclone can be used to move data.
`minio_legacy_fs` has been removed. Users should migrate to alternatives such as Garage, SeaweedFS, or Ceph. S3-compatible clients such as rclone can be used to move data.
- `mercure` has been updated to `0.21.4` (or later). Version [0.21.0](https://github.com/dunglas/mercure/releases/v0.21.0) and [0.21.2](https://github.com/dunglas/mercure/releases/tag/v0.21.2) introduce breaking changes to the package.
- `mercure` has been update to `0.21.4` (or later). Version [0.21.0](https://github.com/dunglas/mercure/releases/v0.21.0) and [0.21.2](https://github.com/dunglas/mercure/releases/tag/v0.21.2) introduce breaking changes to the package.
- `mozc` and `mozc-ut` no longer contains the IBus front-end, which are now provided by `ibus-engines.mozc` and `ibus-engines.mozc-ut`.
- `mozc` and `mozc-ut` no longer contain the IBus front-end, which is now provided by `ibus-engines.mozc` and `ibus-engines.mozc-ut`.
- `nemorosa` has been updated from `0.4.3` to `0.5.0`. Version [0.5.0](https://github.com/KyokoMiki/nemorosa/releases/tag/0.5.0) introduced breaking changes to the package configuration.
- `n8n` has been updated to version 2. You can find the breaking changes here: https://docs.n8n.io/2-0-breaking-changes/.
- `n8n` has been updated to version 2. You can find the breaking changes here: <https://docs.n8n.io/2-0-breaking-changes/>.
- `nomad` has been updated to v1.11. Refer to the [release note](https://developer.hashicorp.com/nomad/docs/release-notes/nomad/v1-11-x) for more details. Once a new Nomad version has started and upgraded it's data directory, it generally cannot be downgraded to the previous version.
- `nomad` has been updated to v1.11. Refer to the [release note](https://developer.hashicorp.com/nomad/docs/release-notes/nomad/v1-11-x) for more details. Once a new Nomad version has started and upgraded its data directory, it generally cannot be downgraded to the previous version.
- The default NVIDIA drivers no longer support Maxwell (GTX 1xxx) or older GPUs. Pin the nvidia package to ` config.boot.kernelPackages.nvidiaPackages.legacy_580` for continued support.
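Review bot: In the `minio` entry, the line starting "`minio_legacy_fs` has been removed" has no leading `- `, so it will render as a continuation of the preceding bullet rather than as its own item. The neighbouring wording also says `minio_legacy_fs` "has also been removed" while "Both are scheduled for full removal in 26.11", and those two statements conflict. Suggest keeping one bulleted entry that states which package is already gone and which goes in 26.11; since the entry says upstream security issues won't be fixed, readers still running it need that distinction. Separately, the code span in the NVIDIA entry begins with a stray space before `config.boot.kernelPackages.nvidiaPackages.legacy_580`.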
@@ -185,18 +183,20 @@
Please use [`pytestFlags` and `(enabled|disabled)(TestPaths|Tests|TestMarks)`](#using-pytestcheckhook) instead.
If modifying the Nix expression is not feasible, users can remediate the error by overriding `pytestFlagsArray` with `null` or `[ ]`.
- `python3Packages.pygame` has been been renamed to `python3Packages.pygame-original`, the attribute `python3Packages.pygame` will from python 3.14 default to the more actively maintained `python3Packages.pygame-ce`
- `python3Packages.pygame` has been renamed to `python3Packages.pygame-original`, the attribute `python3Packages.pygame` will from python 3.14 default to the more actively maintained `python3Packages.pygame-ce`.
- `fastly` has been updated to major version 14. For more information, you can check the [release notes](https://github.com/fastly/cli/releases/tag/v14.0.0)
- `fastly` has been updated to major version 14. For more information, you can check the [release notes](https://github.com/fastly/cli/releases/tag/v14.0.0).
- `peertube` has been updated from `7.3.0` to `8.0.2`, introducing several breaking changes.
Some notable new features include channel collaboration and video player redesign with a new theme.
For details on how to upgrade, see the `IMPORTANT NOTES` section of the [v8.0.0 CHANGELOG entry](https://docs.joinpeertube.org/CHANGELOG#v8-0-0).
- `python3Packages.gradio` has been updated to version 6. See upstream's migration guide at https://www.gradio.app/main/guides/gradio-6-migration-guide.
- `python3Packages.gradio` has been updated to version 6. See upstream's migration guide at <https://www.gradio.app/main/guides/gradio-6-migration-guide>.
- `python3Packages.pikepdf` no longer builds with mupdf support by default, which may be nice in Jupyter and iPython. Build with `withMupdf = true` if this is required.
- `olive-editor` has been dropped as upstream development ceased and no longer builds.
- `python3Packages.django-mdeditor` has been removed, as it was unmaintained upstream and the latest release was vulnerable to a [critical security vulnerability](https://github.com/NixOS/nixpkgs/issues/515462).
- `vicinae` has been updated to v0.20. This includes, among several other breaking changes, a complete overhaul of the configuration system. For update instructions, see the [upstream configuration documentation](https://docs.vicinae.com/config#migration-from-v0-16-x-to-v0-17-x).
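Review bot: The `python3Packages.pikepdf` entry is ambiguous: "no longer builds with mupdf support by default, which may be nice in Jupyter and iPython" reads as if dropping mupdf is the nice part, while the next sentence implies the support is what some users want. If the second reading is intended, suggest "no longer builds with mupdf support by default; that support is mostly of interest in Jupyter and IPython", which also fixes the IPython spelling. The `olive-editor` line has a similar slip: "as upstream development ceased and no longer builds" needs a subject for the second verb, e.g. "and it no longer builds".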
@@ -272,7 +272,7 @@
IMAP_CERTIFICATE_VALIDATION=false
```
- `python3packages.pillow-avif-plugin` has been removed as the functionality is included in `python3packages.pillow` directly since version 11.3.
- `python3Packages.pillow-avif-plugin` has been removed as the functionality is included in `python3Packages.pillow` directly since version 11.3.
- `wasistlos` (previously known as `whatsapp-for-linux`) has been removed because it was unmaintained and archived upstream.
Multiple alternatives exist: `karere`, `whatsie` and `zapzap` among others.
@@ -284,7 +284,7 @@
- `shisho` has been removed because it's archived. `semgrep`, `opengrep`, and `ast-grep` provide similar functionality.
- `services.openssh.settings.AcceptEnv` now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
- `services.openssh.settings.AcceptEnv` is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
- All Xfce packages have been moved to top level (e.g. if you previously added `pkgs.xfce.xfce4-whiskermenu-plugin` to `environment.systemPackages`, you will need to change it to `pkgs.xfce4-whiskermenu-plugin`). The `xfce` scope will be removed in NixOS 26.11.
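Review bot: The `services.openssh.settings.AcceptEnv` entry says string values are no longer supported but does not show what to write instead. A one-line before/after would help, for example `AcceptEnv = "LANG LC_*";` becoming `AcceptEnv = [ "LANG" "LC_*" ];`. This setting decides which client-supplied environment variables sshd accepts, so the migration should leave no room for guessing.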
@@ -296,7 +296,7 @@
- `vimPlugins.nvim-treesitter` has been updated to `main` branch, which is a full and incompatible rewrite. If you can't or don't want to update, you should use `vimPlugins.nvim-treesitter-legacy`.
- `services.taskchampion-sync-server` module have been added an option `services.taskchampion-sync-server.dynamicUser` to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
- `services.taskchampion-sync-server` module has had an option `services.taskchampion-sync-server.dynamicUser` added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
- Package `jellyseerr` has been renamed to `seerr` following the upstream rename.
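Review bot: The reworded `services.taskchampion-sync-server` sentence ("module has had an option ... added") is still hard to read, and "If you need this feature" does not say who has to act. Suggest "The `services.taskchampion-sync-server` module has a new option, `services.taskchampion-sync-server.dynamicUser`, which uses systemd's DynamicUser feature." The follow-up should say explicitly whether the manual step (setting the option to `true` and moving `/var/lib/taskchampion-sync-server`) applies only to systems whose stateVersion is below 26.05.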
@@ -326,7 +326,7 @@
- The packages `ibtool`, `actool` and `re-plistbuddy` have been added, providing reimplementations of the corresponding proprietary Apple tools. They are more compatible with the originals than the previously existing `xcbuild` package, and should enable more darwin software to be built from source.
- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows to avoid switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
- GNU Taler has been updated to version 1.3.
This release focuses on getting everything ready for a deployment of GNU Taler by Magnet bank.
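Review bot: In the switch inhibitors entry, "This allows avoiding switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors" still attaches "by adding" to the wrong clause, so it reads as if adding the string is what changes the systemd version. Suggest splitting it: "For instance, adding `config.systemd.package.version` to the switch inhibitors for your system prevents switching into a generation whose systemd version differs." The entry also never names the option that holds the list, which readers will need in order to use the feature.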
@@ -349,7 +349,7 @@
- Added `dell-bios-fan-control` package and service.
- Added `lovr` package, a LUA-based game engine for VR and XR applications.
- Added `lovr` package, a Lua-based game engine for VR and XR applications.
- Updated `wsjtx` from 2.7.0 to 3.0.0 for amateur radio hobbyists who use FT8 and other related digital modes.
See the [release notes](https://wsjt.sourceforge.io/Release_Notes.txt) for the changelog.
@@ -359,13 +359,15 @@
- `wrapNeovimUnstable` now sets provider-related configuration in its generated config rather than as wrapper arguments. It should not affect configuration unless you set `wrapRc` to false or are using the `legacyWrapper`.
- neovim lua dependencies are now set in the generated init.lua instead of
- Neovim Lua dependencies are now set in the generated init.lua instead of
modifying LUA_PATH in the wrapper. Commands run pre-vimrc via `nvim --cmd
"require'LUA_MODULE'"` may
not find their lua dependencies anymore. Use `nvim -c "lua require'LUA_MODULE'"` instead to run these commands after loading `init.lua`. If you use `wrapNeovim` with `wrapRc` set to `false`, you may lose the lua dependencies if you are not loading the generated `init.lua`.
- We now use the upstream wrapper script for Gradle, supporting both the `JAVA_HOME` and `GRADLE_OPTS` environment variables.
- Updated `gonic` to 0.21.0. A full ("slow") scan is recommended after upgrading to v0.21.0 to pick up the newly scanned fields (contributors, ISRCs, record labels, per-track years, ARTIST_CREDIT).
- the `autossh-ng` NixOS module was introduced as a simpler alternative to the existing `autossh` module.
- Added `haskell.packages.microhs`, a set of Haskell packages built with MicroHs.
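Review bot: The capitalisation fix in the Neovim entry covers only its first line; the continuation still says "lua dependencies" twice, and the code span `nvim --cmd "require'LUA_MODULE'"` is split across a line break, which some Markdown renderers will not treat as a single span. Suggest reflowing the whole bullet so the command sits on one line and using "Lua" throughout. The `autossh-ng` entry further down also starts with a lowercase "the", unlike its neighbours.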
@@ -400,7 +402,7 @@ gnuradioMinimal.override {
- `nodejs` is now a simple wrapper for `nodejs-slim`+`nodejs-slim.npm`+`nodejs-slim.corepack`, meaning it is no longer possible to reference or override its attributes or outputs (e.g. `nodejs.libv8` must be replaced with `nodejs-slim.libv8`, `nodejs.nativeBuildInputs` with `nodejs-slim.nativeBuildInputs`, etc.).
- `navidrome` has removed the built-in Spotify integrationhttps://github.com/navidrome/navidrome/releases/tag/v0.61.0 has details on optional replacements
- `navidrome` has removed the built-in Spotify integration. See [v0.61.0](https://github.com/navidrome/navidrome/releases/tag/v0.61.0) for details on optional replacements.
- `mold` is now wrapped by default.
@@ -420,4 +422,4 @@ gnuradioMinimal.override {
- The builder `php.buildComposerProject2` for PHP applications has been improved for better reliability and stability.
- The `services.drupal` module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and a some new settings for managing variable content and filepaths.
- The `services.drupal` module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and some new settings for managing variable content and filepaths.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd. This allows to build NixOS systems without any interpreter. Enable via `system.nixos-init.enable = true;`.
- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd.
- COSMIC DE has been updated to the beta version, bringing it closer to its first stable release. This includes updates to its core components, applications, and overall stability.
@@ -41,17 +41,19 @@
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd. This allows to build NixOS systems without any interpreter. Enable via `system.nixos-init.enable = true;`.
- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd. This allows building NixOS systems without any interpreter. Enable via `system.nixos-init.enable = true;`.
- [angrr](https://github.com/linyinfeng/angrr), a service that automatically cleans up old auto GC roots. Available as [services.angrr](#opt-services.angrr.enable).
- Auto-scrub support for Bcachefs filesystems can now be enabled through [services.bcachefs.autoScrub.enable](#opt-services.bcachefs.autoScrub.enable) to periodically check for data corruption. If there's a correct copy available, it will automatically repair corrupted blocks.
- [Beszel](https://beszel.dev), a lightweight server monitoring hub with historical data, docker stats, and alerts. Available as [`services.beszel.agent`](options.html#opt-services.beszel.agent.enable) and [`services.beszel.hub`](options.html#opt-services.beszel.hub.enable).
- [Beszel](https://beszel.dev), a lightweight server monitoring hub with historical data, docker stats, and alerts. Available as [`services.beszel.agent`](#opt-services.beszel.agent.enable) and [`services.beszel.hub`](#opt-services.beszel.hub.enable).
- [boot.kernel.sysfs](options.html#opt-boot.kernel.sysfs), a new way to set of sysfs attributes.
- [boot.kernel.sysfs](#opt-boot.kernel.sysfs), a new way to set sysfs attributes.
- [Broadcast Box](https://github.com/Glimesh/broadcast-box), a WebRTC broadcast server. Available as [services.broadcast-box](options.html#opt-services.broadcast-box.enable).
- [Broadcast Box](https://github.com/Glimesh/broadcast-box), a WebRTC broadcast server. Available as [services.broadcast-box](#opt-services.broadcast-box.enable).
- Drivers and utilities for [Tenstorrent](https://tenstorrent.com) have been added. Available as [hardware.tenstorrent](#opt-hardware.tenstorrent.enable).
- [byedpi](https://github.com/hufrea/byedpi), a DPI bypass service. Available as [services.byedpi](#opt-services.byedpi.enable).
@@ -67,9 +69,7 @@
- [crowdsec-firewall-bouncer](https://www.crowdsec.net/), the CrowdSec Remediation Component for fetching new and old decisions from a CrowdSec API and adding them to a blocklist used by supported firewalls. Available as [services.crowdsec-firewall-bouncer](#opt-services.crowdsec-firewall-bouncer.enable).
-Docker now defaults to 28.x, because version 27.x stopped receiving security updates and bug fixes after [May 2, 2025](https://github.com/moby/moby/pull/49910).
- [docuseal](https://github.com/docusealco/docuseal), a DocuSign alternative. Create, fill, and sign digital documents. Available at [services.docuseal](#opt-services.docuseal.enable).
-[docuseal](https://github.com/docusealco/docuseal), a DocuSign alternative. Create, fill, and sign digital documents. Available as [services.docuseal](#opt-services.docuseal.enable).
- [Draupnir](https://github.com/the-draupnir-project/draupnir), a Matrix moderation bot. Available as [services.draupnir](#opt-services.draupnir.enable).
@@ -93,14 +93,14 @@
- [Homebridge](https://github.com/homebridge/homebridge), a lightweight Node.js server you can run on your home network that emulates the iOS HomeKit API. Available as [services.homebridge](#opt-services.homebridge.enable).
- [IfState](https://ifstate.net), manage host interface settings in a declarative manner. Available as [networking.ifstate](options.html#opt-networking.ifstate.enable) and [boot.initrd.network.ifstate](options.html#opt-boot.initrd.network.ifstate.enable).
- [IfState](https://ifstate.net), manage host interface settings in a declarative manner. Available as [networking.ifstate](#opt-networking.ifstate.enable) and [boot.initrd.network.ifstate](#opt-boot.initrd.network.ifstate.enable).
- [KMinion](https://github.com/redpanda-data/kminion), feature-rich Prometheus exporter for Apache Kafka. Available as [services.prometheus.exporters.kafka](options.html#opt-services.prometheus.exporters.kafka).
- [LACT](https://github.com/ilya-zlobintsev/LACT), a GPU monitoring and configuration tool, can now be enabled through [services.lact.enable](#opt-services.lact.enable).
Note that for LACT to work properly on AMD GPU systems, you need to enable [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable).
- [lemurs](https://github.com/coastalwhite/lemurs), a customizable TUI display/login manager. Available at [services.displayManager.lemurs](#opt-services.displayManager.lemurs.enable).
- [lemurs](https://github.com/coastalwhite/lemurs), a customizable TUI display/login manager. Available as [services.displayManager.lemurs](#opt-services.displayManager.lemurs.enable).
- [LibreTranslate](https://libretranslate.com), a free and open source machine translation API. Available as [services.libretranslate](#opt-services.libretranslate.enable).
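Review bot: The KMinion entry still links to `options.html#opt-services.prometheus.exporters.kafka`, while the IfState links in this same hunk were changed to the bare `#opt-...` form. Suggest converting it as well so the section uses one link style and the anchor resolves the same way as its neighbours.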
@@ -121,11 +121,11 @@
- [nebula-lighthouse-service](https://github.com/manuels/nebula-lighthouse-service), a public Nebula VPN lighthouse service. Available as [services.nebula-lighthouse-service](#opt-services.nebula-lighthouse-service.enable).
- [Newt](https://github.com/fosrl/newt), a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. Available as [services.newt](options.html#opt-services.newt.enable).
- [Newt](https://github.com/fosrl/newt), a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. Available as [services.newt](#opt-services.newt.enable).
- [nixbit](https://github.com/pbek/nixbit), a GUI application for updating your NixOS system from a Nix Flakes Git repository. Available as [programs.nixbit](#opt-programs.nixbit.enable).
- [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](options.html#opt-boot.initrd.nix-store-veritysetup.enable).
- [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](#opt-boot.initrd.nix-store-veritysetup.enable).
- [Pi-hole](https://pi-hole.net/), a DNS sinkhole for advertisements based on Dnsmasq. Available as [services.pihole-ftl](#opt-services.pihole-ftl.enable), and [services.pihole-web](#opt-services.pihole-web.enable) for the web GUI and API.
- [pmount](https://salsa.debian.org/debian/pmount), a tool that allows normal users to mount removable devices without requiring root privileges Available at [programs.pmount](#opt-programs.pmount.enable).
- [pmount](https://salsa.debian.org/debian/pmount), a tool that allows normal users to mount removable devices without requiring root privileges Available as [programs.pmount](#opt-programs.pmount.enable).
- [postfix-tlspol](https://github.com/Zuplu/postfix-tlspol), a MTA-STS and DANE resolver and TLS policy server for Postfix. Available as [services.postfix-tlspol](#opt-services.postfix-tlspol.enable).
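Review bot: The pmount entry is missing the full stop between "root privileges" and "Available as"; the change from "at" to "as" touched that sentence but left the two sentences run together. Suggest "...without requiring root privileges. Available as [programs.pmount](#opt-programs.pmount.enable)."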
@@ -153,7 +153,7 @@
- [radicle-native-ci](https://radicle.network/nodes/seed.radicle.dev/rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE), an adapter for the [Radicle CI broker](https://radicle.network/nodes/seed.radicle.dev/rad:zwTxygwuz5LDGBq255RA2CbNGrz8), for performing CI runs locally. Available as [services.radicle.ci.adapters.native](#opt-services.radicle.ci.adapters.native.instances).
- [rauc](https://rauc.io/) (the Robust Auto-Update Controller), a daemon that allows reliable and secure software updates in embedded Linux systems. Available at [services.rauc](#opt-services.rauc.enable).
- [rauc](https://rauc.io/) (the Robust Auto-Update Controller), a daemon that allows reliable and secure software updates in embedded Linux systems. Available as [services.rauc](#opt-services.rauc.enable).
- [ringboard](https://github.com/SUPERCILEX/clipboard-history), a fast, efficient, and composable clipboard manager for Linux. Available for x11 as [services.ringboard](#opt-services.ringboard.x11.enable) and for Wayland as [services.ringboard](#opt-services.ringboard.wayland.enable).
@@ -189,7 +189,7 @@
- [tuwunel](https://matrix-construct.github.io/tuwunel/), a federated chat server implementing the Matrix protocol, forked from Conduwuit. Available as [services.matrix-tuwunel](#opt-services.matrix-tuwunel.enable).
- [umami](https://github.com/umami-software/umami), a simple, fast, privacy-focused alternative to Google Analytics. Available with [services.umami](#opt-services.umami.enable).
- [umami](https://github.com/umami-software/umami), a simple, fast, privacy-focused alternative to Google Analytics. Available as [services.umami](#opt-services.umami.enable).
- [wayvnc](https://github.com/any1/wayvnc), a VNC server for wlroots based Wayland compositors. Available as [programs.wayvnc](#opt-programs.wayvnc.enable).
@@ -222,7 +222,7 @@
-`miniflux` no longer uses the hstore PostgreSQL extension. Having the extension would prevent Miniflux from starting. In case you are managing your `miniflux` PostgreSQL database externally, disable the extension with `DROP EXTENSION IF EXISTS hstore;`.
-`netbox-manage` script created by the `netbox` module no longer uses `sudo -u netbox` internally. It can be run as root and will change it's user to `netbox` using `runuser`.
-`netbox-manage` script created by the `netbox` module no longer uses `sudo -u netbox` internally. It can be run as root and will change its user to `netbox` using `runuser`.
- NixOS display manager modules now strictly use tty1, where many of them previously used tty7. Options to configure display managers' VT have been dropped. A configuration with a display manager enabled will not start `getty@tty1.service`, even if the system is forced to boot into `multi-user.target` instead of `graphical.target`.
@@ -254,7 +254,7 @@
-`services.nextcloud.notify_push.enable` now installs the notify_push app. Therefore the appstore is now disabled when using `notify_push`. See `services.nextcloud.appstoreEnable`.
-`services.nixseparatedebuginfod.enable = true;` has been replaced by `services.nixseparatedebuginfod2.enable = true`. If you only use the official binary cache `https://cache.nixos.org` then no further configuration should be needed. If you have other https substituters, you can add them to `services.nixseparatedebuginfod2.subsituters`. SSH substituters are not supported by nixseparatedebuginfod2. Consider running nixseparatedebuginfod2 on the substituter instead, and pointing to it with the new option `environment.debuginfodServers`.
-`services.nixseparatedebuginfod.enable = true;` has been replaced by `services.nixseparatedebuginfod2.enable = true`. If you only use the official binary cache `https://cache.nixos.org` then no further configuration should be needed. If you have other https substituters, you can add them to `services.nixseparatedebuginfod2.substituters`. SSH substituters are not supported by nixseparatedebuginfod2. Consider running nixseparatedebuginfod2 on the substituter instead, and pointing to it with the new option `environment.debuginfodServers`.
-`services.parsoid` and the `nodePackages.parsoid` package have been removed, as the JavaScript-based version this module uses is not compatible with modern MediaWiki versions.
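Review bot: The `subsituters` to `substituters` correction changes an option path that readers will copy into their configuration, so it should be checked against the module's declared option name rather than treated as a prose typo. In the same sentence, `services.nixseparatedebuginfod.enable = true;` carries a trailing semicolon and `services.nixseparatedebuginfod2.enable = true` does not; pick one form.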
@@ -373,7 +373,7 @@
- `boot.plymouth` now has a [`package`](#opt-boot.plymouth.package) option to specify the package used in the module.
- Drivers and utilities for [Tenstorrent](https://tenstorrent.com) have been added. Available as [hardware.tenstorrent](#opt-hardware.tenstorrent.enable).
- Docker now defaults to 28.x, because version 27.x stopped receiving security updates and bug fixes after [May 2, 2025](https://github.com/moby/moby/pull/49910).
- Due to [deprecation of gnome-session X11 support](https://blogs.gnome.org/alatiera/2025/06/08/the-x11-session-removal/), `services.desktopManager.pantheon` now defaults to pantheon-wayland session. The X11 session has been removed, see [this issue](https://github.com/elementary/session-settings/issues/91) for details.
@@ -436,9 +436,9 @@
- `services.k3s` now shares most of its code with `services.rke2`. The merge resulted in both modules providing more options, with `services.rke2` receiving the most improvements.
Existing configurations for either module should not be affected.
- [services.libvirtd.autoSnapshot](options.html#opt-services.libvirtd.autoSnapshot.enable) has been added as a backup service for libvirt managed VMs.
- [services.libvirtd.autoSnapshot](#opt-services.libvirtd.autoSnapshot.enable) has been added as a backup service for libvirt managed VMs.
- `services.limesurvey` now supports nginx as reverse-proxy. Available through [services.limesurvey.webserver](#opt-services.limesurvey.webserver).
- `services.limesurvey` now supports nginx as reverse-proxy. Available as [services.limesurvey.webserver](#opt-services.limesurvey.webserver).
- `services.mattermost` has been updated to use the 10.11 ESR instead of 10.5. While this shouldn't break anyone, we also now package Mattermost 11 as mattermostLatest. Note that Mattermost 11 drops support for MySQL. The Mattermost module will assertion fail if you try to use MySQL with Mattermost 11; support for using MySQL with Mattermost will fully be removed in NixOS 26.
- The `cryptsetup-askpass` program is not available; use `systemctl default` instead, which will prompt for passphrases as necessary. If you pipe password responses into SSH over stdin, use `ssh -o RequestTTY=force` to ensure `systemctl default` gets a TTY to prompt on.
- Many kernel parameters have been replaced with native systemd versions; see [](#sec-boot-problems).
- The system.nix file has been added as an alternative entry point to configuration.nix (and flake.nix) that allows to configure NixOS without using `nix-channel`.
- The system.nix file has been added as an alternative entry point to configuration.nix (and flake.nix) that allows configuring NixOS without using `nix-channel`.
This file must evaluate to a NixOS system derivation or an attribute set of such derivations, in which case the attribute to build has to be selected with the `--attr` option of `nixos-rebuild` or `nixos-install`.
For example,
```nix
@@ -65,12 +65,11 @@
- [Atuin](https://atuin.sh), magical shell history — sync, search and backup your terminal history. Available as [programs.atuin](#opt-programs.atuin.enable).
- [Meshtastic](https://meshtastic.org), an open-source, off-grid, decentralised mesh network
designed to run on affordable, low-power devices. Available as [services.meshtasticd]
(#opt-services.meshtasticd.enable).
designed to run on affordable, low-power devices. Available as [services.meshtasticd](#opt-services.meshtasticd.enable).
- [Goupile](https://goupile.org/en), an open-source design tool for secure forms including Clinical Report Forms (eCRF). Available as [services.goupile](#opt-services.goupile.enable).
- [knot-resolver](https://www.knot-resolver.cz/) in version 6. Available as `services.knot-resolver`. A module for knot-resolver 5 was already available as `services.kresd`.
- [knot-resolver](https://www.knot-resolver.cz/), in version 6. Available as `services.knot-resolver`. A module for knot-resolver 5 was already available as `services.kresd`.
- [ImmichFrame](https://immichframe.dev/), display your photos from Immich as a digital photo frame. Available as `services.immichframe`.
@@ -80,7 +79,7 @@
- [reaction](https://reaction.ppom.me/), a daemon that scans program outputs for repeated patterns, and takes action. A common usage is to scan ssh and webserver logs, and to ban hosts that cause multiple authentication errors. A modern alternative to fail2ban. Available as [services.reaction](#opt-services.reaction.enable).
- [vinyl-cache] as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old `services.varnish` module is still available.
- [vinyl-cache](https://vinyl-cache.org) as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old `services.varnish` module is still available.
- [papra](https://papra.app/), an open-source document management platform designed to help you organize, secure, and archive your files effortlessly. Available as [services.papra](#opt-services.papra.enable).
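Review bot: The vinyl-cache entry now has a link target, but "[vinyl-cache](https://vinyl-cache.org) as the Varnish Cache project renamed itself" is still a fragment that does not say what is being added. Suggest "[vinyl-cache](https://vinyl-cache.org), the new name of the Varnish Cache project. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable)."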
@@ -96,29 +95,29 @@
- [LibreChat](https://www.librechat.ai/), open-source self-hostable ChatGPT clone with Agents and RAG APIs. Available as [services.librechat](#opt-services.librechat.enable).
- [nohang](https://github.com/hakavlad/nohang), a daemon for Linux that prevents out of memory (OOM) situations from affecting system responsiveness. Available as [services.nohang](#opt-services.nohang.enable)
- [nohang](https://github.com/hakavlad/nohang), a daemon for Linux that prevents out of memory (OOM) situations from affecting system responsiveness. Available as [services.nohang](#opt-services.nohang.enable).
- [clevis-luks-askpass](https://github.com/latchset/clevis), automatic LUKS unlocking in initrd using clevis token bindings stored in LUKS headers. Available as [boot.initrd.clevisLuksAskpass](#opt-boot.initrd.clevisLuksAskpass.enable).
- [bentopdf](https://github.com/alam00000/bentopdf), a privacy-first PDF toolkit running completely in-browser. Available as [services.bentopdf](#opt-services.bentopdf.enable).
- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as `services.hyprwhspr-rs`
- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as `services.hyprwhspr-rs`.
- [DankMaterialShell](https://danklinux.com), a complete desktop shell for Wayland compositors built with Quickshell. Available as [programs.dms-shell](#opt-programs.dms-shell.enable).
- [pyroscope](https://github.com/grafana/pyroscope), a continuous profiling platform. that allows for performance debugging. Available as [services.pyroscope](#opt-services.pyroscope.enable)
- [pyroscope](https://github.com/grafana/pyroscope), a continuous profiling platform that allows for performance debugging. Available as [services.pyroscope](#opt-services.pyroscope.enable).
- [dms-greeter](https://danklinux.com), a modern display manager greeter for DankMaterialShell that works with greetd and supports multiple Wayland compositors. Available as [services.displayManager.dms-greeter](#opt-services.displayManager.dms-greeter.enable).
- [dsearch](https://github.com/AvengeMedia/danksearch), a fast filesystem search service with fuzzy matching. Available as [programs.dsearch](#opt-programs.dsearch.enable).
- [Rustical](https://github.com/lennart-k/rustical), a CalDav/CardDav server aiming to be simple, fast and passwordless. Available as [services.rustical](options.html#opt-services.rustical.enable).
- [Rustical](https://github.com/lennart-k/rustical), a CalDav/CardDav server aiming to be simple, fast and passwordless. Available as [services.rustical](#opt-services.rustical.enable).
- [Elephant](https://github.com/abenz1267/elephant), a data provider service and backend for building custom application launchers. Available as [services.elephant](#opt-services.elephant.enable).
- [Dunst](https://github.com/dunst-project/dunst), a lightweight and customizable notification daemon. Available as [services.dunst](#opt-services.dunst.enable).
- [cocoon](https://github.com/haileyok/cocoon), is a PDS (personal data server) that is a alternative to the bluesky pds. Available as [services.cocoon](#opt-services.cocoon.enable).
- [cocoon](https://github.com/haileyok/cocoon), a PDS (personal data server) that is an alternative to the Bluesky PDS. Available as [services.cocoon](#opt-services.cocoon.enable).
- [Ente Auth](https://ente.io/auth/), an open source 2FA authenticator, with end-to-end encrypted backups. Available as [programs.ente-auth](#opt-programs.ente-auth.enable).
@@ -138,7 +137,7 @@
- [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as `services.udp-over-tcp`.
- [turborepo-remote-cache](https://ducktors.github.io/turborepo-remote-cache/), an open-source implementation of the [Turborepo custom remote cache server](https://turbo.build/repo/docs/core-concepts/remote-caching#self-hosting). Available as [services.turborepo-remote-cache](options.html#opt-services.turborepo-remote-cache).
- [turborepo-remote-cache](https://ducktors.github.io/turborepo-remote-cache/), an open-source implementation of the [Turborepo custom remote cache server](https://turbo.build/repo/docs/core-concepts/remote-caching#self-hosting). Available as [services.turborepo-remote-cache](#opt-services.turborepo-remote-cache.enable).
- [RSSHub](https://github.com/DIYgod/RSSHub), a service to convert many sources into rss. Available as `services.rsshub`.
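Review bot: The turborepo-remote-cache link change does more than drop the `options.html` prefix: the anchor goes from `opt-services.turborepo-remote-cache` to `opt-services.turborepo-remote-cache.enable`. Please confirm the `.enable` option exists so the link resolves, and mention the anchor change in the commit message since it is not a pure formatting fix. The RSSHub line below could also say "RSS" rather than "rss".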
@@ -162,7 +161,7 @@
- [porxie](https://codeberg.org/Blooym/porxie), a correct and efficient ATProto blob proxy for secure content delivery. Available as [services.porxie](#opt-services.porxie.enable).
- [LogiOps](https://github.com/PixlOne/logiops), a unofficial userspace driver for HID++ Logitech devices. Available as [services.logiops](#opt-services.logiops.enable).
- [LogiOps](https://github.com/PixlOne/logiops), an unofficial userspace driver for HID++ Logitech devices. Available as [services.logiops](#opt-services.logiops.enable).
- `services.mattermost` now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module.
See the [migration steps](https://docs.mattermost.com/deployment-guide/manual-postgres-migration.html) if you were not running Postgres.
Note that version 11 also restricts the user limit to 250 [by default](https://forum.mattermost.com/t/clarification-request-on-user-limits-max-250-user-server-v-11/25309);
see the `pkgs.mattermost` removeUserLimit and removeFreeBadge options combined with `services.mattermost.package` to change this behavior. For example:
- `post-resume.target` has been removed. See {manpage}`systemd.special(7)` about `sleep.target` for instructions on ordering a process after resume with `ExecStop=`.
- `services.vsftpd` no longer automatically configures a PAM module. This means configurations using `services.vsftpd.localUsers` will no longer work unless `services.vsftpd.enableVirtualUsers` and `services.vsftpd.userDbPath` are also configured. The old behaviour can be restored by setting `security.pam.services.vsftpd.enable = true`, although this only ever worked by accident and may not be secure.
- `services.kubernetes.addons.dns.coredns` has been renamed to `services.kubernetes.addons.dns.corednsImage` and now expects a
package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with dockerTools.buildImage is used, instead
of pulling the upstream container image from Docker Hub. If you want the old behavior, you can set:
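Review bot: The `services.vsftpd` entry tells users they can restore the old behaviour with `security.pam.services.vsftpd.enable = true` and then says only that this "may not be secure", which gives an administrator nothing to assess. State what the accidental PAM configuration actually permitted, or recommend the `enableVirtualUsers` plus `userDbPath` route as the supported path and present the PAM toggle as a temporary fallback. The "a unofficial" to "an unofficial" fix in the LogiOps line looks right.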
@@ -259,7 +271,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
for further information.
Please do note that there's no official way to rotate. On a single-node instance with the database and the secret-key being
on the same filesystem with the same permissions for Grafana only to read it's most likely OK to keep using the old key.
on the same filesystem with the same permissions for Grafana only to read, it is most likely OK to keep using the old key.
If you need to rotate, a [3rd-party tool, `grafana-secretkey-rotation-tool`](https://github.com/erooke/grafana-secretkey-rotation-tool/tree/d9dc788902fa5185e15cb15ce6129f7237ab6138) is a tested option.
When using a secret for this value, make sure to use [Grafana's variable expansion to inject secrets](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion).
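Review bot: The corrected sentence ending "with the same permissions for Grafana only to read, it is most likely OK to keep using the old key" is still hard to parse at the point where it gives security guidance. Something like "with permissions that allow only Grafana to read them" would make the condition checkable. The preceding line also says "no official way to rotate" without naming the object; "rotate the secret key" would remove the ambiguity.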
@@ -297,7 +309,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
- `walker` has been updated to 2.0.0+, which is a complete rewrite in rust.
It now requires a running `elephant` application launcher backend service, which can be enabled using the new `services.elephpant.enable`.
It now requires a running `elephant` application launcher backend service, which can be enabled using the new `services.elephant.enable`.
The way keybinds and actions are handled have been completely revamped. Please refer to the [default config](https://raw.githubusercontent.com/abenz1267/walker/refs/heads/master/resources/config.toml).
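Review bot: The `services.elephpant.enable` to `services.elephant.enable` correction is needed, but the surrounding lines in this hunk keep two other errors: "The way keybinds and actions are handled have been" should read "has been", and "rust" should be capitalised as "Rust". The default-config link also points at `refs/heads/master`, so it will drift from the packaged 2.0.0+ release; a tag or commit reference would keep the note accurate.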
@@ -444,7 +456,7 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
- `systemd.network.*` has been updated to support all configuration options from upstream `networkd` version 259.
- `networking.resolvconf.enable` now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`.If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.
- `networking.resolvconf.enable` now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`.If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.
- `services.openssh` now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving `services.openssh.enable` disabled. This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.
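Review bot: The replacement `networking.resolvconf.enable` line still has no space between the closing backtick-period and "If" ("`.If you set"), and the old and new lines render identically here, so the change appears to be whitespace-only. Add the missing space after the period in the same edit so the two sentences are separated.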
Some files were not shown because too many files have changed in this diff