Test that the service runs and uses our configured (TCP) port.
This should prevent https://github.com/NixOS/nixpkgs/issues/475043
("nixos/scanservjs: settings (host/port) ignored in v3.0.4") from
happening again.
(cherry picked from commit 32157e1c52)
scanservjs has been ignoring the configuration options set by the NixOS
module since the v3.0.4 upgrade. This fixes it.
Create dirs/files in the NixOS module as needed by the new scanservjs
build.
Fixes: 7432e50d62 ("scanservjs: 2.27.1 -> 3.0.4")
Fixes: https://github.com/NixOS/nixpkgs/issues/475043 ("nixos/scanservjs: settings (host/port) ignored in v3.0.4")
Co-authored-by: Bjørn Forsman <bjorn.forsman@gmail.com>
(cherry picked from commit 008e87e5c2)
rebar3 itself actually compiles; it's just the tests that are failing.
Patch to disable another warning until upstream fixes the tests.
(cherry picked from commit 09d3443b49)
MLX backends require xcrun metal/metalib which are unavailable in the
Nix sandbox. Pass -DOLLAMA_MLX_BACKENDS="" to cmake to skip the
Metal toolchain check. Core Metal/llama.cpp backend is unaffected.
(cherry picked from commit b195b40fb0)
Addresses two review comments — different reviewers, same direction:
* @SuperSandro2000 on the original PR #528150 (line 118 of
pkgs/by-name/ol/ollama/package.nix): "Why are we not using tag if
there is a tag?". Drop the SHA + `# tag b9509` shape that required
reviewers to cross-check the SHA matched the inline comment.
* @prusnak on this follow-up #528374: "I think we should use `tag`
instead of `rev`." `fetchFromGitHub`'s dedicated `tag` field is
preferred over `rev = "<tag-string>"` — same git object, same
tarball, same hash, but signals intent at the schema level and
renders into the store path nicely.
* Line 113 prose comment (the other half of SuperSandro's review on
#528150): "We should not repeat the version in this comment and
have to update that, too, on every update." Drop `currently b9509`
from the prose; the remaining text explains the mechanism (tracks
upstream's `LLAMA_CPP_VERSION` file, pre-staged because
FetchContent can't network in the sandbox) without naming a
specific version that would drift on every bump.
Pure source-readability change. `nix-build -A ollama --no-out-link`
on x86_64-linux produces the same store path as master, confirming
the tag resolves to the same git object → same tarball → same hash
→ no rebuild impact.
The same lines exist on `release-26.05` via the original backport
#528272; happy to mirror this fix there if you apply the
`backport release-26.05` label.
Assisted-by: Claude <noreply@anthropic.com>
(cherry picked from commit 1e9315fd0c)
Previously the eval comparison was skipped entirely when packages were
added or removed between revisions, leaving only a "stats were skipped"
message. cmp-stats already joins on the stats chunks present in both
revisions, so a comparison can still be produced. Always run it and add
a GitHub note caveating that the figures are approximate when the
package sets differ.
Assisted-by: claude-code with claude-opus-4-7[1m]-xhigh
(cherry picked from commit 25f9394b8a)
The built-in browser does not work and shows "TLS support is not
available". Fix this by wrapping `glib-networking` and adding it to the
environment variable `GIO_EXTRA_MODULES`.
Fixes: #528935
Signed-off-by: Felix Singer <felixsinger@posteo.net>
(cherry picked from commit d2a5c9bf0b)
Upstream's intended bypass is TrustedUids in fwupd.conf, but on NixOS
the fwupd-refresh uid is allocated at activation time and is not known
during evaluation. Add a polkit rule keyed on the user name instead.
(cherry picked from commit d9bf382cad)
When instantiating an environment with the Python interpreter built
with both free threading (aka. without GIL) and `pydebug`, the value
of `passthru.executable` doesn't match any installed file. This was
noticed when building CI pipelines that require the Python interpreter
built with both debug features and free threading.
The cause is that `executable` was built from `libPrefix`, which only
tracks the `t` suffix from `--without-gil` and not the `d` suffix from
`--with-pydebug`. `libPrefix` doubles as the stdlib install directory,
and cpython deliberately shares that directory between debug and
non-debug builds of a given version, so the `d` is intentionally
absent there.
This slipped through because cpython only ever installs a
`python$VERSION -> python$LDVERSION` symlink (e.g. `python3.13 ->
python3.13d`). For debug-only builds the old code happened to ask for
`python3.13`, which is that symlink, so it worked by accident. For
FT+debug, `libPrefix` is `python3.13t`, but cpython installs no such
file; only `python3.13` (symlink) and `python3.13td` (binary).
Fix: append `d` to `executable` (and to the `cp<ver>` wheel ABI tag in
`pythonABITags`) when `enableDebug` is true.
Reproducer for the problem as a bash script:
```bash
set -euo pipefail
nixpkgs="${1:-<nixpkgs>}" # Either custom path if provided, or just <nixpkgs>
read -r -d '' expr <<EOF || true
let
pkgs = import ${nixpkgs} { };
py = pkgs.python313FreeThreading.override {
enableDebug = true;
self = py;
pythonAttr = "python313FreeThreading";
};
in py
EOF
executable=$(nix-instantiate --eval --json --expr "($expr).executable" | tr -d '"')
echo "passthru.executable = ${executable}"
out=$(nix-build --no-out-link --expr "$expr")
echo "store path: ${out}"
if [[ -e "${out}/bin/${executable}" ]]; then
echo "result: OK (binary exists)"
exit 0
fi
echo "result: FAIL (${out}/bin/${executable} not found)"
echo "actually installed:"
ls "${out}/bin/" | grep '^python3\.' | sed 's/^/ /'
exit 1
```
(cherry picked from commit fa6a2e8f1f)
The problem was that Cargo didn't have a way to find a linker for the
build platform which is required to link the build script. So, when
cross compiling we add in the standard build -> build compiler so that
it can compile the build script.
This fix was taken from the ideas of @magicquark and @nwf in
https://github.com/NixOS/nixpkgs/issues/523378.
Fixes #523378
(cherry picked from commit bbe694f8ea)
Two darwin-only issues surfaced when building on x86_64-darwin:
1. The conditional postPatch removed three test files
(ml/backend/ggml/ggml_test.go, ml/nn/pooling/pooling_test.go,
model/models/nemotronh/model_omni_test.go) that no longer exist
in v0.30.5 upstream. The `rm` failed with "No such file or directory"
and aborted patchPhase. Tests in the new paths
(e.g. fs/ggml/ggml_test.go) pass on darwin without removal — verified
via the test phase in this commit's local build.
2. preFixup ran `patchelf --shrink-rpath` unconditionally; patchelf is
ELF-only and darwin's Mach-O dylibs don't carry the build-dir RPATH
problem in the first place. Gated on stdenv.hostPlatform.isLinux.
Verified: nix-build -A ollama on x86_64-darwin (macOS 15.6.1, Sequoia)
lands /nix/store/.../ollama-0.30.5; checkPhase green for all listed
packages including x/models/gemma4; ollama --version reports 0.30.5.
Assisted-by: Claude Opus 4.7 <noreply@anthropic.com>
(cherry picked from commit bba51cb247)
Upstream patch release; notably fixes a divide-by-zero crash in
gemma3:12b. Bumps the vendored llama.cpp pin b9493 -> b9509 to match
upstream's LLAMA_CPP_VERSION. Verified ollama-cuda + ollama-vulkan
build on x86_64-linux.
https://github.com/ollama/ollama/releases/tag/v0.30.5
Assisted-by: Claude Opus 4.7 <noreply@anthropic.com>
(cherry picked from commit 0e1071782c)
Two layers were missing for ollama-vulkan after the 0.30.x bump's switch to
per-accelerator runners via ExternalProject_Add:
1. spirv-headers wasn't in nativeBuildInputs, so the parent cmake configure
never even saw `SPIRV-HeadersConfig.cmake`. Add it (header-only — native
is the right slot).
2. The runner sub-builds (`ollama-llama-server-vulkan` et al.) are launched
by `cmake/local.cmake`'s `ExternalProject_Add`, whose child cmake process
inherits env vars but not the parent's `-D` flags. Even after fixing
(1), the child's `find_package(SPIRV-Headers REQUIRED)` at
`ggml-vulkan/CMakeLists.txt:14` couldn't see the config, and once that
was worked around with `CMAKE_PREFIX_PATH` as env, the compile then
failed with `fatal error: spirv/unified1/spirv.hpp` — because
upstream's `target_link_libraries(ggml-vulkan PRIVATE Vulkan::Vulkan)`
notably does NOT link `SPIRV-Headers::SPIRV-Headers`, so the interface
include path the cmake config exports never flows into the compile
commands. Force the include via `NIX_CFLAGS_COMPILE` rather than
patching upstream's CMakeLists across llama.cpp pins.
Verified: `ollama-vulkan` builds end-to-end; `$out/lib/ollama/vulkan/libggml-vulkan.so`
is present (not a silent CPU fallback like the cuda variant suffered in
the first 0.30 attempt).
🤖 Assisted by Claude
(cherry picked from commit 6432d78bff)
Notable upstream build changes folded into this bump:
* llama.cpp moved from in-tree vendoring to CMake FetchContent, pinned
via the `LLAMA_CPP_VERSION` file at the repo root (b9493 here →
llama.cpp commit a731805c). Pre-stage it as `fetchFromGitHub` and
apply Ollama's compat patch in `postPatch` — neither
`cmake/local.cmake` nor `llama/server/CMakeLists.txt` auto-applies
the patch when the source is overridden via
`FETCHCONTENT_SOURCE_DIR_LLAMA_CPP` (the parent's `ExternalProject_Add`
passes `OLLAMA_LLAMA_CPP_SKIP_COMPAT_PATCH=ON` to the child build).
The `apply-patch.cmake` script is idempotent.
* Since 0.30, `cmake/local.cmake` splits the llama.cpp build into
per-runner sub-projects gated by `OLLAMA_LLAMA_BACKENDS`. Without
setting it, only the CPU runner is built — `ollama-cuda` /
`ollama-rocm` / `ollama-vulkan` would all silently fall back to CPU
at runtime, with `libggml-{cuda,hip,vulkan}.so` absent from
`$out/lib/ollama`. Map the package's `acceleration` value to the
cmake backend name the elseif chain accepts:
cuda → cuda_v${cudaMajor} (cuda_v12 / cuda_v13)
rocm → rocm_v${rocmMajor}_${rocmMinor} (rocm_v7_1 / rocm_v7_2)
vulkan → vulkan
* `cmd/launch/*_test.go` are integration tests for user-facing CLI
launchers (claude, qwen, cline, codex, kimi, droid, openclaw,
hermes, …) that install the target binary via npm and exec it on
PATH. Both prerequisites are unavailable in the nix sandbox, so the
launch subpackage's tests can't pass here. Drop them — same
precedent as the existing darwin Metal test removals.
* The llama.cpp sub-build is driven by ExternalProject_Add and does
not inherit the parent's `CMAKE_SKIP_BUILD_RPATH` setting, so its
`.so` payloads end up with build-dir entries in RPATH. Strip with
`patchelf --shrink-rpath --allowed-rpath-prefixes /nix/store` in
preFixup; `$ORIGIN` is preserved unconditionally (non-absolute
entries always allowed) so peer-lib lookup in `$out/lib/ollama`
still works.
Drive-by cleanup: deadnix + statix passes (overrideModAttrs unused
lambda args → `_:_`, `inherit (rocmPackages) stdenv;` /
`inherit (vulkan-tools) stdenv;` for `buildGoModule.override`, drop
unused `coreutils` input — the old launch-test substitutions that
needed coreutils are dropped along with the tests).
Release notes:
https://github.com/ollama/ollama/releases/tag/v0.30.4
https://github.com/ollama/ollama/releases/tag/v0.30.0
Assisted-by: Claude Opus 4.7 <noreply@anthropic.com>
(cherry picked from commit 63e0d2d52d)
Otherwise the recursive chown can fail, hence wpa_supplicant doesn't
start, if some read-only file has been bind-mounted into
/etc/wpa_supplicant.
This can happen if one uses `extraConfigFile` to add a file that is
under /etc/wpa_supplicant.
(cherry picked from commit 197a055a02)
polyc linking script hardcodes the linker to be the value of `$CXX` at
compile time. This is bad for environments without `g++` in path. Fix
this by patching the correct path into the script.
Co-Authored-By: Ricardo Correia <someplaceguy@wizy.org>
Co-Authored-By: Ivan Trubach <mr.trubach@icloud.com>
(cherry picked from commit 3a717e7522)
Compilation requires running one of the make build targets, so cross
compilation isn't possible.
Also remove old design patterns in favour of newer ones.
(cherry picked from commit 6e36170c0f)
The previous `if ! ( ... )` wrapper put the check body in a context
where bash ignores `set -e`, so a failing command in the middle of a
check would not abort it and the switch would proceed. Run the
subshell outside any conditional and capture $? explicitly instead.
(cherry picked from commit 69dc41f083)
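An added illustration of the errexit behaviour the commit above describes; it is not the switch-to-configuration code. The check body is constructed (a failing step followed by a successful one), and the same subshell is run once in the old `if ! ( ... )` shape and once as a plain statement with `$?` captured:

```bash
#!/usr/bin/env bash
# Added example, not the switch-to-configuration code: a constructed check
# whose middle step fails, run once in the old `if ! ( ... )` shape and once
# as a plain subshell with $? captured. errexit is managed explicitly below,
# so keep it off at file scope.
set +e

# The check body: a failing step in the middle, a successful last step.
# Without errexit the subshell's status is that of the last command (0).
check_body() {
  false                                     # the failing step
  echo "check body continued past the failure" >&2
  true                                      # last command, status 0
}

# Old shape. The subshell is the condition of `if`, and bash ignores errexit
# everywhere inside an `if` condition, even when `set -e` is issued inside
# the subshell. The subshell exits 0, `!` makes that 1, the then-branch is
# skipped and the check counts as passed.
if ! ( set -e; check_body ) 2>/dev/null; then
  BROKEN_STATUS=1
else
  BROKEN_STATUS=0
fi

# Fixed shape. The same subshell runs as a plain statement, where errexit
# is honoured, and its status is captured explicitly. `false` now aborts the
# subshell with status 1, so the check is reported as failed.
( set -e; check_body ) 2>/dev/null
FIXED_STATUS=$?

echo "old shape reports status $BROKEN_STATUS (0 = check passed, wrongly)"
echo "fixed shape reports status $FIXED_STATUS (1 = check failed, correctly)"
```

The same rule applies to `while`/`until` conditions and to any command left of `&&` or `||`, so a check body that must abort on its first failure has to run as a plain statement (or test each step explicitly) rather than inside such a context.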
needed so github-desktop's git wrapper (dugite) can find subcommands
like `git-submodule` etc. Retrieve the full list with `ls -l $(nix build
--print-out-paths nixpkgs#git)/libexec/git-core | grep -vE '( -> )?git$'
| awk '{ print $7 }'`.
Fixes #524797
(cherry picked from commit 3fd65b2bc8)
Weblate generates an SSH wrapper with some preset options
that uses the absolute path of the ssh binary internally.
As the wrapper is only regenerated when the generator itself
is changed, this absolute nix store path becomes unusable once
ssh is updated and the path is garbage collected.
As generating the wrappers is a quick operation, simply deleting the wrapper
directory before service start ensures they are up to date.
(cherry picked from commit 9ea977e104)
virtual-machine releases use virtualisation.incus.package to find
where the agent-loader configuration is defined. In practice it's
likely not a problem, but when marking lts v6 on 25.11 as vulnerable
it exposed the mismatch. For correctness we should ensure the VM
tests are using the agent loader from the relevant incus package.
(cherry picked from commit 9bebd86680)
Environment variables to pass to Heroic.
For example:
pkgs.heroic.override {
  extraEnv.PROTON_ENABLE_WAYLAND = true;
}
Adds feature parity with `steam` package.
(cherry picked from commit 6b9bf6240f)
Build against the default OCaml (5.4) set instead of the 5.3 pin, using the
module-mode launcher (ocaml-hol). Carries a patch so the pa_j chooser
accepts camlp5 8.05, links findlib into ocaml-hol, and sets up the runtime
OCAMLPATH/CAML_LD_LIBRARY_PATH. Drops the camlp5 8.03.2 downgrade.
(cherry picked from commit 7579aa2942)
camlp5's META requires pcre2 and fmt, but they were only buildInputs, so
findlib consumers of camlp5 could not resolve them. Move them to
propagatedBuildInputs.
(cherry picked from commit 74a82ccd8e)
In 52a23a9 the configuration `data-dir $out/share/aspell` was
introduced to make sure that `aspell --lang=<LANG> create
master ...` finds the LANG.dat file. However, the correct location
for language data files is $out/lib/aspell. This confusion also
broke filter discovery as described in #476684.
This commit fixes the location of language data files.
Note: `aspell --lang=<LANG> create master ...` will fail if the
dictionary has not been installed in the environment via
`aspellWithDicts (dict: [ dict.<LANG> ])` which is expected.
Fixes #476684
(cherry picked from commit e7dd5593e8)
Upstream added versions with -exp-\d suffix which broke the script.
Instead of adding another filter to the current query, let's try getting
the latest stable version instead.
IIRC previously they didn't correctly mark stable releases which is why
we didn't use this method.
(cherry picked from commit 1c03a3fb23)
This came up in Firefox as
https://bugzilla.mozilla.org/show_bug.cgi?id=2042197, where policies
caused different behavior to be active (also see
https://github.com/NixOS/nixpkgs/pull/524793). We should not observe any
such differences, but this indicates that the policy is unnecessary for
disabling the updater.
Tor/Mullvad Browser have supported is-packaged-app for a long time
(https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/985),
and it's preferred by Firefox (i.e. it actually has meaning there:
https://searchfox.org/firefox-main/search?q=is-packaged-app&path=&case=false&regexp=false), so we switch from `system-install` to that one. This shouldn't
change anything else user visible.
This removes the "Your browser is being managed by your organization."
text from about:preferences and changes about:policies from showing this
singular policy to "The Enterprise Policies service is inactive." (the
intended upstream behavior), so this seems like a win for clarity.
Tested by downgrading the version in the derivation, and seeing no
update UI appear, either in the hamburger menu in the toolbar or under
Help > About Mullvad Browser.
(cherry picked from commit 75b48cfbf1)
This came up in Firefox as
https://bugzilla.mozilla.org/show_bug.cgi?id=2042197, where policies
caused different behavior to be active (also see
https://github.com/NixOS/nixpkgs/pull/524793). We should not observe any
such differences, but this indicates that the policy is unnecessary for
disabling the updater.
Tor/Mullvad Browser have supported is-packaged-app for a long time
(https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/985),
and it's preferred by Firefox (i.e. it actually has meaning there:
https://searchfox.org/firefox-main/search?q=is-packaged-app&path=&case=false&regexp=false), so we switch from `system-install` to that one. This shouldn't
change anything else user visible.
This removes the "Your browser is being managed by your organization."
text from about:preferences and changes about:policies from showing this
singular policy to "The Enterprise Policies service is inactive." (the
intended upstream behavior), so this seems like a win for clarity.
Tested by downgrading the version in the derivation, and seeing no
update UI appear, either in the hamburger menu in the toolbar or under
Help > About Tor Browser.
(cherry picked from commit 8fce018efd)
Replace the `passthru.tests` --version test by running versionCheckHook
during the package build.
As `haskellPackages.mkDerivation` is very locked-down and doesn't allow
access to things like `nativeInstallCheckInputs` (or any input lists),
we add a separate `.overrideAttrs` call to the pipeline.
Running phase: installCheckPhase
Executing versionCheckPhase
Successfully managed to find version 1.3.0 in the output of the command /nix/store/3fg7y7qww3c3hvyb66n75d9j5y362n4j-nixfmt-1.3.0/bin/nixfmt --version
nixfmt 1.3.0
Finished versionCheckPhase
(cherry picked from commit ce5210e9c7)
Apply the Linux patch to the initialization string for `clang_path_include`
instead of replacing `clang_path_include` with the patched string. This
allows the correct value for Darwin to be selected by the ternary expression.
(cherry picked from commit 6f2c0a34f3)
Because stdenv instructs meson to enable all features automatically,
it's redundant to have any lib.mesonEnable that just sets a literal
true. Keeping the `supported_build` feature flag to explicitly convey
the intention behind it.
(cherry picked from commit 6fe7674824)
Especially major versions contain API breakage and we always require
a compatible home-assistant version. Not all API surfaces are
being exercised in home-assistant tests, so don't fool yourself by
nixpkgs-review not revealing any breakages.
(cherry picked from commit ed1de9a708)
Obsidian's app:// scheme lacks `corsEnabled`, which breaks the internal
PDF viewer on Electron 40. Add it to the scheme registration.
Fixes #523846
Assisted-by: Claude Code (Claude Opus 4.8)
(cherry picked from commit d54367545e)
A non-interactive polkit authentication agent that answers PAM prompts
from a file descriptor. Provides the missing `sudo --stdin` equivalent
for run0/systemd-run, which authorise via polkit and otherwise require
a controlling terminal for pkttyagent.
Used by the upcoming `nixos-rebuild --elevate=run0
--ask-elevate-password`.
Reason for backport:
Useful for VM tests of run0/systemd-run/pkexec independent of
`nixos-rebuild`. Also useful for tools such as run0-sudo-shim to emulate
`sudo --stdin` with run0. That shim may be used with nixpkgs 26.05,
handling that is significantly easier if `polkit-stdin-agent` is
universally available.
(cherry picked from commit 4d4952ae28)
The check phase for the config file has to replace any instances of
user and group with the current ones, since logrotate checks whether
they actually exist. However, the create/createolddir substitution
expressions didn't take all different parameter formats into
account. Mainly, if the mode was specified, but not user and group,
the result would be something like
create 0644nixbld nixbld
since it relies on matching a space at the end of the mode
specification.
To fix this, always append a space before the substituted user and
group.
Also, simplify the formatting by using extended regex and check for
word boundaries after create/createolddir to exclude any incorrect or
unsupported suffixes.
(cherry picked from commit dfe85974ca)
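An added example of the substitution the commit above describes; it is not the logrotate module's own check-phase code. It is a bash filter that rewrites the owner of `create` / `createolddir` directives, requiring a word boundary after the directive and always emitting a space before the substituted user and group. The user/group names, and the choice to leave a bare directive (no mode, no owner) untouched because logrotate then inherits ownership from the rotated file, are assumptions of the example:

```bash
#!/usr/bin/env bash
# Added example, not the NixOS logrotate module's own code: rewrite the user
# and group of `create` / `createolddir` directives so the logrotate config
# check runs against accounts that exist in the build sandbox.
#
# Usage: substitute_create_owner USER GROUP < logrotate.conf
#
# The pattern matches the directive as a whole word, then an optional octal
# mode and an optional "user group" pair. A space is always printed before
# the substituted pair, so `create 0644` becomes `create 0644 USER GROUP`
# and never `create 0644USER GROUP`. A bare directive and unrelated words
# such as `createx` are left alone (assumption: nothing to substitute).
substitute_create_owner() {
  local user=$1 group=$2 line
  local re='^([[:space:]]*)(create|createolddir)([[:space:]]+[0-7]{3,4})?([[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+)?[[:space:]]*$'

  while IFS= read -r line || [ -n "$line" ]; do
    # BASH_REMATCH[1]: leading indentation, [2]: directive,
    # [3]: " MODE" or empty, [4]: " USER GROUP" or empty.
    if [[ $line =~ $re ]] && [ -n "${BASH_REMATCH[3]}${BASH_REMATCH[4]}" ]; then
      printf '%s%s%s %s %s\n' "${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}" \
        "${BASH_REMATCH[3]}" "$user" "$group"
    else
      printf '%s\n' "$line"
    fi
  done
}

# Constructed sample config, run through the filter when executed directly.
printf '%s\n' \
  'create 0644' \
  '  create 0640 root adm' \
  'createolddir 0755 root root' \
  'create root root' \
  'create' \
  'createx 0644 root root' | substitute_create_owner nixbld nixbld
```

Because the optional mode is restricted to octal digits, `create root root` (owner without mode, which logrotate accepts) is still recognised as an owner/group pair rather than a mode, and the indentation of the original line is preserved.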
The unquoted $out/${libDir}/is-packaged-app path word-splits on
applicationNames containing spaces (e.g. "Firefox Developer Edition"),
breaking the Darwin build for firefox-devedition and similar variants.
Regression from 1da3ca7373.
(cherry picked from commit a2e905224c)
This avoids an unfixable Hydra build failure [1] caused by the file
required by `requireFile` not being present in Hydra's store.
A long-term fix for this and similar issues is already on `master` [2]
but constitutes a breaking change, which is why we cannot backport it.
[1] https://hydra.nixos.org/build/329892892
[2] https://github.com/NixOS/nixpkgs/pull/515536
Not-cherry-picked-because: Different fix on master, not backportable
By using unittest's assertEqual you actually see how often the
activation script was being run, i.e. the expected value.
(cherry picked from commit 864a84d3e9)
(cherry picked from commit b1a881edb9)
stc-ng starts every active target (including default.target) and then
explicitly restarts nixos-activation.service. As a Type=oneshot without
RemainAfterExit the unit is inactive after login, so the default.target
start job re-runs it via Wants=, and the explicit restart runs it again
(or, depending on ordering, SIGTERMs the currently running script and re-runs it).
Set RemainAfterExit=yes so target starts are a no-op for an already-run
activation, and restartIfChanged=false so the unit-diff pass leaves it
alone when the script changes. The explicit restart in stc-ng remains
the single trigger per switch. Print that restart so it is visible in
the switch output, and drop it from the "NOT restarting" list.
Extend the user-activation-scripts test to assert the activation is
only run once, and never killed.
(cherry picked from commit 663a59e0b6)
The previous "FragmentPath not under /etc" deny-list swept up units that
were never managed by a per-user manager (e.g. dbus-broker, whose
FragmentPath systemd reports under /run/current-system/sw/share via
systemd.packages) and missed nothing it should have caught, but for the
wrong reason.
Make the intent explicit. A unit is a migration candidate iff it is
active, the new generation defines it in /etc/systemd/user, and either
* its FragmentPath is under $XDG_CONFIG_HOME/systemd/user (the
home-manager case; ~/.config shadows /etc, so we must wait for
sd-switch to remove the copy), or
* its FragmentPath is anywhere else outside /etc and the previous
generation did not have it in /etc (package-shipped units found via
$XDG_DATA_HOME / $XDG_DATA_DIRS, e.g. ~/.nix-profile/share; /etc
outranks these so it wins on daemon-reload).
The "previous generation did not have it" guard keeps units that have
always been in /etc, but whose FragmentPath systemd reports elsewhere, out
of the candidate set, and the existing now_etc check verifies /etc
actually won before acting. Compare FragmentPath by parent directory
instead of string prefix while here.
Covered by a new switch-test case that seeds a unit in
~/.local/share/systemd/user.
(cherry picked from commit 6ced06a1b3)
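The candidate rule stated in the commit above, restated as a shell predicate. This is an added example, not stc-ng's own (Rust) code. It assumes the caller has already checked that the unit is active and passes the FragmentPath plus two flags for whether the new and the previous generation define the unit in /etc/systemd/user; the later `now_etc` check is left to the caller:

```bash
#!/usr/bin/env bash
# Added example, not stc-ng's own (Rust) code: the migration-candidate rule
# as a shell predicate. Assumptions: the caller has already checked that the
# unit is active, and passes
#   $1  the unit's FragmentPath as reported by systemd
#   $2  1 if the new generation defines the unit in /etc/systemd/user, else 0
#   $3  1 if the previous generation defined it in /etc/systemd/user, else 0
# Returns 0 (candidate) or 1 (not a candidate). The separate now_etc check,
# which confirms /etc actually won after daemon-reload, is left to the caller.
is_migration_candidate() {
  local fragment=$1 in_new_etc=$2 in_prev_etc=$3
  local dir user_units="${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"

  # Not defined by the new generation in /etc: nothing to migrate to.
  [ "$in_new_etc" = 1 ] || return 1

  # Compare by parent directory, not by string prefix, so that a path such
  # as /etc/systemd/user.d/foo.conf is not mistaken for /etc/systemd/user.
  dir=${fragment%/*}

  # Case 1: ~/.config/systemd/user shadows /etc (home-manager). The unit is
  # a candidate regardless of whether the previous generation had it.
  [ "$dir" = "$user_units" ] && return 0

  # Case 2: anywhere else outside /etc (package-shipped units found through
  # XDG_DATA_HOME / XDG_DATA_DIRS, e.g. ~/.nix-profile/share/systemd/user),
  # but only if the previous generation did not already ship it in /etc.
  # Otherwise systemd is merely reporting, under another path, a unit that
  # has always lived in /etc (the dbus-broker case).
  case $dir in
    /etc|/etc/*) return 1 ;;
  esac
  [ "$in_prev_etc" = 0 ] && return 0

  return 1
}

# Constructed cases, printed when the script is run directly.
for args in \
  "/home/alice/.config/systemd/user/foo.service 1 1" \
  "/home/alice/.nix-profile/share/systemd/user/bar.service 1 0" \
  "/run/current-system/sw/share/systemd/user/dbus-broker.service 1 1" \
  "/etc/systemd/user/baz.service 1 0"; do
  # shellcheck disable=SC2086
  if is_migration_candidate $args; then
    echo "candidate:     $args"
  else
    echo "not candidate: $args"
  fi
done
```

The dbus-broker line is the case the old prefix check got right for the wrong reason: its FragmentPath is outside /etc, but the previous generation already defined it there, so the "previous generation did not have it" guard keeps it out of the candidate set.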
The post-activation pass added in 5cc82c4922 to handle units migrating
from a per-user manager (home-manager) to NixOS unconditionally restarts
or starts any candidate. dbus-broker.service explicitly opts out of
restarts via reloadIfChanged because restarting the session bus kills
running clients; the second pass ignored that and restarted it anyway.
Apply the same X-ReloadIfChanged / X-RestartIfChanged / RefuseManualStop /
RefuseManualStart / X-OnlyManualStart checks that handle_modified_unit
performs, so a migrated unit is reloaded, skipped, restarted or started
as its directives require.
Covered by new switch-test specialisations for reloadIfChanged and
restartIfChanged = false.
(cherry picked from commit 76c8d45099)
Fixes odd bulletpoints and bare URLs that are prohibited by most
Markdown linters and specs.
Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: Iae14dce3d158ac11c59d9117694ccde46a6a6964
(cherry picked from commit b786821e13)
Follow-up to the 9.0.4 update in aa9f3b7824 that broke the (completely
optional) tests, because upstream renamed the already ignored tests (as
they try to access internet resources) in 5ebe8ea15f.
(cherry picked from commit 45185e91bf)
This should help debugging config values. I verified that `pnpm config
list` works across pnpm_8, pnpm_9, pnpm_10, pnpm_10_29_2 and pnpm_11.
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
(cherry picked from commit d5cbb9e641)
These checks are still performed in fetchPnpmDeps. These checks require
access to the registries used in the lockfile, making it infeasible to
run during configurePhase in a sandboxed build.
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
(cherry picked from commit 599909067c)
See 63147b12a5
Apparently on i686-linux the test isn't flaky but failing reliably.
So restarting on Hydra won't help, and waiting for staging*
would take a few weeks.
(cherry picked from commit 664e60aa95)
This might be a nice way to use our reach to remind users to donate to
FLOSS projects that they use and love.
Signed-off-by: Ethan Carter Edwards <ethan@ethancedwards.com>
(cherry picked from commit 9d2f2d71e4)
This patch is merged upstream and can be reverted on the next update.
Fetchpatch does not work against framagit.org, which is why I vendored
the patch instead.
(cherry picked from commit 1a7b7c7ddf)
machine-learning[1920443]: mkdir -p failed for path /var/empty/.config/matplotlib: [Errno 1] Operation not permitted: '/var/empty/.config'
machine-learning[1920443]: Matplotlib created a temporary cache directory at /tmp/matplotlib-uo52wf71 because there was an issue with the default path (/var/empty/.config/matplotlib); it is highly recommended to set the MPLCONFIGDIR environment variable to a writable directory, in particular to speed up the import of Matplotlib and to better support multiprocessing.
(cherry picked from commit cb2ed10279)
By default, Git commands will trigger background processes to perform
repository maintenance. As of Git v2.54.0, and in particular as of
452b12c2e0 (builtin/maintenance: use "geometric" strategy by default,
2026-02-24), Git has changed the strategy it uses to decide whether
maintenance needs performing, and as a result will kick off background
maintenance processes much more often.
These background processes will potentially change the contents of the
`.git` directory while `nix-prefetch-git` is deleting it. This results in
effectively random failures, when files are added to the `.git`
directory during the `rm -rf` operation (causing it to fail) or after
the operation has completed (causing the `.git` directory to be
recreated and resulting in a FOD hash mismatch).
This also causes problems for the determinism of Git's own tests.
They've resolved this in 09505b1115 (t: fix races caused by background
maintenance, 2026-02-24) by having the maintenance processes run in the
foreground. The discussion in that commit explains they considered just
disabling maintenance entirely, but opted for the foreground option
because disabling maintenance would mean the tests looked even less like
how most Git users work with Git.
`nix-prefetch-git` is nothing like most Git users. In almost every
case, the `.git` directory will be deleted during or immediately after
the script is called. The repositories certainly don't benefit from
ongoing maintenance. To avoid the non-determinism created by the
background maintenance processes, just disable maintenance entirely.
This is done with `git config` after initialising the repository, rather
than `git config --global` earlier in the script, as `git config
--global` will fail if `fetchgit` was called with a `gitConfig`
argument.
It would be possible to set this option with
`GIT_CONFIG_[COUNT|KEY_<n>|VALUE_<n>]` environment variables; I've opted
against that because (a) they're less familiar to most people who might
want to come to edit this script in future and (b) because if someone is
using those values themselves via `impureEnvVars` or similar, making our
configuration play nicely with someone else's would require some fairly
complex logic.
I haven't made this a configurable option: any use of `nix-prefetch-git`
will run with maintenance disabled, as I cannot think of a use case
where it would be useful. If there is such a use case, it would be
straightforward to extend `nix-prefetch-git` and `fetchgit` to allow
users to change the behaviour.
Fixes #524215.
(cherry picked from commit 011471c7f2)
Update to latest pre-release to fix multiple security vulnerabilities:
- CVE-2026-9500: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9501: heap-buffer-overflow in decode.c (read_2004_compressed_section)
- CVE-2026-9502: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9503: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9504: null pointer dereference in dwggrep.c (main)
- CVE-2026-9529: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9530: heap-buffer-overflow in decode.c (decompress_R2004_section)
- CVE-2026-9605: heap-buffer-overflow in decode.c (decompress_R2004_section)
Individual backports were not feasible as the decompressor was significantly
refactored on upstream's main branch between 0.13.4 and the fixes.
(cherry picked from commit b27ee09e7d)
The 9.4.14 tarball is no longer hosted at download.nomachine.com; the
old URL now redirects to the vendor homepage and breaks fetchurl. Bump
to the current upstream release. Both x86_64 and i686 release tarballs
use build suffix _2.
Hashes recomputed via nix-prefetch-url against
https://download.nomachine.com/download/9.5/Linux/.
(cherry picked from commit 0f906ee9b4)
The crates.io API server's 1 req/sec rate limit currently surfaces as
intermittent HTTP 403 errors when vendoring lockfiles. Switch to the CDN
endpoint as recommended by upstream (rust-lang/crates.io#13482), mirroring
the fix already applied to fetchCargoVendor in #512735.
fetchurl is content-addressed by sha256, so the URL change does not affect
any downstream store paths.
Fixes #524979
(cherry picked from commit f830e6112b)
Versions before 144 vendor bindgen 0.69, which emits invalid Rust for
libc++ 21's attributed basic_string::__self_view alias on Darwin.
This was exposed by commit 0758fc3add ("darwin.libcxx:
20.1.0+apple-sdk-26.0 -> 21.1.6+apple-sdk-26.4"), where libc++
changed `basic_string::__self_view` from a typedef to an attributed
`using` alias. bindgen then drops the alias template parameter and emits
`basic_string___self_view = ...<_CharT>`.
The solution is to blocklist the unused `string_view` internals for the
profiler Rust API. They are not used in the actual build.
Note: Mozilla 144 updated vendored bindgen via:
https://bugzilla.mozilla.org/show_bug.cgi?id=1985509
Assisted-by: Codex gpt-5.5 xhigh
(cherry picked from commit c19203e06f)
I suspect it was commit 0968bb28e2 that
broke the build with nodejs_24, presumably because of npm updating from
11.11.1 to 11.12.1.
(cherry picked from commit 78df8f88a5)
The fix in #523016 fixes an issue with the default gateway; however, it
does so by unconditionally defining `networking.interfaces.eth0`. This
makes it so that if you had other methods of defining the addresses for
eth0, those now get blanked out.
Instead, move the logic around so we only define
networking.interfaces.eth0 if we really have to.
(cherry picked from commit 217d834eb9)
With kernel lockdown the tun kmod is not necessarily available in stage2,
but Lix depends on it through pasta.
nix-daemon[682677]: remote pid 682659 is user build (trusted)
nix-daemon[682711]: Failed to open() /dev/net/tun: No such device
nix-daemon[682702]: Failed to set up tap device in namespace
(cherry picked from commit 34fbf0285a)
Commit 5aa9012bb3 (nixos: replace 'text' with structured PAM rules
(#420889), 2026-04-14) resulted in the vsftpd module no longer creating
a PAM module, and therefore configurations relying on `cfg.localUsers`
stopped permitting logins unless the PAM module was being set up by
other configuration.
In the absence of a better fix, document this change of behaviour as a
regression. Per the discussion at [0], provide a mechanism to restore
the previous behaviour, but with the caveat that this may be insecure.
I'd prefer more useful advice, but if I had a better understanding of
NixOS's PAM configuration and how it interacts with vsftpd, I'd just be
providing the better fix in the first place.
[0]: https://github.com/NixOS/nixpkgs/issues/515531#issuecomment-4367747991
(cherry picked from commit 93699b88a5)
This replaces the earlier 2.86 patch.
One may consider bumping the source to something newer than the 8 year old release, but that's out of scope for this fix.
Signed-off-by: benaryorg <binary@benary.org>
(cherry picked from commit 79f6dec101)
Define ANSI_FUNC so corkscrew uses ANSI C function definitions instead of legacy K&R definitions rejected by modern Clang/C23.
Assisted-by: OpenCode (openai/gpt-5.5)
(cherry picked from commit 47eb5f6f4d)
The test created ZFS datasets with canmount=noauto, but pam_zfs_key's
mount_dataset() now checks canmount == ZFS_CANMOUNT_ON and skips
mounting otherwise (added in
https://github.com/openzfs/zfs/commit/387ed5ca41). Use the default
canmount=on and unmount before unloading the key to compensate for
the auto-mount that happens when the key is loaded during creation.
This also silences the warning for forceImportRoot.
Assisted-by: opencode with DeepSeek V4 Flash Free
(cherry picked from commit 3fdfb983c7)
Also switches to the new `generate_db.py` script.
This was done because the old `lensfun_convert_db_v2_to_v1.py` script has been
removed upstream and this is the new preferred method.
Additionally, this adds the optional `lensfunDatabases` argument which can be
used to override the lens database used when building the package.
(cherry picked from commit f652ee5019)
This gives us better UI in the PR by hiding the commits that are already
on the base branch (mostly staging) after the periodic merge. Without
this, the PR has 100s of commits listed after a few days.
(cherry picked from commit 5439176950)
Replace gitUpdater with a shell script that invokes
update-source-version once per system using
--source-key, so both per-arch AppImage hashes are
refreshed on each version bump.
(cherry picked from commit ec5d28b85b)
MemoryDenyWriteExecute=true breaks pyopenssl's cffi calls, used in the remote access feature.
```
2026-05-24 17:32:58.344 ERROR (MainThread) [music_assistant] Error doing task: Task exception was never retrieved
Traceback (most recent call last):
File "/nix/store/mmv9717wjskv3q5v4768dq0fq5hf4jry-python3.13-aiortc-1.14.0/lib/python3.13/site-packages/aiortc/rtcpeerconnection.py", line 1084, in __connect
await dtlsTransport.start(self.__remoteDtls[self.__sctp])
File "/nix/store/mmv9717wjskv3q5v4768dq0fq5hf4jry-python3.13-aiortc-1.14.0/lib/python3.13/site-packages/aiortc/rtcdtlstransport.py", line 518, in start
self.__local_certificate._create_ssl_context(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
srtp_profiles=self._srtp_profiles
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/nix/store/mmv9717wjskv3q5v4768dq0fq5hf4jry-python3.13-aiortc-1.14.0/lib/python3.13/site-packages/aiortc/rtcdtlstransport.py", line 198, in _create_ssl_context
ctx.set_verify(
~~~~~~~~~~~~~~^
SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, lambda *args: True
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/nix/store/5kwsndvbzfj3dv4fwpdlgin42mgbd4xk-python3.13-pyopenssl-26.0.0/lib/python3.13/site-packages/OpenSSL/SSL.py", line 867, in inner
return f(self, *args, **kwargs)
File "/nix/store/5kwsndvbzfj3dv4fwpdlgin42mgbd4xk-python3.13-pyopenssl-26.0.0/lib/python3.13/site-packages/OpenSSL/SSL.py", line 1390, in set_verify
self._verify_helper = _VerifyHelper(callback)
~~~~~~~~~~~~~^^^^^^^^^^
File "/nix/store/5kwsndvbzfj3dv4fwpdlgin42mgbd4xk-python3.13-pyopenssl-26.0.0/lib/python3.13/site-packages/OpenSSL/SSL.py", line 527, in __init__
self.callback = _ffi.callback(
~~~~~~~~~~~~~^
"int (*)(int, X509_STORE_CTX *)", wrapper
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
MemoryError: Cannot allocate write+execute memory for ffi.callback(). You might be running on a system that prevents this. For more information, see https://cffi.readthedocs.io/en/latest/using.html#callbacks
```
(cherry picked from commit 6b53fc13e3)
I assume quadradical doesn't want to re-assume maintainership simply because I reverted the package drop for my own purposes.
(cherry picked from commit 261eac2ed0)
qbz uses pactl for PipeWire device enumeration and sink routing, and
pw-metadata for bit-perfect sample rate queries. Without these on PATH,
audio playback fails with "Failed to run pactl: No such file or directory".
(cherry picked from commit feafc3f846)
If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
options:
- "Please select a version."
- "- Unstable (26.11)"
- "- Stable (26.05)"
- "- Unstable (26.05)"
- "- Stable (25.11)"
default:0
validations:
required:true
@@ -99,7 +99,7 @@ body:
attributes:
label:"Are you using nix-darwin?"
description:|
[`nix-darwin`](https://github.com/nix-darwin/nix-darwin) is a set of NixOS-like modules for macOS systems. Depending on your issue, this information may be relevant.
[`nix-darwin`](https://github.com/LnL7/nix-darwin) is a set of NixOS-like modules for macOS systems. Depending on your issue, this information may be relevant.
If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
[Nixpkgs](https://github.com/nixos/nixpkgs) is a collection of over 140,000 software packages that can be installed with the [Nix](https://nixos.org/nix/) package manager.
[Nixpkgs](https://github.com/nixos/nixpkgs) is a collection of over 120,000 software packages that can be installed with the [Nix](https://nixos.org/nix/) package manager.
It also implements [NixOS](https://nixos.org/nixos/), a purely-functional Linux distribution.
@@ -309,8 +309,6 @@ pnpm is available as the top-level package `pnpm`. Additionally, there are varia
When packaging an application that includes a `pnpm-lock.yaml`, you need to fetch the pnpm store for that project using a fixed-output-derivation. The function `fetchPnpmDeps` can create this pnpm store derivation. In conjunction, the setup hook `pnpmConfigHook` will prepare the build environment to install the pre-fetched dependencies store. Here is an example for a package that contains `package.json` and a `pnpm-lock.yaml` files using the fetcher and setup hook above:
There is also the [`pnpmBuildHook`](#pnpm-build-hook) for building packages with `pnpm`, as seen in [](#ex-pnpm-build-hook).
```nix
{
fetchPnpmDeps,
@@ -366,7 +364,7 @@ It is highly recommended to use a pinned version of pnpm (i.e., `pnpm_9` or `pnp
+let
+ # Optionally override pnpm to use a custom nodejs version
+ # Make sure that the same nodejs version is referenced in nativeBuildInputs
@@ -513,10 +511,10 @@ Changes can include workarounds or bug fixes to existing PNPM issues.
##### Version history {#javascript-pnpm-fetcherVersion-versionHistory}
Version 3 is the minimum supported value. Versions 1 and 2 were removed in the 26.11 release; packages that still use them fail to evaluate and must migrate to `fetcherVersion = 3` (or later) and regenerate their hashes.
Version 3 is the recommended value for new packages. Versions 1 and 2 are deprecated and scheduled for removal in the 26.11 release; existing packages must migrate.
- 1: Initial version, nothing special. (removed in 26.11)
- 2: [Ensure consistent permissions](https://github.com/NixOS/nixpkgs/pull/422975) (removed in 26.11)
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-`databricks-cli` has been updated from `0.290.2` to `1.x.x`, the first major release. OAuth tokens for interactive logins (`auth_type = databricks-cli`) are now stored in the OS-native secure store by default (Secret Service on Linux) instead of `~/.databricks/token-cache.json`; cached tokens from older versions are not migrated, so run `databricks auth login` once per profile after upgrading. To keep the previous file-backed storage, set `DATABRICKS_AUTH_STORAGE=plaintext` or add `auth_storage = plaintext` under `[__settings__]` in `~/.databrickscfg`. Additionally, the `vector_search_endpoints` DABs resource renamed `min_qps` to `target_qps` (and the `vector-search-endpoints` command renamed `--min-qps` to `--target-qps`). See the [upstream changelog](https://github.com/databricks/cli/blob/main/CHANGELOG.md) for details.
-`hurl` has been updated to `8.x.x` which has some breaking changes. See [upstream changelog](https://github.com/Orange-OpenSource/hurl/releases/tag/8.0.0) for details.
-`python3Packages.django-health-check` has been updated to major version 4. See its [migration guide](https://codingjoe.dev/django-health-check/migrate-to-v4/) and [changelog](https://github.com/codingjoe/django-health-check/releases/tag/4.0.0) for breaking changes.
-`libgdata` has been removed, as it was archived upstream and relied on the insecure libsoup 2.4.
-`uhttpmock` providing 0.0 ABI was removed. `uhttpmock_1_0` providing 1.0 ABI was renamed to `uhttpmock` and `uhttpmock_1_0` was kept as an alias.
- The ARMv5 Linux kernel build now uses a standard configuration and generates a standard compressed image instead of the deprecated legacy U‐Boot image format.
`lib.systems.{examples,platforms}.{sheevaplug,pogoplug4}` have been unified into `lib.systems.examples.armv5tel-multiplatform`.
Note that there is no official support for ARMv5 and it is not possible to build even a simple NixOS configuration out of the box.
- Support for the legacy U‐Boot image format has been removed from the Linux kernel builders, as it is deprecated upstream and no longer used by any platform in Nixpkgs.
-`requireFile` now sets `meta.license = lib.licenses.unfree` by default. Users of `requireFile`-based derivations that preserve this default will need to explicitly allow their evaluation as described in [](#sec-allow-unfree).
-`librest` providing 0.7 ABI was removed. `librest_1_0` providing 1.0 ABI was renamed to `librest` and `librest_1_0` was kept as an alias.
-`fetchPnpmDeps`' `fetcherVersion = 1` and `fetcherVersion = 2` have been
removed, as announced in the 26.05 release. Packages still using them now
throw an evaluation error and must migrate to `fetcherVersion = 3` (or later)
and regenerate their hashes. See the
[pnpm `fetcherVersion` section](#javascript-pnpm-fetcherVersion) of the manual
for details.
-Create the first release note entry in this section!
## Other Notable Changes {#sec-nixpkgs-release-26.11-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-Package-URL (PURL, https://github.com/package-url/purl-spec) metadata identifier has been added for `fetchgit`, `fetchpypi` and `fetchFromGithub` fetchers.
`mkDerivation` has been adjusted to reuse this information.
Package-URLs allow reliably identifying and locating software packages.
Maintainers of derivations using the adapted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can enhance their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers.
Maintainers using `fetchurl` for `drv.src` are urged to adapt their `drv.meta.identifiers.purlParts` for proper identification.
-Create the first release note entry in this section!
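Review bot: the `databricks-cli` entry (first added item in this hunk) tells users how to opt back into file-backed token storage via `DATABRICKS_AUTH_STORAGE=plaintext` or `auth_storage = plaintext` without saying what that trades away; since the same sentence says the new default is the OS-native secure store, state that the plaintext option keeps the OAuth tokens unencrypted on disk in `~/.databricks/token-cache.json`, e.g. "To keep the previous (unencrypted) file-backed storage, set ...", so readers opting out understand what they are giving up.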
@@ -77,7 +77,7 @@ A link or a list of links to the location of Changelog for a package. A link may
### `license` {#var-meta-license}
The license, or licenses, for the package. One from the attribute set defined in [`nixpkgs/lib/licenses/licenses.nix`](https://github.com/NixOS/nixpkgs/blob/master/lib/licenses/licenses.nix). At this moment using both a list of licenses and a single license is valid. If the license field is in the form of a list representation, then it means that parts of the package are licensed differently. Each license should preferably be referenced by their attribute. The non-list attribute value can also be a space delimited string representation of the contained attribute `shortNames` or `spdxIds`. The following are all valid examples:
The license, or licenses, for the package. One from the attribute set defined in [`nixpkgs/lib/licenses.nix`](https://github.com/NixOS/nixpkgs/blob/master/lib/licenses.nix). At this moment using both a list of licenses and a single license is valid. If the license field is in the form of a list representation, then it means that parts of the package are licensed differently. Each license should preferably be referenced by their attribute. The non-list attribute value can also be a space delimited string representation of the contained attribute `shortNames` or `spdxIds`. The following are all valid examples:
- Single license referenced by attribute (preferred) `lib.licenses.gpl3Only`.
- Single license referenced by its attribute shortName (frowned upon) `"gpl3Only"`.
@@ -157,8 +157,6 @@ The list of Nix platform types for which the [Hydra](https://github.com/nixos/hy
}
```
Note that this does not affect whether reverse dependencies of the package are built on Hydra.
### `broken` {#var-meta-broken}
If set to `true`, the package is marked as "broken", meaning that it won’t show up in [search.nixos.org](https://search.nixos.org/packages), and cannot be built or installed unless [explicitly allowed](#sec-allow-broken).
@@ -216,7 +214,7 @@ If this list is not empty, the package is marked as "insecure", meaning that it
## Licenses {#sec-meta-license}
The `meta.license` attribute should preferably contain a value from `lib.licenses` defined in [`nixpkgs/lib/licenses/licenses.nix`](https://github.com/NixOS/nixpkgs/blob/master/lib/licenses/licenses.nix), or in-place license description of the same format if the license is unlikely to be useful in another expression.
The `meta.license` attribute should preferably contain a value from `lib.licenses` defined in [`nixpkgs/lib/licenses.nix`](https://github.com/NixOS/nixpkgs/blob/master/lib/licenses.nix), or in-place license description of the same format if the license is unlikely to be useful in another expression.
Although it’s typically better to indicate the specific license, a few generic options are available:
@@ -342,30 +340,3 @@ A readonly attribute that concatenates all CPE parts in one string.
A readonly attribute containing the list of guesses for what CPE for this package can look like. It includes all variants of version handling mentioned above. Each item is an attrset with attributes `cpeParts` and `cpe` for each guess.
### Package URL {#sec-meta-identifiers-purl}
[Package-URL](https://github.com/package-url/purl-spec) (PURL) is a specification to reliably identify and locate software packages.
Through identification of software packages, additional (non-major) use cases are e.g. software license cross-verification via third party databases or initial vulnerability response management.
Package-URLs shall default to the `mkDerivation.src`, as the original consumed software package is the single source of truth.
This attribute contains an attribute set of all parts of the PURL for this package.
* `type` mandatory [type](https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/docs/standard/summary.md) which needs to be provided
* `spec` specify the PURL in accordance with the [purl-spec](https://github.com/package-url/purl-spec/blob/18fd3e395dda53c00bc8b11fe481666dc7b3807a/purl-specification.md)
An extendable list attribute which defaults to a single element equal to [`meta.identifiers.purl`](#var-meta-identifiers-purl).
It provides an interface for additional identifiers of `mkDerivation.src` or for identifiers of vendored dependencies inside `mkDerivation.src`, which maintainers may carefully consider to specify as well.
Additional identifiers are generally not recommended, as they might cause maintenance overhead or diverge.
For example, a source distribution `pkg:github` may be hard to keep correctly aligned with the corresponding binary distribution `pkg:pypi`.
A consistent style greatly increases the usability of all documentation and communication.
Use this page as a reference and style guide for our internal and external documentation.
### Knowledge Expectations
**Assume competence, not familiarity.**
Write for someone who knows a great deal — up to but not including this project.
**What readers know:**
- Basic computer operation
- Command line familiarity
- General interest in systems configuration
**What readers don't know:**
- NixOS-specific concepts
- NixOS ecosystem details or grammar
- NixOS workflows
If specific knowledge is required, mention it at the start of the page.
#### Show, Don't Tell
The fastest path to understanding is a working example.
People learn by doing, not by reading about doing.
**Recommended structure:**
- Start with the minimal working code or command
- Briefly explain what it does
- Cover edge cases or variations
- Link to further information instead of including it
#### Grammar and Style
**Sentence structure:**
- Use simple, direct sentences
- Break complex ideas into multiple short sentences
- Avoid nested clauses
**Bad:**
> The following command, which utilizes nixos-generate-config to produce a comprehensive hardware configuration, will write the results back into the respective configuration directory located on your local machine.
What the user does is hidden in the middle.
`nixos-generate-config` is a leaked implementation detail.
Users care about *detecting hardware*, not *the tool that does it*.
**Good:**
> This command detects your hardware and saves the configuration.
#### Content Organization
Lead with value. State what the reader will accomplish before explaining how.
**Bad:**
> To create a new NixOS configuration that you can later use as a webserver, first navigate to your project directory, then add a new host configuration file with the desired machine name.
**Good:**
Add a webserver configuration to your NixOS setup:
```nix
# hosts/webserver/configuration.nix
{...}:
{
services.nginx.enable=true;
}
```
Use **progressive disclosure**. Introduce concepts only when needed.
**Recommended structure:**
1. State the goal (one sentence)
2. Show the simplest working example
3. Explain concepts if needed
4. Provide advanced options separately or link to the reference
#### No Meta-commentary
Don't describe what the documentation does. Just do it.
**Don't:**
> This section explains how to configure networking.
> The following guide walks you through setting up a web server.
**Do:**
> Configure networking by setting:
> Set up a web server:
#### Code Examples
**Keep examples focused:**
- Show one concept at a time
- Use realistic but simple scenarios
- Avoid dependencies on other examples
**Minimal comments**
Let the code speak for itself.
Paste code examples directly and without further alteration.
**Bad:**
```nix
# This sets the hostname for the machine
{
networking.hostName="webserver";# Change this to your machine's hostname
# This enables SSH access
services.openssh.enable=true;# Required for remote deployment
}
```
**Good:**
```nix
{
networking.hostName="webserver";
services.openssh.enable=true;
}
```
#### Lead with Practical Examples
Don't front-load theory. Readers want to accomplish something first, then understand why it works.
- Show configuration as *what you want*, not *how the module system works*
- Introduce Nix-specific concepts only when they are needed to complete the task
- Defer language mechanics to reference pages or `nix.dev`
**Bad:**
> Before adding a service, you need to understand the NixOS module system and attribute set merging.
**Good:**
Enable nginx:
```nix
{services.nginx.enable=true;}
```
This adds nginx to your system configuration. Rebuild to apply:
```bash
sudo nixos-rebuild switch
```
#### Teach Nix through examples, not theory
Users learn the NixOS module system by seeing patterns first.
- Start with a working example
- Explanation follows the code
- Link deeper concepts instead of inlining them
- Link to `nix.dev` for optional learning
#### General Rules
- Abbreviate keys like `ssh-ed25519 AAAAC3NzaC…`
- Abbreviate IP addresses like `192.168.XXX.XXX`
- Variables are capitalized and start with `$`, e.g. `$YOUR_HOSTNAME`
- Variables should be directly usable during copy-paste
- Do **not** describe missing code parts (`#elided`, `#omitted`)
- **Machine vs Host**: use "machine" for the NixOS system identity, "host" for the physical or virtual hardware
#### Capitalization
- GB / RAM / HDD
- bootable USB drive
- Wi-Fi / DHCP / DNS
- macOS / NixOS / Nix / Linux
- Flakes
- git
#### Headings
Use sentence case. A reader scanning only headings should understand the page.
**Don't:**
> Getting Started
> Overview
> Configure The Database
**Do:**
> Set up a PostgreSQL database
> Configure networking
> Add a user to the system
#### Imperative Mood, Voice, and Person
Use imperative mood for instructions. Address the reader as "you", not "the user". Use active voice; in other words, make the subject do the action.
**Don't:**
> The user should run the following command.
> The configuration will need to be updated.
> The key is generated by the system.
**Do:**
> Run the command.
> Update the configuration.
> The system generates the key.
#### Tense
Use present tense for descriptions. Future tense makes documentation feel tentative.
**Don't:**
> This will create a new folder.
> Running this command will install the package.
**Do:**
> This creates a new folder.
> Running this command installs the package.
#### Be Confident
State facts. Don't hedge with "should," "might," "typically," or "usually" unless the behavior genuinely varies.
**Don't:**
> This should create the configuration file.
> The service will usually start automatically.
**Do:**
> This creates the configuration file.
> The service starts automatically.
#### Avoid Nominalizations
A nominalization is a verb turned into a noun, often by adding *-tion*, *-meant*, or *-ance* (e.g. "explanation", "selection"). The fix: find the hidden verb and use it directly.
**Don't:**
> Make a selection from the list.
> Provide an explanation of the error.
**Do:**
> Select from the list.
> Explain the error.
#### Plain Words
Technical precision for technical terms; plain language for everything else.
- "use" not "utilize"
- "start" not "initiate"
- "end" not "terminate"
- "help" not "facilitate"
- "send" not "transmit"
- "set up" not "establish"
- "find out" not "ascertain"
#### Filler Words and Weak Phrases
Cut words and phrases that add length without meaning.
> In order to deploy, you first need to run the command, which allows you to push the config.
> It's worth noting that this requires root access.
**Do:**
> Run `nixos-rebuild switch`.
> To deploy, run:
> This requires root access.
Every word must earn its place.
#### Writing Procedures
One instruction per sentence. Don't pack multiple actions into one sentence.
**Don't:**
> Navigate to your project directory and run the command, then check the output.
**Do:**
1. Navigate to your project directory.
2. Run the command.
3. Check the output.
Don't bury the negative. Key limitations should be prominent, not a footnote after a positive description.
**Don't:**
> This service supports multiple roles, integrates with existing modules, and works great for most setups (note that multiple instances are not supported).
**Do:**
> This service does not support multiple instances.
#### Consistent Terminology
Pick a term and stick to it. Don't swap synonyms to avoid repetition. In technical documentation, repetition is clarity.
**Don't:**
> Create a machine... configure the host... deploy the node.
**Do:**
> Create a machine... configure the machine... deploy the machine.
#### Links
Use descriptive link text. Never use "click here" or "this link."
**Don't:**
> For more information, see `[this page](url)`.
> Click `[here](url)` to read the reference.
**Do:**
> See the `[NixOS options reference](url)` for details.
> Read the `[NixOS module system guide](url)`.
Only link when the destination is directly relevant, not for generic background context (sometimes known as "Wikipedia-style links"). Readers feel obligated to click links, fearing they'll miss something important. Don't send them to a generic article about a technology when they're looking for how *your* system uses it.
**Don't:**
> Our software uses [SQLite](https://sqlite.org/) for storage.
(Note that in the above example, the SQLite link is the SQLite home page, which is likely not pertinent.)
**Do:**
> See `[database schema](url)` for the full table structure.
#### UI Language
Match UI element names exactly: wording, casing, and spacing (even if a label seems oddly worded).
**Don't:**
> Click the generator button.
> Select the save option.
**Do:**
> Click **Generate a Key**.
> Click **Save Changes**.
Someone will go looking for a button labeled "generator." They will not find it. They will be frustrated.
Consistency between documentation and interface builds confidence. Words are part of the interface.
:::{.tip}
This can be tricky as UI changes; we don't yet have a policy in place for how to handle this. We welcome comments and suggestions.
:::
#### Clean system discipline
Your machine has things new users don't: cached credentials, installed tools, environment variables, existing configuration. When writing or updating documentation:
**Don't:**
> Write steps from memory on your development machine, assuming what works there will work everywhere.
**Do:**
> - Start on a clean system — a fresh VM or new user account
> - Take notes in real time as you work through the steps
> - Document every warning, prompt, or unexpected output the system shows
Also think in combinations: WSL vs native Linux, with and without existing keys. You don't need to test every matrix square — but you need to know which ones diverge.
#### Never type code — always copy-paste
Always copy commands and code from a terminal where you just ran them successfully. Never retype from memory.
**Don't:**
> Retype a command from memory into the documentation.
> Retype code into a code-block from memory
**Do:**
> Paste commands directly from the shell or IDE.
> Paste code that has been successfully validated with nix-instantiate or nix-build
Replace sensitive values with placeholders: `<YOUR-KEY>`, `<YOUR-HOST>`, `<YOUR-TOKEN>`.
Typed-from-memory commands introduce subtle errors. Even the most experienced software developers have occasional typos.
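Review bot: the placeholder conventions in this file disagree with each other: the "General Rules" list says variables are capitalized and start with `$` (`$YOUR_HOSTNAME`) and IP addresses are abbreviated as `192.168.XXX.XXX`, while the copy-paste section ends with `<YOUR-KEY>`, `<YOUR-HOST>`, `<YOUR-TOKEN>`; pick one form, which the "Consistent Terminology" section itself asks for. Two smaller points: the "Filler Words and Weak Phrases" section shows its two bad examples without the `**Don't:**` label that every other section uses, and since the copy-paste rule tells writers to paste straight from a shell where the command just ran, the "Replace sensitive values with placeholders" step belongs among the `**Do:**` items rather than as a trailing sentence, so real keys, hosts and tokens do not end up in the docs.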
@@ -152,7 +152,7 @@ There are several ways to tweak how Nix handles a package which has been marked
Note that `allowlistedLicenses` only applies to unfree licenses unless `allowUnfree` is enabled. It is not a generic allowlist for all types of licenses. `blocklistedLicenses` applies to all licenses.
A complete list of licenses can be found in the file [`nixpkgs/lib/licenses/licenses.nix`](https://github.com/NixOS/nixpkgs/blob/master/lib/licenses/licenses.nix) of the nixpkgs tree.
A complete list of licenses can be found in the file `lib/licenses.nix` of the nixpkgs tree.
@@ -899,19 +899,6 @@ checkConfigError 'Did you mean .enable., .ebe. or .enabled.\?' config ./error-ty
checkConfigError 'Did you mean .services\.myservice\.port. or .services\.myservice\.enable.\?' config.services.myservice ./error-typo-submodule.nix
checkConfigError 'Did you mean .services\.nginx\.virtualHosts\."example\.com"\.ssl\.certificate. or .services\.nginx\.virtualHosts\."example\.com"\.ssl\.certificateKey.\?' config.services.nginx.virtualHosts.\"example.com\" ./error-typo-deeply-nested.nix
checkConfigError 'A definition for option .attrListInt.badValue.a. is not of type .signed integer.. Definition values:' config.attrListIntStrict.badValue ./declare-attrList.nix
checkConfigError 'A definition for option .attrList.badListElem. is not of type .attribute list of string.. Each list element must be a single-key attribute set, but got 2 keys' config.attrListStrict.badListElem ./declare-attrList.nix
checkConfigError 'A definition for option .attrList.badString. is not of type .attribute list of string.. TypeError: Definition values:' config.attrListStrict.badString ./declare-attrList.nix
checkConfigError 'A definition for option .attrList.badListString. is not of type .attribute list of string.. Each list element must be an attribute set, but got string' config.attrListStrict.badListString ./declare-attrList.nix
checkConfigError 'The option .merged. in .*/declare-attrList-type-merge.nix. is already declared in .*/declare-attrList-type-merge.nix' config.merged ./declare-attrList-type-merge.nix
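Review bot: this hunk drops 13 lines and the visible `checkConfigError` cases are the `attrList` / `attrListStrict` ones, which reference the fixtures `./declare-attrList.nix` and `./declare-attrList-type-merge.nix`; if those tests are the removed lines, delete the two fixture files in the same change or say why they are kept, and if the type itself still exists keep at least one negative test so its error messages stay covered.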
"description":"Maintain ACME-related packages and modules.",
"id":3806126,
"maintainers":{},
"maintainers":{
"emilazy":18535642
},
"members":{
"arianvp":628387,
"emilazy":18535642,
"m1cr0man":3044438
},
"name":"ACME"
@@ -71,11 +72,10 @@
"description":"coordinates efforts towards bootstrappable builds (see https://bootstrappable.org/)",
"id":9141350,
"maintainers":{
"philiptaron":43863,
"zeuner":2545850
},
"members":{
"philiptaron":43863
},
"members":{},
"name":"bootstrapping"
},
"categorization":{
@@ -176,6 +176,7 @@
"description":"Improve Darwin-support across Nixpkgs and help maintainers without access to Darwin hardware. Apply to join through https://github.com/NixOS/nixpkgs/issues/323144 to keep the process transparent.",
"id":2385202,
"maintainers":{
"emilazy":18535642,
"toonn":1486805
},
"members":{
@@ -205,7 +206,6 @@
"donn":12652988,
"dwt":57199,
"eclairevoyant":848000,
"emilazy":18535642,
"ethancedwards8":60861925,
"fiddlerwoaroof":808745,
"fulsomenko":14945057,
@@ -410,9 +410,7 @@
"jtojnar":705123
},
"members":{
"bobby285271":20080233,
"dasj19":7589338,
"hedning":71978
"bobby285271":20080233
},
"name":"GNOME"
},
@@ -556,11 +554,12 @@
"id":9955829,
"maintainers":{
"RossComputerGuy":19699320,
"alyssais":2768870
"alyssais":2768870,
"emilazy":18535642
},
"members":{
"Ericson2314":1055245,
"emilazy":18535642,
"peterwaller-arm":52030119,
"rrbutani":7833358,
"sternenseemann":3154475
},
@@ -695,8 +694,7 @@
"description":"",
"id":174820,
"maintainers":{
"Ericson2314":1055245,
"tomberek":178444
"Ericson2314":1055245
},
"members":{
"Mic92":96200,
@@ -704,6 +702,7 @@
"edolstra":1148549,
"lisanna-dettwyler":72424138,
"lovesegfault":7243783,
"tomberek":178444,
"xokdvium":145775305
},
"name":"Nix team"
@@ -852,15 +851,15 @@
"description":"Team that is interested in reproducible builds",
"id":7625643,
"maintainers":{
"raboof":131856,
"zimbatm":3248
"raboof":131856
},
"members":{
"Artturin":56650223,
"Atemu":18599032,
"RaitoBezarius":314564,
"davidak":91113,
"mschwaig":3856390
"mschwaig":3856390,
"zimbatm":3248
},
"name":"reproducible"
},
@@ -964,13 +963,13 @@
"description":"Maintain the standard environment and its surrounding logic.",
@@ -6,7 +6,7 @@ Status: in development. This functionality is new in NixOS 25.11, and significan
Traditionally, NixOS services were defined using sets of options *in* modules, not *as* modules. This made them non-modular, resulting in problems with composability, reuse, and portability.
A configuration management framework is an application of `evalModules` with the `class` and `specialArgs` input attribute set to particular values.
NixOS is such a configuration management framework, and so are [Home Manager](https://github.com/nix-community/home-manager) and [`nix-darwin`](https://github.com/nix-darwin/nix-darwin).
NixOS is such a configuration management framework, and so are [Home Manager](https://github.com/nix-community/home-manager) and [`nix-darwin`](https://github.com/lnl7/nix-darwin).
The service management component of a configuration management framework is the set of module options that connects Nix expressions with the underlying service (or process) manager.
For NixOS this is the module wrapping [`systemd`](https://systemd.io/), on `nix-darwin` this is the module wrapping [`launchd`](https://en.wikipedia.org/wiki/Launchd).
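Review bot: the `nix-darwin` link should point at the repository's current home, which is the `nix-darwin` organisation; this hunk moves the link between `github.com/nix-darwin/nix-darwin` and `github.com/lnl7/nix-darwin`, and while both resolve today because GitHub redirects renamed repositories, documentation should not depend on that redirect staying in place. The remaining lines of the hunk are unchanged context.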
- [kiwix-serve](https://wiki.kiwix.org/wiki/Kiwix-serve), a service that serves ZIM files (such as Wikipedia archives) over HTTP. Available as [services.kiwix-serve](#opt-services.kiwix-serve.enable).
- [matterjs-server](https://github.com/matter-js/matterjs-server), a Matter controller with a Home Assistant compatible WebSocket API. Available as [services.matterjs-server](#opt-services.matterjs-server.enable).
- [Remark42](https://remark42.com/), a self-hosted comment engine. Available as [services.remark42](#opt-services.remark42.enable).
- [LibreChat](https://www.librechat.ai/), open-source self-hostable ChatGPT clone with Agents and RAG APIs. Available as [services.librechat](#opt-services.librechat.enable).
@@ -197,8 +195,6 @@
- `services.home-assistant.config.lovelace.mode` has been renamed to `lovelace.dashboards` and `lovelace.resource_mode` to match the [configuration format](https://www.home-assistant.io/dashboards/dashboards/) required by Home Assistant 2026.8. Users who explicitly set `lovelace.mode` should remove it; the module generates the correct entries automatically.
- `fulcrum` has been updated to 2.x. If run against an existing v1.x database without the `--db-upgrade` flag it refuses to start; the upgrade takes around an hour on Bitcoin mainnet.
- `opentrack`, `slushload`, `synthesia`, `vtfedit`, `winbox`, `wineasio`, and `yabridge` use wineWow64Packages instead of wineWowPackages as wine versions >= 11.0 have deprecated wineWowPackages. As such, the prefixes for these packages are NOT backwards compatible and need to be regenerated with potential for data loss.
- []{#sec-release-26.05-incompatibilities-profiles-hardened-removed} `profiles/hardened` has been removed, because:
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-The default PostgreSQL version for new NixOS installations (i.e. with `system.stateVersion >= 26.11`) is v18.
-Create the first release note entry in this section!
## New Modules {#sec-release-26.11-new-modules}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-[tranquil](https://tangled.org/tranquil.farm/tranquil-pds) is an ATProto PDS (personal data server) implementation in Rust. A featureful, spec conscious and community driven alternative to the Bluesky reference implementation PDS. Available as [services.tranquil-pds](#opt-services.tranquil-pds.enable).
-Create the first release note entry in this section!
- [FlapAlerted](https://github.com/Kioubit/FlapAlerted), detects BGP flapping events and provides statistics based on BGP update messages. Available as [services.flap-alerted](#opt-services.flap-alerted.enable).
@@ -18,18 +18,10 @@
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-`boot.vesa` has been removed. It was deprecated in 2020 because Xorg now works better with kernel modesetting. If you still need the legacy VESA 800x600 fallback, set `boot.kernelParams = [ "vga=0x317" "nomodeset" ];` directly.
- Support for the legacy U‐Boot image format has been removed from the initrd generators, as it is deprecated upstream and no longer used by any platform in Nixpkgs.
- Python 2 has been removed from the top-level package set, as it is long past end-of-life. The `python2`, `python27`, `python2Full`, `python27Full`, `python2Packages`, and `python27Packages` attributes, along with the legacy `python`, `pythonFull`, and `pythonPackages` aliases, now throw an error directing you to `python3`. The `isPy2` and `isPy27` package flags have been removed accordingly. The only remaining Python 2 interpreter is vendored inside the `resholve` package for its `oil` dependency and is not exposed for general use.
-`services.timesyncd.extraConfig` has been removed in favor of the structured [](#opt-services.timesyncd.settings.Time) option. Use `services.timesyncd.settings.Time` to set any `timesyncd.conf(5)` option directly. For example, replace `services.timesyncd.extraConfig = "PollIntervalMaxSec=180";` with `services.timesyncd.settings.Time.PollIntervalMaxSec = 180;`.
-Create the first release note entry in this section!
## Other Notable Changes {#sec-release-26.11-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
-`boot.loader.systemd-boot` gained support for [Automatic Boot Assessment](https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT/) via the new [`boot.loader.systemd-boot.bootCounting`](#opt-boot.loader.systemd-boot.bootCounting.enable) options, allowing automatic detection of and recovery from bad NixOS generations. As part of this change, boot loader entries on the ESP/XBOOTLDR partition are now named `nixos-<content-hash>.conf` instead of `nixos-generation-<n>.conf`; existing entries are migrated automatically on the next `nixos-rebuild boot`/`switch`.
- The `newuidmap` and `newgidmap` security wrappers are now installed with `cap_setuid`/`cap_setgid` file capabilities instead of the setuid-root bit, matching shadow's `--with-fcaps` install mode and other major distributions. Rootless containers (podman, docker-rootless, unprivileged user namespaces) are unaffected. The only behavioural change is that mapping host uid 0 via `/etc/subuid` (which NixOS never configures by default) additionally requires `cap_setfcap`; users who explicitly grant uid 0 in a subuid range can restore the previous behaviour with `security.wrappers.newuidmap.capabilities = lib.mkForce "cap_setuid,cap_setfcap+ep";`.
-Create the first release note entry in this section!
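Review bot: the `Create the first release note entry in this section!` placeholder still sits next to real entries in both the Backward Incompatibilities and Other Notable Changes sections of this hunk, and the same pairing appears in the Highlights and New Modules lines above; whichever side of the diff is kept, the placeholder should be dropped as soon as a section has a real entry, otherwise it is rendered as a bullet in the published release notes.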
The upstream default configuration is available at [example-config.yaml](https://github.com/mautrix/discord/blob/main/example-config.yaml). To print the generated default configuration from the package, run:
Encryption needs additional bridge-side setup. See the [bridge encryption documentation](https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html) for details.
# TODO: Get upstream to add an environment File option. Refer to https://github.com/NixOS/nixpkgs/pull/404871#issuecomment-2895663652 and https://github.com/mautrix/discord/issues/187
# Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
ProtectSystem="strict";