The problem was that Cargo didn't have a way to find a linker for the
build platform which is required to link the build script. So, when
cross compiling we add in the standard build -> build compiler so that
it can compile the build script.
This fix was taken from the ideas of @magicquark and @nwf in
https://github.com/NixOS/nixpkgs/issues/523378.
Fixes#523378
(cherry picked from commit bbe694f8ea)
Two darwin-only issues surfaced when building on x86_64-darwin:
1. The conditional postPatch removed three test files
(ml/backend/ggml/ggml_test.go, ml/nn/pooling/pooling_test.go,
model/models/nemotronh/model_omni_test.go) that no longer exist
in v0.30.5 upstream. The `rm` failed with "No such file or directory"
and aborted patchPhase. Tests in the new paths
(e.g. fs/ggml/ggml_test.go) pass on darwin without removal — verified
via the test phase in this commit's local build.
2. preFixup ran `patchelf --shrink-rpath` unconditionally; patchelf is
ELF-only and darwin's Mach-O dylibs don't carry the build-dir RPATH
problem in the first place. Gated on stdenv.hostPlatform.isLinux.
Verified: nix-build -A ollama on x86_64-darwin (macOS 15.6.1, Sequoia)
lands /nix/store/.../ollama-0.30.5; checkPhase green for all listed
packages including x/models/gemma4; ollama --version reports 0.30.5.
Assisted-by: Claude Opus 4.7 <noreply@anthropic.com>
(cherry picked from commit bba51cb247)
Upstream patch release; notably fixes a divide-by-zero crash in
gemma3:12b. Bumps the vendored llama.cpp pin b9493 -> b9509 to match
upstream's LLAMA_CPP_VERSION. Verified ollama-cuda + ollama-vulkan
build on x86_64-linux.
https://github.com/ollama/ollama/releases/tag/v0.30.5
Assisted-by: Claude Opus 4.7 <noreply@anthropic.com>
(cherry picked from commit 0e1071782c)
Two layers were missing for ollama-vulkan after the 0.30.x bump's switch to
per-accelerator runners via ExternalProject_Add:
1. spirv-headers wasn't in nativeBuildInputs, so the parent cmake configure
never even saw `SPIRV-HeadersConfig.cmake`. Add it (header-only — native
is the right slot).
2. The runner sub-builds (`ollama-llama-server-vulkan` et al.) are launched
by `cmake/local.cmake`'s `ExternalProject_Add`, whose child cmake process
inherits env vars but not the parent's `-D` flags. Even after fixing
(1), the child's `find_package(SPIRV-Headers REQUIRED)` at
`ggml-vulkan/CMakeLists.txt:14` couldn't see the config, and once that
was worked around with `CMAKE_PREFIX_PATH` as env, the compile then
failed with `fatal error: spirv/unified1/spirv.hpp` — because
upstream's `target_link_libraries(ggml-vulkan PRIVATE Vulkan::Vulkan)`
notably does NOT link `SPIRV-Headers::SPIRV-Headers`, so the interface
include path the cmake config exports never flows into the compile
commands. Force the include via `NIX_CFLAGS_COMPILE` rather than
patching upstream's CMakeLists across llama.cpp pins.
Verified: `ollama-vulkan` builds end-to-end; `$out/lib/ollama/vulkan/libggml-vulkan.so`
is present (not a silent CPU fallback like the cuda variant suffered in
the first 0.30 attempt).
🤖 Assisted by Claude
(cherry picked from commit 6432d78bff)
Notable upstream build changes folded into this bump:
* llama.cpp moved from in-tree vendoring to CMake FetchContent, pinned
via the `LLAMA_CPP_VERSION` file at the repo root (b9493 here →
llama.cpp commit a731805c). Pre-stage it as `fetchFromGitHub` and
apply Ollama's compat patch in `postPatch` — neither
`cmake/local.cmake` nor `llama/server/CMakeLists.txt` auto-applies
the patch when the source is overridden via
`FETCHCONTENT_SOURCE_DIR_LLAMA_CPP` (the parent's `ExternalProject_Add`
passes `OLLAMA_LLAMA_CPP_SKIP_COMPAT_PATCH=ON` to the child build).
The `apply-patch.cmake` script is idempotent.
* Since 0.30, `cmake/local.cmake` splits the llama.cpp build into
per-runner sub-projects gated by `OLLAMA_LLAMA_BACKENDS`. Without
setting it, only the CPU runner is built — `ollama-cuda` /
`ollama-rocm` / `ollama-vulkan` would all silently fall back to CPU
at runtime, with `libggml-{cuda,hip,vulkan}.so` absent from
`$out/lib/ollama`. Map the package's `acceleration` value to the
cmake backend name the elseif chain accepts:
cuda → cuda_v${cudaMajor} (cuda_v12 / cuda_v13)
rocm → rocm_v${rocmMajor}_${rocmMinor} (rocm_v7_1 / rocm_v7_2)
vulkan → vulkan
* `cmd/launch/*_test.go` are integration tests for user-facing CLI
launchers (claude, qwen, cline, codex, kimi, droid, openclaw,
hermes, …) that install the target binary via npm and exec it on
PATH. Both prerequisites are unavailable in the nix sandbox, so the
launch subpackage's tests can't pass here. Drop them — same
precedent as the existing darwin Metal test removals.
* The llama.cpp sub-build is driven by ExternalProject_Add and does
not inherit the parent's `CMAKE_SKIP_BUILD_RPATH` setting, so its
`.so` payloads end up with build-dir entries in RPATH. Strip with
`patchelf --shrink-rpath --allowed-rpath-prefixes /nix/store` in
preFixup; `$ORIGIN` is preserved unconditionally (non-absolute
entries always allowed) so peer-lib lookup in `$out/lib/ollama`
still works.
Drive-by cleanup: deadnix + statix passes (overrideModAttrs unused
lambda args → `_:_`, `inherit (rocmPackages) stdenv;` /
`inherit (vulkan-tools) stdenv;` for `buildGoModule.override`, drop
unused `coreutils` input — the old launch-test substitutions that
needed coreutils are dropped along with the tests).
Release notes:
https://github.com/ollama/ollama/releases/tag/v0.30.4https://github.com/ollama/ollama/releases/tag/v0.30.0
Assisted-by: Claude Opus 4.7 <noreply@anthropic.com>
(cherry picked from commit 63e0d2d52d)
Otherwise the recursive chown can fail, hence wpa_supplicant doesn't
start, if some read-only file has been bind-mounted into
/etc/wpa_supplicant.
This can happen if one uses `extraConfigFile` to add a file that is
under /etc/wpa_supplicant.
(cherry picked from commit 197a055a02)
polyc linking script hardcodes the linker to be the value of `$CXX` at
compile time. This is bad for environments without `g++` in path. Fix
this by patching the correct path into the script.
Co-Authored-By: Ricardo Correia <someplaceguy@wizy.org>
Co-Authored-By: Ivan Trubach <mr.trubach@icloud.com>
(cherry picked from commit 3a717e7522)
Compilation requires running one of the make build targets, so cross
compilation isn't possible
Also remove old design patterns in favour of newer ones.
(cherry picked from commit 6e36170c0f)
The previous `if ! ( ... )` wrapper put the check body in a context
where bash ignores `set -e`, so a failing command in the middle of a
check would not abort it and the switch would proceed. Run the
subshell outside any conditional and capture $? explicitly instead.
(cherry picked from commit 69dc41f083)
needed so github-desktop's git wrapper (dugite) can find subcommands
like `git-submodule` etc. Retrieve the full list with `ls -l $(nix build
--print-out-paths nixpkgs#git)/libexec/git-core | grep -vE '( -> )?git$'
| awk '{ print $7 }'`.
Fixes#524797
(cherry picked from commit 3fd65b2bc8)
Weblate generates an SSH wrapper with some preset options
that uses the absolute path of the ssh binary internally.
As the wrapper is only regenerated when the generator itself
is changed, this absolute nix store path becomes unusable once
ssh is updated and the path is garbage collected.
As generating the wrappers is a quick operation, simply deleting the wrapper
directory before service start ensures they are up to date.
(cherry picked from commit 9ea977e104)
virtual-machine releases use virtualisation.incus.package to find
where the agent-loader configuration is defined. In practice it's
likely not a problem, but when marking lts v6 on 25.11 as vulnerable
it exposed the mismatch. For correctness we should ensure the VM
tests are using the agent loader from the relevant incus package.
(cherry picked from commit 9bebd86680)
Environment variables to pass to Heroic.
For example:
pkgs.heroic.override {
extraEnv.PROTON_ENABLE_WAYLAND = true;
}
Adds feature parity with `steam` package.
(cherry picked from commit 6b9bf6240f)
Build against the default OCaml (5.4) set instead of the 5.3 pin, using the
module-mode launcher (ocaml-hol). Carries a patch so the pa_j chooser
accepts camlp5 8.05, links findlib into ocaml-hol, and sets up the runtime
OCAMLPATH/CAML_LD_LIBRARY_PATH. Drops the camlp5 8.03.2 downgrade.
(cherry picked from commit 7579aa2942)
camlp5's META requires pcre2 and fmt, but they were only buildInputs, so
findlib consumers of camlp5 could not resolve them. Move them to
propagatedBuildInputs.
(cherry picked from commit 74a82ccd8e)
In 52a23a9 the configuration `data-dir $out/share/aspell` was
introduced to make sure that `aspell --lang=<LANG> create
master ...` finds the LANG.dat file. However, the correct location
for language data files is $out/lib/aspell. This confusion also
broke filter discovery as described in #476684.
This commit fixes the location of language data files.
Note: `aspell --lang=<LANG> create master ...` will fail if the
dictionary has not been installed in the environment via
`aspellWithDicts (dict: [ dict.<LANG> ])` which is expected.
Fixes#476684
(cherry picked from commit e7dd5593e8)
Upstream added versions with -exp-\d suffix which broke the script.
Instead of adding another filter to the current query, let's try getting
the latest stable version instead.
IIRC previously they didn't correctly mark stable releases which is why
we didn't use this method.
(cherry picked from commit 1c03a3fb23)
This came up in Firefox as
https://bugzilla.mozilla.org/show_bug.cgi?id=2042197, where policies
caused different behavior to be active (also see
https://github.com/NixOS/nixpkgs/pull/524793). We should not observe any
such differences, but this indicates that the policy is unnecessary for
disabling the updater.
Tor/Mullvad Browser have supported is-packaged-app for a long time
(https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/985),
and it's preferred by Firefox (i.e. it actually has meaning there:
https://searchfox.org/firefox-main/search?q=is-packaged-app&path=&case=false®exp=false), so we switch from `system-install` to that one. This shouldn't
change anything else user visible.
This removes the "Your browser is being managed by your organization."
text from about:preferences and changes about:policies from showing this
singular policy to "The Enterprise Policies service is inactive." (the
intended upstream behavior), so this seems like a win for clarity.
Tested by downgrading the version in the derivation, and seeing no
update UI appear, either in the hamburger menu in the toolbar or under
Help > About Mullvad Browser.
(cherry picked from commit 75b48cfbf1)
This came up in Firefox as
https://bugzilla.mozilla.org/show_bug.cgi?id=2042197, where policies
caused different behavior to be active (also see
https://github.com/NixOS/nixpkgs/pull/524793). We should not observe any
such differences, but this indicates that the policy is unnecessary for
disabling the updater.
Tor/Mullvad Browser have supported is-packaged-app for a long time
(https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/985),
and it's preferred by Firefox (i.e. it actually has meaning there:
https://searchfox.org/firefox-main/search?q=is-packaged-app&path=&case=false®exp=false), so we switch from `system-install` to that one. This shouldn't
change anything else user visible.
This removes the "Your browser is being managed by your organization."
text from about:preferences and changes about:policies from showing this
singular policy to "The Enterprise Policies service is inactive." (the
intended upstream behavior), so this seems like a win for clarity.
Tested by downgrading the version in the derivation, and seeing no
update UI appear, either in the hamburger menu in the toolbar or under
Help > About Tor Browser.
(cherry picked from commit 8fce018efd)
Replace the `passthru.tests` --version test by running versionCheckHook
during the package build.
As `haskellPackages.mkDerivation` is very locked-down and doesn't allow
access to things like `nativeInstallCheckInputs` (or any input lists),
we add a separate `.overrideAttrs` call to the pipeline.
Running phase: installCheckPhase
Executing versionCheckPhase
Successfully managed to find version 1.3.0 in the output of the command /nix/store/3fg7y7qww3c3hvyb66n75d9j5y362n4j-nixfmt-1.3.0/bin/nixfmt --version
nixfmt 1.3.0
Finished versionCheckPhase
(cherry picked from commit ce5210e9c7)
Apply the Linux patch to the initialization string for `clang_path_include`
instead of replacing `clang_path_include` with the patched string. This
allows the correct value for Darwin to be selected by the ternary expression.
(cherry picked from commit 6f2c0a34f3)
Because stdenv instructs meson to enable all features automatically,
it's redundant to have any lib.mesonEnable that just sets a literal
true. Keeping the `supported_build` feature flag to explicitly convey
the intention behind it.
(cherry picked from commit 6fe7674824)
Especially major versions contain API breakage and we always require
a compatible home-assistant version. Not all API surfaces are
being exercised in home-assistant tests, so don't fool yourself by
nixpkgs-review not revealing any breakages.
(cherry picked from commit ed1de9a708)
Obsidian's app:// scheme lacks `corsEnabled`, which breaks the internal
PDF viewer on Electron 40. Add it to the scheme registration.
Fixes#523846
Assisted-by: Claude Code (Claude Opus 4.8)
(cherry picked from commit d54367545e)
A non-interactive polkit authentication agent that answers PAM prompts
from a file descriptor. Provides the missing `sudo --stdin` equivalent
for run0/systemd-run, which authorise via polkit and otherwise require
a controlling terminal for pkttyagent.
Used by the upcoming `nixos-rebuild --elevate=run0
--ask-elevate-password`.
Reason for backport:
Useful for VM tests of run0systemd-run/pkexec independent of
`nixos-rebuild`. Also useful for tools such as run0-sudo-shim to emulate
`sudo --stdin` with run0. That shim may be used with nixpkgs 26.05,
handling that is significantly easier if `polkit-stdin-agent` is
universally available.
(cherry picked from commit 4d4952ae28)
The check phase for the config file has to replace any instances of
user and group with the current ones, since logrotate checks whether
they actually exist. However, the create/createolddir substitution
expressions didn't take all different parameter formats into
account. Mainly, if the mode was specified, but not user and group,
the result would be something like
create 0644nixbld nixbld
since it relies on matching a space at the end of the mode
specification.
To fix this, always append a space before the substituted user and
group.
Also, simplify the formatting by using extended regex and check for
word boundaries after create/createolddir to exclude any incorrect or
unsupported suffixes.
(cherry picked from commit dfe85974ca)
The unquoted $out/${libDir}/is-packaged-app path word-splits on
applicationNames containing spaces (e.g. "Firefox Developer Edition"),
breaking the Darwin build for firefox-devedition and similar variants.
Regression from 1da3ca7373.
(cherry picked from commit a2e905224c)
This avoids an unfixable Hydra build failure [1] caused by the file
required by `requireFile` not being present in Hydra's store.
A long-term fix for this and similar issues is already on `master` [2]
but constitutes a breaking change, which is why we cannot backport it.
[1] https://hydra.nixos.org/build/329892892
[2] https://github.com/NixOS/nixpkgs/pull/515536
Not-cherry-picked-because: Different fix on master, not backportable
By using unittest's assertEqual you actually see how often the
activation script was being run, i.e. the expected value.
(cherry picked from commit 864a84d3e9)
(cherry picked from commit b1a881edb9)
stc-ng starts every active target (including default.target) and then
explicitly restarts nixos-activation.service. As a Type=oneshot without
RemainAfterExit the unit is inactive after login, so the default.target
start job re-runs it via Wants=, and the explicit restart runs it again
(or, depending on ordering, SIGTERMs the currently running script and re-runs it).
Set RemainAfterExit=yes so target starts are a no-op for an already-run
activation, and restartIfChanged=false so the unit-diff pass leaves it
alone when the script changes. The explicit restart in stc-ng remains
the single trigger per switch. Print that restart so it is visible in
the switch output, and drop it from the "NOT restarting" list.
Extend the user-activation-scripts test to assert the activation is
only run once, and never killed.
(cherry picked from commit 663a59e0b6)
The previous "FragmentPath not under /etc" deny-list swept up units that
were never managed by a per-user manager (e.g. dbus-broker, whose
FragmentPath systemd reports under /run/current-system/sw/share via
systemd.packages) and missed nothing it should have caught, but for the
wrong reason.
Make the intent explicit. A unit is a migration candidate iff it is
active, the new generation defines it in /etc/systemd/user, and either
* its FragmentPath is under $XDG_CONFIG_HOME/systemd/user (the
home-manager case; ~/.config shadows /etc, so we must wait for
sd-switch to remove the copy), or
* its FragmentPath is anywhere else outside /etc and the previous
generation did not have it in /etc (package-shipped units found via
$XDG_DATA_HOME / $XDG_DATA_DIRS, e.g. ~/.nix-profile/share; /etc
outranks these so it wins on daemon-reload).
The "previous generation did not have it" guard keeps units that have
always been in /etc, but whose FragmentPath systemd reports elsewhere, out
of the candidate set, and the existing now_etc check verifies /etc
actually won before acting. Compare FragmentPath by parent directory
instead of string prefix while here.
Covered by a new switch-test case that seeds a unit in
~/.local/share/systemd/user.
(cherry picked from commit 6ced06a1b3)
The post-activation pass added in 5cc82c4922 to handle units migrating
from a per-user manager (home-manager) to NixOS unconditionally restarts
or starts any candidate. dbus-broker.service explicitly opts out of
restarts via reloadIfChanged because restarting the session bus kills
running clients; the second pass ignored that and restarted it anyway.
Apply the same X-ReloadIfChanged / X-RestartIfChanged / RefuseManualStop /
RefuseManualStart / X-OnlyManualStart checks that handle_modified_unit
performs, so a migrated unit is reloaded, skipped, restarted or started
as its directives require.
Covered by new switch-test specialisations for reloadIfChanged and
restartIfChanged = false.
(cherry picked from commit 76c8d45099)
Fixes odd bulletpoints and bare URLs that are prohibited by most
Markdown linters and specs.
Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: Iae14dce3d158ac11c59d9117694ccde46a6a6964
(cherry picked from commit b786821e13)
Follow-up to the 9.0.4 update in aa9f3b7824 that broke the (completely
optional) tests, because upstream renamed the already ignored tests (as
they try to access internet resources) in 5ebe8ea15f.
(cherry picked from commit 45185e91bf)
This should help debugging config values. I verified that `pnpm config
list` works across pnpm_8, pnpm_9, pnpm_10, pnpm_10_29_2 and pnpm_11.
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
(cherry picked from commit d5cbb9e641)
These checks are still performed in fetchPnpmDeps. These checks require
access to the registries used in the lockfile, making it infeasible to
run during configurePhase in a sandboxed build.
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
(cherry picked from commit 599909067c)
See 63147b12a5
Apparently on i686-linux the test isn't flaky but failing reliably.
So restarting on Hydra won't help, and waiting for staging*
would take a few weeks.
(cherry picked from commit 664e60aa95)
This might be a nice way to use our reach to remind users to donate to
FLOSS projects that they use and love.
Signed-off-by: Ethan Carter Edwards <ethan@ethancedwards.com>
(cherry picked from commit 9d2f2d71e4)
This patch is merged upstream and can be reverted on the next update.
Fetchpatch does not work against framagit.org, which is why I vendored
the patch instead.
(cherry picked from commit 1a7b7c7ddf)
machine-learning[1920443]: mkdir -p failed for path /var/empty/.config/matplotlib: [Errno 1] Operation not permitted: '/var/empty/.config'
machine-learning[1920443]: Matplotlib created a temporary cache directory at /tmp/matplotlib-uo52wf71 because there was an issue with the default path (/var/empty/.config/matplotlib); it is highly recommended to set the MPLCONFIGDIR environment variable to a writable directory, in particular to speed up the import of Matplotlib and to better support multiprocessing.
(cherry picked from commit cb2ed10279)
By default, Git commands will trigger background processes to perform
repository maintenance. As of Git v2.54.0, and in particular as of
452b12c2e0 (builtin/maintenance: use "geometric" strategy by default,
2026-02-24), Git has changed the strategy it uses to decide whether
maintenance needs performing, and as a result will kick off background
maintenance processes much more often.
These background processes will potentially change the contents of the
`.git` directory while `nix-prefetch-git` is deleting it. This results in
effectively random failures, when files are added to the `.git`
directory during the `rm -rf` operation (causing it to fail) or after
the operation has completed (causing the `.git` directory to be
recreated and resulting in a FOD hash mismatch).
This also causes problems for the determinism of Git's own tests.
They've resolved this in 09505b1115 (t: fix races caused by background
maintenance, 2026-02-24) by having the maintenance processes run in the
foreground. The discussion in that commit explains they considered just
disabling maintenance entirely, but opted for the foreground option
because disabling maintenance would mean the tests looked even less like
how most Git users work with Git.
`nix-prefetch-git` is nothing like most Git users. In almost every
case, the `.git` directory will be deleted during or immediately after
the script is called. The repositories certainly don't benefit from
ongoing maintenance. To avoid the non-determinism created by the
background maintenance processes, just disable maintenance entirely.
This is done with `git config` after initialising the repository, rather
than `git config --global` earlier in the script, as `git config
--global` will fail if `fetchgit` was called with a `gitConfig`
argument.
It would be possible to set this option with
`GIT_CONFIG_[COUNT|KEY_<n>|VALUE_<n>]` environment variables; I've opted
against that because (a) they're less familiar to most people who might
want to come to edit this script in future and (b) because if someone is
using those values themselves via `impureEnvVars` or similar, making our
configuration play nicely with someone else's would require some fairly
complex logic.
I haven't made this a configurable option: any use of `nix-prefetch-git`
will run with maintenance disabled, as I cannot think of a use case
where it would be useful. If there is such a use case, it would be
straightforward to extend `nix-prefetch-git` and `fetchgit` to allow
users to change the behaviour.
Fixes#524215.
(cherry picked from commit 011471c7f2)
Update to latest pre-release to fix multiple security vulnerabilities:
- CVE-2026-9500: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9501: heap-buffer-overflow in decode.c (read_2004_compressed_section)
- CVE-2026-9502: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9503: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9504: null pointer dereference in dwggrep.c (main)
- CVE-2026-9529: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9530: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9605: heap-buffer-overflow in decode.c (decompress_R2004_section)
Individual backports were not feasible as the decompressor was significantly
refactored on upstream's main branch between 0.13.4 and the fixes.
(cherry picked from commit b27ee09e7d)
The 9.4.14 tarball is no longer hosted at download.nomachine.com; the
old URL now redirects to the vendor homepage and breaks fetchurl. Bump
to the current upstream release. Both x86_64 and i686 release tarballs
use build suffix _2.
Hashes recomputed via nix-prefetch-url against
https://download.nomachine.com/download/9.5/Linux/.
(cherry picked from commit 0f906ee9b4)
The crates.io API server's 1 req/sec rate limit currently surfaces as
intermittent HTTP 403 errors when vendoring lockfiles. Switch to the CDN
endpoint as recommended by upstream (rust-lang/crates.io#13482), mirroring
the fix already applied to fetchCargoVendor in #512735.
fetchurl is content-addressed by sha256, so the URL change does not affect
any downstream store paths.
Fixes#524979
(cherry picked from commit f830e6112b)
Versions before 144 vendor bindgen 0.69, which emits invalid Rust for
libc++ 21's attributed basic_string::__self_view alias on Darwin.
This was exposed by commit 0758fc3add ("darwin.libcxx:
20.1.0+apple-sdk-26.0 -> 21.1.6+apple-sdk-26.4"), where libc++
changed `basic_string::__self_view` from a typedef to an attributed
`using` alias. bindgen then drops the alias template parameter and emits
`basic_string___self_view = ...<_CharT>`.
The solution is to blocklist the unused `string_view` internals for the
profiler Rust API. They are not used in the actual build.
Note: Mozilla 144 updated vendored bindgen via:
https://bugzilla.mozilla.org/show_bug.cgi?id=1985509
Assisted-by: Codex gpt-5.5 xhigh
(cherry picked from commit c19203e06f)
I suspect it was commit 0968bb28e2 that
broke the build with nodejs_24, presumably because of npm updating from
11.11.1 to 11.12.1.
(cherry picked from commit 78df8f88a5)
The fix in #523016 fixes an issue with the default gateway, however it
does so by unconditionally defining `networking.interfaces.eth0`. This
makes so if you had other methods of defining the addresses for eth0,
those now get blanked out.
Instead, move the logic around so we only define
networking.interfaces.eth0 if we really have to.
(cherry picked from commit 217d834eb9)
With kernel lockdown the tun kmod is not necessarily available in stage2,
but Lix dependes on it through pasta.
nix-daemon[682677]: remote pid 682659 is user build (trusted)
nix-daemon[682711]: Failed to open() /dev/net/tun: No such device
nix-daemon[682702]: Failed to set up tap device in namespace
(cherry picked from commit 34fbf0285a)
Commit 5aa9012bb3 (nixos: replace 'text' with structured PAM rules
(#420889), 2026-04-14) resulted in the vsftpd module no longer creating
a PAM module, and therefore configurations relying on `cfg.localUsers`
stopped permitting logins unless the PAM module was being set up by
other configuration.
In the absence of a better fix, document this change of behaviour as a
regression. Per the discussion at [0], provide a mechanims to restore
the previous behaviour, but with the caveat that this may be insecure.
I'd prefer more useful advice, but if I had a better understanding of
NixOS's PAM configuration and how it interacts with vsftpd, I'd just be
providing the better fix in the first place.
[0]: https://github.com/NixOS/nixpkgs/issues/515531#issuecomment-4367747991
(cherry picked from commit 93699b88a5)
This replaces the earlier 2.86 patch.
One may consider bumping the source to something newer than the 8 year old release, but that's out of scope for this fix.
Signed-off-by: benaryorg <binary@benary.org>
(cherry picked from commit 79f6dec101)
Define ANSI_FUNC so corkscrew uses ANSI C function definitions instead of legacy K&R definitions rejected by modern Clang/C23.
Assisted-by: OpenCode (openai/gpt-5.5)
(cherry picked from commit 47eb5f6f4d)
The test created ZFS datasets with canmount=noauto, but pam_zfs_key's
mount_dataset() now checks canmount == ZFS_CANMOUNT_ON and skips
mounting otherwise (added in
https://github.com/openzfs/zfs/commit/387ed5ca41). Use the default
canmount=on and unmount before unloading the key to compensate for
the auto-mount that happens when the key is loaded during creation.
This also silences the warning for forceImportRoot.
Assisted-by: opencode with DeepSeek V4 Flash Free
(cherry picked from commit 3fdfb983c7)
also switches to the new `generate_db.py` script
this was done because the old `lensfun_convert_db_v2_to_v1.py` script has been
removed upstream and this is the new preferred method
additionally, this adds the optional `lensfunDatabases` argument which can be
used to override the lens database used when building the package
(cherry picked from commit f652ee5019)
This gives us better UI in the PR by hiding the commits that are already
on the base branch (mostly staging) after the periodic merge. Without
this, the PR has 100s of commits listed after a few days.
(cherry picked from commit 5439176950)
Replace gitUpdater with a shell script that invokes
update-source-version once per system using
--source-key, so both per-arch AppImage hashes are
refreshed on each version bump.
(cherry picked from commit ec5d28b85b)
MemoryDenyWriteExecute=true breaks pyopenssl's cffi calls, used in the remote access feature.
```
2026-05-24 17:32:58.344 ERROR (MainThread) [music_assistant] Error doing task: Task exception was never retrieved
Traceback (most recent call last):
File "/nix/store/mmv9717wjskv3q5v4768dq0fq5hf4jry-python3.13-aiortc-1.14.0/lib/python3.13/site-packages/aiortc/rtcpeerconnection.py", line 1084, in __connect
await dtlsTransport.start(self.__remoteDtls[self.__sctp])
File "/nix/store/mmv9717wjskv3q5v4768dq0fq5hf4jry-python3.13-aiortc-1.14.0/lib/python3.13/site-packages/aiortc/rtcdtlstransport.py", line 518, in start
self.__local_certificate._create_ssl_context(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
srtp_profiles=self._srtp_profiles
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/nix/store/mmv9717wjskv3q5v4768dq0fq5hf4jry-python3.13-aiortc-1.14.0/lib/python3.13/site-packages/aiortc/rtcdtlstransport.py", line 198, in _create_ssl_context
ctx.set_verify(
~~~~~~~~~~~~~~^
SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, lambda *args: True
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/nix/store/5kwsndvbzfj3dv4fwpdlgin42mgbd4xk-python3.13-pyopenssl-26.0.0/lib/python3.13/site-packages/OpenSSL/SSL.py", line 867, in inner
return f(self, *args, **kwargs)
File "/nix/store/5kwsndvbzfj3dv4fwpdlgin42mgbd4xk-python3.13-pyopenssl-26.0.0/lib/python3.13/site-packages/OpenSSL/SSL.py", line 1390, in set_verify
self._verify_helper = _VerifyHelper(callback)
~~~~~~~~~~~~~^^^^^^^^^^
File "/nix/store/5kwsndvbzfj3dv4fwpdlgin42mgbd4xk-python3.13-pyopenssl-26.0.0/lib/python3.13/site-packages/OpenSSL/SSL.py", line 527, in __init__
self.callback = _ffi.callback(
~~~~~~~~~~~~~^
"int (*)(int, X509_STORE_CTX *)", wrapper
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
MemoryError: Cannot allocate write+execute memory for ffi.callback(). You might be running on a system that prevents this. For more information, see https://cffi.readthedocs.io/en/latest/using.html#callbacks
```
(cherry picked from commit 6b53fc13e3)
I assume quadradical doesn't want to re-assume maintainership simply because I reverted the package drop for my own purposes.
(cherry picked from commit 261eac2ed0)
qbz uses pactl for PipeWire device enumeration and sink routing, and
pw-metadata for bit-perfect sample rate queries. Without these on PATH,
audio playback fails with "Failed to run pactl: No such file or directory".
(cherry picked from commit feafc3f846)
If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
options:
- "Please select a version."
- "- Unstable (26.11)"
- "- Beta (26.05)"
- "- Unstable (26.05)"
- "- Stable (25.11)"
default:0
validations:
@@ -100,7 +99,7 @@ body:
attributes:
label:"Are you using nix-darwin?"
description:|
[`nix-darwin`](https://github.com/nix-darwin/nix-darwin) is a set of NixOS-like modules for macOS systems. Depending on your issue, this information may be relevant.
[`nix-darwin`](https://github.com/LnL7/nix-darwin) is a set of NixOS-like modules for macOS systems. Depending on your issue, this information may be relevant.
If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
Nixpkgs and NixOS are built and tested by our continuous integration system, [Hydra](https://hydra.nixos.org/).
* [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
* [Continuous package builds for the NixOS 25.11 release](https://hydra.nixos.org/jobset/nixos/release-25.11)
* [Continuous package builds for the NixOS 26.05 release](https://hydra.nixos.org/jobset/nixos/release-26.05)
* [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
* [Tests for the NixOS 25.11 release](https://hydra.nixos.org/job/nixos/release-25.11/tested#tabs-constituents)
* [Tests for the NixOS 26.05 release](https://hydra.nixos.org/job/nixos/release-26.05/tested#tabs-constituents)
Artifacts successfully built with Hydra are published to cache at https://cache.nixos.org/.
When successful build and test criteria are met, the Nixpkgs expressions are distributed via [Nix channels](https://nix.dev/manual/nix/stable/command-ref/nix-channel.html).
This is usually a bug. Please consider reporting it to the software maintainers.
In a lot of cases, the library requires the execstack by mistake only. The following workarounds exist:
* When building the shared library in question from source, use the following linker flags to force turning off the
executable flag:
```nix
mkDerivation {
# …
env.NIX_LDFLAGS = "-z,noexecstack";
}
```
* If the sources are not available, the execstack-flag can be cleared with `patchelf`:
```
patchelf --clear-execstack binary-only.so
```
* If the shared library to be loaded actually requires an executable stack and it isn't turned
on by the application loading it, you may force allowing that behavior by setting the
following environment variable:
```
GLIBC_TUNABLES=glibc.rtld.execstack=2
```
**Do not set this globally!** This makes your setup inherently less secure.
- Node.js default version has been updated from 22 LTS to 24 LTS.
This introduces some breaking changes; Refer to the [upstream migration article](https://nodejs.org/en/blog/migrations/v22-to-v24) for details.
@@ -74,6 +112,8 @@
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- `mdbook-linkcheck` has been removed as it is unmaintained and incompatible with the latest version of `mdbook`. Users can instead migrate to `mdbook-linkcheck2`.
- The `nodePackages` package set has been removed entirely from nixpkgs. This package set was created to ease the maintenance burden of maintaining lots of
NodeJS-based packages within nixpkgs, but became a burden itself. Over the past several releases, there has been a focus on removing it in favor of the more modern nixpkgs packaging strategies.
After a long time, this package set has been deprecated and removed. If you are using its package set in your own config, please use the top-level packages instead.(i.e `pkgs.package-name` instead of `pkgs.nodePackages.package-name`).
@@ -111,6 +151,23 @@
- `nodePackages.wavedrom-cli` has been removed, as it was unmaintained within nixpkgs.
- MATE packages have been moved to top level (e.g. if you previously added `pkgs.mate.caja` to `environment.systemPackages`, you will need to change it to `pkgs.caja`).
- `kratos` has been updated from 1.3.1 to [25.4.0](https://github.com/ory/kratos/releases/tag/v25.4.0). Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:
- The `migrate sql` CLI command is now `migrate sql up`
- OIDC registration validation errors are now placed in the `default` node group instead of `oidc`
- `pdns` has been updated to version [v5.0.x](https://doc.powerdns.com/authoritative/changelog/5.0.html), which introduces breaking changes. Check out the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-5-0-0) for details.
- `geph` package's built-in GUI `geph5-client-gui` has been [removed](https://github.com/geph-official/geph5/commit/f2221fb8386312daf2cef05483ebb353ff48bdb4) by the upstream. All users who wish to continue using the GUI should install the `gephgui-wry`, which is consistent with the official release version.
- `xfsprogs` was updated to version 6.18.0, which enables parent pointers and exchange-range by default. Upstream recommends not to use these features with kernels older than 6.18.
GRUB2 is likely unable to boot from filesystems with these features enabled.
- `lunarvim` package has been removed, as it was abandoned upstream and relied on an old version of `neovim` to work properly.
- `requireFile` now treats any `message` or `url` argument as a literal string, rather than subjecting it to Bash here-doc expansion. This allows including strings like `$PWD` in the message without needing to know about and handle the undocumented Bash expansion.
- `nodePackages.browserify` has been removed, as it was unmaintained within nixpkgs.
@@ -126,8 +183,6 @@
- `kanata` now requires `karabiner-dk` version 6.0+ or later.
The package has been updated to use the new `karabiner-dk` package and the `darwinDriver` output stays at the version defined in the package.
- Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.
- Keycloak has been updated to 26.6.X, bringing a lot of new features like federated client authentication, JWT authorization grants, workflows and the ability to do
zero-downtime patch releases. Read more about [all the exciting new capabilities in keycloak 26.6 here](https://github.com/keycloak/keycloak/releases/tag/26.6.0)
and [consult the migration guide to 26.6](https://www.keycloak.org/docs/latest/upgrading/index.html#migrating-to-26-6-0) to find out whether this is a breaking
@@ -177,7 +232,7 @@
- `iroh` has been removed and split up into `iroh-dns-server` and `iroh-relay`.
- the `xorg` package set has been deprecated, packages have moved to the top level.
- The `xorg` package set has been deprecated, packages have moved to the top level.
- `python3Packages.buildPythonPackage` and `python3Packages.buildPythonApplication` now throw errors in the presence of `pytestFlagsArray`.
Please use [`pytestFlags` and `(enabled|disabled)(TestPaths|Tests|TestMarks)`](#using-pytestcheckhook) instead.
@@ -214,23 +269,12 @@
- `jetbrains.plugins.addPlugins` no longer supports plugin names or ID strings.
You can still use `addPlugins` with plugin derivations, such as plugins packaged outside of Nixpkgs.
- The `programs.captive-browser` module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to [GHSA-wc3r-c66x-8xmc](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc) (CVE-2026-25740). If you're using this module, you must either configure `programs.captive-browser.dhcp-dns` manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.
- NetBox was updated to `>= 4.5.5`. Have a look at the breaking changes
of the [4.5 release](https://github.com/netbox-community/netbox/releases/tag/v4.5.0),
make the required changes to your database, if needed, then upgrade by setting `services.netbox.package = pkgs.netbox_4_5;` in your configuration.
- The `services.yggdrasil` module has been refactored with the following breaking changes:
- The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via `services.yggdrasil.settings`.
- The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use `services.yggdrasil.settings.PrivateKeyPath` to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
- Storing `PrivateKey` directly in `settings` is now explicitly forbidden to prevent keys from being stored world-readable in the Nix store.
- If you previously used `configFile`, migrate your configuration to the `settings` option and extract the private key to a separate file referenced by `PrivateKeyPath`.
- If you previously used `persistentKeys`, convert your keys to PEM format and store them in a secure location accessible only to root, then reference them via `PrivateKeyPath`.
- `pocket-id` has been updated to version 2 that contains [breaking changes](https://pocket-id.org/docs/setup/major-releases/migrate-v2).
- `services.xserver` will now throw an error if an X11 driver specified in `videoDriver(s)` cannot be found. Previously, unknown drivers would be silently ignored.
- `asio` (standalone version of `boost::asio`) has been updated from 1.24.0 to 1.36.0. Some breaking changes were introduced between these
two versions, and the one affected most was the removal of `asio::io_service` in favor of `asio::io_context` in 1.33.0. `asio_1_32_0` is
retained for packages that have not completed migration. `asio_1_10` has been removed as no packages depend on it anymore.
@@ -253,8 +297,6 @@
- Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.
- The `services.avahi.wideArea` option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g).
- `coreth` has been removed, as upstream has moved it into `avalanchego`.
- `nodePackages.prebuild-install` was removed because it appeared to be unmaintained upstream.
@@ -284,8 +326,6 @@
- `shisho` has been removed because it's archived. `semgrep`, `opengrep`, and `ast-grep` provide similar functionality.
- `services.openssh.settings.AcceptEnv` is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
- All Xfce packages have been moved to top level (e.g. if you previously added `pkgs.xfce.xfce4-whiskermenu-plugin` to `environment.systemPackages`, you will need to change it to `pkgs.xfce4-whiskermenu-plugin`). The `xfce` scope will be removed in NixOS 26.11.
- The Dovecot IMAP server has been updated to version 2.4, with the `dovecot` attribute now referring to this backwards-incompatible version. The attribute `dovecot_2_3` refers to the previous version. The Pigeonhole plugin has been similarly updated to 2.4, with the version compatible with Dovecot 2.3 being at `dovecot_pigeonhole_0_5`. See <https://doc.dovecot.org/latest/installation/upgrade/2.3-to-2.4.html> for more information on how to upgrade.
@@ -296,12 +336,8 @@
- `vimPlugins.nvim-treesitter` has been updated to `main` branch, which is a full and incompatible rewrite. If you can't or don't want to update, you should use `vimPlugins.nvim-treesitter-legacy`.
- `services.taskchampion-sync-server` module has had an option `services.taskchampion-sync-server.dynamicUser` added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
- Package `jellyseerr` has been renamed to `seerr` following the upstream rename.
- The default packages in `services.jenkins.packages` have been dropped, since not every Jenkins installation needs any package at all. It's more reasonable to leave it empty and let users configure what they need.
- The `pie` hardening flag has been removed and will now error, after being deprecated in 25.11. Compilers are expected to enable PIE by default, as has been common practice since 2016 outside of Nixpkgs. If a package needs `pie` disabled pass `-no-pie` in `CFLAGS`. It is unlikely this will be necessary in many cases; due to the prevalence of default PIE toolchains, most packages incompatible with PIE already pass `-no-pie`.
- `pqos-wrapper` was removed as it has been unmaintained since 2022 and not widely used.
@@ -314,6 +350,8 @@
- `linuxPackages.nvidiaPackages` now follows NVIDIA's official release branches by exposing `production`, `new_feature`, and `beta`. The convenience aliases `latest` (newer of `production` and `new_feature`) and `bleeding_edge` (newer of `latest` and `beta`) are provided; note that `beta` now refers strictly to the beta branch.
- `stestrCheckHook` was added: This test hook runs `stestr run`. You can disable tests with `disabledTests` and `disabledTestsRegex`.
- `balatro` now supports the Google Play and Xbox PC versions of the game. Pass the `apk` or `Assets.zip` as `balatro.override { src = "…" }`.
- `uptime-kuma` has been updated to v2, which requires an automated migration that can take a few hours. **A backup is highly recommended.**
@@ -324,16 +362,22 @@
- The `libcxxhardeningextensive` hardening flag has been **disabled** by default. Enabling it by default in 25.11 was unintentional and may have had a negative effect on performance in some cases. `libcxxhardeningfast` remains enabled by default.
- The packages `ibtool`, `actool` and `re-plistbuddy` have been added, providing reimplementations of the corresponding proprietary Apple tools. They are more compatible with the originals than the previously existing `xcbuild` package, and should enable more darwin software to be built from source.
- Wine has been updated to the 11.0 branch. Please check the [upstream announcement](https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0) for more details.
- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
- Cinnamon has been updated to 6.6, please check the [upstream announcement](https://www.linuxmint.com/rel_zena_whatsnew.php) for more details.
- `rspamd` has been updated to 4.0. Please check the upstream [migration](https://docs.rspamd.com/tutorials/migration/#migration-to-rspamd-400) documentation, especially if you run a sharded Redis deployment.
- `hyphen` now supports over 40 language variants through `hyphenDicts` and now allows to enable all supported languages through `hyphenDicts.all`.
- `budgie` has been updated to 10.10, please check the [upstream announcement](https://buddiesofbudgie.org/blog/budgie-10-10-released) for more details.
- The packages `ibtool`, `actool` and `re-plistbuddy` have been added, providing reimplementations of the corresponding proprietary Apple tools. They are more compatible with the originals than the previously existing `xcbuild` package, and should enable more darwin software to be built from source.
- GNU Taler has been updated to version 1.3.
This release focuses on getting everything ready for a deployment of GNU Taler by Magnet bank.
For more details, see the [upstream release notes](https://www.taler.net/en/news/2025-13.html).
- The `services.nextcloud-spreed-signaling` NixOS module has been added to facilitate declarative management of a standalone Spreed signaling server ("High Performance Backend" for Nextcloud Talk).
- `collabora-desktop` The desktop version of Collabora Office is now available, package version `25.05.9.2-2`.
- `fetchPnpmDeps` and `pnpmConfigHook` were added as top-level attributes, replacing the now deprecated `pnpm.fetchDeps` and `pnpm.configHook` attributes.
@@ -368,8 +412,6 @@
- Updated `gonic` to 0.21.0. A full ("slow") scan is recommended after upgrading to v0.21.0 to pick up the newly scanned fields (contributors, ISRCs, record labels, per-track years, ARTIST_CREDIT).
- the `autossh-ng` NixOS module was introduced as a simpler alternative to the existing `autossh` module.
- Added `haskell.packages.microhs`, a set of Haskell packages built with MicroHs.
- `gnuradio`: Overriding the `.pkgs` package set is now possible with a `packageOverrides` function, like with `python.pkgs` and other language-specific package sets.
@@ -388,8 +430,6 @@ gnuradioMinimal.override {
}
```
- Added `headplane` and `headplane-agent` packages, and `services.headplane` service.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@@ -422,4 +462,3 @@ gnuradioMinimal.override {
- The builder `php.buildComposerProject2` for PHP applications has been improved for better reliability and stability.
- The `services.drupal` module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and some new settings for managing variable content and filepaths.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-`hurl` has been updated to `8.x.x` which has some breaking changes. See [upstream changelog](https://github.com/Orange-OpenSource/hurl/releases/tag/8.0.0) for details.
-`python3Packages.django-health-check` has been updated to major version 4. See its [migration guide](https://codingjoe.dev/django-health-check/migrate-to-v4/) and [changelog](https://github.com/codingjoe/django-health-check/releases/tag/4.0.0) for breaking changes.
-`requireFile` now sets `meta.license = lib.licenses.unfree` by default. Users of `requireFile`-based derivations that preserve this default will need to explicitly allow their evaluation as described in [](#sec-allow-unfree).
-Create the first release note entry in this section!
## Other Notable Changes {#sec-nixpkgs-release-26.11-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-Package-URL (PURL, https://github.com/package-url/purl-spec) metadata identifier has been added for `fetchgit`, `fetchpypi` and `fetchFromGithub` fetchers.
`mkDerivation` has been adjusted to reuse this information.
Package-URLs allow reliably identifying and locating software packages.
Maintainers of derivations using the adapted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers.
Maintainers using `fetchurl` for `drv.src` are urged to adapt their `drv.meta.identifiers.purlParts` for proper identification.
-Create the first release note entry in this section!
@@ -157,8 +157,6 @@ The list of Nix platform types for which the [Hydra](https://github.com/nixos/hy
}
```
Note that this does not affect whether reverse dependencies of the package are built on Hydra.
### `broken` {#var-meta-broken}
If set to `true`, the package is marked as "broken", meaning that it won’t show up in [search.nixos.org](https://search.nixos.org/packages), and cannot be built or installed unless [explicitly allowed](#sec-allow-broken).
@@ -342,30 +340,3 @@ A readonly attribute that concatenates all CPE parts in one string.
A readonly attribute containing the list of guesses for what CPE for this package can look like. It includes all variants of version handling mentioned above. Each item is an attrset with attributes `cpeParts` and `cpe` for each guess.
### Package URL {#sec-meta-identifiers-purl}
[Package-URL](https://github.com/package-url/purl-spec) (PURL) is a specification to reliably identify and locate software packages.
Through identification of software packages, additional (non-major) use cases are e.g. software license cross-verification via third party databases or initial vulnerability response management.
Package-URLs shall default to the `mkDerivation.src`, as the original consumed software package is the single source of truth.
This attribute contains an attribute set of all parts of the PURL for this package.
* `type` mandatory [type](https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/docs/standard/summary.md) which needs to be provided
* `spec` specify the PURL in accordance with the [purl-spec](https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/purl-specification.md)
An extendable list attribute which defaults to a single element equal to [`meta.identifiers.purl`](#var-meta-identifiers-purl).
It provides an interface for additional identifiers of `mkDerivation.src` or for identifiers of vendored dependencies inside `mkDerivation.src`, which maintainers may carefully consider to specify as well.
Additional identifiers are generally not recommended, as they might cause maintenance overhead or diverge.
For example, a source distribution `pkg:github` may be hard to keep correctly aligned with the corresponding binary distribution `pkg:pypi`.
@@ -899,19 +899,6 @@ checkConfigError 'Did you mean .enable., .ebe. or .enabled.\?' config ./error-ty
checkConfigError 'Did you mean .services\.myservice\.port. or .services\.myservice\.enable.\?' config.services.myservice ./error-typo-submodule.nix
checkConfigError 'Did you mean .services\.nginx\.virtualHosts\."example\.com"\.ssl\.certificate. or .services\.nginx\.virtualHosts\."example\.com"\.ssl\.certificateKey.\?' config.services.nginx.virtualHosts.\"example.com\" ./error-typo-deeply-nested.nix
checkConfigError 'A definition for option .attrListInt.badValue.a. is not of type .signed integer.. Definition values:' config.attrListIntStrict.badValue ./declare-attrList.nix
checkConfigError 'A definition for option .attrList.badListElem. is not of type .attribute list of string.. Each list element must be a single-key attribute set, but got 2 keys' config.attrListStrict.badListElem ./declare-attrList.nix
checkConfigError 'A definition for option .attrList.badString. is not of type .attribute list of string.. TypeError: Definition values:' config.attrListStrict.badString ./declare-attrList.nix
checkConfigError 'A definition for option .attrList.badListString. is not of type .attribute list of string.. Each list element must be an attribute set, but got string' config.attrListStrict.badListString ./declare-attrList.nix
checkConfigError 'The option .merged. in .*/declare-attrList-type-merge.nix. is already declared in .*/declare-attrList-type-merge.nix' config.merged ./declare-attrList-type-merge.nix
@@ -6,7 +6,7 @@ Status: in development. This functionality is new in NixOS 25.11, and significan
Traditionally, NixOS services were defined using sets of options *in* modules, not *as* modules. This made them non-modular, resulting in problems with composability, reuse, and portability.
A configuration management framework is an application of `evalModules` with the `class` and `specialArgs` input attribute set to particular values.
NixOS is such a configuration management framework, and so are [Home Manager](https://github.com/nix-community/home-manager) and [`nix-darwin`](https://github.com/nix-darwin/nix-darwin).
NixOS is such a configuration management framework, and so are [Home Manager](https://github.com/nix-community/home-manager) and [`nix-darwin`](https://github.com/lnl7/nix-darwin).
The service management component of a configuration management framework is the set of module options that connects Nix expressions with the underlying service (or process) manager.
For NixOS this is the module wrapping [`systemd`](https://systemd.io/), on `nix-darwin` this is the module wrapping [`launchd`](https://en.wikipedia.org/wiki/Launchd).
- If you use LUKS disk encryption, ensure that `fileSystems."/".device` is set to `"/dev/mapper/<name>"`, where `<name>` matches the name in your `boot.initrd.luks.devices.<name>` definition, to avoid systemd timing out while prompting for a passphrase. If you have a more complex setup, e.g. with LVM on top of LUKS, you may need to add `"x-systemd.device-timeout=infinity"` to `fileSystems."/".options` instead. If you need to disable the timeout before you can boot into the system, pass `systemd.default_device_timeout_sec=infinity` on the kernel command line.
- The `cryptsetup-askpass` program is not available; use `systemctl default` instead, which will prompt for passphrases as necessary. If you pipe password responses into SSH over stdin, use `ssh -o RequestTTY=force` to ensure `systemctl default` gets a TTY to prompt on.
- Many kernel parameters have been replaced with native systemd versions; see [](#sec-boot-problems).
-`/dev/root` is not available with the systemd stage 1. In the old scripted stage 1, `/dev/root` was a symlink created by the init script from the `root=` kernel command line. With systemd stage 1, this symlink is not provided. If your configuration uses `/dev/root` in `fileSystems`, replace it with a stable device path such as `/dev/disk/by-label/...`, `/dev/disk/by-uuid/...`, or the appropriate `/dev/mapper/...` path.
- The system.nix file has been added as an alternative entry point to configuration.nix (and flake.nix) that allows configuring NixOS without using `nix-channel`.
This file must evaluate to a NixOS system derivation or an attribute set of such derivations, in which case the attribute to build has to be selected with the `--attr` option of `nixos-rebuild` or `nixos-install`.
@@ -60,6 +61,10 @@
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- [](#opt-services.autossh-ng.sessions) NixOS module was introduced as a simpler alternative to the existing [](#opt-services.autossh.sessions) module.
- [services.nextcloud-spreed-signaling](#opt-services.nextcloud-spreed-signaling.enable) NixOS module has been added to facilitate declarative management of a standalone Spreed signaling server ("High Performance Backend" for Nextcloud Talk).
- [OpenThread Border Router](https://openthread.io/), a Thread border router for POSIX-based platforms that bridges Thread mesh networks to IP networks. Available as [services.openthread-border-router](#opt-services.openthread-border-router.enable).
- [Atuin](https://atuin.sh), magical shell history — sync, search and backup your terminal history. Available as [programs.atuin](#opt-programs.atuin.enable).
@@ -69,9 +74,9 @@
- [Goupile](https://goupile.org/en), an open-source design tool for secure forms including Clinical Report Forms (eCRF). Available as [services.goupile](#opt-services.goupile.enable).
- [knot-resolver](https://www.knot-resolver.cz/), in version 6. Available as `services.knot-resolver`. A module for knot-resolver 5 was already available as `services.kresd`.
- [knot-resolver](https://www.knot-resolver.cz/), in version 6. Available as [services.knot-resolver](#opt-services.knot-resolver.enable). A module for knot-resolver 5 was already available as [services.kresd](#opt-services.kresd.enable).
- [ImmichFrame](https://immichframe.dev/), display your photos from Immich as a digital photo frame. Available as `services.immichframe`.
- [ImmichFrame](https://immichframe.dev/), display your photos from Immich as a digital photo frame. Available as [services.immichframe](#opt-services.immichframe.enable).
- [PdfDing](https://www.pdfding.com/), manage, view and edit your PDFs seamlessly on all your devices wherever you are. Available as [services.pdfding](#opt-services.pdfding.enable).
@@ -79,7 +84,7 @@
- [reaction](https://reaction.ppom.me/), a daemon that scans program outputs for repeated patterns, and takes action. A common usage is to scan ssh and webserver logs, and to ban hosts that cause multiple authentication errors. A modern alternative to fail2ban. Available as [services.reaction](#opt-services.reaction.enable).
- [vinyl-cache](https://vinyl-cache.org) as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old `services.varnish` module is still available.
- [vinyl-cache](https://vinyl-cache.org) as the Varnish Cache project renamed itself. Available as [services.vinyl-cache](#opt-services.vinyl-cache.enable). To aid the migration, the old [services.varnish](#opt-services.varnish.enable) module is still available.
- [papra](https://papra.app/), an open-source document management platform designed to help you organize, secure, and archive your files effortlessly. Available as [services.papra](#opt-services.papra.enable).
@@ -91,8 +96,6 @@
- [kiwix-serve](https://wiki.kiwix.org/wiki/Kiwix-serve), a service that serves ZIM files (such as Wikipedia archives) over HTTP. Available as [services.kiwix-serve](#opt-services.kiwix-serve.enable).
- [matterjs-server](https://github.com/matter-js/matterjs-server), a Matter controller with a Home Assistant compatible WebSocket API. Available as [services.matterjs-server](#opt-services.matterjs-server.enable).
- [Remark42](https://remark42.com/), a self-hosted comment engine. Available as [services.remark42](#opt-services.remark42.enable).
- [LibreChat](https://www.librechat.ai/), open-source self-hostable ChatGPT clone with Agents and RAG APIs. Available as [services.librechat](#opt-services.librechat.enable).
@@ -103,7 +106,7 @@
- [bentopdf](https://github.com/alam00000/bentopdf), a privacy-first PDF toolkit running completely in-browser. Available as [services.bentopdf](#opt-services.bentopdf.enable).
- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as `services.hyprwhspr-rs`.
- [hyprwhspr-rs](https://github.com/better-slop/hyprwhspr-rs), a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as [services.hyprwhspr-rs](#opt-services.hyprwhspr-rs.enable).
- [DankMaterialShell](https://danklinux.com), a complete desktop shell for Wayland compositors built with Quickshell. Available as [programs.dms-shell](#opt-programs.dms-shell.enable).
@@ -131,19 +134,19 @@
- [Dawarich](https://dawarich.app/), a self-hostable location history tracker. Available as [services.dawarich](#opt-services.dawarich.enable).
- [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux.
- [Howdy](https://github.com/boltgolt/howdy), a Windows Hello™ style facial authentication program for Linux. Available as [services.howdy](#opt-services.howdy.enable)
- [SuiteNumérique Drive](https://github.com/suitenumerique/drive), a collaborative file sharing and document management platform that scales. Built with Django and React. Open source alternative to Sharepoint or Google Drive.
- [SuiteNumérique Drive](https://github.com/suitenumerique/drive), a collaborative file sharing and document management platform that scales. Built with Django and React. Open source alternative to Sharepoint or Google Drive. Available as [services.lasuite-drive](#opt-services.lasuite-drive.enable).
- [linux-enable-ir-emitter](https://github.com/EmixamPP/linux-enable-ir-emitter), a tool used to set up IR cameras, used with Howdy.
- [linux-enable-ir-emitter](https://github.com/EmixamPP/linux-enable-ir-emitter), a tool used to set up IR cameras, used with Howdy. Available as [services.linux-enable-ir-emitter](#opt-services.linux-enable-ir-emitter.enable).
- [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as `services.udp-over-tcp`.
- [udp-over-tcp](https://github.com/mullvad/udp-over-tcp), a tunnel for proxying UDP traffic over a TCP stream. Available as [](#opt-services.udp-over-tcp.udp2tcp) and [](#opt-services.udp-over-tcp.tcp2udp).
- [turborepo-remote-cache](https://ducktors.github.io/turborepo-remote-cache/), an open-source implementation of the [Turborepo custom remote cache server](https://turbo.build/repo/docs/core-concepts/remote-caching#self-hosting). Available as [services.turborepo-remote-cache](#opt-services.turborepo-remote-cache.enable).
- [RSSHub](https://github.com/DIYgod/RSSHub), a service to convert many sources into rss. Available as `services.rsshub`.
- [RSSHub](https://github.com/DIYgod/RSSHub), a service to convert many sources into rss. Available as [services.rsshub](#opt-services.rsshub.enable).
- [ReFrame](https://github.com/AlynxZhou/reframe), a DRM/KMS based remote desktop for Linux that supports Wayland/NVIDIA/headless/login.
- [ReFrame](https://github.com/AlynxZhou/reframe), a DRM/KMS based remote desktop for Linux that supports Wayland/NVIDIA/headless/login. Available as [services.reframe](#opt-services.reframe.enable)
- [Komodo Periphery](https://github.com/moghtech/komodo), a multi-server Docker and Git deployment agent by Komodo. Available as [services.komodo-periphery](#opt-services.komodo-periphery.enable).
@@ -159,7 +162,7 @@
- [Headplane](https://headplane.net), a feature-complete Web UI for Headscale. Available as [services.headplane](#opt-services.headplane.enable).
- [whois](https://packages.qa.debian.org/w/whois.html), an intelligent WHOIS client. Available as `programs.whois`.
- [whois](https://packages.qa.debian.org/w/whois.html), an intelligent WHOIS client. Available as [programs.whois](#opt-programs.whois.enable).
- [porxie](https://codeberg.org/Blooym/porxie), a correct and efficient ATProto blob proxy for secure content delivery. Available as [services.porxie](#opt-services.porxie.enable).
@@ -169,12 +172,29 @@
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- [](#opt-services.openssh.settings.AcceptEnv) is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
- The default packages in [](#opt-services.jenkins.packages) have been dropped, since not every Jenkins installation needs any package at all. It's more reasonable to leave it empty and let users configure what they need.
- [services.taskchampion-sync-server](#opt-services.taskchampion-sync-server.enable) module has had an option [](#opt-services.taskchampion-sync-server.dynamicUser) added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.
- The [programs.captive-browser](#opt-programs.captive-browser.enable) module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to [GHSA-wc3r-c66x-8xmc](https://github.com/NixOS/nixpkgs/security/advisories/GHSA-wc3r-c66x-8xmc) (CVE-2026-25740). If you're using this module, you must either configure [](#opt-programs.captive-browser.dhcp-dns) manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.
- The [services.yggdrasil](#opt-services.yggdrasil.enable) module has been refactored with the following breaking changes:
- The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via [](#opt-services.yggdrasil.settings).
- The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use [](#opt-services.yggdrasil.settings.PrivateKeyPath) to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
- Storing `PrivateKey` directly in `settings` is now explicitly forbidden to prevent keys from being stored world-readable in the Nix store.
- If you previously used `configFile`, migrate your configuration to the `settings` option and extract the private key to a separate file referenced by `PrivateKeyPath`.
- If you previously used `persistentKeys`, convert your keys to PEM format and store them in a secure location accessible only to root, then reference them via `PrivateKeyPath`.
- [services.xserver](#opt-services.xserver.enable) will now throw an error if an X11 driver specified in `videoDriver(s)` cannot be found. Previously, unknown drivers would be silently ignored.
- The [](#opt-services.avahi.wideArea) option now defaults to `false` as a mitigation against [`CVE-2024-52615`/`GHSA-x6vp-f33h-h32g`](https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g).
- `systemd.coredump.extraConfig` has been removed in favor of the structured [](#opt-systemd.coredump.settings.Coredump) option. Use `systemd.coredump.settings.Coredump` to set any `coredump.conf(5)` option directly. For example, replace `systemd.coredump.extraConfig = "Storage=journal";` with `systemd.coredump.settings.Coredump.Storage = "journal";`.
- `services.home-assistant.config.lovelace.mode` has been renamed to `lovelace.dashboards` and `lovelace.resource_mode` to match the [configuration format](https://www.home-assistant.io/dashboards/dashboards/) required by Home Assistant 2026.8. Users who explicitly set `lovelace.mode` should remove it; the module generates the correct entries automatically.
- `fulcrum` has been updated to 2.x. If run against an existing v1.x database without the `--db-upgrade` flag it refuses to start; the upgrade takes around an hour on Bitcoin mainnet.
- `opentrack`, `slushload`, `synthesia`, `vtfedit`, `winbox`, `wineasio`, and `yabridge` use wineWow64Packages instead of wineWowPackages as wine versions >= 11.0 have deprecated wineWowPackages. As such, the prefixes for these packages are NOT backwards compatible and need to be regenerated with potential for data loss.
- []{#sec-release-26.05-incompatibilities-profiles-hardened-removed} `profiles/hardened` has been removed, because:
@@ -186,9 +206,9 @@
- `services.crabfit` was removed because its upstream packages are unmaintained and insecure.
- `services.opensnitch.settings.Rules.Path` now defaults to `/var/lib/opensnitch/rules` instead of the previous `/etc/opensnitchd/rules` because it contains mutable data.
- [services.opensnitch.settings.Rules.Path](#opt-services.opensnitch.settings.Rules.Path) now defaults to `/var/lib/opensnitch/rules` instead of the previous `/etc/opensnitchd/rules` because it contains mutable data.
- `services.mosquitto` now generates per-listener authentication and access control via the upstream `password-file` and `acl-file` plugins instead of the deprecated `password_file` and `acl_file` options. The plugins contain the same code, so behaviour is unchanged, but [](#opt-services.mosquitto.package) must now be at least version 2.1.
- [services.mosquitto](#opt-services.mosquitto.enable) now generates per-listener authentication and access control via the upstream `password-file` and `acl-file` plugins instead of the deprecated `password_file` and `acl_file` options. The plugins contain the same code, so behaviour is unchanged, but [](#opt-services.mosquitto.package) must now be at least version 2.1.
- `sing-box` has been updated to 1.13.0, which has removed some deprecated options. See [upstream documentation](https://sing-box.sagernet.org/configuration/) for details and migration options.
@@ -209,7 +229,7 @@
- `linux_hardened` kernel has been removed due to a lack of maintenance.
- `services.tandoor-recipes` now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See [Migrating media files for pre 26.05 installations](#module-services-tandoor-recipes-migrating-media).
- [services.tandoor-recipes](#opt-services.tandoor-recipes.enable) now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See [Migrating media files for pre 26.05 installations](#module-services-tandoor-recipes-migrating-media).
- `linux-rt` kernel has been removed due to a lack of maintenance.
@@ -221,10 +241,10 @@
- `services.uptime` has been removed because the package it relies on does not exist anymore in nixpkgs.
- `services.mattermost` now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module.
- [services.mattermost](#opt-services.mattermost.enable) now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module.
See the [migration steps](https://docs.mattermost.com/deployment-guide/manual-postgres-migration.html) if you were not running Postgres.
Note that version 11 also restricts the user limit to 250 [by default](https://forum.mattermost.com/t/clarification-request-on-user-limits-max-250-user-server-v-11/25309);
see the `pkgs.mattermost` removeUserLimit and removeFreeBadge options combined with `services.mattermost.package` to change this behavior. For example:
see the `pkgs.mattermost` removeUserLimit and removeFreeBadge options combined with [](#opt-services.mattermost.package) to change this behavior. For example:
```nix
{
@@ -237,10 +257,10 @@
- `post-resume.target` has been removed. See {manpage}`systemd.special(7)` about `sleep.target` for instructions on ordering a process after resume with `ExecStop=`.
- `services.vsftpd` no longer automatically configures a PAM module. This means configurations using `services.vsftpd.localUsers` will no longer work unless `services.vsftpd.enableVirtualUsers` and `services.vsftpd.userDbPath` are also configured. The old behaviour can be restored by setting `security.pam.services.vsftpd.enable = true`, although this only ever worked by accident and may not be secure.
- [services.vsftpd](#opt-services.vsftpd.enable) no longer automatically configures a PAM module. This means configurations using [](#opt-services.vsftpd.localUsers) will no longer work unless [](#opt-services.vsftpd.enableVirtualUsers) and [](#opt-services.vsftpd.userDbPath) are also configured. The old behaviour can be restored by setting `security.pam.services.vsftpd.enable = true`, although this only ever worked by accident and may not be secure.
- `services.kubernetes.addons.dns.coredns` has been renamed to `services.kubernetes.addons.dns.corednsImage` and now expects a
package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with dockerTools.buildImage is used, instead
- `services.kubernetes.addons.dns.coredns` has been renamed to [](#opt-services.kubernetes.addons.dns.corednsImage) and now expects a
package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with `dockerTools.buildImage` is used, instead
of pulling the upstream container image from Docker Hub. If you want the old behavior, you can set:
```nix
@@ -254,7 +274,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
}
```
- `services.stalwart-mail` has been renamed to `services.stalwart` to align with upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to module:
- `services.stalwart-mail` has been renamed to [`services.stalwart`](#opt-services.stalwart.enable) to align with upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to module:
- Addition of module-specific `stateVersion` option, which on existing installations of Stalwart must be set to the same as `system.stateVersion`.
@@ -264,9 +284,9 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
- Default value for `services.stalwart.dataDir` has changed to `/var/lib/stalwart`. If `stateVersion` is older than `26.05`, will fallback to legacy value of `/var/lib/stalwart-mail`.
- Default tracer name and type have changed to `journal`. If `stateVersion` is older than `26.05`, will fallback to legacy value of `stdout`.
- `services.eintopf` has been renamed to `services.lauti` to align with upstream re-brand as a community online calendar.
- `services.eintopf` has been renamed to [services.lauti](#opt-services.lauti.enable) to align with upstream re-brand as a community online calendar.
- `services.oauth2-proxy.clientSecret` and `services.oauth2-proxy.cookie.secret` have been replaced with `services.oauth2-proxy.clientSecretFile` and `services.oauth2-proxy.cookie.secretFile` respectively. This was done to ensure secrets don't get made world-readable.
- `services.oauth2-proxy.clientSecret` and `services.oauth2-proxy.cookie.secret` have been replaced with [](#opt-services.oauth2-proxy.clientSecretFile) and [](#opt-services.oauth2-proxy.cookie.secretFile) respectively. This was done to ensure secrets don't get made world-readable.
- [`services.grafana.settings.security.secret_key`](#opt-services.grafana.settings.security.secret_key) doesn't have a
default value anymore. Please generate your own key or hard-code the old one ("SW2YcwTIb9zpOOhoPsMm") explicitly.
@@ -286,18 +306,11 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
- Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.
- `services.headplane` has been updated to 0.6.2, which introduces several changes to the configuration schema:
- `services.headplane.settings.oidc.redirect_uri` is deprecated. Use `services.headplane.settings.server.base_url` instead; the OIDC redirect URI is now automatically derived from it. Ensure `base_url` is the bare host URL without the `/admin` suffix.
- `services.headplane.settings.oidc.user_storage_file` is deprecated. Headplane 0.6.2 still accepts it to migrate the old JSON user database into the new internal SQL database.
- `services.headplane.settings.oidc.strict_validation` is deprecated and has no effect.
- `services.headplane.settings.oidc.token_endpoint_auth_method` now defaults to `null` (auto-detection), which typically falls back to `client_secret_basic`. Previous versions defaulted to `client_secret_post`.
- `services.headplane.settings.integration.agent.cache_ttl` is deprecated and has no effect in 0.6.2.
- `services.immich` no longer supports pgvecto.rs since the package has been removed from nixpkgs.
- [services.immich](#opt-services.immich.enable) no longer supports pgvecto.rs since the package has been removed from nixpkgs.
As a result, options `services.immich.database.enableVectors` and `services.immich.database.enableVectorchord` have been removed, and VectorChord is now always used.
If you have not completed the migration yet, ensure you completely remove the extension from your database before upgrading by following the [migration guide](https://github.com/NixOS/nixpkgs/blob/nixos-25.11/nixos/modules/services/web-apps/immich.md#migrating-from-pgvecto-rs-to-vectorchord-pre-2511-installations-module-services-immich-vectorchord-migration).
- `services.cgit` before always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable `services.cgit.gitHttpBackend.checkExportOkFiles` (or disable the git-http-backend).
- [](#opt-services.cgit) before always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable `opt-services.cgit.<name>.gitHttpBackend.checkExportOkFiles` (or disable the git-http-backend).
- `rocmPackages_6` has been removed. `rocmPackages` has been updated to ROCm 7.x. Out of tree packages may rely on obsolete hipblas APIs or compile time constant warp size and need to be updated.
@@ -307,9 +320,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
- The Bash implementation of the `nixos-rebuild` program is removed. All switchable systems now use the Python rewrite. Any prior usage of `system.rebuild.enableNg` must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.
- `services.desktopManager.gnome` no longer installs the Geary e-mail client since it is not part of the GNOME [core applications](https://apps.gnome.org/) list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add `programs.geary.enable = true;` to your configuration.
- MATE packages have been moved to top level (e.g. if you previously added `pkgs.mate.caja` to `environment.systemPackages`, you will need to change it to `pkgs.caja`).
- [services.desktopManager.gnome](#opt-services.desktopManager.gnome.enable) no longer installs the Geary e-mail client since it is not part of the GNOME [core applications](https://apps.gnome.org/) list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add `programs.geary.enable = true;` to your configuration.
- `walker` has been updated to 2.0.0+, which is a complete rewrite in rust.
@@ -321,7 +332,7 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
- Support for `reiserfs` in nixpkgs has been removed, following the removal in Linux 6.13.
- `services.tor` no longer bind mounts Unix sockets of onion services into its chroot
- [services.tor](#opt-services.tor.enable) no longer bind mounts Unix sockets of onion services into its chroot
because it was not reliable. Users should do it themselves using either `JoinsNamespaceOf=` and Unix sockets in `/tmp`
or `BindPaths=` from a persistent parent directory of each Unix socket.
See <https://github.com/NixOS/nixpkgs/issues/481673>.
@@ -330,14 +341,14 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
- `services.xserver.cmt` has been removed as the `xf86-input-cmt` package was broken and unmaintained upstream.
- `programs.light` was removed from nixpkgs due to the corresponding package being unmaintained upstream. `brightnessctl` and `programs.acpilight` offer replacements.
- `programs.light` was removed from nixpkgs due to the corresponding package being unmaintained upstream. `brightnessctl` and [hardware.acpilight](#opt-hardware.acpilight.enable) offer replacements.
- `ceph` has been upgraded to v20. See the [Ceph "tentacle" release notes](https://docs.ceph.com/en/latest/releases/tentacle/#v20-2-0-tentacle) for details and recommended upgrade procedure.
Note that **upgrades of server-side components are one-way**, and downgrading e.g. an OSD from *Tentacle* to *Squid* is not just not supported but is known to break.
- `services.unifi`'s `jrePackage` option now defaults to `jdk25_headless` instead of `jdk17_headless`, in order to be compatible with new versions of `unifi`.
- [](#opt-services.unifi.jrePackage) now defaults to `jdk25_headless` instead of `jdk17_headless`, in order to be compatible with new versions of `unifi`.
- The `networking.wireless` module has been security hardened by default: the `wpa_supplicant` daemon now runs under an unprivileged user with restricted access to the system.
- The [networking.wireless](#opt-networking.wireless.enable) module has been security hardened by default: the `wpa_supplicant` daemon now runs under an unprivileged user with restricted access to the system.
As part of these changes, `/etc/wpa_supplicant.conf` has been deprecated: the NixOS-generated configuration file is now linked to `/etc/wpa_supplicant/nixos.conf` and `/etc/wpa_supplicant/imperative.conf` has been added for imperatively configuring `wpa_supplicant` or when using [allowAuxiliaryImperativeNetworks](#opt-networking.wireless.allowAuxiliaryImperativeNetworks).
@@ -357,30 +368,20 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
- In both "networkd" and "scripted" backends, the configuration of name servers is now part of `network-local-commands.service` (fixes issue [#445496](https://github.com/NixOS/nixpkgs/issues/445496)).
- The issue that resulted in a completely unconfigured network if both `resolvconf` was disabled and no default gateway configured, has also been fixed.
- `kratos` has been updated from 1.3.1 to [25.4.0](https://github.com/ory/kratos/releases/tag/v25.4.0). Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:
- The `migrate sql` CLI command is now `migrate sql up`
- OIDC registration validation errors are now placed in the `default` node group instead of `oidc`
- `pdns` has been updated to version [v5.0.x](https://doc.powerdns.com/authoritative/changelog/5.0.html), which introduces breaking changes. Check out the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-5-0-0) for details.
- In the PowerDNS Recursor module, following the deprecation period started with NixOS 25.05, the option {option}`services.pdns-recursor.old-settings` has been removed and {option}`services.pdns-recursor.yaml-settings` consequently renamed to [](#opt-services.pdns-recursor.settings).
- `services.angrr` now uses TOML for configuration. Define policies with `services.angrr.settings` (generate TOML file) or point to a file using `services.angrr.configFile`. The legacy options `services.angrr.period`, `services.angrr.ownedOnly`, and `services.angrr.removeRoot` have been removed. See `man 5 angrr` and the description of `services.angrr.settings` options for examples and details.
- [services.angrr](#opt-services.angrr.enable) now uses TOML for configuration. Define policies with [](#opt-services.angrr.settings) (generate TOML file) or point to a file using [](#opt-services.angrr.configFile). The legacy options `services.angrr.period`, `services.angrr.ownedOnly`, and `services.angrr.removeRoot` have been removed. See `man 5 angrr` and the description of [](#opt-services.angrr.settings) options for examples and details.
- `services.homepage-dashboard.environmentFile` has been renamed to `services.homepage-dashboard.environmentFiles`, and now expects a list of strings.
- `services.homepage-dashboard.environmentFile` has been renamed to [](#opt-services.homepage-dashboard.environmentFiles), and now expects a list of strings.
- `services.pingvin-share` has been removed as the `pingvin-share.backend` package was broken and the project was archived upstream.
- `geph` package's built-in GUI `geph5-client-gui` has been [removed](https://github.com/geph-official/geph5/commit/f2221fb8386312daf2cef05483ebb353ff48bdb4) by the upstream. All users who wish to continue using the GUI should install the `gephgui-wry`, which is consistent with the official release version.
- `services.jellyseerr` has been renamed to `services.seerr` following the upstream changes. Notable breaking changes:
- `services.jellyseerr` has been renamed to [services.seerr](#opt-services.seerr.enable) following the upstream changes. Notable breaking changes:
- systemd service name changed accordingly.
- Default config directory moved from `/var/lib/jellyseerr/config` to `/var/lib/seerr/`.
- If `stateVersion` is older than `26.05`, the module fall backs to the legacy path value.
- `services.vikunja` has been updated to Vikunja [v1.0.0](https://vikunja.io/changelog/whats-new-in-vikunja-1.0.0/), which introduces multiple breaking changes.
- [services.vikunja](#opt-services.vikunja.enable) has been updated to Vikunja [v1.0.0](https://vikunja.io/changelog/whats-new-in-vikunja-1.0.0/), which introduces multiple breaking changes.
Notable breaking changes:
- CORS is enabled by default. The module now sets
`services.vikunja.settings.service.publicurl` by default. Custom overrides must ensure it is
@@ -391,16 +392,11 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
- SQLite paths are now relative to `service.rootpath` unless absolute. Startup now validates file
storage and OAuth providers.
- `xfsprogs` was updated to version 6.18.0, which enables parent pointers and exchange-range by default. Upstream recommends not to use these features with kernels older than 6.18.
GRUB2 is likely unable to boot from filesystems with these features enabled.
- `services.xtreemfs` has been removed as the `xtreemfs` package was broken and unmaintained upstream.
- `lunarvim` package has been removed, as it was abandoned upstream and relied on an old version of `neovim` to work properly.
- `opengfw` package and `services.opengfw` module have been removed as the upstream GitHub repository and website have been shut down.
- `services.esphome` no longer uses `DynamicUser`. The service now runs as a static `esphome` system user. systemd handles the migration from `/var/lib/private/esphome` automatically, but users with [impermanence](https://github.com/nix-community/impermanence) setups should ensure `/var/lib/esphome` is persisted.
- [services.esphome](#opt-services.esphome.enable) no longer uses `DynamicUser`. The service now runs as a static `esphome` system user. systemd handles the migration from `/var/lib/private/esphome` automatically, but users with [impermanence](https://github.com/nix-community/impermanence) setups should ensure `/var/lib/esphome` is persisted.
- `programs.pqos-wrapper` module has been deleted as the corresponding package has been dropped from nixpkgs.
@@ -410,6 +406,10 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.
- Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding `config.systemd.package.version` to the switch inhibitors for your system. You can still forcefully switch into any generation by setting `NIXOS_NO_CHECK=1`.
- `switch-to-configuration` now reloads a service instead of restarting it when the only change to its unit is `ExecReload=`, and takes no action when `ExecReload=` is removed. Previously both cases triggered a restart.
- [`hardware.nvidia.branch`](#opt-hardware.nvidia.branch) was added to select the NVIDIA driver branch; setting [`hardware.nvidia.package`](#opt-hardware.nvidia.package) overrides this.
@@ -418,12 +418,10 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
- `nixos/nvidia` now uses EGL external platform ICD libraries built from source (`egl-gbm`, `egl-wayland`, `egl-wayland2`, `egl-x11`) instead of relying on vendor-provided binaries for these components.
- `hardware.nvidia.moduleParams` was added to configure NVIDIA kernel module parameters declaratively. These parameters are now written to `modprobe` configuration instead of being passed through global kernel command-line parameters.
- [](#opt-hardware.nvidia.moduleParams) was added to configure NVIDIA kernel module parameters declaratively. These parameters are now written to `modprobe` configuration instead of being passed through global kernel command-line parameters.
- [hardware.xpadneo](#opt-hardware.xpadneo.enable) now supports configuring kernel module parameters via a freeform [settings](#opt-hardware.xpadneo.settings) option, with convenience options for [rumble attenuation](#opt-hardware.xpadneo.rumbleAttenuation) and [controller quirks](#opt-hardware.xpadneo.quirks).
- Wine has been updated to the 11.0 branch. Please check the [upstream announcement](https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0) for more details.
- `security.acme` now defaults to a dynamic renewal duration, if
remains unset. This accommodates certificates with different ACME profile:
@@ -433,44 +431,37 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
- For shortlived certificates with a total validity below 10 days renewal
will happen after half of the total lifetime has passed
- The module for the Dovecot IMAP server, *services.dovecot*, now uses RFC-42-style settings, exposing a structured interface to write the configuration file.
- The module for the Dovecot IMAP server, [services.dovecot2](#opt-services.dovecot2.enable), now uses RFC-42-style settings, exposing a structured interface to write the configuration file.
Also see the list of available settings for [Dovecot 2.3](https://doc.dovecot.org/2.3/settings/core/) or [2.4](https://doc.dovecot.org/2.4.2/core/summaries/settings.html).
- Cinnamon has been updated to 6.6, please check the [upstream announcement](https://www.linuxmint.com/rel_zena_whatsnew.php) for more details.
- [](#opt-fonts.fontconfig.useEmbeddedBitmaps) is now set to `true` by default.
- Rspamd has been updated to 4.0. Please check the upstream [migration](https://docs.rspamd.com/tutorials/migration/#migration-to-rspamd-400) documentation, especially if you run a sharded Redis deployment.
- Budgie has been updated to 10.10, please check the [upstream announcement](https://buddiesofbudgie.org/blog/budgie-10-10-released) for more details.
- `fonts.fontconfig.useEmbeddedBitmaps` is now set to `true` by default.
- `stestrCheckHook` was added: This test hook runs `stestr run`. You can disable tests with `disabledTests` and `disabledTestsRegex`.
- `services.frp` now supports multiple instances through `services.frp.instances` to make it possible to run multiple frp clients or servers at the same time.
- `hyphen` now supports over 40 language variants through `hyphenDicts` and now allows to enable all supported languages through `hyphenDicts.all`.
- [services.frp](#opt-services.frp.instances) now supports multiple instances through [](#opt-services.frp.instances) to make it possible to run multiple frp clients or servers at the same time.
- [services.resolved](#opt-services.resolved.enable) module was converted to RFC42-style settings. The moved options have also been renamed to match the upstream names. Aliases mean current configs will continue to function, but users should move to the new options as convenient.
- `systemd.sleep.extraConfig` was replaced by [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)-compliant `systemd.sleep.settings.Sleep`, which is used to generate the `sleep.conf` configuration file. See {manpage}`sleep.conf.d(5)` for available options.
- `systemd.sleep.extraConfig` was replaced by [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)-compliant [](#opt-systemd.sleep.settings.Sleep), which is used to generate the `sleep.conf` configuration file. See {manpage}`sleep.conf.d(5)` for available options.
- Support for Bluetooth audio based on `bluez-alsa` has been added to the `hardware.alsa` module. It can be enabled with the new [enableBluetooth](#opt-hardware.alsa.enableBluetooth) option.
- `services.atuin` now has an `environmentFile` option to safely allow configuring secrets, such as an `ATUIN_DB_URI` containing a Postgres password.
- Support for Bluetooth audio based on `bluez-alsa` has been added to the [hardware.alsa](#opt-hardware.alsa.enable) module. It can be enabled with the new [enableBluetooth](#opt-hardware.alsa.enableBluetooth) option.
- [services.atuin](#opt-services.atuin.enable) now has an `environmentFile` option to safely allow configuring secrets, such as an `ATUIN_DB_URI` containing a Postgres password.
- `systemd.network.*` has been updated to support all configuration options from upstream `networkd` version 259.
- `networking.resolvconf.enable` now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`. If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.
- [](#opt-networking.resolvconf.enable) now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`. If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.
- `services.openssh` now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving `services.openssh.enable` disabled. This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.
- The [services.drupal](#opt-services.drupal.enable) module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config yamls onto NixOS, and some new settings for managing variable content and filepaths.
- `services.openssh.enableRecommendedAlgorithms` has been added to allow users to opt out of NixOS's curated set of recommended algorithms. This set to true by default, and thus is not a breaking change. Users may want to set this to false if they prefer upstream's default algorithms. See <https://github.com/NixOS/nixpkgs/pull/471330>.
- [services.openssh](#opt-services.openssh.enable) now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving [](#opt-services.openssh.enable) disabled. This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.
- `services.openssh.banner` has been removed. Use `services.openssh.settings.Banner` instead.
- [](#opt-services.openssh.enableRecommendedAlgorithms) has been added to allow users to opt out of NixOS's curated set of recommended algorithms. This set to true by default, and thus is not a breaking change. Users may want to set this to false if they prefer upstream's default algorithms. See <https://github.com/NixOS/nixpkgs/pull/471330>.
- IPVLAN interfaces can now be configured through the `networking.ipvlans` option in the networking module.
- `services.openssh.banner` has been removed. Use [](#opt-services.openssh.settings.Banner) instead.
- `services.caddy` now supports setting `httpPort` and `httpsPort` and opening them in the firewall via `openFirewall`.
- IPVLAN interfacescan now be configured through the [](#opt-networking.ipvlans) option in the networking module.
- [services.caddy](#opt-services.caddy.enable) now supports setting [](#opt-services.caddy.httpPort) and [](#opt-services.caddy.httpsPort) and opening them in the firewall via [](#opt-services.caddy.openFirewall).
- The latest available version of Nextcloud is v33 (available as `pkgs.nextcloud33`). The installation logic is as follows:
- If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
@@ -483,59 +474,19 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`.
If you set custom Caddy options for a InvoicePlane site, migrate these options by removing `http://` from `services.caddy.virtualHosts."http://example.com"`.
- `services.slurm` now supports slurmrestd usage through the `services.slurm.rest` NixOS options.
- `services.slurm` now supports slurmrestd usage through the [](#opt-services.slurm.rest.enable) NixOS options.
- The `networking.firewall.logRefusedConnections` option now defaults to
- The [](#opt-networking.firewall.logRefusedConnections) option now defaults to
`false`. Logging of refused or dropped incoming connections can generate a
very high volume of kernel log messages on internet-facing systems, causing
the kernel ring buffer (dmesg) to rotate quickly and potentially discard more
relevant diagnostic information.
- The `services.calibre-web` systemd service has been hardened with additional sandboxing restrictions.
- The [services.calibre-web](#opt-services.calibre-web.enable) systemd service has been hardened with additional sandboxing restrictions.
- `services.kanidm` options for server, client and unix were moved under dedicated namespaces.
For each component `enableComponent` and `componentSettings` are now `component.enable` and
`component.settings`. The unix module now supports using SSH keys from Kanidm via
`services.kanidm.unix.sshIntegration = true`.
- `mdbook-linkcheck` has been removed as it is unmaintained and incompatible with the latest version of `mdbook`. Users can instead migrate to `mdbook-linkcheck2`.
- `glibc` has been updated to version 2.42.
This version no longer makes the stack executable when a shared library requires this. A symptom
- Create the first release note entry in this section!
- [FlapAlerted](https://github.com/Kioubit/FlapAlerted), detects BGP flapping events and provides statistics based on BGP update messages. Available as [services.flap-alerted](#opt-services.flap-alerted.enable).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-`boot.vesa` has been removed. It was deprecated in 2020 because Xorg now works better with kernel modesetting. If you still need the legacy VESA 800x600 fallback, set `boot.kernelParams = [ "vga=0x317" "nomodeset" ];` directly.
-Create the first release note entry in this section!
## Other Notable Changes {#sec-release-26.11-notable-changes}
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
