nixos/sshd: add generateHostKeys setting

If a user doesn't want to enable the SSH daemon, but does want to have
SSH host keys configured for some other reason (e.g. they're used for
host identification in some other way), provide a `generateHostKeys`
setting that will generate the keys without otherwise setting up sshd.

(cherry picked from commit 375fc85aea)

.github/labeler-no-sync.yml

@@ -22,13 +22,4 @@
               - doc/**/*
               - nixos/doc/**/*
 
-"backport release-25.05":
-  - any:
-      - changed-files:
-          - any-glob-to-any-file:
-              - .github/actions/*
-              - .github/workflows/*
-              - ci/**/*.*
-              - maintainers/github-teams.json
-
 # keep-sorted end

.github/workflows/backport.yml

@@ -22,7 +22,7 @@ jobs:
   backport:
     name: Backport Pull Request
     if: vars.NIXPKGS_CI_APP_ID && github.event.pull_request.merged == true && (github.event.action != 'labeled' || startsWith(github.event.label.name, 'backport'))
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-slim
     timeout-minutes: 3
     steps:
       # Use a GitHub App to create the PR so that CI gets triggered

.github/workflows/bot.yml

@@ -39,7 +39,7 @@ defaults:
 
 jobs:
   run:
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-slim
     if: github.event_name != 'schedule' || github.repository_owner == 'NixOS'
     env:
       # TODO: Remove after 2026-03-04, when Node 24 becomes the default.

.github/workflows/check.yml

@@ -32,7 +32,7 @@ jobs:
     if: inputs.baseBranch && inputs.headBranch
     permissions:
       pull-requests: write
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-slim
     timeout-minutes: 3
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

.github/workflows/comment.yml

@@ -19,7 +19,7 @@ jobs:
   # a reaction to these comments.
   react:
     name: React with eyes
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-slim
     timeout-minutes: 2
     if: contains(github.event.comment.body, '@NixOS/nixpkgs-merge-bot merge')
     steps:

.github/workflows/edited.yml

@@ -29,7 +29,7 @@ defaults:
 jobs:
   base:
     name: Trigger jobs
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-slim
     if: github.event.changes.base.ref.from && github.event.changes.base.ref.from != github.event.pull_request.base.ref
     timeout-minutes: 2
     steps:

.github/workflows/eval.yml

@@ -33,7 +33,7 @@ defaults:
 jobs:
   versions:
     if: inputs.testVersions
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-slim
     outputs:
       versions: ${{ steps.versions.outputs.versions }}
     steps:
@@ -257,7 +257,7 @@ jobs:
 
   # Creates a matrix of Eval performance for various versions and systems.
   report:
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-slim
     needs: [versions, eval]
     steps:
       - name: Download output paths and eval stats for all versions

.github/workflows/merge-group.yml

@@ -18,7 +18,7 @@ permissions: {}
 
 jobs:
   prepare:
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-slim
     outputs:
       baseBranch: ${{ steps.prepare.outputs.base }}
       mergedSha: ${{ steps.prepare.outputs.mergedSha }}
@@ -111,9 +111,11 @@ jobs:
     if: github.event_name != 'pull_request' && always()
     # Modify this list to add or remove jobs from required status checks.
     needs:
+      - check
       - lint
       - eval
-    runs-on: ubuntu-24.04-arm
+      - build
+    runs-on: ubuntu-slim
     permissions:
       statuses: write
     steps:

.github/workflows/pull-request-target.yml

@@ -19,7 +19,7 @@ permissions: {}
 
 jobs:
   prepare:
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-slim
     permissions:
       # wrong branch review comment
       pull-requests: write
@@ -121,7 +121,7 @@ jobs:
       - lint
       - eval
       - build
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-slim
     permissions:
       statuses: write
     steps:

.github/workflows/review.yml

@@ -17,7 +17,7 @@ defaults:
 
 jobs:
   process:
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-slim
     timeout-minutes: 2
     steps:
       - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

.github/workflows/reviewed.yml

@@ -12,6 +12,6 @@ defaults:
 
 jobs:
   trigger:
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-slim
     steps:
       - run: echo This is a no-op only used as a trigger for workflow_run.

.github/workflows/teams.yml

@@ -15,7 +15,7 @@ defaults:
 jobs:
   sync:
     if: github.event_name != 'schedule' || github.repository_owner == 'NixOS'
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-slim
     steps:
       # Use a GitHub App to create the PR so that CI gets triggered and to
       # request team member lists.

.github/workflows/test.yml

@@ -11,7 +11,7 @@ permissions: {}
 
 jobs:
   prepare:
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-slim
     outputs:
       merge-group: ${{ steps.files.outputs.merge-group }}
       mergedSha: ${{ steps.prepare.outputs.mergedSha }}

ci/default.nix

@@ -117,7 +117,12 @@ let
 
         settings.formatter.editorconfig-checker = {
           command = "${pkgs.lib.getExe pkgs.editorconfig-checker}";
-          options = [ "-disable-indent-size" ];
+          options = [
+            "-disable-indent-size"
+            # TODO: Remove this once this upstream issue is fixed:
+            #   https://github.com/editorconfig-checker/editorconfig-checker/issues/505
+            "-disable-charset"
+          ];
           includes = [ "*" ];
           priority = 1;
         };

ci/github-script/commits.js

@@ -46,7 +46,7 @@ module.exports = async ({ github, context, core, dry, cherryPicks }) => {
           sha,
           commit,
           severity: 'warning',
-          message: `Couldn't locate original commit hash in message of ${sha}.`,
+          message: `Couldn't locate the cherry-picked commit's hash in the commit message of ${sha}.`,
           type: 'no-commit-hash',
         }
 

ci/pinned.json

@@ -9,9 +9,9 @@
       },
       "branch": "nixpkgs-unstable",
       "submodules": false,
-      "revision": "12c1f0253aa9a54fdf8ec8aecaafada64a111e24",
-      "url": "https://github.com/NixOS/nixpkgs/archive/12c1f0253aa9a54fdf8ec8aecaafada64a111e24.tar.gz",
-      "hash": "0zr033ybqjc5spwh7xnzkhbqgc6gh8waw6z76rpvadxckyqlfgiq"
+      "revision": "ee09932cedcef15aaf476f9343d1dea2cb77e261",
+      "url": "https://github.com/NixOS/nixpkgs/archive/ee09932cedcef15aaf476f9343d1dea2cb77e261.tar.gz",
+      "hash": "1xz5pa6la2fyj5b1cfigmg3nmml11fyf9ah0rnr4zfgmnwimn2gn"
     },
     "treefmt-nix": {
       "type": "Git",
@@ -22,9 +22,9 @@
       },
       "branch": "main",
       "submodules": false,
-      "revision": "4ef3dfdbb5ddfb9e39999a2f2b0c2637277859d4",
-      "url": "https://github.com/numtide/treefmt-nix/archive/4ef3dfdbb5ddfb9e39999a2f2b0c2637277859d4.tar.gz",
-      "hash": "0dhvpzcknsr2ybi3zz9mjggs93aqkfr24radvlw74y9620dziqw4"
+      "revision": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4",
+      "url": "https://github.com/numtide/treefmt-nix/archive/5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4.tar.gz",
+      "hash": "0cr6aj9bk7n3y09lwmfjr7xg1f069332xf4q99z3kj1c1mp0wl82"
     }
   },
   "version": 5

doc/languages-frameworks/gradle.section.md

@@ -138,7 +138,7 @@ The update script does the following:
   downstream, non-nixpkgs projects)
 - `data` - path to the dependencies lockfile (can be relative to the
   package, can be absolute). In nixpkgs, it's discouraged to have the
-  lockfiles be named anything other `deps.json`, consider creating
+  lockfiles be named anything other than `deps.json`. Consider creating
   subdirectories if your package requires multiple `deps.json` files.
 
 ## Environment {#gradle-environment}

doc/languages-frameworks/javascript.section.md

@@ -95,93 +95,6 @@ The node_modules abstraction can be also used to build some web framework fronte
 For an example of this see how [plausible](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/web-apps/plausible/default.nix) is built. `mkYarnModules` to make the derivation containing node_modules.
 Then when building the frontend you can just symlink the node_modules directory.
 
-## Javascript packages inside nixpkgs {#javascript-packages-nixpkgs}
-
-The [pkgs/development/node-packages](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/node-packages) folder contains a generated collection of [npm packages](https://npmjs.com/) that can be installed with the Nix package manager.
-
-As a rule of thumb, the package set should only provide _end-user_ software packages, such as command-line utilities.
-Libraries should only be added to the package set if there is a non-npm package that requires it.
-
-When it is desired to use npm libraries in a development project, use the `node2nix` generator directly on the `package.json` configuration file of the project.
-
-The package set provides support for the official stable Node.js versions.
-The latest stable LTS release in `nodePackages`, as well as the latest stable current release in `nodePackages_latest`.
-
-If your package uses native addons, you need to examine what kind of native build system it uses. Here are some examples:
-
-- `node-gyp`
-- `node-gyp-builder`
-- `node-pre-gyp`
-
-After you have identified the correct system, you need to override your package expression while adding in build system as a build input.
-For example, `dat` requires `node-gyp-build`, so we override its expression in [pkgs/development/node-packages/overrides.nix](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/node-packages/overrides.nix):
-
-```nix
-{
-  dat = prev.dat.override (oldAttrs: {
-    buildInputs = [
-      final.node-gyp-build
-      pkgs.libtool
-      pkgs.autoconf
-      pkgs.automake
-    ];
-    meta = oldAttrs.meta // {
-      broken = since "12";
-    };
-  });
-}
-```
-
-### Adding and updating JavaScript packages in Nixpkgs {#javascript-adding-or-updating-packages}
-
-To add a package from npm to Nixpkgs:
-
-1. Modify [pkgs/development/node-packages/node-packages.json](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/node-packages/node-packages.json) to add, update or remove package entries to have it included in `nodePackages` and `nodePackages_latest`.
-2. Run the script:
-
-   ```sh
-   ./pkgs/development/node-packages/generate.sh
-   ```
-
-3. Build your new package to test your changes:
-
-   ```sh
-   nix-build -A nodePackages.<new-or-updated-package>
-   ```
-
-    To build against the latest stable Current Node.js version (e.g. 18.x):
-
-    ```sh
-    nix-build -A nodePackages_latest.<new-or-updated-package>
-    ```
-
-    If the package doesn't build, you may need to add an override as explained above.
-4. If the package's name doesn't match any of the executables it provides, add an entry in [pkgs/development/node-packages/main-programs.nix](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/node-packages/main-programs.nix). This will be the case for all scoped packages, e.g., `@angular/cli`.
-5. Add and commit all modified and generated files.
-
-For more information about the generation process, consult the [README.md](https://github.com/svanderburg/node2nix) file of the `node2nix` tool.
-
-To update npm packages in Nixpkgs, run the same `generate.sh` script:
-
-```sh
-./pkgs/development/node-packages/generate.sh
-```
-
-#### Git protocol error {#javascript-git-error}
-
-Some packages may have Git dependencies from GitHub specified with `git://`.
-GitHub has [disabled unencrypted Git connections](https://github.blog/2021-09-01-improving-git-protocol-security-github/#no-more-unauthenticated-git), so you may see the following error when running the generate script:
-
-```
-The unauthenticated git protocol on port 9418 is no longer supported
-```
-
-Use the following Git configuration to resolve the issue:
-
-```sh
-git config --global url."https://github.com/".insteadOf git://github.com/
-```
-
 ## Tool-specific instructions {#javascript-tool-specific}
 
 ### buildNpmPackage {#javascript-buildNpmPackage}

doc/redirects.json

@@ -3401,15 +3401,6 @@
   "javascript-using-node_modules": [
     "index.html#javascript-using-node_modules"
   ],
-  "javascript-packages-nixpkgs": [
-    "index.html#javascript-packages-nixpkgs"
-  ],
-  "javascript-adding-or-updating-packages": [
-    "index.html#javascript-adding-or-updating-packages"
-  ],
-  "javascript-git-error": [
-    "index.html#javascript-git-error"
-  ],
   "javascript-tool-specific": [
     "index.html#javascript-tool-specific"
   ],

doc/release-notes/rl-2511.section.md

@@ -1,4 +1,4 @@
-# Nixpkgs 25.11 ("Xantusia", 2025.11/??) {#sec-nixpkgs-release-25.11}
+# Nixpkgs 25.11 ("Xantusia", 2025.11/30) {#sec-nixpkgs-release-25.11}
 
 ## Highlights {#sec-nixpkgs-release-25.11-highlights}
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -14,7 +14,7 @@
 
 - **This release of Nixpkgs requires macOS Sonoma 14.0 or newer, as announced in the 25.05 release notes.**
   The default SDK is now 14.4, but the minimum version is 14.0.
-  cc-wrapper will enforce that availability annotations are used or an appropriate deployment target is set.
+  `cc-wrapper` will enforce that availability annotations are used or an appropriate deployment target is set.
   See the Darwin platform notes for details.
 
 - **We expect to drop support for `x86_64-darwin` by Nixpkgs 26.11,** in light of Apple’s announcement that macOS 26 will be the final version to support Intel Macs.
@@ -34,40 +34,73 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- `nixVersions.nix_2_3` has been dropped because it was insecure and unmaintained.
+- `adminneo` has been updated to version 5.1.1. Version 5 breaks compatibility with `adminer` and changes how plugins and configuration work. See the [Upgrade Guide](https://www.adminneo.org/upgrade#v5.0.0) for details. Those changes also led to changes in the arguments of the package.
 
-- The minimum version of Nix required to evaluate Nixpkgs has been raised from 2.3 to 2.18.
+- `android-udev-rules` has been removed, as it is effectively superseded by built-in uaccess rules in systemd.
 
-- `mono4` and `mono5` have been removed. Use `mono6` or `mono` instead.
+- `ansible-later` has been removed because it was discontinued by the author.
+
+- `asciidoctor-with-extension` had its `asciidoctor-mathematical` extension removed, because it fails to build, and it is not maintained properly.
+
+- `base16-builder` node package has been removed due to lack of upstream maintenance.
+
+- `budgie-desktop` has been updated [10.9.4](https://github.com/BuddiesOfBudgie/budgie-desktop/releases/tag/v10.9.4). This changes `XDG_CURRENT_DESKTOP` from `Budgie:GNOME` to `Budgie` and contains ABI bumps for libpeas2 migration.
+
+- `buildGoModule` removes the compatibility layer of `CGO_ENABLED` not specified via `env`.
+  Specifying `CGO_ENABLED` directly now results in an error.
+
+- `buildGoModule` now warns if `<pkg>.passthru.overrideModAttrs` is lost during the overriding of its result packages.
+
+- `cardboard` has been removed due to the package having been broken since at least November 2024.
+
+- `carla` no longer support `gtk2` override.
+
+- `chatgpt-retrieval-plugin` has been removed due to the package having been broken since at least November 2024.
+
+- `conduwuit` was removed due to upstream ceasing development and deleting their repository. For existing data, a migration to `matrix-conduit`, `matrix-continuwuity` or `matrix-tuwunel` may be possible.
+
+- `conftest` since `0.60.0` has moved to use rego `v1` as default. To continue using `v0` use `--rego-version v0`. For more information about upgrading to Rego v1 syntax, see the [upstream docs](https://www.openpolicyagent.org/docs/latest/v0-upgrade/).
+
+- CUDA versions below 12.6 have been removed, as they are unmaintained upstream and depend on end‐of‐life compilers.
+
+- `cudaPackages.cudatoolkit-legacy-runfile` has been removed.
+
+- `ddccontrol` service now enables `hardware.i2c` by default, and adds `ddcci_backlight` to the kernel modules, based on [experiences reported on discourse](https://discourse.nixos.org/t/brightness-control-of-external-monitors-with-ddcci-backlight/8639/).
+
+- `deadbeef` no longer supports `gtk2`.
+
+- Derivations setting both `separateDebugInfo` and one of `allowedReferences`, `allowedRequisites`, `disallowedReferences` or `disallowedRequisites` must now set `__structuredAttrs` to `true`. The effect of reference whitelisting or blacklisting will be disabled on the `debug` output created by `separateDebugInfo`.
+
+- `emacs-macport` has been moved to a fork of Mitsuharu Yamamoto's patched source code starting with Emacs v30 as the original project seems to be currently dormant. All older versions of this package have been dropped.
+  This introduces some backwards‐incompatible changes; see the NEWS for details.
+  NEWS can be viewed from Emacs by typing `C-h n`, or by clicking `Help->Emacs News` from the menu bar.
+  It can also be browsed [online](https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30).
 
 - Everything related to `bower` was removed, as it is deprecated and not used by anything in nixpkgs.
 
-- `reaction` has been updated to version 2, which includes some breaking changes.
-  For more information, [check the release article](https://blog.ppom.me/en-reaction-v2).
+- `fetchFromBitBucket` has gained a `fetchgit` backend when passing in git-related arguments similar to `fetchFromGitHub`.
 
-- `mealie` has been updated to 3.0.2: This update introduces breaking changes in some API endpoints (see the [release changelog](https://github.com/mealie-recipes/mealie/releases/tag/v3.0.0)).
+- `fetchtorrent`, when using the "rqbit" backend, erroneously started fetching files into a subdirectory in Nixpkgs 24.11.  The original behaviour &ndash; which matches the behaviour using the "transmission" backend &ndash; has now been restored. Users reliant on the erroneous behaviour can temporarily maintain it by adding `flatten = false` to the `fetchtorrent` arguments; Nix will produce an evaluation warning for anyone using `backend = "rqbit"` without `flatten = true`.
 
-- The `offrss` package was removed due to lack of upstream maintenance since 2012. It's recommended for users to migrate to another RSS reader
+- `floorp` has been replaced with a binary build, available as `floorp-bin`. Due to major changes in the upstream project structure and build system, building Floorp from source has become unfeasible. No configuration or state migration is necessary.
 
-- `installShellFiles`: Allow installManPage to take a piped input, add the `--name` flag for renaming the file when installed. Can also append `--` to opt-out of all subsequent parsing.
+- `forgejo` main program has been renamed to `bin/forgejo` from the previous `bin/gitea`.
 
 - GCC 9, 10, 11, and 12 have been removed, as they have reached end‐of‐life upstream and are no longer supported.
 
-- LLVM 12, 13, 14, 15, 16, and 17 have been removed, as they have reached end‐of‐life upstream and are no longer supported.
-
-- The `vlock` output from kbd has been removed. Instead a new package `kbdVlock` has been introduced. Use this package now instead of the output.
+- `gentium` package now provides `Gentium-*.ttf` files, and not `GentiumPlus-*.ttf` files like before. The font identifiers `Gentium Plus*` are available in the `gentium-plus` package. If you want to use the more recently updated package `gentium` [by SIL](https://software.sil.org/gentium/), you should update your configuration files to use the `Gentium` font identifier.
 
 - GHCJS 8.10, exposed via `haskell.compiler.ghcjs` and `haskell.compiler.ghcjs810`, has been removed. Downstream users should migrate their projects to the new JavaScript backend of GHC proper which can be used via `pkgsCross.ghcjs` from Nixpkgs. Haskell packaging code, like `haskellPackages.mkDerivation`, `ghcWithPackages` and `hoogleWithPackages`, also no longer supports GHCJS.
 
 - GHC 8.6, 8.10, 9.0, 9.2, and their package sets have been removed.
 
-- The `haskellPackages.mkDerivation` builder now converts packages' cabal files to Unix line endings before `patchPhase`. This behavior can be disabled using `dontConvertCabalFileToUnix`.
+- `gnome-keyring` no longer ships with an SSH agent anymore because it has been deprecated upstream. You should use `gcr_4` instead, which provides the same features. More information on why this was done can be found on [the relevant GCR upstream PR](https://gitlab.gnome.org/GNOME/gcr/-/merge_requests/67).
 
-- `webkitgtk_4_0` has been removed because it depends on an unmaintained version of security-critical libsoup library (`libsoup_2`) and the support will be [dropped upstream soon](https://webkitgtk.org/2025/10/07/webkitgtk-soup2-deprecation.html).
+- `go-mockery` has been updated to v3. For migration instructions see the [upstream documentation](https://vektra.github.io/mockery/latest/v3/). If v2 is still required `go-mockery_v2` has been added but will be removed on or before 2029-12-31 in-line with its [upstream support lifecycle](https://vektra.github.io/mockery/).
 
-- Support for bootstrapping native GHC compilers on 32‐bit ARM and little‐endian 64‐bit PowerPC has been dropped.
-  The latter was probably broken anyway.
-  If there is interest in restoring support for these architectures, it should be possible to cross‐compile a bootstrap GHC binary.
+- `gradience` has been removed because it was archived upstream.
+
+- Greetd and its original greeters (`tuigreet`, `gtkgreet`, `qtgreet`, `regreet`, `wlgreet`) were moved from `greetd` namespace to top level (`greetd.tuigreet` -> `tuigreet`, `greetd.greetd` -> `greetd`, etc). The original attrs are available for compatibility as passthrus of `greetd`, but will emit a warning. They will be removed in future releases.
 
 - `haskellPackages` and the package sets under `haskell.packages` no longer expose an `llvmPackages` attribute,
   though it can still be accessed via `ghc.llvmPackages` (from the same package set).
@@ -75,60 +108,161 @@
   backend even if NCG is available. In this case, it is best to use the `forceLlvmCodegenBackend` helper.
   In all other cases, like linking against `libLLVM`, Haskell packages should use the appropriate version of `llvmPackages` from `pkgs`.
 
-- `uw-ttyp0` has been updated to version 2.1. The filenames of the OTB and PSF fonts have been changed to match the upstream naming convention.
-  If you were loading a font by path, for example in the `console.font` NixOS option, remember to update the filename accordingly.
+- `hiawata` has been removed, due to lack of active development upstream, lack of maintainership downstream and upcoming security issues.
 
-- `adminneo` has been updated to version 5.1.1. Version 5 breaks compatibility with `adminer` and changes how plugins and configuration work. See the [Upgrade Guide](https://www.adminneo.org/upgrade#v5.0.0) for details. Those changes also led to changes in the arguments of the package.
+- `hsd` has been upgraded to version 8. See [their changelog](https://github.com/handshake-org/hsd/blob/v8.0.0/docs/release-notes/release-notes-8.x.md) for important instructions before upgrading.
 
-- `base16-builder` node package has been removed due to lack of upstream maintenance.
+- `inspircd` has been updated to the v4 release series. Please refer to the upstream documentation for [general information](https://docs.inspircd.org/4/overview/#v4-overview) and a list of [breaking changes](https://docs.inspircd.org/4/breaking-changes/).
 
-- The default glibc ELF ABI for the powerpc64-linux platform has been changed from ELFv2 back to ELFv1, due to the latter having less remaining issues when bootstrapping & building Nixpkgs packages on hardware.
-  If glibc ELFv2 is desired, use a fuller target triplet like `powerpc64-unknown-linux-gnuabielfv2` or the provided `ppc64-elfv2` platform example.
-
-- `python3Packages.bjoern` has been removed, as the upstream is unmaintained and it depends on a 14-year-old version of http-parser with numerous vulnerabilities.
-
-- `buildGoModule` removes the compatibility layer of `CGO_ENABLED` not specified via `env`.
-  Specifying `CGO_ENABLED` directly now results in an error.
-
-- `buildGoModule` now warns if `<pkg>.passthru.overrideModAttrs` is lost during the overriding of its result packages.
-
-- `gentium` package now provides `Gentium-*.ttf` files, and not `GentiumPlus-*.ttf` files like before. The font identifiers `Gentium Plus*` are available in the `gentium-plus` package, and if you want to use the more recently updated package `gentium` [by SIL](https://software.sil.org/gentium/), you should update your configuration files to use the `Gentium` font identifier.
-
-- `space-orbit` package has been removed due to lack of upstream maintenance. Debian upstream stopped tracking it in 2011.
-
-- Derivations setting both `separateDebugInfo` and one of `allowedReferences`, `allowedRequisites`, `disallowedReferences` or `disallowedRequisites` must now set `__structuredAttrs` to `true`. The effect of reference whitelisting or blacklisting will be disabled on the `debug` output created by `separateDebugInfo`.
-
-- `k2pdfopt` has been removed, as it's broken.
-
-- `victoriametrics` no longer contains VictoriaLogs components. These have been separated into the new package `victorialogs`.
-
-- `mx-puppet-discord` was removed from Nixpkgs along with its NixOS module as it was unmaintained and was the only user of sha1 hashes in tree.
-
-- `notary` has been removed because it was [archived upstream](https://github.com/notaryproject/.github/issues/70). Upstream recommends [`notation`](https://github.com/notaryproject/notation/) instead.
-
-- `gradience` has been removed because it was archived upstream.
+- `installShellFiles` now allows `installManPage` to take a piped input, add the `--name` flag for renaming the file when installed. You can also append `--` to opt-out of all subsequent parsing.
 
 - `kbd` package's `outputs` now include a `man` and `scripts` outputs. The `unicode_start` and `unicode_stop` Bash scripts are now part of the `scripts` output, allowing most usages of the `kbd` package to not pull in `bash`.
 
+- `k2pdfopt` has been removed, as it's broken.
+
+- `k3s` airgap images `passthru` attributes have changed:
+  - `imagesList` was removed
+  - `airgapImages` was renamed to `airgap-images`
+  - `airgapImagesAmd64` was renamed to `airgap-images-amd64-tar-zst`
+  - `airgapImagesArm64` was renamed to `airgap-images-arm64-tar-zst`
+  - `airgapImagesArm` was renamed to `airgap-images-arm-tar-zst`
+
+- LLVM 12, 13, 14, 15, 16, and 17 have been removed, as they have reached end‐of‐life upstream and are no longer supported.
+
+- `lima` package now only includes the guest agent for the host's architecture by default. If your guest VM's architecture differs from your Lima host's, you'll need to enable the `lima-additional-guestagents` package by setting `withAdditionalGuestAgents = true` when overriding lima with this input.
+
+- `libpinyin`, which is used for Chinese character input, has migrated from the unmaintained BDB database format to the newer KyotoCabinet database format. If you want to migrate your user input statistics, you can consider using [bdbtokyotodb](https://codeberg.org/raboof/bdbtokyotodb).
+
+- `linux` and all other Linux kernel packages have moved all in-tree kernel modules into a new `modules` output.
+
+- `lxde` scope has been removed, and its packages have been moved the top-level.
+
+- `mariadb` now defaults to `mariadb_114` instead of `mariadb_1011`, meaning the default version was upgraded from 10.11.x to 11.4.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-4/) for potential issues.
+
+- `mealie` has been updated to 3.0.2: This update introduces breaking changes in some API endpoints (see the [release changelog](https://github.com/mealie-recipes/mealie/releases/tag/v3.0.0)).
+
+- `meilisearch_1_11` has been removed, as it is no longer supported.
+
+- `moar` has been updated from `1.33.0` to `2.0.0`, and renamed to `moor` following an upstream decision. See the [release notes](https://github.com/walles/moor/releases/tag/v2.0.0) for more.
+
+- `mongodb-6_0` was removed as it is end of life as of 2025-07-31.
+
+- `mono4` and `mono5` have been removed. Use `mono6` or `mono` instead.
+
+- `mx-puppet-discord` was removed from Nixpkgs along with its NixOS module as it was unmaintained and was the only user of sha1 hashes in tree.
+
+- `navidrome` 0.58.0 introduces [multi-library support](https://www.navidrome.org/docs/usage/multi-library/)
+    and backwards incompatible database migrations. Ensure backups are valid and run a Full Scan after
+    starting the new version.
+
+- NetBox was updated to `>= 4.4.0`. You should review the breaking changes
+  of the [4.3 release](https://github.com/netbox-community/netbox/releases/tag/v4.3.0)
+  the [4.4 release](https://github.com/netbox-community/netbox/releases/tag/v4.4.0),
+  make the required changes to your database (if needed), and then upgrade by setting `services.netbox.package = pkgs.netbox_4_4;` in your configuration.
+
+- `neovimUtils.makeNeovimConfig` now uses `customLuaRC` parameter instead of accepting `luaRcContent`. The old usage is deprecated but still works with a warning.
+
+- `nixVersions.nix_2_3` has been dropped because it was insecure and unmaintained.
+
+- `nodePackages.rimraf` has been removed, as it is a Javascript library, and packages that want to use it should depend directly on it instead.
+
+- `notary` has been removed because it was [archived upstream](https://github.com/notaryproject/.github/issues/70). Upstream recommends [`notation`](https://github.com/notaryproject/notation/) instead.
+
+- `nuget-to-nix` has been removed as it was deprecated in favor of `nuget-to-json`. Out-of-tree packages that were using `nuget-to-nix` should migrate to use `nuget-to-json` instead for generating .NET dependency lock files.
+
+- `odoo16` has been dropped due to end of support by upstream, consider upgrading supported version.
+
+- `oink` service no longer accepts `settings.apiKey` and `settings.secretApiKey` options as these have been replaced by `apiKeyFile` and `secretApiKeyFile`.
+
+- `opensoldat` binaries and user configuration directory names have been prefixed by 'open', becoming opensoldat and opensoldatserver. Configuration will be moved automatically before launch when possible.
+
+- `orjail` package has been removed as it is broken by the latest firejail release and seems unmaintained.
+
+- `pcp` has been removed because the upstream repo was archived and it hasn't been updated since 2021.
+
+- `podofo` has been updated from `0.9.8` to `1.0.0`. These releases are by nature very incompatible due to major API changes. The legacy versions can be found under `podofo_0_10` and `podofo_0_9`.
+  Changelog: https://github.com/podofo/podofo/blob/1.0.0/CHANGELOG.md, API-Migration-Guide: https://github.com/podofo/podofo/blob/1.0.0/API-MIGRATION.md.
+
+- `privatebin` has been updated to `2.0.0`. This release changes configuration defaults including switching the template and removing legacy features. See the [v2.0.0 changelog entry](https://github.com/PrivateBin/PrivateBin/releases/tag/2.0.0) for details on how to upgrade.
+
+- [private-gpt](https://github.com/zylon-ai/private-gpt) service has been removed by lack of maintenance upstream.
+
+- `proton-caller` has been removed due to lack of upstream maintenance.
+
+- `prometheus-script-exporter` has been updated to use a new maintained alternative. This release updates from `1.2.0 -> 3.0.1` and largely changes configuration options formats from json to yaml, among other changes.
+
+- `pulsemeeter` has been updated to `2.0.0`. The configuration file from older versions has to be deleted. For more information and instructions see the [v2.0.0 changelog entry](https://github.com/theRealCarneiro/pulsemeeter/releases/tag/v2.0.0).
+
+- `purple-matrix` has been removed, since it has been unmaintained since April 2022 and upstream does not recommend using it anymore.
+
+- `python3Full` and its versioned attributes (python3xxFull) have been removed. Bluetooth support is now enabled in the default python3 attributes. The X11 support built the tkinter module, which is available as a dedicated attribute on the package set.
+
+- `python3Packages.bjoern` has been removed, as the upstream is unmaintained and it depends on a 14-year-old version of http-parser with numerous vulnerabilities.
+
+- `python3Packages.duckduckgo-search` has been updated to v9+ and renamed to `python3Packages.ddgs`.
+  See [release note for v9.0.0](https://github.com/deedy5/ddgs/releases/tag/v9.0.0).
+
+- `python3Packages.heif-image-plugin` has been dropped due to lack of upstream maintenance and breakage. Use `python3Packages.pillow-heif` instead.
+
+- `python3Packages.triton` no longer takes an `enableRocm` argument and supports ROCm in all build configurations via runtime binding. In most cases no action will be needed. If triton is unable to find the HIP SDK add `rocmPackages.clr` as a build input or set the environment variable `HIP_PATH="${rocmPackages.clr}"`.
+
+- `python3Packages.pyheif` has been dropped due to lack of upstream maintenance and breakage. Use `python3Packages.pillow-heif` instead.
+
+- `python3Packages.pyocr` no longer supports `cuneiform` on Linux by default. It is still possible to enable it using `withCuneiformSupport` override.
+
+- `qt5.full` and `qt6.full` aliases have been removed. Their use has always been discouraged, and downstream projects should use `qtN.env` with the right set of packages.
+
+- `rabbitmq-server` has been updated from 4.0.9 to 4.1.4. The 4.1.0 release includes breaking changes. For more information read the [changelog of 4.1.0](https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.1.0).
+
+- `reaction` has been updated to version 2, which includes some breaking changes.
+  For more information, [check the release article](https://blog.ppom.me/en-reaction-v2).
+
+- `renovate` was updated to v41. See the upstream release notes for [v40](https://github.com/renovatebot/renovate/releases/tag/40.0.0) and [v41](https://github.com/renovatebot/renovate/releases/tag/41.0.0) for breaking changes.
+
+- `river` 0.3.x has been renamed to `river-classic` following an upstream decision.
+
+- `rocmPackages.triton` has been removed in favor of `python3Packages.triton`.
+
+- `rofi` has been updated to `2.0.0`. `rofi-wayland` and `rofi-wayland-unwrapped` have been merged into `rofi` and `rofi-unwrapped` respectively. For more information and instructions see the [v2.0.0 changelog entry](https://github.com/davatorium/rofi/releases/tag/2.0.0).
+
+- `rofi-emoji-wayland` has been merged into `rofi-emoji` as `rofi` has been updated to `2.0.0` and supports both X11 & Wayland.
+
+- `sail-riscv` 0.8 follows [upstream](https://github.com/riscv/sail-riscv/blob/7cc4620eb1a57bfe04832baccdcf5727e9459bd4/doc/ChangeLog.md) and provides only a single binary, `sail_riscv_sim`.
+
+- `sing-box` has been updated to 1.12.3, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run.
+  See the [change log](https://sing-box.sagernet.org/changelog/#1123) for details and [migration](https://sing-box.sagernet.org/migration/#1120) for how to update old configurations.
+
+- `space-orbit` package has been removed due to lack of upstream maintenance. Debian upstream stopped tracking it in 2011.
+
 - `spidermonkey_91` has been removed, as it has been EOL since September 2022.
 
-- `ddccontrol` service now enables `hardware.i2c` by default, and adds `ddcci_backlight` to the kernel modules, based on [experiences reported on discourse](https://discourse.nixos.org/t/brightness-control-of-external-monitors-with-ddcci-backlight/8639/).
+- `stalwart-mail` since `0.13.0` "introduces a significant redesign of the MTA’s delivery and queueing subsystem". See [the upgrading announcement for the `0.13.0` release](https://github.com/stalwartlabs/stalwart/blob/89b561b5ca1c5a11f2a768b4a2cfef0f473b7a01/UPGRADING.md#upgrading-from-v012x-and-v011x-to-v013x).
 
-- The license of duckstation has changed from `gpl3Only` to `cc-by-nc-nd-40` making it unfree in newer releases. The `duckstation` package has been overhauled to support the new releases and `duckstation-bin` has been aliased to `duckstation` to support darwin binary builds.
+- `stdenv.mkDerivation` and other derivation builders that use it no longer allow the value of `env` to be anything but an attribute set, for the purpose of setting environment variables that are available to the [builder](https://nix.dev/manual/nix/latest/store/derivation/#builder) process. An environment variable called `env` can still be provided by means of `mkDerivation { env.env = ...; }`, though we recommend to use a more specific name than "env".
 
-- `hiawata` has been removed, due to lack of active development upstream, lack of maintainership downstream and upcoming security issues.
+- `steamcontroller` has been removed due to lack of upstream maintenance. Consider using `sc-controller` instead.
 
-- `forgejo` main program has been renamed to `bin/forgejo` from the previous `bin/gitea`.
+- `sublime-music` has been removed because upstream has announced it is no longer maintained. Upstream suggests using `supersonic` instead.
 
-- the "pie" hardening flag has been removed. compilers are expected to enable PIE by default, as has been common practice since 2016 outside of nixpkgs. If a package needs "pie" disabled pass `-no-pie` in `CFLAGS`. It is unlikely this will be necessary in many cases; due to the prevalance of default PIE toolchains most packages incompatible with PIE already pass no-pie.
+- Support for bootstrapping native GHC compilers on 32‐bit ARM and little‐endian 64‐bit PowerPC has been dropped.
+  The latter was probably broken anyway.
+  If there is interest in restoring support for these architectures, it should be possible to cross‐compile a bootstrap GHC binary.
 
-- `wayclip` now uses the `ext-data-control-v1` Wayland protocol instead of `wlr-data-control-unstable-v1`.
+- `telegram-desktop` packages now uses `Telegram` for its binary. The previous name was `telegram-desktop`. This is due to [an upstream decision](https://github.com/telegramdesktop/tdesktop/commit/56ff5808a3d766f892bc3c3305afb106b629ef6f) to make the name consistent with other platforms.
 
-- `cudaPackages.cudatoolkit-legacy-runfile` has been removed.
+- `teleport` has been upgraded from major version 17 to major version 18.
+Refer to [upstream upgrade instructions](https://goteleport.com/docs/upgrading/overview/)
+and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
 
-- `conduwuit` was removed due to upstream ceasing development and deleting their repository. For existing data, a migration to `matrix-conduit`, `matrix-continuwuity` or `matrix-tuwunel` may be possible.
+- The `asterisk-lts` package was changed to v22 from v18. The default `asterisk` package was changed to v22 from v20. Asterisk version 18 has been dropped due to being EOL. The `asterisk-stable` (v20) package was unchanged. You may need to update /var/lib/asterisk to match the template files in `${asterisk-...}/var/lib/asterisk`.
 
-- `asciidoctor-with-extension` had its `asciidoctor-mathematical` extension removed, because it fails to build, and it is not maintained properly.
+- The `archipelago-minecraft` package was removed, as upstream no longer provides support for the Minecraft APWorld.
+
+- The default Android NDK version has been raised to 27, and the default SDK version to 35.
+  NDK 21–26 have been removed, as they are end‐of‐life.
+
+- The default glibc ELF ABI for the powerpc64-linux platform has been changed from ELFv2 back to ELFv1, due to the latter having less remaining issues when bootstrapping & building Nixpkgs packages on hardware.
+  If glibc ELFv2 is desired, use a fuller target triplet like `powerpc64-unknown-linux-gnuabielfv2` or the provided `ppc64-elfv2` platform example.
 
 - The `ghcInfo` and `controlPhases` functions have been removed from `haskell.lib.compose` and `haskell.lib`. They were unused and would return incorrect results.
 
@@ -138,205 +272,101 @@
   - To find a suitable `nativeGhc`, `buildHaskellPackages` should be used. `ghcInfo` would use `ghc.bootPkgs.ghc` if cross compiling,
     and the given `ghc` otherwise. This approach is not recommended since it results in mismatched GHC versions.
 
-- `gnome-keyring` no longer ships with an SSH agent anymore because it has been deprecated upstream. You should use `gcr_4` instead, which provides the same features. More information on why this was done can be found on [the relevant GCR upstream PR](https://gitlab.gnome.org/GNOME/gcr/-/merge_requests/67).
+- The `haskellPackages.mkDerivation` builder now converts packages' cabal files to Unix line endings before `patchPhase`. This behavior can be disabled using `dontConvertCabalFileToUnix`.
 
-- `python3Full` and its versioned attributes (python3xxFull) have been removed. Bluetooth support is now enabled in the default python3 attributes. The X11 support built the tkinter module, which is available as a dedicated attribute on the package set.
+- The default `kops` version is now 1.33.0 and versions 1.30 and older have been dropped. See [Upgrading Kubernetes](https://kops.sigs.k8s.io/tutorial/upgrading-kubernetes/) for instructions on how to update kOps.
 
-- `stdenv.mkDerivation` and other derivation builders that use it no longer allow the value of `env` to be anything but an attribute set, for the purpose of setting environment variables that are available to the [builder](https://nix.dev/manual/nix/latest/store/derivation/#builder) process. An environment variable called `env` can still be provided by means of `mkDerivation { env.env = ...; }`, though we recommend to use a more specific name than "env".
+- The license of duckstation has changed from `gpl3Only` to `cc-by-nc-nd-40` making it unfree in newer releases. The `duckstation` package has been overhauled to support the new releases and `duckstation-bin` has been aliased to `duckstation` to support darwin binary builds.
 
-- `purple-matrix` has been removed, since it has been unmaintained since April 2022 and upstream does not recommend using it anymore.
+- The main binary of `tomlq` has been renamed from `tomlq` to `tq`.
 
-- `sublime-music` has been removed because upstream has announced it is no longer maintained. Upstream suggests using `supersonic` instead.
+- The minimum version of Nix required to evaluate Nixpkgs has been raised from 2.3 to 2.18.
 
-- The default Android NDK version has been raised to 27, and the default SDK version to 35.
-  NDK 21–26 have been removed, as they are end‐of‐life.
+- The `no-broken-symlink` build hook now also fails builds whose output derivation contains links to $TMPDIR (typically /build, which contains the build directory).
 
-- `nuget-to-nix` has been removed as it was deprecated in favor of `nuget-to-json`. Out-of-tree packages that were using `nuget-to-nix` should migrate to use `nuget-to-json` instead for generating .NET dependency lock files.
+- The non-LTS Forgejo package (`forgejo`) has been updated to 12.0.0. This release contains breaking changes, see the [release blog post](https://forgejo.org/2025-07-release-v12-0/)
+  for all the details and how to ensure smooth upgrades.
 
-- `conftest` since `0.60.0` has moved to use rego `v1` as default. To continue using `v0` use `--rego-version v0`. For more information about upgrading to Rego v1 syntax, see the [upstream docs](https://www.openpolicyagent.org/docs/latest/v0-upgrade/).
+- The `offrss` package was removed due to lack of upstream maintenance since 2012. It's recommended for users to migrate to another RSS reader.
 
-- Zig 0.12 has been removed.
+- The `pie` hardening flag has been removed. Compilers are expected to enable PIE by default, as has been common practice since 2016 outside of Nixpkgs. If a package needs `pie` disabled pass `-no-pie` in `CFLAGS`. It is unlikely this will be necessary in many cases; due to the prevalence of default PIE toolchains, most packages incompatible with PIE already pass `-no-pie`.
 
-- `ansible-later` has been removed because it was discontinued by the author.
-
-- `k3s` airgap images passthru attributes have changed:
-  - `imagesList` was removed
-  - `airgapImages` was renamed to `airgap-images`
-  - `airgapImagesAmd64` was renamed to `airgap-images-amd64-tar-zst`
-  - `airgapImagesArm64` was renamed to `airgap-images-arm64-tar-zst`
-  - `airgapImagesArm` was renamed to `airgap-images-arm-tar-zst`
-
-- `stalwart-mail` since `0.13.0` "introduces a significant redesign of the MTA’s delivery and queueing subsystem". See [the upgrading announcement for the `0.13.0` release](https://github.com/stalwartlabs/stalwart/blob/89b561b5ca1c5a11f2a768b4a2cfef0f473b7a01/UPGRADING.md#upgrading-from-v012x-and-v011x-to-v013x).
-
-- `meilisearch_1_11` has been removed, as it is no longer supported.
-
-- `budgie-desktop` has been updated [10.9.4](https://github.com/BuddiesOfBudgie/budgie-desktop/releases/tag/v10.9.4). This changes `XDG_CURRENT_DESKTOP` from `Budgie:GNOME` to `Budgie` and contains ABI bumps for libpeas2 migration.
-
-- Greetd and its original greeters (`tuigreet`, `gtkgreet`, `qtgreet`, `regreet`, `wlgreet`) were moved from `greetd` namespace to top level (`greetd.tuigreet` -> `tuigreet`, `greetd.greetd` -> `greetd`, etc). The original attrs are available for compatibility as passthrus of `greetd`, but will emit a warning. They will be removed in future releases.
-
-- `carla` no longer support `gtk2` override.
-
-- The `archipelago-minecraft` package was removed, as upstream no longer provides support for the Minecraft APWorld.
-
-- `pcp` has been removed because the upstream repo was archived and it hasn't been updated since 2021.
-
-- `navidrome` 0.58.0 introduces [multi-library support](https://www.navidrome.org/docs/usage/multi-library/)
-    and backwards incompatible database migrations. Ensure backups are valid and run a Full Scan after
-    starting the new version.
-
-- `deabbeef` no longer support `gtk2`.
+- The `vlock` output from kbd has been removed. Instead a new package `kbdVlock` has been introduced. Use this package now instead of the output.
 
 - `tooling-language-server` has been renamed to `deputy` (both the package and binary), following the rename of the upstream project.
 
-- `fetchFromBitBucket` has gained a `fetchgit` backend when passing in git-related arguments similar to `fetchFromGitHub`.
+- `victoriametrics` no longer contains VictoriaLogs components. These have been separated into the new package `victorialogs`.
 
-- `fetchtorrent`, when using the "rqbit" backend, erroneously started fetching files into a subdirectory in Nixpkgs 24.11.  The original behaviour &ndash; which matches the behaviour using the "transmission" backend &ndash; has now been restored.  Users reliant on the erroneous behaviour can temporarily maintain it by adding `flatten = false` to the `fetchtorrent` arguments; Nix will produce an evaluation warning for anyone using `backend = "rqbit"` without `flatten = true`.
+- `vmware-horizon-client` was renamed to `omnissa-horizon-client`, following [VMware's sale of their end-user business to Omnissa](https://www.omnissa.com/insights/introducing-omnissa-the-former-vmware-end-user-computing-business/). The binary has been renamed from `vmware-view` to `horizon-client`.
 
-- `steamcontroller` has been removed due to lack of upstream maintenance. Consider using `sc-controller` instead.
+- `uw-ttyp0` has been updated to version 2.1. The filenames of the OTB and PSF fonts have been changed to match the upstream naming convention.
+  If you were loading a font by path, for example in the `console.font` NixOS option, remember to update the filename accordingly.
 
-- `linux` and all other Linux kernel packages have moved all in-tree kernel modules into a new `modules` output.
+- `wayclip` now uses the `ext-data-control-v1` Wayland protocol instead of `wlr-data-control-unstable-v1`.
 
 - `webfontkitgenerator` has been renamed to `webfont-bundler`, following the rename of the upstream project.
   The binary name remains `webfontkitgenerator`.
   The `webfontkitgenerator` package is an alias to `webfont-bundler`.
 
-- `python3Packages.triton` no longer takes an `enableRocm` argument and supports ROCm in all build configurations via runtime binding. In most cases no action will be needed. If triton is unable to find the HIP SDK add `rocmPackages.clr` as a build input or set the environment variable `HIP_PATH="${rocmPackages.clr}"`.
+- `webkitgtk_4_0` has been removed because it depends on an unmaintained version of security-critical libsoup library (`libsoup_2`) and the support will be [dropped upstream soon](https://webkitgtk.org/2025/10/07/webkitgtk-soup2-deprecation.html).
 
-- `floorp` has been replaced with a binary build, available as `floorp-bin`. Due to major changes in the upstream project structure and build system, building Floorp from source has become unfeasible. No configuration or state migration is necessary.
-
-- `inspircd` has been updated to the v4 release series. Please refer to the upstream documentation for [general information](https://docs.inspircd.org/4/overview/#v4-overview) and a list of [breaking changes](https://docs.inspircd.org/4/breaking-changes/).
-
-- `proton-caller` has been removed due to lack of upstream maintenance.
-
-- `android-udev-rules` has been removed, as it is effectively superseded by built-in uaccess rules in systemd.
-
-- `lima` package now only includes the guest agent for the host's architecture by default. If your guest VM's architecture differs from your Lima host's, you'll need to enable the `lima-additional-guestagents` package by setting `withAdditionalGuestAgents = true` when overriding lima with this input.
-
-- `mongodb-6_0` was removed as it is end of life as of 2025-07-31.
-
-- CUDA versions below 12.6 have been removed, as they are unmaintained upstream and depend on end‐of‐life compilers.
-
-- `vmware-horizon-client` was renamed to `omnissa-horizon-client`, following [VMware's sale of their end-user business to Omnissa](https://www.omnissa.com/insights/introducing-omnissa-the-former-vmware-end-user-computing-business/). The binary has been renamed from `vmware-view` to `horizon-client`.
+- `yehawn` was removed due to the package being broken and unmaintained upstream.
 
 - `yggdrasil-jumper` has been updated to v0.4, changing traversal protocol. See [release notes](https://github.com/one-d-wide/yggdrasil-jumper/releases/tag/v0.4.0).
 
-- `neovimUtils.makeNeovimConfig` now uses `customLuaRC` parameter instead of accepting `luaRcContent`. The old usage is deprecated but still works with a warning.
+- `zig_0_12` has been removed.
 
-- `python3Packages.pyocr` no longer supports `cuneiform` on Linux by default. It is still possible to enable it using `withCuneiformSupport` override.
-
-- `telegram-desktop` packages now uses `Telegram` for its binary. The previous name was `telegram-desktop`. This is due to [an upstream decision](https://github.com/telegramdesktop/tdesktop/commit/56ff5808a3d766f892bc3c3305afb106b629ef6f) to make the name consistent with other platforms.
-
-- `hsd` has been upgraded to version 8. See [their changelog](https://github.com/handshake-org/hsd/blob/v8.0.0/docs/release-notes/release-notes-8.x.md) for important instructions before upgrading.
-
-- `sail-riscv` 0.8 follows [upstream](https://github.com/riscv/sail-riscv/blob/7cc4620eb1a57bfe04832baccdcf5727e9459bd4/doc/ChangeLog.md) and provides only a single binary, `sail_riscv_sim`.
-
-- `moar` has been updated from `1.33.0` to `2.0.0`, and renamed to `moor` following an upstream decision. See the [release notes](https://github.com/walles/moor/releases/tag/v2.0.0) for more.
-
-- `podofo` has been updated from `0.9.8` to `1.0.0`. These releases are by nature very incompatible due to major API changes. The legacy versions can be found under `podofo_0_10` and `podofo_0_9`.
-  Changelog: https://github.com/podofo/podofo/blob/1.0.0/CHANGELOG.md, API-Migration-Guide: https://github.com/podofo/podofo/blob/1.0.0/API-MIGRATION.md.
-
-- NetBox was updated to `>= 4.4.0`. Have a look at the breaking changes
-  of the [4.3 release](https://github.com/netbox-community/netbox/releases/tag/v4.3.0)
-  and the [4.4 release](https://github.com/netbox-community/netbox/releases/tag/v4.4.0),
-  make the required changes to your database, if needed, then upgrade by setting `services.netbox.package = pkgs.netbox_4_4;` in your configuration.
-
-- `privatebin` has been updated to `2.0.0`. This release changes configuration defaults including switching the template and removing legacy features. See the [v2.0.0 changelog entry](https://github.com/PrivateBin/PrivateBin/releases/tag/2.0.0) for details on how to upgrade.
-
-- `rocmPackages.triton` has been removed in favor of `python3Packages.triton`.
-
-- `oink` service no longer accepts `settings.apiKey` and `settings.secretApiKey` options as these have been replaced by `apiKeyFile` and `secretApiKeyFile`.
-
-- `linpinyin`, which is used for Chinese character input, has migrated from the unmaintained BDB database format to the newer KyotoCabinet database format. If you want to migrate your user input statistics you can consider using [bdbtokyotodb](https://codeberg.org/raboof/bdbtokyotodb).
-
-- `go-mockery` has been updated to v3. For migration instructions see the [upstream documentation](https://vektra.github.io/mockery/latest/v3/). If v2 is still required `go-mockery_v2` has been added but will be removed on or before 2029-12-31 in-line with its [upstream support lifecycle](https://vektra.github.io/mockery/)
-
-- `prometheus-script-exporter` has been updated to use a new maintained alternative. This release updates from `1.2.0 -> 3.0.1` and largely changes configuration options formats from json to yaml, among other changes.
-
-- [private-gpt](https://github.com/zylon-ai/private-gpt) service has been removed by lack of maintenance upstream.
-
-- `rabbitmq-server` has been updated from 4.0.9 to 4.1.4. The 4.1.0 release includes breaking changes. For more information read the [changelog of 4.1.0](https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.1.0)
-
-- `lxde` scope has been removed, and its packages have been moved the top-level.
-
-- `pulsemeeter` has been updated to `2.0.0`. The configuration file from older versions has to be deleted. For more information and instructions see the [v2.0.0 changelog entry](https://github.com/theRealCarneiro/pulsemeeter/releases/tag/v2.0.0).
-
-- `rofi` has been updated to `2.0.0`. `rofi-wayland` and `rofi-wayland-unwrapped` have been merged into `rofi` and `rofi-unwrapped` respectively. For more information and instructions see the [v2.0.0 changelog entry](https://github.com/davatorium/rofi/releases/tag/2.0.0).
-
-- `rofi-emoji-wayland` has been merged into `rofi-emoji` as `rofi` has been updated to `2.0.0` and supports both X11 & Wayland.
-
-- The main binary of `tomlq` has been renamed from `tomlq` to `tq`.
-
-- `opensoldat` binaries and user configuration directory names have been prefixed by 'open', becoming opensoldat and opensoldatserver. Configuration will be moved automatically before launch when possible.
-
-- `emacs-macport` has been moved to a fork of Mitsuharu Yamamoto's patched source code starting with Emacs v30 as the original project seems to be currently dormant. All older versions of this package have been dropped.
-  This introduces some backwards‐incompatible changes; see the NEWS for details.
-  NEWS can be viewed from Emacs by typing `C-h n`, or by clicking `Help->Emacs News` from the menu bar.
-  It can also be browsed [online](https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30).
-
-- `python3Packages.heif-image-plugin` has been dropped due to lack of upstream maintenance and breakage. Use `python3Packages.pillow-heif` instead.
-
-- `python3Packages.pyheif` has been dropped due to lack of upstream maintenance and breakage. Use `python3Packages.pillow-heif` instead.
-
-- `nodePackages.rimraf` has been removed, as it is a Javascript library, and packages that want to use it should depend directly on it instead.
-
-- `mariadb` now defaults to `mariadb_114` instead of `mariadb_1011`, meaning the default version was upgraded from 10.11.x to 11.4.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-11-to-mariadb-11-4/) for potential issues.
-
-- `qt5.full` and `qt6.full` aliases have been removed. Their use has always been discouraged, and downstream projects should use `qtN.env` with the right set of packages.
-
-- `python3Packages.duckduckgo-search` has been updated to v9+ and therefore has been renamed to ddgs.
-  Use `python3Packages.ddgs` instead.
-  See [release note for v9.0.0](https://github.com/deedy5/ddgs/releases/tag/v9.0.0)
-
-- `ra-multiplex` has been renamed to/replaced by `lspmux`. Its wrapper no longer includes `rust-analyzer`.
+- `zigbee2mqtt` was updated to version 2.x, which contains breaking changes. See the [discussion](https://github.com/Koenkk/zigbee2mqtt/discussions/24198) for further information.
 
 ## Other Notable Changes {#sec-nixpkgs-release-25.11-notable-changes}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 - Added `rewriteURL` attribute to the nixpkgs `config`, to allow for rewriting the URLs downloaded by `fetchurl`.
+
 - Added `hashedMirrors` attribute to the nixpkgs `config`, to allow for customization of the hashed mirrors used by `fetchurl`.
 
 - Added `gitConfig` and `gitConfigFile` option to the nixpkgs `config`, to allow for setting a default `gitConfigFile` for all `fetchgit` invocations.
 
 - Added `npmRegistryOverrides` and `npmRegistryOverridesString` option to the nixpkgs `config`, to allow for setting a default `npmRegistryOverridesString` for all `fetchNpmDeps` invocations.
 
-- The `dockerTools.streamLayeredImage` builder now uses a better algorithm for generating layered docker images, such that much more sharing is possible when the number of store paths exceeds the layer limit. It gives each of the largest store paths its own layer and adds dependencies to those layers when they aren't used elsewhere.
+- `buildPythonPackage` and `buildPythonApplication` now default to `nix-update-script` as their default `updateScript`. This should improve automated updates, since nix-update is better maintained than the in-tree update script and has more robust fetcher support.
 
-- The systemd initrd will now respect `x-systemd.wants` and `x-systemd.requires` for reliably unlocking multi-disk bcachefs volumes.
+- `cloudflare-ddns` has been added.
 
-- `neovim`: Added support for the `vim.o.exrc` option, the `VIMINIT` environment variable, and sourcing of `sysinit.vim`.
+- Direct use of `pkgs.formats.systemd` has been deprecated, and should now be instantiated with `pkgs.formats.systemd { }` similarly to other items in `pkgs.formats`.
 
-  See the neovim help page [`:help startup`](https://neovim.io/doc/user/starting.html#startup) for more information, as well as [the nixpkgs neovim wrapper documentation](#neovim-custom-configuration).
+- `dragonflydb` has been updated from version 0.1.0 to version 1.34.2.
 
-- `cloudflare-ddns`: Added package cloudflare-ddns.
+- `emacs` now disables the GC mark trace buffer by default. This improves GC performance by 5%, but can make GC issues harder to debug. This is configurable with `withGcMarkTrace`.
 
-- `clickhouse`: Added `serverConfig`, `usersConfig` configuration options accepting Nix attribute sets. Also added `extraServerConfig` and `extraUsersConfig` options accepting plain text (expecting XML configuration).
+- `etcd` package was upgraded to 3.6, see [migration notes](https://etcd.io/docs/v3.6/upgrades/upgrade_3_6/) for incompatibilities and upgrade procedure.
 
-- [`homebox` 0.20.0](https://github.com/sysadminsmedia/homebox/releases/tag/v0.20.0) changed how assets are stored and hashed. It is recommended to back up your database before this update. In particular, `--storage-data` was replaced with `--storage-conn-string` and `--storage-prefix-path`. If your configuration set `HBOX_STORAGE_DATA` manually, you must migrate it to `HBOX_STORAGE_CONN_STRING` and `HBOX_STORAGE_PREFIX_PATH`.
+- `fetchgit` now accepts a `gitConfigFile` argument to set a git config (via `$GIT_CONFIG_GLOBAL`) for the fetcher.
+
+- `fetchgit` now accepts a `rootDir` argument to limit the resulting source to one subdirectory of the whole Git repository. Corresponding `--root-dir` option added to `nix-prefetch-git`.
+
+- `fetchNpmDeps` now accepts a `npmRegistryOverridesString` argument to pass NPM registry overrides to the fetcher.
+
+- `ffmpeg_8`, `ffmpeg_8-headless`, and `ffmpeg_8-full` have been added. The default version of FFmpeg is now `ffmpeg_8`. You can install previous versions from package attributes such as `ffmpeg_7`.
+
+- `forgejo-runner` upgrading to version 11 brings a license change from MIT to GPLv3-or-later.
 
 - GIMP now defaults to version 3. Use `gimp2` for the old version.
 
-- `installShellCompletion`: now supports Nushell completion files
-
-- `idris2` supports being instantiated with a package environment with `idris.withPackages (p: [ ])`
-
-- New hardening flags `strictflexarrays1`, `strictflexarrays3`, `glibcxxassertions`, `libcxxhardeningfast` and `libcxxhardeningextensive` were made available.
+- `gitversion` was updated to 6.3.0, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run.
+  See the [6.0.0 release notes for GitVersion](https://github.com/GitTools/GitVersion/releases/tag/6.0.0) for details on the breaking changes, [the documentation on the configuration format](https://gitversion.net/docs/reference/configuration) for the new configuration specification, and [the documentation on version variables](https://gitversion.net/docs/reference/variables) for what is now supported.
 
 - `gramps` has been updated to 6.0.0
   Upstream recommends [backing up your Family Trees](https://gramps-project.org/wiki/index.php/Gramps_6.0_Wiki_Manual_-_Manage_Family_Trees#Backing_up_a_Family_Tree) before upgrading.
 
-- `meta.mainProgram`: Changing this `meta` entry can lead to a package rebuild due to being used to determine the `NIX_MAIN_PROGRAM` environment variable.
+- [`homebox` 0.20.0](https://github.com/sysadminsmedia/homebox/releases/tag/v0.20.0) changed how assets are stored and hashed. It is recommended to back up your database before this update. In particular, `--storage-data` was replaced with `--storage-conn-string` and `--storage-prefix-path`. If your configuration set `HBOX_STORAGE_DATA` manually, you must migrate it to `HBOX_STORAGE_CONN_STRING` and `HBOX_STORAGE_PREFIX_PATH`.
 
-- `forgejo-runner`: The upgrade to version 11 brings a license change from MIT to GPLv3-or-later.
+- HTTP3 support has been enabled in in `nginx`, `openresty`, `angie` and `tengine`. The `nginxQuic` and `angieQuic` package flavors have been removed.
 
-- `waydroid-nftables`: New variant of `waydroid` that supports nftables instead of iptables.
+- `idris2` supports being instantiated with a package environment with `idris.withPackages (p: [ ])`.
 
-- `lisp-modules` were brought in sync with the [June 2025 Quicklisp release](http://blog.quicklisp.org/2025/07/june-2025-quicklisp-dist-now-available.html).
-
-- `ffmpeg_8`, `ffmpeg_8-headless`, and `ffmpeg_8-full` have been added. The default version of FFmpeg remains ffmpeg_7 for now, though this may change before release.
-
-- `searx` was updated to use `envsubst` instead of `sed` for parsing secrets from environment variables.
-  If your previous configuration included a secret reference like `server.secret_key = "@SEARX_SECRET_KEY@"`, you must migrate to the new envsubst syntax: `server.secret_key = "$SEARX_SECRET_KEY"`.
+- `installShellCompletion` now supports Nushell completion files.
 
 - `jellyfin` was updated to `10.11.x`, which includes heavy backend changes.
   Make sure to backup your data and configuration directories
@@ -345,8 +375,43 @@
   and beware that the migration may take several hours depending on your library size and state.
   The process must not be interrupted.
 
-- `versionCheckHook`: Packages that previously relied solely on `pname` to locate the program used to version check, but have a differing `meta.mainProgram` entry, might now fail.
+- `lisp-modules` were brought in sync with the [June 2025 Quicklisp release](http://blog.quicklisp.org/2025/07/june-2025-quicklisp-dist-now-available.html).
 
+- `meta.mainProgram` is now used to determine the `NIX_MAIN_PROGRAM` environment variable. This means that changing it can now lead to a package rebuild.
+
+- `neovim` now has support for the `vim.o.exrc` option, the `VIMINIT` environment variable, and sourcing of `sysinit.vim`.
+  See the neovim help page [`:help startup`](https://neovim.io/doc/user/starting.html#startup) for more information, as well as [the nixpkgs neovim wrapper documentation](#neovim-custom-configuration).
+
+- New hardening flags `strictflexarrays1`, `strictflexarrays3`, `glibcxxassertions`, `libcxxhardeningfast` and `libcxxhardeningextensive` were made available.
+
+- `nix-prefetch-git` now has a `--no-add-path` argument to disable adding the path to the store. This is useful when working with a [read-only store](https://nix.dev/manual/nix/2.28/command-ref/new-cli/nix3-help-stores#store-experimental-local-overlay-store-read-only).
+
+- Passing `stdenv` to `buildPythonPackage` or `buildPythonApplication` has been deprecated and will trigger an error in a future release.
+  Instead, you should _override_ the python build helper, e.g., `(buildPythonPackage.override { stdenv = customStdenv; })`.
+  See [](#overriding-python-build-helpers).
+
+- `php81` was removed.
+
+- `plasma6`: Fixed the `ksycoca` cache not being re-built when `$XDG_CACHE_HOME` is set to something that isn't `$HOME/.cache`.
+
+- `prl-tools` has been moved out of `linuxPackages` because Parallels Guest Tools become driverless since 26.1.0.
+
+- `searx` was updated to use `envsubst` instead of `sed` for parsing secrets from environment variables.
+
+- `sftpman` has been updated to version 2, a rewrite in Rust which is mostly backward compatible but does include some changes to the CLI.
+  For more information, [check the project's README](https://github.com/spantaleev/sftpman-rs#is-sftpman-v2-compatible-with-sftpman-v1).
+
+- `slurm` no longer supports gtk2.
+
+- `sparkleshare` has been removed as it no longer builds and has been abandoned upstream.
+
+- `strongSwan` has been updated to 6.0. See [strongSwan 6.0.0 release notes](https://github.com/strongswan/strongswan/releases/tag/6.0.0) for a complete list of changes.
+
+- `simplesamlphp` has been removed since the package was severely outdated, unmaintained in Nixpkgs and having known vulnerabilities.
+
+- The `clickhouse` package now track the stable upstream version per [upstream's
+  recommendation](https://clickhouse.com/docs/faq/operations/production). Users
+  can continue to use the `clickhouse-lts` package if desired.
 
 - The debug outputs produced by `separateDebugInfo = true;` now contain symlinks mapping build-ids to the original source and ELF file.
   Specifically, if `$out/bin/ninja` has build-id `483bd7f7229bdb06462222e1e353e4f37e15c293`, then
@@ -355,32 +420,18 @@
   * `$debug/lib/debug/.build-id/48/3bd7f7229bdb06462222e1e353e4f37e15c293.sourceoverlay` is a symlink to a directory with the same structure as the expanded `$sourceRoot` but containing only a copy of files which were patched during the build
   * `$debug/lib/debug/.build-id/48/3bd7f7229bdb06462222e1e353e4f37e15c293.debug` is the file containing debug symbols (like before).
 
-- `fetchgit`: Add `gitConfigFile` argument to set a git config (via `$GIT_CONFIG_GLOBAL`) for the fetcher.
+- The `dockerTools.streamLayeredImage` builder now uses a better algorithm for generating layered docker images, such that much more sharing is possible when the number of store paths exceeds the layer limit. It gives each of the largest store paths its own layer and adds dependencies to those layers when they aren't used elsewhere.
 
-- `fetchgit`: Add `rootDir` argument to limit the resulting source to one subdirectory of the whole Git repository. Corresponding `--root-dir` option added to `nix-prefetch-git`.
+- The `open-webui` package's postgres support have been moved to optional dependencies to comply with upstream changes in 0.6.26.
 
-- `nix-prefetch-git`: Added a `--no-add-path` argument to disable adding the path to the store; this is useful when working with a [read-only store](https://nix.dev/manual/nix/2.28/command-ref/new-cli/nix3-help-stores#store-experimental-local-overlay-store-read-only).
+- The systemd initrd will now respect `x-systemd.wants` and `x-systemd.requires` for reliably unlocking multi-disk bcachefs volumes.
 
-- `fetchNpmDeps`: Add `npmRegistryOverridesString` argument to pass NPM registry overrides to the fetcher.
+- The third-party `ant-contrib` is no longer included in the `ant` package.
 
-- `sftpman` has been updated to version 2, a rewrite in Rust which is mostly backward compatible but does include some changes to the CLI.
-  For more information, [check the project's README](https://github.com/spantaleev/sftpman-rs#is-sftpman-v2-compatible-with-sftpman-v1).
+- Packages using `versionCheckHook` that previously relied solely on `pname` to locate the program used to version check, but have a differing `meta.mainProgram` entry, might now fail.
 
-- The `clickhouse` package now track the stable upstream version per [upstream's
-  recommendation](https://clickhouse.com/docs/faq/operations/production). Users
-  can continue to use the `clickhouse-lts` package if desired.
-
-- `emacs` now disables the GC mark trace buffer by default. This improves GC performance by 5%, but can make GC issues harder to debug. This is configurable with `withGcMarkTrace`.
-
-- Passing `stdenv` to `buildPythonPackage` or `buildPythonApplication` has been deprecated and will trigger an error in a future release.
-  Instead, you should _override_ the python build helper, e.g., `(buildPythonPackage.override { stdenv = customStdenv; })`.
-  See [](#overriding-python-build-helpers).
-
-- `buildPythonPackage` and `buildPythonApplication` now default to `nix-update-script` as their default `updateScript`. This should improve automated updates, since nix-update is better maintained than the in-tree update script and has more robust fetcher support.
-
-- `plasma6`: Fixed the `ksycoca` cache not being re-built when `$XDG_CACHE_HOME` is set to something that isn't `$HOME/.cache`.
-
-- `dragonflydb` has been updated from version 0.1.0 to version 1.34.2.
+- `waydroid-nftables` is a new variant of `waydroid` that supports nftables instead of iptables.
+  If your previous configuration included a secret reference like `server.secret_key = "@SEARX_SECRET_KEY@"`, you must migrate to the new envsubst syntax: `server.secret_key = "$SEARX_SECRET_KEY"`.
 
 ## Nixpkgs Library {#sec-nixpkgs-release-25.11-lib}
 
@@ -388,32 +439,32 @@
 
 ### Breaking changes {#sec-nixpkgs-release-25.11-lib-breaking}
 
+- `haskell.lib.addOptparseApplicativeCompletionScripts` has been removed, use `haskellPackages.generateOptparseApplicativeCompletions` instead.
+
+- `lib.attrsets.cartesianProductOfSets` has been removed, following its deprecation in NixOS 24.11. Use `lib.attrsets.cartesianProduct` instead.
+
+- `lib.attrsets.zipWithNames` has been removed, following its deprecation in 2009. Use `lib.attrsets.zipAttrsWithNames` instead.
+
+- `lib.attrsets.zip` has been removed, following its deprecation in 2013. Use `lib.attrsets.zipAttrsWith` instead.
+
 - `lib.literalExample` has been removed, use `lib.literalExpression` instead, or use `lib.literalMD` for a non-Nix description.
 
+- `lib.mapAttrsFlatten` has been removed, following its deprecation in NixOS 24.11. Use `lib.attrsets.mapAttrsToList` instead.
+
+- `lib.modules.defaultPriority` has been removed, please use `lib.modules.defaultOverridePriority` instead.
+
+- `lib.options.mkPackageOptionMD` has been removed, following its deprecation in NixOS 24.11. Use `lib.options.mkPackageOption` instead.
+
+- `lib.readPathsFromFile` has been removed, use a list instead.
+
 - `lib.replaceChars` has been removed, it was a deprecated alias of `lib.replaceStrings`.
 
-- `lib.readPathsFromFile` has been removed, use a list instead
-
-- `lib.mapAttrsFlatten` has been removed, following its deprecation in NixOS 24.11. Use `lib.attrsets.mapAttrsToList` instead.
+- `lib.sources.pathType`, `lib.sources.pathIsDirectory` and `lib.sources.pathIsRegularFile` have been replaced by `lib.filesystem.pathType`, `lib.filesystem.pathIsDirectory` and `lib.filesystem.pathIsRegularFile` respectively.
 
 - `lib.strings.isCoercibleToString` has been in favor of either `lib.strings.isStringLike` or `lib.strings.isConvertibleWithToString`. Only use the latter if it needs to return true for null, numbers, booleans, or a list of those.
 
 - `lib.types.string` has been removed. See [this pull request](https://github.com/NixOS/nixpkgs/pull/66346) for better alternative types like `lib.types.str`.
 
-- `lib.modules.defaultPriority` has been removed, please use `lib.modules.defaultOverridePriority` instead.
-
-- `lib.attrsets.cartesianProductOfSets` has been removed, following its deprecation in NixOS 24.11. Use `lib.attrsets.cartesianProduct` instead.
-
-- `lib.sources.pathType`, `lib.sources.pathIsDirectory` and `lib.sources.pathIsRegularFile` have been replaced by `lib.filesystem.pathType`, `lib.filesystem.pathIsDirectory` and `lib.filesystem.pathIsRegularFile` respectively.
-
-- `lib.attrsets.zip` has been removed, following its deprecation in 2013. Use `lib.attrsets.zipAttrsWith` instead.
-
-- `lib.attrsets.zipWithNames` has been removed, following its deprecation in 2009. Use `lib.attrsets.zipAttrsWithNames` instead.
-
-- `lib.options.mkPackageOptionMD` has been removed, following its deprecation in NixOS 24.11. Use `lib.options.mkPackageOption` instead.
-
-- `haskell.lib.addOptparseApplicativeCompletionScripts` has been removed, use `haskellPackages.generateOptparseApplicativeCompletions` instead.
-
 - The `buildPythonPackage` and `buildPythonApplication` functions now require
   an explicit `format` attribute. Previously the default format used setuptools
   and called `setup.py` from the source tree, which is deprecated.
@@ -421,6 +472,8 @@
 
 ### Deprecations {#sec-nixpkgs-release-25.11-lib-deprecations}
 
+- `lib.cli.toGNUCommandLine` and `lib.cli.toGNUCommandLineShell` have been deprecated in favor of `lib.cli.toCommandLine`, `lib.cli.toCommandLineShell`, `lib.cli.toCommandLineGNU` and `lib.cli.toCommandLineShellGNU`.
+
 - `lib.options.mkAliasOptionModuleMD` is now obsolete; use the identical [`lib.options.mkAliasOptionModule`] instead.
 
 - `types.either` silently accepted mismatching types when used in `freeformType`. Module maintainers should fix the used type
@@ -431,13 +484,11 @@
   - `number`
   - `numbers.*`
 
-- `lib.cli.toGNUCommandLine` and `lib.cli.toGNUCommandLineShell` have been deprecated in favor of `lib.cli.toCommandLine`, `lib.cli.toCommandLineShell`, `lib.cli.toCommandLineGNU` and `lib.cli.toCommandLineShellGNU`.
-
 ### Additions and Improvements {#sec-nixpkgs-release-25.11-lib-additions-improvements}
 
 - `lib.cli.toCommandLine`, `lib.cli.toCommandLineShell`, `lib.cli.toCommandLineGNU` and `lib.cli.toCommandLineShellGNU` have been added to address multiple issues in `lib.cli.toGNUCommandLine` and `lib.cli.toGNUCommandLineShell`.
 
-- `ugrep`: Added `wrapWithFilterUtils` package flag for optionally wrapping `ugrep+` and `ug+` with filter utilities for grepping other file types.
-
-- `ugrep`: Added `createGrepReplacementLinks` package flag for optionally creating drop-in replacement symlinks for `gnugrep`.
+- `ugrep` now has two new override options:
+  - `wrapWithFilterUtils` for optionally wrapping `ugrep+` and `ug+` with filter utilities for grepping other file types.
+  - `createGrepReplacementLinks` for optionally creating drop-in replacement symlinks for `gnugrep`.
 

doc/stdenv/platform-notes.chapter.md

@@ -117,10 +117,11 @@ The following is a list of Xcode versions, the SDK version in Nixpkgs, and the a
 Check your package’s documentation (platform support or installation instructions) to find which Xcode or SDK version to use.
 Generally, only the last SDK release for a major version is packaged.
 
-| Xcode version      | SDK version        | Nixpkgs attribute             |
-|--------------------|--------------------|-------------------------------|
-| 15.0–15.4          | 14.4               | `apple-sdk_14` / `apple-sdk`  |
-| 16.0               | 15.0               | `apple-sdk_15`                |
+| Xcode version | SDK version | Nixpkgs attribute            |
+|---------------|-------------|------------------------------|
+| 15.0–15.4     | 14.4        | `apple-sdk_14` / `apple-sdk` |
+| 16.0          | 15.0        | `apple-sdk_15`               |
+| 26.0+         | 26.0+       | `apple-sdk_26`, etc          |
 
 
 #### Darwin Default SDK versions {#sec-darwin-troubleshooting-darwin-defaults}
@@ -129,7 +130,7 @@ The current default version of the SDK and deployment target (minimum supported
 Because of the ways that minimum version and SDK can be changed that are not visible to Nix, they should be treated as lower bounds.
 If you need to parameterize over a specific version, create a function that takes the version as a parameter instead of relying on these attributes.
 
-On macOS, the `darwinMinVersion` and `darwinSdkVersion` are always the same, and are currently set to 11.3.
+On macOS, the `darwinMinVersion` is 14.0, and the `darwinSdkVersion` is 14.4.
 
 
 #### `xcrun` cannot find a binary {#sec-darwin-troubleshooting-xcrun}

lib/licenses.nix

@@ -1520,6 +1520,11 @@ lib.mapAttrs mkLicense (
       fullName = "X11 License";
     };
 
+    x11NoPermitPersons = {
+      spdxId = "X11-no-permit-persons";
+      fullName = "X11 no permit persons clause";
+    };
+
     xerox = {
       spdxId = "Xerox";
       fullName = "Xerox License";

lib/strings.nix

@@ -2088,15 +2088,15 @@ rec {
 
     # Inputs
 
-    `feature`
-    : The feature to be set
-
     `type`
     : The type of the feature to be set, as described in
       https://cmake.org/cmake/help/latest/command/set.html
       the possible values (case insensitive) are:
       BOOL FILEPATH PATH STRING INTERNAL LIST
 
+    `feature`
+    : The feature to be set
+
     `value`
     : The desired value
 

maintainers/github-teams.json

@@ -309,8 +309,7 @@
     "description": "",
     "id": 2516946,
     "maintainers": {
-      "jian-lin": 75130626,
-      "matthewbauer": 19036
+      "jian-lin": 75130626
     },
     "members": {
       "AndersonTorres": 5954806,
@@ -347,6 +346,18 @@
     },
     "name": "exotic-platform-maintainers"
   },
+  "feel-co": {
+    "description": "Managing packages related to https://github.com/feel-co",
+    "id": 15169000,
+    "maintainers": {
+      "NotAShelf": 62766066,
+      "eclairevoyant": 848000
+    },
+    "members": {
+      "Gerg-L": 88247690
+    },
+    "name": "feel-co"
+  },
   "flutter": {
     "description": "Maintain Flutter and Dart-related packages and build tools",
     "id": 7718198,
@@ -687,7 +698,8 @@
       "0x4A6F": 9675338,
       "MattSturgeon": 5046562,
       "Sereja313": 112060595,
-      "dasJ": 4971975
+      "dasJ": 4971975,
+      "dyegoaurelio": 42411160
     },
     "name": "nix-formatting"
   },

maintainers/maintainer-list.nix

@@ -19758,6 +19758,13 @@
     githubId = 83010835;
     keys = [ { fingerprint = "0181 FF89 4F34 7FCC EB06  5710 4C88 A185 FB89 301E"; } ];
   };
+  overloader = {
+    name = "Overloader";
+    github = "Overloader6";
+    githubId = 22007229;
+    email = "overloader@tutanota.com";
+    keys = [ { fingerprint = "B96E 6D41 E47B 042C 64A2  1D9A 8B17 537A AF09 AF18"; } ];
+  };
   ovlach = {
     email = "ondrej@vlach.xyz";
     name = "Ondrej Vlach";

nixos/doc/manual/installation/upgrading.chapter.md

@@ -8,7 +8,7 @@ passed and a selection of packages has been built successfully
 (see `nixos/release-combined.nix` and `nixos/release-small.nix`).
 These channels are:
 
--   *Stable channels*, such as [`nixos-25.05`](https://channels.nixos.org/nixos-25.05).
+-   *Stable channels*, such as [`nixos-25.11`](https://channels.nixos.org/nixos-25.11).
     These only get conservative bug fixes and package upgrades. For
     instance, a channel update may cause the Linux kernel on your system
     to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
@@ -21,7 +21,7 @@ These channels are:
     radical changes between channel updates. It's not recommended for
     production systems.
 
--   *Small channels*, such as [`nixos-25.05-small`](https://channels.nixos.org/nixos-25.05-small)
+-   *Small channels*, such as [`nixos-25.11-small`](https://channels.nixos.org/nixos-25.11-small)
     or [`nixos-unstable-small`](https://channels.nixos.org/nixos-unstable-small).
     These are identical to the stable and unstable channels described above,
     except that they contain fewer binary packages. This means they get updated
@@ -40,8 +40,8 @@ supported stable release.
 
 When you first install NixOS, you're automatically subscribed to the
 NixOS channel that corresponds to your installation source. For
-instance, if you installed from a 25.05 ISO, you will be subscribed to
-the `nixos-25.05` channel. To see which NixOS channel you're subscribed
+instance, if you installed from a 25.11 ISO, you will be subscribed to
+the `nixos-25.11` channel. To see which NixOS channel you're subscribed
 to, run the following as root:
 
 ```ShellSession
@@ -59,13 +59,13 @@ To switch to a different NixOS channel, do
 use the NixOS 25.05 stable channel:
 
 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-25.05 nixos
+# nix-channel --add https://channels.nixos.org/nixos-25.11 nixos
 ```
 
 If you have a server, you may want to use the "small" channel instead:
 
 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-25.05-small nixos
+# nix-channel --add https://channels.nixos.org/nixos-25.11-small nixos
 ```
 
 And if you want to live on the bleeding edge:
@@ -118,5 +118,5 @@ the new generation contains a different kernel, initrd or kernel
 modules. You can also specify a channel explicitly, e.g.
 
 ```nix
-{ system.autoUpgrade.channel = "https://channels.nixos.org/nixos-25.05"; }
+{ system.autoUpgrade.channel = "https://channels.nixos.org/nixos-25.11"; }
 ```

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -1110,7 +1110,7 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2
 
 - [preload](http://sourceforge.net/projects/preload), a service that makes
   applications run faster by prefetching binaries and shared objects.
-  Available as [services.preload](#opt-services.preload.enable).
+  Available as `services.preload`.
 
 ### Other Notable Changes {#sec-release-23.11-nixos-notable-changes}
 

nixos/doc/manual/release-notes/rl-2511.section.md

@@ -1,27 +1,15 @@
-# Release 25.11 ("Xantusia", 2025.11/??) {#sec-release-25.11}
+# Release 25.11 ("Xantusia", 2025.11/30) {#sec-release-25.11}
 
 ## Highlights {#sec-release-25.11-highlights}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- `nixos-rebuild-ng`, a full rewrite of `nixos-rebuild` in Python, is enabled by default from this release. You can disable it by setting [](#opt-system.rebuild.enableNg) to `false` in your configuration if you need, but please report any issues. It is expected that the next major version of NixOS (26.05) will remove the {option}`system.rebuild.enableNg` option.
-
-- `rEFInd`, a graphical boot manager for UEFI systems, can now be used through [](#opt-boot.loader.refind.enable).
-
-- Secure boot support can now be enabled for the Limine bootloader through {option}`boot.loader.limine.secureBoot.enable`. Bootloader install script signs the bootloader, then kernels are hashed during system rebuild and written to a config. This allows Limine to boot only the kernels installed through NixOS system.
-
-- The default PostgreSQL version for new NixOS installations (i.e. with `system.stateVersion >= 25.11`) is v17.
-
 - Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd. This allows to build NixOS systems without any interpreter. Enable via `system.nixos-init.enable = true;`.
 
-- The NetworkManager module does not ship with a default set of VPN plugins anymore. All required VPN plugins must now be explicitly configured in [`networking.networkmanager.plugins`](#opt-networking.networkmanager.plugins).
-
-- The Qt 5-based versions of KDE Gear, Plasma, Maui and Deepin have been removed. Users are advised to migrate to Plasma 6 and Gear 25.08, available under `kdePackages`.
-
-- Syncthing has been updated to version 2.0.0.
-
 - COSMIC DE has been updated to the beta version, bringing it closer to its first stable release. This includes updates to its core components, applications, and overall stability.
 
+- FirewallD support has been added. It can be configured both as a standalone service (through `services.firewalld`), and as a backend to the existing `networking.firewall` options.
+
 - GNOME has been updated to version 49.
 
   - Removes X11 session support. Though you can still run X11 apps using XWayland.
@@ -32,205 +20,311 @@
 
   Refer to the [GNOME release notes](https://release.gnome.org/49/) for more details.
 
-- FirewallD support has been added. It can be configured both as a standalone service (through `services.firewalld`), and as a backend to the existing `networking.firewall` options.
-
 - `networking.firewall` now has a `backend` option for choosing which backend to use.
 
+- `nixos-rebuild-ng`, a full rewrite of `nixos-rebuild` in Python, is enabled by default from this release. You can disable it by setting [](#opt-system.rebuild.enableNg) to `false` in your configuration if you need, but please report any issues. It is expected that the next major version of NixOS (26.05) will remove the {option}`system.rebuild.enableNg` option.
+
+- `rEFInd`, a graphical boot manager for UEFI systems, can now be used through [](#opt-boot.loader.refind.enable).
+
+- Secure boot support can now be enabled for the Limine bootloader through {option}`boot.loader.limine.secureBoot.enable`. Bootloader install script signs the bootloader, then kernels are hashed during system rebuild and written to a config. This allows Limine to boot only the kernels installed through NixOS system.
+
+- Syncthing has been updated to version 2.0.0.
+
+- The default PostgreSQL version for new NixOS installations (i.e. with `system.stateVersion >= 25.11`) is v17.
+
+- The NetworkManager module does not ship with a default set of VPN plugins anymore. All required VPN plugins must now be explicitly configured in [`networking.networkmanager.plugins`](#opt-networking.networkmanager.plugins).
+
+- The Qt 5-based versions of KDE Gear, Plasma, Maui and Deepin have been removed. Users are advised to migrate to Plasma 6 and Gear 25.08, available under `kdePackages`.
+
 ## New Modules {#sec-release-25.11-new-modules}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- [byedpi](https://github.com/hufrea/byedpi), a DPI bypass service. Available as [services.byedpi](#opt-services.byedpi.enable).
+- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd. This allows to build NixOS systems without any interpreter. Enable via `system.nixos-init.enable = true;`.
 
-- [Overseerr](https://overseerr.dev), a request management and media discovery tool for the Plex ecosystem. Available as [services.overseerr](#opt-services.overseerr.enable).
-
-- [services.rsync](options.html#opt-services.rsync) has been added to simplify periodic directory syncing.
-
-- [gtklock](https://github.com/jovanlanik/gtklock), a GTK-based lockscreen for Wayland. Available as [programs.gtklock](#opt-programs.gtklock.enable).
-- [Chrysalis](https://github.com/keyboardio/Chrysalis), a graphical configurator for Kaleidoscope-powered keyboards. Available as [programs.chrysalis](#opt-programs.chrysalis.enable).
-
-- [wayvnc](https://github.com/any1/wayvnc), VNC server for wlroots based Wayland compositors. Available as [programs.wayvnc](#opt-programs.wayvnc.enable).
-
-- [Pi-hole](https://pi-hole.net/), a DNS sinkhole for advertisements based on Dnsmasq. Available as [services.pihole-ftl](#opt-services.pihole-ftl.enable), and [services.pihole-web](#opt-services.pihole-web.enable) for the web GUI and API.
-
-- [Fediwall](https://fediwall.social), a web application for live displaying toots from mastodon, inspired by mastowall. Available as [services.fediwall](#opt-services.fediwall.enable).
-
-- [umami](https://github.com/umami-software/umami), a simple, fast, privacy-focused alternative to Google Analytics. Available with [services.umami](#opt-services.umami.enable).
-
-- [FirewallD](https://firewalld.org/), a firewall daemon with D-Bus interface providing a dynamic firewall. Available as [services.firewalld](#opt-services.firewalld.enable) and a [networking.firewall.backend](#opt-networking.firewall.backend).
-
-- [FileBrowser](https://filebrowser.org/), a web application for managing and sharing files. Available as [services.filebrowser](#opt-services.filebrowser.enable).
-
-- Options under [networking.getaddrinfo](#opt-networking.getaddrinfo.enable) are now allowed to declaratively configure address selection and sorting behavior of `getaddrinfo` in dual-stack networks.
-
-- [Homebridge](https://github.com/homebridge/homebridge), a lightweight Node.js server you can run on your home network that emulates the iOS HomeKit API. Available as [services.homebridge](#opt-services.homebridge.enable).
-
-- [XPPen](https://www.xp-pen.com/), the official closed-source driver for XP Pen tablets. Available as [programs.xppen](#opt-programs.xppen.enable).
-
-- [LACT](https://github.com/ilya-zlobintsev/LACT), a GPU monitoring and configuration tool, can now be enabled through [services.lact.enable](#opt-services.lact.enable).
-  Note that for LACT to work properly on AMD GPU systems, you need to enable [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable).
+- [angrr](https://github.com/linyinfeng/angrr), a service that automatically cleans up old auto GC roots. Available as [services.angrr](#opt-services.angrr.enable).
 
 - Auto-scrub support for Bcachefs filesystems can now be enabled through [services.bcachefs.autoScrub.enable](#opt-services.bcachefs.autoScrub.enable) to periodically check for data corruption. If there's a correct copy available, it will automatically repair corrupted blocks.
 
-- [LibreTranslate](https://libretranslate.com), a free and open source machine translation API. Available as [services.libretranslate](#opt-services.libretranslate.enable).
+- [Beszel](https://beszel.dev), a lightweight server monitoring hub with historical data, docker stats, and alerts. Available as [`services.beszel.agent`](options.html#opt-services.beszel.agent.enable) and [`services.beszel.hub`](options.html#opt-services.beszel.hub.enable).
 
-- [Linyaps](https://linyaps.org.cn/), a cross-distribution package manager with sandboxed apps and shared runtime. Available as [services.linyaps](#opt-services.linyaps.enable).
-
-- [tlsrpt-reporter](https://github.com/sys4/tlsrpt-reporter), an application suite to generate and deliver TLSRPT reports. Available as [services.tlsrpt](#opt-services.tlsrpt.enable).
-
-- [Chhoto URL](https://github.com/SinTan1729/chhoto-url), a simple, blazingly fast, selfhosted URL shortener with no unnecessary features, written in Rust. Available as [services.chhoto-url](#opt-services.chhoto-url.enable).
-
-- [go-httpbin](https://github.com/mccutchen/go-httpbin), a reasonably complete and well-tested golang port of httpbin, with zero dependencies outside the go stdlib. Available as [services.go-httpbin](#opt-services.go-httpbin.enable).
-
-- [radicle-ci-broker](https://app.radicle.xyz/nodes/seed.radicle.xyz/rad:zwTxygwuz5LDGBq255RA2CbNGrz8), runs CI for repositories in the local [Radicle](https://radicle.xyz/) node. Available as [services.radicle.ci.broker.enable](#opt-services.radicle.ci.broker.enable).
-
-- [radicle-native-ci](https://app.radicle.xyz/nodes/seed.radicle.xyz/rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE), an adapter for the [Radicle CI broker](https://app.radicle.xyz/nodes/seed.radicle.xyz/rad:zwTxygwuz5LDGBq255RA2CbNGrz8), for performing CI runs locally. Available as [services.radicle.ci.adapters.native](#opt-services.radicle.ci.adapters.native.instances).
-
-- [llama-swap](https://github.com/mostlygeek/llama-swap), a light weight transparent proxy server that provides automatic model swapping to llama.cpp's server (or any server with an OpenAI compatible endpoint). Available as [](#opt-services.llama-swap.enable).
-
-- [tuwunel](https://matrix-construct.github.io/tuwunel/), a federated chat server implementing the Matrix protocol, forked from Conduwuit. Available as [services.matrix-tuwunel](#opt-services.matrix-tuwunel.enable).
+- [boot.kernel.sysfs](options.html#opt-boot.kernel.sysfs), a new way to set of sysfs attributes.
 
 - [Broadcast Box](https://github.com/Glimesh/broadcast-box), a WebRTC broadcast server. Available as [services.broadcast-box](options.html#opt-services.broadcast-box.enable).
 
-- [boot.kernel.sysfs](options.html#opt-boot.kernel.sysfs) allows setting of sysfs attributes.
+- [byedpi](https://github.com/hufrea/byedpi), a DPI bypass service. Available as [services.byedpi](#opt-services.byedpi.enable).
 
-- [local-content-share](https://github.com/Tanq16/local-content-share), a simple web-app for storing/sharing text snippets and files in your local network. Available as [services.local-content-share](#opt-services.local-content-share.enable).
+- [Chrysalis](https://github.com/keyboardio/Chrysalis), a graphical configurator for Kaleidoscope-powered keyboards. Available as [programs.chrysalis](#opt-programs.chrysalis.enable).
 
-- Docker now defaults to 28.x, because version 27.x stopped receiving security updates and bug fixes after [May 2, 2025](https://github.com/moby/moby/pull/49910).
+- [Chhoto URL](https://github.com/SinTan1729/chhoto-url), a simple, blazingly fast, selfhosted URL shortener with no unnecessary features, written in Rust. Available as [services.chhoto-url](#opt-services.chhoto-url.enable).
+
+- [conman](https://github.com/dun/conman), a serial console management program. Available as [services.conman](#opt-services.conman.enable).
 
 - [Corteza](https://cortezaproject.org/), a low-code platform. Available as [services.corteza](#opt-services.corteza.enable).
 
-- [Warpgate](https://warpgate.null.page), a SSH, HTTPS, MySQL and Postgres bastion. Available as [services.warpgate](#opt-services.warpgate.enable). Note that you need to run `warpgate recover-access` to recover builtin admin account, as the initialisation script uses a throwaway value to initialise its database.
-
-- [TuneD](https://tuned-project.org/), a system tuning service for Linux. Available as [services.tuned](#opt-services.tuned.enable).
-
-- [yubikey-manager](https://github.com/Yubico/yubikey-manager), a tool for configuring YubiKey devices. Available as [programs.yubikey-manager](#opt-programs.yubikey-manager.enable).
-
-- [Linkwarden](https://linkwarden.app/) a self-hosted collaborative bookmark manager to collect, read, annotate, and fully preserve what matters, all in one place. Available as [services.linkwarden](#opt-services.linkwarden.enable).
-
-- [Draupnir](https://github.com/the-draupnir-project/draupnir), a Matrix moderation bot. Available as [services.draupnir](#opt-services.draupnir.enable).
-
-- [Pangolin](https://github.com/fosrl/pangolin), a tunneled reverse proxy server with access control. Available as [services.pangolin](#opt-services.pangolin.enable).
-
-- [postfix-tlspol](https://github.com/Zuplu/postfix-tlspol), MTA-STS and DANE resolver and TLS policy server for Postfix. Available as [services.postfix-tlspol](#opt-services.postfix-tlspol.enable).
-
 - [crowdsec](https://www.crowdsec.net/), a free, open-source and collaborative IPS. Available as [services.crowdsec](#opt-services.crowdsec.enable).
 
 - [crowdsec-firewall-bouncer](https://www.crowdsec.net/), the CrowdSec Remediation Component for fetching new and old decisions from a CrowdSec API and adding them to a blocklist used by supported firewalls. Available as [services.crowdsec-firewall-bouncer](#opt-services.crowdsec-firewall-bouncer.enable).
 
-- [tsidp](https://github.com/tailscale/tsidp), a simple OIDC / OAuth Identity Provider (IdP) server for your tailnet. Available as [services.tsidp](#opt-services.tsidp.enable).
+- Docker now defaults to 28.x, because version 27.x stopped receiving security updates and bug fixes after [May 2, 2025](https://github.com/moby/moby/pull/49910).
 
-- [Newt](https://github.com/fosrl/newt), a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. Available as [services.newt](options.html#opt-services.newt.enable).
+- [docuseal](https://github.com/docusealco/docuseal), a DocuSign alternative. Create, fill, and sign digital documents. Available at [services.docuseal](#opt-services.docuseal.enable).
+
+- [Draupnir](https://github.com/the-draupnir-project/draupnir), a Matrix moderation bot. Available as [services.draupnir](#opt-services.draupnir.enable).
+
+- [dwl](https://codeberg.org/dwl/dwl), a compact, hackable compositor for Wayland based on wlroots. Available as [programs.dwl](#opt-programs.dwl.enable).
+
+- [ente](https://github.com/ente-io/ente), a service that provides a fully open source, end-to-end encrypted platform for photos and videos. Available as [services.ente.api](#opt-services.ente.api.enable) and [services.ente.web](#opt-services.ente.web.enable).
+
+- [ErsatzTV](https://ersatztv.org), a personal IPTV server. Available as [services.ersatztv](#opt-services.ersatztv.enable).
+
+- [Fediwall](https://fediwall.social), a web application for live displaying toots from mastodon, inspired by mastowall. Available as [services.fediwall](#opt-services.fediwall.enable).
+
+- [FileBrowser](https://filebrowser.org/), a web application for managing and sharing files. Available as [services.filebrowser](#opt-services.filebrowser.enable).
+
+- [FirewallD](https://firewalld.org/), a firewall daemon with D-Bus interface providing a dynamic firewall. Available as [services.firewalld](#opt-services.firewalld.enable) and a [networking.firewall.backend](#opt-networking.firewall.backend).
+
+- [fw-fanctrl](https://github.com/TamtamHero/fw-fanctrl), a simple systemd service to better control Framework Laptop's fan(s). Available as [hardware.fw-fanctrl](#opt-hardware.fw-fanctrl.enable).
+
+- [go-httpbin](https://github.com/mccutchen/go-httpbin), a reasonably complete and well-tested golang port of httpbin, with zero dependencies outside the go stdlib. Available as [services.go-httpbin](#opt-services.go-httpbin.enable).
+
+- [gtklock](https://github.com/jovanlanik/gtklock), a GTK-based lockscreen for Wayland. Available as [programs.gtklock](#opt-programs.gtklock.enable).
+
+- [Homebridge](https://github.com/homebridge/homebridge), a lightweight Node.js server you can run on your home network that emulates the iOS HomeKit API. Available as [services.homebridge](#opt-services.homebridge.enable).
 
 - [IfState](https://ifstate.net), manage host interface settings in a declarative manner. Available as [networking.ifstate](options.html#opt-networking.ifstate.enable) and [boot.initrd.network.ifstate](options.html#opt-boot.initrd.network.ifstate.enable).
 
-- [qBittorrent](https://www.qbittorrent.org/), is a bittorrent client programmed in C++ / Qt that uses libtorrent by Arvid Norberg. Available as [services.qbittorrent](#opt-services.qbittorrent.enable).
+- [KMinion](https://github.com/redpanda-data/kminion), feature-rich Prometheus exporter for Apache Kafka. Available as [services.prometheus.exporters.kafka](options.html#opt-services.prometheus.exporters.kafka).
 
-- [Speedify](https://speedify.com/), a proprietary VPN which allows combining multiple internet connections (Wi-Fi, 4G, 5G, Ethernet, Starlink, Satellite, and more) to improve the stability, speed, and security of online experiences. Available as [services.speedify](#opt-services.speedify.enable).
+- [LACT](https://github.com/ilya-zlobintsev/LACT), a GPU monitoring and configuration tool, can now be enabled through [services.lact.enable](#opt-services.lact.enable).
+  Note that for LACT to work properly on AMD GPU systems, you need to enable [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable).
 
-- [Szurubooru](https://github.com/rr-/szurubooru), an image board engine inspired by services such as Danbooru, dedicated for small and medium communities. Available as [services.szurubooru](#opt-services.szurubooru.enable).
+- [lemurs](https://github.com/coastalwhite/lemurs), a customizable TUI display/login manager. Available at [services.displayManager.lemurs](#opt-services.displayManager.lemurs.enable).
+
+- [LibreTranslate](https://libretranslate.com), a free and open source machine translation API. Available as [services.libretranslate](#opt-services.libretranslate.enable).
+
+- [Linkwarden](https://linkwarden.app/) a self-hosted collaborative bookmark manager to collect, read, annotate, and fully preserve what matters, all in one place. Available as [services.linkwarden](#opt-services.linkwarden.enable).
+
+- [Linyaps](https://linyaps.org.cn/), a cross-distribution package manager with sandboxed apps and shared runtime. Available as [services.linyaps](#opt-services.linyaps.enable).
+
+- [llama-swap](https://github.com/mostlygeek/llama-swap), a light weight transparent proxy server that provides automatic model swapping to llama.cpp's server (or any server with an OpenAI compatible endpoint). Available as [](#opt-services.llama-swap.enable).
+
+- [local-content-share](https://github.com/Tanq16/local-content-share), a simple web-app for storing/sharing text snippets and files in your local network. Available as [services.local-content-share](#opt-services.local-content-share.enable).
 
 - [LubeLogger](https://lubelogger.com/), a vehicle maintenance and fuel mileage tracker.
   Available as [services.lubelogger](#opt-services.lubelogger.enable).
 
-- The [Neat IP Address Planner](https://spritelink.github.io/NIPAP/) (NIPAP) can now be enabled through [services.nipap.enable](#opt-services.nipap.enable).
+- [mautrix-discord](https://github.com/mautrix/discord), a Matrix-Discord puppeting/relay bridge. Available as [services.mautrix-discord](#opt-services.mautrix-discord.enable).
 
-- [tpm2-totp](https://github.com/tpm2-software/tpm2-totp) can now be used to show a TOTP during boot using Plymouth. Available as [boot.plymouth.tpm2-totp](#opt-boot.plymouth.tpm2-totp.enable).
-
-- [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](options.html#opt-boot.initrd.nix-store-veritysetup.enable).
-
-- [ente](https://github.com/ente-io/ente), a service that provides a fully open source, end-to-end encrypted platform for photos and videos. Available as [services.ente.api](#opt-services.ente.api.enable) and  [services.ente.web](#opt-services.ente.web.enable).
-
-- [PairDrop](https://github.com/schlagmichdoch/pairdrop), a peer-to-peer file transfer web app. Available as [services.pairdrop](#opt-services.pairdrop.enable).
-
-- [SuiteNumérique Docs](https://github.com/suitenumerique/docs), a collaborative note taking, wiki and documentation web platform and alternative to Notion or Outline. Available as [services.lasuite-docs](#opt-services.lasuite-docs.enable).
-
-- [dwl](https://codeberg.org/dwl/dwl), a compact, hackable compositor for Wayland based on wlroots. Available as [programs.dwl](#opt-programs.dwl.enable).
+- [Neat IP Address Planner](https://spritelink.github.io/NIPAP/) (NIPAP), a sleek, intuitive and powerful IP address management system. Available as [services.nipap.enable](#opt-services.nipap.enable).
 
 - [nebula-lighthouse-service](https://github.com/manuels/nebula-lighthouse-service), a public Nebula VPN lighthouse service. Available as [services.nebula-lighthouse-service](#opt-services.nebula-lighthouse-service.enable).
 
-- [angrr](https://github.com/linyinfeng/angrr), a service that automatically cleans up old auto GC roots. Available as [services.angrr](#opt-services.angrr.enable).
+- [Newt](https://github.com/fosrl/newt), a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. Available as [services.newt](options.html#opt-services.newt.enable).
 
-- [Sharkey](https://joinsharkey.org), a Sharkish microblogging platform. Available as [services.sharkey](#opt-services.sharkey.enable).
+- [nixbit](https://github.com/pbek/nixbit), a GUI application for updating your NixOS system from a Nix Flakes Git repository. Available as [programs.nixbit](#opt-programs.nixbit.enable).
 
-- [fw-fanctrl](https://github.com/TamtamHero/fw-fanctrl), a simple systemd service to better control Framework Laptop's fan(s). Available as [hardware.fw-fanctrl](#opt-hardware.fw-fanctrl.enable).
+- [nix-store-veritysetup](https://github.com/nikstur/nix-store-veritysetup-generator), a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as [boot.initrd.nix-store-veritysetup](options.html#opt-boot.initrd.nix-store-veritysetup.enable).
 
-- [SillyTavern](https://sillytavern.app/), LLM Frontend for Power Users. Available as [services.sillytavern](#opt-services.sillytavern.enable).
+- [nvme-rs](https://github.com/liberodark/nvme-rs), NVMe monitoring [services.nvme-rs](#opt-services.nvme-rs.enable).
 
-- [mautrix-discord](https://github.com/mautrix/discord), a Matrix-Discord puppeting/relay bridge. Available as [services.mautrix-discord](#opt-services.mautrix-discord.enable).
+- [Overseerr](https://overseerr.dev), a request management and media discovery tool for the Plex ecosystem. Available as [services.overseerr](#opt-services.overseerr.enable).
 
-- [Timekpr-nExT](https://mjasnik.gitlab.io/timekpr-next/), a time managing application that helps optimizing time spent at computer for your subordinates, children or even for yourself. Available as [](#opt-services.timekpr.enable).
-
-- [SuiteNumérique Meet](https://github.com/suitenumerique/meet) is an open source alternative to Google Meet and Zoom powered by LiveKit: HD video calls, screen sharing, and chat features. Built with Django and React. Available as [services.lasuite-meet](#opt-services.lasuite-meet.enable).
-
-- [Prometheus Storagebox Exporter](https://github.com/fleaz/prometheus-storagebox-exporter), a Prometheus exporter for Hetzner storage boxes.
-
-- [pmount](https://salsa.debian.org/debian/pmount), a tool that allows normal users to mount removable devices without requiring root privileges Available at [programs.pmount](#opt-programs.pmount.enable).
-
-- [rauc](https://rauc.io/) (the Robust Auto-Update Controller), a daemon that allows reliable and secure software updates in embedded Linux systems. Available at [services.rauc](#opt-services.rauc.enable).
-
-- [lemurs](https://github.com/coastalwhite/lemurs), a customizable TUI display/login manager. Available at [services.displayManager.lemurs](#opt-services.displayManager.lemurs.enable).
-
-- [docuseal](https://github.com/docusealco/docuseal), a DocuSign alternative. Create, fill, and sign digital documents. Available at [services.docuseal](#opt-services.docuseal.enable).
+- [PairDrop](https://github.com/schlagmichdoch/pairdrop), a peer-to-peer file transfer web app. Available as [services.pairdrop](#opt-services.pairdrop.enable).
 
 - [paisa](https://github.com/ananthakumaran/paisa), a personal finance tracker and dashboard. Available as [services.paisa](#opt-services.paisa.enable).
 
-- [conman](https://github.com/dun/conman), a serial console management program. Available as [services.conman](#opt-services.conman.enable).
+- [Pangolin](https://github.com/fosrl/pangolin), a tunneled reverse proxy server with access control. Available as [services.pangolin](#opt-services.pangolin.enable).
+
+- [Pi-hole](https://pi-hole.net/), a DNS sinkhole for advertisements based on Dnsmasq. Available as [services.pihole-ftl](#opt-services.pihole-ftl.enable), and [services.pihole-web](#opt-services.pihole-web.enable) for the web GUI and API.
+
+- [pmount](https://salsa.debian.org/debian/pmount), a tool that allows normal users to mount removable devices without requiring root privileges Available at [programs.pmount](#opt-programs.pmount.enable).
+
+- [postfix-tlspol](https://github.com/Zuplu/postfix-tlspol), a MTA-STS and DANE resolver and TLS policy server for Postfix. Available as [services.postfix-tlspol](#opt-services.postfix-tlspol.enable).
 
 - [Prometheus Tailscale Exporter](https://github.com/adinhodovic/tailscale-exporter), a Prometheus exporter for Tailscale Tailnet metrics.
 
-- [KMinion](https://github.com/redpanda-data/kminion), feature-rich Prometheus exporter for Apache Kafka. Available as [services.prometheus.exporters.kafka](options.html#opt-services.prometheus.exporters.kafka).
+- [Prometheus Storagebox Exporter](https://github.com/fleaz/prometheus-storagebox-exporter), a Prometheus exporter for Hetzner storage boxes.
 
-- [Beszel](https://beszel.dev), a lightweight server monitoring hub with historical data, docker stats, and alerts. Available as [`services.beszel.agent`](options.html#opt-services.beszel.agent.enable) and [`services.beszel.hub`](options.html#opt-services.beszel.hub.enable).
+- [qBittorrent](https://www.qbittorrent.org/), a bittorrent client programmed in C++ / Qt that uses libtorrent by Arvid Norberg. Available as [services.qbittorrent](#opt-services.qbittorrent.enable).
+
+- [radicle-ci-broker](https://app.radicle.xyz/nodes/seed.radicle.xyz/rad:zwTxygwuz5LDGBq255RA2CbNGrz8), a tool for running CI for repositories in the local [Radicle](https://radicle.xyz/) node. Available as [services.radicle.ci.broker.enable](#opt-services.radicle.ci.broker.enable).
+
+- [radicle-native-ci](https://app.radicle.xyz/nodes/seed.radicle.xyz/rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE), an adapter for the [Radicle CI broker](https://app.radicle.xyz/nodes/seed.radicle.xyz/rad:zwTxygwuz5LDGBq255RA2CbNGrz8), for performing CI runs locally. Available as [services.radicle.ci.adapters.native](#opt-services.radicle.ci.adapters.native.instances).
+
+- [rauc](https://rauc.io/) (the Robust Auto-Update Controller), a daemon that allows reliable and secure software updates in embedded Linux systems. Available at [services.rauc](#opt-services.rauc.enable).
+
+- [ringboard](https://github.com/SUPERCILEX/clipboard-history), a fast, efficient, and composable clipboard manager for Linux. Available for x11 as [services.ringboard](#opt-services.ringboard.x11.enable) and for Wayland as [services.ringboard](#opt-services.ringboard.wayland.enable).
+
+- [rsync](https://rsync.samba.org/), an open source utility that provides fast incremental file transfer. Available as [services.rsync](options.html#opt-services.rsync).
+
+- [Sharkey](https://joinsharkey.org), a Sharkish microblogging platform. Available as [services.sharkey](#opt-services.sharkey.enable).
+
+- [SillyTavern](https://sillytavern.app/), an LLM Frontend for Power Users. Available as [services.sillytavern](#opt-services.sillytavern.enable).
+
+- [SuiteNumérique Docs](https://github.com/suitenumerique/docs), a collaborative note taking, wiki and documentation web platform and alternative to Notion or Outline. Available as [services.lasuite-docs](#opt-services.lasuite-docs.enable).
+
+- [SuiteNumérique Meet](https://github.com/suitenumerique/meet), an open source alternative to Google Meet and Zoom powered by LiveKit. It features HD video calls, screen sharing, and chat features. Available as [services.lasuite-meet](#opt-services.lasuite-meet.enable).
+
+- [Speedify](https://speedify.com/), a proprietary VPN which allows combining multiple internet connections (Wi-Fi, 4G, 5G, Ethernet, Starlink, Satellite, and more) to improve the stability, speed, and security of online experiences. Available as [services.speedify](#opt-services.speedify.enable).
 
 - [Spoolman](https://github.com/Donkie/Spoolman), a inventory management system for Filament spools. Available as [services.spoolman](#opt-services.spoolman.enable).
 
+- [Sshwifty](https://github.com/nirui/sshwifty), a Telnet and SSH client for your browser. Available as [services.sshwifty](#opt-services.sshwifty.enable).
+
+- [Szurubooru](https://github.com/rr-/szurubooru), an image board engine inspired by services such as Danbooru, dedicated for small and medium communities. Available as [services.szurubooru](#opt-services.szurubooru.enable).
+
 - [Temporal](https://temporal.io/), a durable execution platform that enables
   developers to build scalable applications without sacrificing productivity or
   reliability. Available as [services.temporal](#opt-services.temporal.enable).
 
-- `services.libvirtd.autoSnapshot`, a backup service for libvirt managed vms.
+- [Timekpr-nExT](https://mjasnik.gitlab.io/timekpr-next/), a time managing application that helps optimizing time spent at computer for your subordinates, children or even for yourself. Available as [](#opt-services.timekpr.enable).
 
-- [Sshwifty](https://github.com/nirui/sshwifty), a Telnet and SSH client for your browser. Available as [services.sshwifty](#opt-services.sshwifty.enable).
+- [tlsrpt-reporter](https://github.com/sys4/tlsrpt-reporter), an application suite to generate and deliver TLSRPT reports. Available as [services.tlsrpt](#opt-services.tlsrpt.enable).
 
-- Added `nixos-init`, a Rust-based bashless initialization system for systemd initrd. This allows to build NixOS systems without any interpreter. Enable via `system.nixos-init.enable = true;`.
+- [tsidp](https://github.com/tailscale/tsidp), a simple OIDC / OAuth Identity Provider (IdP) server for your tailnet. Available as [services.tsidp](#opt-services.tsidp.enable).
 
-- [nvme-rs](https://github.com/liberodark/nvme-rs), NVMe monitoring [services.nvme-rs](#opt-services.nvme-rs.enable).
+- [TuneD](https://tuned-project.org/), a system tuning service for Linux. Available as [services.tuned](#opt-services.tuned.enable).
 
-- [ringboard](https://github.com/SUPERCILEX/clipboard-history), a fast, efficient, and composable clipboard manager for Linux. Available for x11 as [services.ringboard](#opt-services.ringboard.x11.enable) and for wayland as [services.ringboard](#opt-services.ringboard.wayland.enable).
+- [tuwunel](https://matrix-construct.github.io/tuwunel/), a federated chat server implementing the Matrix protocol, forked from Conduwuit. Available as [services.matrix-tuwunel](#opt-services.matrix-tuwunel.enable).
 
-- [Tenstorrent](https://tenstorrent.com) hardware module has been added.
+- [umami](https://github.com/umami-software/umami), a simple, fast, privacy-focused alternative to Google Analytics. Available with [services.umami](#opt-services.umami.enable).
 
-- [nixbit](https://github.com/pbek/nixbit), a GUI application for updating your NixOS system from a Nix Flakes Git repository. Available as [programs.nixbit](#opt-programs.nixbit.enable).
+- [wayvnc](https://github.com/any1/wayvnc), a VNC server for wlroots based Wayland compositors. Available as [programs.wayvnc](#opt-programs.wayvnc.enable).
 
-- [ErsatzTV](https://ersatztv.org), a personal IPTV server. Available as [services.ersatztv](#opt-services.ersatztv.enable)
+- [XPPen](https://www.xp-pen.com/), an official closed-source driver for XP Pen tablets. Available as [programs.xppen](#opt-programs.xppen.enable).
+
+- [Warpgate](https://warpgate.null.page), an SSH, HTTPS, MySQL and Postgres bastion. Available as [services.warpgate](#opt-services.warpgate.enable). Note that you need to run `warpgate recover-access` to recover builtin admin account, as the initialisation script uses a throwaway value to initialise its database.
+
+- [yubikey-manager](https://github.com/Yubico/yubikey-manager), a tool for configuring YubiKey devices. Available as [programs.yubikey-manager](#opt-programs.yubikey-manager.enable).
 
 ## Backward Incompatibilities {#sec-release-25.11-incompatibilities}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- The Perl implementation of the `switch-to-configuration` program is removed. All switchable systems now use the Rust rewrite. Any prior usage of `system.switch.enableNg` must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.
+- `boot.enableContainers` is only turned on when a declarative NixOS container is defined in `containers`.
+  If you use the `nixos-container` tool for imperative container management, set `boot.enableContainers = true;` explicitly.
 
-- The `no-broken-symlink` build hook now also fails builds whose output derivation contains links to $TMPDIR (typically /build, which contains the build directory).
+- Configurations with `boot.initrd.systemd.enable && !boot.initrd.enable` will have their `init` script at `$toplevel/init` instead of `$toplevel/prepare-root`. This is because it does not make sense for systemd stage 1 to affect the `init` script when stage 1 is entirely disabled (e.g. containers).
+
+- `command-not-found` package is now disabled by default; it works only for nix-channels based systems, and requires setup for it to work.
 
 - `hardware.amdgpu.amdvlk` and the `amdvlk` package have been removed, as they have been deprecated by AMD. These have been replaced with the RADV driver from Mesa, which is enabled by default.
 
+- `firezone` has changed how the `Everyone` group behaves. Service Accounts are no longer considered part of `Everyone`.
+
+- `i18n.inputMethod.fcitx5.plasma6Support` has been removed because qt6 is the only one used for fcitx5-configtool now.
+
 - Linux 5.4 and all its variants have been removed since mainline will reach its end of life within the support-span of 25.11.
 
+- `miniflux` no longer uses the hstore PostgreSQL extension. Having the extension would prevent Miniflux from starting. In case you are managing your `miniflux` PostgreSQL database externally, disable the extension with `DROP EXTENSION IF EXISTS hstore;`.
+
+- `netbox-manage` script created by the `netbox` module no longer uses `sudo -u netbox` internally. It can be run as root and will change it's user to `netbox` using `runuser`.
+
+- NixOS display manager modules now strictly use tty1, where many of them previously used tty7. Options to configure display managers' VT have been dropped. A configuration with a display manager enabled will not start `getty@tty1.service`, even if the system is forced to boot into `multi-user.target` instead of `graphical.target`.
+
+- `programs.cardboard` was removed due to the package having been broken since at least November 2024.
+
+- `programs.goldwarden` has been removed, due to the software not working with newer versions of the Bitwarden and Vaultwarden servers, as well as it being abandoned upstream.
+
+- `programs.skim.fuzzyCompletions` has been removed in favor of adding the completions to the package itself.
+
+- `Prosody` has been updated to major release 13 which removed some obsoleted modules and brought a couple of major and breaking changes:
+  - The `http_files` module is now disabled by default because it now requires `http_files_dir` to be configured.
+  - The `vcard_muc` module has been removed and got replaced by the inbuilt `muc_vcard` module.
+  - The `http_upload` module has been removed and you must migrate to the `http_file_share` module to stay XEP-0423 compliant. The `httpFileShare` options got expanded to better facility that.
+  - The `admin_shell` module is now always being loaded to make `prosodyctl` functional.
+  - The `mime_types_file` setting is now set to `"${pkgs.mailcap}/etc/mime.types"` to prevent errors.
+  For a complete list of changes, please see [their announcement](https://blog.prosody.im/prosody-13.0.0-released/).
+
+- `programs.river` has been renamed to `programs.river-classic` following an upstream decision.
+
+- `services.chatgpt-retrieval-plugin` was removed due to the package having been broken since at least November 2024.
+
+- `services.dwm-status.extraConfig` was replaced by [RFC0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)-compliant [](#opt-services.dwm-status.settings), which is used to generate the config file. `services.dwm-status.order` is now moved to [](#opt-services.dwm-status.settings.order), as it's a part of the config file.
+
+- `services.forgejo.dump.age` now defaults to `4w`, which deletes dumps older than 4 weeks. This new behaviour could result in older backups being deleted.
+
+- `services.gateone` has been removed as the package was removed such that it does not work.
+
+- `services.journald.gateway.user` and `services.journald.gateway.system` now defaults to `false`. This new behaviour matches the default behaviour of the [`systemd-journal-gatewayd`](https://www.freedesktop.org/software/systemd/man/latest/systemd-journal-gatewayd.service.html) service itself.
+
+- `services.nextcloud.notify_push.enable` now installs the notify_push app. Therefore the appstore is now disabled when using `notify_push`. See `services.nextcloud.appstoreEnable`.
+
+- `services.nixseparatedebuginfod.enable = true;` has been replaced by `services.nixseparatedebuginfod2.enable = true`. If you only use the official binary cache `https://cache.nixos.org` then no further configuration should be needed. If you have other https substituters, you can add them to `services.nixseparatedebuginfod2.subsituters`. SSH substituters are not supported by nixseparatedebuginfod2. Consider running nixseparatedebuginfod2 on the substituter instead, and pointing to it with the new option `environment.debuginfodServers`.
+
+- `services.parsoid` and the `nodePackages.parsoid` package have been removed, as the JavaScript-based version this module uses is not compatible with modern MediaWiki versions.
+
+- `services.private-gpt` has been removed by lack of maintenance upstream.
+
+- `services.quorum` has been removed as the `quorum` package was broken and abandoned upstream.
+
+- `services.seafile` has been removed, as it is unmaintained and outdated.
+  See [the manual](https://manual.seafile.com/13.0/upgrade/upgrade_notes_for_13.0.x/#important-release-changes)
+  for details and next steps.
+
+- `services.tor.torsocks.enable` no longer defaults to true if Tor and Tor client functionality is enabled.
+
+- The `boot.readOnlyNixStore` has been removed. Control over bind mount options on `/nix/store` is now offered by the `boot.nixStoreMountOpts` option.
+
+- The `dovecot` systemd service was renamed from `dovecot2` to `dovecot`. The former is now just an alias. Update any overrides on the systemd unit to the new name.
+
+- The `NIXOS_EXTRA_MODULE_PATH` variable from configuration evaluation has been deprecated.
+  We recommend a workflow where you update the expression files instead, but if you wish to continue
+  to use this variable, you may do so with a module like:
+
+  ```nix
+  {
+    imports = [
+      (builtins.getEnv "NIXOS_EXTRA_MODULE_PATH")
+    ];
+  }
+  ```
+
+  This has the benefit that your configuration hints at the non-standard workflow.
+
+- The `file-roller` module has been removed due to not being required for function, file roller itself has also been removed from the `services.desktopManager.gnome` module as it's not part of GNOME core applications.
+
+- The Perl implementation of the `switch-to-configuration` program is removed. All switchable systems now use the Rust rewrite. Any prior usage of `system.switch.enableNg` must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.
+
+- The Pocket ID module ([`services.pocket-id`](#opt-services.pocket-id.enable)) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/).
+
+- The Postfix module has been updated and likely requires configuration changes:
+  - The `services.postfix.sslCert` and `sslKey` options were removed and you now need to configure
+    - [services.postfix.settings.main.smtpd_tls_chain_files](#opt-services.postfix.settings.main.smtpd_tls_chain_files) for server certificates,
+    - [services.postfix.settings.main.smtp_tls_chain_files](#opt-services.postfix.settings.main) for client certificates.
+
+- The `services.meilisearch` module now always defaults to the latest version of meilisearch, as the previous `meilisearch_1_11` package was removed. This is only an issue if you were using the old version.
+
+- The `services.mysql` module now restarts the database `on-abnormal`, which means that it now will be restarted in certain situations, it wasn't before. For example an OOM-kill.
+
 - The `services.nginx.sso` module has switched to generating its configuration
   file in `/run`. You should manually delete `/var/lib/nginx-sso/config.yaml` to
   avoid storing secret values to disk.
 
+- The `services.postgresql` module now sets up a systemd unit `postgresql.target`. Depending on `postgresql.target` guarantees that postgres is in read-write mode and initial/ensure scripts were executed. Depending on `postgresql.service` only guarantees a read-only connection.
+
 - The `services.polipo` module has been removed as `polipo` is unmaintained and archived upstream.
 
-- `services.nextcloud.notify_push.enable` now installs the notify_push app. Therefore the appstore is now disabled when using `notify_push`. See `services.nextcloud.appstoreEnable`.
+- The `services.postfixadmin` module has been removed due to a lack of active maintainers.
 
-- `boot.enableContainers` is only turned on when a declarative NixOS container is defined in `containers`.
-  If you use the `nixos-container` tool for imperative container management, set `boot.enableContainers = true;` explicitly.
+- The `services.siproxd` module has been removed as `siproxd` is unmaintained and broken with libosip 5.x.
 
-- `etcd` package was upgraded to 3.6, see [migration notes](https://etcd.io/docs/v3.6/upgrades/upgrade_3_6/) for incompatibilities and upgrade procedure.
+- The `services.snapserver` module has been migrated to use the settings option and render a configuration file instead of passing every option over the command line.
 
-- `services.parsoid` and the `nodePackages.parsoid` package have been removed, as the JavaScript-based version this module uses is not compatible with modern MediaWiki versions.
+- []{#sec-release-25.11-incompatibilities-sourcehut-removed} The `services.sourcehut` module and corresponding `sourcehut` packages were removed due to being broken and unmaintained.
+
+- The `services.traccar.settings` attribute has been reworked. Instead of the previous flat attribute set the new implementation uses nested attribute sets. You need to update you configuration manually. For instance, `services.traccar.settings.loggerConsole` becomes `services.traccar.settings.logger.console`.
+
+- The `services.tt-rss` module and package have been removed as upstream development ceased on 2025-11-01, and the source is no longer available officially.
+
+- The systemd target `kbrequest.target` is now unset by default, instead of being forcibly symlinked to `rescue.target`. In case you were relying on this behavior (Alt + ArrowUp on the tty causing the current target to be changed to `rescue.target`), you can restore it by setting `systemd.targets.rescue.aliases = [ "kbrequest.target" ];` in your configuration.
+
+- The `wstunnel` module was converted to RFC42-style settings, you will need to update your NixOS config if you make use of this module.
+
+- `services.xserver.windowManager.yeahwm` was removed due to the package being broken and unmaintained upstream.
+
+- The zookeeper project changed their logging tool to logback, therefore `services.zookeeper.logging` option has been updated to expect a logback compatible string.
 
 - `virtualisation.lxd` has been removed due to lack of Nixpkgs maintenance. Users can migrate to `virtualisation.incus`, a fork of LXD, as a replacement. See [Incus migration documentation](https://linuxcontainers.org/incus/docs/main/howto/server_migrate_lxd/) for migration information.
 
@@ -250,171 +344,16 @@
     | /run/libvirt/nix-ovmf/AAVMF_CODE.ms.fd | /run/libvirt/nix-ovmf/edk2-aarch64-code.fd       |
     | /run/libvirt/nix-ovmf/AAVMF_VARS.ms.fd | /run/libvirt/nix-ovmf/edk2-arm-vars.fd           |
 
-- The non-LTS Forgejo package (`forgejo`) has been updated to 12.0.0. This release contains breaking changes, see the [release blog post](https://forgejo.org/2025-07-release-v12-0/)
-  for all the details and how to ensure smooth upgrades.
-
-- `services.forgejo.dump.age` now defaults to `4w`, which deletes dumps older than 4 weeks. This new behaviour could result in older backups being deleted.
-
-- `sing-box` has been updated to 1.12.3, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run.
-  See the [change log](https://sing-box.sagernet.org/changelog/#1123) for details and [migration](https://sing-box.sagernet.org/migration/#1120) for how to update old configurations.
-
-- The Pocket ID module ([`services.pocket-id`][#opt-services.pocket-id.enable]) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/).
-
-- `services.seafile` has been removed, as it is unmaintained and outdated.
-  See [the manual](https://manual.seafile.com/13.0/upgrade/upgrade_notes_for_13.0.x/#important-release-changes)
-  for details and next steps.
-
-- The `zigbee2mqtt` package was updated to version 2.x, which contains breaking changes. See the [discussion](https://github.com/Koenkk/zigbee2mqtt/discussions/24198) for further information.
-
-- []{#sec-release-25.11-incompatibilities-sourcehut-removed} The `services.sourcehut` module and corresponding `sourcehut` packages were removed due to being broken and unmaintained.
-- The zookeeper project changed their logging tool to logback, therefore `services.zookeeper.logging` option has been updated to expect a logback compatible string.
-- The `dovecot` systemd service was renamed from `dovecot2` to `dovecot`. The former is now just an alias. Update any overrides on the systemd unit to the new name.
-
-- Configurations with `boot.initrd.systemd.enable && !boot.initrd.enable` will have their `init` script at `$toplevel/init` instead of `$toplevel/prepare-root`. This is because it does not make sense for systemd stage 1 to affect the `init` script when stage 1 is entirely disabled (e.g. containers).
-
-- `programs.goldwarden` has been removed, due to the software not working with newer versions of the Bitwarden and Vaultwarden servers, as well as it being abandoned upstream.
-
-- The `chatgpt-retrieval-plugin` package and `services.chatgpt-retrieval-plugin` module were removed due to the package having been broken since at least November 2024.
-
-- The `cardboard` package and `programs.cardboard` module were removed due to the package having been broken since at least November 2024.
-
-- The default `kops` version is now 1.33.0 and versions 1.30 and older have been dropped. See [Upgrading Kubernetes](https://kops.sigs.k8s.io/tutorial/upgrading-kubernetes/) for instructions on how to update kOps.
-
-- `programs.skim.fuzzyCompletions` has been removed in favor of adding the completions to the package itself.
-
-- `Prosody` has been updated to major release 13 which removed some obsoleted modules and brought a couple of major and breaking changes:
-  - The `http_files` module is now disabled by default because it now requires `http_files_dir` to be configured.
-  - The `vcard_muc` module has been removed and got replaced by the inbuilt `muc_vcard` module.
-  - The `http_upload` module has been removed and you must migrate to the `http_file_share` module to stay XEP-0423 compliant. The `httpFileShare` options got expanded to better facility that.
-  - The `admin_shell` module is now always being loaded to make `prosodyctl` functional.
-  - The `mime_types_file` setting is now set to `"${pkgs.mailcap}/etc/mime.types"` to prevent errors.
-  For a complete list of changes, please see [their announcement](https://blog.prosody.im/prosody-13.0.0-released/).
-
-- The `yeahwm` package and `services.xserver.windowManager.yeahwm` module were removed due to the package being broken and unmaintained upstream.
-
-- `services.nixseparatedebuginfod.enable = true;` has been replaced by `services.nixseparatedebuginfod2.enable = true`. If you only use the official binary cache `https://cache.nixos.org` then no further configuration should be needed. If you have other https substituters, you can add them to `services.nixseparatedebuginfod2.subsituters`. SSH substituters are not supported by nixseparatedebuginfod2. Consider running nixseparatedebuginfod2 on the substituter instead, and pointing to it with the new option `environment.debuginfodServers`.
-
-- The `services.snapserver` module has been migrated to use the settings option and render a configuration file instead of passing every option over the command line.
-
-- The `services.meilisearch` module now always defaults to the latest version of meilisearch, as the previous `meilisearch_1_11` package was removed. This is only an issue if you were using the old version.
-
-- `services.journald.gateway.user` and `services.journald.gateway.system` now defaults to `false`. This new behaviour matches the default behaviour of the [`systemd-journal-gatewayd`](https://www.freedesktop.org/software/systemd/man/latest/systemd-journal-gatewayd.service.html) service itself.
-
-- The `services.postgresql` module now sets up a systemd unit `postgresql.target`. Depending on `postgresql.target` guarantees that postgres is in read-write mode and initial/ensure scripts were executed. Depending on `postgresql.service` only guarantees a read-only connection.
-
-- The `services.mysql` module now restarts the database `on-abnormal`, which means that it now will be restarted in certain situations, it wasn't before. For example an OOM-kill.
-
-- The `services.tt-rss` module and package have been removed as upstream development ceased on 2025-11-01, and the source is no longer available officially.
-
-- The `services.siproxd` module has been removed as `siproxd` is unmaintained and broken with libosip 5.x.
-
-- The `services.postfixadmin` module has been removed due to a lack of active maintainers.
-
-- `services.tor.torsocks.enable` no longer defaults to true if Tor and Tor client functionality is enabled.
-
-- `netbox-manage` script created by the `netbox` module no longer uses `sudo -u netbox` internally. It can be run as root and will change it's user to `netbox` using `runuser`
-
-- `services.gateone` has been removed as the package was removed such that it does not work.
-
-- `services.quorum` has been removed as the `quorum` package was broken and abandoned upstream.
-
-- `orjail` package has been removed as it is broken by the latest firejail release and seems unmaintained.
-
-- `teleport` has been upgraded from major version 17 to major version 18.
-Refer to [upstream upgrade instructions](https://goteleport.com/docs/upgrading/overview/)
-and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
-
-- `services.dwm-status.extraConfig` was replaced by [RFC0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)-compliant [](#opt-services.dwm-status.settings), which is used to generate the config file. `services.dwm-status.order` is now moved to [](#opt-services.dwm-status.settings.order), as it's a part of the config file.
-
-- `gitversion` was updated to 6.3.0, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run.
-  See the [6.0.0 release notes for GitVersion](https://github.com/GitTools/GitVersion/releases/tag/6.0.0) for details on the breaking changes, [the documentation on the configuration format](https://gitversion.net/docs/reference/configuration) for the new configuration specification, and [the documentation on version variables](https://gitversion.net/docs/reference/variables) for what is now supported.
-
-- `renovate` was updated to v41. See the upstream release notes for [v40](https://github.com/renovatebot/renovate/releases/tag/40.0.0) and [v41](https://github.com/renovatebot/renovate/releases/tag/41.0.0) for breaking changes.
-
-- The "NIXOS_EXTRA_MODULE_PATH" variable from configuration evaluation has been deprecated.
-  We recommend a workflow where you update the expression files instead, but if you wish to continue
-  to use this variable, you may do so with a module like:
-
-  ```nix
-  {
-    imports = [
-      (builtins.getEnv "NIXOS_EXTRA_MODULE_PATH")
-    ];
-  }
-  ```
-
-  This has the benefit that your configuration hints at the non-standard workflow.
-
-- `i18n.inputMethod.fcitx5.plasma6Support` has been removed because qt6 is the only one used for fcitx5-configtool now.
-
-- `firezone` has changed how the `Everyone` group behaves. Service Accounts are no longer considered part of `Everyone`.
-
-- The `file-roller` module has been removed due to not being required for function, file roller itself has also been removed from the `services.desktopManager.gnome` module as it's not part of GNOME core applications.
-
-- The `boot.readOnlyNixStore` has been removed. Control over bind mount options on `/nix/store` is now offered by the `boot.nixStoreMountOpts` option.
-
-- Direct use of `pkgs.formats.systemd` has been deprecated, and should now be instantiated with `pkgs.formats.systemd { }` similarly to other items in `pkgs.formats`.
-
-- The Postfix module has been updated and likely requires configuration changes:
-  - The `services.postfix.sslCert` and `sslKey` options were removed and you now need to configure
-    - [services.postfix.settings.main.smtpd_tls_chain_files](#opt-services.postfix.settings.main.smtpd_tls_chain_files) for server certificates,
-    - [services.postfix.settings.main.smtp_tls_chain_files](#opt-services.postfix.settings.main) for client certificates.
-
 - `vmalert` now supports multiple instances with the option `services.vmalert.instances."".enable`
 
 - [`virtualisation.waydroid.package`](#opt-virtualisation.waydroid.package) now defaults to `waydroid-nftables` on systems with nftables enabled.
 
 - [`services.victorialogs.package`](#opt-services.victorialogs.package) now defaults to `victorialogs`, as `victoriametrics` no longer contains the VictoriaLogs binaries.
 
-- The `services.traccar.settings` attribute has been reworked. Instead of the previous flat attribute set the new implementation uses nested attribute sets. You need to update you configuration manually. For instance, `services.traccar.settings.loggerConsole` becomes `services.traccar.settings.logger.console`.
-
-- The `wstunnel` module was converted to RFC42-style settings, you will need to update your NixOS config if you make use of this module.
-
-- [private-gpt](https://github.com/zylon-ai/private-gpt) service has been removed by lack of maintenance upstream.
-
-- The `asterisk-lts` package was changed to v22 from v18. The default `asterisk` package was changed to v22 from v20. Asterisk version 18 has been dropped due to being EOL. The `asterisk-stable` (v20) package was unchanged. You may need to update /var/lib/asterisk to match the template files in `${asterisk-...}/var/lib/asterisk`.
-
-- NixOS display manager modules now strictly use tty1, where many of them previously used tty7. Options to configure display managers' VT have been dropped. A configuration with a display manager enabled will not start `getty@tty1.service`, even if the system is forced to boot into `multi-user.target` instead of `graphical.target`.
-
-- `river` 0.3.x has been renamed to `river-classic` upstream, and the package renamed accordingly. `programs.river` has been renamed to `programs.river-classic`.
-
-- `command-not-found` package is now disabled by default; it works only for nix-channels based systems, and requires setup for it to work.
-
-- The systemd target `kbrequest.target` is now unset by default, instead of being forcibly symlinked to `rescue.target`. In case you were relying on this behavior (Alt + ArrowUp on the tty causing the current target to be changed to `rescue.target`), you can restore it by setting `systemd.targets.rescue.aliases = [ "kbrequest.target" ];` in your configuration.
-
-- `miniflux` no longer uses the hstore PostgreSQL extension. Having the extension would prevent Miniflux from starting. In case you are managing your `miniflux` PostgreSQL database externally, disable the extension with `DROP EXTENSION IF EXISTS hstore;`.
-
 ## Other Notable Changes {#sec-release-25.11-notable-changes}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- `services.clamsmtp` is unmaintained and was removed from Nixpkgs.
-
-- The latest available version of Nextcloud is v32 (available as `pkgs.nextcloud32`). The installation logic is as follows:
-  - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
-  - If [`system.stateVersion`](#opt-system.stateVersion) is >=25.05, `pkgs.nextcloud32` will be installed by default.
-  - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.11, `pkgs.nextcloud31` will be installed by default.
-  - `nextcloud30` is EOL and was thus removed.
-  - Please note that an upgrade from v30 (or older) to v32 directly is not possible. Please upgrade to `nextcloud31` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud30;`](#opt-services.nextcloud.package).
-
-- `services.eris-server` was removed from Nixpkgs due to a hostile upstream.
-
-- `prosody` gained a config check option named `services.prosody.checkConfig` which runs `prosodyctl check config` and is turned on by default.
-
-- `services.dependency-track` removed its configuration of the JVM heap size. This lets the JVM choose its maximum heap size automatically, which should work much better in practice for most users. For deployments on systems with little RAM, it may now be necessary to manually configure a maximum heap size using  {option}`services.dependency-track.javaArgs`.
-
-- `services.dnscrypt-proxy2` was renamed to `services.dnscrypt-proxy` to match the package name. The systemd service is now also `dnscrypt-proxy`, but the old name is still provided as an alias for backwards compatibility.
-
-- `services.dnscrypt-proxy` gains a `package` option to specify dnscrypt-proxy package to use.
-
-- `boot.plymouth` now has a [`package`](#opt-boot.plymouth.package) option to specify the package used in the module.
-
-- `services.limesurvey` now supports nginx as reverse-proxy. Available through [services.limesurvey.webserver](#opt-services.limesurvey.webserver).
-
-- `services.nextcloud.configureRedis` now defaults to `true` in accordance with upstream recommendations to have caching for file locking. See the [upstream doc](https://docs.nextcloud.com/server/31/admin_manual/configuration_files/files_locking_transactional.html) for further details.
-
-- mate-wayland-session 1.28.4 is now using the default wayfire decorator instead of firedecor, thus `services.xserver.desktopManager.mate.enableWaylandSession` is no longer shipping firedecor. If you are experiencing broken window decorations after upgrade, backup and remove `~/.config/mate/wayfire.ini` and re-login.
--
 - A new option [](#opt-boot.isNspawnContainer) has been added. This option will be used to guard nspawn-specific configuration in NixOS since [](#opt-boot.isContainer) is also used for different container-runtimes such as LXC.
   - The new option is automatically set to `true` by the declarative container module and `nixos-container` when not using flakes.
     - Existing setups can be migrated by running either
@@ -424,23 +363,39 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
   - In all other cases, you'll need to set this option to `true` yourself.
   - `boot.isNspawnContainer` being `true` implies [](#opt-boot.isContainer) being `true`.
 
-- `users.users.*.linger` now defaults to `null` rather than `false`, meaning NixOS will not attempt to enable or disable lingering for that user account, instead allowing for imperative control over lingering using the `loginctl` commands. In practice, this is unlikely to make a difference for most people, as new users are created without lingering configured. There is a new, related option, `users.manageLingering`, which can be used to prevent NixOS attempting to manage lingering entirely.
-
-- Due to [deprecation of gnome-session X11 support](https://blogs.gnome.org/alatiera/2025/06/08/the-x11-session-removal/), `services.desktopManager.pantheon` now defaults to pantheon-wayland session. The X11 session has been removed, see [this issue](https://github.com/elementary/session-settings/issues/91) for details.
+- `amdgpu` kernel driver overdrive mode can now be enabled by setting [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable) and customized through [hardware.amdgpu.overdrive.ppfeaturemask](#opt-hardware.amdgpu.overdrive.ppfeaturemask).
+  This allows for fine-grained control over the GPU's performance and maybe required by overclocking softwares like Corectrl and Lact. These new options replace old options such as {option}`programs.corectrl.gpuOverclock.enable` and {option}`programs.tuxclocker.enableAMD`.
 
 - `bcachefs` file systems will now use the out-of-tree module for supported kernels. The in-tree module has been removed, and users will need to switch to kernels that support the out-of-tree module.
 
-- `services.filesender` and the package `filesender` have been removed because they depend on `simplesamlphp`.
+- `boot.plymouth` now has a [`package`](#opt-boot.plymouth.package) option to specify the package used in the module.
 
-- `services.gitea` supports sending notifications with sendmail again. To do this, activate the parameter `services.gitea.mailerUseSendmail` and configure SMTP server.
+- Drivers and utlities for [Tenstorrent](https://tenstorrent.com) have been added. Available as [hardware.tenstorrent](#opt-hardware.tenstorrent.enable).
 
-- `services.mattermost` has been updated to use the 10.11 ESR instead of 10.5. While this shouldn't break anyone, we also now package Mattermost 11 as mattermostLatest. Note that Mattermost 11 drops support for MySQL. The Mattermost module will assertion fail if you try to use MySQL with Mattermost 11; support for using MySQL with Mattermost will fully be removed in NixOS 26.
+- Due to [deprecation of gnome-session X11 support](https://blogs.gnome.org/alatiera/2025/06/08/the-x11-session-removal/), `services.desktopManager.pantheon` now defaults to pantheon-wayland session. The X11 session has been removed, see [this issue](https://github.com/elementary/session-settings/issues/91) for details.
 
-- `simplesamlphp` has been removed since the package was severely outdated, unmaintained in nixpkgs and having known vulnerabilities.
+- `libvirt` now supports using `nftables` backend.
+  - The `virtualisation.libvirtd.firewallBackend` option can be used to configure the firewall backend used by libvirtd.
 
-- `networking.wireless.networks.<name>` now has an option to specify SSID, hence allowing duplicated SSID setup. The BSSID option is added along side with this.
+- `linux_libre` & `linux_latest_libre` have been removed due to a lack of maintenance.
 
-- Revamp of the ACME certificate acquisication and renewal process to help scale systems with lots (100+) of certificates.
+- Immich now has support for [VectorChord](https://github.com/tensorchord/VectorChord) when using the PostgreSQL configuration provided by `services.immich.database.enable`, which replaces `pgvecto-rs`. VectorChord support can be toggled with the option `services.immich.database.enableVectorChord`. Additionally, `pgvecto-rs` support is now disabled from NixOS 25.11 onwards using the option `services.immich.database.enableVectors`. This option will be removed fully in the future once Immich drops support for `pgvecto-rs` fully. See [Immich migration instructions](#module-services-immich-vectorchord-migration).
+
+- It is now possible to configure the default source address using the new options [networking.defaultGateway.source](#opt-networking.defaultGateway.source),
+  [networking.defaultGateway6.source](#opt-networking.defaultGateway6.source).
+
+- mate-wayland-session 1.28.4 is now using the default wayfire decorator instead of firedecor, thus `services.xserver.desktopManager.mate.enableWaylandSession` is no longer shipping firedecor. If you are experiencing broken window decorations after upgrade, backup and remove `~/.config/mate/wayfire.ini` and re-login.
+
+- `networking.wireless.networks.<name>` now has an option to specify SSID, hence allowing duplicated SSID setup. The BSSID option is added alongside with this.
+
+- Options under [networking.getaddrinfo](#opt-networking.getaddrinfo.enable) are now allowed to declaratively configure address selection and sorting behavior of `getaddrinfo` in dual-stack networks.
+
+- Potential race conditions in the network setup when using `networking.interfaces` have been fixed by disabling duplicate address detection (DAD)
+  for statically configured IPv6 addresses.
+
+- `prosody` gained a config check option named `services.prosody.checkConfig` which runs `prosodyctl check config` and is turned on by default.
+
+- Revamp of the ACME certificate acquisition and renewal process to help scale systems with lots (100+) of certificates.
 
   Units and targets have been reshaped to better support more specific dependency propagation and avoid
   superfluously triggering unchanged units:
@@ -455,12 +410,65 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
 
   Note that system activation will complete before all certificates may have been renewed or acquired.
 
-- `php81` was removed.
+- `services.clamsmtp` is unmaintained and was removed from Nixpkgs.
 
-- `libvirt` now supports using `nftables` backend.
-  - The `virtualisation.libvirtd.firewallBackend` option can be used to configure the firewall backend used by libvirtd.
+- `services.clickhouse` has added the `serverConfig` and `userConfig` options. You may also use `extraServerConfig` and `extraUserConfig` to pass plain text XML.
 
-- The third-party `ant-contrib` is no longer included in the `ant` package.
+- `services.dependency-track` removed its configuration of the JVM heap size. This lets the JVM choose its maximum heap size automatically, which should work much better in practice for most users. For deployments on systems with little RAM, it may now be necessary to manually configure a maximum heap size using  {option}`services.dependency-track.javaArgs`.
+
+- `services.dnscrypt-proxy2` was renamed to `services.dnscrypt-proxy` to match the package name. The systemd service is now also `dnscrypt-proxy`, but the old name is still provided as an alias for backwards compatibility.
+
+- `services.dnscrypt-proxy` gains a `package` option to specify dnscrypt-proxy package to use.
+
+- `services.eris-server` was removed from Nixpkgs due to a hostile upstream.
+
+- `services.filesender` and the package `filesender` have been removed because they depend on `simplesamlphp`.
+
+- `services.gitea` supports sending notifications with sendmail again. To do this, activate the parameter `services.gitea.mailerUseSendmail` and configure SMTP server.
+
+- [services.gnome.gnome-keyring](#opt-services.gnome.gnome-keyring.enable) does not ship with an SSH agent anymore, as this is now handled by the `gcr_4` package instead of `gnome-keyring`. A new module has been added to support this, under [](#opt-services.gnome.gcr-ssh-agent.enable) (its default value has been set to [](#opt-services.gnome.gnome-keyring.enable) to ensure a smooth transition). See the [relevant upstream PR](https://gitlab.gnome.org/GNOME/gcr/-/merge_requests/67) for more details.
+
+- `services.grafana` does no longer send usage statistics by default.
+
+- `services.k3s` now shares most of its code with `services.rke2`. The merge resulted in both modules providing more options, with `services.rke2` receiving the most improvements.
+  Existing configurations for either module should not be affected.
+
+- [services.libvirtd.autoSnapshot](options.html#opt-services.libvirtd.autoSnapshot.enable) has been added as a backup service for libvirt managed VMs.
+
+- `services.limesurvey` now supports nginx as reverse-proxy. Available through [services.limesurvey.webserver](#opt-services.limesurvey.webserver).
+
+- `services.mattermost` has been updated to use the 10.11 ESR instead of 10.5. While this shouldn't break anyone, we also now package Mattermost 11 as mattermostLatest. Note that Mattermost 11 drops support for MySQL. The Mattermost module will assertion fail if you try to use MySQL with Mattermost 11; support for using MySQL with Mattermost will fully be removed in NixOS 26.
+
+- `services.matter-server` now hosts a debug dashboard on the configured port. Open the port on the firewall with `services.matter-server.openFirewall`.
+
+- `services.monero` now includes the `environmentFile` option for adding secrets to the Monero daemon config.
+
+- `services.nebula.networks.<name>` will now store configuration files in `/etc/nebula/<name>.yml` and supports config reloading.
+
+- `services.logind.extraConfig` was converted to RFC42-style `services.logind.settings.Login`.
+
+- `services.nginx.recommendedProxySettings` now sets `X-Forwarded-Server` to the hostname of nginx instead of the original host.
+
+- `services.netbird.server` now uses dedicated packages split out due to relicensing of server components to AGPLv3 with version `0.53.0`,
+
+- `services.nextcloud.configureRedis` now defaults to `true` in accordance with upstream recommendations to have caching for file locking. See the [upstream doc](https://docs.nextcloud.com/server/31/admin_manual/configuration_files/files_locking_transactional.html) for further details.
+
+- `services.ntpd-rs` now performs configuration validation.
+
+- `services.opentelemetry-collector` has a new option `validateConfigFile` option that checks the configuration file during build. It is enabled by default if the configuration file is in the Nix store.
+
+- `services.restic.backups` now includes a `command` option for passing a command to the [--stdin-from-command](https://github.com/restic/restic/pull/4410) flag.
+
+- `services.pds` has been renamed to `services.bluesky-pds`.
+
+- `services.pfix-srsd` now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the [services.pfix-srsd.configurePostfix](#opt-services.pfix-srsd.configurePostfix) option.
+
+- `services.postsrsd` now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the [services.postsrsd.configurePostfix](#opt-services.postsrsd.configurePostfix) option.
+
+- `services.varnish.http_address` has been superseeded by `services.varnish.listen` which is now
+  structured config for all of varnish's `-a` variations.
+
+- `services.xserver.desktopManager.deepin` and associated packages have been removed due to being unmaintained. See issue [#422090](https://github.com/NixOS/nixpkgs/issues/422090) for more details.
 
 - `systemd.extraConfig` and `boot.initrd.systemd.extraConfig` was converted to RFC42-style `systemd.settings.Manager` and `boot.initrd.systemd.settings.Manager` respectively.
   - `systemd.watchdog.runtimeTime` was renamed to `systemd.settings.Manager.RuntimeWatchdogSec`
@@ -469,66 +477,20 @@ and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).
   - `systemd.watchdog.kexecTime` was renamed to `systemd.settings.Manager.KExecWatchdogSec`
   - `systemd.enableCgroupAccounting` was removed. Cgroup accounting now needs to be disabled directly using `systemd.settings.Manager.*Accounting`.
 
-- `services.logind.extraConfig` was converted to RFC42-style `services.logind.settings.Login`.
+- The `ksycoca` cache in Plasma 6 will no longer be re-built when `$XDG_CACHE_HOME` is not set to `$HOME/.cache`.
 
-- `services.ntpd-rs` now performs configuration validation.
+- The latest available version of Nextcloud is v32 (available as `pkgs.nextcloud32`). The installation logic is as follows:
+  - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
+  - If [`system.stateVersion`](#opt-system.stateVersion) is >=25.05, `pkgs.nextcloud32` will be installed by default.
+  - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.11, `pkgs.nextcloud31` will be installed by default.
+  - `nextcloud30` is EOL and was thus removed.
+  - Please note that an upgrade from v30 (or older) to v32 directly is not possible. Please upgrade to `nextcloud31` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud30;`](#opt-services.nextcloud.package).
 
-- Immich now has support for [VectorChord](https://github.com/tensorchord/VectorChord) when using the PostgreSQL configuration provided by `services.immich.database.enable`, which replaces `pgvecto-rs`. VectorChord support can be toggled with the option `services.immich.database.enableVectorChord`. Additionally, `pgvecto-rs` support is now disabled from NixOS 25.11 onwards using the option `services.immich.database.enableVectors`. This option will be removed fully in the future once Immich drops support for `pgvecto-rs` fully. See [Immich migration instructions](#module-services-immich-vectorchord-migration)
-
-- `services.restic.backups` now includes a `command` option for passing a command to the [--stdin-from-command](https://github.com/restic/restic/pull/4410) flag.
-
-- `services.grafana` does no longer send usage statistics by default.
-
-- `services.postsrsd` now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the [services.postsrsd.configurePostfix](#opt-services.postsrsd.configurePostfix) option.
-
-- `services.pfix-srsd` now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the [services.pfix-srsd.configurePostfix](#opt-services.pfix-srsd.configurePostfix) option.
-
-- `services.monero` now includes the `environmentFile` option for adding secrets to the Monero daemon config.
-
-- `services.netbird.server` now uses dedicated packages split out due to relicensing of server components to AGPLv3 with version `0.53.0`,
-
-- `linux_libre` & `linux_latest_libre` have been removed due to a lack of maintenance.
-
-- `services.nebula.networks.<name>` will now store configuration files in `/etc/nebula/<name>.yml` and supports config reloading.
-
-- `services.pds` has been renamed to `services.bluesky-pds`.
-
-- `services.xserver.desktopManager.deepin` and associated packages have been removed due to being unmaintained. See issue [#422090](https://github.com/NixOS/nixpkgs/issues/422090) for more details.
-
-- `services.matter-server` now hosts a debug dashboard on the configured port. Open the port on the firewall with `services.matter-server.openFirewall`.
-
-- `services.k3s` now shares most of its code with `services.rke2`. The merge resulted in both modules providing more options, with `services.rke2` receiving the most improvements.
-  Existing configurations for either module should not be affected.
+- The `nettools` package (ifconfig, arp, mii-tool, netstat, route) is not installed by default anymore. The suite is unmaintained and users should migrate to `iproute2` and `ethtool` instead.
 
 - The new option [networking.ipips](#opt-networking.ipips) has been added to create IP within IP kind of tunnels (including 4in6, ip6ip6 and ipip).
   With the existing [networking.sits](#opt-networking.sits) option (6in4), it is now possible to create all combinations of IPv4 and IPv6 encapsulation.
 
-- It is now possible to configure the default source address using the new options [networking.defaultGateway.source](#opt-networking.defaultGateway.source),
-  [networking.defaultGateway6.source](#opt-networking.defaultGateway6.source).
+- [tpm2-totp](https://github.com/tpm2-software/tpm2-totp) can now be used to show a TOTP during boot using Plymouth. Available as [boot.plymouth.tpm2-totp](#opt-boot.plymouth.tpm2-totp.enable).
 
-- Potential race conditions in the network setup when using `networking.interfaces` have been fixed by disabling duplicate address detection (DAD)
-  for statically configured IPv6 addresses.
-
-- `strongSwan` has been updated to 6.0. See [strongSwan 6.0.0 release notes](https://github.com/strongswan/strongswan/releases/tag/6.0.0) for a complete list of changes.
-
-- `slurm` no longer supports gtk2.
-
-- `amdgpu` kernel driver overdrive mode can now be enabled by setting [hardware.amdgpu.overdrive.enable](#opt-hardware.amdgpu.overdrive.enable) and customized through [hardware.amdgpu.overdrive.ppfeaturemask](#opt-hardware.amdgpu.overdrive.ppfeaturemask).
-  This allows for fine-grained control over the GPU's performance and maybe required by overclocking softwares like Corectrl and Lact. These new options replace old options such as {option}`programs.corectrl.gpuOverclock.enable` and {option}`programs.tuxclocker.enableAMD`.
-
-- `services.varnish.http_address` has been superseeded by `services.varnish.listen` which is now
-  structured config for all of varnish's `-a` variations.
-
-- `services.nginx.recommendedProxySettings` now sets `X-Forwarded-Server` to the hostname of nginx instead of the original host.
-
-- [](#opt-services.gnome.gnome-keyring.enable) does not ship with an SSH agent anymore, as this is now handled by the `gcr_4` package instead of `gnome-keyring`. A new module has been added to support this, under [](#opt-services.gnome.gcr-ssh-agent.enable) (its default value has been set to [](#opt-services.gnome.gnome-keyring.enable) to ensure a smooth transition). See the [relevant upstream PR](https://gitlab.gnome.org/GNOME/gcr/-/merge_requests/67) for more details.
-
-- The `nettools` package (ifconfig, arp, mii-tool, netstat, route) is not installed by default anymore. The suite is unmaintained and users should migrate to `iproute2` and `ethtool` instead.
-
-- `sparkleshare` has been removed as it no longer builds and has been abandoned upstream.
-
-- The `open-webui` package's postgres support have been moved to optional dependencies to comply with upstream changes in 0.6.26.
-
-- `prl-tools` has been moved out of `linuxPackages` because Parallels Guest Tools become driverless since 26.1.0.
-
-- `services.opentelemetry-collector` has a new option `validateConfigFile` option that checks the configuration file during build. It is enabled by default if the configuration file is in the Nix store.
+- `users.users.*.linger` now defaults to `null` rather than `false`, meaning NixOS will not attempt to enable or disable lingering for that user account, instead allowing for imperative control over lingering using the `loginctl` commands. In practice, this is unlikely to make a difference for most people, as new users are created without lingering configured. There is a new, related option, `users.manageLingering`, which can be used to prevent NixOS attempting to manage lingering entirely.

nixos/doc/manual/release-notes/rl-2605.section.md

@@ -22,4 +22,4 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- Create the first release note entry in this section!
+- `services.openssh` now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving `services.openssh.enable` disabled.  This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.

nixos/modules/config/nix-channel.nix

@@ -71,7 +71,7 @@ in
       defaultChannel = mkOption {
         internal = true;
         type = types.str;
-        default = "https://channels.nixos.org/nixos-unstable";
+        default = "https://channels.nixos.org/nixos-25.11";
         description = "Default NixOS channel to which the root user is subscribed.";
       };
     };

nixos/modules/hardware/all-firmware.nix

@@ -36,7 +36,18 @@ in
 
   options = {
 
-    hardware.enableAllFirmware = lib.mkEnableOption "all firmware regardless of license";
+    hardware.enableAllFirmware = lib.mkOption {
+      default = false;
+      example = true;
+
+      description = ''
+        Whether to enable all firmware, including [unfree packages that must be explictly allowed](https://nixos.org/manual/nixpkgs/unstable/#sec-allow-unfree).
+
+        Alternatively, use the {option}`hardware.enableRedistributableFirmware` option.
+      '';
+
+      type = lib.types.bool;
+    };
 
     hardware.enableRedistributableFirmware =
       lib.mkEnableOption "firmware with a license allowing redistribution"
@@ -74,16 +85,6 @@ in
         ++ lib.optional pkgs.stdenv.hostPlatform.isAarch raspberrypiWirelessFirmware;
     })
     (lib.mkIf cfg.enableAllFirmware {
-      assertions = [
-        {
-          assertion = !cfg.enableAllFirmware || pkgs.config.allowUnfree;
-          message = ''
-            the list of hardware.enableAllFirmware contains non-redistributable licensed firmware files.
-              This requires nixpkgs.config.allowUnfree to be true.
-              An alternative is to use the hardware.enableRedistributableFirmware option.
-          '';
-        }
-      ];
       hardware.firmware =
         with pkgs;
         [

nixos/modules/misc/version.nix

@@ -58,6 +58,7 @@ let
       VARIANT = optionalString (cfg.variantName != null) cfg.variantName;
       VARIANT_ID = optionalString (cfg.variant_id != null) cfg.variant_id;
       DEFAULT_HOSTNAME = config.system.nixos.distroId;
+      SUPPORT_END = "2026-06-30";
     }
     // cfg.extraOSReleaseArgs;
 

nixos/modules/module-list.nix

@@ -913,7 +913,6 @@
   ./services/misc/podgrab.nix
   ./services/misc/polaris.nix
   ./services/misc/portunus.nix
-  ./services/misc/preload.nix
   ./services/misc/pufferpanel.nix
   ./services/misc/pykms.nix
   ./services/misc/radicle.nix
@@ -1946,7 +1945,6 @@
   ./virtualisation/libvirtd.nix
   ./virtualisation/lxc.nix
   ./virtualisation/lxcfs.nix
-  ./virtualisation/multipass.nix
   ./virtualisation/nixos-containers.nix
   ./virtualisation/oci-containers.nix
   ./virtualisation/oci-options.nix

nixos/modules/programs/wayland/niri.nix

@@ -23,9 +23,10 @@ in
       {
         environment.systemPackages = [
           cfg.package
-        ]
+        ];
+
         # Required for xdg-desktop-portal-gnome's FileChooser to work properly
-        ++ lib.optionals cfg.useNautilus [
+        services.dbus.packages = lib.mkIf cfg.useNautilus [
           pkgs.nautilus
         ];
 

nixos/modules/rename.nix

@@ -71,6 +71,16 @@ in
       "programs"
       "gnome-documents"
     ] "The corresponding package was removed from nixpkgs.")
+    (mkRemovedOptionModule
+      [
+        "services"
+        "preload"
+      ]
+      ''
+        The corresponding package was removed from nixpkgs,
+        due to lack of usage and being broken since its introduction.
+      ''
+    ) # added 2025-11-29
     (mkRemovedOptionModule [
       "programs"
       "goldwarden"
@@ -431,6 +441,9 @@ in
       to periodically collect random data from the device and mix it
       into the kernel's RNG.
     '')
+    (mkRemovedOptionModule [ "virtualisation" "multipass" ] ''
+      virtualisation.multipass has been removed since it was unmaintained in nixpkgs
+    '')
     # Do NOT add any option renames here, see top of the file
   ];
 }

nixos/modules/services/desktops/espanso.nix

@@ -29,9 +29,7 @@ in
       capabilities = "cap_dac_override+p";
       owner = "root";
       group = "root";
-      source = lib.getExe (
-        pkgs.espanso-wayland.override { securityWrapperPath = config.security.wrapperDir; }
-      );
+      source = lib.getExe (cfg.package.override { securityWrapperPath = config.security.wrapperDir; });
     };
     systemd.user.services.espanso = {
       description = "Espanso daemon";

nixos/modules/services/games/quake3-server.nix

@@ -108,7 +108,7 @@ in
       systemd.services.q3ds = {
         description = "Quake 3 dedicated server";
         wantedBy = [ "multi-user.target" ];
-        after = [ "networking.target" ];
+        after = [ "network.target" ];
 
         environment.HOME = if baseq3InStore then home else cfg.baseq3;
 

nixos/modules/services/hardware/undervolt.nix

@@ -16,29 +16,37 @@ let
         limit != null && window != null
       ) "Both power limit and window must be set";
       "${toString limit} ${toString window}";
-  cliArgs = lib.cli.toCommandLineGNU { } {
-    inherit (cfg)
-      verbose
-      temp
-      turbo
-      ;
-    # `core` and `cache` are both intentionally set to `cfg.coreOffset` as according to the undervolt docs:
-    #
-    #     Core or Cache offsets have no effect. It is not possible to set different offsets for
-    #     CPU Core and Cache. The CPU will take the smaller of the two offsets, and apply that to
-    #     both CPU and Cache. A warning message will be displayed if you attempt to set different offsets.
-    core = cfg.coreOffset;
-    cache = cfg.coreOffset;
-    gpu = cfg.gpuOffset;
-    uncore = cfg.uncoreOffset;
-    analogio = cfg.analogioOffset;
+  cliArgs =
+    let
+      optionFormat = optionName: {
+        option = "--${optionName}";
+        sep = null;
+        explicitBool = false;
+      };
+    in
+    lib.cli.toCommandLine optionFormat {
+      inherit (cfg)
+        verbose
+        temp
+        turbo
+        ;
+      # `core` and `cache` are both intentionally set to `cfg.coreOffset` as according to the undervolt docs:
+      #
+      #     Core or Cache offsets have no effect. It is not possible to set different offsets for
+      #     CPU Core and Cache. The CPU will take the smaller of the two offsets, and apply that to
+      #     both CPU and Cache. A warning message will be displayed if you attempt to set different offsets.
+      core = cfg.coreOffset;
+      cache = cfg.coreOffset;
+      gpu = cfg.gpuOffset;
+      uncore = cfg.uncoreOffset;
+      analogio = cfg.analogioOffset;
 
-    temp-bat = cfg.tempBat;
-    temp-ac = cfg.tempAc;
+      temp-bat = cfg.tempBat;
+      temp-ac = cfg.tempAc;
 
-    power-limit-long = mkPLimit cfg.p1.limit cfg.p1.window;
-    power-limit-short = mkPLimit cfg.p2.limit cfg.p2.window;
-  };
+      power-limit-long = mkPLimit cfg.p1.limit cfg.p1.window;
+      power-limit-short = mkPLimit cfg.p2.limit cfg.p2.window;
+    };
 in
 {
   options.services.undervolt = {

nixos/modules/services/home-automation/govee2mqtt.nix

@@ -53,7 +53,7 @@ in
       description = "Govee2MQTT Service";
       wantedBy = [ "multi-user.target" ];
       after = [
-        "networking.target"
+        "network.target"
         "network-online.target"
       ];
       requires = [ "network-online.target" ];

nixos/modules/services/mail/roundcube.nix

@@ -244,7 +244,7 @@ in
     services.phpfpm.pools.roundcube = {
       user = if localDB then user else "nginx";
       phpOptions = ''
-        error_log = 'stderr'
+        error_log = '/dev/stderr'
         log_errors = on
         post_max_size = ${cfg.maxAttachmentSize}
         upload_max_filesize = ${cfg.maxAttachmentSize}

nixos/modules/services/misc/ersatztv.nix

@@ -20,12 +20,14 @@ let
     bool
     float
     int
+    package
     ;
   cfg = config.services.ersatztv;
   defaultEnv = {
     ETV_UI_PORT = 8409;
     ETV_BASE_URL = "/";
   };
+
 in
 {
   options = {
@@ -54,6 +56,8 @@ in
             int
             float
             bool
+            path
+            package
           ]);
         default = defaultEnv;
         example = {
@@ -108,7 +112,7 @@ in
           ETV_CONFIG_FOLDER = "/var/lib/ersatztv/config";
           ETV_TRANSCODE_FOLDER = "/var/lib/ersatztv/transcode";
         }
-        // cfg.environment;
+        // (lib.mapAttrs (_: s: if lib.isBool s then lib.boolToString s else toString s) cfg.environment);
       };
     };
 

nixos/modules/services/misc/gollum.nix

@@ -18,6 +18,11 @@ in
       ]
       "MathJax rendering might be discontinued in the future, use services.gollum.math instead to enable KaTeX rendering or file a PR if you really need Mathjax"
     )
+    (lib.mkRemovedOptionModule [
+      "services"
+      "gollum"
+      "local-time"
+    ] "Set the value in services.gollum.extraConfig")
   ];
 
   options.services.gollum = {
@@ -38,6 +43,13 @@ in
     extraConfig = lib.mkOption {
       type = lib.types.lines;
       default = "";
+      example = ''
+        wiki_options = {
+          show_local_time: true
+        }
+
+        Precious::App.set(:wiki_options, wiki_options)
+      '';
       description = "Content of the configuration file";
     };
 
@@ -87,12 +99,6 @@ in
       description = "Disable editing pages";
     };
 
-    local-time = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-      description = "Use the browser's local timezone instead of the server's for displaying dates.";
-    };
-
     branch = lib.mkOption {
       type = lib.types.str;
       default = "master";
@@ -159,7 +165,6 @@ in
             ${lib.optionalString cfg.emoji "--emoji"} \
             ${lib.optionalString cfg.h1-title "--h1-title"} \
             ${lib.optionalString cfg.no-edit "--no-edit"} \
-            ${lib.optionalString cfg.local-time "--local-time"} \
             ${lib.optionalString (cfg.allowUploads != null) "--allow-uploads ${cfg.allowUploads}"} \
             ${lib.optionalString (cfg.user-icons != null) "--user-icons ${cfg.user-icons}"} \
             ${cfg.stateDir}

nixos/modules/services/misc/ollama.nix

@@ -8,7 +8,7 @@ let
   inherit (lib) literalExpression types;
 
   cfg = config.services.ollama;
-  ollamaPackage = cfg.package.override { inherit (cfg) acceleration; };
+  ollama = lib.getExe cfg.package;
 
   staticUser = cfg.user != null && cfg.group != null;
 in
@@ -37,7 +37,33 @@ in
   options = {
     services.ollama = {
       enable = lib.mkEnableOption "ollama server for local large language models";
-      package = lib.mkPackageOption pkgs "ollama" { };
+      package = lib.mkPackageOption pkgs "ollama" {
+        example = "pkgs.ollama-rocm";
+        default = [
+          (
+            if !(config ? services) || cfg.acceleration == null then
+              "ollama"
+            else if cfg.acceleration == false then
+              "ollama-cpu"
+            else
+              "ollama-${cfg.acceleration}"
+          )
+        ];
+        extraDescription = ''
+          Different packages use different hardware acceleration.
+
+          - `ollama`: default behavior; usually equivalent to `ollama-cpu`
+            - if `nixpkgs.config.rocmSupport` is enabled, is equivalent to `ollama-rocm`
+            - if `nixpkgs.config.cudaSupport` is enabled, is equivalent to `ollama-cuda`
+            - otherwise defaults to `ollama-cpu`
+          - `ollama-cpu`: disable GPU; only use CPU
+          - `ollama-rocm`: supported by most modern AMD GPUs
+            - may require overriding gpu type with `services.ollama.rocmOverrideGfx`
+              if rocm doesn't detect your AMD gpu
+          - `ollama-cuda`: supported by most modern NVIDIA GPUs
+          - `ollama-vulkan`: supported by most GPUs
+        '';
+      };
 
       user = lib.mkOption {
         type = with types; nullOr str;
@@ -110,17 +136,18 @@ in
         example = "rocm";
         description = ''
           What interface to use for hardware acceleration.
+          It is now preferred to set `services.ollama.package` instead.
 
-          - `null`: default behavior
-            - if `nixpkgs.config.rocmSupport` is enabled, uses `"rocm"`
-            - if `nixpkgs.config.cudaSupport` is enabled, uses `"cuda"`
+          - `null`: default behavior; usually equivalent to `false`
+            - if `nixpkgs.config.rocmSupport` is enabled, is equivalent to `"rocm"`
+            - if `nixpkgs.config.cudaSupport` is enabled, is equivalent to `"cuda"`
             - otherwise defaults to `false`
-          - `false`: disable GPU, only use CPU
+          - `false`: disable GPU; only use CPU
           - `"rocm"`: supported by most modern AMD GPUs
             - may require overriding gpu type with `services.ollama.rocmOverrideGfx`
               if rocm doesn't detect your AMD gpu
           - `"cuda"`: supported by most modern NVIDIA GPUs
-          - `"vulkan"`: supported by most modern GPUs on Linux
+          - `"vulkan"`: supported by most GPUs
         '';
       };
       rocmOverrideGfx = lib.mkOption {
@@ -152,17 +179,36 @@ in
           Since `ollama run` is mostly a shell around the ollama server, this is usually sufficient.
         '';
       };
+
       loadModels = lib.mkOption {
         type = types.listOf types.str;
+        apply = builtins.filter (model: model != "");
         default = [ ];
+        example = [
+          "dolphin3"
+          "gemma3"
+          "gemma3:27b"
+          "deepseek-r1:latest"
+          "deepseek-r1:1.5b"
+        ];
         description = ''
           Download these models using `ollama pull` as soon as `ollama.service` has started.
 
           This creates a systemd unit `ollama-model-loader.service`.
+          Use `services.ollama.syncModels` to automatically remove any models not currently declared here.
 
           Search for models of your choice from: <https://ollama.com/library>
         '';
       };
+      syncModels = lib.mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Synchronize all currently installed models with those declared in `services.ollama.loadModels`,
+          removing any models that are installed but not currently declared there.
+        '';
+      };
+
       openFirewall = lib.mkOption {
         type = types.bool;
         default = false;
@@ -207,7 +253,7 @@ in
         // {
           Type = "exec";
           DynamicUser = true;
-          ExecStart = "${lib.getExe ollamaPackage} serve";
+          ExecStart = "${ollama} serve";
           WorkingDirectory = cfg.home;
           StateDirectory = [ "ollama" ];
           ReadWritePaths = [
@@ -266,7 +312,7 @@ in
         };
     };
 
-    systemd.services.ollama-model-loader = lib.mkIf (cfg.loadModels != [ ]) {
+    systemd.services.ollama-model-loader = lib.mkIf (cfg.loadModels != [ ] || cfg.syncModels) {
       description = "Download ollama models in the background";
       wantedBy = [
         "multi-user.target"
@@ -289,35 +335,54 @@ in
         RestartSteps = "10";
       };
 
-      script = ''
-        total=${toString (builtins.length cfg.loadModels)}
-        failed=0
+      script =
+        let
+          binaryInputs = lib.mapAttrs (_: lib.getExe) {
+            parallel = pkgs.parallel;
+            awk = pkgs.gawk;
+            sed = pkgs.gnused;
+          };
+          inherit (binaryInputs)
+            parallel
+            awk
+            sed
+            ;
 
-        for model in ${lib.escapeShellArgs cfg.loadModels}; do
-          '${lib.getExe ollamaPackage}' pull "$model" &
-        done
+          declaredModelsRegex = lib.pipe cfg.loadModels [
+            (map lib.escapeRegex)
+            (lib.concatStringsSep "|")
+            (lib.escape [ "/" ])
+            lib.escapeShellArg
+          ];
+        in
+        ''
+          ${lib.optionalString cfg.syncModels ''
+            installed=$('${ollama}' list | '${awk}' 'NR > 1 {print $1}')
+            ${
+              # if `declaredModelsRegex` is empty, sed will err
+              if (cfg.loadModels != [ ]) then
+                ''
+                  echo declared models regex: ${declaredModelsRegex}
+                  undeclared=$(echo "$installed" | '${sed}' -E /${declaredModelsRegex}/d)
+                ''
+              else
+                ''
+                  undeclared="$installed"
+                ''
+            }
+            if [ -n "$undeclared" ]; then
+              echo removing: $undeclared
+              '${ollama}' rm $undeclared
+            fi
+          ''}
 
-        for job in $(jobs -p); do
-          set +e
-          wait $job
-          exit_code=$?
-          set -e
-
-          if [ $exit_code != 0 ]; then
-            failed=$((failed + 1))
-          fi
-        done
-
-        if [ $failed != 0 ]; then
-          echo "error: $failed out of $total attempted model downloads failed" >&2
-          exit 1
-        fi
-      '';
+          '${parallel}' --tag '${ollama}' pull ::: ${lib.escapeShellArgs cfg.loadModels}
+        '';
     };
 
     networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; };
 
-    environment.systemPackages = [ ollamaPackage ];
+    environment.systemPackages = [ cfg.package ];
   };
 
   meta.maintainers = with lib.maintainers; [

nixos/modules/services/misc/preload.nix

@@ -1,36 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.services.preload;
-in
-{
-  meta = {
-    maintainers = pkgs.preload.meta.maintainers;
-  };
-
-  options.services.preload = {
-    enable = lib.mkEnableOption "preload";
-    package = lib.mkPackageOption pkgs "preload" { };
-  };
-
-  config = lib.mkIf cfg.enable {
-    systemd.services.preload = {
-      description = "Loads data into ram during idle time of CPU.";
-      wantedBy = [ "multi-user.target" ];
-
-      serviceConfig = {
-        EnvironmentFile = "${cfg.package}/etc/conf.d/preload";
-        ExecStart = "${lib.getExe cfg.package} -l '' --foreground $PRELOAD_OPTS";
-        Type = "simple";
-        # Only preload data during CPU idle time
-        IOSchedulingClass = 3;
-        DynamicUser = true;
-        StateDirectory = "preload";
-      };
-    };
-  };
-}

nixos/modules/services/misc/tiddlywiki.nix

@@ -10,7 +10,7 @@ let
   listenParams = lib.concatStrings (
     lib.mapAttrsToList (n: v: " '${n}=${toString v}' ") cfg.listenOptions
   );
-  exe = "${pkgs.nodePackages.tiddlywiki}/lib/node_modules/.bin/tiddlywiki";
+  exe = lib.getExe pkgs.tiddlywiki;
   name = "tiddlywiki";
   dataDir = "/var/lib/" + name;
 

nixos/modules/services/monitoring/alerta.nix

@@ -92,7 +92,7 @@ in
     systemd.services.alerta = {
       description = "Alerta Monitoring System";
       wantedBy = [ "multi-user.target" ];
-      after = [ "networking.target" ];
+      after = [ "network.target" ];
       environment = {
         ALERTA_SVR_CONF_FILE = alertaConf;
       };

nixos/modules/services/monitoring/grafana.nix

@@ -2045,7 +2045,7 @@ in
       description = "Grafana Service Daemon";
       wantedBy = [ "multi-user.target" ];
       after = [
-        "networking.target"
+        "network.target"
       ]
       ++ lib.optional usePostgresql "postgresql.target"
       ++ lib.optional useMysql "mysql.service";

nixos/modules/services/monitoring/kapacitor.nix

@@ -169,7 +169,7 @@ in
     systemd.services.kapacitor = {
       description = "Kapacitor Real-Time Stream Processing Engine";
       wantedBy = [ "multi-user.target" ];
-      after = [ "networking.target" ];
+      after = [ "network.target" ];
       serviceConfig = {
         ExecStart = "${pkgs.kapacitor}/bin/kapacitord -config ${kapacitorConf}";
         User = "kapacitor";

nixos/modules/services/monitoring/librenms.nix

@@ -638,91 +638,101 @@ in
           }"
         ];
       };
-      script = ''
-        set -euo pipefail
+      script =
+        let
+          nginxHasSSL =
+            with config.services.nginx.virtualHosts."${cfg.hostname}";
+            onlySSL || addSSL || forceSSL;
+        in
+        ''
+          set -euo pipefail
 
-        # config setup
-        ln -sf ${configFile} ${cfg.dataDir}/config.php
-        ${pkgs.envsubst}/bin/envsubst -i ${configJson} -o ${cfg.dataDir}/config.json
-        export PHPRC=${phpIni}
+          PATH=$PATH:${lib.makeBinPath (with pkgs; [ gnused ])}
 
-        INIT=false
-        if [[ ! -s ${cfg.dataDir}/.env ]]; then
-          INIT=true
-          # init .env file
-          echo "APP_KEY=" > ${cfg.dataDir}/.env
-          ${artisanWrapper}/bin/librenms-artisan key:generate --ansi
-          ${artisanWrapper}/bin/librenms-artisan webpush:vapid
-          echo "" >> ${cfg.dataDir}/.env
-          echo -n "NODE_ID=" >> ${cfg.dataDir}/.env
-          ${package.phpPackage}/bin/php -r "echo uniqid();" >> ${cfg.dataDir}/.env
-          echo "" >> ${cfg.dataDir}/.env
-        else
-          # .env file already exists --> only update database and cache config
-          ${pkgs.gnused}/bin/sed -i /^DB_/d ${cfg.dataDir}/.env
-          ${pkgs.gnused}/bin/sed -i /^CACHE_DRIVER/d ${cfg.dataDir}/.env
-        fi
-        ${lib.optionalString (cfg.useDistributedPollers || cfg.distributedPoller.enable) ''
-          echo "CACHE_DRIVER=memcached" >> ${cfg.dataDir}/.env
-        ''}
-        echo "DB_DATABASE=${cfg.database.database}" >> ${cfg.dataDir}/.env
-      ''
-      + (
-        if !isNull cfg.database.socket then
-          ''
-            # use socket connection
-            echo "DB_SOCKET=${cfg.database.socket}" >> ${cfg.dataDir}/.env
-            echo "DB_PASSWORD=null" >> ${cfg.dataDir}/.env
-          ''
-        else
-          ''
-            # use TCP connection
-            echo "DB_HOST=${cfg.database.host}" >> ${cfg.dataDir}/.env
-            echo "DB_PORT=${toString cfg.database.port}" >> ${cfg.dataDir}/.env
-            echo "DB_USERNAME=${cfg.database.username}" >> ${cfg.dataDir}/.env
-            echo -n "DB_PASSWORD=" >> ${cfg.dataDir}/.env
-            cat ${cfg.database.passwordFile} >> ${cfg.dataDir}/.env
-          ''
-      )
-      + ''
-        # clear cache if package has changed (cache may contain cached paths
-        # to the old package)
-        OLD_PACKAGE=$(cat ${cfg.dataDir}/package)
-        if [[ $OLD_PACKAGE != "${package}" ]]; then
-          rm -r ${cfg.dataDir}/cache/*
-        fi
+          # config setup
+          ln -sf ${configFile} ${cfg.dataDir}/config.php
+          ${pkgs.envsubst}/bin/envsubst -i ${configJson} -o ${cfg.dataDir}/config.json
+          export PHPRC=${phpIni}
 
-        # convert rrd files when the oneMinutePolling option is changed
-        OLD_ENABLED=$(cat ${cfg.dataDir}/one_minute_enabled)
-        if [[ $OLD_ENABLED != "${lib.boolToString cfg.enableOneMinutePolling}" ]]; then
-          ${package}/scripts/rrdstep.php -h all
-          echo "${lib.boolToString cfg.enableOneMinutePolling}" > ${cfg.dataDir}/one_minute_enabled
-        fi
+          INIT=false
+          if [[ ! -s ${cfg.dataDir}/.env ]]; then
+            INIT=true
+            # init .env file
+            echo "APP_KEY=" > ${cfg.dataDir}/.env
+            ${artisanWrapper}/bin/librenms-artisan key:generate --ansi
+            ${artisanWrapper}/bin/librenms-artisan webpush:vapid
+            echo "" >> ${cfg.dataDir}/.env
+            echo -n "NODE_ID=" >> ${cfg.dataDir}/.env
+            ${package.phpPackage}/bin/php -r "echo uniqid();" >> ${cfg.dataDir}/.env
+            echo "" >> ${cfg.dataDir}/.env
+          else
+            # .env file already exists --> only update database and cache config
+            sed -i /^APP_URL=/d ${cfg.dataDir}/.env
+            sed -i /^DB_/d ${cfg.dataDir}/.env
+            sed -i /^CACHE_DRIVER=/d ${cfg.dataDir}/.env
+          fi
+          ${lib.optionalString (cfg.useDistributedPollers || cfg.distributedPoller.enable) ''
+            echo "CACHE_DRIVER=memcached" >> ${cfg.dataDir}/.env
+          ''}
+          echo "APP_URL=http${lib.optionalString nginxHasSSL "s"}://${cfg.hostname}/" >> ${cfg.dataDir}/.env
+          echo "DB_DATABASE=${cfg.database.database}" >> ${cfg.dataDir}/.env
+        ''
+        + (
+          if !isNull cfg.database.socket then
+            ''
+              # use socket connection
+              echo "DB_SOCKET=${cfg.database.socket}" >> ${cfg.dataDir}/.env
+              echo "DB_PASSWORD=null" >> ${cfg.dataDir}/.env
+            ''
+          else
+            ''
+              # use TCP connection
+              echo "DB_HOST=${cfg.database.host}" >> ${cfg.dataDir}/.env
+              echo "DB_PORT=${toString cfg.database.port}" >> ${cfg.dataDir}/.env
+              echo "DB_USERNAME=${cfg.database.username}" >> ${cfg.dataDir}/.env
+              echo -n "DB_PASSWORD=" >> ${cfg.dataDir}/.env
+              cat ${cfg.database.passwordFile} >> ${cfg.dataDir}/.env
+            ''
+        )
+        + ''
+          # clear cache if package has changed (cache may contain cached paths
+          # to the old package)
+          OLD_PACKAGE=$(cat ${cfg.dataDir}/package)
+          if [[ $OLD_PACKAGE != "${package}" ]]; then
+            rm -r ${cfg.dataDir}/cache/*
+          fi
 
-        # migrate db if package version has changed
-        # not necessary for every package change
-        OLD_VERSION=$(cat ${cfg.dataDir}/version)
-        if [[ $OLD_VERSION != "${package.version}" ]]; then
-          ${artisanWrapper}/bin/librenms-artisan migrate --force --no-interaction
-          echo "${package.version}" > ${cfg.dataDir}/version
-        fi
+          # convert rrd files when the oneMinutePolling option is changed
+          OLD_ENABLED=$(cat ${cfg.dataDir}/one_minute_enabled)
+          if [[ $OLD_ENABLED != "${lib.boolToString cfg.enableOneMinutePolling}" ]]; then
+            ${package}/scripts/rrdstep.php -h all
+            echo "${lib.boolToString cfg.enableOneMinutePolling}" > ${cfg.dataDir}/one_minute_enabled
+          fi
 
-        if [[ $INIT == "true" ]]; then
-          ${artisanWrapper}/bin/librenms-artisan db:seed --force --no-interaction
-        fi
+          # migrate db if package version has changed
+          # not necessary for every package change
+          OLD_VERSION=$(cat ${cfg.dataDir}/version)
+          if [[ $OLD_VERSION != "${package.version}" ]]; then
+            ${artisanWrapper}/bin/librenms-artisan migrate --force --no-interaction
+            echo "${package.version}" > ${cfg.dataDir}/version
+          fi
 
-        # regenerate cache if package has changed
-        if [[ $OLD_PACKAGE != "${package}" ]]; then
-          ${artisanWrapper}/bin/librenms-artisan view:clear
-          ${artisanWrapper}/bin/librenms-artisan optimize:clear
-          ${artisanWrapper}/bin/librenms-artisan view:cache
-          ${artisanWrapper}/bin/librenms-artisan optimize
-          echo "${package}" > ${cfg.dataDir}/package
-        fi
+          if [[ $INIT == "true" ]]; then
+            ${artisanWrapper}/bin/librenms-artisan db:seed --force --no-interaction
+          fi
 
-        # to make sure to not read an outdated .env file
-        ${artisanWrapper}/bin/librenms-artisan config:cache
-      '';
+          # regenerate cache if package has changed
+          if [[ $OLD_PACKAGE != "${package}" ]]; then
+            ${artisanWrapper}/bin/librenms-artisan view:clear
+            ${artisanWrapper}/bin/librenms-artisan optimize:clear
+            ${artisanWrapper}/bin/librenms-artisan view:cache
+            ${artisanWrapper}/bin/librenms-artisan optimize
+            echo "${package}" > ${cfg.dataDir}/package
+          fi
+
+          # to make sure to not read an outdated .env file
+          ${artisanWrapper}/bin/librenms-artisan config:cache
+        '';
     };
 
     programs.mtr.enable = true;

nixos/modules/services/network-filesystems/litestream/default.nix

@@ -74,7 +74,7 @@ in
     systemd.services.litestream = {
       description = "Litestream";
       wantedBy = [ "multi-user.target" ];
-      after = [ "networking.target" ];
+      after = [ "network.target" ];
       serviceConfig = {
         EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
         ExecStart = "${cfg.package}/bin/litestream replicate";

nixos/modules/services/networking/dnsmasq.nix

@@ -118,6 +118,8 @@ in
       configFile = lib.mkOption {
         type = lib.types.package;
         readOnly = true;
+        default = dnsmasqConf;
+        defaultText = lib.literalExpression "Path of dnsmasq config file";
         description = ''
           Path to the configuration file of dnsmasq.
         '';
@@ -137,8 +139,6 @@ in
         conf-file = lib.mkDefault (lib.optional cfg.resolveLocalQueries "/etc/dnsmasq-conf.conf");
         resolv-file = lib.mkDefault (lib.optional cfg.resolveLocalQueries "/etc/dnsmasq-resolv.conf");
       };
-
-      configFile = dnsmasqConf;
     };
 
     networking.nameservers = lib.optional cfg.resolveLocalQueries "127.0.0.1";

nixos/modules/services/networking/firefox-syncserver.nix

@@ -13,7 +13,7 @@ let
   defaultUser = "firefox-syncserver";
 
   dbIsLocal = cfg.database.host == "localhost";
-  dbURL = "mysql://${cfg.database.user}@${cfg.database.host}/${cfg.database.name}";
+  dbURL = "mysql://${cfg.database.user}@${cfg.database.host}/${cfg.database.name}${lib.optionalString dbIsLocal "?socket=/run/mysqld/mysqld.sock"}";
 
   format = pkgs.formats.toml { };
   settings = {

nixos/modules/services/networking/frp.nix

@@ -64,10 +64,8 @@ in
             Restart = "on-failure";
             RestartSec = 15;
             ExecStart = "${cfg.package}/bin/${executableFile} --strict_config -c ${configFile}";
-            StateDirectoryMode = lib.optionalString isServer "0700";
             DynamicUser = true;
             # Hardening
-            UMask = lib.optionalString isServer "0007";
             CapabilityBoundingSet = serviceCapability;
             AmbientCapabilities = serviceCapability;
             PrivateDevices = true;
@@ -89,6 +87,11 @@ in
             PrivateMounts = true;
             SystemCallArchitectures = "native";
             SystemCallFilter = [ "@system-service" ];
+          }
+          // lib.optionalAttrs isServer {
+            StateDirectory = "frp";
+            StateDirectoryMode = "0700";
+            UMask = "0007";
           };
         };
       };

nixos/modules/services/networking/ifstate.nix

@@ -106,7 +106,7 @@ in
       settings = lib.mkOption {
         inherit (settingsFormat) type;
         default = { };
-        description = "Content of IfState's configuration file. See <https://ifstate.net/2.0/schema/> for details.";
+        description = "Content of IfState's configuration file. See <https://ifstate.net/2.2/schema/> for details.";
       };
     };
 
@@ -131,19 +131,27 @@ in
       settings = lib.mkOption {
         inherit (settingsFormat) type;
         default = { };
-        description = "Content of IfState's initrd configuration file. See <https://ifstate.net/2.0/schema/> for details.";
+        description = "Content of IfState's initrd configuration file. See <https://ifstate.net/2.2/schema/> for details.";
       };
 
       cleanupSettings = lib.mkOption {
         inherit (settingsFormat) type;
         # required by json schema
         default.interfaces = { };
-        description = "Content of IfState's initrd cleanup configuration file. See <https://ifstate.net/2.0/schema/> for details. This configuration gets applied before systemd switches to stage two. The goas is to deconfigurate the whole network in order to prevent access to services, before the firewall is configured. The stage two IfState configuration will start after the firewall is configured.";
+        description = "Content of IfState's initrd cleanup configuration file. See <https://ifstate.net/2.0/schema/> for details. This configuration gets applied before systemd switches to stage two. The goal is to deconfigurate the whole network in order to prevent access to services, before the firewall is configured. The stage two IfState configuration will start after the firewall is configured.";
       };
     };
   };
 
   config = lib.mkMerge [
+    (lib.mkIf (cfg.enable || initrdCfg.enable) {
+      # sane defaults to not let IfState work against the kernel
+      boot.extraModprobeConfig = ''
+        options bonding max_bonds=0
+        options dummy numdummies=0
+        options ifb numifbs=0
+      '';
+    })
     (lib.mkIf cfg.enable {
       assertions = [
         {
@@ -158,13 +166,6 @@ in
 
       networking.useDHCP = lib.mkDefault false;
 
-      # sane defaults to not let IfState work against the kernel
-      boot.extraModprobeConfig = ''
-        options bonding max_bonds=0
-        options dummy numdummies=0
-        options ifb numifbs=0
-      '';
-
       environment = {
         # ifstatecli command should be available to use user, there are other useful subcommands like check or show
         systemPackages = [ cfg.package ];

nixos/modules/services/networking/netbird.nix

@@ -688,6 +688,7 @@ in
             "org.freedesktop.resolve1.set-default-route",
             "org.freedesktop.resolve1.set-dns-servers",
             "org.freedesktop.resolve1.set-domains",
+            "org.freedesktop.resolve1.set-dnssec",
           ];
           var users = ${builtins.toJSON (toHardenedClientList (client: client.user.name))};
 

nixos/modules/services/networking/oink.nix

@@ -12,7 +12,10 @@ let
       lib.mapAttrs' (k: v: lib.nameValuePair (lib.toLower k) v) attrs
     );
   oinkConfig = makeOinkConfig {
-    global = cfg.settings;
+    global = removeAttrs cfg.settings [
+      "apiKey"
+      "secretApiKey"
+    ];
     domains = cfg.domains;
   };
 in

nixos/modules/services/networking/ssh/sshd.nix

@@ -381,6 +381,19 @@ in
         '';
       };
 
+      generateHostKeys = lib.mkOption {
+        type = lib.types.bool;
+        default = config.services.openssh.enable;
+        defaultText = lib.literalExpression "services.openssh.enable";
+        description = ''
+          Whether to generate SSH host keys.
+
+          This can be enabled explicitly if you want to generate host keys but
+          don't want to enable the SSH daemon.
+        '';
+        example = true;
+      };
+
       banner = lib.mkOption {
         type = lib.types.nullOr lib.types.lines;
         default = null;
@@ -669,115 +682,232 @@ in
 
   ###### implementation
 
-  config = lib.mkIf cfg.enable {
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
 
-    users.users.sshd = {
-      isSystemUser = true;
-      group = "sshd";
-      description = "SSH privilege separation user";
-    };
-    users.groups.sshd = { };
-
-    services.openssh.moduliFile = lib.mkDefault "${cfg.package}/etc/ssh/moduli";
-    services.openssh.sftpServerExecutable = lib.mkDefault "${cfg.package}/libexec/sftp-server";
-
-    environment.etc =
-      authKeysFiles
-      // authPrincipalsFiles
-      // {
-        "ssh/moduli".source = cfg.moduliFile;
-        "ssh/sshd_config".source = sshconf;
+      users.users.sshd = {
+        isSystemUser = true;
+        group = "sshd";
+        description = "SSH privilege separation user";
       };
+      users.groups.sshd = { };
 
-    systemd.tmpfiles.settings."ssh-root-provision" = {
-      "/root"."d-" = {
-        user = "root";
-        group = ":root";
-        mode = ":700";
-      };
-      "/root/.ssh"."d-" = {
-        user = "root";
-        group = ":root";
-        mode = ":700";
-      };
-      "/root/.ssh/authorized_keys"."f^" = {
-        user = "root";
-        group = ":root";
-        mode = ":600";
-        argument = "ssh.authorized_keys.root";
-      };
-    };
+      services.openssh.moduliFile = lib.mkDefault "${cfg.package}/etc/ssh/moduli";
+      services.openssh.sftpServerExecutable = lib.mkDefault "${cfg.package}/libexec/sftp-server";
 
-    systemd = {
-      sockets.sshd = lib.mkIf cfg.startWhenNeeded {
-        description = "SSH Socket";
-        wantedBy = [ "sockets.target" ];
-        socketConfig.ListenStream =
-          if cfg.listenAddresses != [ ] then
-            lib.concatMap (
-              { addr, port }:
-              if port != null then [ "${addr}:${toString port}" ] else map (p: "${addr}:${toString p}") cfg.ports
-            ) cfg.listenAddresses
-          else
-            cfg.ports;
-        socketConfig.Accept = true;
-        # Prevent brute-force attacks from shutting down socket
-        socketConfig.TriggerLimitIntervalSec = 0;
-      };
+      environment.etc =
+        authKeysFiles
+        // authPrincipalsFiles
+        // {
+          "ssh/moduli".source = cfg.moduliFile;
+          "ssh/sshd_config".source = sshconf;
+        };
 
-      services."sshd@" = {
-        description = "SSH per-connection Daemon";
-        after = [
-          "network.target"
-          "sshd-keygen.service"
-        ];
-        wants = [ "sshd-keygen.service" ];
-        stopIfChanged = false;
-        path = [ cfg.package ];
-        environment.LD_LIBRARY_PATH = nssModulesPath;
-
-        serviceConfig = {
-          ExecStart = lib.concatStringsSep " " [
-            "-${lib.getExe' cfg.package "sshd"}"
-            "-i"
-            "-D"
-            "-f /etc/ssh/sshd_config"
-          ];
-          KillMode = "process";
-          StandardInput = "socket";
-          StandardError = "journal";
+      systemd.tmpfiles.settings."ssh-root-provision" = {
+        "/root"."d-" = {
+          user = "root";
+          group = ":root";
+          mode = ":700";
+        };
+        "/root/.ssh"."d-" = {
+          user = "root";
+          group = ":root";
+          mode = ":700";
+        };
+        "/root/.ssh/authorized_keys"."f^" = {
+          user = "root";
+          group = ":root";
+          mode = ":600";
+          argument = "ssh.authorized_keys.root";
         };
       };
 
-      services.sshd = lib.mkIf (!cfg.startWhenNeeded) {
-        description = "SSH Daemon";
-        wantedBy = [ "multi-user.target" ];
-        after = [
-          "network.target"
-          "sshd-keygen.service"
-        ];
-        wants = [ "sshd-keygen.service" ];
-        stopIfChanged = false;
-        path = [ cfg.package ];
-        environment.LD_LIBRARY_PATH = nssModulesPath;
+      systemd = {
+        sockets.sshd = lib.mkIf cfg.startWhenNeeded {
+          description = "SSH Socket";
+          wantedBy = [ "sockets.target" ];
+          socketConfig.ListenStream =
+            if cfg.listenAddresses != [ ] then
+              lib.concatMap (
+                { addr, port }:
+                if port != null then [ "${addr}:${toString port}" ] else map (p: "${addr}:${toString p}") cfg.ports
+              ) cfg.listenAddresses
+            else
+              cfg.ports;
+          socketConfig.Accept = true;
+          # Prevent brute-force attacks from shutting down socket
+          socketConfig.TriggerLimitIntervalSec = 0;
+        };
 
-        restartTriggers = [ config.environment.etc."ssh/sshd_config".source ];
-
-        serviceConfig = {
-          Type = "notify-reload";
-          Restart = "always";
-          ExecStart = lib.concatStringsSep " " [
-            (lib.getExe' cfg.package "sshd")
-            "-D"
-            "-f"
-            "/etc/ssh/sshd_config"
+        services."sshd@" = {
+          description = "SSH per-connection Daemon";
+          after = [
+            "network.target"
+            "sshd-keygen.service"
           ];
-          KillMode = "process";
+          wants = lib.mkIf cfg.generateHostKeys [ "sshd-keygen.service" ];
+          stopIfChanged = false;
+          path = [ cfg.package ];
+          environment.LD_LIBRARY_PATH = nssModulesPath;
+
+          serviceConfig = {
+            ExecStart = lib.concatStringsSep " " [
+              "-${lib.getExe' cfg.package "sshd"}"
+              "-i"
+              "-D"
+              "-f /etc/ssh/sshd_config"
+            ];
+            KillMode = "process";
+            StandardInput = "socket";
+            StandardError = "journal";
+          };
+        };
+
+        services.sshd = lib.mkIf (!cfg.startWhenNeeded) {
+          description = "SSH Daemon";
+          wantedBy = [ "multi-user.target" ];
+          after = [
+            "network.target"
+            "sshd-keygen.service"
+          ];
+          wants = lib.mkIf cfg.generateHostKeys [ "sshd-keygen.service" ];
+          stopIfChanged = false;
+          path = [ cfg.package ];
+          environment.LD_LIBRARY_PATH = nssModulesPath;
+
+          restartTriggers = [ config.environment.etc."ssh/sshd_config".source ];
+
+          serviceConfig = {
+            Type = "notify-reload";
+            Restart = "always";
+            ExecStart = lib.concatStringsSep " " [
+              (lib.getExe' cfg.package "sshd")
+              "-D"
+              "-f"
+              "/etc/ssh/sshd_config"
+            ];
+            KillMode = "process";
+          };
         };
       };
 
-      services.sshd-keygen = {
+      networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall cfg.ports;
+
+      security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM {
+        startSession = true;
+        showMotd = true;
+        unixAuth = if cfg.settings.PasswordAuthentication == true then true else false;
+      };
+
+      # These values are merged with the ones defined externally, see:
+      # https://github.com/NixOS/nixpkgs/pull/10155
+      # https://github.com/NixOS/nixpkgs/pull/41745
+      services.openssh.authorizedKeysFiles =
+        lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys"
+        ++ [ "/etc/ssh/authorized_keys.d/%u" ];
+
+      services.openssh.settings.AuthorizedPrincipalsFile = lib.mkIf (
+        authPrincipalsFiles != { }
+      ) "/etc/ssh/authorized_principals.d/%u";
+
+      services.openssh.extraConfig = lib.mkOrder 0 (
+        lib.concatStringsSep "\n" (
+          [
+            "Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}"
+            "AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}"
+          ]
+          ++ lib.map (port: ''Port ${toString port}'') cfg.ports
+          ++ lib.map (
+            { port, addr, ... }:
+            ''ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)}''
+          ) cfg.listenAddresses
+          ++ lib.optional cfgc.setXAuthLocation "XAuthLocation ${lib.getExe pkgs.xorg.xauth}"
+          ++ lib.optional cfg.allowSFTP ''Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}''
+          ++ [
+            "AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}"
+          ]
+          ++ lib.optional (cfg.authorizedKeysCommand != "none") ''
+            AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
+            AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
+          ''
+          ++ lib.map (k: "HostKey ${k.path}") cfg.hostKeys
+        )
+      );
+
+      system.checks = [
+        (pkgs.runCommand "check-sshd-config"
+          {
+            nativeBuildInputs = [ validationPackage ];
+          }
+          ''
+            ${lib.concatMapStringsSep "\n" (
+              lport: "sshd -G -T -C lport=${toString lport} -f ${sshconf} > /dev/null"
+            ) cfg.ports}
+            ${lib.concatMapStringsSep "\n" (
+              la:
+              lib.concatMapStringsSep "\n" (
+                port:
+                "sshd -G -T -C ${lib.escapeShellArg "laddr=${la.addr},lport=${toString port}"} -f ${sshconf} > /dev/null"
+              ) (if la.port != null then [ la.port ] else cfg.ports)
+            ) cfg.listenAddresses}
+            touch $out
+          ''
+        )
+      ];
+
+      assertions = [
+        {
+          assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;
+          message = "cannot enable X11 forwarding without setting xauth location";
+        }
+        {
+          assertion =
+            (builtins.match "(.*\n)?(\t )*[Kk][Ee][Rr][Bb][Ee][Rr][Oo][Ss][Aa][Uu][Tt][Hh][Ee][Nn][Tt][Ii][Cc][Aa][Tt][Ii][Oo][Nn][ |\t|=|\"]+yes.*" "${configFile}\n${cfg.extraConfig}")
+            != null
+            -> cfgc.package.withKerberos;
+          message = "cannot enable Kerberos authentication without using a package with Kerberos support";
+        }
+        {
+          assertion =
+            (builtins.match "(.*\n)?(\t )*[Gg][Ss][Ss][Aa][Pp][Ii][Aa][Uu][Tt][Hh][Ee][Nn][Tt][Ii][Cc][Aa][Tt][Ii][Oo][Nn][ |\t|=|\"]+yes.*" "${configFile}\n${cfg.extraConfig}")
+            != null
+            -> cfgc.package.withKerberos;
+          message = "cannot enable GSSAPI authentication without using a package with Kerberos support";
+        }
+        (
+          let
+            duplicates =
+              # Filter out the groups with more than 1 element
+              lib.filter (l: lib.length l > 1) (
+                # Grab the groups, we don't care about the group identifiers
+                lib.attrValues (
+                  # Group the settings that are the same in lower case
+                  lib.groupBy lib.strings.toLower (lib.attrNames cfg.settings)
+                )
+              );
+            formattedDuplicates = lib.concatMapStringsSep ", " (
+              dupl: "(${lib.concatStringsSep ", " dupl})"
+            ) duplicates;
+          in
+          {
+            assertion = lib.length duplicates == 0;
+            message = ''Duplicate sshd config key; does your capitalization match the option's? Duplicate keys: ${formattedDuplicates}'';
+          }
+        )
+      ]
+      ++ lib.forEach cfg.listenAddresses (
+        { addr, ... }:
+        {
+          assertion = addr != null;
+          message = "addr must be specified in each listenAddresses entry";
+        }
+      );
+    })
+
+    (lib.mkIf cfg.generateHostKeys {
+      systemd.services.sshd-keygen = {
         description = "SSH Host Keys Generation";
+        wantedBy = [ "multi-user.target" ];
         unitConfig = {
           ConditionFileNotEmpty = map (k: "|!${k.path}") cfg.hostKeys;
         };
@@ -802,119 +932,7 @@ in
           fi
         '');
       };
-    };
-
-    networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall cfg.ports;
-
-    security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM {
-      startSession = true;
-      showMotd = true;
-      unixAuth = if cfg.settings.PasswordAuthentication == true then true else false;
-    };
-
-    # These values are merged with the ones defined externally, see:
-    # https://github.com/NixOS/nixpkgs/pull/10155
-    # https://github.com/NixOS/nixpkgs/pull/41745
-    services.openssh.authorizedKeysFiles =
-      lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys"
-      ++ [ "/etc/ssh/authorized_keys.d/%u" ];
-
-    services.openssh.settings.AuthorizedPrincipalsFile = lib.mkIf (
-      authPrincipalsFiles != { }
-    ) "/etc/ssh/authorized_principals.d/%u";
-
-    services.openssh.extraConfig = lib.mkOrder 0 (
-      lib.concatStringsSep "\n" (
-        [
-          "Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}"
-          "AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}"
-        ]
-        ++ lib.map (port: ''Port ${toString port}'') cfg.ports
-        ++ lib.map (
-          { port, addr, ... }:
-          ''ListenAddress ${addr}${lib.optionalString (port != null) (":" + toString port)}''
-        ) cfg.listenAddresses
-        ++ lib.optional cfgc.setXAuthLocation "XAuthLocation ${lib.getExe pkgs.xorg.xauth}"
-        ++ lib.optional cfg.allowSFTP ''Subsystem sftp ${cfg.sftpServerExecutable} ${lib.concatStringsSep " " cfg.sftpFlags}''
-        ++ [
-          "AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}"
-        ]
-        ++ lib.optional (cfg.authorizedKeysCommand != "none") ''
-          AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
-          AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
-        ''
-        ++ lib.map (k: "HostKey ${k.path}") cfg.hostKeys
-      )
-    );
-
-    system.checks = [
-      (pkgs.runCommand "check-sshd-config"
-        {
-          nativeBuildInputs = [ validationPackage ];
-        }
-        ''
-          ${lib.concatMapStringsSep "\n" (
-            lport: "sshd -G -T -C lport=${toString lport} -f ${sshconf} > /dev/null"
-          ) cfg.ports}
-          ${lib.concatMapStringsSep "\n" (
-            la:
-            lib.concatMapStringsSep "\n" (
-              port:
-              "sshd -G -T -C ${lib.escapeShellArg "laddr=${la.addr},lport=${toString port}"} -f ${sshconf} > /dev/null"
-            ) (if la.port != null then [ la.port ] else cfg.ports)
-          ) cfg.listenAddresses}
-          touch $out
-        ''
-      )
-    ];
-
-    assertions = [
-      {
-        assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;
-        message = "cannot enable X11 forwarding without setting xauth location";
-      }
-      {
-        assertion =
-          (builtins.match "(.*\n)?(\t )*[Kk][Ee][Rr][Bb][Ee][Rr][Oo][Ss][Aa][Uu][Tt][Hh][Ee][Nn][Tt][Ii][Cc][Aa][Tt][Ii][Oo][Nn][ |\t|=|\"]+yes.*" "${configFile}\n${cfg.extraConfig}")
-          != null
-          -> cfgc.package.withKerberos;
-        message = "cannot enable Kerberos authentication without using a package with Kerberos support";
-      }
-      {
-        assertion =
-          (builtins.match "(.*\n)?(\t )*[Gg][Ss][Ss][Aa][Pp][Ii][Aa][Uu][Tt][Hh][Ee][Nn][Tt][Ii][Cc][Aa][Tt][Ii][Oo][Nn][ |\t|=|\"]+yes.*" "${configFile}\n${cfg.extraConfig}")
-          != null
-          -> cfgc.package.withKerberos;
-        message = "cannot enable GSSAPI authentication without using a package with Kerberos support";
-      }
-      (
-        let
-          duplicates =
-            # Filter out the groups with more than 1 element
-            lib.filter (l: lib.length l > 1) (
-              # Grab the groups, we don't care about the group identifiers
-              lib.attrValues (
-                # Group the settings that are the same in lower case
-                lib.groupBy lib.strings.toLower (lib.attrNames cfg.settings)
-              )
-            );
-          formattedDuplicates = lib.concatMapStringsSep ", " (
-            dupl: "(${lib.concatStringsSep ", " dupl})"
-          ) duplicates;
-        in
-        {
-          assertion = lib.length duplicates == 0;
-          message = ''Duplicate sshd config key; does your capitalization match the option's? Duplicate keys: ${formattedDuplicates}'';
-        }
-      )
-    ]
-    ++ lib.forEach cfg.listenAddresses (
-      { addr, ... }:
-      {
-        assertion = addr != null;
-        message = "addr must be specified in each listenAddresses entry";
-      }
-    );
-  };
+    })
+  ];
 
 }

nixos/modules/services/system/self-deploy.nix

@@ -179,10 +179,16 @@ in
         ${gitWithRepo} checkout FETCH_HEAD
 
         nix-build${renderNixArgs cfg.nixArgs} ${
-          lib.cli.toCommandLineShellGNU { } {
-            attr = cfg.nixAttribute;
-            out-link = outPath;
-          }
+          lib.cli.toCommandLineShell
+            (optionName: {
+              option = "--${optionName}";
+              sep = null;
+              explicitBool = false;
+            })
+            {
+              attr = cfg.nixAttribute;
+              out-link = outPath;
+            }
         } ${lib.escapeShellArg "${repositoryDirectory}${cfg.nixFile}"}
 
         ${lib.optionalString (

nixos/modules/services/web-apps/convos.nix

@@ -41,7 +41,7 @@ in
     systemd.services.convos = {
       description = "Convos Service";
       wantedBy = [ "multi-user.target" ];
-      after = [ "networking.target" ];
+      after = [ "network.target" ];
       environment = {
         CONVOS_HOME = "%S/convos";
         CONVOS_REVERSE_PROXY = if cfg.reverseProxy then "1" else "0";

nixos/modules/services/web-apps/cryptpad.nix

@@ -134,7 +134,7 @@ in
       systemd.services.cryptpad = {
         description = "Cryptpad service";
         wantedBy = [ "multi-user.target" ];
-        after = [ "networking.target" ];
+        after = [ "network.target" ];
         serviceConfig = {
           BindReadOnlyPaths = [
             cryptpadConfigFile

nixos/modules/services/web-apps/dex.nix

@@ -99,7 +99,7 @@ in
       description = "dex identity provider";
       wantedBy = [ "multi-user.target" ];
       after = [
-        "networking.target"
+        "network.target"
       ]
       ++ (optional (cfg.settings.storage.type == "postgres") "postgresql.target");
       path = with pkgs; [ replace-secret ];

nixos/modules/services/web-apps/hedgedoc.nix

@@ -294,7 +294,7 @@ in
       description = "HedgeDoc Service";
       documentation = [ "https://docs.hedgedoc.org/" ];
       wantedBy = [ "multi-user.target" ];
-      after = [ "networking.target" ];
+      after = [ "network.target" ];
       preStart =
         let
           configFile = settingsFormat.generate "hedgedoc-config.json" {

nixos/modules/services/web-apps/hledger-web.nix

@@ -134,7 +134,7 @@ in
           "https://hledger.org/hledger-web.html"
         ];
         wantedBy = [ "multi-user.target" ];
-        after = [ "networking.target" ];
+        after = [ "network.target" ];
         serviceConfig = mkMerge [
           {
             ExecStart = "${pkgs.hledger-web}/bin/hledger-web ${serverArgs}";

nixos/modules/services/web-apps/mediawiki.nix

@@ -40,9 +40,6 @@ let
   cacheDir = "/var/cache/mediawiki";
   stateDir = "/var/lib/mediawiki";
 
-  # https://www.mediawiki.org/wiki/Compatibility
-  php = pkgs.php82;
-
   pkg = pkgs.stdenv.mkDerivation rec {
     pname = "mediawiki-full";
     inherit (src) version;
@@ -79,7 +76,7 @@ let
       }
       ''
         mkdir -p $out/bin
-        makeWrapper ${php}/bin/php $out/bin/mediawiki-maintenance \
+        makeWrapper ${cfg.phpPackage}/bin/php $out/bin/mediawiki-maintenance \
           --set MEDIAWIKI_CONFIG ${mediawikiConfig} \
           --add-flags ${pkg}/share/mediawiki/maintenance/run.php
 
@@ -115,7 +112,7 @@ let
   mediawikiConfig = pkgs.writeTextFile {
     name = "LocalSettings.php";
     checkPhase = ''
-      ${php}/bin/php --syntax-check "$target"
+      ${cfg.phpPackage}/bin/php --syntax-check "$target"
     '';
     text = ''
       <?php
@@ -255,6 +252,11 @@ in
 
       package = mkPackageOption pkgs "mediawiki" { };
 
+      # https://www.mediawiki.org/wiki/Compatibility
+      phpPackage = mkPackageOption pkgs "php" {
+        default = "php82";
+      };
+
       finalPackage = mkOption {
         type = types.package;
         readOnly = true;
@@ -588,7 +590,7 @@ in
     services.phpfpm.pools.mediawiki = {
       inherit user group;
       phpEnv.MEDIAWIKI_CONFIG = "${mediawikiConfig}";
-      phpPackage = php;
+      phpPackage = cfg.phpPackage;
       settings =
         (
           if (cfg.webserver == "apache") then
@@ -712,8 +714,8 @@ in
         fi
 
         echo "exit( \$this->getPrimaryDB()->tableExists( 'user' ) ? 1 : 0 );" | \
-        ${php}/bin/php ${pkg}/share/mediawiki/maintenance/run.php eval --conf ${mediawikiConfig} && \
-        ${php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
+        ${cfg.phpPackage}/bin/php ${pkg}/share/mediawiki/maintenance/run.php eval --conf ${mediawikiConfig} && \
+        ${cfg.phpPackage}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
           --confpath /tmp \
           --scriptpath / \
           --dbserver ${lib.escapeShellArg dbAddr} \
@@ -735,7 +737,7 @@ in
           ${lib.escapeShellArg cfg.name} \
           admin
 
-        ${php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick --skip-external-dependencies
+        ${cfg.phpPackage}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick --skip-external-dependencies
       '';
 
       serviceConfig = {

nixos/modules/services/web-apps/miniflux.nix

@@ -64,8 +64,13 @@ in
               example = "127.0.0.1:8080, 127.0.0.1:8081";
             };
             DATABASE_URL = mkOption {
-              type = types.str;
-              defaultText = "user=miniflux host=/run/postgresql dbname=miniflux";
+              type = types.nullOr types.str;
+              defaultText = literalExpression ''
+                if createDatabaseLocally then "user=miniflux host=/run/postgresql dbname=miniflux" else null
+              '';
+              default =
+                if cfg.createDatabaseLocally then "user=miniflux host=/run/postgresql dbname=miniflux" else null;
+
               description = ''
                 Postgresql connection parameters.
                 See [lib/pq](https://pkg.go.dev/github.com/lib/pq#hdr-Connection_String_Parameters) for more details.
@@ -116,9 +121,6 @@ in
         message = "services.miniflux.adminCredentialsFile must be set if services.miniflux.config.CREATE_ADMIN is 1";
       }
     ];
-    services.miniflux.config = {
-      DATABASE_URL = lib.mkIf cfg.createDatabaseLocally "user=miniflux host=/run/postgresql dbname=miniflux";
-    };
 
     services.postgresql = lib.mkIf cfg.createDatabaseLocally {
       enable = true;
@@ -202,7 +204,7 @@ in
         UMask = "0077";
       };
 
-      environment = lib.mapAttrs (_: toString) cfg.config;
+      environment = lib.mapAttrs (_: toString) (lib.filterAttrs (_: v: v != null) cfg.config);
     };
     environment.systemPackages = [ cfg.package ];
 

nixos/modules/services/web-apps/nextcloud.nix

@@ -1100,8 +1100,8 @@ in
             '';
           };
           mail_smtpstreamoptions = lib.mkOption {
-            type = lib.types.listOf lib.types.str;
-            default = [ ];
+            type = lib.types.attrsOf (lib.types.attrsOf lib.types.anything);
+            default = { };
             description = ''
               This depends on `mail_smtpmode`. Array of additional streams options that will be passed to underlying Swift mailer implementation.
             '';

nixos/modules/services/web-apps/node-red.nix

@@ -119,7 +119,7 @@ in
     systemd.services.node-red = {
       description = "Node-RED Service";
       wantedBy = [ "multi-user.target" ];
-      after = [ "networking.target" ];
+      after = [ "network.target" ];
       environment = {
         HOME = cfg.userDir;
       };

nixos/modules/services/web-apps/outline.nix

@@ -679,7 +679,7 @@ in
         description = "Outline wiki and knowledge base";
         wantedBy = [ "multi-user.target" ];
         after = [
-          "networking.target"
+          "network.target"
         ]
         ++ lib.optional (cfg.databaseUrl == "local") "postgresql.target"
         ++ lib.optional (cfg.redisUrl == "local") "redis-outline.service";

nixos/modules/services/web-apps/powerdns-admin.nix

@@ -84,7 +84,7 @@ in
     systemd.services.powerdns-admin = {
       description = "PowerDNS web interface";
       wantedBy = [ "multi-user.target" ];
-      after = [ "networking.target" ];
+      after = [ "network.target" ];
 
       environment.FLASK_CONF = builtins.toFile "powerdns-admin-config.py" configText;
       environment.PYTHONPATH = pkgs.powerdns-admin.pythonPath;

nixos/modules/services/web-apps/pretalx.nix

@@ -12,9 +12,7 @@ let
 
   configFile = format.generate "pretalx.cfg" cfg.settings;
 
-  finalPackage = cfg.package.override {
-    inherit (cfg) plugins;
-  };
+  inherit (cfg) finalPackage;
 
   pythonEnv = finalPackage.python.buildEnv.override {
     extraLibs =
@@ -41,6 +39,22 @@ in
 
     package = lib.mkPackageOption pkgs "pretalx" { };
 
+    finalPackage = lib.mkOption {
+      type = lib.types.package;
+      default = cfg.package.override {
+        inherit (cfg) plugins;
+      };
+      defaultText = ''
+        config.services.package.override {
+          inherit (config.services.pretalx) plugins;
+        }
+      '';
+      readOnly = true;
+      description = ''
+        The effective pretalx package used. This is the base package with the selected plugins applied.
+      '';
+    };
+
     group = lib.mkOption {
       type = lib.types.str;
       default = "pretalx";
@@ -220,8 +234,8 @@ in
             };
             static = lib.mkOption {
               type = lib.types.path;
-              default = "${cfg.package.static}/";
-              defaultText = lib.literalExpression "\${config.services.pretalx.package}.static}/";
+              default = "${finalPackage.static}/";
+              defaultText = "\${config.services.pretalx.finalPackage.static}/";
               readOnly = true;
               description = ''
                 Path to the directory that contains static files.
@@ -299,7 +313,7 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    # https://docs.pretalx.org/administrator/installation.html
+    # https://docs.pretalx.org/administrator/installation/
 
     environment.systemPackages = [
       (pkgs.writeScriptBin "pretalx-manage" ''
@@ -331,7 +345,7 @@ in
         recommendedTlsSettings = lib.mkDefault true;
         upstreams.pretalx.servers."unix:/run/pretalx/pretalx.sock" = { };
         virtualHosts.${cfg.nginx.domain} = {
-          # https://docs.pretalx.org/administrator/installation.html#step-7-ssl
+          # https://docs.pretalx.org/administrator/installation/#step-8-reverse-proxy
           extraConfig = ''
             more_set_headers "Referrer-Policy: same-origin";
             more_set_headers "X-Content-Type-Options: nosniff";
@@ -442,7 +456,7 @@ in
           preStart =
             let
               versionString = lib.concatStringsSep "\n" (
-                [ "pretalx-${cfg.package.version}" ]
+                [ "pretalx-${finalPackage.version}" ]
                 ++ map (plugin: "${plugin.pname}-${plugin.version}") cfg.plugins
               );
             in

nixos/modules/services/web-apps/weblate.nix

@@ -369,9 +369,10 @@ in
             });
           in
           ''
-            ${gunicorn}/bin/gunicorn \
+            ${lib.getExe gunicorn} \
               --name=weblate \
               --bind='unix:///run/weblate.socket' \
+              --preload \
               weblate.wsgi
           '';
         ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -s HUP $MAINPID";

nixos/modules/services/web-servers/nginx/default.nix

@@ -205,9 +205,9 @@ let
             ${optionalString (cfg.sslDhparam != null) "ssl_dhparam ${cfg.sslDhparam};"}
 
             ${optionalString cfg.recommendedTlsSettings ''
-              # Keep in sync with https://ssl-config.mozilla.org/#server=nginx&config=intermediate
+              # Consider https://ssl-config.mozilla.org/#server=nginx&config=intermediate as the lower bound
 
-              ssl_ecdh_curve X25519:prime256v1:secp384r1;
+              ssl_conf_command Groups "X25519MLKEM768:X25519:P-256:P-384";
               ssl_session_timeout 1d;
               ssl_session_cache shared:SSL:10m;
               # Breaks forward secrecy: https://github.com/mozilla/server-side-tls/issues/135
@@ -573,10 +573,7 @@ let
 
   mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;
 
-  oldHTTP2 = (
-    versionOlder cfg.package.version "1.25.1"
-    && !(cfg.package.pname == "angie" || cfg.package.pname == "angieQuic")
-  );
+  oldHTTP2 = (versionOlder cfg.package.version "1.25.1" && !(cfg.package.pname == "angie"));
 in
 
 {
@@ -778,7 +775,6 @@ in
           that the nginx team recommends to use the mainline version which
           available in nixpkgs as `nginxMainline`.
           Supported Nginx forks include `angie`, `openresty` and `tengine`.
-          For HTTP/3 support use `nginxQuic` or `angieQuic`.
         '';
       };
 
@@ -1374,27 +1370,6 @@ in
           '';
         }
 
-        {
-          assertion =
-            cfg.package.pname != "nginxQuic" && cfg.package.pname != "angieQuic" -> !(cfg.enableQuicBPF);
-          message = ''
-            services.nginx.enableQuicBPF requires using nginxQuic package,
-            which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;` or
-            `services.nginx.package = pkgs.angieQuic;`.
-          '';
-        }
-
-        {
-          assertion =
-            cfg.package.pname != "nginxQuic" && cfg.package.pname != "angieQuic"
-            -> all (host: !host.quic) (attrValues virtualHosts);
-          message = ''
-            services.nginx.service.virtualHosts.<name>.quic requires using nginxQuic or angie packages,
-            which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;` or
-            `services.nginx.package = pkgs.angieQuic;`.
-          '';
-        }
-
         {
           # The idea is to understand whether there is a virtual host with a listen configuration
           # that requires ACME configuration but has no HTTP listener which will make deterministically fail

nixos/modules/services/web-servers/nginx/vhost-options.nix

@@ -243,9 +243,7 @@ with lib;
       default = true;
       description = ''
         Whether to enable the HTTP/3 protocol.
-        This requires using `pkgs.nginxQuic` package
-        which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`
-        and activate the QUIC transport protocol
+        This requires activating the QUIC transport protocol
         `services.nginx.virtualHosts.<name>.quic = true;`.
         Note that HTTP/3 support is experimental and *not* yet recommended for production.
         Read more at <https://quic.nginx.org/>
@@ -258,9 +256,7 @@ with lib;
       default = false;
       description = ''
         Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests.
-        This requires using `pkgs.nginxQuic` package
-        which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`
-        and activate the QUIC transport protocol
+        This requires activating the QUIC transport protocol
         `services.nginx.virtualHosts.<name>.quic = true;`.
         Note that special application protocol support is experimental and *not* yet recommended for production.
         Read more at <https://quic.nginx.org/>
@@ -272,8 +268,6 @@ with lib;
       default = false;
       description = ''
         Whether to enable the QUIC transport protocol.
-        This requires using `pkgs.nginxQuic` package
-        which can be achieved by setting `services.nginx.package = pkgs.nginxQuic;`.
         Note that QUIC support is experimental and
         *not* yet recommended for production.
         Read more at <https://quic.nginx.org/>

nixos/modules/system/boot/zram-as-tmp.nix

@@ -85,6 +85,10 @@ in
       }
     ];
 
+    boot.supportedFilesystems = {
+      ${cfg.zramSettings.fs-type} = true;
+    };
+
     services.zram-generator.enable = true;
     services.zram-generator.settings =
       let

nixos/modules/virtualisation/incus.nix

@@ -288,7 +288,7 @@ in
         assertion =
           !(
             config.networking.firewall.enable
-            && !config.networking.nftables.enable
+            && !(config.networking.nftables.enable || config.networking.firewall.backend == "nftables")
             && config.virtualisation.incus.enable
           );
         message = "Incus on NixOS is unsupported using iptables. Set `networking.nftables.enable = true;`";

nixos/modules/virtualisation/multipass.nix

@@ -1,66 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-let
-  cfg = config.virtualisation.multipass;
-in
-{
-  options = {
-    virtualisation.multipass = {
-      enable = lib.mkEnableOption "Multipass, a simple manager for virtualised Ubuntu instances";
-
-      logLevel = lib.mkOption {
-        type = lib.types.enum [
-          "error"
-          "warning"
-          "info"
-          "debug"
-          "trace"
-        ];
-        default = "debug";
-        description = ''
-          The logging verbosity of the multipassd binary.
-        '';
-      };
-
-      package = lib.mkPackageOption pkgs "multipass" { };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    environment.systemPackages = [ cfg.package ];
-
-    systemd.services.multipass = {
-      description = "Multipass orchestrates virtual Ubuntu instances.";
-
-      wantedBy = [ "multi-user.target" ];
-      wants = [ "network-online.target" ];
-      after = [ "network-online.target" ];
-
-      environment = {
-        "XDG_DATA_HOME" = "/var/lib/multipass/data";
-        "XDG_CACHE_HOME" = "/var/lib/multipass/cache";
-        "XDG_CONFIG_HOME" = "/var/lib/multipass/config";
-      };
-
-      serviceConfig = {
-        ExecStart = "${cfg.package}/bin/multipassd --logger platform --verbosity ${cfg.logLevel}";
-        SyslogIdentifier = "multipassd";
-        Restart = "on-failure";
-        TimeoutStopSec = 300;
-        Type = "simple";
-
-        WorkingDirectory = "/var/lib/multipass";
-
-        StateDirectory = "multipass";
-        StateDirectoryMode = "0750";
-        CacheDirectory = "multipass";
-        CacheDirectoryMode = "0750";
-      };
-    };
-  };
-}

nixos/modules/virtualisation/rosetta.nix

@@ -76,7 +76,7 @@ in
       mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
       fixBinary = true;
       matchCredentials = true;
-      preserveArgvZero = false;
+      preserveArgvZero = true;
 
       # Remove the shell wrapper and call the runtime directly
       wrapInterpreterInShell = false;

nixos/release.nix

@@ -30,7 +30,8 @@ let
 
   version = fileContents ../.version;
   versionSuffix =
-    (if stableBranch then "." else "pre") + "${toString nixpkgs.revCount}.${nixpkgs.shortRev}";
+    (if stableBranch then "." else "beta")
+    + "${toString (nixpkgs.revCount - 901827)}.${nixpkgs.shortRev}";
 
   # Run the tests for each platform.  You can run a test by doing
   # e.g. ‘nix-build release.nix -A tests.login.x86_64-linux’,

nixos/tests/all-tests.nix

@@ -522,7 +522,7 @@ in
   };
   ergo = runTest ./ergo.nix;
   ergochat = runTest ./ergochat.nix;
-  ersatztv = handleTest ./ersatztv.nix { };
+  ersatztv = runTest ./ersatztv.nix;
   espanso = import ./espanso.nix {
     inherit (pkgs) lib;
     inherit runTest;
@@ -569,6 +569,7 @@ in
     imports = [ ./firefox.nix ];
     _module.args.firefoxPackage = pkgs.firefox-esr-140;
   };
+  firefox-syncserver = runTest ./firefox-syncserver.nix;
   firefoxpwa = runTest ./firefoxpwa.nix;
   firejail = runTest ./firejail.nix;
   firewall = runTest {
@@ -982,7 +983,6 @@ in
   mpd = runTest ./mpd.nix;
   mpv = runTest ./mpv.nix;
   mtp = runTest ./mtp.nix;
-  multipass = runTest ./multipass.nix;
   mumble = runTest ./mumble.nix;
   munge = runTest ./munge.nix;
   munin = runTest ./munin.nix;

nixos/tests/anki-sync-server.nix

@@ -4,11 +4,21 @@ let
     #!${pkgs.python3}/bin/python
 
     import sys
+    import os
 
-    # get site paths from anki itself
-    from runpy import run_path
-    run_path("${pkgs.anki}/bin/.anki-wrapped")
-    import anki
+    # anki is built with buildPythonApplication.
+    # anki.lib is not a 'proper' python library, meaning it
+    # is not recognized in 'withPackages' (due to hasPythonModule in
+    # https://github.com/NixOS/nixpkgs/blob/7ef35a9f3abb638647d68b10cccae549094b8054/pkgs/development/interpreters/python/python-packages-base.nix#L89
+    # and contains the collection of all python libraries used
+    # by anki rather than just the anki itself.
+    anki_libs = "${pkgs.anki.lib}/${pkgs.python3.sitePackages}"
+    if not os.path.isdir(anki_libs):
+      print(f"'{anki_libs}' not found, possible python version mismatch")
+      exit(1)
+    sys.path.append(anki_libs)
+
+    import anki.collection
 
     col = anki.collection.Collection('test_collection')
     endpoint = 'http://localhost:27701'

nixos/tests/certmgr.nix

@@ -103,7 +103,7 @@ let
             };
             systemd.services.cfssl.after = [
               "cfssl-init.service"
-              "networking.target"
+              "network.target"
             ];
 
             systemd.tmpfiles.rules = [ "d /var/ssl 777 root root" ];

nixos/tests/clickhouse/ui.nix

@@ -16,6 +16,8 @@
         ...
       }:
       {
+        virtualisation.memorySize = 1024 * 2;
+
         environment.systemPackages =
           let
             clickhouseSeleniumScript =

nixos/tests/ersatztv.nix

@@ -1,21 +1,41 @@
-import ./make-test-python.nix (
-  { lib, ... }:
+{ lib, ... }:
 
-  {
-    name = "ersatztv";
-    meta.maintainers = with lib.maintainers; [ allout58 ];
+{
+  name = "ersatztv";
+  meta.maintainers = with lib.maintainers; [ allout58 ];
 
-    nodes.machine =
-      { ... }:
-      {
-        services.ersatztv.enable = true;
-      };
+  nodes.basic =
+    { ... }:
+    {
+      services.ersatztv.enable = true;
+    };
+  nodes.reconfigured =
+    { ... }:
+    {
+      services.ersatztv.enable = true;
+      services.ersatztv.environment.ETV_UI_PORT = 8123;
+      services.ersatztv.openFirewall = true;
+    };
 
-    # ErsatzTV doesn't really have an API to speak of currently, so just check if it responds at all
-    testScript = ''
-      machine.wait_for_unit("ersatztv.service")
-      machine.wait_for_open_port(8409)
-      machine.succeed("curl --fail http://localhost:8409/")
+  # ErsatzTV doesn't really have an API to speak of currently, so just check if it responds at all
+  testScript =
+    { nodes, ... }:
+    let
+      basicIp = (lib.head nodes.basic.networking.interfaces.eth1.ipv4.addresses).address;
+      reconfiguredIp = (lib.head nodes.reconfigured.networking.interfaces.eth1.ipv4.addresses).address;
+    in
+    ''
+      start_all()
+      basic.wait_for_unit("ersatztv.service")
+      basic.wait_for_open_port(8409)
+      basic.succeed("curl --fail http://localhost:8409/api/sessions")
+
+      reconfigured.wait_for_unit("ersatztv.service")
+      reconfigured.wait_for_open_port(8123)
+      reconfigured.succeed("curl --fail http://localhost:8123/api/sessions")
+
+      # Test that the firewall is open
+      reconfigured.fail("curl --fail --connect-timeout 5 http://${basicIp}:8409/api/sessions")
+      basic.succeed("curl --fail http://${reconfiguredIp}:8123/api/sessions")
     '';
-  }
-)
+}

nixos/tests/firefox-syncserver.nix

@@ -0,0 +1,32 @@
+{
+  pkgs,
+  ...
+}:
+
+{
+  name = "firefox-syncserver";
+  nodes.machine = {
+    services.mysql = {
+      enable = true;
+      package = pkgs.mariadb;
+    };
+
+    services.firefox-syncserver = {
+      enable = true;
+      secrets = pkgs.writeText "secret" "this-is-a-test";
+      singleNode = {
+        enable = true;
+        hostname = "firefox-syncserver.local";
+        capacity = 1;
+      };
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("firefox-syncserver.service")
+    machine.wait_for_open_port(5000)
+
+    machine.wait_until_succeeds("curl --fail http://127.0.0.1:5000")
+
+  '';
+}

nixos/tests/gollum.nix

@@ -7,6 +7,13 @@
       { pkgs, lib, ... }:
       {
         services.gollum.enable = true;
+        services.gollum.extraConfig = ''
+          wiki_options = {
+            show_local_time: true
+          }
+
+          Precious::App.set(:wiki_options, wiki_options)
+        '';
       };
   };
 

nixos/tests/haproxy.nix

@@ -8,9 +8,6 @@
         services.haproxy = {
           enable = true;
           config = ''
-            global
-              limited-quic
-
             defaults
               mode http
               timeout connect 10s

nixos/tests/ifstate/initrd-partial-broken-config.nix

@@ -28,6 +28,9 @@ in
         };
 
         boot.initrd = {
+          # otherwise the interfaces do not get created
+          kernelModules = [ "virtio_net" ];
+
           network = {
             enable = true;
             ifstate = lib.mkMerge [
@@ -46,6 +49,7 @@ in
               }
             ];
           };
+
           systemd = {
             enable = true;
             network.enable = false;

nixos/tests/ifstate/initrd-wireguard.nix

@@ -10,19 +10,20 @@ let
     {
       enable = true;
       settings = {
-        interfaces = {
-          eth1 = {
-            addresses = [ "2001:0db8:a::${builtins.toString id}/64" ];
-            link = {
-              state = "up";
-              kind = "physical";
-            };
+        namespaces.outside.interfaces.eth1 = {
+          addresses = [ "2001:0db8:a::${builtins.toString id}/64" ];
+          link = {
+            state = "up";
+            kind = "physical";
           };
+        };
+        interfaces = {
           wg0 = {
             addresses = [ "2001:0db8:b::${builtins.toString id}/64" ];
             link = {
               state = "up";
               kind = "wireguard";
+              bind_netns = "outside";
             };
             wireguard = {
               private_key = "!include ${pkgs.writeText "wg_priv.key" wgPriv}";
@@ -61,6 +62,9 @@ in
         };
 
         boot.initrd = {
+          # otherwise the interfaces do not get created
+          kernelModules = [ "virtio_net" ];
+
           network = {
             enable = true;
             ifstate =
@@ -72,12 +76,10 @@ in
                 wgPeerId = 2;
               }
               // {
-                package = pkgs.ifstate.override {
-                  withConfigValidation = false;
-                };
                 allowIfstateToDrasticlyIncreaseInitrdSize = true;
               };
           };
+
           systemd = {
             enable = true;
             network.enable = false;

nixos/tests/ifstate/initrd.nix

@@ -26,12 +26,16 @@ in
       };
 
       boot.initrd = {
+        # otherwise the interfaces do not get created
+        kernelModules = [ "virtio_net" ];
+
         network = {
           enable = true;
           ifstate = mkIfStateConfig 1 // {
             allowIfstateToDrasticlyIncreaseInitrdSize = true;
           };
         };
+
         systemd = {
           enable = true;
           network.enable = false;

nixos/tests/multipass.nix

@@ -1,39 +0,0 @@
-{ pkgs, lib, ... }:
-
-let
-  multipass-image = import ../release.nix {
-    configuration = {
-      # Building documentation makes the test unnecessarily take a longer time:
-      documentation.enable = lib.mkForce false;
-    };
-  };
-
-in
-{
-  name = "multipass";
-
-  meta.maintainers = [ ];
-
-  nodes.machine =
-    { lib, ... }:
-    {
-      virtualisation = {
-        cores = 1;
-        memorySize = 1024;
-        diskSize = 4096;
-
-        multipass.enable = true;
-      };
-    };
-
-  testScript = ''
-    machine.wait_for_unit("sockets.target")
-    machine.wait_for_unit("multipass.service")
-    machine.wait_for_file("/var/lib/multipass/data/multipassd/network/multipass_subnet")
-
-    # Wait for Multipass to settle
-    machine.sleep(1)
-
-    machine.succeed("multipass list")
-  '';
-}

nixos/tests/nginx-http3.nix

@@ -90,7 +90,6 @@ builtins.listToAttrs (
 
           server.wait_for_unit("nginx")
           server.wait_for_open_port(443)
-          client.wait_for_unit("network-online.target")
 
           # Check http connections
           client.succeed("curl --verbose --http3-only https://acme.test | grep 'Hello World!'")
@@ -114,7 +113,7 @@ builtins.listToAttrs (
       };
     })
     [
-      pkgs.angieQuic
-      pkgs.nginxQuic
+      pkgs.angie
+      pkgs.nginx
     ]
 )

nixos/tests/nginx-variants.nix

@@ -25,10 +25,8 @@ builtins.listToAttrs (
     })
     [
       "angie"
-      "angieQuic"
       "nginxStable"
       "nginxMainline"
-      "nginxQuic"
       "nginxShibboleth"
       "openresty"
       "tengine"

nixos/tests/ollama-cuda.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 {
   name = "ollama-cuda";
   meta.maintainers = with lib.maintainers; [ abysssol ];
@@ -7,7 +7,7 @@
     { ... }:
     {
       services.ollama.enable = true;
-      services.ollama.acceleration = "cuda";
+      services.ollama.package = pkgs.ollama-cuda;
     };
 
   testScript = ''

nixos/tests/ollama-rocm.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 {
   name = "ollama-rocm";
   meta.maintainers = with lib.maintainers; [ abysssol ];
@@ -7,7 +7,7 @@
     { ... }:
     {
       services.ollama.enable = true;
-      services.ollama.acceleration = "rocm";
+      services.ollama.package = pkgs.ollama-rocm;
     };
 
   testScript = ''

nixos/tests/ollama-vulkan.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 {
   name = "ollama-vulkan";
   meta.maintainers = with lib.maintainers; [ abysssol ];
@@ -7,7 +7,7 @@
     { ... }:
     {
       services.ollama.enable = true;
-      services.ollama.acceleration = "vulkan";
+      services.ollama.package = pkgs.ollama-vulkan;
     };
 
   testScript = ''

nixos/tests/openssh.nix

@@ -250,6 +250,15 @@ in
         };
       };
 
+    server-no-sshd-with-key =
+      { pkgs, ... }:
+      {
+        services.openssh.generateHostKeys = true;
+        users.users.root.openssh.authorizedKeys.keys = [
+          snakeOilPublicKey
+        ];
+      };
+
     client =
       { ... }:
       {
@@ -276,6 +285,10 @@ in
     server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
     server_lazy_socket.wait_for_unit("sshd.socket", timeout=30)
 
+    # sshd-keygen is a oneshot unit, so just wait for multi-user.target, which
+    # pulls it in.
+    server_no_sshd_with_key.wait_for_unit("multi-user.target", timeout=30)
+
     with subtest("manual-authkey"):
         client.succeed(
             '${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""'
@@ -408,6 +421,19 @@ in
 
         server_sftp.wait_for_file("/srv/sftp/uploads/test-file")
 
+    with subtest("keygen without sshd"):
+        client.fail(
+            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@server-no-sshd-with-key true",
+            timeout=30
+        )
+        server_no_sshd_with_key.succeed("test -e /etc/ssh/ssh_host_ed25519_key")
+        server_no_sshd_with_key.succeed("test -e /etc/ssh/ssh_host_ed25519_key.pub")
+        server_no_sshd_with_key.fail("pgrep sshd")
+
+        # Validate the above check for sshd using pgrep does pass on a server
+        # that should have sshd running, just to prove it's a useful test.
+        server.succeed("pgrep sshd")
+
     # None of the per-connection units should have failed.
     server_lazy.fail("systemctl is-failed 'sshd@*.service'")
   '';

nixos/tests/pihole-ftl/default.nix

@@ -2,4 +2,5 @@
 
 {
   basic = runTest ./basic.nix;
+  dnsmasq = runTest ./dnsmasq.nix;
 }

nixos/tests/pihole-ftl/dnsmasq.nix

@@ -0,0 +1,20 @@
+let
+  port = "9077";
+in
+{
+  name = "pihole-ftl-dnsmasq";
+
+  nodes.machine = {
+    services.pihole-ftl = {
+      enable = true;
+      useDnsmasqConfig = true;
+      settings.webserver.port = port;
+    };
+  };
+
+  testScript = ''
+    start_all()
+    machine.wait_for_unit("pihole-ftl.service")
+    machine.wait_for_open_port(${port})
+  '';
+}

nixos/tests/sing-box.nix

@@ -139,7 +139,6 @@ in
 
         services.nginx = {
           enable = true;
-          package = pkgs.nginxQuic;
 
           virtualHosts."${target_host}" = {
             onlySSL = true;

nixos/tests/terminal-emulators.nix

@@ -65,6 +65,7 @@ let
     mate-terminal.cmd = "SHELL=$command mate-terminal --disable-factory"; # factory mode uses dbus, and we don't have a proper dbus session set up
 
     mlterm.pkg = p: p.mlterm;
+    mlterm.kill = true;
 
     qterminal.pkg = p: p.lxqt.qterminal;
     qterminal.kill = true;