In preparation for fetching pre-releases, which are not available in the
standard GNU mirrors, just in the ‘alpha’ ones.
srcRepo has been flipped, since repo states do not include the
autoconf/automake generated files of the release tarballs.
emacs-macport, which was already built from repo sources, had to enable
srcRepo, which the flip makes redundant, and hence is gone.
The problem was that Cargo didn't have a way to find a linker for the
build platform which is required to link the build script. So, when
cross compiling we add in the standard build -> build compiler so that
it can compile the build script.
This fix was taken from the ideas of @magicquark and @nwf in
https://github.com/NixOS/nixpkgs/issues/523378.
Fixes #523378
Reorganize the passthru.tests to be able to comment out/disable
individual tests that were previously hidden in an attrset.
Also comment out tests that are currently broken on master. Once this is
merged, the tests in passthru.nixosTests serve as a hard quality gate
for merging changes to systemd as per the newly added README that lives
next to the systemd derivation. These tests were only commented out
because I believe they are still valuable and should be fixed. However,
actually fixing them is out of scope for this change.
This removed the `installer-systemd-stage-1` tests because they were too
costly to evaluate and build for normal maintainers. We also don't have
all the other installer tests here. All tests use systemd, but we need
to balance the executability in a sensible timescale with test coverage.
This establishes a repeatable and clear process for preparing and
testing changes to systemd. It should help existing maintainers to
follow a consistent process with clear judgment (when these tests pass,
the change is good to merge) and potential new maintainers.
1. Use lib.cmakeBool in cmakeFlags
2. Define in qt{5,6}-packages.nix more elegantly using callPackage
3. Always set all qt flags explicitly
4. Remove `libsForQt5.mlt` (should have been done in 084c1fefd8 version bump).
Two darwin-only issues surfaced when building on x86_64-darwin:
1. The conditional postPatch removed three test files
(ml/backend/ggml/ggml_test.go, ml/nn/pooling/pooling_test.go,
model/models/nemotronh/model_omni_test.go) that no longer exist
in v0.30.5 upstream. The `rm` failed with "No such file or directory"
and aborted patchPhase. Tests in the new paths
(e.g. fs/ggml/ggml_test.go) pass on darwin without removal — verified
via the test phase in this commit's local build.
2. preFixup ran `patchelf --shrink-rpath` unconditionally; patchelf is
ELF-only and darwin's Mach-O dylibs don't carry the build-dir RPATH
problem in the first place. Gated on stdenv.hostPlatform.isLinux.
Verified: nix-build -A ollama on x86_64-darwin (macOS 15.6.1, Sequoia)
lands /nix/store/.../ollama-0.30.5; checkPhase green for all listed
packages including x/models/gemma4; ollama --version reports 0.30.5.
Assisted-by: Claude Opus 4.7 <noreply@anthropic.com>
Upstream patch release; notably fixes a divide-by-zero crash in
gemma3:12b. Bumps the vendored llama.cpp pin b9493 -> b9509 to match
upstream's LLAMA_CPP_VERSION. Verified ollama-cuda + ollama-vulkan
build on x86_64-linux.
https://github.com/ollama/ollama/releases/tag/v0.30.5
Assisted-by: Claude Opus 4.7 <noreply@anthropic.com>
This used to be a non-exposed part of the systemd derivation. However,
in #509324 this was removed. Re-add this to use it for systemd-import
and systemd-sysupdate to provide a minimal gnupg without bash. This
fixes the bashless tests.
Rejecting an unwieldy originalist interpretation of the max_output_size
infrastructure mandate [1] — which, by checking NAR size pre-compression,
might be read to foreclose in-NAR densification — this commit resolves
the tension between binary cache availability and statutory size
discipline through equitable artifact pre-densification.
Specifically, we execute xz compression during the postInstall phase
of an intermediate derivation, coupled with a non-Hydra wrapper that
decompresses the payload transparently. This insulates end-users from
the underlying .tar.xz monolith while satisfying the strict procedural
requirements of the build farm's sensors.
We acknowledge reservations regarding the broader applicability of the
unorthodox pattern incepted herein.
See also Jakštys, commit msg. to bbd0655ae8 (2024) ("[intending]
to replace the `passthru.data-compressed` derivations that ha[d]
accumulated in nixpkgs with something more reusable"),
bbd0655ae8
Cf. Luna Nova, hipblaslt/default.nix ll. 113-114 (2026) (patching
hipblaslt C++ runtime to transparently decompress zstd-compressed
.dat files, as "required to keep [the] output under [H]ydra size
limit"), fc1f8110e8/pkgs/development/rocm-modules/hipblaslt/default.nix (L113-L114)
Cf. SuperSandro2000, Review of NixOS/nixpkgs#511524 (this PR) (2026)
("[w]hy not compress the well compressable [.olean] files in nix
with zstd?") (in dicta; a fortiori),
https://github.com/NixOS/nixpkgs/pull/511524#discussion_r3137725277
But cf. Yureka, gclient2nix.py ll. 162-167 (2025) (characterizing
recompression as "bypassing the size limit (making it count the
compressed instead of uncompressed size) rather than complying with
it"), 4dc9b83879/pkgs/by-name/gc/gclient2nix/gclient2nix.py (L162-L167)
[1] NixOS Infrastructure Cap., 170012a468/build/hydra.nix (L116)
Lean binaries derive sysroot from IO.appPath; patch all of them
rather than just lean and lake. Add cadical to symlinkJoin paths
instead of bundling a copy via INSTALL_CADICAL.
ed10debb3c
Strip ephemeral setup.json build artifacts from library outputs.
These are produced per-module during compilation and not included
in upstream cache distributions
(https://github.com/NixOS/nixpkgs/issues/510957).
Disable Hydra builds for mathlib since the output exceeds the NAR
size limit.
Pre-build static library for batteries so downstream executables
can link against it.
Refactor update.sh to pin each dependency to the rev from mathlib's
lake-manifest.json.
This expands on https://github.com/NixOS/nixpkgs/pull/498928 that
introduced __structuredAttrs here by actually using data in
`.attrs.json` when it makes sense, instead of relying on environment
variables. This leads to fewer temporary files, faster execution and
nicer code.
Replace `services.timesyncd.extraConfig` with a freeform `services.timesyncd.settings.Time` submodule, rendered via `utils.systemdUtils.lib.settingsToSections`. `extraConfig` is removed via `mkRemovedOptionModule`.
`servers` and `fallbackServers` are kept as typed wrappers; they now bridge into `settings.Time.NTP` / `settings.Time.FallbackNTP` via `mkDefault` so users can still override them through `settings.Time`.
Adds `nixos/tests/systemd-timesyncd` to assert the rendered `timesyncd.conf` contents.
Pinned the web UI build to nodejs_latest because the current nodejs lts (v24.15.0)
has an ESM-loader file-descriptor regression (https://github.com/nodejs/node/issues/62012)
that throws EBADF on fstat and, on darwin, aborts the vite/SvelteKit build
with a libuv kqueue assertion.
Assisted-by: Claude Code (Opus 4.8)
Two layers were missing for ollama-vulkan after the 0.30.x bump's switch to
per-accelerator runners via ExternalProject_Add:
1. spirv-headers wasn't in nativeBuildInputs, so the parent cmake configure
never even saw `SPIRV-HeadersConfig.cmake`. Add it (header-only — native
is the right slot).
2. The runner sub-builds (`ollama-llama-server-vulkan` et al.) are launched
by `cmake/local.cmake`'s `ExternalProject_Add`, whose child cmake process
inherits env vars but not the parent's `-D` flags. Even after fixing
(1), the child's `find_package(SPIRV-Headers REQUIRED)` at
`ggml-vulkan/CMakeLists.txt:14` couldn't see the config, and once that
was worked around with `CMAKE_PREFIX_PATH` as env, the compile then
failed with `fatal error: spirv/unified1/spirv.hpp` — because
upstream's `target_link_libraries(ggml-vulkan PRIVATE Vulkan::Vulkan)`
notably does NOT link `SPIRV-Headers::SPIRV-Headers`, so the interface
include path the cmake config exports never flows into the compile
commands. Force the include via `NIX_CFLAGS_COMPILE` rather than
patching upstream's CMakeLists across llama.cpp pins.
Verified: `ollama-vulkan` builds end-to-end; `$out/lib/ollama/vulkan/libggml-vulkan.so`
is present (not a silent CPU fallback like the cuda variant suffered in
the first 0.30 attempt).
🤖 Assisted by Claude
Notable upstream build changes folded into this bump:
* llama.cpp moved from in-tree vendoring to CMake FetchContent, pinned
via the `LLAMA_CPP_VERSION` file at the repo root (b9493 here →
llama.cpp commit a731805c). Pre-stage it as `fetchFromGitHub` and
apply Ollama's compat patch in `postPatch` — neither
`cmake/local.cmake` nor `llama/server/CMakeLists.txt` auto-applies
the patch when the source is overridden via
`FETCHCONTENT_SOURCE_DIR_LLAMA_CPP` (the parent's `ExternalProject_Add`
passes `OLLAMA_LLAMA_CPP_SKIP_COMPAT_PATCH=ON` to the child build).
The `apply-patch.cmake` script is idempotent.
* Since 0.30, `cmake/local.cmake` splits the llama.cpp build into
per-runner sub-projects gated by `OLLAMA_LLAMA_BACKENDS`. Without
setting it, only the CPU runner is built — `ollama-cuda` /
`ollama-rocm` / `ollama-vulkan` would all silently fall back to CPU
at runtime, with `libggml-{cuda,hip,vulkan}.so` absent from
`$out/lib/ollama`. Map the package's `acceleration` value to the
cmake backend name the elseif chain accepts:
cuda → cuda_v${cudaMajor} (cuda_v12 / cuda_v13)
rocm → rocm_v${rocmMajor}_${rocmMinor} (rocm_v7_1 / rocm_v7_2)
vulkan → vulkan
* `cmd/launch/*_test.go` are integration tests for user-facing CLI
launchers (claude, qwen, cline, codex, kimi, droid, openclaw,
hermes, …) that install the target binary via npm and exec it on
PATH. Both prerequisites are unavailable in the nix sandbox, so the
launch subpackage's tests can't pass here. Drop them — same
precedent as the existing darwin Metal test removals.
* The llama.cpp sub-build is driven by ExternalProject_Add and does
not inherit the parent's `CMAKE_SKIP_BUILD_RPATH` setting, so its
`.so` payloads end up with build-dir entries in RPATH. Strip with
`patchelf --shrink-rpath --allowed-rpath-prefixes /nix/store` in
preFixup; `$ORIGIN` is preserved unconditionally (non-absolute
entries always allowed) so peer-lib lookup in `$out/lib/ollama`
still works.
Drive-by cleanup: deadnix + statix passes (overrideModAttrs unused
lambda args → `_:_`, `inherit (rocmPackages) stdenv;` /
`inherit (vulkan-tools) stdenv;` for `buildGoModule.override`, drop
unused `coreutils` input — the old launch-test substitutions that
needed coreutils are dropped along with the tests).
Release notes:
https://github.com/ollama/ollama/releases/tag/v0.30.4
https://github.com/ollama/ollama/releases/tag/v0.30.0
Assisted-by: Claude Opus 4.7 <noreply@anthropic.com>
Upstream only allows specific target OSes and architectures. Adjust meta.platforms to reflect what upstream allows, to allow
reverse deps to use lib.meta.availableOn for deciding if they should depend on this.
The previous `if ! ( ... )` wrapper put the check body in a context
where bash ignores `set -e`, so a failing command in the middle of a
check would not abort it and the switch would proceed. Run the
subshell outside any conditional and capture $? explicitly instead.
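The errexit pitfall described in the commit message above, as an added shell example that is not code from nixpkgs or from the switch-to-configuration script: `run_check_body` is a constructed stand-in for a pre-switch check whose middle step fails, and the two `check_*` functions show the `if ! ( ... )` wrapper beside the plain-subshell-plus-`$?` form. The `had_errexit` save/restore is an assumption about the caller (it lets the function work whether or not the caller runs under `set -e`).

```sh
#!/bin/sh
# Added example, not the nixpkgs switch-to-configuration code: why a check
# wrapped in `if ! ( ... )` cannot abort on a mid-check failure, and the fix
# of running the subshell as a plain command and testing $? afterwards.
# run_check_body stands in for the real pre-switch check (assumed shape).
# Each check_* function leaves "pass" or "fail" in CHECK_RESULT.

run_check_body() {
  set -e
  false                               # simulated failing step in the middle of the check
  echo "check body continued past the failing step" >&2
  true                                # final step succeeds, so the body's status is 0
}

# Broken pattern: the subshell is the condition of `if !`. POSIX shells ignore
# errexit while evaluating if/while conditions, `!` pipelines and non-final
# AND-OR operands, and that suspension extends into the subshell (and into the
# function it calls), so the `set -e` inside is a no-op: the body runs to
# completion, exits 0, and the check wrongly reports "pass".
check_broken() {
  if ! ( run_check_body ); then
    CHECK_RESULT=fail
  else
    CHECK_RESULT=pass
  fi
}

# Fixed pattern: run the subshell as a plain command so errexit inside it is
# honoured, then branch on the captured status. errexit is switched off in
# the caller around that one command (and restored afterwards) so the failure
# is reported rather than killing the caller before it can react.
check_fixed() {
  had_errexit=
  case $- in *e*) had_errexit=1 ;; esac
  set +e
  ( run_check_body )
  status=$?
  [ -z "$had_errexit" ] || set -e
  if [ "$status" -ne 0 ]; then
    CHECK_RESULT=fail
  else
    CHECK_RESULT=pass
  fi
}

# Stand-alone demonstration: one line per pattern.
check_broken; echo "if ! ( ... ) wrapper:  $CHECK_RESULT  (failure swallowed)"
check_fixed;  echo "plain subshell + \$?:   $CHECK_RESULT"
```

The same suspension applies to `( ... ) || handle_failure` and to `if ! run_check; then`, so moving the body into a function does not help; only running it outside every conditional context does.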
wasm3 has been in a minimal maintenance mode for several years, and has
seen no commits since mid 2024. Given that it has several known
vulnerabilities (which have been marked in Nixpkgs since 2022), doesn't
seem very maintained, and is not used anywhere else in Nixpkgs, there
does not seem to be reason to keep it around.
Recent Beeper releases moved the app code from resources/app into resources/app.asar. Extract the ASAR back into resources/app in postExtract, remove the packed ASAR, and apply the existing updater patches at the extracted paths.
Assisted-by: OpenAI Codex (GPT-5)
Part of #526161.
The previous approach prefixed $PATH to make a fusermount available, but
this would be gone if we'd just replaced it with fuse3, as #526670
attempted (which would break mounting via fstab).
Instead, patch the source to try our suid wrapper (which is always
preferred so mounting as non-root still works), and then fallback to a
fusermount from $PATH (to work on non-NixOS distros).
Ideally this would also try fusermount3, but whether to do that is
probably something for upstream to decide, and other distros probably
also provide a symlink for compatibility reasons.
Closes #526670.
Installed plugin outputs can include test or metadata Lua files next to runtime modules. Skip common directory and filename patterns during automatic discovery so require checks stay focused on importable runtime modules.
Add regression coverage for ignored directories and test/meta module filenames.
Add regression coverage showing neovimRequireCheckHook runs for a luarocks-backed buildNeovimPlugin derivation after module discovery scans the installed output.
Automatic discovery previously scanned src, but install hooks can move Lua modules before neovimRequireCheckHook runs. Scan out instead so require checks cover the installed plugin layout.
withExtraComponents pulled in bundled-python3-unix through the alpha/beta -> core dependency closure, reintroducing Google's bundled Python after package.nix removed platform/bundledpythonunix.
Strip bundled-python3 components and dependency edges when update.sh generates components.json, remove their .install metadata, and add a gke-gcloud-auth-plugin passthru test.
This also reverts the Tcl/Tk component inputs added by ed4596bd96 (google-cloud-sdk: fix build, #468388), since the bundled Python component that needed _tkinter support is no longer generated.
Resolves #527193
In 9e78baf, Aarch64 machines had the `-device virtio-gpu-pci`
argument added, to mirror the `-vga std` option that was added unconditionally to
virtualised x86_64 machines. This also enabled screenshots on aarch64
machines to be taken in tests. Since then, in a7ca287, the `-vga std`
option was removed, because that is the default value of this option
embedded in QEMU since version 2.2.
Removing it from the hard-coded list of qemu options makes it possible
for the user to choose their own `-vga` value. Similarly, for Aarch64
virtualised machines, unconditionally choosing the `-device virtio-gpu-pci`
option instead of e.g. `-device virtio-gpu-gl-pci` can be bothersome too - see:
https://discourse.nixos.org/t/test-an-aarch64-linux-vm-wayland-compositor-from-an-x86-64-linux-host/77416/2
This commit is similar to 44c6c2ef16 which
was reverted in #527048.
Fix a cache miss when `cudaSupport = false` but
`cudaPackages.cudaMajorMinorVersion` is not the default (as could be the
case with an overlay like `cudaPackages = cudaPackages_13_1;`)
Triton JIT-compiles cuda_utils.c at runtime using whatever `cc`/`gcc`
is on PATH. In environments without a compiler in PATH (e.g. deployed
Nix environments), this fails with linker errors (cannot find crti.o,
-lc, -lgcc_s).
Hardcode the Nix cc-wrapper path as the default fallback for the CC
lookup in build.py, matching the pattern already used in the test's
axpy-cuda derivation.
Assisted-by: Claude Code (claude-opus-4-6)
Originally submitted at https://github.com/NixOS/nixpkgs/pull/526003
Weblate generates an SSH wrapper with some preset options
that uses the absolute path of the ssh binary internally.
As the wrapper is only regenerated when the generator itself
is changed, this absolute nix store path becomes unusable once
ssh is updated and the path is garbage collected.
As generating the wrappers is a quick operation, simply deleting the wrapper
directory before service start ensures they are up to date.
Add requests-mock and pytest-asyncio to nativeCheckInputs.
The enabled upstream checks use the requests_mock fixture, and the pytest configuration references asyncio_mode.
This actually didn't work due to multiple issues:
- Some statements used machine.execute, swallowing nonzero exit codes.
In this particular case, it caused the mountpoint to stick around.
- using `fileSystems."/plain"` has no effect in VM tests,
virtualisation.fileSystems."/plain" needs to be used instead
- `switch-to-configuration test` was invoked, so not actually switching
at all.
- Checking for `data.txt` to be present is a bit brittle. /tmp can be
cleaned up. We can just add a known text and grep for that.
virtual-machine releases use virtualisation.incus.package to find
where the agent-loader configuration is defined. In practice it's
likely not a problem, but when marking lts v6 on 25.11 as vulnerable
it exposed the mismatch. For correctness we should ensure the VM
tests are using the agent loader from the relevant incus package.
Otherwise the recursive chown can fail, hence wpa_supplicant doesn't
start, if some read-only file has been bind-mounted into
/etc/wpa_supplicant.
This can happen if one uses `extraConfigFile` to add a file that is
under /etc/wpa_supplicant.
Expose the actual rust build as a top-level by-name package and have
the wrapper take it as an argument, so overlays can patch or override
it without needing to thread the new drv through the wrapper explicitly.
The CalledProcessError can only come from the append-initrd-secrets
script, so catching it in the generic write loop and then asserting
on the writer type to reach back into its `source` is the wrong
layer. Move the catch, the pristine-initrd fallback and the warning
into InitrdWithSecretsWriter itself, and pass `critical` through the
writer protocol so it can decide between aborting and falling back.
The writer carries the generation number so the warning can still
name the affected generation. write_boot_files no longer knows
anything about secrets and the isinstance assertion is gone.
Suggested-by: Will Fancher <elvishjerricco@gmail.com>
Whether a write failure must be fatal is a property of the destination
path (is it needed by the configuration we are switching to?), not of
the particular BootFile instance that happened to survive
deduplication. Compute the set of critical paths up front and look it
up in write_boot_files, so the dedup loop no longer needs to pick the
"right" instance and becomes a plain order-preserving seen-set walk.
This leaves BootFile.current unused.
Suggested-by: Will Fancher <elvishjerricco@gmail.com>
This guarantees the descriptor is closed even when copyfileobj raises,
matching the other writer implementations. The append-initrd-secrets
script reopens the file by path, so flush() is enough before invoking
it and the explicit close() is no longer needed.
Tell the user what actually happens (the old secrets stay in place) and
how to get rid of the warning, instead of just saying it is "normal".
Suggested-by: Will Fancher <elvishjerricco@gmail.com>
Shared kernels and initrds appear once per generation in boot_files, so
InitrdWithSecretsWriter rebuilt the same file repeatedly. Prefer the
current configuration's entry so its failures stay fatal.
has_gc_root() iterated the entire BootFileList for every file on the
ESP, giving O(files * roots) comparisons. Build the set of kept paths
once and use O(1) membership tests instead.
After removing or renaming a file in boot.initrd.secrets, older
generations' append scripts start failing. Aborting on that blocks
deploying the new configuration, so only treat a failure as fatal when
it belongs to the configuration being switched to.
Appending to the existing file made it grow on every rebuild and a
failed script could leave it half-written. Always rebuild from the
pristine initrd into a temp file and rename into place.
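The rebuild strategy described above, as an added shell example that is not the nixpkgs bootloader installer code: the old append-in-place behaviour sits beside a version that copies the pristine initrd to a temporary file, runs the append script against that, and renames it into place only on success. The append script is assumed to take the initrd path as its sole argument and append to it in place; `append_ok` and `append_fails_midway` are constructed stand-ins for it.

```sh
#!/bin/sh
# Added example, not the nixpkgs bootloader installer code: append-in-place
# versus rebuild-into-temp-and-rename for an initrd-with-secrets file.
# The append script is assumed to take the initrd path as its only argument
# and append to it in place; the two append_* functions are stand-ins.

append_ok() {
  printf 'secret-payload\n' >> "$1"
}

append_fails_midway() {
  printf 'partial-' >> "$1"       # wrote something, then died
  return 1
}

# Old behaviour (the bug): append to whatever is already at $target. Every
# rebuild grows the file, and a script that fails part-way leaves it
# half-written, with no way to tell from the file alone.
build_initrd_secrets_inplace() {
  pristine=$1; target=$2; append_script=$3
  [ -e "$target" ] || cp "$pristine" "$target"
  "$append_script" "$target"
}

# New behaviour: copy the pristine initrd to a temp file in the target's own
# directory (same filesystem, so the final rename is atomic), run the append
# script against the temp file, and only then rename over the target. On any
# failure the temp file is removed and the existing target is left untouched,
# so the boot entry keeps pointing at a complete file.
build_initrd_secrets_atomic() {
  pristine=$1; target=$2; append_script=$3
  tmp=$(mktemp "$(dirname "$target")/.initrd-secrets.XXXXXX") || return 1
  if cp "$pristine" "$tmp" && "$append_script" "$tmp"; then
    mv -f "$tmp" "$target"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Line count of a file (the constructed pristine initrd below is one line).
line_count() {
  grep -c '' "$1"
}

# Stand-alone demonstration in a scratch directory.
demo_dir=$(mktemp -d)
printf 'pristine-initrd\n' > "$demo_dir/initrd"
build_initrd_secrets_inplace "$demo_dir/initrd" "$demo_dir/inplace" append_ok
build_initrd_secrets_inplace "$demo_dir/initrd" "$demo_dir/inplace" append_ok
echo "in-place, two rebuilds: $(line_count "$demo_dir/inplace") lines (grows each time)"
build_initrd_secrets_atomic "$demo_dir/initrd" "$demo_dir/atomic" append_ok
build_initrd_secrets_atomic "$demo_dir/initrd" "$demo_dir/atomic" append_ok
echo "atomic, two rebuilds:   $(line_count "$demo_dir/atomic") lines"
build_initrd_secrets_atomic "$demo_dir/initrd" "$demo_dir/atomic" append_fails_midway \
  || echo "atomic rebuild failed; previous file kept: $(line_count "$demo_dir/atomic") lines"
rm -rf "$demo_dir"
```

Creating the temp file next to the target rather than under /tmp is what makes the final `mv` a rename instead of a copy, and the restrictive name returned by `mktemp` keeps a partially built initrd from ever being picked up by a boot entry.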
dbus-broker (now the default since #512050) calls
sd_id128_get_machine() which returns -ENOMEDIUM for an
all-zero machine-id, causing it to crash-loop and the test
to hang on multi-user.target.
The substitution in melpa-packages.nix rewrote `"mozc_emacs_helper"` in
`mozc.el` to `${pkgs.ibus-engines.mozc}/lib/mozc/mozc_emacs_helper`,
but that path no longer exists.
Since the Bazel-based rewrite and the optional ibus split in #483843,
`mozc_emacs_helper` is installed at `$out/bin/` of the base `mozc` package,
while `$out/lib/mozc/` only contains `mozc_server`,
`mozc_renderer`, and `mozc_tool`.
As a result, `mozc.el` invoked a non-existent helper and `mozc-mode` failed to start with
> 変換エンジンプログラムの起動に失敗しました。 ("Failed to start the conversion engine program.")
Switch the reference to `pkgs.mozc` so it points at the actual binary
location and avoids pulling in the IBus front-end for Emacs users.
Assisted-by: Claude Code (claude-opus-4-7)
Without the change the eval fails as:
$ nix build --no-link -f. bats.tests
error:
… while evaluating the attribute 'resholve'
at pkgs/by-name/ba/bats/package.nix:250:5:
249| inherit bash-preexec locate-dominating-file;
250| resholve = resholve.tests.cli;
| ^
251| }
… while evaluating the attribute 'tests.cli'
at pkgs/development/misc/resholve/resholve.nix:58:5:
57| ;
58| tests = callPackage ./test.nix {
| ^
59| inherit
(stack trace truncated; use '--show-trace' to show the full, detailed trace)
error: function 'anonymous lambda' called with unexpected argument 'python27'
at pkgs/development/misc/resholve/test.nix:1:1:
1| {
| ^
2| lib,
Environment variables to pass to Heroic.
For example:
pkgs.heroic.override {
extraEnv.PROTON_ENABLE_WAYLAND = true;
}
Adds feature parity with `steam` package.
polyc linking script hardcodes the linker to be the value of `$CXX` at
compile time. This is bad for environments without `g++` in path. Fix
this by patching the correct path into the script.
Co-Authored-By: Ricardo Correia <someplaceguy@wizy.org>
Co-Authored-By: Ivan Trubach <mr.trubach@icloud.com>
Compilation requires running one of the make build targets, so cross
compilation isn't possible.
Also remove old design patterns in favour of newer ones.
This also performs some maintenance:
- fix warning, that bf-reg cannot be found in bfb-install
- migrate to fuse 3
- fix console handling, which is still not upstream
Signed-off-by: Markus Theil <theil.markus@gmail.com>
Now that ARMv5 no longer uses `uImage`, there’s no point in keeping
around support for this deprecated format that the rest of the NixOS
infrastructure doesn’t handle. Modern U‐Boot setups should not
be affected in any way by this.
The `sheevaplug` kernel configuration was added a very long time
ago and has not been adjusted for years. `pogoplug4` was identical
to `sheevaplug` except for an even more stripped‐down kernel
configuration, no device tree support, and a different load address
for the uImage.
These days, the stock kernel configuration builds and there has been
an upstream device tree for the Pogoplug Series 4 for years; unify
`sheevaplug` and `pogoplug4` into an `armv5tel-multiplatform` that
uses the standard configuration.
ARMv5 was also the only platform that defaulted to uImage, the [legacy
U‐Boot image format] that is deprecated upstream. Our bootloader
machinery in NixOS does not handle these images in any special way
and even the original ARMv6 Raspberry Pi platform defaults to the
standard zImage. We switch `armv5tel-multiplatform` to zImage to match.
[legacy U‐Boot image format]: https://docs.u-boot.org/en/latest/usage/cmd/bootm.html#legacy-boot
It is of course natural to worry about backwards compatibility
here: this switches to a different kernel image format and drops
support for root on NFS along with random oddities like KGDB and
LatencyTOP. Renaming the platform is intended to help mitigate
this risk.
The reality, however, is that it is currently very
difficult to build a configuration for ARMv5. I found
<https://github.com/thefloweringash/sheevaplug-nix> online as
an example configuration from many years ago; it already set
`autoModules`, and builds U‐Boot using `CONFIG_DISTRO_DEFAULTS`,
which should work out of the box without requiring the legacy U‐Boot
image format.
Even then, however, I confirmed with the author that it hasn’t
been used in years, and I could barely get it to build with
a modern Nixpkgs: OpenSSH is broken, Nix is broken, multiple
default `environment.systemPackages` in the SD image profile
are broken, `boot.initrd.includeDefaultModules` is broken, and
`hardware.enableAllHardware` is broken.
I conclude that if anyone is actively building systems on ARMv5, they
have a forked Nixpkgs or a very custom setup. Given our general move
to standard boot chains and no platform‐specific hacks, and the
decaying state of our unofficial support for 32‐bit ARM, I think
it is not worth maintaining support for the legacy image format for
this one ancient platform.
If anyone is running a heavily stripped‐down NixOS configuration on
mission‐critical SheevaPlugs using a custom Nix‐free deployment
setup relying on the legacy U‐Boot image format and somehow none
of these kernel changes manage to loudly break their build, hopefully
they’ll at least notice the release notes entry! Otherwise there’s
always JTAG…
These were not used by the selection logic or
`lib/systems/examples.nix`, so any consumer would have to be including
them explicitly. Since we’re moving away from setting Linux kernel
configuration in the platform structure, breaking these explicitly
won’t reduce the convenience and will help signal to any such expert
users that they need to move their kernel configuration elsewhere.
None of these successfully build a kernel, and as we’re moving
away from putting kernel configuration in the platform structure and
don’t package the vendor kernels that all but `fuloong2f_n32` expect,
there’s no point to keeping these kernel configurations in Nixpkgs.
Replace the `passthru.tests` --version test by running versionCheckHook
during the package build.
As `haskellPackages.mkDerivation` is very locked-down and doesn't allow
access to things like `nativeInstallCheckInputs` (or any input lists),
we add a separate `.overrideAttrs` call to the pipeline.
Running phase: installCheckPhase
Executing versionCheckPhase
Successfully managed to find version 1.3.0 in the output of the command /nix/store/3fg7y7qww3c3hvyb66n75d9j5y362n4j-nixfmt-1.3.0/bin/nixfmt --version
nixfmt 1.3.0
Finished versionCheckPhase
Writing a multi-line /proc/<pid>/[ug]id_map only requires
CAP_SETUID/CAP_SETGID over the parent user namespace, not full root.
shadow's own --with-fcaps install mode (70971457b761) sets exactly
cap_setuid+ep / cap_setgid+ep, and Arch, Fedora and Debian have shipped
these binaries with file capabilities instead of setuid for years.
The setuid variant already drops to the same single capability before
the uid_map write (see lib/idmapping.c), so the privilege at the point
attacker-controlled data reaches the kernel is unchanged. The reduction
is in the startup window: with file capabilities the process never has
euid 0 and never holds the full capability set during NSS lookups,
/etc/subuid parsing and /proc/<pid> opening.
The only functional difference is that mapping host uid 0 into a child
namespace additionally needs CAP_SETFCAP, which the setuid path got
implicitly. NixOS never puts uid 0 into auto-allocated subuid ranges,
and granting it manually is a deliberate root-equivalent configuration;
the release notes document the override for that case.
nixosTests.{shadow,podman,docker-rootless} pass; the latter two
exercise newuidmap/newgidmap via rootless containers.
Supersedes #461172.
Co-authored-by: Rasheeq Azad <rasheeqhere@gmail.com>
With fetcherVersion = 1 and 2 removed, the minimum supported version is 3,
so every store is a reproducible tarball with consistent permissions. Drop
the now-unreachable `fetcherVersion < 3` branches:
- always bundle the store into pnpm-store.tar.zst (drop the direct-to-$out path)
- always write $out/.fetcher-version (drop the `> 1` guard)
- always normalise permissions (drop the `>= 2` guard)
- always extract the tarball in pnpmConfigHook and serve.nix (drop the cp
fallback and the `|| echo 1` default)
The `>= 4` SQLite-dump guard is kept, since v3 and v4 still differ. Output
for existing v3/v4 derivations is byte-identical, so no hashes change.
Assisted-by: claude-code with claude-opus-4-7[1m]-xhigh
fetcherVersion = 1 and 2 were deprecated in the 26.05 release and
scheduled for removal in 26.11. Remove them from supportedFetcherVersions
and replace the deprecation warning with a hard throw that points users
at the migration to fetcherVersion = 3.
No in-tree package still uses fetcherVersion = 1 or 2. The now-unreachable
v1/v2 code paths are removed in a follow-up commit.
Assisted-by: claude-code with claude-opus-4-7[1m]-xhigh
Seemingly the upstream stopped updating their AUR[^1]. We were using
Repology for easy queries against this repo.
Switch to scraping upstream's APT repo.
Looks like they only distribute the amd64 binaries of _1password-gui
from their repo, as opposed to _1password-cli which ships both amd64 and
aarch64. We assume updates are releases for both architectures, at the
same time.
[^1] https://aur.archlinux.org/packages/1password
time-sync.target has Wants/After=time-set.target, every OnCalendar=
timer gains an implicit After=time-set.target, and
systemd.special(7) documents it as the hook for "system clock has
been set from a local source". Without the unit file the target is
not-found, so WantedBy=time-set.target on third-party units is
silently ignored and the timer ordering is a no-op.
I'm not exactly sure when this happened, but Youki is no longer being maintained under the _containers_ organization on GitHub, and instead in its own _youki-dev_ organization.
Warp has been failing to build in the darwin sandbox for a long time,
because of some failing tests, even with local networking enabled. This
does not surface when using it from the cache, because hydra builds
without sandbox. But for development / nixpkgs-review, this is heavily
annoying. Disabling these two tests makes the build pass on the
community builder for me.
Especially major versions contain API breakage and we always require
a compatible home-assistant version. Not all API surfaces are
being exercised in home-assistant tests, so don't fool yourself by
nixpkgs-review not revealing any breakages.
Remove python27Packages, python2Packages, and pythonPackages alias
mentions; drop the "python refers to CPython 2.7" sentence and the
Python 2 namespace-collision note; strip Python-2-only inline comments
from the venvShellHook example.
Keep all pypy2/pypy27 references — pypy27 stays defined inside
pythonInterpreters as the bootstrap for pypy3.
Follow-up to c5feb3c424 / #525613, which fixed zfsroot and
separateBootZfs after a2e55e31d6 flipped the default of
boot.zfs.forceImportRoot to false, but missed the clevis ZFS tests.
Without a matching hostId on the installer side, the target refuses to
import the pool ("pool was previously in use from another system").
This seems to no longer be used upstream. I'm having a hard time
pinpointing exactly when this occurred via SourceForge, but the source
archive from `ario.src` doesn't mention libsoup at all, the package
builds and runs, and Debian seems to have removed the dependency at some
point as well.
CMakeLists.txt contains logic for bundling libcxx and codesigning the
binaries on macOS, both of which are unnecessary with Nix. Most of the
existing compiler/linker options are no longer needed with recent
updates.
This resolves #523878 where /etc/ is readonly and /etc/machine-id
cannot be created. Instead, /etc/machine-id is initialized to
"uninitialized" by systemd-tmpfiles in initrd and persisted in
/var/lib/nixos.
Upstream no longer actually uses libsoup 2.4, as reported in
https://github.com/Philip-Scott/Spice-up/issues/328. Since this is the
case, and libsoup 2.4 is likely to be removed soon due to having had
known vulnerabilities for years, we drop the dependency to keep this
package working.
The current uhttpmock package refers to the 0.5.x release series/0.0
ABI. This is outdated, relies on the insecure libsoup 2.4, and has no
in-tree dependents. Thus, we drop it.
Obsidian's app:// scheme lacks `corsEnabled`, which breaks the internal
PDF viewer on Electron 40. Add it to the scheme registration.
Fixes #523846
Assisted-by: Claude Code (Claude Opus 4.8)
For easier overriding with `git.override` or `git.overrideAttrs`,
determine whether configuration related to running the install checks is
present based on whether the install checks are actually being run, not
on the function argument which may not be the same.
The unquoted $out/${libDir}/is-packaged-app path word-splits on
applicationNames containing spaces (e.g. "Firefox Developer Edition"),
breaking the Darwin build for firefox-devedition and similar variants.
Regression from 1da3ca7373.
`librest` in Nixpkgs currently refers to the old 0.8 release. The
current release version is 0.10, which is in Nixpkgs as `librest_1_0`
(since both needed to coexist for some time while dependents were
migrated). Since the old librest version was dependent on insecure
libraries (libsoup 2.4) and has no in-tree dependents, we drop it. We
also rename `librest_1_0` to `librest`, as that's the most
straightforward name, and migrate it to `pkgs/by-name` for cleanliness.
`libchamplain` has referred to the version that links to libsoup 2.4 by
default, and has thus been marked insecure for quite some time. All of
the (few) dependents support building with the libsoup 3 version, so we
drop the insecure version entirely.
Build against the default OCaml (5.4) set instead of the 5.3 pin, using the
module-mode launcher (ocaml-hol). Carries a patch so the pa_j chooser
accepts camlp5 8.05, links findlib into ocaml-hol, and sets up the runtime
OCAMLPATH/CAML_LD_LIBRARY_PATH. Drops the camlp5 8.03.2 downgrade.
camlp5's META requires pcre2 and fmt, but they were only buildInputs, so
findlib consumers of camlp5 could not resolve them. Move them to
propagatedBuildInputs.
The deprecated singular `pnpmWorkspace` attribute (superseded by
`pnpmWorkspaces` in #350751) has no remaining in-tree users, so the
assert and hook check pointing users to the new attribute are no
longer needed.
Assisted-by: Claude Code (Claude Opus 4.7)
By doing this, we can cache the rest of the file, including the import
of problems.nix. This allows genCheckProblems to be cached on every
bootstrapping stage, and not re-called each time.
https://github.com/rancher/rke2/releases/tag/v1.36.1%2Brke2r1
Upstream ingress-nginx Retirement & Transition to Traefik
Because ingress-nginx was retired upstream as of March 2026, Traefik is now the default for new
clusters starting in v1.36 (existing clusters will keep their current ingress upon upgrade to avoid
breakage). This transition brings the following structural changes:
- Airgapped Environments: The rke2-images-core tarball now contains Traefik images instead of
ingress-nginx. The standalone rke2-images-traefik tarball has been removed. Users who must
continue using ingress-nginx will now need to manually provide the rke2-images-ingress-nginx
tarball.
- Future Removal: The ingress-nginx chart will not receive any additional updates and will be
completely removed in v1.37 for community users.
- Prime Customers: Please refer to the official product documentation for specific Prime
considerations.
Upstream changed the default bundled load balancer starting in RKE2 v1.36. This adapts the auto
deploy test accordingly.
From the RKE2 release notes:
Because ingress-nginx was retired upstream as of March 2026, Traefik is now the default for new
clusters starting in v1.36 (existing clusters will keep their current ingress upon upgrade to avoid
breakage). This transition brings the following structural changes:
- Airgapped Environments: The rke2-images-core tarball now contains Traefik images instead of
ingress-nginx. The standalone rke2-images-traefik tarball has been removed. Users who must continue
using ingress-nginx will now need to manually provide the rke2-images-ingress-nginx tarball.
- Future Removal: The ingress-nginx chart will not receive any additional updates and will be
completely removed in v1.37 for community users.
- Prime Customers: Please refer to the official product documentation for specific Prime
considerations.
The check phase for the config file has to replace any instances of
user and group with the current ones, since logrotate checks whether
they actually exist. However, the create/createolddir substitution
expressions didn't take all different parameter formats into
account. Mainly, if the mode was specified, but not user and group,
the result would be something like
create 0644nixbld nixbld
since it relies on matching a space at the end of the mode
specification.
To fix this, always append a space before the substituted user and
group.
Also, simplify the formatting by using extended regex and check for
word boundaries after create/createolddir to exclude any incorrect or
unsupported suffixes.
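As an added example (not the NixOS logrotate module's own code), here is a `sed -E` substitution implementing the approach described above: the directive name must be followed by whitespace or end of line, and a space is always inserted before the substituted user and group, so "create 0644" becomes "create 0644 U G" rather than "create 0644U G". It assumes the logrotate directive grammar `create|createolddir [mode] [owner [group]]`; the sample config and the `nixbld` user/group are constructed.

```shell
# Added example, not NixOS's module code. Rewrite the owner/group of
# `create` / `createolddir` directives so the sandboxed config check only
# sees users that exist in the build environment.
# Assumed grammar: create|createolddir [mode] [owner [group]]
substitute_create_users() {
  # $1 = replacement user, $2 = replacement group (must not contain '/'),
  # logrotate config on stdin, rewritten config on stdout.
  #
  # Group 1: leading whitespace + directive name. Whatever follows must be
  #          whitespace or end of line, so "createoldfoo" is left alone.
  # Group 3: optional octal mode (kept verbatim).
  # Groups 4/5: optional owner and group (discarded).
  # The replacement always emits "<mode> <user> <group>" with its own
  # separating space, independent of what the input had after the mode.
  sed -E "s/^([[:space:]]*create(olddir)?)([[:space:]]+[0-7]+)?([[:space:]]+[^[:space:]]+)?([[:space:]]+[^[:space:]]+)?[[:space:]]*\$/\1\3 $1 $2/"
}

# Constructed sample config exercising every parameter form mentioned in
# the commit message, plus two lines that must not be touched.
sample_config() {
  printf '%s\n' \
    '/var/log/app.log {' \
    '    create' \
    '    create 0644' \
    '    create 0644 root adm' \
    '    create root adm' \
    '    createolddir 0755 root root' \
    '    createoldfoo root root' \
    '    rotate 7' \
    '}'
}

# Show the rewritten config: every create/createolddir line now ends in
# "nixbld nixbld", the mode is preserved, other lines are unchanged.
sample_config | substitute_create_users nixbld nixbld
```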
After d95261b435, the following flake.nix fails:
```nix
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  outputs = { nixpkgs, ... }: {
    nixosConfigurations.demo = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ({ lib, ... }: {
          boot.loader.grub.enable = false;
          fileSystems."/" = { device = "none"; fsType = "tmpfs"; };
          nixpkgs.config.packageOverrides =
            lib.mkIf false (_: { });
        })
      ];
    };
  };
}
```
This is the error:
```
$ nix build /tmp/tmp.vWEVitTgK9/#nixosConfigurations.demo.config.system.build.toplevel
evaluation warning: system.stateVersion is not set, defaulting to 26.05. Read why this matters on https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion.
error:
… while calling the 'derivationStrict' builtin
at <nix/derivation-internal.nix>:37:12:
36|
37| strict = derivationStrict drvAttrs;
| ^
38|
… while evaluating derivation 'nixos-system-nixos-26.05.20260409.4c1018d'
whose name attribute is located at /nix/store/anvdcc2arw7kqrvwnidvhw6ypkkvws68-source/pkgs/stdenv/generic/make-derivation.nix:541:11
… while evaluating attribute 'buildCommand' of derivation 'nixos-system-nixos-26.05.20260409.4c1018d'
at /nix/store/anvdcc2arw7kqrvwnidvhw6ypkkvws68-source/nixos/modules/system/activation/top-level.nix:64:7:
63| passAsFile = [ "extraDependencies" ];
64| buildCommand = systemBuilder;
| ^
65|
… while evaluating the option `environment.etc.dbus-1.source':
… while evaluating the default value of option `pythonTestDriverPackage`
… while evaluating the module argument `hostPkgs' in "/nix/store/anvdcc2arw7kqrvwnidvhw6ypkkvws68-source/nixos/lib/testing/driver.nix":
… noting that argument `hostPkgs` is not externally provided, so querying `_module.args` instead, requiring `config`
… while evaluating the option `hostPkgs':
(stack trace truncated; use '--show-trace' to show the full, detailed trace)
error: The option `hostPkgs' was accessed but has no value defined. Try setting the option.
```
Setting a `defaultText` fixes the issue.
I've also added a regression test under `nixos/tests/nixos-test-driver/` and
fixed a typo in the option description ("implemetnation").
mvnGoal allows overriding the main Maven goal used in the derivation.
mvnOffline defaults to `true`, but allows the offline (`-o`) argument
to `mvn` to be removed for special cases (e.g. the `deploy` goal) where we
will just rely on the Nix sandbox enforcing offline operation.
Locally this just prefixes activation commands with `run0 --`, so the
user's normal polkit agent (graphical or pkttyagent) handles auth.
For --target-host, run0 would need a controlling terminal, which we
deliberately do not allocate over SSH. Instead the equivalent
`systemd-run --uid=0 --pipe --wait ...` form is used. Without
--ask-elevate-password this relies on a polkit rule on the target
granting the deploying user `org.freedesktop.systemd1.manage-units`.
With --ask-elevate-password the command is wrapped in
polkit-stdin-agent, which registers a per-process polkit agent for the
child and answers the PAM conversation from stdin.
A transient unit does not inherit the SSH login environment. On NixOS
the unit's PATH is just the systemd store path, so neither `env` nor
`nix-env` would be found inside it. Elevator.wrap_remote() therefore
now takes the env mapping and the command, and returns the full remote
argv: sudo keeps the existing `/bin/sh -c 'exec /usr/bin/env -i ...'`
wrapper inside itself, while run0 puts the shell wrapper *around*
systemd-run and forwards the resolved values into the unit via
--setenv. The Arg/Args/EnvValue/PRESERVE_ENV types and the env-shell
helper move from process.py into elevate.py to avoid a circular import,
and callers are updated to import them from there.
polkit-stdin-agent is resolved on the machine doing the elevation
rather than baked in as a host-arch store path, which would be wrong
for --no-reexec, cross-arch deploys (re-exec hits ENOEXEC and falls
back), --rollback/--store-path, and Darwin deployers. Locally that is
PATH. Remotely, Elevator.for_target_config() binds the elevator to the
toplevel just placed on the target, and a small /bin/sh picker tries
<toplevel>/sw/bin/polkit-stdin-agent (target-arch, in the copied
closure) then PATH, exiting with an actionable error pointing at
system.tools.nixos-rebuild.enableRun0Elevation when neither resolves.
That option (added here) puts the agent in environment.systemPackages
and asserts security.polkit.enable.
A nixos-rebuild-target-host subtest exercises the full remote run0
path (polkit-stdin-agent + systemd-run + activation) end-to-end.
Drop the now-unused stdenv argument from package.nix while here.
Closes #507054.
A non-interactive polkit authentication agent that answers PAM prompts
from a file descriptor. Provides the missing `sudo --stdin` equivalent
for run0/systemd-run, which authorise via polkit and otherwise require
a controlling terminal for pkttyagent.
Used by the upcoming `nixos-rebuild --elevate=run0
--ask-elevate-password`. The machine performing the elevation enables
system.tools.nixos-rebuild.enableRun0Elevation (added in the next
commit), which puts this package on PATH locally and at
<toplevel>/sw/bin on a remote target.
Remote no longer carries auth state, the elevator owns the password
end-to-end. The prompt itself lives in Elevator.with_prompted_password()
so the CLI entry point stays a thin orchestrator and all
elevation-related plumbing is in one module.
--elevate={none,sudo} picks the privilege-elevation backend and
--ask-elevate-password (-S) prompts locally and feeds the password to
whichever backend is selected.
--sudo and --ask-sudo-password are kept as silent aliases that map onto
the new flags. --use-remote-sudo stays deprecated as before.
Mechanical replacement of `sudo: bool` with `elevate: Elevator` across
run_wrapper, nix.py and services.py, plus test updates. The temporary
shim in run_wrapper is removed.
`args.elevator` is constructed in execute() from the existing --sudo /
--ask-sudo-password flags so the CLI surface is unchanged in this
commit.
Replaces the inline sudo command assembly with calls into the Elevator
introduced in the previous commit. The `sudo: bool` parameter is kept
as a temporary shim that constructs a SudoElevator internally, so no
caller or test changes are needed and the existing test suite proves
the move is behaviour-preserving.
The shim is removed in the next commit.
Adds elevate.py with an Elevator base, NoElevator and SudoElevator.
Nothing uses it yet. This is a pure addition so the next commit can
swap run_wrapper over without mixing new code with the move.
The SudoElevator wrapping is byte-for-byte what run_wrapper currently
emits (including NIX_SUDOOPTS handling), so behaviour is unchanged
once the switch happens.
Motivated by #507054: threading a second `run0: bool` alongside
`sudo: bool` through every signature does not scale and makes invalid
combinations representable.
The commit 011471c7f2 ("fetchgit: disable git maintenance") disabled
git's maintenance mode, but that does not affect git repositories with
submodules.
Switch to using the GIT_CONFIG_* environment variables. This is done in
a way to make the approach more generic, but also kinda not the best
("insane") so that it works with any future change, even with
`impureEnvVars`.
Maybe `git -c maintenance.auto=false` can work but I cannot figure out
how to use that here. I would prefer disabling maintenance mode in Git's
derivation itself but did not find any build-time knob to toggle that.
TL;DR: add `assert` in the correct location for type-narrowing
typeshed recently updated their definition of `select` in bcb6399e15.
The result is that the members of the lists passed to `select` now
require an upper bound of `FileDescriptorLike`.
The `self.shell` variable is typed as `socket | None`, but previously
passed checking against typeshed due to the missing upper-bound.
Despite the source code including a type-narrowing `assert`, `ty` does
not make use of it within the inner function that `select` is used in,
meaning `self.shell` wasn't narrowed at the appropriate place.
Now that typeshed has added this upper-bound, type-checking starts to fail, as evidenced in
https://github.com/NixOS/nixpkgs/pull/523288#issuecomment-4529738483.
So the correct fix is just to add the `assert` into the inner function.
This came up in Firefox as
https://bugzilla.mozilla.org/show_bug.cgi?id=2042197, where policies
caused different behavior to be active (also see
https://github.com/NixOS/nixpkgs/pull/524793). We should not observe any
such differences, but this indicates that the policy is unnecessary for
disabling the updater.
Tor/Mullvad Browser have supported is-packaged-app for a long time
(https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/985),
and it's preferred by Firefox (i.e. it actually has meaning there:
https://searchfox.org/firefox-main/search?q=is-packaged-app&path=&case=false&regexp=false), so we switch from `system-install` to that one. This shouldn't
change anything else user visible.
This removes the "Your browser is being managed by your organization."
text from about:preferences and changes about:policies from showing this
singular policy to "The Enterprise Policies service is inactive." (the
intended upstream behavior), so this seems like a win for clarity.
Tested by downgrading the version in the derivation, and seeing no
update UI appear, either in the hamburger menu in the toolbar or under
Help > About Mullvad Browser.
This came up in Firefox as
https://bugzilla.mozilla.org/show_bug.cgi?id=2042197, where policies
caused different behavior to be active (also see
https://github.com/NixOS/nixpkgs/pull/524793). We should not observe any
such differences, but this indicates that the policy is unnecessary for
disabling the updater.
Tor/Mullvad Browser have supported is-packaged-app for a long time
(https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/985),
and it's preferred by Firefox (i.e. it actually has meaning there:
https://searchfox.org/firefox-main/search?q=is-packaged-app&path=&case=false&regexp=false), so we switch from `system-install` to that one. This shouldn't
change anything else user visible.
This removes the "Your browser is being managed by your organization."
text from about:preferences and changes about:policies from showing this
singular policy to "The Enterprise Policies service is inactive." (the
intended upstream behavior), so this seems like a win for clarity.
Tested by downgrading the version in the derivation, and seeing no
update UI appear, either in the hamburger menu in the toolbar or under
Help > About Tor Browser.
Needed so github-desktop's git wrapper (dugite) can find subcommands
like `git-submodule` etc. Retrieve the full list with `ls -l $(nix build
--print-out-paths nixpkgs#git)/libexec/git-core | grep -vE '( -> )?git$'
| awk '{ print $7 }'`.
Fixes #524797
This module was deprecated in 26.05 and is being removed in 26.11.
Generating your own dhparams has been obsoleted by RFC 7919 (2016).
DHE itself has been obsoleted by ECDHE (RFC 8422, 2018) and Hybrid PQ
(draft-ietf-tls-ecdhe-mlkem, 2026) key exchanges.
TLS 1.3 (RFC 8446, 2018) stopped defining any DHE cipher suites and lists
this as a major difference from TLS 1.2.
rdma makes use of `dlopen` internally to load a "provider" plugin
based on the NIC (Intel, Broadcom, etc.). That's fundamentally
incompatible with static builds.
Treat empty GitHub GraphQL tag refs as inconclusive.
Use the existing tag feed/git fallback path instead of treating an empty API result as authoritative no-tags state.
Make the --enable-scripting optional to allow for minimalized
builds and ensure lua is correctly referenced in cross builds.
Signed-off-by: Markus Theil <theil.markus@gmail.com>
Since version 0.38.3, spotatui supports showing cover art via
`ratatui-image` (using Sixel/Kitty) if enabled using the `cover-art`
Cargo feature. This enables that feature, because it incurs no extra
dependencies, except those pulled in by Cargo.
When firewalld serves as the backend for networking.firewall, changes
to allowedTCPPorts, zones, settings etc. rewrite /etc/firewalld/*
but firewalld.service was never reloaded. Add reloadTriggers pointing
to firewalld.conf, all zone XMLs and service XMLs so
switch-to-configuration reloads the daemon on nixos-rebuild switch.
nixos/firewalld: treefmt
Upstream added versions with -exp-\d suffix which broke the script.
Instead of adding another filter to the current query, let's try getting
the latest stable version instead.
IIRC previously they didn't correctly mark stable releases which is why
we didn't use this method.
By using unittest's assertEqual you actually see how often the
activation script was being run, i.e. the expected value.
(cherry picked from commit 864a84d3e9)
stc-ng starts every active target (including default.target) and then
explicitly restarts nixos-activation.service. As a Type=oneshot without
RemainAfterExit the unit is inactive after login, so the default.target
start job re-runs it via Wants=, and the explicit restart runs it again
(or, depending on ordering, SIGTERMs the currently running script and re-runs it).
Set RemainAfterExit=yes so target starts are a no-op for an already-run
activation, and restartIfChanged=false so the unit-diff pass leaves it
alone when the script changes. The explicit restart in stc-ng remains
the single trigger per switch. Print that restart so it is visible in
the switch output, and drop it from the "NOT restarting" list.
Extend the user-activation-scripts test to assert the activation is
only run once, and never killed.
The previous "FragmentPath not under /etc" deny-list swept up units that
were never managed by a per-user manager (e.g. dbus-broker, whose
FragmentPath systemd reports under /run/current-system/sw/share via
systemd.packages) and missed nothing it should have caught, but for the
wrong reason.
Make the intent explicit. A unit is a migration candidate iff it is
active, the new generation defines it in /etc/systemd/user, and either
* its FragmentPath is under $XDG_CONFIG_HOME/systemd/user (the
home-manager case; ~/.config shadows /etc, so we must wait for
sd-switch to remove the copy), or
* its FragmentPath is anywhere else outside /etc and the previous
generation did not have it in /etc (package-shipped units found via
$XDG_DATA_HOME / $XDG_DATA_DIRS, e.g. ~/.nix-profile/share; /etc
outranks these so it wins on daemon-reload).
The "previous generation did not have it" guard keeps units that have
always been in /etc, but whose FragmentPath systemd reports elsewhere, out
of the candidate set, and the existing now_etc check verifies /etc
actually won before acting. Compare FragmentPath by parent directory
instead of string prefix while here.
Covered by a new switch-test case that seeds a unit in
~/.local/share/systemd/user.
The post-activation pass added in 5cc82c4922 to handle units migrating
from a per-user manager (home-manager) to NixOS unconditionally restarts
or starts any candidate. dbus-broker.service explicitly opts out of
restarts via reloadIfChanged because restarting the session bus kills
running clients; the second pass ignored that and restarted it anyway.
Apply the same X-ReloadIfChanged / X-RestartIfChanged / RefuseManualStop /
RefuseManualStart / X-OnlyManualStart checks that handle_modified_unit
performs, so a migrated unit is reloaded, skipped, restarted or started
as its directives require.
Covered by new switch-test specialisations for reloadIfChanged and
restartIfChanged = false.
Introduces sv-lang version 10.
Needed by circt for its slang frontend in newer versions. Includes a
patch to install BS_thread_pool.hpp when SLANG_USE_THREADS is enabled.
Different versions of sv-lang are not compatible, so packages depending
on this package need a specific version. The original sv-lang (v9.1)
becomes sv-lang_9.
Replace `systemd.user.extraConfig` with a freeform `systemd.user.settings.Manager` submodule, rendered via `utils.systemdUtils.lib.settingsToSections`. `extraConfig` is removed via `mkRemovedOptionModule`. Mirrors the existing `systemd.settings.Manager` migration of the system-side manager.
Updates the two in-tree consumers (`nixos/modules/testing/test-instrumentation.nix` and `nixos/tests/systemd.nix`) to the new option.
Adds `nixos/tests/systemd-user-settings` to assert the rendered `user.conf` contents.
Drop the `with utils;`, `with systemdUtils.unitOptions;` and `with lib;` blocks and qualify all references with `lib.`, `utils.systemdUtils.lib.` and `utils.systemdUtils.types.` instead. No behavioural change.
Prefix `lib.` on `mkOption`, `mkIf`, `types.*`, `literalExpression`, `optionalString` and `concatStringsSep` so the module no longer relies on `with lib;`. No behavioural change.
1. SDL_compat is not the library's name, it is sdl12-compat
2. Underscores are not allowed in nixpkgs package names
3. Capitals are not allowed in nixpkgs package names
In 52a23a9 the configuration `data-dir $out/share/aspell` was
introduced to make sure that `aspell --lang=<LANG> create
master ...` finds the LANG.dat file. However, the correct location
for language data files is $out/lib/aspell. This confusion also
broke filter discovery as described in #476684.
This commit fixes the location of language data files.
Note: `aspell --lang=<LANG> create master ...` will fail if the
dictionary has not been installed in the environment via
`aspellWithDicts (dict: [ dict.<LANG> ])` which is expected.
Fixes #476684
If passthru.tests were being run for reverse deps by default, this wouldn't be necessary. But they aren't. So make the connection between qtmir and Lomiri more explicit.
Use jdk21 and gradle to build JSpecify from source.
Note: this produces an identical binary to the jspecify-1.0.0.jar
on Maven Central:
sha256 = 1fad6e6be7557781e4d33729d49ae1cdc8fdda6fe477bb0cc68ce351eafdfbab
Upstream was an early-access release and is unmaintained. Note also that
the first LTS release of Java to support the FFM API is JDK 25.
jextract (currently based on JDK 25) should be used instead.
Apply the Linux patch to the initialization string for `clang_path_include`
instead of replacing `clang_path_include` with the patched string. This
allows the correct value for Darwin to be selected by the ternary expression.
In 9e78baf5c7, Aarch machines were given the `-device virtio-gpu-pci`
argument, to mirror the `-vga std` option that
was added unconditionally to virtualised x86_64 machines. Since then,
in a7ca287ecb, the `-vga std` option was
removed, because that is the default value of this option embedded in
QEMU since version 2.2.
Removing it from the hard-coded list of qemu options makes it possible
for the user to choose their own `-vga` value. Similarly, for Aarch
virtualised machines, choosing unconditionally the `-device
virtio-gpu-pci` option instead of e.g. `-device virtio-gpu-gl-pci`,
can be bothersome too - see:
https://discourse.nixos.org/t/test-an-aarch64-linux-vm-wayland-compositor-from-an-x86-64-linux-host/77416/2
Upstream's first notarized release. The 1.4.0 DMG is signed by
Dan Oak (Team ID VH8UL6UKQL) rather than the original ther0n
team; ther0n acknowledged this in
ther0n/UnnaturalScrollWheels#111.
Migrate to SRI hash, add nix-update-script, add meta.changelog,
add jesssullivan as co-maintainer.
Tested on aarch64-darwin: builds, codesign --verify --deep
--strict and stapler validate both pass.
bootstrap is not autoconf and rejects the --enable-static/
--disable-shared flags injected by the static stdenv adapter;
set dontAddStaticConfigureFlags to avoid them
FindLibArchive doesn't handle static libarchive correctly,
use pkg-config to find correct entry manually and pass via
NIX_LDFLAGS.
kwsys's DynamicLoader test is inimical to -static so
disable BUILD_TESTING in that case.
Co-authored-by: Luna Nova <git@lunnova.dev>
The Blender License was never activated or used, and does not nullify
that Blender itself is licensed under the GPL. The “indefinite
cancellation” also occurred in 2005 (over 20 years ago).
Because stdenv instructs meson to enable all features automatically,
it's redundant to have any lib.mesonEnable that just sets a literal
true. Keeping the `supported_build` feature flag to explicitly convey
the intention behind it.
Those are currently missing any maintainer, but they really should have some that get pinged if they are touched. I also personally edited them at some point and read them to the level of having at least the basic understanding of how to perform a review for them.
The installCheckPhase uses `[ $f == $out/bin/*.dwarf ]` to skip .dwarf
files, but when no .dwarf files exist, the glob doesn't expand and bash's
`[` builtin fails with "unary operator expected".
Switch to `[[ ]]` which handles glob patterns correctly without expansion.
[Nixpkgs](https://github.com/nixos/nixpkgs) is a collection of over 120,000 software packages that can be installed with the [Nix](https://nixos.org/nix/) package manager.
[Nixpkgs](https://github.com/nixos/nixpkgs) is a collection of over 140,000 software packages that can be installed with the [Nix](https://nixos.org/nix/) package manager.
It also implements [NixOS](https://nixos.org/nixos/), a purely-functional Linux distribution.
# Manuals
@@ -47,9 +47,9 @@ Here are some of the main ones:
Nixpkgs and NixOS are built and tested by our continuous integration system, [Hydra](https://hydra.nixos.org/).
* [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
* [Continuous package builds for the NixOS 25.11 release](https://hydra.nixos.org/jobset/nixos/release-25.11)
* [Continuous package builds for the NixOS 26.05 release](https://hydra.nixos.org/jobset/nixos/release-26.05)
* [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
* [Tests for the NixOS 25.11 release](https://hydra.nixos.org/job/nixos/release-25.11/tested#tabs-constituents)
* [Tests for the NixOS 26.05 release](https://hydra.nixos.org/job/nixos/release-26.05/tested#tabs-constituents)
Artifacts successfully built with Hydra are published to cache at https://cache.nixos.org/.
When successful build and test criteria are met, the Nixpkgs expressions are distributed via [Nix channels](https://nix.dev/manual/nix/stable/command-ref/nix-channel.html).
@@ -309,6 +309,8 @@ pnpm is available as the top-level package `pnpm`. Additionally, there are varia
When packaging an application that includes a `pnpm-lock.yaml`, you need to fetch the pnpm store for that project using a fixed-output-derivation. The function `fetchPnpmDeps` can create this pnpm store derivation. In conjunction, the setup hook `pnpmConfigHook` will prepare the build environment to install the pre-fetched dependencies store. Here is an example for a package that contains `package.json` and a `pnpm-lock.yaml` files using the fetcher and setup hook above:
There is also the [`pnpmBuildHook`](#pnpm-build-hook) for building packages with `pnpm`, as seen in [](#ex-pnpm-build-hook).
```nix
{
fetchPnpmDeps,
@@ -511,10 +513,10 @@ Changes can include workarounds or bug fixes to existing PNPM issues.
##### Version history {#javascript-pnpm-fetcherVersion-versionHistory}
Version 3 is the recommended value for new packages. Versions 1 and 2 are deprecated and scheduled for removal in the 26.11 release; existing packages must migrate.
Version 3 is the minimum supported value. Versions 1 and 2 were removed in the 26.11 release; packages that still use them fail to evaluate and must migrate to `fetcherVersion = 3` (or later) and regenerate their hashes.
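Review bot: the new statement that packages on versions 1 and 2 "fail to evaluate" only holds if `fetchPnpmDeps` actually throws on `fetcherVersion` below 3 with a message that points readers at this section; please make sure that check lands together with this text, and keep the earlier version-history entries describing what changed between 1, 2 and 3 so that maintainers migrating to `fetcherVersion = 3` understand why their hash changes rather than assuming a corrupted fetch.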
This is usually a bug. Please consider reporting it to the software maintainers.
In a lot of cases, the library requires the execstack by mistake only. The following workarounds exist:
* When building the shared library in question from source, use the following linker flags to force turning off the
executable flag:
```nix
mkDerivation {
# …
env.NIX_LDFLAGS = "-z,noexecstack";
}
```
* If the sources are not available, the execstack-flag can be cleared with `patchelf`:
```
patchelf --clear-execstack binary-only.so
```
* If the shared library to be loaded actually requires an executable stack and it isn't turned
on by the application loading it, you may force allowing that behavior by setting the
following environment variable:
```
GLIBC_TUNABLES=glibc.rtld.execstack=2
```
**Do not set this globally!** This makes your setup inherently less secure.
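Review bot: the `env.NIX_LDFLAGS = "-z,noexecstack";` example in the first bullet hands a comma-joined token to the linker; that is the `-Wl,-z,noexecstack` compiler-driver spelling, whereas when the flag reaches `ld` directly it is spelled `-z noexecstack` (or `-znoexecstack`), so please verify the comma form is accepted by the ld wrapper or change it, because a flag the linker warns about and ignores leaves the executable stack enabled while the reader believes it fixed. The `GLIBC_TUNABLES=glibc.rtld.execstack=2` bullet would also be more useful if it said where the variable should be set instead (the wrapper of the single program that needs it), so the "do not set this globally" warning comes with an actionable alternative.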
- Node.js default version has been updated from 22 LTS to 24 LTS.
This introduces some breaking changes; Refer to the [upstream migration article](https://nodejs.org/en/blog/migrations/v22-to-v24) for details.
@@ -74,6 +112,8 @@
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- `mdbook-linkcheck` has been removed as it is unmaintained and incompatible with the latest version of `mdbook`. Users can instead migrate to `mdbook-linkcheck2`.
- The `nodePackages` package set has been removed entirely from nixpkgs. This package set was created to ease the maintenance burden of maintaining lots of
NodeJS-based packages within nixpkgs, but became a burden itself. Over the past several releases, there has been a focus on removing it in favor of the more modern nixpkgs packaging strategies.
After a long time, this package set has been deprecated and removed. If you are using its package set in your own config, please use the top-level packages instead.(i.e `pkgs.package-name` instead of `pkgs.nodePackages.package-name`).
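Review bot: the last sentence of the `nodePackages` entry has its punctuation run together (`...instead.(i.e `pkgs.package-name`...`); put a space after the period and write `i.e.`. While here, `NodeJS-based` should read `Node.js-based`, matching the spelling used in the `Node.js default version` entry elsewhere in this file.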
@@ -111,6 +151,23 @@
- `nodePackages.wavedrom-cli` has been removed, as it was unmaintained within nixpkgs.
- MATE packages have been moved to top level (e.g. if you previously added `pkgs.mate.caja` to `environment.systemPackages`, you will need to change it to `pkgs.caja`).
- `kratos` has been updated from 1.3.1 to [25.4.0](https://github.com/ory/kratos/releases/tag/v25.4.0). Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:
- The `migrate sql` CLI command is now `migrate sql up`
- OIDC registration validation errors are now placed in the `default` node group instead of `oidc`
- `pdns` has been updated to version [v5.0.x](https://doc.powerdns.com/authoritative/changelog/5.0.html), which introduces breaking changes. Check out the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-5-0-0) for details.
- `geph` package's built-in GUI `geph5-client-gui` has been [removed](https://github.com/geph-official/geph5/commit/f2221fb8386312daf2cef05483ebb353ff48bdb4) by the upstream. All users who wish to continue using the GUI should install the `gephgui-wry`, which is consistent with the official release version.
- `xfsprogs` was updated to version 6.18.0, which enables parent pointers and exchange-range by default. Upstream recommends not to use these features with kernels older than 6.18.
GRUB2 is likely unable to boot from filesystems with these features enabled.
- `lunarvim` package has been removed, as it was abandoned upstream and relied on an old version of `neovim` to work properly.
- `requireFile` now treats any `message` or `url` argument as a literal string, rather than subjecting it to Bash here-doc expansion. This allows including strings like `$PWD` in the message without needing to know about and handle the undocumented Bash expansion.
- `nodePackages.browserify` has been removed, as it was unmaintained within nixpkgs.
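Review bot: the `nodePackages.wavedrom-cli` and `nodePackages.browserify` entries in this hunk are redundant with the entry above stating that the whole `nodePackages` set has been removed; drop them or fold the package names into that entry. The `xfsprogs` entry says GRUB2 is "likely unable to boot" from filesystems created with the new defaults but gives the reader no action; state how to avoid the new on-disk features when creating a filesystem that will hold `/boot`.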
@@ -126,8 +183,6 @@
- `kanata` now requires `karabiner-dk` version 6.0+ or later.
The package has been updated to use the new `karabiner-dk` package and the `darwinDriver` output stays at the version defined in the package.
- Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.
- Keycloak has been updated to 26.6.X, bringing a lot of new features like federated client authentication, JWT authorization grants, workflows and the ability to do
zero-downtime patch releases. Read more about [all the exciting new capabilities in keycloak 26.6 here](https://github.com/keycloak/keycloak/releases/tag/26.6.0)
and [consult the migration guide to 26.6](https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-26-6-0) to find out whether this is a breaking
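Review bot: "`karabiner-dk` version 6.0+ or later" is redundant; write "6.0 or later". The Keycloak entry stops mid-sentence at "to find out whether this is a breaking" and gives the version as `26.6.X`; finish the sentence and name the concrete version that is packaged.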
@@ -177,7 +232,7 @@
- `iroh` has been removed and split up into `iroh-dns-server` and `iroh-relay`.
- the `xorg` package set has been deprecated, packages have moved to the top level.
- The `xorg` package set has been deprecated, packages have moved to the top level.
- `python3Packages.buildPythonPackage` and `python3Packages.buildPythonApplication` now throw errors in the presence of `pytestFlagsArray`.
Please use [`pytestFlags` and `(enabled|disabled)(TestPaths|Tests|TestMarks)`](#using-pytestcheckhook) instead.
@@ -214,23 +269,12 @@
- `jetbrains.plugins.addPlugins` no longer supports plugin names or ID strings.
You can still use `addPlugins` with plugin derivations, such as plugins packaged outside of Nixpkgs.
- The `programs.captive-browser` module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to [GHSA-wc3r-c66x-8xmc](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc) (CVE-2026-25740). If you're using this module, you must either configure `programs.captive-browser.dhcp-dns` manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.
- NetBox was updated to `>= 4.5.5`. Have a look at the breaking changes
of the [4.5 release](https://github.com/netbox-community/netbox/releases/tag/v4.5.0),
make the required changes to your database, if needed, then upgrade by setting `services.netbox.package = pkgs.netbox_4_5;` in your configuration.
- The `services.yggdrasil` module has been refactored with the following breaking changes:
- The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via `services.yggdrasil.settings`.
- The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use `services.yggdrasil.settings.PrivateKeyPath` to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
- Storing `PrivateKey` directly in `settings` is now explicitly forbidden to prevent keys from being stored world-readable in the Nix store.
- If you previously used `configFile`, migrate your configuration to the `settings` option and extract the private key to a separate file referenced by `PrivateKeyPath`.
- If you previously used `persistentKeys`, convert your keys to PEM format and store them in a secure location accessible only to root, then reference them via `PrivateKeyPath`.
- `pocket-id` has been updated to version 2 that contains [breaking changes](https://pocket-id.org/docs/setup/major-releases/migrate-v2).
- `services.xserver` will now throw an error if an X11 driver specified in `videoDriver(s)` cannot be found. Previously, unknown drivers would be silently ignored.
- `asio` (standalone version of `boost::asio`) has been updated from 1.24.0 to 1.36.0. Some breaking changes were introduced between these
two versions, and the one affected most was the removal of `asio::io_service` in favor of `asio::io_context` in 1.33.0. `asio_1_32_0` is
retained for packages that have not completed migration. `asio_1_10` has been removed as no packages depend on it anymore.
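Review bot: the `services.yggdrasil.persistentKeys` migration entry should state that `PrivateKeyPath` must be a string path to a root-only file outside the Nix store rather than a Nix path literal, otherwise the key still ends up in the world-readable store, which is exactly what the next bullet's ban on `PrivateKey` in `settings` is meant to prevent. "`pocket-id` has been updated to version 2 that contains" reads better as "version 2, which contains".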
@@ -253,8 +297,6 @@
- Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.
- The `services.avahi.wideArea` option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g).
- `coreth` has been removed, as upstream has moved it into `avalanchego`.
- `nodePackages.prebuild-install` was removed because it appeared to be unmaintained upstream.
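Review bot: `nodePackages.prebuild-install` gets its own removal entry although the earlier entry already says the whole `nodePackages` set is gone; drop it or merge it there. The `services.avahi.wideArea` entry would be more useful with one clause saying what a deployment that relies on wide-area mDNS must set to keep the old behaviour, so readers can weigh that against the CVE.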
@@ -284,8 +326,6 @@
- `shisho` has been removed because it's archived. `semgrep`, `opengrep`, and `ast-grep` provide similar functionality.
- `services.openssh.settings.AcceptEnv` is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
- All Xfce packages have been moved to top level (e.g. if you previously added `pkgs.xfce.xfce4-whiskermenu-plugin` to `environment.systemPackages`, you will need to change it to `pkgs.xfce4-whiskermenu-plugin`). The `xfce` scope will be removed in NixOS 26.11.
- The Dovecot IMAP server has been updated to version 2.4, with the `dovecot` attribute now referring to this backwards-incompatible version. The attribute `dovecot_2_3` refers to the previous version. The Pigeonhole plugin has been similarly updated to 2.4, with the version compatible with Dovecot 2.3 being at `dovecot_pigeonhole_0_5`. See <https://doc.dovecot.org/latest/installation/upgrade/2.3-to-2.4.html> for more information on how to upgrade.
@@ -296,12 +336,8 @@
- `vimPlugins.nvim-treesitter` has been updated to `main` branch, which is a full and incompatible rewrite. If you can't or don't want to update, you should use `vimPlugins.nvim-treesitter-legacy`.
- `services.taskchampion-sync-server` module has had an option `services.taskchampion-sync-server.dynamicUser` added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
- Package `jellyseerr` has been renamed to `seerr` following the upstream rename.
- The default packages in `services.jenkins.packages` have been dropped, since not every Jenkins installation needs any package at all. It's more reasonable to leave it empty and let users configure what they need.
- The `pie` hardening flag has been removed and will now error, after being deprecated in 25.11. Compilers are expected to enable PIE by default, as has been common practice since 2016 outside of Nixpkgs. If a package needs `pie` disabled pass `-no-pie` in `CFLAGS`. It is unlikely this will be necessary in many cases; due to the prevalence of default PIE toolchains, most packages incompatible with PIE already pass `-no-pie`.
- `pqos-wrapper` was removed as it has been unmaintained since 2022 and not widely used.
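Review bot: the `services.taskchampion-sync-server.dynamicUser` entry is ambiguous: "If you need this feature, you need to set ... to `true` and migrate ..." should say that this applies to systems whose `stateVersion` is below 26.05, since newer ones get it by default and need no migration step.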
@@ -314,6 +350,8 @@
- `linuxPackages.nvidiaPackages` now follows NVIDIA's official release branches by exposing `production`, `new_feature`, and `beta`. The convenience aliases `latest` (newer of `production` and `new_feature`) and `bleeding_edge` (newer of `latest` and `beta`) are provided; note that `beta` now refers strictly to the beta branch.
- `stestrCheckHook` was added: This test hook runs `stestr run`. You can disable tests with `disabledTests` and `disabledTestsRegex`.
- `balatro` now supports the Google Play and Xbox PC versions of the game. Pass the `apk` or `Assets.zip` as `balatro.override { src = "…" }`.
- `uptime-kuma` has been updated to v2, which requires an automated migration that can take a few hours. **A backup is highly recommended.**
@@ -324,16 +362,22 @@
- The `libcxxhardeningextensive` hardening flag has been **disabled** by default. Enabling it by default in 25.11 was unintentional and may have had a negative effect on performance in some cases. `libcxxhardeningfast` remains enabled by default.
- The packages `ibtool`, `actool` and `re-plistbuddy` have been added, providing reimplementations of the corresponding proprietary Apple tools. They are more compatible with the originals than the previously existing `xcbuild` package, and should enable more darwin software to be built from source.
- Wine has been updated to the 11.0 branch. Please check the [upstream announcement](https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0) for more details.
- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
- Cinnamon has been updated to 6.6, please check the [upstream announcement](https://www.linuxmint.com/rel_zena_whatsnew.php) for more details.
- `rspamd` has been updated to 4.0. Please check the upstream [migration](https://docs.rspamd.com/tutorials/migration/#migration-to-rspamd-400) documentation, especially if you run a sharded Redis deployment.
- `hyphen` now supports over 40 language variants through `hyphenDicts` and now allows to enable all supported languages through `hyphenDicts.all`.
- `budgie` has been updated to 10.10, please check the [upstream announcement](https://buddiesofbudgie.org/blog/budgie-10-10-released) for more details.
- The packages `ibtool`, `actool` and `re-plistbuddy` have been added, providing reimplementations of the corresponding proprietary Apple tools. They are more compatible with the originals than the previously existing `xcbuild` package, and should enable more darwin software to be built from source.
- GNU Taler has been updated to version 1.3.
This release focuses on getting everything ready for a deployment of GNU Taler by Magnet bank.
For more details, see the [upstream release notes](https://www.taler.net/en/news/2025-13.html).
- The `services.nextcloud-spreed-signaling` NixOS module has been added to facilitate declarative management of a standalone Spreed signaling server ("High Performance Backend" for Nextcloud Talk).
- `collabora-desktop` The desktop version of Collabora Office is now available, package version `25.05.9.2-2`.
- `fetchPnpmDeps` and `pnpmConfigHook` were added as top-level attributes, replacing the now deprecated `pnpm.fetchDeps` and `pnpm.configHook` attributes.
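Review bot: the `ibtool`/`actool`/`re-plistbuddy` entry appears twice in this hunk, word for word; keep one copy. The switch-inhibitors entry says to add `config.systemd.package.version` "to the switch inhibitors for your system" without naming the option that holds that list; name it, and note next to `NIXOS_NO_CHECK=1` that this bypasses the check entirely. "`collabora-desktop` The desktop version of Collabora Office is now available" is a sentence fragment; write "`collabora-desktop`, the desktop version of Collabora Office, is now available".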
@@ -368,8 +412,6 @@
- Updated `gonic` to 0.21.0. A full ("slow") scan is recommended after upgrading to v0.21.0 to pick up the newly scanned fields (contributors, ISRCs, record labels, per-track years, ARTIST_CREDIT).
- the `autossh-ng` NixOS module was introduced as a simpler alternative to the existing `autossh` module.
- Added `haskell.packages.microhs`, a set of Haskell packages built with MicroHs.
- `gnuradio`: Overriding the `.pkgs` package set is now possible with a `packageOverrides` function, like with `python.pkgs` and other language-specific package sets.
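Review bot: "the `autossh-ng` NixOS module was introduced" starts lowercase; capitalize it like the other entries (the same fix this series applies to the `xorg` entry).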
@@ -388,8 +430,6 @@ gnuradioMinimal.override {
}
```
- Added `headplane` and `headplane-agent` packages, and `services.headplane` service.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -422,4 +462,3 @@ gnuradioMinimal.override {
- The builder `php.buildComposerProject2` for PHP applications has been improved for better reliability and stability.
- The `services.drupal` module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and some new settings for managing variable content and filepaths.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-`databricks-cli` has been updated from `0.290.2` to `1.x.x`, the first major release. OAuth tokens for interactive logins (`auth_type = databricks-cli`) are now stored in the OS-native secure store by default (Secret Service on Linux) instead of `~/.databricks/token-cache.json`; cached tokens from older versions are not migrated, so run `databricks auth login` once per profile after upgrading. To keep the previous file-backed storage, set `DATABRICKS_AUTH_STORAGE=plaintext` or add `auth_storage = plaintext` under `[__settings__]` in `~/.databrickscfg`. Additionally, the `vector_search_endpoints` DABs resource renamed `min_qps` to `target_qps` (and the `vector-search-endpoints` command renamed `--min-qps` to `--target-qps`). See the [upstream changelog](https://github.com/databricks/cli/blob/main/CHANGELOG.md) for details.
-`hurl` has been updated to `8.x.x` which has some breaking changes. See [upstream changelog](https://github.com/Orange-OpenSource/hurl/releases/tag/8.0.0) for details.
-`python3Packages.django-health-check` has been updated to major version 4. See its [migration guide](https://codingjoe.dev/django-health-check/migrate-to-v4/) and [changelog](https://github.com/codingjoe/django-health-check/releases/tag/4.0.0) for breaking changes.
-`libgdata` has been removed, as it was archived upstream and relied on the insecure libsoup 2.4.
-`uhttpmock` providing 0.0 ABI was removed. `uhttpmock_1_0` providing 1.0 ABI was renamed to `uhttpmock` and `uhttpmock_1_0` was kept as an alias.
- The ARMv5 Linux kernel build now uses a standard configuration and generates a standard compressed image instead of the deprecated legacy U‐Boot image format.
`lib.systems.{examples,platforms}.{sheevaplug,pogoplug4}` have been unified into `lib.systems.examples.armv5tel-multiplatform`.
Note that there is no official support for ARMv5 and it is not possible to build even a simple NixOS configuration out of the box.
- Support for the legacy U‐Boot image format has been removed from the Linux kernel builders, as it is deprecated upstream and no longer used by any platform in Nixpkgs.
-`requireFile` now sets `meta.license = lib.licenses.unfree` by default. Users of `requireFile`-based derivations that preserve this default will need to explicitly allow their evaluation as described in [](#sec-allow-unfree).
-`librest` providing 0.7 ABI was removed. `librest_1_0` providing 1.0 ABI was renamed to `librest` and `librest_1_0` was kept as an alias.
-`fetchPnpmDeps`' `fetcherVersion = 1` and `fetcherVersion = 2` have been
removed, as announced in the 26.05 release. Packages still using them now
throw an evaluation error and must migrate to `fetcherVersion = 3` (or later)
and regenerate their hashes. See the
[pnpm `fetcherVersion` section](#javascript-pnpm-fetcherVersion) of the manual
for details.
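Review bot: the entries for `databricks-cli`, `hurl`, `python3Packages.django-health-check`, `libgdata`, `uhttpmock`, `requireFile`, `librest` and `fetchPnpmDeps` begin with `-` followed directly by text, with no space, so Markdown will not render them as list items; write `- ` like the surrounding entries. In the `databricks-cli` entry, say plainly that `auth_storage = plaintext` writes the OAuth token unencrypted to `~/.databricks/token-cache.json`, so the reader sees the trade-off of opting out of the secure store.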
## Other Notable Changes {#sec-nixpkgs-release-26.11-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
A consistent style greatly increases the usability of all documentation and communication.
Use this page as a reference and style guide for our internal and external documentation.
### Knowledge Expectations
**Assume competence, not familiarity.**
Write for someone who knows a great deal — up to but not including this project.
**What readers know:**
- Basic computer operation
- Command line familiarity
- General interest in systems configuration
**What readers don't know:**
- NixOS-specific concepts
- NixOS ecosystem details or grammar
- NixOS workflows
If specific knowledge is required, mention it at the start of the page.
#### Show, Don't Tell
The fastest path to understanding is a working example.
People learn by doing, not by reading about doing.
**Recommended structure:**
- Start with the minimal working code or command
- Briefly explain what it does
- Cover edge cases or variations
- Link to further information instead of including it
#### Grammar and Style
**Sentence structure:**
- Use simple, direct sentences
- Break complex ideas into multiple short sentences
- Avoid nested clauses
**Bad:**
> The following command, which utilizes nixos-generate-config to produce a comprehensive hardware configuration, will write the results back into the respective configuration directory located on your local machine.
What the user does is hidden in the middle.
`nixos-generate-config` is a leaked implementation detail.
Users care about *detecting hardware*, not *the tool that does it*.
**Good:**
> This command detects your hardware and saves the configuration.
#### Content Organization
Lead with value. State what the reader will accomplish before explaining how.
**Bad:**
> To create a new NixOS configuration that you can later use as a webserver, first navigate to your project directory, then add a new host configuration file with the desired machine name.
**Good:**
Add a webserver configuration to your NixOS setup:
```nix
# hosts/webserver/configuration.nix
{ ... }:
{
  services.nginx.enable = true;
}
```
Use **progressive disclosure**. Introduce concepts only when needed.
**Recommended structure:**
1. State the goal (one sentence)
2. Show the simplest working example
3. Explain concepts if needed
4. Provide advanced options separately or link to the reference
#### No Meta-commentary
Don't describe what the documentation does. Just do it.
**Don't:**
> This section explains how to configure networking.
> The following guide walks you through setting up a web server.
**Do:**
> Configure networking by setting:
> Set up a web server:
#### Code Examples
**Keep examples focused:**
- Show one concept at a time
- Use realistic but simple scenarios
- Avoid dependencies on other examples
**Minimal comments:**
Let the code speak for itself.
Paste code examples directly and without further alteration.
**Bad:**
```nix
# This sets the hostname for the machine
{
  networking.hostName = "webserver"; # Change this to your machine's hostname
  # This enables SSH access
  services.openssh.enable = true; # Required for remote deployment
}
```
**Good:**
```nix
{
  networking.hostName = "webserver";
  services.openssh.enable = true;
}
```
#### Lead with Practical Examples
Don't front-load theory. Readers want to accomplish something first, then understand why it works.
- Show configuration as *what you want*, not *how the module system works*
- Introduce Nix-specific concepts only when they are needed to complete the task
- Defer language mechanics to reference pages or `nix.dev`
**Bad:**
> Before adding a service, you need to understand the NixOS module system and attribute set merging.
**Good:**
Enable nginx:
```nix
{ services.nginx.enable = true; }
```
This adds nginx to your system configuration. Rebuild to apply:
```bash
sudo nixos-rebuild switch
```
#### Teach Nix through examples, not theory
Users learn the NixOS module system by seeing patterns first.
- Start with a working example
- Explanation follows the code
- Link deeper concepts instead of inlining them
- Link to `nix.dev` for optional learning
#### General Rules
- Abbreviate keys like `ssh-ed25519 AAAAC3NzaC…`
- Abbreviate IP addresses like `192.168.XXX.XXX`
- Variables are capitalized and start with `$`, e.g. `$YOUR_HOSTNAME`
- Variables should be directly usable during copy-paste
- Do **not** describe missing code parts (`#elided`, `#omitted`)
- **Machine vs Host**: use "machine" for the NixOS system identity, "host" for the physical or virtual hardware
#### Capitalization
- GB / RAM / HDD
- bootable USB drive
- Wi-Fi / DHCP / DNS
- macOS / NixOS / Nix / Linux
- Flakes
- git
#### Headings
Use sentence case. A reader scanning only headings should understand the page.
**Don't:**
> Getting Started
> Overview
> Configure The Database
**Do:**
> Set up a PostgreSQL database
> Configure networking
> Add a user to the system
#### Imperative Mood, Voice, and Person
Use imperative mood for instructions. Address the reader as "you", not "the user". Use active voice; in other words, make the subject do the action.
**Don't:**
> The user should run the following command.
> The configuration will need to be updated.
> The key is generated by the system.
**Do:**
> Run the command.
> Update the configuration.
> The system generates the key.
#### Tense
Use present tense for descriptions. Future tense makes documentation feel tentative.
**Don't:**
> This will create a new folder.
> Running this command will install the package.
**Do:**
> This creates a new folder.
> Running this command installs the package.
#### Be Confident
State facts. Don't hedge with "should," "might," "typically," or "usually" unless the behavior genuinely varies.
**Don't:**
> This should create the configuration file.
> The service will usually start automatically.
**Do:**
> This creates the configuration file.
> The service starts automatically.
#### Avoid Nominalizations
A nominalization is a verb turned into a noun, often by adding *-tion*, *-ment*, or *-ance* (e.g. "explanation", "selection"). The fix: find the hidden verb and use it directly.
**Don't:**
> Make a selection from the list.
> Provide an explanation of the error.
**Do:**
> Select from the list.
> Explain the error.
#### Plain Words
Technical precision for technical terms; plain language for everything else.
- "use" not "utilize"
- "start" not "initiate"
- "end" not "terminate"
- "help" not "facilitate"
- "send" not "transmit"
- "set up" not "establish"
- "find out" not "ascertain"
#### Filler Words and Weak Phrases
Cut words and phrases that add length without meaning.
**Don't:**
> In order to deploy, you first need to run the command, which allows you to push the config.
> It's worth noting that this requires root access.
**Do:**
> Run `nixos-rebuild switch`.
> To deploy, run:
> This requires root access.
Every word must earn its place.
#### Writing Procedures
One instruction per sentence. Don't pack multiple actions into one sentence.
**Don't:**
> Navigate to your project directory and run the command, then check the output.
**Do:**
1. Navigate to your project directory.
2. Run the command.
3. Check the output.
Don't bury the negative. Key limitations should be prominent, not a footnote after a positive description.
**Don't:**
> This service supports multiple roles, integrates with existing modules, and works great for most setups (note that multiple instances are not supported).
**Do:**
> This service does not support multiple instances.
#### Consistent Terminology
Pick a term and stick to it. Don't swap synonyms to avoid repetition. In technical documentation, repetition is clarity.
**Don't:**
> Create a machine... configure the host... deploy the node.
**Do:**
> Create a machine... configure the machine... deploy the machine.
#### Links
Use descriptive link text. Never use "click here" or "this link."
**Don't:**
> For more information, see `[this page](url)`.
> Click `[here](url)` to read the reference.
**Do:**
> See the `[NixOS options reference](url)` for details.
> Read the `[NixOS module system guide](url)`.
Only link when the destination is directly relevant, not for generic background context (sometimes known as "Wikipedia-style links"). Readers feel obligated to click links, fearing they'll miss something important. Don't send them to a generic article about a technology when they're looking for how *your* system uses it.
**Don't:**
> Our software uses [SQLite](https://sqlite.org/) for storage.
(Note that in the above example, the SQLite link is the SQLite home page, which is likely not pertinent.)
**Do:**
> See `[database schema](url)` for the full table structure.
#### UI Language
Match UI element names exactly: wording, casing, and spacing (even if a label seems oddly worded).
**Don't:**
> Click the generator button.
> Select the save option.
**Do:**
> Click **Generate a Key**.
> Click **Save Changes**.
Someone will go looking for a button labeled "generator." They will not find it. They will be frustrated.
Consistency between documentation and interface builds confidence. Words are part of the interface.
:::{.tip}
This can be tricky as UI changes; we don't yet have a policy in place for how to handle this. We welcome comments and suggestions.
:::
#### Clean system discipline
Your machine has things new users don't: cached credentials, installed tools, environment variables, existing configuration. When writing or updating documentation:
**Don't:**
> Write steps from memory on your development machine, assuming what works there will work everywhere.
**Do:**
> - Start on a clean system — a fresh VM or new user account
> - Take notes in real time as you work through the steps
> - Document every warning, prompt, or unexpected output the system shows
Also think in combinations: WSL vs native Linux, with and without existing keys. You don't need to test every matrix square — but you need to know which ones diverge.
#### Never type code — always copy-paste
Always copy commands and code from a terminal where you just ran them successfully. Never retype from memory.
**Don't:**
> Retype a command from memory into the documentation.
> Retype code into a code block from memory.
**Do:**
> Paste commands directly from the shell or IDE.
> Paste code that has been successfully validated with `nix-instantiate` or `nix-build`.
Replace sensitive values with placeholders: `<YOUR-KEY>`, `<YOUR-HOST>`, `<YOUR-TOKEN>`.
Typed-from-memory commands introduce subtle errors. Even the most experienced software developers have occasional typos.
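A small linter that checks a Markdown page against the General Rules above and this section: full SSH public keys must be abbreviated, IP addresses masked as `192.168.XXX.XXX`, no `#elided`/`#omitted` markers, and every fenced Nix block parsed with `nix-instantiate --parse` (only when that tool is on `PATH`). This is an added example, not part of the style guide; the sample document, the obviously fake key inside it and the loopback allow-list are constructed assumptions.

```python
"""Lint Markdown documentation against the style rules stated above.

Added example, not part of the original style guide. The sample document,
the fake SSH key in it and ALLOWED_IPS are constructed assumptions.
"""
import os
import re
import shutil
import subprocess
import tempfile

# A real OpenSSH key carries a long base64 blob; the guide wants only a short
# prefix plus "…". The trailing lookahead forces the whole base64 run to match,
# so a short abbreviated prefix (fewer than 16 chars) is never flagged.
SSH_KEY_RE = re.compile(
    r"\b(?:ssh-(?:ed25519|rsa)|ecdsa-sha2-nistp\d+) ([A-Za-z0-9+/=]{16,})(?![A-Za-z0-9+/=…])"
)
# IPv4 literal; the last two octets may be the XXX placeholder the guide uses.
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3}|XXX)\.(\d{1,3}|XXX)\b")
ELIDED_RE = re.compile(r"#\s*(elided|omitted)\b", re.IGNORECASE)
FENCE_RE = re.compile(r"^```(\w*)\s*$")
# Assumption: loopback and the unspecified address reveal nothing about a host.
ALLOWED_IPS = {"127.0.0.1", "0.0.0.0"}


def lint_line(n, line):
    """Findings for one line as (line_no, rule, excerpt) tuples."""
    out = []
    for m in SSH_KEY_RE.finditer(line):
        out.append((n, "unabbreviated-ssh-key", m.group(0)[:24] + "…"))
    for m in IPV4_RE.finditer(line):
        if "XXX" not in m.group(0) and m.group(0) not in ALLOWED_IPS:
            out.append((n, "unmasked-ip", m.group(0)))
    for m in ELIDED_RE.finditer(line):
        out.append((n, "elided-code", m.group(0)))
    return out


def nix_blocks(text):
    """Return (start_line, code) for every fenced block tagged nix."""
    blocks, lang, start, buf = [], None, 0, []
    for n, line in enumerate(text.splitlines(), 1):
        m = FENCE_RE.match(line)
        if m and lang is None:          # opening fence
            lang, start, buf = m.group(1), n, []
        elif m:                         # closing fence
            if lang == "nix":
                blocks.append((start, "\n".join(buf) + "\n"))
            lang = None
        elif lang is not None:
            buf.append(line)
    return blocks


def check_nix_blocks(text):
    """Parse each nix block with nix-instantiate --parse.

    Returns (findings, ran); ran is False when nix-instantiate is not on PATH,
    so a caller can tell "no errors" apart from "not checked".
    """
    tool = shutil.which("nix-instantiate")
    if tool is None:
        return [], False
    findings = []
    with tempfile.TemporaryDirectory() as tmp:
        for start, code in nix_blocks(text):
            path = os.path.join(tmp, f"block-{start}.nix")
            with open(path, "w") as f:
                f.write(code)
            proc = subprocess.run([tool, "--parse", path], capture_output=True, text=True)
            if proc.returncode != 0:
                err = proc.stderr.strip().splitlines()
                findings.append((start, "nix-parse-error", err[-1] if err else "parse failed"))
    return findings, True


def lint(text):
    """Run every rule over a Markdown document; findings sorted by line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        findings.extend(lint_line(n, line))
    findings.extend(check_nix_blocks(text)[0])
    return sorted(findings)


# Constructed sample page (the fence string is built so it does not close this block).
FENCE = "`" * 3
SAMPLE_DOC = "\n".join([
    "# Add a user",
    "",
    "Add the key `ssh-ed25519 AAAAC3NzaC…` to the machine at `192.168.XXX.XXX`.",
    "",
    FENCE + "nix",
    "{",
    "  users.users.alice.openssh.authorizedKeys.keys = [",
    '    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeFakeFakeFakeFakeFakeFakeFakeFakeFake alice"',
    "  ];",
    "  # elided",
    "}",
    FENCE,
    "",
    "Then connect with `ssh alice@10.0.1.23`.",
]) + "\n"

if __name__ == "__main__":
    for line_no, rule, excerpt in lint(SAMPLE_DOC):
        print(f"line {line_no}: {rule}: {excerpt}")
```

Run it against a real page with `lint(open(path).read())`; the three findings on the sample are the pasted full key, the `# elided` marker and the concrete IP address.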
- If you use LUKS disk encryption, ensure that `fileSystems."/".device` is set to `"/dev/mapper/<name>"`, where `<name>` matches the name in your `boot.initrd.luks.devices.<name>` definition, to avoid systemd timing out while prompting for a passphrase. If you have a more complex setup, e.g. with LVM on top of LUKS, you may need to add `"x-systemd.device-timeout=infinity"` to `fileSystems."/".options` instead. If you need to disable the timeout before you can boot into the system, pass `systemd.default_device_timeout_sec=infinity` on the kernel command line.
- The `cryptsetup-askpass` program is not available; use `systemctl default` instead, which will prompt for passphrases as necessary. If you pipe password responses into SSH over stdin, use `ssh -o RequestTTY=force` to ensure `systemctl default` gets a TTY to prompt on.
- Many kernel parameters have been replaced with native systemd versions; see [](#sec-boot-problems).
-`/dev/root` is not available with the systemd stage 1. In the old scripted stage 1, `/dev/root` was a symlink created by the init script from the `root=` kernel command line. With systemd stage 1, this symlink is not provided. If your configuration uses `/dev/root` in `fileSystems`, replace it with a stable device path such as `/dev/disk/by-label/...`, `/dev/disk/by-uuid/...`, or the appropriate `/dev/mapper/...` path.
- The system.nix file has been added as an alternative entry point to configuration.nix (and flake.nix) that allows configuring NixOS without using `nix-channel`.
This file must evaluate to a NixOS system derivation or an attribute set of such derivations, in which case the attribute to build has to be selected with the `--attr` option of `nixos-rebuild` or `nixos-install`.
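Review bot: the `/dev/root` entry begins with `-` directly followed by text, with no space, so it will not render as a list item; write `- ` like the entries around it. In the LUKS entry, "If you need to disable the timeout before you can boot into the system" should say where that kernel parameter is entered (the bootloader's edit prompt), since by definition the reader cannot rebuild their configuration at that point.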
@@ -60,6 +61,10 @@
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- [](#opt-services.autossh-ng.sessions) NixOS module was introduced as a simpler alternative to the existing [](#opt-services.autossh.sessions) module.
- [services.nextcloud-spreed-signaling](#opt-services.nextcloud-spreed-signaling.enable) NixOS module has been added to facilitate declarative management of a standalone Spreed signaling server ("High Performance Backend" for Nextcloud Talk).
- [OpenThread Border Router](https://openthread.io/), a Thread border router for POSIX-based platforms that bridges Thread mesh networks to IP networks. Available as [services.openthread-border-router](#opt-services.openthread-border-router.enable).
- [Atuin](https://atuin.sh), magical shell history — sync, search and backup your terminal history. Available as [programs.atuin](#opt-programs.atuin.enable).
@@ -69,9 +74,9 @@
- [Goupile](https://goupile.org/en), an open-source design tool for secure forms including Clinical Report Forms (eCRF). Available as [services.goupile](#opt-services.goupile.enable).
- [knot-resolver](https://www.knot-resolver.cz/), in version 6. Available as `services.knot-resolver`. A module for knot-resolver 5 was already available as `services.kresd`.
- [knot-resolver](https://www.knot-resolver.cz/), in version 6. Available as [services.knot-resolver](#opt-services.knot-resolver.enable). A module for knot-resolver 5 was already available as [services.kresd](#opt-services.kresd.enable).
- [ImmichFrame](https://immichframe.dev/), display your photos from Immich as a digital photo frame. Available as `services.immichframe`.
- [ImmichFrame](https://immichframe.dev/), display your photos from Immich as a digital photo frame. Available as [services.immichframe](#opt-services.immichframe.enable).
- [PdfDing](https://www.pdfding.com/), manage, view and edit your PDFs seamlessly on all your devices wherever you are. Available as [services.pdfding](#opt-services.pdfding.enable).
@@ -79,7 +84,7 @@
- [reaction](https://reaction.ppom.me/), a daemon that scans program outputs for repeated patterns, and takes action. A common usage is to scan ssh and webserver logs, and to ban hosts that cause multiple authentication errors. A modern alternative to fail2ban. Available as [services.reaction](#opt-services.reaction.enable).
- [vinyl-cache](https://vinyl-cache.org) as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old `services.varnish` module is still available.
- [vinyl-cache](https://vinyl-cache.org) as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old [services.varnish](#opt-services.varnish.enable) module is still available.
- [papra](https://papra.app/), an open-source document management platform designed to help you organize, secure, and archive your files effortlessly. Available as [services.papra](#opt-services.papra.enable).
@@ -103,7 +108,7 @@
- [bentopdf](https://github.com/alam00000/bentopdf), a privacy-first PDF toolkit running completely in-browser. Available as [services.bentopdf](#opt-services.bentopdf.enable).
- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as `services.hyprwhspr-rs`.
- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as [services.hyprwhspr-rs](#opt-services.hyprwhspr-rs.enable).
- [DankMaterialShell](https://danklinux.com), a complete desktop shell for Wayland compositors built with Quickshell. Available as [programs.dms-shell](#opt-programs.dms-shell.enable).
@@ -131,19 +136,19 @@
- [Dawarich](https://dawarich.app/), a self-hostable location history tracker. Available as [services.dawarich](#opt-services.dawarich.enable).
- [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux.
- [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux. Available as [services.howdy](#opt-services.howdy.enable)
- [SuiteNumérique Drive](https://github.com/suitenumerique/drive), a collaborative file sharing and document management platform that scales. Built with Django and React. Open source alternative to Sharepoint or Google Drive.
- [SuiteNumérique Drive](https://github.com/suitenumerique/drive), a collaborative file sharing and document management platform that scales. Built with Django and React. Open source alternative to Sharepoint or Google Drive. Available as [services.lasuite-drive](#opt-services.lasuite-drive.enable).
- [linux-enable-ir-emitter](https://github.com/EmixamPP/linux-enable-ir-emitter), a tool used to set up IR cameras, used with Howdy.
- [linux-enable-ir-emitter](https://github.com/EmixamPP/linux-enable-ir-emitter), a tool used to set up IR cameras, used with Howdy. Available as [services.linux-enable-ir-emitter](#opt-services.linux-enable-ir-emitter.enable).
- [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as `services.udp-over-tcp`.
- [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as [](#opt-services.udp-over-tcp.udp2tcp) and [](#opt-services.udp-over-tcp.tcp2udp).
- [turborepo-remote-cache](https://ducktors.github.io/turborepo-remote-cache/), an open-source implementation of the [Turborepo custom remote cache server](https://turbo.build/repo/docs/core-concepts/remote-caching#self-hosting). Available as [services.turborepo-remote-cache](#opt-services.turborepo-remote-cache.enable).
- [RSSHub](https://github.com/DIYgod/RSSHub), a service to convert many sources into rss. Available as `services.rsshub`.
- [RSSHub](https://github.com/DIYgod/RSSHub), a service to convert many sources into rss. Available as [services.rsshub](#opt-services.rsshub.enable).
- [ReFrame](https://github.com/AlynxZhou/reframe), a DRM/KMS based remote desktop for Linux that supports Wayland/NVIDIA/headless/login.
- [ReFrame](https://github.com/AlynxZhou/reframe), a DRM/KMS based remote desktop for Linux that supports Wayland/NVIDIA/headless/login. Available as [services.reframe](#opt-services.reframe.enable)
- [Komodo Periphery](https://github.com/moghtech/komodo), a multi-server Docker and Git deployment agent by Komodo. Available as [services.komodo-periphery](#opt-services.komodo-periphery.enable).
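Review bot: the replacement lines for Howdy ("Available as [services.howdy](#opt-services.howdy.enable)") and ReFrame ("Available as [services.reframe](#opt-services.reframe.enable)") drop the trailing period that every other entry in this list ends with; add it so the list renders consistently.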
@@ -159,7 +164,7 @@
- [Headplane](https://headplane.net), a feature-complete Web UI for Headscale. Available as [services.headplane](#opt-services.headplane.enable).
- [whois](https://packages.qa.debian.org/w/whois.html), an intelligent WHOIS client. Available as `programs.whois`.
- [whois](https://packages.qa.debian.org/w/whois.html), an intelligent WHOIS client. Available as [programs.whois](#opt-programs.whois.enable).
- [porxie](https://codeberg.org/Blooym/porxie), a correct and efficient ATProto blob proxy for secure content delivery. Available as [services.porxie](#opt-services.porxie.enable).
@@ -169,6 +174,25 @@
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- [](#opt-services.openssh.settings.AcceptEnv) is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
- The default packages in [](#opt-services.jenkins.packages) have been dropped, since not every Jenkins installation needs any package at all. It's more reasonable to leave it empty and let users configure what they need.
- [services.taskchampion-sync-server](#opt-services.taskchampion-sync-server.enable) module has had an option [](#opt-services.taskchampion-sync-server.dynamicUser) added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
- The [programs.captive-browser](#opt-programs.captive-browser.enable) module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to [GHSA-wc3r-c66x-8xmc](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc) (CVE-2026-25740). If you're using this module, you must either configure [](#opt-programs.captive-browser.dhcp-dns) manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.
- The [services.yggdrasil](#opt-services.yggdrasil.enable) module has been refactored with the following breaking changes:
- The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via [](#opt-services.yggdrasil.settings).
- The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use [](#opt-services.yggdrasil.settings.PrivateKeyPath) to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
- Storing `PrivateKey` directly in `settings` is now explicitly forbidden to prevent keys from being stored world-readable in the Nix store.
- If you previously used `configFile`, migrate your configuration to the `settings` option and extract the private key to a separate file referenced by `PrivateKeyPath`.
- If you previously used `persistentKeys`, convert your keys to PEM format and store them in a secure location accessible only to root, then reference them via `PrivateKeyPath`.
- [services.xserver](#opt-services.xserver.enable) will now throw an error if an X11 driver specified in `videoDriver(s)` cannot be found. Previously, unknown drivers would be silently ignored.
- The [](#opt-services.avahi.wideArea) option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g).
- `systemd.coredump.extraConfig` has been removed in favor of the structured [](#opt-systemd.coredump.settings.Coredump) option. Use `systemd.coredump.settings.Coredump` to set any `coredump.conf(5)` option directly. For example, replace `systemd.coredump.extraConfig = "Storage=journal";` with `systemd.coredump.settings.Coredump.Storage = "journal";`.
- `services.home-assistant.config.lovelace.mode` has been renamed to `lovelace.dashboards` and `lovelace.resource_mode` to match the [configuration format](https://www.home-assistant.io/dashboards/dashboards/) required by Home Assistant 2026.8. Users who explicitly set `lovelace.mode` should remove it; the module generates the correct entries automatically.
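Review bot: in the taskchampion-sync-server entry, "If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true`" reads as if it applied to every system, while the preceding sentence says it is already on for stateVersion at least 26.05; state that the manual step (and the move of `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`) is for systems with an older stateVersion that want DynamicUser.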
@@ -186,9 +210,9 @@
- `services.crabfit` was removed because its upstream packages are unmaintained and insecure.
- `services.opensnitch.settings.Rules.Path` now defaults to `/var/lib/opensnitch/rules` instead of the previous `/etc/opensnitchd/rules` because it contains mutable data.
- [services.opensnitch.settings.Rules.Path](#opt-services.opensnitch.settings.Rules.Path) now defaults to `/var/lib/opensnitch/rules` instead of the previous `/etc/opensnitchd/rules` because it contains mutable data.
- `services.mosquitto` now generates per-listener authentication and access control via the upstream `password-file` and `acl-file` plugins instead of the deprecated `password_file` and `acl_file` options. The plugins contain the same code, so behaviour is unchanged, but [](#opt-services.mosquitto.package) must now be at least version 2.1.
- [services.mosquitto](#opt-services.mosquitto.enable) now generates per-listener authentication and access control via the upstream `password-file` and `acl-file` plugins instead of the deprecated `password_file` and `acl_file` options. The plugins contain the same code, so behaviour is unchanged, but [](#opt-services.mosquitto.package) must now be at least version 2.1.
- `sing-box` has been updated to 1.13.0, which has removed some deprecated options. See [upstream documentation](https://sing-box.sagernet.org/configuration/) for details and migration options.
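Review bot: the opensnitch entry says the rules path now defaults to `/var/lib/opensnitch/rules` but not whether rules already present in `/etc/opensnitchd/rules` are picked up or have to be moved by hand; add that, so users do not lose their rules on upgrade.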
@@ -209,7 +233,7 @@
- `linux_hardened` kernel has been removed due to a lack of maintenance.
- `services.tandoor-recipes` now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See [Migrating media files for pre 26.05 installations](#module-services-tandoor-recipes-migrating-media).
- [services.tandoor-recipes](#opt-services.tandoor-recipes.enable) now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See [Migrating media files for pre 26.05 installations](#module-services-tandoor-recipes-migrating-media).
- `linux-rt` kernel has been removed due to a lack of maintenance.
@@ -221,10 +245,10 @@
- `services.uptime` has been removed because the package it relies on does not exist anymore in nixpkgs.
- `services.mattermost` now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module.
- [services.mattermost](#opt-services.mattermost.enable) now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module.
See the [migration steps](https://docs.mattermost.com/deployment-guide/manual-postgres-migration.html) if you were not running Postgres.
Note that version 11 also restricts the user limit to 250 [by default](https://forum.mattermost.com/t/clarification-request-on-user-limits-max-250-user-server-v-11/25309);
see the `pkgs.mattermost` removeUserLimit and removeFreeBadge options combined with `services.mattermost.package` to change this behavior. For example:
see the `pkgs.mattermost` removeUserLimit and removeFreeBadge options combined with [](#opt-services.mattermost.package) to change this behavior. For example:
```nix
{
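Review bot: the replaced mattermost line still leaves removeUserLimit and removeFreeBadge in plain text while `pkgs.mattermost` is in code font; put both override arguments in backticks so they read as identifiers.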
@@ -237,10 +261,10 @@
- `post-resume.target` has been removed. See {manpage}`systemd.special(7)` about `sleep.target` for instructions on ordering a process after resume with `ExecStop=`.
- `services.vsftpd` no longer automatically configures a PAM module. This means configurations using `services.vsftpd.localUsers` will no longer work unless `services.vsftpd.enableVirtualUsers` and `services.vsftpd.userDbPath` are also configured. The old behaviour can be restored by setting `security.pam.services.vsftpd.enable = true`, although this only ever worked by accident and may not be secure.
- [services.vsftpd](#opt-services.vsftpd.enable) no longer automatically configures a PAM module. This means configurations using [](#opt-services.vsftpd.localUsers) will no longer work unless [](#opt-services.vsftpd.enableVirtualUsers) and [](#opt-services.vsftpd.userDbPath) are also configured. The old behaviour can be restored by setting `security.pam.services.vsftpd.enable = true`, although this only ever worked by accident and may not be secure.
- `services.kubernetes.addons.dns.coredns` has been renamed to `services.kubernetes.addons.dns.corednsImage` and now expects a
package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with dockerTools.buildImage is used, instead
- `services.kubernetes.addons.dns.coredns` has been renamed to [](#opt-services.kubernetes.addons.dns.corednsImage) and now expects a
package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with `dockerTools.buildImage` is used, instead
of pulling the upstream container image from Docker Hub. If you want the old behavior, you can set:
```nix
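Review bot: in the replacement coredns line, `dockerTools.buildImage` gained code formatting but "nixpkgs.coredns" did not; format it the same way, and `pkgs.coredns` is the usual way to name the package.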
@@ -254,7 +278,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
}
```
- `services.stalwart-mail` has been renamed to `services.stalwart` to align with upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to module:
- `services.stalwart-mail` has been renamed to [`services.stalwart`](#opt-services.stalwart.enable) to align with upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to module:
- Addition of module-specific `stateVersion` option, which on existing installations of Stalwart must be set to the same as `system.stateVersion`.
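Review bot: in the replacement stalwart line, "Other notable breaking changes to module:" should read "to the module:".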
@@ -264,9 +288,9 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
- Default value for `services.stalwart.dataDir` has changed to `/var/lib/stalwart`. If `stateVersion` is older than `26.05`, will fallback to legacy value of `/var/lib/stalwart-mail`.
- Default tracer name and type have changed to `journal`. If `stateVersion` is older than `26.05`, will fallback to legacy value of `stdout`.
- `services.eintopf` has been renamed to `services.lauti` to align with upstream re-brand as a community online calendar.
- `services.eintopf` has been renamed to [services.lauti](#opt-services.lauti.enable) to align with upstream re-brand as a community online calendar.
- `services.oauth2-proxy.clientSecret` and `services.oauth2-proxy.cookie.secret` have been replaced with `services.oauth2-proxy.clientSecretFile` and `services.oauth2-proxy.cookie.secretFile` respectively. This was done to ensure secrets don't get made world-readable.
- `services.oauth2-proxy.clientSecret` and `services.oauth2-proxy.cookie.secret` have been replaced with [](#opt-services.oauth2-proxy.clientSecretFile) and [](#opt-services.oauth2-proxy.cookie.secretFile) respectively. This was done to ensure secrets don't get made world-readable.
- [`services.grafana.settings.security.secret_key`](#opt-services.grafana.settings.security.secret_key) doesn't have a
default value anymore. Please generate your own key or hard-code the old one ("SW2YcwTIb9zpOOhoPsMm") explicitly.
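Review bot: the grafana entry at the end of this hunk presents hard-coding the old default secret_key ("SW2YcwTIb9zpOOhoPsMm") as an alternative equal to generating a new one; since that value shipped as a nixpkgs default it is public, so the entry should describe keeping it only as a stop-gap for existing installs and recommend generating a fresh key. Also, "will fallback to" in the stalwart dataDir and tracer lines should be "will fall back to".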
@@ -286,18 +310,11 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
- Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.
- `services.headplane` has been updated to 0.6.2, which introduces several changes to the configuration schema:
- `services.headplane.settings.oidc.redirect_uri` is deprecated. Use `services.headplane.settings.server.base_url` instead; the OIDC redirect URI is now automatically derived from it. Ensure `base_url` is the bare host URL without the `/admin` suffix.
- `services.headplane.settings.oidc.user_storage_file` is deprecated. Headplane 0.6.2 still accepts it to migrate the old JSON user database into the new internal SQL database.
- `services.headplane.settings.oidc.strict_validation` is deprecated and has no effect.
- `services.headplane.settings.oidc.token_endpoint_auth_method` now defaults to `null` (auto-detection), which typically falls back to `client_secret_basic`. Previous versions defaulted to `client_secret_post`.
- `services.headplane.settings.integration.agent.cache_ttl` is deprecated and has no effect in 0.6.2.
- `services.immich` no longer supports pgvecto.rs since the package has been removed from nixpkgs.
- [services.immich](#opt-services.immich.enable) no longer supports pgvecto.rs since the package has been removed from nixpkgs.
As a result, options `services.immich.database.enableVectors` and `services.immich.database.enableVectorchord` have been removed, and VectorChord is now always used.
If you have not completed the migration yet, ensure you completely remove the extension from your database before upgrading by following the [migration guide](https://github.com/NixOS/nixpkgs/blob/nixos-25.11/nixos/modules/services/web-apps/immich.md#migrating-from-pgvecto-rs-to-vectorchord-pre-2511-installations-module-services-immich-vectorchord-migration).
- `services.cgit` before always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable `services.cgit.gitHttpBackend.checkExportOkFiles` (or disable the git-http-backend).
- [](#opt-services.cgit) before always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable `opt-services.cgit.<name>.gitHttpBackend.checkExportOkFiles` (or disable the git-http-backend).
- `rocmPackages_6` has been removed. `rocmPackages` has been updated to ROCm 7.x. Out of tree packages may rely on obsolete hipblas APIs or compile time constant warp size and need to be updated.
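Review bot: in the replacement cgit line, the code span `opt-services.cgit.<name>.gitHttpBackend.checkExportOkFiles` has the anchor prefix `opt-` leaking into the option name; it should read `services.cgit.<name>.gitHttpBackend.checkExportOkFiles`, with `opt-` only in a link target. The empty-text link `[](#opt-services.cgit)` also loses the visible option name that the old line carried in backticks.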
@@ -307,9 +324,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
- The Bash implementation of the `nixos-rebuild` program is removed. All switchable systems now use the Python rewrite. Any prior usage of `system.rebuild.enableNg` must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.
- `services.desktopManager.gnome` no longer installs the Geary e-mail client since it is not part of the GNOME [core applications](https://apps.gnome.org/) list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add `programs.geary.enable = true;` to your configuration.
- MATE packages have been moved to top level (e.g. if you previously added `pkgs.mate.caja` to `environment.systemPackages`, you will need to change it to `pkgs.caja`).
- [services.desktopManager.gnome](#opt-services.desktopManager.gnome.enable) no longer installs the Geary e-mail client since it is not part of the GNOME [core applications](https://apps.gnome.org/) list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add `programs.geary.enable = true;` to your configuration.
- `walker` has been updated to 2.0.0+, which is a complete rewrite in rust.
@@ -321,7 +336,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
- Support for `reiserfs` in nixpkgs has been removed, following the removal in Linux 6.13.
- `services.tor` no longer bind mounts Unix sockets of onion services into its chroot
- [services.tor](#opt-services.tor.enable) no longer bind mounts Unix sockets of onion services into its chroot
because it was not reliable. Users should do it themselves using either `JoinsNamespaceOf=` and Unix sockets in `/tmp`
or `BindPaths=` from a persistent parent directory of each Unix socket.
See <https://github.com/NixOS/nixpkgs/issues/481673>.
@@ -330,14 +345,14 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
- `services.xserver.cmt` has been removed as the `xf86-input-cmt` package was broken and unmaintained upstream.
- `programs.light` was removed from nixpkgs due to the corresponding package being unmaintained upstream. `brightnessctl` and `programs.acpilight` offer replacements.
- `programs.light` was removed from nixpkgs due to the corresponding package being unmaintained upstream. `brightnessctl` and [hardware.acpilight](#opt-hardware.acpilight.enable) offer replacements.
- `ceph` has been upgraded to v20. See the [Ceph "tentacle" release notes](https://docs.ceph.com/en/latest/releases/tentacle/#v20-2-0-tentacle) for details and recommended upgrade procedure.
Note that **upgrades of server-side components are one-way**, and downgrading e.g. an OSD from *Tentacle* to *Squid* is not just not supported but is known to break.
- `services.unifi`'s `jrePackage` option now defaults to `jdk25_headless` instead of `jdk17_headless`, in order to be compatible with new versions of `unifi`.
- [](#opt-services.unifi.jrePackage) now defaults to `jdk25_headless` instead of `jdk17_headless`, in order to be compatible with new versions of `unifi`.
- The `networking.wireless` module has been security hardened by default: the `wpa_supplicant` daemon now runs under an unprivileged user with restricted access to the system.
- The [networking.wireless](#opt-networking.wireless.enable) module has been security hardened by default: the `wpa_supplicant` daemon now runs under an unprivileged user with restricted access to the system.
As part of these changes, `/etc/wpa_supplicant.conf` has been deprecated: the NixOS-generated configuration file is now linked to `/etc/wpa_supplicant/nixos.conf` and `/etc/wpa_supplicant/imperative.conf` has been added for imperatively configuring `wpa_supplicant` or when using [allowAuxiliaryImperativeNetworks](#opt-networking.wireless.allowAuxiliaryImperativeNetworks).
@@ -357,30 +372,20 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
- In both "networkd" and "scripted" backends, the configuration of name servers is now part of `network-local-commands.service` (fixes issue [#445496](https://github.com/NixOS/nixpkgs/issues/445496)).
- The issue that resulted in a completely unconfigured network if both `resolvconf` was disabled and no default gateway configured, has also been fixed.
- `kratos` has been updated from 1.3.1 to [25.4.0](https://github.com/ory/kratos/releases/tag/v25.4.0). Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:
- The `migrate sql` CLI command is now `migrate sql up`
- OIDC registration validation errors are now placed in the `default` node group instead of `oidc`
- `pdns` has been updated to version [v5.0.x](https://doc.powerdns.com/authoritative/changelog/5.0.html), which introduces breaking changes. Check out the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-5-0-0) for details.
- In the PowerDNS Recursor module, following the deprecation period started with NixOS 25.05, the option {option}`services.pdns-recursor.old-settings` has been removed and {option}`services.pdns-recursor.yaml-settings` consequently renamed to [](#opt-services.pdns-recursor.settings).
- `services.angrr` now uses TOML for configuration. Define policies with `services.angrr.settings` (generate TOML file) or point to a file using `services.angrr.configFile`. The legacy options `services.angrr.period`, `services.angrr.ownedOnly`, and `services.angrr.removeRoot` have been removed. See `man 5 angrr` and the description of `services.angrr.settings` options for examples and details.
- [services.angrr](#opt-services.angrr.enable) now uses TOML for configuration. Define policies with [](#opt-services.angrr.settings) (generate TOML file) or point to a file using [](#opt-services.angrr.configFile). The legacy options `services.angrr.period`, `services.angrr.ownedOnly`, and `services.angrr.removeRoot` have been removed. See `man 5 angrr` and the description of [](#opt-services.angrr.settings) options for examples and details.
- `services.homepage-dashboard.environmentFile` has been renamed to `services.homepage-dashboard.environmentFiles`, and now expects a list of strings.
- `services.homepage-dashboard.environmentFile` has been renamed to [](#opt-services.homepage-dashboard.environmentFiles), and now expects a list of strings.
- `services.pingvin-share` has been removed as the `pingvin-share.backend` package was broken and the project was archived upstream.
- `geph` package's built-in GUI `geph5-client-gui` has been [removed](https://github.com/geph-official/geph5/commit/f2221fb8386312daf2cef05483ebb353ff48bdb4) by the upstream. All users who wish to continue using the GUI should install the `gephgui-wry`, which is consistent with the official release version.
- `services.jellyseerr` has been renamed to `services.seerr` following the upstream changes. Notable breaking changes:
- `services.jellyseerr` has been renamed to [services.seerr](#opt-services.seerr.enable) following the upstream changes. Notable breaking changes:
- systemd service name changed accordingly.
- Default config directory moved from `/var/lib/jellyseerr/config` to `/var/lib/seerr/`.
- If `stateVersion` is older than `26.05`, the module fall backs to the legacy path value.
- `services.vikunja` has been updated to Vikunja [v1.0.0](https://vikunja.io/changelog/whats-new-in-vikunja-1.0.0/), which introduces multiple breaking changes.
- [services.vikunja](#opt-services.vikunja.enable) has been updated to Vikunja [v1.0.0](https://vikunja.io/changelog/whats-new-in-vikunja-1.0.0/), which introduces multiple breaking changes.
Notable breaking changes:
- CORS is enabled by default. The module now sets
`services.vikunja.settings.service.publicurl` by default. Custom overrides must ensure it is
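Review bot: in the seerr sub-list, "the module fall backs to the legacy path value" should read "falls back to".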
@@ -391,16 +396,11 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
- SQLite paths are now relative to `service.rootpath` unless absolute. Startup now validates file
storage and OAuth providers.
- `xfsprogs` was updated to version 6.18.0, which enables parent pointers and exchange-range by default. Upstream recommends not to use these features with kernels older than 6.18.
GRUB2 is likely unable to boot from filesystems with these features enabled.
- `services.xtreemfs` has been removed as the `xtreemfs` package was broken and unmaintained upstream.
- `lunarvim` package has been removed, as it was abandoned upstream and relied on an old version of `neovim` to work properly.
- `opengfw` package and `services.opengfw` module have been removed as the upstream GitHub repository and website have been shut down.
- `services.esphome` no longer uses `DynamicUser`. The service now runs as a static `esphome` system user. systemd handles the migration from `/var/lib/private/esphome` automatically, but users with [impermanence](https://github.com/nix-community/impermanence) setups should ensure `/var/lib/esphome` is persisted.
- [services.esphome](#opt-services.esphome.enable) no longer uses `DynamicUser`. The service now runs as a static `esphome` system user. systemd handles the migration from `/var/lib/private/esphome` automatically, but users with [impermanence](https://github.com/nix-community/impermanence) setups should ensure `/var/lib/esphome` is persisted.
- `programs.pqos-wrapper` module has been deleted as the corresponding package has been dropped from nixpkgs.
@@ -410,6 +410,10 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.
- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
- `switch-to-configuration` now reloads a service instead of restarting it when the only change to its unit is `ExecReload=`, and takes no action when `ExecReload=` is removed. Previously both cases triggered a restart.
- [`hardware.nvidia.branch`](#opt-hardware.nvidia.branch) was added to select the NVIDIA driver branch; setting [`hardware.nvidia.package`](#opt-hardware.nvidia.package) overrides this.
@@ -418,12 +422,10 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
- `nixos/nvidia` now uses EGL external platform ICD libraries built from source (`egl-gbm`, `egl-wayland`, `egl-wayland2`, `egl-x11`) instead of relying on vendor-provided binaries for these components.
- `hardware.nvidia.moduleParams` was added to configure NVIDIA kernel module parameters declaratively. These parameters are now written to `modprobe` configuration instead of being passed through global kernel command-line parameters.
- [](#opt-hardware.nvidia.moduleParams) was added to configure NVIDIA kernel module parameters declaratively. These parameters are now written to `modprobe` configuration instead of being passed through global kernel command-line parameters.
- [hardware.xpadneo](#opt-hardware.xpadneo.enable) now supports configuring kernel module parameters via a freeform [settings](#opt-hardware.xpadneo.settings) option, with convenience options for [rumble attenuation](#opt-hardware.xpadneo.rumbleAttenuation) and [controller quirks](#opt-hardware.xpadneo.quirks).
- Wine has been updated to the 11.0 branch. Please check the [upstream announcement](https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0) for more details.
- `security.acme` now defaults to a dynamic renewal duration, if
remains unset. This accommodates certificates with different ACME profile:
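Review bot: the `security.acme` entry at the end of this hunk is missing the name of the option in "now defaults to a dynamic renewal duration, if remains unset"; name the option that has to stay unset for the dynamic duration to apply.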
@@ -433,44 +435,37 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
- For shortlived certificates with a total validity below 10 days renewal
will happen after half of the total lifetime has passed
- The module for the Dovecot IMAP server, *services.dovecot*, now uses RFC-42-style settings, exposing a structured interface to write the configuration file.
- The module for the Dovecot IMAP server, [services.dovecot2](#opt-services.dovecot2.enable), now uses RFC-42-style settings, exposing a structured interface to write the configuration file.
Also see the list of available settings for [Dovecot 2.3](https://doc.dovecot.org/2.3/settings/core/) or [2.4](https://doc.dovecot.org/2.4.2/core/summaries/settings.html).
- Cinnamon has been updated to 6.6, please check the [upstream announcement](https://www.linuxmint.com/rel_zena_whatsnew.php) for more details.
- [](#opt-fonts.fontconfig.useEmbeddedBitmaps) is now set to `true` by default.
- Rspamd has been updated to 4.0. Please check the upstream [migration](https://docs.rspamd.com/tutorials/migration/#migration-to-rspamd-400) documentation, especially if you run a sharded Redis deployment.
- Budgie has been updated to 10.10, please check the [upstream announcement](https://buddiesofbudgie.org/blog/budgie-10-10-released) for more details.
- `fonts.fontconfig.useEmbeddedBitmaps` is now set to `true` by default.
- `stestrCheckHook` was added: This test hook runs `stestr run`. You can disable tests with `disabledTests` and `disabledTestsRegex`.
- `services.frp` now supports multiple instances through `services.frp.instances` to make it possible to run multiple frp clients or servers at the same time.
- `hyphen` now supports over 40 language variants through `hyphenDicts` and now allows to enable all supported languages through `hyphenDicts.all`.
- [services.frp](#opt-services.frp.instances) now supports multiple instances through [](#opt-services.frp.instances) to make it possible to run multiple frp clients or servers at the same time.
- [services.resolved](#opt-services.resolved.enable) module was converted to RFC42-style settings. The moved options have also been renamed to match the upstream names. Aliases mean current configs will continue to function, but users should move to the new options as convenient.
- `systemd.sleep.extraConfig` was replaced by [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)-compliant `systemd.sleep.settings.Sleep`, which is used to generate the `sleep.conf` configuration file. See {manpage}`sleep.conf.d(5)` for available options.
- `systemd.sleep.extraConfig` was replaced by [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)-compliant [](#opt-systemd.sleep.settings.Sleep), which is used to generate the `sleep.conf` configuration file. See {manpage}`sleep.conf.d(5)` for available options.
- Support for Bluetooth audio based on `bluez-alsa` has been added to the `hardware.alsa` module. It can be enabled with the new [enableBluetooth](#opt-hardware.alsa.enableBluetooth) option.
- `services.atuin` now has an `environmentFile` option to safely allow configuring secrets, such as an `ATUIN_DB_URI` containing a Postgres password.
- Support for Bluetooth audio based on `bluez-alsa` has been added to the [hardware.alsa](#opt-hardware.alsa.enable) module. It can be enabled with the new [enableBluetooth](#opt-hardware.alsa.enableBluetooth) option.
- [services.atuin](#opt-services.atuin.enable) now has an `environmentFile` option to safely allow configuring secrets, such as an `ATUIN_DB_URI` containing a Postgres password.
- `systemd.network.*` has been updated to support all configuration options from upstream `networkd` version 259.
- `networking.resolvconf.enable` now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`. If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.
- [](#opt-networking.resolvconf.enable) now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`. If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.
- `services.openssh` now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving `services.openssh.enable` disabled. This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.
- The [services.drupal](#opt-services.drupal.enable) module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and some new settings for managing variable content and filepaths.
- `services.openssh.enableRecommendedAlgorithms` has been added to allow users to opt out of NixOS's curated set of recommended algorithms. This set to true by default, and thus is not a breaking change. Users may want to set this to false if they prefer upstream's default algorithms. See <https://github.com/NixOS/nixpkgs/pull/471330>.
- [services.openssh](#opt-services.openssh.enable) now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving [](#opt-services.openssh.enable) disabled. This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.
- `services.openssh.banner` has been removed. Use `services.openssh.settings.Banner` instead.
- [](#opt-services.openssh.enableRecommendedAlgorithms) has been added to allow users to opt out of NixOS's curated set of recommended algorithms. This set to true by default, and thus is not a breaking change. Users may want to set this to false if they prefer upstream's default algorithms. See <https://github.com/NixOS/nixpkgs/pull/471330>.
- IPVLAN interfaces can now be configured through the `networking.ipvlans` option in the networking module.
- `services.openssh.banner` has been removed. Use [](#opt-services.openssh.settings.Banner) instead.
- `services.caddy` now supports setting `httpPort` and `httpsPort` and opening them in the firewall via `openFirewall`.
- IPVLAN interfacescan now be configured through the [](#opt-networking.ipvlans) option in the networking module.
- [services.caddy](#opt-services.caddy.enable) now supports setting [](#opt-services.caddy.httpPort) and [](#opt-services.caddy.httpsPort) and opening them in the firewall via [](#opt-services.caddy.openFirewall).
- The latest available version of Nextcloud is v33 (available as `pkgs.nextcloud33`). The installation logic is as follows:
- If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
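Review bot: Two typos in the rewritten entries of this hunk. The `services.openssh.enableRecommendedAlgorithms` line (both the backtick and the link-anchor variant) reads "This set to true by default"; it should read "This is set to true by default". The link-anchor variant of the IPVLAN line reads "IPVLAN interfacescan now be configured" and is missing a space: "IPVLAN interfaces can now be configured".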
@@ -483,59 +478,19 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`.
If you set custom Caddy options for a InvoicePlane site, migrate these options by removing `http://` from `services.caddy.virtualHosts."http://example.com"`.
- `services.slurm` now supports slurmrestd usage through the `services.slurm.rest` NixOS options.
- `services.slurm` now supports slurmrestd usage through the [](#opt-services.slurm.rest.enable) NixOS options.
- The `networking.firewall.logRefusedConnections` option now defaults to
- The [](#opt-networking.firewall.logRefusedConnections) option now defaults to
`false`. Logging of refused or dropped incoming connections can generate a
very high volume of kernel log messages on internet-facing systems, causing
the kernel ring buffer (dmesg) to rotate quickly and potentially discard more
relevant diagnostic information.
- The `services.calibre-web` systemd service has been hardened with additional sandboxing restrictions.
- The [services.calibre-web](#opt-services.calibre-web.enable) systemd service has been hardened with additional sandboxing restrictions.
- `services.kanidm` options for server, client and unix were moved under dedicated namespaces.
For each component `enableComponent` and `componentSettings` are now `component.enable` and
`component.settings`. The unix module now supports using SSH keys from Kanidm via
`services.kanidm.unix.sshIntegration = true`.
- `mdbook-linkcheck` has been removed as it is unmaintained and incompatible with the latest version of `mdbook`. Users can instead migrate to `mdbook-linkcheck2`.
- `glibc` has been updated to version 2.42.
This version no longer makes the stack executable when a shared library requires this. A symptom
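Review bot: Grammar in the Caddy/InvoicePlane migration text: "for a InvoicePlane site" should be "for an InvoicePlane site". For the `networking.firewall.logRefusedConnections` entry, the rationale for flipping the default (kernel ring buffer churn on internet-facing hosts) is good; consider adding one sentence telling users who rely on those log lines for monitoring to set the option to `true` explicitly, since the default change silently removes that signal.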
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-Create the first release note entry in this section!
-[tranquil](https://tangled.org/tranquil.farm/tranquil-pds) is an ATProto PDS (personal data server) implementation in Rust. A featureful, spec conscious and community driven alternative to the Bluesky reference implementation PDS. Available as [services.tranquil-pds](#opt-services.tranquil-pds.enable).
- [FlapAlerted](https://github.com/Kioubit/FlapAlerted), detects BGP flapping events and provides statistics based on BGP update messages. Available as [services.flap-alerted](#opt-services.flap-alerted.enable).
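Review bot: The tranquil entry's second sentence ("A featureful, spec conscious and community driven alternative to the Bluesky reference implementation PDS.") is a fragment with no verb; suggest folding it into the first sentence and hyphenating the compound modifiers: "... is an ATProto PDS (personal data server) implementation in Rust, a featureful, spec-conscious and community-driven alternative to the Bluesky reference implementation PDS." The FlapAlerted entry has a stray comma after the link ("FlapAlerted, detects BGP flapping events"); drop it.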
-`boot.vesa` has been removed. It was deprecated in 2020 because Xorg now works better with kernel modesetting. If you still need the legacy VESA 800x600 fallback, set `boot.kernelParams = [ "vga=0x317" "nomodeset" ];` directly.
- Support for the legacy U‐Boot image format has been removed from the initrd generators, as it is deprecated upstream and no longer used by any platform in Nixpkgs.
- Python 2 has been removed from the top-level package set, as it is long past end-of-life. The `python2`, `python27`, `python2Full`, `python27Full`, `python2Packages`, and `python27Packages` attributes, along with the legacy `python`, `pythonFull`, and `pythonPackages` aliases, now throw an error directing you to `python3`. The `isPy2` and `isPy27` package flags have been removed accordingly. The only remaining Python 2 interpreter is vendored inside the `resholve` package for its `oil` dependency and is not exposed for general use.
-`systemd.user.extraConfig` has been removed in favor of the structured [](#opt-systemd.user.settings.Manager) option. Use `systemd.user.settings.Manager` to set any `systemd-user.conf(5)` option directly. For example, replace `systemd.user.extraConfig = "DefaultTimeoutStartSec=60";` with `systemd.user.settings.Manager.DefaultTimeoutStartSec = 60;`.
-`services.timesyncd.extraConfig` has been removed in favor of the structured [](#opt-services.timesyncd.settings.Time) option. Use `services.timesyncd.settings.Time` to set any `timesyncd.conf(5)` option directly. For example, replace `services.timesyncd.extraConfig = "PollIntervalMaxSec=180";` with `services.timesyncd.settings.Time.PollIntervalMaxSec = 180;`.
## Other Notable Changes {#sec-release-26.11-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-Create the first release note entry in this section!
-`boot.loader.systemd-boot` gained support for [Automatic Boot Assessment](https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT/) via the new [`boot.loader.systemd-boot.bootCounting`](#opt-boot.loader.systemd-boot.bootCounting.enable) options, allowing automatic detection of and recovery from bad NixOS generations. As part of this change, boot loader entries on the ESP/XBOOTLDR partition are now named `nixos-<content-hash>.conf` instead of `nixos-generation-<n>.conf`; existing entries are migrated automatically on the next `nixos-rebuild boot`/`switch`.
- The `newuidmap` and `newgidmap` security wrappers are now installed with `cap_setuid`/`cap_setgid` file capabilities instead of the setuid-root bit, matching shadow's `--with-fcaps` install mode and other major distributions. Rootless containers (podman, docker-rootless, unprivileged user namespaces) are unaffected. The only behavioural change is that mapping host uid 0 via `/etc/subuid` (which NixOS never configures by default) additionally requires `cap_setfcap`; users who explicitly grant uid 0 in a subuid range can restore the previous behaviour with `security.wrappers.newuidmap.capabilities = lib.mkForce "cap_setuid,cap_setfcap+ep";`.
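Review bot: The newuidmap/newgidmap entry gives the override for restoring the old uid 0 mapping behaviour (`security.wrappers.newuidmap.capabilities = lib.mkForce "cap_setuid,cap_setfcap+ep";`) but only for `newuidmap`, while the same change is described for `newgidmap`; state whether a matching `security.wrappers.newgidmap.capabilities` override is needed for gid 0 ranges, and name the new default capability string so readers can see exactly what `mkForce` replaces. It would also help to say explicitly that the binaries are no longer setuid-root, since that reduced privilege is the hardening motivation behind the switch to file capabilities.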
Copy a file to the boot filesystem (XBOOTLDR if in use, otherwise ESP), basing the destination filename on the store path that's being copied from. Return the destination path, relative to the boot filesystem mountpoint.
raiseException("Could not find any previously installed systemd-boot. If you are switching to systemd-boot from a different bootloader, you need to run `nixos-rebuild switch --install-bootloader`")
raiseException(
"Could not find any previously installed systemd-boot. If you are switching to systemd-boot from a different bootloader, you need to run `nixos-rebuild switch --install-bootloader`"
)
ifavailable_matchisNone:
raiseException("could not determine systemd-boot version")
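Review bot: Error message style is inconsistent between the two exception messages shown: "Could not find any previously installed systemd-boot ..." is capitalized, "could not determine systemd-boot version" is not; pick one form. The first message helpfully embeds the exact recovery command (`nixos-rebuild switch --install-bootloader`); the version-detection failure could likewise hint at what the user should check or run so the error is actionable rather than terminal.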