Table of Contents
This section lists the release notes for each stable version of NixOS and current unstable revision.
In addition to numerous new and upgraded packages, this release has the following highlights:
Support is planned until the end of April 2021, handing over to 21.03.
GNOME desktop environment was upgraded to 3.36, see its release notes.
maxx package removed along with services.xserver.desktopManager.maxx
module.
Please migrate to cdesktopenv and services.xserver.desktopManager.cde
module.
We now distribute a GNOME ISO.
PHP now defaults to PHP 7.4, updated from 7.3.
PHP 7.2 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 20.09 release.
Python 3 now defaults to Python 3.8 instead of 3.7.
Two new options, authorizedKeysCommand
and authorizedKeysCommandUser, have
been added to the openssh
module. If you have AuthorizedKeysCommand
in your services.openssh.extraConfig you should
make use of these new options instead.
There is a new module for Podman(virtualisation.podman
), a drop-in replacement for the Docker command line.
The new virtualisation.containers
module manages configuration shared by the CRI-O and Podman modules.
Declarative Docker containers are renamed from docker-containers
to virtualisation.oci-containers.containers
.
This is to make it possible to use podman
instead of docker
.
MariaDB has been updated to 10.4, MariaDB Galera to 26.4.
Before you upgrade, it would be best to take a backup of your database.
For MariaDB Galera Cluster, see Upgrading
from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster instead.
Before doing the upgrade read Incompatible
Changes Between 10.3 and 10.4.
After the upgrade you will need to run mysql_upgrade
.
MariaDB 10.4 introduces a number of changes to the authentication process, intended to make things easier and more
intuitive. See Authentication from MariaDB 10.4.
unix_socket auth plugin does not use a password, and uses the connecting user's UID instead. When a new MariaDB data directory is initialized, two MariaDB users are
created and can be used with new unix_socket auth plugin, as well as traditional mysql_native_password plugin: root@localhost and mysql@localhost. To actually use
the traditional mysql_native_password plugin method, one must run the following:
services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("verysecret"); '';
When MariaDB data directory is just upgraded (not initialized), the users are not created or modified.
MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options
may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when
calling LOAD DATA INFILE or SELECT * INTO OUTFILE
. In this scenario a variant of the following may be required:
- allow MySQL to read from /home and /tmp directories when using LOAD DATA INFILE
systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only";
- allow MySQL to write to custom folder /var/data
when using SELECT * INTO OUTFILE
, assuming the mysql user has write
access to /var/data
systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
The MySQL service no longer runs its systemd
service startup script as root
anymore. A dedicated non root
super user account is required for operation. This means users with an existing MySQL or MariaDB database server are required to run the following SQL statements
as a super admin user before upgrading:
CREATE USER IF NOT EXISTS 'mysql'@'localhost' identified with unix_socket; GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
If you use MySQL instead of MariaDB please replace unix_socket
with auth_socket
. If you have changed the value of services.mysql.user
from the default of mysql
to a different user please change 'mysql'@'localhost'
to the corresponding user instead.
Two new option documentation.man.generateCaches
has been added to automatically generate the man-db
caches, which are needed by utilities
like whatis and apropos. The caches are generated during the build of
the NixOS configuration: since this can be expensive when a large number of packages are installed, the
feature is disabled by default.
services.postfix.sslCACert
was replaced by services.postfix.tlsTrustedAuthorities
which now defaults to system certifcate authorities.
Subordinate GID and UID mappings are now set up automatically for all normal users. This will make container tools like Podman work as non-root users out of the box.
The various documented workarounds to use steam have been converted to a module. programs.steam.enable
enables steam, controller support and the workarounds.
Support for built-in LCDs in various pieces of Logitech hardware (keyboards and USB speakers). hardware.logitech.lcd.enable
enables support for all hardware supported by the g15daemon project.
The following new services were added since the last release:
There is a new security.doas.enable
module that provides doas, a lighter alternative to sudo with many of the same features.
When upgrading from a previous release, please be aware of the following incompatible changes:
buildGoModule
now internally creates a vendor directory
in the source tree for downloaded modules instead of using go's module
proxy protocol. This storage format is simpler and therefore less
likekly to break with future versions of go. As a result
buildGoModule
switched from
modSha256
to the vendorSha256
attribute to pin fetched version data. buildGoModule
still accepts modSha256
with a warning, but support will
be removed in the next release.
Grafana is now built without support for phantomjs by default. Phantomjs support has been
deprecated in Grafana
and the phantomjs project is
currently unmaintained.
It can still be enabled by providing phantomJsSupport = true
to the package instanciation:
{ services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec { phantomJsSupport = false; }); }
The supybot module now uses /var/lib/supybot
as its default stateDir path if stateVersion
is 20.09 or higher. It also enables number of
systemd sandboxing options
which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in
systemd.services.supybot.serviceConfig
.
The security.duosec.skey
option, which stored a secret in the
nix store, has been replaced by a new
security.duosec.secretKeyFile
option for better security.
security.duosec.ikey
has been renamed to
security.duosec.integrationKey.
vmware
has been removed from the services.x11.videoDrivers
defaults.
For VMWare guests set virtualisation.vmware.guest.enable
to true
which will include the appropriate drivers.
The initrd SSH support now uses OpenSSH rather than Dropbear to allow the use of Ed25519 keys and other OpenSSH-specific functionality. Host keys must now be in the OpenSSH format, and at least one pre-generated key must be specified.
If you used the boot.initrd.network.ssh.host*Key
options, you'll get an error explaining how to convert your host
keys and migrate to the new
boot.initrd.network.ssh.hostKeys
option.
Otherwise, if you don't have any host keys set, you'll need to
generate some; see the hostKeys
option
documentation for instructions.
Since this release there's an easy way to customize your PHP
install to get a much smaller base PHP with only wanted
extensions enabled. See the following snippet installing a
smaller PHP with the extensions imagick
,
opcache
, pdo
and
pdo_mysql
loaded:
environment.systemPackages = [ (pkgs.php.withExtensions ({ all, ... }: with all; [ imagick opcache pdo pdo_mysql ]) ) ];
The default php
attribute hasn't lost any
extensions. The opcache
extension has been
added.
All upstream PHP extensions are available under php.extensions.<name?>.
All PHP config
flags have been removed for
the following reasons:
The updated php
attribute is now easily
customizable to your liking by using
php.withExtensions
or
php.buildEnv
instead of writing config files
or changing configure flags.
The remaining configuration flags can now be set directly on
the php
attribute. For example, instead of
php.override { config.php.embed = true; config.php.apxs2 = false; }
you should now write
php.override { embedSupport = true; apxs2Support = false; }
Gollum received a major update to version 5.x and you may have to change some links in your wiki when migrating from gollum 4.x. More information can be found here.
Deluge 2.x was added and is used as default for new NixOS
installations where stateVersion is >= 20.09. If you are upgrading from a previous
NixOS version, you can set service.deluge.package = pkgs.deluge-2_x
to upgrade to Deluge 2.x and migrate the state to the new format.
Be aware that backwards state migrations are not supported by Deluge.
Add option services.nginx.enableSandbox
to starting Nginx web server with additional sandbox/hardening options.
By default, write access to services.nginx.stateDir
is allowed. To allow writing to other folders,
use systemd.services.nginx.serviceConfig.ReadWritePaths
systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
The NixOS options nesting.clone
and
nesting.children
have been deleted, and
replaced with named specialisation
configurations.
Replace a nesting.clone
entry with:
{ specialisation.example-sub-configuration = { configuration = { ... }; };
Replace a nesting.children
entry with:
{ specialisation.example-sub-configuration = { inheritParentConfig = false; configuration = { ... }; };
To switch to a specialised configuration at runtime you need to run:
# sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test
Before you would have used:
# sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test
The Nginx log directory has been moved to /var/log/nginx
, the cache directory
to /var/cache/nginx
. The option services.nginx.stateDir
has
been removed.
The httpd web server previously started its main process as root
privileged, then ran worker processes as a less privileged identity user.
This was changed to start all of httpd as a less privileged user (defined by
services.httpd.user
and
services.httpd.group
). As a consequence, all files that
are needed for httpd to run (included configuration fragments, SSL
certificates and keys, etc.) must now be readable by this less privileged
user/group.
The default value for services.httpd.mpm
has been changed from prefork
to event
. Along with
this change the default value for
services.httpd.virtualHosts.<name>.http2
has been set to true
.
The systemd-networkd
option
systemd.network.networks.<name>.dhcp.CriticalConnection
has been removed following upstream systemd's deprecation of the same. It is recommended to use
systemd.network.networks.<name>.networkConfig.KeepConfiguration
instead.
See systemd.network(5) for details.
The systemd-networkd
option
systemd.network.networks._name_.dhcpConfig
has been renamed to
systemd.network.networks.<name>.dhcpV4Config
following upstream systemd's documentation change.
See systemd.network(5) for details.
In the picom
module, several options that accepted
floating point numbers encoded as strings (for example
services.picom.activeOpacity
) have been changed
to the (relatively) new native float
type. To migrate
your configuration simply remove the quotes around the numbers.
When using buildBazelPackage
from Nixpkgs,
flat
hash mode is now used for dependencies
instead of recursive
. This is to better allow
using hashed mirrors where needed. As a result, these hashes
will have changed.
The rkt module has been removed, it was archived by upstream.
The Bazaar VCS is
unmaintained and, as consequence of the Python 2 EOL, the packages
bazaar
and bazaarTools
were
removed. Breezy, the backward compatible fork of Bazaar (see the
announcement),
was packaged as breezy
and can be used instead.
Regarding Nixpkgs, fetchbzr
,
nix-prefetch-bzr
and Bazaar support in Hydra will
continue to work through Breezy.
In addition to the hostname, the fully qualified domain name (FQDN),
which consists of ${cfg.hostName}
and
${cfg.domain}
is now added to
/etc/hosts
, to allow local FQDN resolution, as used by the
hostname --fqdn
command and other applications that
try to determine the FQDN. These new entries take precedence over entries
from the DNS which could cause regressions in some very specific setups.
Additionally the hostname is now resolved to 127.0.0.2
instead of 127.0.1.1
to be consistent with what
nss-myhostname
(from systemd) returns.
The old behaviour can e.g. be restored by using
networking.hosts = lib.mkForce { "127.0.1.1" = [ config.networking.hostName ]; };
.
The hostname (networking.hostName
) must now be a valid
DNS label (see RFC 1035) and as such must not contain the domain part.
This means that the hostname must start with a letter, end with a letter
or digit, and have as interior characters only letters, digits, and
hyphen. The maximum length is 63 characters. Additionally it is
recommended to only use lower-case characters.
The GRUB specific option boot.loader.grub.extraInitrd
has been replaced with the generic option
boot.initrd.secrets
. This option creates a secondary
initrd from the specified files, rather than using a manually created
initrd file.
Due to an existing bug with boot.loader.grub.extraInitrd
,
it is not possible to directly boot an older generation that used that
option. It is still possible to rollback to that generation if the required
initrd file has not been deleted.
The DNSChain package and NixOS module have been removed from Nixpkgs as the software is unmaintained and can't be built. For more information see issue #89205.
In the resilio
module, services.resilio.httpListenAddr
has been changed to listen to [::1]
instead of 0.0.0.0
.
Users of OpenAFS 1.6 must
upgrade their services to OpenAFS 1.8! In this release, the OpenAFS package
version 1.6.24 is marked broken but can be used during transition to
OpenAFS 1.8.x. Use the options
services.openafsClient.packages.module
,
services.openafsClient.packages.programs
and
services.openafsServer.package
to select a different
OpenAFS package. OpenAFS 1.6 will be removed in the next release. The
package openafs
and the service options will then
silently point to the OpenAFS 1.8 release.
See also the OpenAFS Administrator Guide for instructions. Beware of the following when updating servers:
The storage format of the server key has changed and the key must be converted before running the new release.
When updating multiple database servers, turn off the database servers from the highest IP down to the lowest with resting periods in between. Start up in reverse order. Do not concurrently run database servers working with different OpenAFS releases!
Update servers first, then clients.
Radicale's default package has changed from 2.x to 3.x. An upgrade
checklist can be found
here.
You can use the newer version in the NixOS service by setting the
package
to radicale3
, which is done
automatically if stateVersion
is 20.09 or higher.
udpt
experienced a complete rewrite from C++ to rust. The configuration format changed from ini to toml.
The new configuration documentation can be found at
the official website and example
configuration is packaged in ${udpt}/share/udpt/udpt.toml
.
We now have a unified services.xserver.displayManager.autoLogin
option interface
to be used for every display-manager in NixOS.
The bitcoind
module has changed to multi-instance, using submodules.
Therefore, it is now mandatory to name each instance.
To use this new multi-instance config with an existing bitcoind data directory and user,
you have to adjust the original config, e.g.:
services.bitcoind = { enable = true; extraConfig = "..."; ... };
To something similar:
services.bitcoind.mainnet = { enable = true; dataDir = "/var/lib/bitcoind"; user = "bitcoin"; extraConfig = "..."; ... };
The key settings are:
dataDir
- to continue using the same data directory.
user
- to continue using the same user so that bitcoind maintains access to its files.
Graylog introduced a change in the LDAP server certificate validation behaviour for version 3.3.3 which might break existing setups. When updating Graylog from a version before 3.3.3 make sure to check the Graylog release info for information on how to avoid the issue.
The dokuwiki
module has changed to multi-instance, using submodules.
Therefore, it is now mandatory to name each instance. Moreover, forcing SSL by default has been dropped, so
nginx.forceSSL
and nginx.enableACME
are no longer set to true
.
To continue using your service with the original SSL settings, you have to adjust the original config, e.g.:
services.dokuwiki = { enable = true; ... };
To something similar:
services.dokuwiki."mywiki" = { enable = true; nginx = { forceSSL = true; enableACME = true; }; ... };
The base package has also been upgraded to the 2020-07-29 "Hogfather" release. Plugins might be incompatible or require upgrading.
The services.postgresql.dataDir
option is now set to "/var/lib/postgresql/${cfg.package.psqlSchema}"
regardless of your
system.stateVersion
. Users with an existing postgresql install that have a system.stateVersion
of 17.09
or below
should double check what the value of their services.postgresql.dataDir
option is (/var/db/postgresql
) and then explicitly
set this value to maintain compatibility:
services.postgresql.dataDir = "/var/db/postgresql";
The USBGuard module now removes options and instead hardcodes values for IPCAccessControlFiles
, ruleFiles
, and auditFilePath
. Audit logs can be found in the journal.
SD images are now compressed by default using zstd
. The compression for ISO images has also been changed to zstd
, but ISO images are still not compressed by default.
services.journald.rateLimitBurst
was updated from
1000
to 10000
to follow the new
upstream systemd default.
The notmuch package move its emacs-related binaries and
emacs lisp files to a separate output. They're not part
of the default out
output anymore - if you relied on the
notmuch-emacs-mua
binary or the emacs lisp files, access them via
the notmuch.emacs
output.
The default output of buildGoPackage
is now $out
instead of $bin
.
buildGoModule
doCheck
now defaults to true
.
Packages built using buildRustPackage
now use release
mode for the checkPhase
by default.
Please note that Rust packages utilizing a custom build/install procedure
(e.g. by using a Makefile
) or test suites that rely on the
structure of the target/
directory may break due to those assumptions.
For further information, please read the Rust section in the Nixpkgs manual.
The cc- and binutils-wrapper's "infix salt" and _BUILD_
and _TARGET_
user infixes have been replaced with with a "suffix salt" and suffixes and _FOR_BUILD
and _FOR_TARGET
.
This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier.
Additional Git documentation (HTML and text files) is now available via the git-doc
package.
Default algorithm for ZRAM swap was changed to zstd
.
The scripted networking system now uses .link
files in
/etc/systemd/network
to configure mac address and link MTU,
instead of the sometimes buggy network-link-*
units, which
have been removed.
Bringing the interface up has been moved to the beginning of the
network-addresses-*
unit.
Note this doesn't require systemd-networkd - it's udev that
parses .link
files.
Extra care needs to be taken in the presence of legacy udev rules
to rename interfaces, as MAC Address and MTU defined in these options can only match on the original link name.
In such cases, you most likely want to create a 10-*.link
file through systemd.network.links
and set both name and MAC Address / MTU there.
Grafana received a major update to version 7.x. A plugin is now needed for image rendering support, and plugins must now be signed by default. More information can be found in the Grafana documentation.
The hardware.u2f
module, which was installing udev rules
was removed, as udev gained native support to handle FIDO security tokens.
The services.transmission
module
was enhanced with the new options:
services.transmission.credentialsFile
,
services.transmission.openFirewall
,
and services.transmission.performanceNetParameters
.
transmission-daemon
is now started with additional systemd sandbox/hardening options for better security.
Please report
any use case where this is not working well.
In particular, the RootDirectory
option newly set
forbids uploading or downloading a torrent outside of the default directory
configured at settings.download-dir.
If you really need Transmission to access other directories,
you must include those directories into the BindPaths
of the service:
systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ];
Also, connection to the RPC (Remote Procedure Call) of transmission-daemon
is now only available on the local network interface by default.
Use:
services.transmission.settings.rpc-bind-address = "0.0.0.0";
to get the previous behavior of listening on all network interfaces.
With this release systemd-networkd
(when enabled through networking.useNetworkd
)
has it's netlink socket created through a systemd.socket
unit. This gives us control over
socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual)
devices the default buffer size (currently 128MB) is not enough.
On a machine with >100 virtual interfaces (e.g., wireguard tunnels, VLANs, …), that all have to be brought up during system startup, the receive buffer size will spike for a brief period. Eventually some of the message will be dropped since there is not enough (permitted) buffer space available.
By having systemd-networkd
start with a netlink socket created by
systemd
we can configure the ReceiveBufferSize=
parameter
in the socket options (i.e. systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize
)
without recompiling systemd-networkd
.
Since the actual memory requirements depend on hardware, timing, exact
configurations etc. it isn't currently possible to infer a good default
from within the NixOS module system. Administrators are advised to
monitor the logs of systemd-networkd
for rtnl: kernel receive buffer
overrun
spam and increase the memory limit as they see fit.
Note: Increasing the ReceiveBufferSize=
doesn't allocate any memory. It just increases
the upper bound on the kernel side. The memory allocation depends on the amount of messages that are
queued on the kernel side of the netlink socket.
Specifying mailboxes in the dovecot2 module
as a list is deprecated and will break eval in 21.03. Instead, an attribute-set should be specified where the name
should be the key of the attribute.
This means that a configuration like this
{ services.dovecot2.mailboxes = [ { name = "Junk"; auto = "create"; } ]; }
should now look like this:
{ services.dovecot2.mailboxes = { Junk.auto = "create"; }; }
netbeans was upgraded to 12.0 and now defaults to OpenJDK 11. This might cause problems if your projects depend on packages that were removed in Java 11.
nextcloud has been updated to v19.
If you have an existing installation, please make sure that you're on nextcloud18 before upgrading to nextcloud19 since Nextcloud doesn't support upgrades across multiple major versions.
The nixos-run-vms
script now deletes the
previous run machines states on test startup. You can use the
--keep-vm-state
flag to match the previous
behaviour and keep the same VM state between different test runs.
The nix.buildMachines option is now type-checked. There are no functional changes, however this may require updating some configurations to use correct types for all attributes.
The fontconfig
module stopped generating fontconfig 2.10.x config and cache.
Fontconfig 2.10.x was removed from Nixpkgs - it hasn't been used in any nixpkgs package anymore.
In addition to numerous new and upgraded packages, this release has the following highlights:
Support is planned until the end of October 2020, handing over to 20.09.
Core version changes:
gcc: 8.3.0 -> 9.2.0
glibc: 2.27 -> 2.30
linux: 4.19 -> 5.4
mesa: 19.1.5 -> 19.3.3
openssl: 1.0.2u -> 1.1.1d
Desktop version changes:
plasma5: 5.16.5 -> 5.17.5
kdeApplications: 19.08.2 -> 19.12.3
gnome3: 3.32 -> 3.34
pantheon: 5.0 -> 5.1.3
Linux kernel is updated to branch 5.4 by default (from 4.19).
Postgresql for NixOS service now defaults to v11.
The graphical installer image starts the graphical session automatically.
Before you'd be greeted by a tty and asked to enter systemctl start display-manager.
It is now possible to disable the display-manager from running by selecting the Disable display-manager
quirk in the boot menu.
GNOME 3 has been upgraded to 3.34. Please take a look at their Release Notes for details.
If you enable the Pantheon Desktop Manager via
services.xserver.desktopManager.pantheon.enable
, we now default to also use
Pantheon's newly designed greeter
.
Contrary to NixOS's usual update policy, Pantheon will receive updates during the cycle of
NixOS 20.03 when backwards compatible.
By default zfs pools will now be trimmed on a weekly basis.
Trimming is only done on supported devices (i.e. NVME or SSDs)
and should improve throughput and lifetime of these devices.
It is controlled by the services.zfs.trim.enable
varname.
The zfs scrub service (services.zfs.autoScrub.enable
)
and the zfs autosnapshot service (services.zfs.autoSnapshot.enable
)
are now only enabled if zfs is set in config.boot.initrd.supportedFilesystems
or
config.boot.supportedFilesystems
. These lists will automatically contain
zfs as soon as any zfs mountpoint is configured in fileSystems
.
nixos-option has been rewritten in C++, speeding it up, improving correctness,
and adding a -r
option which prints all options and their values recursively.
services.xserver.desktopManager.default
and services.xserver.windowManager.default
options were replaced by a single services.xserver.displayManager.defaultSession
option to improve support for upstream session files. If you used something like:
services.xserver.desktopManager.default = "xfce"; services.xserver.windowManager.default = "icewm";
you should change it to:
services.xserver.displayManager.defaultSession = "xfce+icewm";
The testing driver implementation in NixOS is now in Python make-test-python.nix
.
This was done by Jacek Galowicz (@tfc), and with the
collaboration of Julian Stecklina (@blitz) and
Jana Traue (@jtraue). All documentation has been updated to use this
testing driver, and a vast majority of the 286 tests in NixOS were ported to python driver. In 20.09 the Perl driver implementation,
make-test.nix
, is slated for removal. This should give users of the NixOS integration framework
a transitory period to rewrite their tests to use the Python implementation. Users of the Perl driver will see
this warning everytime they use it:
$
warning: Perl VM tests are deprecated and will be removed for 20.09.
Please update your tests to use the python test driver.
See https://github.com/NixOS/nixpkgs/pull/71684 for details.
API compatibility is planned to be kept for at least the next release with the perl driver.
The following new services were added since the last release:
The kubernetes kube-proxy now supports a new hostname configuration
services.kubernetes.proxy.hostname
which has to
be set if the hostname of the node should be non default.
UPower's configuration is now managed by NixOS and can be customized
via services.upower
.
To use Geary you should enable programs.geary.enable
instead of
just adding it to environment.systemPackages
.
It was created so Geary could function properly outside of GNOME.
./config/console.nix
./hardware/brillo.nix
./hardware/tuxedo-keyboard.nix
./programs/bandwhich.nix
./programs/bash-my-aws.nix
./programs/liboping.nix
./programs/traceroute.nix
./services/backup/sanoid.nix
./services/backup/syncoid.nix
./services/backup/zfs-replication.nix
./services/continuous-integration/buildkite-agents.nix
./services/databases/victoriametrics.nix
./services/desktops/gnome3/gnome-initial-setup.nix
./services/desktops/neard.nix
./services/games/openarena.nix
./services/hardware/fancontrol.nix
./services/mail/sympa.nix
./services/misc/freeswitch.nix
./services/misc/mame.nix
./services/monitoring/do-agent.nix
./services/monitoring/prometheus/xmpp-alerts.nix
./services/network-filesystems/orangefs/server.nix
./services/network-filesystems/orangefs/client.nix
./services/networking/3proxy.nix
./services/networking/corerad.nix
./services/networking/go-shadowsocks2.nix
./services/networking/ntp/openntpd.nix
./services/networking/shorewall.nix
./services/networking/shorewall6.nix
./services/networking/spacecookie.nix
./services/networking/trickster.nix
./services/networking/v2ray.nix
./services/networking/xandikos.nix
./services/networking/yggdrasil.nix
./services/web-apps/dokuwiki.nix
./services/web-apps/gotify-server.nix
./services/web-apps/grocy.nix
./services/web-apps/ihatemoney
./services/web-apps/moinmoin.nix
./services/web-apps/trac.nix
./services/web-apps/trilium.nix
./services/web-apps/shiori.nix
./services/web-servers/ttyd.nix
./services/x11/picom.nix
./services/x11/hardware/digimend.nix
./services/x11/imwheel.nix
./virtualisation/cri-o.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
The dhcpcd package
does not request IPv4 addresses for tap and bridge interfaces anymore by default.
In order to still get an address on a bridge interface, one has to disable
networking.useDHCP
and explicitly enable
networking.interfaces.<name>.useDHCP
on
every interface, that should get an address via DHCP. This way, dhcpcd
is configured in an explicit way about which interface to run on.
GnuPG is now built without support for a graphical passphrase entry
by default. Please enable the gpg-agent
user service
via the NixOS option programs.gnupg.agent.enable
.
Note that upstream recommends using gpg-agent
and
will spawn a gpg-agent
on the first invocation of
GnuPG anyway.
The dynamicHosts
option has been removed from the
NetworkManager
module. Allowing (multiple) regular users to override host entries
affecting the whole system opens up a huge attack vector.
There seem to be very rare cases where this might be useful.
Consider setting system-wide host entries using
networking.hosts, provide
them via the DNS server in your network, or use
environment.etc
to add a file into /etc/NetworkManager/dnsmasq.d
reconfiguring hostsdir
.
The 99-main.network
file was removed. Matching all
network interfaces caused many breakages, see
#18962
and #71106.
We already don't support the global networking.useDHCP, networking.defaultGateway and networking.defaultGateway6 options if networking.useNetworkd is enabled, but direct users to configure the per-device networking.interfaces.<name>.… options.
The stdenv now runs all bash with set -u
, to catch the use of undefined variables.
Before, it itself used set -u
but was careful to unset it so other packages' code ran as before.
Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded.
The SLIM Display Manager has been removed, as it has been unmaintained since 2013. Consider migrating to a different display manager such as LightDM (current default in NixOS), SDDM, GDM, or using the startx module which uses Xinitrc.
The Way Cooler wayland compositor has been removed, as the project has been officially canceled.
There are no more way-cooler
attribute and programs.way-cooler
options.
The BEAM package set has been deleted. You will only find there the different interpreters. You should now use the different build tools coming with the languages with sandbox mode disabled.
There is now only one Xfce package-set and module. This means that attributes xfce4-14
and xfceUnstable
all now point to the latest Xfce 4.14
packages. And in the future NixOS releases will be the latest released version of Xfce available at the
time of the release's development (if viable).
The phpfpm module now sets
PrivateTmp=true
in its systemd units for better process isolation.
If you rely on /tmp
being shared with other services, explicitly override this by
setting serviceConfig.PrivateTmp
to false
for each phpfpm unit.
KDE’s old multimedia framework Phonon no longer supports Qt 4. For that reason, Plasma desktop also does not have enableQt4Support
option any more.
The BeeGFS module has been removed.
The osquery module has been removed.
Going forward, ~/bin
in the users home directory will no longer be in PATH
by default.
If you depend on this you should set the option environment.homeBinInPath
to true
.
The aforementioned option was added this release.
The buildRustCrate
infrastructure now produces lib
outputs in addition to the out
output.
This has led to drastically reduced closure sizes for some rust crates since development dependencies are now in the lib
output.
Pango was upgraded to 1.44, which no longer uses freetype for font loading. This means that type1 and bitmap fonts are no longer supported in applications relying on Pango for font rendering (notably, GTK application). See upstream issue for more information.
The roundcube
module has been hardened.
The password of the database is not written world readable in the store any more. If database.host
is set to localhost
, then a unix user of the same name as the database will be created and PostreSQL peer authentication will be used, removing the need for a password. Otherwise, a password is still needed and can be provided with the new option database.passwordFile
, which should be set to the path of a file containing the password and readable by the user nginx
only. The database.password
option is insecure and deprecated. Usage of this option will print a warning.
A random des_key
is set by default in the configuration of roundcube, instead of using the hardcoded and insecure default. To ensure a clean migration, all users will be logged out when you upgrade to this release.
The packages openobex
and obexftp
are no longer installed when enabling Bluetooth via
hardware.bluetooth.enable
.
The dump1090
derivation has been changed to use FlightAware's dump1090
as its upstream. However, this version does not have an internal webserver anymore. The
assets in the share/dump1090
directory of the derivation can be used
in conjunction with an external webserver to replace this functionality.
The fourStore and fourStoreEndpoint modules have been removed.
Polkit no longer has the user of uid 0 (root) as an admin identity. We now follow the upstream default of only having every member of the wheel group admin privileged. Before it was root and members of wheel. The positive outcome of this is pkexec GUI popups or terminal prompts will no longer require the user to choose between two essentially equivalent choices (whether to perform the action as themselves with wheel permissions, or as the root user).
NixOS containers no longer build NixOS manual by default. This saves evaluation time,
especially if there are many declarative containers defined. Note that this is already done
when <nixos/modules/profiles/minimal.nix>
module is included
in container config.
The kresd
services deprecates the interfaces
option
in favor of the listenPlain
option which requires full
systemd.socket compatible
declaration which always include a port.
Virtual console options have been reorganized and can be found under
a single top-level attribute: console
.
The full set of changes is as follows:
i18n.consoleFont
renamed to
console.font
i18n.consoleKeyMap
renamed to
console.keyMap
i18n.consoleColors
renamed to
console.colors
i18n.consolePackages
renamed to
console.packages
i18n.consoleUseXkbConfig
renamed to
console.useXkbConfig
boot.earlyVconsoleSetup
renamed to
console.earlySetup
boot.extraTTYs
renamed to
console.extraTTYs
The awstats module has been rewritten to serve stats via static html pages, updated on a timer, over nginx, instead of dynamic cgi pages over apache.
Minor changes will be required to migrate existing configurations. Details of the required changes can seen by looking through the awstats module.
The httpd module no longer provides options to support serving web content without defining a virtual host. As a
result of this the services.httpd.logPerVirtualHost
option now defaults to true
instead of false
. Please update your
configuration to make use of services.httpd.virtualHosts.
The services.httpd.virtualHosts.<name> option has changed type from a list of submodules to an attribute set of submodules, better matching services.nginx.virtualHosts.<name>.
This change comes with the addition of the following options which mimic the functionality of their nginx
counterparts:
services.httpd.virtualHosts.<name>.addSSL,
services.httpd.virtualHosts.<name>.forceSSL,
services.httpd.virtualHosts.<name>.onlySSL,
services.httpd.virtualHosts.<name>.enableACME,
services.httpd.virtualHosts.<name>.acmeRoot, and
services.httpd.virtualHosts.<name>.useACMEHost.
For NixOS configuration options, the loaOf
type has
been deprecated and will be removed in a future release. In nixpkgs,
options of this type will be changed to attrsOf
instead. If you were using one of these in your configuration, you will
see a warning suggesting what changes will be required.
For example, users.users is a
loaOf
option that is commonly used as follows:
users.users = [ { name = "me"; description = "My personal user."; isNormalUser = true; } ];
This should be rewritten by removing the list and using the
value of name
as the name of the attribute set:
users.users.me = { description = "My personal user."; isNormalUser = true; };
For more information on this change have look at these links: issue #1800, PR #63103.
For NixOS modules, the types types.submodule
and types.submoduleWith
now support
paths as allowed values, similar to how imports
supports paths.
Because of this, if you have a module that defines an option of type
either (submodule ...) path
, it will break since a path
is now treated as the first type instead of the second. To fix this, change
the type to either path (submodule ...)
.
The Buildkite
Agent module and corresponding packages have been updated to
3.x, and to support multiple instances of the agent running at the
same time. This means you will have to rename
services.buildkite-agent
to
services.buildkite-agents.<name>
. Furthermore,
the following options have been changed:
services.buildkite-agent.meta-data
has been renamed to
services.buildkite-agents.<name>.tags,
to match upstreams naming for 3.x.
Its type has also changed - it now accepts an attrset of strings.
Theservices.buildkite-agent.openssh.publicKeyPath
option
has been removed, as it's not necessary to deploy public keys to clone private
repositories.
services.buildkite-agent.openssh.privateKeyPath
has been renamed to
buildkite-agents.<name>.privateSshKeyPath,
as the whole openssh
now only contained that single option.
services.buildkite-agents.<name>.shell has been introduced, allowing to specify a custom shell to be used.
The citrix_workspace_19_3_0
package has been removed as
it will be EOLed within the lifespan of 20.03. For further information,
please refer to the support and maintenance information from upstream.
The gcc5
and gfortran5
packages have been removed.
The services.xserver.displayManager.auto
module has been removed.
It was only intended for use in internal NixOS tests, and gave the false impression
of it being a special display manager when it's actually LightDM.
Please use the services.xserver.displayManager.lightdm.autoLogin
options instead,
or any other display manager in NixOS as they all support auto-login. If you used this module specifically
because it permitted root auto-login you can override the lightdm-autologin pam module like:
security.pam.services.lightdm-autologin.text = lib.mkForce '' auth requisite pam_nologin.so auth required pam_succeed_if.so quiet auth required pam_permit.so account include lightdm password include lightdm session include lightdm '';
The difference is the:
auth required pam_succeed_if.so quiet
line, where default it's:
auth required pam_succeed_if.so uid >= 1000 quiet
not permitting users with uid's below 1000 (like root). All other display managers in NixOS are configured like this.
There have been lots of improvements to the Mailman module. As a result,
The services.mailman.hyperkittyBaseUrl
option has been renamed to services.mailman.hyperkitty.baseUrl
.
The services.mailman.hyperkittyApiKey
option has been removed. This is because having an option
for the Hyperkitty API key meant that the API key would be
stored in the world-readable Nix store, which was a
security vulnerability. A new Hyperkitty API key will be
generated the first time the new Hyperkitty service is run,
and it will then be persisted outside of the Nix store. To
continue using Hyperkitty, you must set services.mailman.hyperkitty.enable
to
true
.
Additionally, some Postfix configuration must now be set manually instead of automatically by the Mailman module:
services.postfix.relayDomains
= [ "hash:/var/lib/mailman/data/postfix_domains" ];services.postfix.config
.transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];services.postfix.config
.local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
This is because some users may want to include other values in these lists as well, and this was not possible if they were set automatically by the Mailman module. It would not have been possible to just concatenate values from multiple modules each setting the values they needed, because the order of elements in the list is significant.
The LLVM versions 3.5, 3.9 and 4 (including the corresponding CLang versions) have been dropped.
The networking.interfaces.*.preferTempAddress
option has
been replaced by networking.interfaces.*.tempAddress
.
The new option allows better control of the IPv6 temporary addresses,
including completely disabling them for interfaces where they are not
needed.
Rspamd was updated to version 2.2. Read the upstream migration notes carefully. Please be especially aware that some modules were removed and the default Bayes backend is now Redis.
The *psu
versions of oraclejdk8 have been removed
as they aren't provided by upstream anymore.
The services.dnscrypt-proxy
module has been removed
as it used the deprecated version of dnscrypt-proxy. We've added
services.dnscrypt-proxy2.enable
to use the supported version.
This module supports configuration via the Nix attribute set
services.dnscrypt-proxy2.settings
, or by passing a TOML configuration file via
services.dnscrypt-proxy2.configFile
.
# Example configuration: services.dnscrypt-proxy2.enable = true; services.dnscrypt-proxy2.settings = { listen_addresses = [ "127.0.0.1:43" ]; sources.public-resolvers = { urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ]; cache_file = "public-resolvers.md"; minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; refresh_delay = 72; }; }; services.dnsmasq.enable = true; services.dnsmasq.servers = [ "127.0.0.1#43" ];
qesteidutil
has been deprecated in favor of qdigidoc
.
sqldeveloper_18 has been removed as it's not maintained anymore,
sqldeveloper has been updated to version 19.4
.
Please note that this means that this means that the oraclejdk is now
required. For further information please read the
release notes.
Haskell env
and shellFor
dev shell environments now organize dependencies the same way as regular builds.
In particular, rather than receiving all the different lists of dependencies mashed together as one big list, and then partitioning into Haskell and non-Hakell dependencies, they work from the original many different dependency parameters and don't need to algorithmically partition anything.
This means that if you incorrectly categorize a dependency, e.g. non-Haskell library dependency as a buildDepends
or run-time Haskell dependency as a setupDepends
, whereas things would have worked before they may not work now.
The gcc-snapshot-package has been removed. It's marked as broken for >2 years and used to point to a fairly old snapshot from the gcc7-branch.
The nixos-build-vms(8)-script now uses the python test-driver.
The riot-web package now accepts configuration overrides as an attribute set instead of a string.
A formerly used JSON configuration can be converted to an attribute set with builtins.fromJSON
.
The new default configuration also disables automatic guest account registration and analytics to improve privacy.
The previous behavior can be restored by setting config.riot-web.conf = { disable_guests = false; piwik = true; }
.
Stand-alone usage of Upower
now requires
services.upower.enable
instead of just installing into
environment.systemPackages
.
nextcloud has been updated to v18.0.2
. This means
that users from NixOS 19.09 can't upgrade directly since you can only move one version
forward and 19.09 uses v16.0.8
.
To provide a safe upgrade-path and to circumvent similar issues in the future, the following measures were taken:
The pkgs.nextcloud-attribute has been removed and replaced with versioned attributes (currently pkgs.nextcloud17 and pkgs.nextcloud18). With this change major-releases can be backported without breaking stuff and to make upgrade-paths easier.
Existing setups will be detected using system.stateVersion: by default, nextcloud17 will be used, but will raise a warning which notes that after that deploy it's recommended to update to the latest stable version (nextcloud18) by declaring the newly introduced setting services.nextcloud.package.
Users with an overlay (e.g. to use nextcloud at version
v18
on 19.09
) will get an evaluation error
by default. This is done to ensure that our
package-option doesn't select an
older version by accident. It's recommended to use pkgs.nextcloud18
or to set package to
pkgs.nextcloud explicitly.
Please note that if you're coming from 19.03
or older, you have
to manually upgrade to 19.09
first to upgrade your server
to Nextcloud v16.
Hydra has gained a massive performance improvement due to some database schema changes by adding several IDs and better indexing. However, it's necessary to upgrade Hydra in multiple steps:
At first, an older version of Hydra needs to be deployed which adds those
(nullable) columns. When having set stateVersion
to a value older than 20.03
, this package will be selected
by default from the module when upgrading. Otherwise, the package can be deployed using
the following config:
{ pkgs, ... }: { services.hydra.package = pkgs.hydra-migration; }
Automatically fill the newly added ID columns on the server by running the following command:
$
hydra-backfill-ids
Please note that this process can take a while depending on your database-size!
Deploy a newer version of Hydra to activate the DB optimizations. This can be done by using hydra-unstable. This package already includes flake-support and is therefore compiled against pkgs.nixFlakes.
If your stateVersion is set to
20.03
or greater, hydra-unstable will be used
automatically! This will break your setup if you didn't run the migration.
Please note that Hydra is currently not available with nixStable as this doesn't compile anymore.
pkgs.hydra has been removed to ensure a graceful database-migration
using the dedicated package-attributes. If you still have pkgs.hydra
defined in e.g. an overlay, an assertion error will be thrown. To circumvent this,
you need to set services.hydra.package
to pkgs.hydra
explicitly and make sure you know what you're doing!
The TokuDB storage engine will be disabled in mariadb 10.5. It is recommended to switch to RocksDB. See also TokuDB.
SD images are now compressed by default using bzip2
.
The nginx web server previously started its master process as root
privileged, then ran worker processes as a less privileged identity user
(the nginx
user).
This was changed to start all of nginx as a less privileged user (defined by
services.nginx.user
and
services.nginx.group
). As a consequence, all files that
are needed for nginx to run (included configuration fragments, SSL
certificates and keys, etc.) must now be readable by this less privileged
user/group.
To continue to use the old approach, you can configure:
services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};''; systemd.services.nginx.serviceConfig.User = lib.mkForce "root";
OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features but with potential incompatibilities. Consult the release announcement for more information.
PRETTY_NAME
in /etc/os-release
now uses the short rather than full version string.
The ACME module has switched from simp-le to lego
which allows us to support DNS-01 challenges and wildcard certificates. The following options have been added:
security.acme.acceptTerms,
security.acme.certs.<name>.dnsProvider,
security.acme.certs.<name>.credentialsFile,
security.acme.certs.<name>.dnsPropagationCheck.
As well as this, the options security.acme.acceptTerms
and either
security.acme.email
or security.acme.certs.<name>.email
must be set in order to use the ACME module.
Certificates will be regenerated on activation, no account or certificate will be migrated from simp-le.
In particular private keys will not be preserved. However, the credentials for simp-le are preserved and
thus it is possible to roll back to previous versions without breaking certificate generation.
Note also that in contrary to simp-le a new private key is recreated at each renewal by default, which can
have consequences if you embed your public key in apps.
It is now possible to unlock LUKS-Encrypted file systems using a FIDO2 token
via boot.initrd.luks.fido2Support
.
Predictably named network interfaces get renamed in stage-1. This means that it is possible to use the proper interface name for e.g. Dropbear setups.
For further reference, please read #68953 or the corresponding discourse thread.
The matrix-synapse-package has been updated to v1.11.1. Due to stricter requirements for database configuration when using postgresql, the automated database setup of the module has been removed to avoid any further edge-cases.
matrix-synapse expects postgresql
-databases to have the options
LC_COLLATE
and LC_CTYPE
set to
'C'
which basically
instructs postgresql
to ignore any locale-based preferences.
Depending on your setup, you need to incorporate one of the following changes in your setup to upgrade to 20.03:
If you use sqlite3
you don't need to do anything.
If you use postgresql
on a different server, you don't need
to change anything as well since this module was never designed to configure remote databases.
If you use postgresql
and configured your synapse initially on
19.09
or older, you simply need to enable postgresql-support
explicitly:
{ ... }: { services.matrix-synapse = { enable = true; /* and all the other config you've defined here */ }; services.postgresql.enable = true; }
If you deploy a fresh matrix-synapse, you need to configure the database yourself (e.g. by using the services.postgresql.initialScript option). An example for this can be found in the documentation of the Matrix module.
If you initially deployed your matrix-synapse on
nixos-unstable
after the 19.09
-release,
your database is misconfigured due to a regression in NixOS. For now, matrix-synapse will
startup with a warning, but it's recommended to reconfigure the database to set the values
LC_COLLATE
and LC_CTYPE
to
'C'
.
The systemd.network.links option is now respected
even when systemd-networkd is disabled.
This mirrors the behaviour of systemd - It's udev that parses .link
files,
not systemd-networkd.
mongodb has been updated to version 3.4.24
.
Please note that mongodb has been relicensed under their own
sspl
-license. Since it's not entirely free and not OSI-approved,
it's listed as non-free. This means that Hydra doesn't provide prebuilt
mongodb-packages and needs to be built locally.
In addition to numerous new and upgraded packages, this release has the following highlights:
End of support is planned for end of April 2020, handing over to 20.03.
Nix has been updated to 2.3; see its release notes.
Core version changes:
systemd: 239 -> 243
gcc: 7 -> 8
glibc: 2.27 (unchanged)
linux: 4.19 LTS (unchanged)
openssl: 1.0 -> 1.1
Desktop version changes:
plasma5: 5.14 -> 5.16
gnome3: 3.30 -> 3.32
PHP now defaults to PHP 7.3, updated from 7.2.
PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release.
The binfmt module is now easier to use. Additional systems can
be added through boot.binfmt.emulatedSystems
.
For instance, boot.binfmt.emulatedSystems = [
"wasm32-wasi" "x86_64-windows" "aarch64-linux" ];
will
set up binfmt interpreters for each of those listed systems.
The installer now uses a less privileged nixos
user whereas before we logged in as root.
To gain root privileges use sudo -i
without a password.
We've updated to Xfce 4.14, which brings a new module services.xserver.desktopManager.xfce4-14
.
If you'd like to upgrade, please switch from the services.xserver.desktopManager.xfce
module as it
will be deprecated in a future release. They're incompatibilities with the current Xfce module; it doesn't support
thunarPlugins
and it isn't recommended to use services.xserver.desktopManager.xfce
and services.xserver.desktopManager.xfce4-14
simultaneously or to downgrade from Xfce 4.14 after upgrading.
The GNOME 3 desktop manager module sports an interface to enable/disable core services, applications, and optional GNOME packages like games.
This can be achieved with the following options which the desktop manager default enables, excluding games
.
With these options we hope to give users finer grained control over their systems. Prior to this change you'd either have to manually
disable options or use environment.gnome3.excludePackages
which only excluded the optional applications.
environment.gnome3.excludePackages
is now unguarded, it can exclude any package installed with environment.systemPackages
in the GNOME 3 module.
Orthogonal to the previous changes to the GNOME 3 desktop manager module, we've updated all default services and applications to match as close as possible to a default reference GNOME 3 experience.
services.gnome3.core-utilities.enable
Applications removed from defaults:
accerciser
dconf-editor
evolution
gnome-documents
gnome-nettool
gnome-power-manager
gnome-todo
gnome-tweaks
gnome-usage
gucharmap
nautilus-sendto
vinagre
Applications added to defaults:
cheese
geary
services.gnome3.core-shell.enable
Applications added to defaults:
gnome-color-manager
orca
Services enabled:
services.avahi.enable
The following new services were added since the last release:
./programs/dwm-status.nix
The new hardware.printers
module allows to declaratively configure CUPS printers
via the ensurePrinters
and
ensureDefaultPrinter
options.
ensurePrinters
will never delete existing printers,
but will make sure that the given printers are configured as declared.
There is a new services.system-config-printer.enable
and programs.system-config-printer.enable
module
for the program of the same name. If you previously had system-config-printer
enabled through some other
means you should migrate to using one of these modules.
If you're a user of the following desktopManager modules no action is needed:
services.xserver.desktopManager.plasma5
services.xserver.desktopManager.gnome3
services.xserver.desktopManager.pantheon
services.xserver.desktopManager.mate
Note Mate uses programs.system-config-printer
as it doesn't
use it as a service, but its graphical interface directly.
services.blueman.enable
has been added.
If you previously had blueman installed via environment.systemPackages
please
migrate to using the NixOS module, as this would result in an insufficiently configured blueman.
When upgrading from a previous release, please be aware of the following incompatible changes:
Buildbot no longer supports Python 2, as support was dropped upstream in version 2.0.0. Configurations may need to be modified to make them compatible with Python 3.
PostgreSQL now uses
/run/postgresql
as its socket
directory instead of /tmp
. So
if you run an application like eg. Nextcloud, where you need to use
the Unix socket path as the database host name, you need to change it
accordingly.
PostgreSQL 9.4 is scheduled EOL during the 19.09 life cycle and has been removed.
The options services.prometheus.alertmanager.user
and
services.prometheus.alertmanager.group
have been removed
because the alertmanager service is now using systemd's
DynamicUser mechanism which obviates these options.
The NetworkManager systemd unit was renamed back from network-manager.service to NetworkManager.service for better compatibility with other applications expecting this name. The same applies to ModemManager where modem-manager.service is now called ModemManager.service again.
The services.nzbget.configFile
and services.nzbget.openFirewall
options were removed as they are managed internally by the nzbget. The
services.nzbget.dataDir
option hadn't actually been used by
the module for some time and so was removed as cleanup.
The services.mysql.pidDir
option was removed, as it was only used by the wordpress
apache-httpd service to wait for mysql to have started up.
This can be accomplished by either describing a dependency on mysql.service (preferred)
or waiting for the (hardcoded) /run/mysqld/mysql.sock
file to appear.
The services.emby.enable
module has been removed, see
services.jellyfin.enable
instead for a free software fork of Emby.
See the Jellyfin documentation:
Migrating from Emby to Jellyfin
IPv6 Privacy Extensions are now enabled by default for undeclared
interfaces. The previous behaviour was quite misleading — even though
the default value for
networking.interfaces.*.preferTempAddress
was
true
, undeclared interfaces would not prefer temporary
addresses. Now, interfaces not mentioned in the config will prefer
temporary addresses. EUI64 addresses can still be set as preferred by
explicitly setting the option to false
for the
interface in question.
Since Bittorrent Sync was superseded by Resilio Sync in 2016, the
bittorrentSync
, bittorrentSync14
,
and bittorrentSync16
packages have been removed in
favor of resilio-sync
.
The corresponding module, services.btsync
has been
replaced by the services.resilio
module.
The httpd service no longer attempts to start the postgresql service. If you have come to depend
on this behaviour then you can preserve the behavior with the following configuration:
systemd.services.httpd.after = [ "postgresql.service" ];
The option services.httpd.extraSubservices
has been
marked as deprecated. You may still use this feature, but it will be
removed in a future release of NixOS. You are encouraged to convert any
httpd subservices you may have written to a full NixOS module.
Most of the httpd subservices packaged with NixOS have been replaced with
full NixOS modules including LimeSurvey, WordPress, and Zabbix. These
modules can be enabled using the services.limesurvey.enable
,
services.mediawiki.enable
, services.wordpress.enable
,
and services.zabbixWeb.enable
options.
The option systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnlink
was renamed to systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnLink
(capital L
). This follows
upstreams renaming
of the setting.
As of this release the NixOps feature autoLuks
is deprecated. It no longer works
with our systemd version without manual intervention.
Whenever the usage of the module is detected the evaluation will fail with a message explaining why and how to deal with the situation.
A new knob named nixops.enableDeprecatedAutoLuks
has been introduced to disable the eval failure and to acknowledge the notice was received and read.
If you plan on using the feature please note that it might break with subsequent updates.
Make sure you set the _netdev
option for each of the file systems referring to block
devices provided by the autoLuks module. Not doing this might render the system in a
state where it doesn't boot anymore.
If you are actively using the autoLuks
module please let us know in
issue #62211.
The setopt declarations will be evaluated at the end of /etc/zshrc
, so any code in programs.zsh.interactiveShellInit
,
programs.zsh.loginShellInit
and programs.zsh.promptInit
may break if it relies on those options being set.
The prometheus-nginx-exporter
package now uses the offical exporter provided by NGINX Inc.
Its metrics are differently structured and are incompatible to the old ones. For information about the metrics,
have a look at the official repo.
The shibboleth-sp
package has been updated to version 3.
It is largely backward compatible, for further information refer to the
release notes
and upgrade guide.
Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.
By default, prometheus exporters are now run with DynamicUser
enabled.
Exporters that need a real user, now run under a seperate user and group which follow the pattern <exporter-name>-exporter
, instead of the previous default nobody
and nogroup
.
Only some exporters are affected by the latter, namely the exporters dovecot
, node
, postfix
and varnish
.
The ibus-qt
package is not installed by default anymore when i18n.inputMethod.enabled
is set to ibus
.
If IBus support in Qt 4.x applications is required, add the ibus-qt
package to your environment.systemPackages
manually.
The CUPS Printing service now uses socket-based activation by
default, only starting when needed. The previous behavior can
be restored by setting
services.cups.startWhenNeeded
to
false
.
The services.systemhealth
module has been removed from nixpkgs due to lack of maintainer.
The services.mantisbt
module has been removed from nixpkgs due to lack of maintainer.
Squid 3 has been removed and the squid
derivation now refers to Squid 4.
The services.pdns-recursor.extraConfig
option has been replaced by
services.pdns-recursor.settings
. The new option allows setting extra
configuration while being better type-checked and mergeable.
No service depends on keys.target
anymore which is a systemd
target that indicates if all NixOps keys were successfully uploaded.
Instead, <key-name>-key.service
should be used to define
a dependency of a key in a service. The full issue behind the keys.target
dependency is described at NixOS/nixpkgs#67265.
The following services are affected by this:
The security.acme.directory
option has been replaced by a read-only security.acme.certs.<cert>.directory
option for each certificate you define. This will be
a subdirectory of /var/lib/acme
. You can use this read-only option to figure out where the certificates are stored for a specific certificate. For example,
the services.nginx.virtualhosts.<name>.enableACME
option will use this directory option to find the certs for the virtual host.
security.acme.preDelay
and security.acme.activationDelay
options have been removed. To execute a service before certificates
are provisioned or renewed add a RequiredBy=acme-${cert}.service
to any service.
Furthermore, the acme module will not automatically add a dependency on lighttpd.service
anymore. If you are using certficates provided by letsencrypt
for lighttpd, then you should depend on the certificate service acme-${cert}.service>
manually.
For nginx, the dependencies are still automatically managed when services.nginx.virtualhosts.<name>.enableACME
is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs,
instead of depending on the catch-all acme-certificates.target
. This target unit was also removed from the codebase.
This will mean nginx will no longer depend on certificates it isn't explicitly managing and fixes a bug with certificate renewal
ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at
NixOS/nixpkgs#60180.
The old deprecated emacs
package sets have been dropped.
What used to be called emacsPackagesNg
is now simply called emacsPackages
.
services.xserver.desktopManager.xterm
is now disabled by default if stateVersion
is 19.09 or higher.
Previously the xterm desktopManager was enabled when xserver was enabled, but it isn't useful for all people so it didn't make sense to
have any desktopManager enabled default.
The WeeChat plugin pkgs.weechatScripts.weechat-xmpp
has been removed as it doesn't receive
any updates from upstream and depends on outdated Python2-based modules.
Old unsupported versions (logstash5
,
kibana5
,
filebeat5
,
heartbeat5
,
metricbeat5
,
packetbeat5
) of the ELK-stack and Elastic beats have been removed.
For NixOS 19.03, both Prometheus 1 and 2 were available to allow for
a seamless transition from version 1 to 2 with existing setups.
Because Prometheus 1 is no longer developed, it was removed.
Prometheus 2 is now configured with services.prometheus
.
Citrix Receiver (citrix_receiver
) has been dropped in favor of Citrix Workspace
(citrix_workspace
).
The services.gitlab
module has had its literal secret options (services.gitlab.smtp.password
,
services.gitlab.databasePassword
,
services.gitlab.initialRootPassword
,
services.gitlab.secrets.secret
,
services.gitlab.secrets.db
,
services.gitlab.secrets.otp
and
services.gitlab.secrets.jws
) replaced by file-based versions (services.gitlab.smtp.passwordFile
,
services.gitlab.databasePasswordFile
,
services.gitlab.initialRootPasswordFile
,
services.gitlab.secrets.secretFile
,
services.gitlab.secrets.dbFile
,
services.gitlab.secrets.otpFile
and
services.gitlab.secrets.jwsFile
). This was done so that secrets aren't stored
in the world-readable nix store, but means that for each option you'll have to create a file with
the same exact string, add "File" to the end of the option name, and change the definition to a
string pointing to the corresponding file; e.g. services.gitlab.databasePassword = "supersecurepassword"
becomes services.gitlab.databasePasswordFile = "/path/to/secret_file"
where the
file secret_file
contains the string supersecurepassword
.
The state path (services.gitlab.statePath
) now has the following restriction:
no parent directory can be owned by any other user than root
or the user
specified in services.gitlab.user
; i.e. if services.gitlab.statePath
is set to /var/lib/gitlab/state
, gitlab
and all parent directories
must be owned by either root
or the user specified in services.gitlab.user
.
The networking.useDHCP
option is unsupported in combination with
networking.useNetworkd
in anticipation of defaulting to it.
It has to be set to false
and enabled per
interface with networking.interfaces.<name>.useDHCP = true;
The Twitter client corebird
has been dropped as it is discontinued and does not work against the new Twitter API.
Please use the fork cawbird
instead which has been adapted to the API changes and is still maintained.
The nodejs-11_x
package has been removed as it's EOLed by upstream.
Because of the systemd upgrade,
systemd-timesyncd will no longer work if
system.stateVersion
is not set correctly. When
upgrading from NixOS 19.03, please make sure that
system.stateVersion
is set to
"19.03"
, or lower if the installation dates back to an
earlier version of NixOS.
Due to the short lifetime of non-LTS kernel releases package attributes like linux_5_1
,
linux_5_2
and linux_5_3
have been removed to discourage dependence
on specific non-LTS kernel versions in stable NixOS releases.
Going forward, versioned attributes like linux_4_9
will exist for LTS versions only.
Please use linux_latest
or linux_testing
if you depend on non-LTS
releases. Keep in mind that linux_latest
and linux_testing
will
change versions under the hood during the lifetime of a stable release and might include breaking changes.
Because of the systemd upgrade, some network interfaces might change their name. For details see upstream docs or our ticket.
The documentation
module gained an option named
documentation.nixos.includeAllModules
which makes the
generated configuration.nix(5) manual page include all options
from all NixOS modules included in a given
configuration.nix
configuration file. Currently, it is
set to false
by default as enabling it frequently
prevents evaluation. But the plan is to eventually have it set to
true
by default. Please set it to
true
now in your configuration.nix
and fix all the bugs it uncovers.
The vlc
package gained support for Chromecast
streaming, enabled by default. TCP port 8010 must be open for it to work,
so something like networking.firewall.allowedTCPPorts = [ 8010
];
may be required in your configuration. Also consider enabling
Accelerated Video Playback for better transcoding performance.
The following changes apply if the stateVersion
is
changed to 19.09 or higher. For stateVersion = "19.03"
or lower the old behavior is preserved.
solr.package
defaults to
pkgs.solr_8
.
The hunspellDicts.fr-any
dictionary now ships with fr_FR.{aff,dic}
which is linked to fr-toutesvariantes.{aff,dic}
.
The mysql
service now runs as mysql
user. Previously, systemd did execute it as root, and mysql dropped privileges
itself.
This includes ExecStartPre=
and
ExecStartPost=
phases.
To accomplish that, runtime and data directory setup was delegated to
RuntimeDirectory and tmpfiles.
With the upgrade to systemd version 242 the systemd-timesyncd
service is no longer using DynamicUser=yes
. In order for the
upgrade to work we rely on an activation script to move the state from the old
to the new directory. The older directory (prior 19.09
) was
/var/lib/private/systemd/timesync
.
As long as the system.config.stateVersion
is below
19.09
the state folder will migrated to its proper location
(/var/lib/systemd/timesync
), if required.
The package avahi
is now built to look up service
definitions from /etc/avahi/services
instead of its
output directory in the nix store. Accordingly the module
avahi
now supports custom service definitions via
services.avahi.extraServiceFiles
, which are then placed
in the aforementioned directory. See avahi.service(5) for more information on custom service definitions.
Since version 0.1.19, cargo-vendor
honors package
includes that are specified in the Cargo.toml
file of Rust crates. rustPlatform.buildRustPackage
uses
cargo-vendor
to collect and build dependent crates.
Since this change in cargo-vendor
changes the set of
vendored files for most Rust packages, the hash that use used to verify
the dependencies, cargoSha256
, also changes.
The cargoSha256
hashes of all in-tree derivations that
use buildRustPackage
have been updated to reflect this
change. However, third-party derivations that use
buildRustPackage
may have to be updated as well.
The consul
package was upgraded past version 1.5
,
so its deprecated legacy UI is no longer available.
The default resample-method for PulseAudio has been changed from the upstream default speex-float-1
to speex-float-5
. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this
so you'll need to set hardware.pulseaudio.daemon.config.resample-method
back to speex-float-1
.
The phabricator
package and associated httpd.extraSubservice
, as well as the
phd
service have been removed from nixpkgs due to lack of maintainer.
The mercurial
httpd.extraSubservice
has been removed from nixpkgs due to lack of maintainer.
The trac
httpd.extraSubservice
has been removed from nixpkgs because it was unmaintained.
The foswiki
package and associated httpd.extraSubservice
have been removed
from nixpkgs due to lack of maintainer.
The tomcat-connector
httpd.extraSubservice
has been removed from nixpkgs.
It's now possible to change configuration in
services.nextcloud after the initial deploy
since all config parameters are persisted in an additional config file generated by the module.
Previously core configuration like database parameters were set using their imperative
installer after creating /var/lib/nextcloud
.
There exists now lib.forEach
, which is like map
, but with
arguments flipped. When mapping function body spans many lines (or has nested
map
s), it is often hard to follow which list is modified.
Previous solution to this problem was either to use lib.flip map
idiom or extract that anonymous mapping function to a named one. Both can still be used
but lib.forEach
is preferred over lib.flip map
.
The /etc/sysctl.d/nixos.conf
file containing all the options set via
boot.kernel.sysctl was moved to
/etc/sysctl.d/60-nixos.conf
, as
sysctl.d(5)
recommends prefixing all filenames in /etc/sysctl.d
with a
two-digit number and a dash to simplify the ordering of the files.
We now install the sysctl snippets shipped with systemd.
This enables:
Loose reverse path filtering
Source route filtering
fq_codel
as a packet scheduler (this helps to fight bufferbloat)
This also configures the kernel to pass core dumps to systemd-coredump
,
and restricts the SysRq key combinations to the sync command only.
These sysctl snippets can be found in /etc/sysctl.d/50-*.conf
,
and overridden via boot.kernel.sysctl
(which will place the parameters in /etc/sysctl.d/60-nixos.conf
).
Core dumps are now processed by systemd-coredump
by default. systemd-coredump
behaviour can
still be modified via
systemd.coredump.extraConfig
. To stick to the
old behaviour (having the kernel dump to a file called
core
in the working directory), without piping
it through systemd-coredump
, set
systemd.coredump.enable
to
false
.
systemd.packages
option now also supports generators and
shutdown scripts. Old systemd.generator-packages
option has
been removed.
The rmilter
package was removed with associated module and options due deprecation by upstream developer.
Use rspamd
in proxy mode instead.
systemd cgroup accounting via the systemd.enableCgroupAccounting option is now enabled by default. It now also enables the more recent Block IO and IP accounting features.
We no longer enable custom font rendering settings with fonts.fontconfig.penultimate.enable
by default.
The defaults from fontconfig are sufficient.
The crashplan
package and the
crashplan
service have been removed from nixpkgs due to
crashplan shutting down the service, while the crashplansb
package and crashplan-small-business
service have been
removed from nixpkgs due to lack of maintainer.
The redis module was hardcoded to use the redis
user,
/run/redis
as runtime directory and
/var/lib/redis
as state directory.
Note that the NixOS module for Redis now disables kernel support for Transparent Huge Pages (THP),
because this features causes major performance problems for Redis,
e.g. (https://redis.io/topics/latency).
Using fonts.enableDefaultFonts
adds a default emoji font noto-fonts-emoji
.
Users of the following options will have this enabled by default:
services.xserver.enable
programs.sway.enable
programs.way-cooler.enable
services.xrdp.enable
The altcoins
categorization of packages has
been removed. You now access these packages at the top level,
ie. nix-shell -p dogecoin
instead of
nix-shell -p altcoins.dogecoin
, etc.
Ceph has been upgraded to v14.2.1. See the release notes for details. The mgr dashboard as well as osds backed by loop-devices is no longer explicitly supported by the package and module. Note: There's been some issues with python-cherrypy, which is used by the dashboard and prometheus mgr modules (and possibly others), hence 0000-dont-check-cherrypy-version.patch.
pkgs.weechat
is now compiled against pkgs.python3
.
Weechat also recommends to use Python3
in their docs.
In addition to numerous new and upgraded packages, this release has the following highlights:
End of support is planned for end of October 2019, handing over to 19.09.
The default Python 3 interpreter is now CPython 3.7 instead of CPython 3.6.
Added the Pantheon desktop environment. It can be enabled through
services.xserver.desktopManager.pantheon.enable
.
By default, services.xserver.desktopManager.pantheon
enables LightDM as a display manager, as pantheon's screen locking
implementation relies on it.
Because of that it is recommended to leave LightDM enabled. If you'd like
to disable it anyway, set
services.xserver.displayManager.lightdm.enable
to
false
and enable your preferred display manager.
Also note that Pantheon's LightDM greeter is not enabled by default, because it has numerous issues in NixOS and isn't optimal for use here yet.
A major refactoring of the Kubernetes module has been completed. Refactorings primarily focus on decoupling components and enhancing security. Two-way TLS and RBAC has been enabled by default for all components, which slightly changes the way the module is configured. See: Chapter 39, Kubernetes for details.
There is now a set of confinement
options for
systemd.services
, which allows to restrict services
into a chroot(2)ed environment that only contains the store paths from
the runtime closure of the service.
The following new services were added since the last release:
./programs/nm-applet.nix
There is a new security.googleOsLogin
module for using
OS
Login to manage SSH access to Google Compute Engine instances,
which supersedes the imperative and broken
google-accounts-daemon
used in
nixos/modules/virtualisation/google-compute-config.nix
.
./services/misc/beanstalkd.nix
There is a new services.cockroachdb
module for running
CockroachDB databases. NixOS now ships with CockroachDB 2.1.x as well,
available on x86_64-linux
and
aarch64-linux
.
./security/duosec.nix
The PAM module for Duo
Security has been enabled for use. One can configure it using the
security.duosec
options along with the corresponding PAM
option in
security.pam.services.<name?>.duoSecurity.enable
.
When upgrading from a previous release, please be aware of the following incompatible changes:
The minimum version of Nix required to evaluate Nixpkgs is now 2.0.
For users of NixOS 18.03 and 19.03, NixOS defaults to Nix 2.0, but
supports using Nix 1.11 by setting nix.package =
pkgs.nix1;
. If this option is set to a Nix 1.11 package, you
will need to either unset the option or upgrade it to Nix 2.0.
For users of NixOS 17.09, you will first need to upgrade Nix by setting
nix.package = pkgs.nixStable2;
and run
nixos-rebuild switch as the root
user.
For users of a daemon-less Nix installation on Linux or macOS, you can upgrade Nix by running curl https://nixos.org/nix/install | sh, or prior to doing a channel update, running nix-env -iA nix.
If you have already run a channel update and Nix is no longer able to evaluate Nixpkgs, the error message printed should provide adequate directions for upgrading Nix.
For users of the Nix daemon on macOS, you can upgrade Nix by running sudo -i sh -c 'nix-channel --update && nix-env -iA nixpkgs.nix'; sudo launchctl stop org.nixos.nix-daemon; sudo launchctl start org.nixos.nix-daemon.
The buildPythonPackage
function now sets
strictDeps = true
to help distinguish between native
and non-native dependencies in order to improve cross-compilation
compatibility. Note however that this may break user expressions.
The buildPythonPackage
function now sets LANG
= C.UTF-8
to enable Unicode support. The
glibcLocales
package is no longer needed as a build
input.
The Syncthing state and configuration data has been moved from
services.syncthing.dataDir
to the newly defined
services.syncthing.configDir
, which default to
/var/lib/syncthing/.config/syncthing
. This change makes
possible to share synced directories using ACLs without Syncthing
resetting the permission on every start.
The ntp
module now has sane default restrictions. If
you're relying on the previous defaults, which permitted all queries and
commands from all firewall-permitted sources, you can set
services.ntp.restrictDefault
and
services.ntp.restrictSource
to []
.
Package rabbitmq_server
is renamed to
rabbitmq-server
.
The light
module no longer uses setuid binaries, but
udev rules. As a consequence users of that module have to belong to the
video
group in order to use the executable (i.e.
users.users.yourusername.extraGroups = ["video"];
).
Buildbot now supports Python 3 and its packages have been moved to
pythonPackages
. The options
services.buildbot-master.package
and
services.buildbot-worker.package
can be used to select
the Python 2 or 3 version of the package.
Options
services.znc.confOptions.networks.
and
name
.userNameservices.znc.confOptions.networks.
were removed. They were never used for anything and can therefore safely
be removed.
name
.modulePackages
Package wasm
has been renamed
proglodyte-wasm
. The package wasm
will be pointed to ocamlPackages.wasm
in 19.09, so make
sure to update your configuration if you want to keep
proglodyte-wasm
When the nixpkgs.pkgs
option is set, NixOS will no
longer ignore the nixpkgs.overlays
option. The old
behavior can be recovered by setting nixpkgs.overlays =
lib.mkForce [];
.
OpenSMTPD has been upgraded to version 6.4.0p1. This release makes backwards-incompatible changes to the configuration file format. See man smtpd.conf for more information on the new file format.
The versioned postgresql
have been renamed to use
underscore number seperators. For example, postgresql96
has been renamed to postgresql_9_6
.
Package consul-ui
and passthrough
consul.ui
have been removed. The package
consul
now uses upstream releases that vendor the UI
into the binary. See
#48714
for details.
Slurm introduces the new option
services.slurm.stateSaveLocation
, which is now set to
/var/spool/slurm
by default (instead of
/var/spool
). Make sure to move all files to the new
directory or to set the option accordingly.
The slurmctld now runs as user slurm
instead of
root
. If you want to keep slurmctld running as
root
, set services.slurm.user =
root
.
The options services.slurm.nodeName
and
services.slurm.partitionName
are now sets of strings to
correctly reflect that fact that each of these options can occour more
than once in the configuration.
The solr
package has been upgraded from 4.10.3 to 7.5.0
and has undergone some major changes. The services.solr
module has been updated to reflect these changes. Please review
http://lucene.apache.org/solr/ carefully before upgrading.
Package ckb
is renamed to ckb-next
,
and options hardware.ckb.*
are renamed to
hardware.ckb-next.*
.
The option
services.xserver.displayManager.job.logToFile
which was
previously set to true
when using the display managers
lightdm
, sddm
or
xpra
has been reset to the default value
(false
).
Network interface indiscriminate NixOS firewall options
(networking.firewall.allow*
) are now preserved when
also setting interface specific rules such as
networking.firewall.interfaces.en0.allow*
. These rules
continue to use the pseudo device "default"
(networking.firewall.interfaces.default.*
), and
assigning to this pseudo device will override the
(networking.firewall.allow*
) options.
The nscd
service now disables all caching of
passwd
and group
databases by
default. This was interferring with the correct functioning of the
libnss_systemd.so
module which is used by
systemd
to manage uids and usernames in the presence of
DynamicUser=
in systemd services. This was already the
default behaviour in presence of services.sssd.enable =
true
because nscd caching would interfere with
sssd
in unpredictable ways as well. Because we're using
nscd not for caching, but for convincing glibc to find NSS modules in the
nix store instead of an absolute path, we have decided to disable caching
globally now, as it's usually not the behaviour the user wants and can
lead to surprising behaviour. Furthermore, negative caching of host
lookups is also disabled now by default. This should fix the issue of dns
lookups failing in the presence of an unreliable network.
If the old behaviour is desired, this can be restored by setting the
services.nscd.config
option with the desired caching
parameters.
services.nscd.config = '' server-user nscd threads 1 paranoia no debug-level 0 enable-cache passwd yes positive-time-to-live passwd 600 negative-time-to-live passwd 20 suggested-size passwd 211 check-files passwd yes persistent passwd no shared passwd yes enable-cache group yes positive-time-to-live group 3600 negative-time-to-live group 60 suggested-size group 211 check-files group yes persistent group no shared group yes enable-cache hosts yes positive-time-to-live hosts 600 negative-time-to-live hosts 5 suggested-size hosts 211 check-files hosts yes persistent hosts no shared hosts yes '';
See #50316 for details.
GitLab Shell previously used the nix store paths for the
gitlab-shell
command in its
authorized_keys
file, which might stop working after
garbage collection. To circumvent that, we regenerated that file on each
startup. As gitlab-shell
has now been changed to use
/var/run/current-system/sw/bin/gitlab-shell
, this is
not necessary anymore, but there might be leftover lines with a nix store
path. Regenerate the authorized_keys
file via
sudo -u git -H gitlab-rake gitlab:shell:setup in that
case.
The pam_unix
account module is now loaded with its
control field set to required
instead of
sufficient
, so that later PAM account modules that
might do more extensive checks are being executed. Previously, the whole
account module verification was exited prematurely in case a nss module
provided the account name to pam_unix
. The LDAP and
SSSD NixOS modules already add their NSS modules when enabled. In case
your setup breaks due to some later PAM account module previosuly
shadowed, or failing NSS lookups, please file a bug. You can get back the
old behaviour by manually setting
security.pam.services.<name?>.text
.
The pam_unix
password module is now loaded with its
control field set to sufficient
instead of
required
, so that password managed only by later PAM
password modules are being executed. Previously, for example, changing an
LDAP account's password through PAM was not possible: the whole password
module verification was exited prematurely by pam_unix
,
preventing pam_ldap
to manage the password as it
should.
fish
has been upgraded to 3.0. It comes with a number
of improvements and backwards incompatible changes. See the
fish
release
notes for more information.
The ibus-table input method has had a change in config format, which causes all previous settings to be lost. See this commit message for details.
NixOS module system type types.optionSet
and
lib.mkOption
argument options
are
deprecated. Use types.submodule
instead.
(#54637)
matrix-synapse
has been updated to version 0.99. It
will no
longer generate a self-signed certificate on first launch and will
be
the
last version to accept self-signed certificates. As such, it is now
recommended to use a proper certificate verified by a root CA (for example
Let's Encrypt). The new manual
chapter on Matrix contains a working example of using nginx as a
reverse proxy in front of matrix-synapse
, using Let's
Encrypt certificates.
mailutils
now works by default when
sendmail
is not in a setuid wrapper. As a consequence,
the sendmailPath
argument, having lost its main use,
has been removed.
graylog
has been upgraded from version 2.* to 3.*. Some
setups making use of extraConfig (especially those exposing Graylog via
reverse proxies) need to be updated as upstream removed/replaced some
settings. See
Upgrading
Graylog for details.
The option users.ldap.bind.password
was renamed to users.ldap.bind.passwordFile
,
and needs to be readable by the nslcd
user.
Same applies to the new users.ldap.daemon.rootpwmodpwFile
option.
nodejs-6_x
is end-of-life.
nodejs-6_x
, nodejs-slim-6_x
and
nodePackages_6_x
are removed.
The services.matomo
module gained the option
services.matomo.package
which determines the used Matomo
version.
The Matomo module now also comes with the systemd service
matomo-archive-processing.service
and a timer that
automatically triggers archive processing every hour. This means that you
can safely
disable browser triggers for Matomo archiving at
Administration > System > General Settings
.
Additionally, you can enable to
delete old visitor logs at Administration > System >
Privacy
, but make sure that you run systemctl start
matomo-archive-processing.service
at least once without errors
if you have already collected data before, so that the reports get
archived before the source data gets deleted.
composableDerivation
along with supporting library
functions has been removed.
The deprecated truecrypt
package has been removed and
truecrypt
attribute is now an alias for
veracrypt
. VeraCrypt is backward-compatible with
TrueCrypt volumes. Note that cryptsetup
also supports
loading TrueCrypt volumes.
The Kubernetes DNS addons, kube-dns, has been replaced with CoreDNS. This
change is made in accordance with Kubernetes making CoreDNS the official
default starting from
Kubernetes
v1.11. Please beware that upgrading DNS-addon on existing clusters
might induce minor downtime while the DNS-addon terminates and
re-initializes. Also note that the DNS-service now runs with 2 pod
replicas by default. The desired number of replicas can be configured
using: services.kubernetes.addons.dns.replicas
.
The quassel-webserver package and module was removed from nixpkgs due to the lack of maintainers.
The manual gained a new chapter on
self-hosting matrix-synapse
and
riot-web
, the most prevalent server and client
implementations for the
Matrix federated
communication network.
The astah-community package was removed from nixpkgs due to it being discontinued and the downloads not being available anymore.
The httpd service now saves log files with a .log file extension by default for easier integration with the logrotate service.
The owncloud server packages and httpd subservice module were removed from nixpkgs due to the lack of maintainers.
It is possible now to uze ZRAM devices as general purpose ephemeral block
devices, not only as swap. Using more than 1 device as ZRAM swap is no
longer recommended, but is still possible by setting
zramSwap.swapDevices
explicitly.
ZRAM algorithm can be changed now.
Changes to ZRAM algorithm are applied during nixos-rebuild
switch
, so make sure you have enough swap space on disk to
survive ZRAM device rebuild. Alternatively, use nixos-rebuild
boot; reboot
.
Flat volumes are now disabled by default in
hardware.pulseaudio
. This has been done to prevent
applications, which are unaware of this feature, setting their volumes to
100% on startup causing harm to your audio hardware and potentially your
ears.
With this change application specific volumes are relative to the master volume which can be adjusted independently, whereas before they were absolute; meaning that in effect, it scaled the device-volume with the volume of the loudest application.
The
ndppd
module now supports all config
options provided by the current upstream version as service
options. Additionally the ndppd
package doesn't contain
the systemd unit configuration from upstream anymore, the unit is
completely configured by the NixOS module now.
New installs of NixOS will default to the Redmine 4.x series unless
otherwise specified in services.redmine.package
while
existing installs of NixOS will default to the Redmine 3.x series.
The Grafana module now supports declarative datasource and dashboard provisioning.
The use of insecure ports on kubernetes has been deprecated. Thus options:
services.kubernetes.apiserver.port
and
services.kubernetes.controllerManager.port
has been
renamed to .insecurePort
, and default of both options
has changed to 0 (disabled).
Note that the default value of
services.kubernetes.apiserver.bindAddress
has changed
from 127.0.0.1 to 0.0.0.0, allowing the apiserver to be accessible from
outside the master node itself. If the apiserver insecurePort is enabled,
it is strongly recommended to only bind on the loopback interface. See:
services.kubernetes.apiserver.insecurebindAddress
.
The option
services.kubernetes.apiserver.allowPrivileged
and
services.kubernetes.kubelet.allowPrivileged
now
defaults to false. Disallowing privileged containers on the cluster.
The kubernetes module does no longer add the kubernetes package to
environment.systemPackages
implicitly.
The intel
driver has been removed from the default list
of X.org video
drivers. The modesetting
driver should take over
automatically, it is better maintained upstream and has less problems with
advanced X11 features. This can lead to a change in the output names used
by xrandr
. Some performance regressions on some GPU
models might happen. Some OpenCL and VA-API applications might also break
(Beignet seems to provide OpenCL support with
modesetting
driver, too). Kernel mode setting API does
not support backlight control, so xbacklight
tool will
not work; backlight level can be controlled directly via
/sys/
or with brightnessctl
. Users
who need this functionality more than multi-output XRandR are advised to
add `intel` to `videoDrivers` and report an issue (or provide additional
details in an existing one)
Openmpi has been updated to version 4.0.0, which removes some deprecated MPI-1 symbols. This may break some older applications that still rely on those symbols. An upgrade guide can be found here.
The nginx package now relies on OpenSSL 1.1 and supports TLS 1.3 by
default. You can set the protocols used by the nginx service using
services.nginx.sslProtocols
.
A new subcommand nixos-rebuild edit was added.
In addition to numerous new and upgraded packages, this release has the following notable updates:
End of support is planned for end of April 2019, handing over to 19.03.
Platform support: x86_64-linux and x86_64-darwin as always. Support for aarch64-linux is as with the previous releases, not equivalent to the x86-64-linux release, but with efforts to reach parity.
Nix has been updated to 2.1; see its release notes.
Core versions: linux: 4.14 LTS (unchanged), glibc: 2.26 → 2.27, gcc: 7 (unchanged), systemd: 237 → 239.
Desktop version changes: gnome: 3.26 → 3.28, (KDE) plasma-desktop: 5.12 → 5.13.
Notable changes and additions for 18.09 include:
Support for wrapping binaries using firejail
has been
added through programs.firejail.wrappedBinaries
.
For example
programs.firejail = { enable = true; wrappedBinaries = { firefox = "${lib.getBin pkgs.firefox}/bin/firefox"; mpv = "${lib.getBin pkgs.mpv}/bin/mpv"; }; };
This will place firefox
and mpv
binaries in the global path wrapped by firejail.
User channels are now in the default NIX_PATH
, allowing
users to use their personal nix-channel defined
channels in nix-build and nix-shell
commands, as well as in imports like import
<mychannel>
.
For example
$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgsunstable $ nix-channel --update $ nix-build '<nixpkgsunstable>' -A gitFull $ nix run -f '<nixpkgsunstable>' gitFull $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'
A curated selection of new services that were added since the last release:
The services.cassandra
module has been reworked and was
rewritten from scratch. The service has succeeding tests for the versions
2.1, 2.2, 3.0 and 3.11 of
Apache
Cassandra.
There is a new services.foundationdb
module for
deploying
FoundationDB
clusters.
When enabled the iproute2
will copy the files expected
by ip route (e.g., rt_tables
) in
/etc/iproute2
. This allows to write aliases for
routing tables for instance.
services.strongswan-swanctl
is a modern replacement for
services.strongswan
. You can use either one of them to
setup IPsec VPNs but not both at the same time.
services.strongswan-swanctl
uses the
swanctl
command which uses the modern
vici
Versatile IKE Configuration Interface. The deprecated
ipsec
command used in
services.strongswan
is using the legacy
stroke
configuration interface.
The new services.elasticsearch-curator
service
periodically curates or manages, your Elasticsearch indices and snapshots.
Every new services:
./config/xdg/autostart.nix
./config/xdg/icons.nix
./config/xdg/menus.nix
./config/xdg/mime.nix
./hardware/brightnessctl.nix
./hardware/onlykey.nix
./hardware/video/uvcvideo/default.nix
./misc/documentation.nix
./programs/firejail.nix
./programs/iftop.nix
./programs/sedutil.nix
./programs/singularity.nix
./programs/xss-lock.nix
./programs/zsh/zsh-autosuggestions.nix
./services/admin/oxidized.nix
./services/backup/duplicati.nix
./services/backup/restic.nix
./services/backup/restic-rest-server.nix
./services/cluster/hadoop/default.nix
./services/databases/aerospike.nix
./services/databases/monetdb.nix
./services/desktops/bamf.nix
./services/desktops/flatpak.nix
./services/desktops/zeitgeist.nix
./services/development/bloop.nix
./services/development/jupyter/default.nix
./services/hardware/lcd.nix
./services/hardware/undervolt.nix
./services/misc/clipmenu.nix
./services/misc/gitweb.nix
./services/misc/serviio.nix
./services/misc/safeeyes.nix
./services/misc/sysprof.nix
./services/misc/weechat.nix
./services/monitoring/datadog-agent.nix
./services/monitoring/incron.nix
./services/networking/dnsdist.nix
./services/networking/freeradius.nix
./services/networking/hans.nix
./services/networking/morty.nix
./services/networking/ndppd.nix
./services/networking/ocserv.nix
./services/networking/owamp.nix
./services/networking/quagga.nix
./services/networking/shadowsocks.nix
./services/networking/stubby.nix
./services/networking/zeronet.nix
./services/security/certmgr.nix
./services/security/cfssl.nix
./services/security/oauth2_proxy_nginx.nix
./services/web-apps/virtlyst.nix
./services/web-apps/youtrack.nix
./services/web-servers/hitch/default.nix
./services/web-servers/hydron.nix
./services/web-servers/meguca.nix
./services/web-servers/nginx/gitweb.nix
./virtualisation/kvmgt.nix
./virtualisation/qemu-guest-agent.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
Some licenses that were incorrectly not marked as unfree now are. This is the case for:
cc-by-nc-sa-20: Creative Commons Attribution Non Commercial Share Alike 2.0
cc-by-nc-sa-25: Creative Commons Attribution Non Commercial Share Alike 2.5
cc-by-nc-sa-30: Creative Commons Attribution Non Commercial Share Alike 3.0
cc-by-nc-sa-40: Creative Commons Attribution Non Commercial Share Alike 4.0
cc-by-nd-30: Creative Commons Attribution-No Derivative Works v3.00
msrla: Microsoft Research License Agreement
The deprecated services.cassandra
module has seen a
complete rewrite. (See above.)
lib.strict
is removed. Use
builtins.seq
instead.
The clementine
package points now to the free
derivation. clementineFree
is removed now and
clementineUnfree
points to the package which is bundled
with the unfree libspotify
package.
The netcat
package is now taken directly from OpenBSD's
libressl
, instead of relying on Debian's fork. The new
version should be very close to the old version, but there are some minor
differences. Importantly, flags like -b, -q, -C, and -Z are no longer
accepted by the nc command.
The services.docker-registry.extraConfig
object doesn't
contain environment variables anymore. Instead it needs to provide an
object structure that can be mapped onto the YAML configuration defined in
the
docker/distribution
docs.
gnucash
has changed from version 2.4 to 3.x. If you've
been using gnucash
(version 2.4) instead of
gnucash26
(version 2.6) you must open your Gnucash data
file(s) with gnucash26
and then save them to upgrade
the file format. Then you may use your data file(s) with Gnucash 3.x. See
the upgrade
documentation.
Gnucash 2.4 is still available under the attribute
gnucash24
.
services.munge
now runs as user (and group)
munge
instead of root. Make sure the key file is
accessible to the daemon.
dockerTools.buildImage
now uses null
as default value for tag
, which indicates that the nix
output hash will be used as tag.
The ELK stack: elasticsearch
,
logstash
and kibana
has been
upgraded from 2.* to 6.3.*. The 2.* versions have been
unsupported since
last year so they have been removed. You can still use the 5.*
versions under the names elasticsearch5
,
logstash5
and kibana5
.
The elastic beats: filebeat
,
heartbeat
, metricbeat
and
packetbeat
have had the same treatment: they now target
6.3.* as well. The 5.* versions are available under the names:
filebeat5
, heartbeat5
,
metricbeat5
and packetbeat5
The ELK-6.3 stack now comes with
X-Pack by
default. Since X-Pack is licensed under the
Elastic
License the ELK packages now have an unfree license. To use them
you need to specify allowUnfree = true;
in your nixpkgs
configuration.
Fortunately there is also a free variant of the ELK stack without X-Pack.
The packages are available under the names:
elasticsearch-oss
, logstash-oss
and
kibana-oss
.
Options
boot.initrd.luks.devices.
name
.yubikey.ramfsMountPointboot.initrd.luks.devices.
were removed. name
.yubikey.storage.mountPointluksroot.nix
module never supported more
than one YubiKey at a time anyway, hence those options never had any
effect. You should be able to remove them from your config without any
issues.
stdenv.system
and system
in nixpkgs
now refer to the host platform instead of the build platform. For native
builds this is not change, let alone a breaking one. For cross builds, it
is a breaking change, and stdenv.buildPlatform.system
can be used instead for the old behavior. They should be using that
anyways for clarity.
Groups kvm
and render
are introduced
now, as systemd requires them.
dockerTools.pullImage
relies on image digest instead of
image tag to download the image. The sha256
of a pulled
image has to be updated.
lib.attrNamesToStr
has been deprecated. Use more
specific concatenation (lib.concat(Map)StringsSep
)
instead.
lib.addErrorContextToAttrs
has been deprecated. Use
builtins.addErrorContext
directly.
lib.showVal
has been deprecated. Use
lib.traceSeqN
instead.
lib.traceXMLVal
has been deprecated. Use
lib.traceValFn builtins.toXml
instead.
lib.traceXMLValMarked
has been deprecated. Use
lib.traceValFn (x: str + builtins.toXML x)
instead.
The pkgs
argument to NixOS modules can now be set
directly using nixpkgs.pkgs
. Previously, only the
system
, config
and
overlays
arguments could be used to influence
pkgs
.
A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs. For example:
inherit (pkgs.nixos { boot.loader.grub.enable = false; fileSystems."/".device = "/dev/xvda1"; }) toplevel kernel initialRamdisk manual;
This benefits evaluation performance, lets you write Nixpkgs packages that depend on NixOS images and is consistent with a deployment architecture that would be centered around Nixpkgs overlays.
lib.traceValIfNot
has been deprecated. Use
if/then/else
and lib.traceValSeq
instead.
lib.traceCallXml
has been deprecated. Please complain
if you use the function regularly.
The attribute lib.nixpkgsVersion
has been deprecated in
favor of lib.version
. Please refer to the discussion in
NixOS/nixpkgs#39416
for further reference.
lib.recursiveUpdateUntil
was not acting according to
its specification. It has been fixed to act according to the docstring,
and a test has been added.
The module for security.dhparams
has two new options now:
security.dhparams.stateless
Puts the generated Diffie-Hellman parameters into the Nix store instead
of managing them in a stateful manner in
/var/lib/dhparams
.
security.dhparams.defaultBitSize
The default bit size to use for the generated Diffie-Hellman parameters.
The path to the actual generated parameter files should now be queried
using
config.security.dhparams.params.
because it might be either in the Nix store or in a directory configured
by name
.pathsecurity.dhparams.path
.
Module implementers should not set a specific bit size in order to let users configure it by themselves if they want to have a different bit size than the default (2048).
An example usage of this would be:
{ config, ... }: { security.dhparams.params.myservice = {}; environment.etc."myservice.conf".text = '' dhparams = ${config.security.dhparams.params.myservice.path} ''; }
networking.networkmanager.useDnsmasq
has been
deprecated. Use networking.networkmanager.dns
instead.
The Kubernetes package has been bumped to major version 1.11. Please consult the release notes for details on new features and api changes.
The option
services.kubernetes.apiserver.admissionControl
was
renamed to
services.kubernetes.apiserver.enableAdmissionPlugins
.
Recommended way to access the Kubernetes Dashboard is via HTTPS (TLS) Therefore; public service port for the dashboard has changed to 443 (container port 8443) and scheme to https.
The option services.kubernetes.apiserver.address
was
renamed to services.kubernetes.apiserver.bindAddress
.
Note that the default value has changed from 127.0.0.1 to 0.0.0.0.
The option services.kubernetes.apiserver.publicAddress
was not used and thus has been removed.
The option
services.kubernetes.addons.dashboard.enableRBAC
was
renamed to
services.kubernetes.addons.dashboard.rbac.enable
.
The Kubernetes Dashboard now has only minimal RBAC permissions by default.
If dashboard cluster-admin rights are desired, set
services.kubernetes.addons.dashboard.rbac.clusterAdmin
to true. On existing clusters, in order for the revocation of privileges
to take effect, the current ClusterRoleBinding for kubernetes-dashboard
must be manually removed: kubectl delete clusterrolebinding
kubernetes-dashboard
The programs.screen
module provides allows to configure
/etc/screenrc
, however the module behaved fairly
counterintuitive as the config exists, but the package wasn't available.
Since 18.09 pkgs.screen
will be added to
environment.systemPackages
.
The module services.networking.hostapd
now uses WPA2 by
default.
s6Dns
, s6Networking
,
s6LinuxUtils
and s6PortableUtils
renamed to s6-dns
, s6-networking
,
s6-linux-utils
and s6-portable-utils
respectively.
The module option nix.useSandbox
is now defaulted to
true
.
The config activation script of nixos-rebuild
now
reloads
all user units for each authenticated user.
The default display manager is now LightDM. To use SLiM set
services.xserver.displayManager.slim.enable
to
true
.
NixOS option descriptions are now automatically broken up into individual
paragraphs if the text contains two consecutive newlines, so it's no
longer necessary to use </para><para>
to start a
new paragraph.
Top-level buildPlatform
,
hostPlatform
, and targetPlatform
in
Nixpkgs are deprecated. Please use their equivalents in
stdenv
instead:
stdenv.buildPlatform
,
stdenv.hostPlatform
, and
stdenv.targetPlatform
.
In addition to numerous new and upgraded packages, this release has the following highlights:
End of support is planned for end of October 2018, handing over to 18.09.
Platform support: x86_64-linux and x86_64-darwin since release time (the latter isn't NixOS, really). Binaries for aarch64-linux are available, but no channel exists yet, as it's waiting for some test fixes, etc.
Nix now defaults to 2.0; see its release notes.
Core version changes: linux: 4.9 -> 4.14, glibc: 2.25 -> 2.26, gcc: 6 -> 7, systemd: 234 -> 237.
Desktop version changes: gnome: 3.24 -> 3.26, (KDE) plasma-desktop: 5.10 -> 5.12.
MariaDB 10.2, updated from 10.1, is now the default MySQL implementation. While upgrading a few changes have been made to the infrastructure involved:
libmysql
has been deprecated, please use
mysql.connector-c
instead, a compatibility passthru
has been added to the MySQL packages.
The mysql57
package has a new
static
output containing the static libraries
including libmysqld.a
PHP now defaults to PHP 7.2, updated from 7.1.
The following new services were added since the last release:
./config/krb5/default.nix
./hardware/digitalbitbox.nix
./misc/label.nix
./programs/ccache.nix
./programs/criu.nix
./programs/digitalbitbox/default.nix
./programs/less.nix
./programs/npm.nix
./programs/plotinus.nix
./programs/rootston.nix
./programs/systemtap.nix
./programs/sway.nix
./programs/udevil.nix
./programs/way-cooler.nix
./programs/yabar.nix
./programs/zsh/zsh-autoenv.nix
./services/backup/borgbackup.nix
./services/backup/crashplan-small-business.nix
./services/desktops/dleyna-renderer.nix
./services/desktops/dleyna-server.nix
./services/desktops/pipewire.nix
./services/desktops/gnome3/chrome-gnome-shell.nix
./services/desktops/gnome3/tracker-miners.nix
./services/hardware/fwupd.nix
./services/hardware/interception-tools.nix
./services/hardware/u2f.nix
./services/hardware/usbmuxd.nix
./services/mail/clamsmtp.nix
./services/mail/dkimproxy-out.nix
./services/mail/pfix-srsd.nix
./services/misc/gitea.nix
./services/misc/home-assistant.nix
./services/misc/ihaskell.nix
./services/misc/logkeys.nix
./services/misc/novacomd.nix
./services/misc/osrm.nix
./services/misc/plexpy.nix
./services/misc/pykms.nix
./services/misc/tzupdate.nix
./services/monitoring/fusion-inventory.nix
./services/monitoring/prometheus/exporters.nix
./services/network-filesystems/beegfs.nix
./services/network-filesystems/davfs2.nix
./services/network-filesystems/openafs/client.nix
./services/network-filesystems/openafs/server.nix
./services/network-filesystems/ceph.nix
./services/networking/aria2.nix
./services/networking/monero.nix
./services/networking/nghttpx/default.nix
./services/networking/nixops-dns.nix
./services/networking/rxe.nix
./services/networking/stunnel.nix
./services/web-apps/matomo.nix
./services/web-apps/restya-board.nix
./services/web-servers/mighttpd2.nix
./services/x11/fractalart.nix
./system/boot/binfmt.nix
./system/boot/grow-partition.nix
./tasks/filesystems/ecryptfs.nix
./virtualisation/hyperv-guest.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
sound.enable
now defaults to false.
Dollar signs in options under services.postfix
are passed
verbatim to Postfix, which will interpret them as the beginning of a
parameter expression. This was already true for string-valued options in
the previous release, but not for list-valued options. If you need to pass
literal dollar signs through Postfix, double them.
The postage
package (for web-based PostgreSQL
administration) has been renamed to pgmanage
. The
corresponding module has also been renamed. To migrate please rename all
services.postage
options to
services.pgmanage
.
Package attributes starting with a digit have been prefixed with an
underscore sign. This is to avoid quoting in the configuration and other
issues with command-line tools like nix-env
. The change
affects the following packages:
2048-in-terminal
→
_2048-in-terminal
90secondportraits
→
_90secondportraits
2bwm
→ _2bwm
389-ds-base
→ _389-ds-base
The OpenSSH service no longer enables support for DSA keys by default, which could cause a system lock out. Update your keys or, unfavorably, re-enable DSA support manually.
DSA support was
deprecated in
OpenSSH 7.0, due to it being too weak. To re-enable support, add
PubkeyAcceptedKeyTypes +ssh-dss
to the end of your
services.openssh.extraConfig
.
After updating the keys to be stronger, anyone still on a pre-17.03 version is safe to jump to 17.03, as vetted here.
The openssh
package now includes Kerberos support by
default; the openssh_with_kerberos
package is now a
deprecated alias. If you do not want Kerberos support, you can do
openssh.override { withKerberos = false; }
. Note, this
also applies to the openssh_hpn
package.
cc-wrapper
has been split in two; there is now also a
bintools-wrapper
. The most commonly used files in
nix-support
are now split between the two wrappers.
Some commonly used ones, like
nix-support/dynamic-linker
, are duplicated for
backwards compatability, even though they rightly belong only in
bintools-wrapper
. Other more obscure ones are just
moved.
The propagation logic has been changed. The new logic, along with new
types of dependencies that go with, is thoroughly documented in the
"Specifying dependencies" section of the "Standard Environment" chapter of
the nixpkgs manual.
The old logic isn't but is easy to describe: dependencies were propagated
as the same type of dependency no matter what. In practice, that means
that many propagatedNativeBuildInputs
should instead
be propagatedBuildInputs
. Thankfully, that was and is
the least used type of dependency. Also, it means that some
propagatedBuildInputs
should instead be
depsTargetTargetPropagated
. Other types dependencies
should be unaffected.
lib.addPassthru drv passthru
is removed. Use
lib.extendDerivation true passthru drv
instead.
The memcached
service no longer accept dynamic socket
paths via services.memcached.socket
. Unix sockets can be
still enabled by services.memcached.enableUnixSocket
and
will be accessible at /run/memcached/memcached.sock
.
The hardware.amdHybridGraphics.disable
option was
removed for lack of a maintainer. If you still need this module, you may
wish to include a copy of it from an older version of nixos in your
imports.
The merging of config options for
services.postfix.config
was buggy. Previously, if other
options in the Postfix module like
services.postfix.useSrs
were set and the user set
config options that were also set by such options, the resulting config
wouldn't include all options that were needed. They are now merged
correctly. If config options need to be overridden,
lib.mkForce
or lib.mkOverride
can be
used.
The following changes apply if the stateVersion
is
changed to 18.03 or higher. For stateVersion = "17.09"
or lower the old behavior is preserved.
matrix-synapse
uses postgresql by default instead of
sqlite. Migration instructions can be found
here .
The jid
package has been removed, due to maintenance
overhead of a go package having non-versioned dependencies.
When using services.xserver.libinput
(enabled by default
in GNOME), it now handles all input devices, not just touchpads. As a
result, you might need to re-evaluate any custom Xorg configuration. In
particular, Option "XkbRules" "base"
may result in
broken keyboard layout.
The attic
package was removed. A maintained fork called
Borg should be used
instead. Migration instructions can be found
here.
The Piwik analytics software was renamed to Matomo:
The package pkgs.piwik
was renamed to
pkgs.matomo
.
The service services.piwik
was renamed to
services.matomo
.
The data directory /var/lib/piwik
was renamed to
/var/lib/matomo
. All files will be moved
automatically on first startup, but you might need to adjust your
backup scripts.
The default serverName
for the nginx configuration
changed from piwik.${config.networking.hostName}
to
matomo.${config.networking.hostName}.${config.networking.domain}
if config.networking.domain
is set,
matomo.${config.networking.hostName}
if it is not
set. If you change your serverName
, remember you'll
need to update the trustedHosts[]
array in
/var/lib/matomo/config/config.ini.php
as well.
The piwik
user was renamed to
matomo
. The service will adjust ownership
automatically for files in the data directory. If you use unix socket
authentication, remember to give the new matomo
user
access to the database and to change the username
to
matomo
in the [database]
section
of /var/lib/matomo/config/config.ini.php
.
If you named your database `piwik`, you might want to rename it to `matomo` to keep things clean, but this is neither enforced nor required.
nodejs-4_x
is end-of-life.
nodejs-4_x
, nodejs-slim-4_x
and
nodePackages_4_x
are removed.
The pump.io
NixOS module was removed. It is now
maintained as an
external
module.
The Prosody XMPP server has received a major update. The following modules were renamed:
services.prosody.modules.httpserver
is now
services.prosody.modules.http_files
services.prosody.modules.console
is now
services.prosody.modules.admin_telnet
Many new modules are now core modules, most notably
services.prosody.modules.carbons
and
services.prosody.modules.mam
.
The better-performing libevent
backend is now enabled
by default.
withCommunityModules
now passes through the modules to
services.prosody.extraModules
. Use
withOnlyInstalledCommunityModules
for modules that
should not be enabled directly, e.g lib_ldap
.
All prometheus exporter modules are now defined as submodules. The
exporters are configured using
services.prometheus.exporters
.
ZNC option services.znc.mutable
now defaults to
true
. That means that old configuration is not
overwritten by default when update to the znc options are made.
The option networking.wireless.networks.<name>.auth
has been added for wireless networks with WPA-Enterprise authentication.
There is also a new extraConfig
option to directly
configure wpa_supplicant
and hidden
to
connect to hidden networks.
In the module networking.interfaces.<name>
the
following options have been removed:
ipAddress
ipv6Address
prefixLength
ipv6PrefixLength
subnetMask
To assign static addresses to an interface the options
ipv4.addresses
and ipv6.addresses
should
be used instead. The options ip4
and ip6
have been renamed to ipv4.addresses
ipv6.addresses
respectively. The new options
ipv4.routes
and ipv6.routes
have been
added to set up static routing.
The option services.logstash.listenAddress
is now
127.0.0.1
by default. Previously the default behaviour
was to listen on all interfaces.
services.btrfs.autoScrub
has been added, to
periodically check btrfs filesystems for data corruption. If there's a
correct copy available, it will automatically repair corrupted blocks.
displayManager.lightdm.greeters.gtk.clock-format.
has
been added, the clock format string (as expected by strftime, e.g.
%H:%M
) to use with the lightdm gtk greeter panel.
If set to null the default clock format is used.
displayManager.lightdm.greeters.gtk.indicators
has been
added, a list of allowed indicator modules to use with the lightdm gtk
greeter panel.
Built-in indicators include ~a11y
,
~language
, ~session
,
~power
, ~clock
,
~host
, ~spacer
. Unity indicators can
be represented by short name (e.g. sound
,
power
), service file name, or absolute path.
If set to null
the default indicators are used.
In order to have the previous default configuration add
services.xserver.displayManager.lightdm.greeters.gtk.indicators = [ "~host" "~spacer" "~clock" "~spacer" "~session" "~language" "~a11y" "~power" ];
to your configuration.nix
.
The NixOS test driver supports user services declared by
systemd.user.services
. The methods
waitForUnit
, getUnitInfo
,
startJob
and stopJob
provide an
optional $user
argument for that purpose.
Enabling bash completion on NixOS,
programs.bash.enableCompletion
, will now also enable
completion for the Nix command line tools by installing the
nix-bash-completions
package.
In addition to numerous new and upgraded packages, this release has the following highlights:
The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10, KDE Applications to 17.08.1 and KDE Frameworks to 5.37.
The user handling now keeps track of deallocated UIDs/GIDs. When a user or group is revived, this allows it to be allocated the UID/GID it had before. A consequence is that UIDs and GIDs are no longer reused.
The module option services.xserver.xrandrHeads
now causes
the first head specified in this list to be set as the primary head. Apart
from that, it's now possible to also set additional options by using an
attribute set, for example:
{ services.xserver.xrandrHeads = [ "HDMI-0" { output = "DVI-0"; primary = true; monitorConfig = '' Option "Rotate" "right" ''; } ]; }
This will set the DVI-0
output to be the primary head,
even though HDMI-0
is the first head in the list.
The handling of SSL in the services.nginx
module has
been cleaned up, renaming the misnamed enableSSL
to
onlySSL
which reflects its original intention. This is
not to be used with the already existing forceSSL
which
creates a second non-SSL virtual host redirecting to the SSL virtual host.
This by chance had worked earlier due to specific implementation details.
In case you had specified both please remove the
enableSSL
option to keep the previous behaviour.
Another addSSL
option has been introduced to configure
both a non-SSL virtual host and an SSL virtual host with the same
configuration.
Options to configure resolver
options and
upstream
blocks have been introduced. See their
information for further details.
The port
option has been replaced by a more generic
listen
option which makes it possible to specify
multiple addresses, ports and SSL configs dependant on the new SSL
handling mentioned above.
The following new services were added since the last release:
config/fonts/fontconfig-penultimate.nix
config/fonts/fontconfig-ultimate.nix
config/terminfo.nix
hardware/sensor/iio.nix
hardware/nitrokey.nix
hardware/raid/hpsa.nix
programs/browserpass.nix
programs/gnupg.nix
programs/qt5ct.nix
programs/slock.nix
programs/thefuck.nix
security/auditd.nix
security/lock-kernel-modules.nix
service-managers/docker.nix
service-managers/trivial.nix
services/admin/salt/master.nix
services/admin/salt/minion.nix
services/audio/slimserver.nix
services/cluster/kubernetes/default.nix
services/cluster/kubernetes/dns.nix
services/cluster/kubernetes/dashboard.nix
services/continuous-integration/hail.nix
services/databases/clickhouse.nix
services/databases/postage.nix
services/desktops/gnome3/gnome-disks.nix
services/desktops/gnome3/gpaste.nix
services/logging/SystemdJournal2Gelf.nix
services/logging/heartbeat.nix
services/logging/journalwatch.nix
services/logging/syslogd.nix
services/mail/mailhog.nix
services/mail/nullmailer.nix
services/misc/airsonic.nix
services/misc/autorandr.nix
services/misc/exhibitor.nix
services/misc/fstrim.nix
services/misc/gollum.nix
services/misc/irkerd.nix
services/misc/jackett.nix
services/misc/radarr.nix
services/misc/snapper.nix
services/monitoring/osquery.nix
services/monitoring/prometheus/collectd-exporter.nix
services/monitoring/prometheus/fritzbox-exporter.nix
services/network-filesystems/kbfs.nix
services/networking/dnscache.nix
services/networking/fireqos.nix
services/networking/iwd.nix
services/networking/keepalived/default.nix
services/networking/keybase.nix
services/networking/lldpd.nix
services/networking/matterbridge.nix
services/networking/squid.nix
services/networking/tinydns.nix
services/networking/xrdp.nix
services/security/shibboleth-sp.nix
services/security/sks.nix
services/security/sshguard.nix
services/security/torify.nix
services/security/usbguard.nix
services/security/vault.nix
services/system/earlyoom.nix
services/system/saslauthd.nix
services/web-apps/nexus.nix
services/web-apps/pgpkeyserver-lite.nix
services/web-apps/piwik.nix
services/web-servers/lighttpd/collectd.nix
services/web-servers/minio.nix
services/x11/display-managers/xpra.nix
services/x11/xautolock.nix
tasks/filesystems/bcachefs.nix
tasks/powertop.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
In an Qemu-based virtualization environment, the
network interface names changed from i.e. enp0s3
to
ens3
.
This is due to a kernel configuration change. The new naming is consistent with those of other Linux distributions with systemd. See #29197 for more information.
A machine is affected if the virt-what
tool either
returns qemu
or kvm
and has interface names used in any part of its NixOS
configuration, in particular if a static network configuration with
networking.interfaces
is used.
Before rebooting affected machines, please ensure:
Change the interface names in your NixOS configuration. The first
interface will be called ens3
, the second one
ens8
and starting from there incremented by 1.
After changing the interface names, rebuild your system with
nixos-rebuild boot
to activate the new configuration
after a reboot. If you switch to the new configuration right away you
might lose network connectivity! If using nixops
,
deploy with nixops deploy --force-reboot
.
The following changes apply if the stateVersion
is
changed to 17.09 or higher. For stateVersion = "17.03"
or lower the old behavior is preserved.
The postgres
default version was changed from 9.5 to
9.6.
The postgres
superuser name has changed from
root
to postgres
to more closely
follow what other Linux distributions are doing.
The postgres
default dataDir
has
changed from /var/db/postgres
to
/var/lib/postgresql/$psqlSchema
where $psqlSchema is
9.6 for example.
The mysql
default dataDir
has
changed from /var/mysql
to
/var/lib/mysql
.
Radicale's default package has changed from 1.x to 2.x. Instructions to
migrate can be found here
. It is also possible to use the newer version by setting the
package
to radicale2
, which is
done automatically when stateVersion
is 17.09 or
higher. The extraArgs
option has been added to allow
passing the data migration arguments specified in the instructions; see
the
radicale.nix
NixOS test for an example migration.
The aiccu
package was removed. This is due to SixXS
sunsetting its IPv6
tunnel.
The fanctl
package and fan
module
have been removed due to the developers not upstreaming their iproute2
patches and lagging with compatibility to recent iproute2 versions.
Top-level idea
package collection was renamed. All
JetBrains IDEs are now at jetbrains
.
flexget
's state database cannot be upgraded to its new
internal format, requiring removal of any existing
db-config.sqlite
which will be automatically recreated.
The ipfs
service now doesn't ignore the
dataDir
option anymore. If you've ever set this option
to anything other than the default you'll have to either unset it (so the
default gets used) or migrate the old data manually with
dataDir=<valueOfDataDir> mv /var/lib/ipfs/.ipfs/* $dataDir rmdir /var/lib/ipfs/.ipfs
The caddy
service was previously using an extra
.caddy
directory in the data directory specified with
the dataDir
option. The contents of the
.caddy
directory are now expected to be in the
dataDir
.
The ssh-agent
user service is not started by default
anymore. Use programs.ssh.startAgent
to enable it if
needed. There is also a new programs.gnupg.agent
module
that creates a gpg-agent
user service. It can also
serve as a SSH agent if enableSSHSupport
is set.
The services.tinc.networks.<name>.listenAddress
option had a misleading name that did not correspond to its behavior. It
now correctly defines the ip to listen for incoming connections on. To
keep the previous behaviour, use
services.tinc.networks.<name>.bindToAddress
instead. Refer to the description of the options for more details.
tlsdate
package and module were removed. This is due to
the project being dead and not building with openssl 1.1.
wvdial
package and module were removed. This is due to
the project being dead and not building with openssl 1.1.
cc-wrapper
's setup-hook now exports a number of
environment variables corresponding to binutils binaries, (e.g.
LD
, STRIP
, RANLIB
, etc). This
is done to prevent packages' build systems guessing, which is harder to
predict, especially when cross-compiling. However, some packages have
broken due to this—their build systems either not supporting, or
claiming to support without adequate testing, taking such environment
variables as parameters.
services.firefox.syncserver
now runs by default as a
non-root user. To accomodate this change, the default sqlite database
location has also been changed. Migration should work automatically. Refer
to the description of the options for more details.
The compiz
window manager and package was removed. The
system support had been broken for several years.
Touchpad support should now be enabled through libinput
as synaptics
is now deprecated. See the option
services.xserver.libinput.enable
.
grsecurity/PaX support has been dropped, following upstream's decision to cease free support. See upstream's announcement for more information. No complete replacement for grsecurity/PaX is available presently.
services.mysql
now has declarative configuration of
databases and users with the ensureDatabases
and
ensureUsers
options.
These options will never delete existing databases and users, especially not when the value of the options are changed.
The MySQL users will be identified using Unix socket authentication. This authenticates the Unix user with the same name only, and that without the need for a password.
If you have previously created a MySQL root
user
with a password, you will need to add
root
user for unix socket authentication before using
the new options. This can be done by running the following SQL script:
CREATE USER 'root'@'%' IDENTIFIED BY ''; GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES; -- Optionally, delete the password-authenticated user: -- DROP USER 'root'@'localhost';
services.mysqlBackup
now works by default without any
user setup, including for users other than mysql
.
By default, the mysql
user is no longer the user which
performs the backup. Instead a system account
mysqlbackup
is used.
The mysqlBackup
service is also now using systemd
timers instead of cron
.
Therefore, the services.mysqlBackup.period
option no
longer exists, and has been replaced with
services.mysqlBackup.calendar
, which is in the format
of
systemd.time(7).
If you expect to be sent an e-mail when the backup fails, consider using a script which monitors the systemd journal for errors. Regretfully, at present there is no built-in functionality for this.
You can check that backups still work by running systemctl start mysql-backup then systemctl status mysql-backup.
Templated systemd services e.g container@name
are now
handled currectly when switching to a new configuration, resulting in them
being reloaded.
Steam: the newStdcpp
parameter was removed and should
not be needed anymore.
Redis has been updated to version 4 which mandates a cluster mass-restart, due to changes in the network handling, in order to ensure compatibility with networks NATing traffic.
Modules can now be disabled by using disabledModules, allowing another to take it's place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release.
Updated to FreeType 2.7.1, including a new TrueType engine. The new engine replaces the Infinality engine which was the default in NixOS. The default font rendering settings are now provided by fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults are less invasive and provide rendering that is more consistent with other systems and hopefully with each font designer's intent. Some system-wide configuration has been removed from the Fontconfig NixOS module where user Fontconfig settings are available.
ZFS/SPL have been updated to 0.7.0, zfsUnstable,
splUnstable
have therefore been removed.
The time.timeZone
option now allows the value
null
in addition to timezone strings. This value allows
changing the timezone of a system imperatively using timedatectl
set-timezone. The default timezone is still UTC.
Nixpkgs overlays may now be specified with a file as well as a directory.
The value of <nixpkgs-overlays>
may be a file, and
~/.config/nixpkgs/overlays.nix
can be used instead of
the ~/.config/nixpkgs/overlays
directory.
See the overlays chapter of the Nixpkgs manual for more details.
Definitions for /etc/hosts
can now be specified
declaratively with networking.hosts
.
Two new options have been added to the installer loader, in addition to the default having changed. The kernel log verbosity has been lowered to the upstream default for the default options, in order to not spam the console when e.g. joining a network.
This therefore leads to adding a new debug
option to
set the log level to the previous verbose mode, to make debugging easier,
but still accessible easily.
Additionally a copytoram
option has been added, which
makes it possible to remove the install medium after booting. This allows
tethering from your phone after booting from it.
services.gitlab-runner.configOptions
has been added to
specify the configuration of gitlab-runners declaratively.
services.jenkins.plugins
has been added to install
plugins easily, this can be generated with jenkinsPlugins2nix.
services.postfix.config
has been added to specify the
main.cf with NixOS options. Additionally other options have been added to
the postfix module and has been improved further.
The GitLab package and module have been updated to the latest 10.0 release.
The systemd-boot
boot loader now lists the NixOS
version, kernel version and build date of all bootable generations.
The dnscrypt-proxy service now defaults to using a random upstream
resolver, selected from the list of public non-logging resolvers with
DNSSEC support. Existing configurations can be migrated to this mode of
operation by omitting the
services.dnscrypt-proxy.resolverName
option or setting it
to "random"
.
In addition to numerous new and upgraded packages, this release has the following highlights:
Nixpkgs is now extensible through overlays. See the Nixpkgs manual for more information.
This release is based on Glibc 2.25, GCC 5.4.0 and systemd 232. The default Linux kernel is 4.9 and Nix is at 1.11.8.
The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed
The setuid wrapper functionality now supports setting capabilities.
X.org server uses branch 1.19. Due to ABI incompatibilities,
ati_unfree
keeps forcing 1.17 and
amdgpu-pro
starts forcing 1.18.
Cross compilation has been rewritten. See the nixpkgs manual for details.
The most obvious breaking change is that in derivations there is no
.nativeDrv
nor .crossDrv
are now
cross by default, not native.
The overridePackages
function has been rewritten to be
replaced by
overlays
Packages in nixpkgs can be marked as insecure through listed vulnerabilities. See the Nixpkgs manual for more information.
PHP now defaults to PHP 7.1
The following new services were added since the last release:
hardware/ckb.nix
hardware/mcelog.nix
hardware/usb-wwan.nix
hardware/video/capture/mwprocapture.nix
programs/adb.nix
programs/chromium.nix
programs/gphoto2.nix
programs/java.nix
programs/mtr.nix
programs/oblogout.nix
programs/vim.nix
programs/wireshark.nix
security/dhparams.nix
services/audio/ympd.nix
services/computing/boinc/client.nix
services/continuous-integration/buildbot/master.nix
services/continuous-integration/buildbot/worker.nix
services/continuous-integration/gitlab-runner.nix
services/databases/riak-cs.nix
services/databases/stanchion.nix
services/desktops/gnome3/gnome-terminal-server.nix
services/editors/infinoted.nix
services/hardware/illum.nix
services/hardware/trezord.nix
services/logging/journalbeat.nix
services/mail/offlineimap.nix
services/mail/postgrey.nix
services/misc/couchpotato.nix
services/misc/docker-registry.nix
services/misc/errbot.nix
services/misc/geoip-updater.nix
services/misc/gogs.nix
services/misc/leaps.nix
services/misc/nix-optimise.nix
services/misc/ssm-agent.nix
services/misc/sssd.nix
services/monitoring/arbtt.nix
services/monitoring/netdata.nix
services/monitoring/prometheus/default.nix
services/monitoring/prometheus/alertmanager.nix
services/monitoring/prometheus/blackbox-exporter.nix
services/monitoring/prometheus/json-exporter.nix
services/monitoring/prometheus/nginx-exporter.nix
services/monitoring/prometheus/node-exporter.nix
services/monitoring/prometheus/snmp-exporter.nix
services/monitoring/prometheus/unifi-exporter.nix
services/monitoring/prometheus/varnish-exporter.nix
services/monitoring/sysstat.nix
services/monitoring/telegraf.nix
services/monitoring/vnstat.nix
services/network-filesystems/cachefilesd.nix
services/network-filesystems/glusterfs.nix
services/network-filesystems/ipfs.nix
services/networking/dante.nix
services/networking/dnscrypt-wrapper.nix
services/networking/fakeroute.nix
services/networking/flannel.nix
services/networking/htpdate.nix
services/networking/miredo.nix
services/networking/nftables.nix
services/networking/powerdns.nix
services/networking/pdns-recursor.nix
services/networking/quagga.nix
services/networking/redsocks.nix
services/networking/wireguard.nix
services/system/cgmanager.nix
services/torrent/opentracker.nix
services/web-apps/atlassian/confluence.nix
services/web-apps/atlassian/crowd.nix
services/web-apps/atlassian/jira.nix
services/web-apps/frab.nix
services/web-apps/nixbot.nix
services/web-apps/selfoss.nix
services/web-apps/quassel-webserver.nix
services/x11/unclutter-xfixes.nix
services/x11/urxvtd.nix
system/boot/systemd-nspawn.nix
virtualisation/ecs-agent.nix
virtualisation/lxcfs.nix
virtualisation/openstack/keystone.nix
virtualisation/openstack/glance.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
Derivations have no .nativeDrv
nor
.crossDrv
and are now cross by default, not native.
stdenv.overrides
is now expected to take
self
and super
arguments. See
lib.trivial.extends
for what those parameters
represent.
ansible
now defaults to ansible version 2 as version 1
has been removed due to a serious
vulnerability unpatched by upstream.
gnome
alias has been removed along with
gtk
, gtkmm
and several others. Now
you need to use versioned attributes, like gnome3
.
The attribute name of the Radicale daemon has been changed from
pythonPackages.radicale
to radicale
.
The stripHash
bash function in
stdenv
changed according to its documentation; it now
outputs the stripped name to stdout
instead of putting
it in the variable strippedName
.
PHP now scans for extra configuration .ini files in /etc/php.d instead of /etc. This prevents accidentally loading non-PHP .ini files that may be in /etc.
Two lone top-level dict dbs moved into dictdDBs
. This
affects: dictdWordnet
which is now at
dictdDBs.wordnet
and dictdWiktionary
which is now at dictdDBs.wiktionary
Parsoid service now uses YAML configuration format.
service.parsoid.interwikis
is now called
service.parsoid.wikis
and is a list of either API URLs
or attribute sets as specified in parsoid's documentation.
Ntpd
was replaced by
systemd-timesyncd
as the default service to synchronize
system time with a remote NTP server. The old behavior can be restored by
setting services.ntp.enable
to true
.
Upstream time servers for all NTP implementations are now configured using
networking.timeServers
.
service.nylon
is now declared using named instances. As
an example:
services.nylon = { enable = true; acceptInterface = "br0"; bindInterface = "tun1"; port = 5912; };
should be replaced with:
services.nylon.myvpn = { enable = true; acceptInterface = "br0"; bindInterface = "tun1"; port = 5912; };
this enables you to declare a SOCKS proxy for each uplink.
overridePackages
function no longer exists. It is
replaced by
overlays. For example, the following code:
let pkgs = import <nixpkgs> {}; in pkgs.overridePackages (self: super: ...)
should be replaced by:
let pkgs = import <nixpkgs> {}; in import pkgs.path { overlays = [(self: super: ...)]; }
Autoloading connection tracking helpers is now disabled by default. This
default was also changed in the Linux kernel and is considered insecure if
not configured properly in your firewall. If you need connection tracking
helpers (i.e. for active FTP) please enable
networking.firewall.autoLoadConntrackHelpers
and tune
networking.firewall.connectionTrackingModules
to suit
your needs.
local_recipient_maps
is not set to empty value by
Postfix service. It's an insecure default as stated by Postfix
documentation. Those who want to retain this setting need to set it via
services.postfix.extraConfig
.
Iputils no longer provide ping6 and traceroute6. The functionality of
these tools has been integrated into ping and traceroute respectively. To
enforce an address family the new flags -4
and
-6
have been added. One notable incompatibility is that
specifying an interface (for link-local IPv6 for instance) is no longer
done with the -I
flag, but by encoding the interface
into the address (ping fe80::1%eth0
).
The socket handling of the services.rmilter
module has
been fixed and refactored. As rmilter doesn't support binding to more than
one socket, the options bindUnixSockets
and
bindInetSockets
have been replaced by
services.rmilter.bindSocket.*
. The default is still a
unix socket in /run/rmilter/rmilter.sock
. Refer to the
options documentation for more information.
The fetch*
functions no longer support md5, please use
sha256 instead.
The dnscrypt-proxy module interface has been streamlined around the
extraArgs
option. Where possible, legacy option
declarations are mapped to extraArgs
but will emit
warnings. The resolverList
has been outright removed: to
use an unlisted resolver, use the customResolver
option.
torbrowser now stores local state under
~/.local/share/tor-browser
by default. Any browser
profile data from the old location, ~/.torbrowser4
,
must be migrated manually.
The ihaskell, monetdb, offlineimap and sitecopy services have been removed.
Module type system have a new extensible option types feature that allow to extend certain types, such as enum, through multiple option declarations of the same option across multiple modules.
jre
now defaults to GTK UI by default. This improves
visual consistency and makes Java follow system font style, improving the
situation on HighDPI displays. This has a cost of increased closure size;
for server and other headless workloads it's recommended to use
jre_headless
.
Python 2.6 interpreter and package set have been removed.
The Python 2.7 interpreter does not use modules anymore. Instead, all CPython interpreters now include the whole standard library except for `tkinter`, which is available in the Python package set.
Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
Minor modifications had to be made to the interpreters in order to
generate deterministic bytecode. This has security implications and is
relevant for those using Python in a nix-shell
. See the
Nixpkgs manual for details.
The Python package sets now use a fixed-point combinator and the sets are available as attributes of the interpreters.
The Python function buildPythonPackage
has been
improved and can be used to build from Setuptools source, Flit source, and
precompiled Wheels.
When adding new or updating current Python libraries, the expressions
should be put in separate files in
pkgs/development/python-modules
and called from
python-packages.nix
.
The dnscrypt-proxy service supports synchronizing the list of public resolvers without working DNS resolution. This fixes issues caused by the resolver list becoming outdated. It also improves the viability of DNSCrypt only configurations.
Containers using bridged networking no longer lose their connection after changes to the host networking.
ZFS supports pool auto scrubbing.
The bind DNS utilities (e.g. dig) have been split into their own output
and are now also available in pkgs.dnsutils
and it is
no longer necessary to pull in all of bind
to use them.
Per-user configuration was moved from ~/.nixpkgs
to
~/.config/nixpkgs
. The former is still valid for
config.nix
for backwards compatibility.
In addition to numerous new and upgraded packages, this release has the following highlights:
Many NixOS configurations and Nix packages now use significantly less disk space, thanks to the extensive work on closure size reduction. For example, the closure size of a minimal NixOS container went down from ~424 MiB in 16.03 to ~212 MiB in 16.09, while the closure size of Firefox went from ~651 MiB to ~259 MiB.
To improve security, packages are now built using various hardening features. See the Nixpkgs manual for more information.
Support for PXE netboot. See Section 2.5.2, “Booting from the “netboot” media (PXE)” for documentation.
X.org server 1.18. If you use the ati_unfree
driver,
1.17 is still used due to an ABI incompatibility.
This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. The default Linux kernel remains 4.4.
The following new services were added since the last release:
(this will get automatically generated at release time)
When upgrading from a previous release, please be aware of the following incompatible changes:
A large number of packages have been converted to use the multiple outputs feature of Nix to greatly reduce the amount of required disk space, as mentioned above. This may require changes to any custom packages to make them build again; see the relevant chapter in the Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions related to multiple-output packages were changed late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
Previous versions of Nixpkgs had support for all versions of the LTS
Haskell package set. That support has been dropped. The previously provided
haskell.packages.lts-x_y
package sets still exist in
name to aviod breaking user code, but these package sets don't actually
contain the versions mandated by the corresponding LTS release. Instead,
our package set it loosely based on the latest available LTS release, i.e.
LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will
drop those old names entirely.
The
motivation for this change has been discussed at length on the
nix-dev
mailing list and in
Github
issue #14897. Development strategies for Haskell hackers who want to
rely on Nix and NixOS have been described in
another
nix-dev article.
Shell aliases for systemd sub-commands were dropped: start, stop, restart, status.
Redis now binds to 127.0.0.1 only instead of listening to all network interfaces. This is the default behavior of Redis 3.2
/var/empty
is now immutable. Activation script runs
chattr +i to forbid any modifications inside the folder.
See the
pull request for what bugs this caused.
Gitlab's maintainance script gitlab-runner was removed and split up into the more clearer gitlab-run and gitlab-rake scripts, because gitlab-runner is a component of Gitlab CI.
services.xserver.libinput.accelProfile
default changed
from flat
to adaptive
, as per
official documentation.
fonts.fontconfig.ultimate.rendering
was removed because
our presets were obsolete for some time. New presets are hardcoded into
FreeType; you can select a preset via
fonts.fontconfig.ultimate.preset
. You can customize
those presets via ordinary environment variables, using
environment.variables
.
The audit
service is no longer enabled by default. Use
security.audit.enable = true
to explicitly enable it.
pkgs.linuxPackages.virtualbox
now contains only the
kernel modules instead of the VirtualBox user space binaries. If you want
to reference the user space binaries, you have to use the new
pkgs.virtualbox
instead.
goPackages
was replaced with separated Go applications
in appropriate nixpkgs
categories. Each Go package uses
its own dependency set. There's also a new go2nix
tool
introduced to generate a Go package definition from its Go source
automatically.
services.mongodb.extraConfig
configuration format was
changed to YAML.
PHP has been upgraded to 7.0
Other notable improvements:
Revamped grsecurity/PaX support. There is now only a single general-purpose distribution kernel and the configuration interface has been streamlined. Desktop users should be able to simply set
security.grsecurity.enable = true
to get a reasonably secure system without having to sacrifice too much functionality.
Special filesystems, like /proc
, /run
and others, now have the same mount options as recommended by systemd and
are unified across different places in NixOS. Mount options are updated
during nixos-rebuild switch if possible. One benefit
from this is improved security — most such filesystems are now mounted
with noexec
, nodev
and/or
nosuid
options.
The reverse path filter was interfering with DHCPv4 server operation in the
past. An exception for DHCPv4 and a new option to log packets that were
dropped due to the reverse path filter was added
(networking.firewall.logReversePathDrops
) for easier
debugging.
Containers configuration within
containers.<name>.config
is
now
properly typed and checked. In particular, partial configurations
are merged correctly.
The directory container setuid wrapper programs,
/var/setuid-wrappers
,
is now
updated atomically to prevent failures if the switch to a new configuration
is interrupted.
services.xserver.startGnuPGAgent
has been removed due to
GnuPG 2.1.x bump. See
how to achieve similar behavior. You might need to pkill
gpg-agent
after the upgrade to prevent a stale agent being in the
way.
Declarative users could share the uid due to the bug in the script handling conflict resolution.
Gummi boot has been replaced using systemd-boot.
Hydra package and NixOS module were added for convenience.
In addition to numerous new and upgraded packages, this release has the following highlights:
Systemd 229, bringing numerous improvements over 217.
Linux 4.4 (was 3.18).
GCC 5.3 (was 4.9). Note that GCC 5 changes the C++ ABI in an incompatible way; this may cause problems if you try to link objects compiled with different versions of GCC.
Glibc 2.23 (was 2.21).
Binutils 2.26 (was 2.23.1). See #909
Improved support for ensuring
bitwise
reproducible builds. For example, stdenv
now sets
the environment variable
SOURCE_DATE_EPOCH
to a deterministic value, and Nix has
gained
an option to repeat a build a number of times to test determinism.
An ongoing project, the goal of exact reproducibility is to allow binaries
to be verified independently (e.g., a user might only trust binaries that
appear in three independent binary caches).
Perl 5.22.
The following new services were added since the last release:
services/monitoring/longview.nix
hardware/video/webcam/facetimehd.nix
i18n/input-method/default.nix
i18n/input-method/fcitx.nix
i18n/input-method/ibus.nix
i18n/input-method/nabi.nix
i18n/input-method/uim.nix
programs/fish.nix
security/acme.nix
security/audit.nix
security/oath.nix
services/hardware/irqbalance.nix
services/mail/dspam.nix
services/mail/opendkim.nix
services/mail/postsrsd.nix
services/mail/rspamd.nix
services/mail/rmilter.nix
services/misc/autofs.nix
services/misc/bepasty.nix
services/misc/calibre-server.nix
services/misc/cfdyndns.nix
services/misc/gammu-smsd.nix
services/misc/mathics.nix
services/misc/matrix-synapse.nix
services/misc/octoprint.nix
services/monitoring/hdaps.nix
services/monitoring/heapster.nix
services/monitoring/longview.nix
services/network-filesystems/netatalk.nix
services/network-filesystems/xtreemfs.nix
services/networking/autossh.nix
services/networking/dnschain.nix
services/networking/gale.nix
services/networking/miniupnpd.nix
services/networking/namecoind.nix
services/networking/ostinato.nix
services/networking/pdnsd.nix
services/networking/shairport-sync.nix
services/networking/supplicant.nix
services/search/kibana.nix
services/security/haka.nix
services/security/physlock.nix
services/web-apps/pump.io.nix
services/x11/hardware/libinput.nix
services/x11/window-managers/windowlab.nix
system/boot/initrd-network.nix
system/boot/initrd-ssh.nix
system/boot/loader/loader.nix
system/boot/networkd.nix
system/boot/resolved.nix
virtualisation/lxd.nix
virtualisation/rkt.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
We no longer produce graphical ISO images and VirtualBox images for
i686-linux
. A minimal ISO image is still provided.
Firefox and similar browsers are now wrapped by
default. The package and attribute names are plain
firefox
or midori
, etc.
Backward-compatibility attributes were set up, but note that
nix-env -u will not update your
current firefox-with-plugins
; you have to uninstall it
and install firefox
instead.
wmiiSnap has been replaced with wmii_hg, but services.xserver.windowManager.wmii.enable has been updated respectively so this only affects you if you have explicitly installed wmiiSnap.
jobs
NixOS option has been removed. It served as
compatibility layer between Upstart jobs and SystemD services. All services
have been rewritten to use systemd.services
wmiimenu is removed, as it has been removed by the developers upstream. Use wimenu from the wmii-hg package.
Gitit is no longer automatically added to the module list in NixOS and as such there will not be any manual entries for it. You will need to add an import statement to your NixOS configuration in order to use it, e.g.
{ imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ]; }
will include the Gitit service configuration options.
nginx does not accept flags for enabling and disabling
modules anymore. Instead it accepts modules
argument,
which is a list of modules to be built in. All modules now reside in
nginxModules
set. Example configuration:
nginx.override { modules = [ nginxModules.rtmp nginxModules.dav nginxModules.moreheaders ]; }
s3sync is removed, as it hasn't been developed by upstream for 4 years and only runs with ruby 1.8. For an actively-developer alternative look at tarsnap and others.
ruby_1_8 has been removed as it's not supported from upstream anymore and probably contains security issues.
tidy-html5
package is removed. Upstream only provided
(lib)tidy5
during development, and now they went back to
(lib)tidy
to work as a drop-in replacement of the
original package that has been unmaintained for years. You can (still) use
the html-tidy
package, which got updated to a stable
release from this new upstream.
extraDeviceOptions
argument is removed from
bumblebee
package. Instead there are now two separate
arguments: extraNvidiaDeviceOptions
and
extraNouveauDeviceOptions
for setting extra X11 options
for nvidia and nouveau drivers, respectively.
The Ctrl+Alt+Backspace
key combination no longer kills
the X server by default. There's a new option
services.xserver.enableCtrlAltBackspace
allowing to enable
the combination again.
emacsPackagesNg
now contains all packages from the ELPA,
MELPA, and MELPA Stable repositories.
Data directory for Postfix MTA server is moved from
/var/postfix
to /var/lib/postfix
.
Old configurations are migrated automatically.
service.postfix
module has also received many
improvements, such as correct directories' access rights, new
aliasFiles
and mapFiles
options and
more.
Filesystem options should now be configured as a list of strings, not a comma-separated string. The old style will continue to work, but print a warning, until the 16.09 release. An example of the new style:
fileSystems."/example" = { device = "/dev/sdc"; fsType = "btrfs"; options = [ "noatime" "compress=lzo" "space_cache" "autodefrag" ]; };
CUPS, installed by services.printing
module, now has its
data directory in /var/lib/cups
. Old configurations
from /etc/cups
are moved there automatically, but
there might be problems. Also configuration options
services.printing.cupsdConf
and
services.printing.cupsdFilesConf
were removed because
they had been allowing one to override configuration variables required for
CUPS to work at all on NixOS. For most use cases,
services.printing.extraConf
and new option
services.printing.extraFilesConf
should be enough; if
you encounter a situation when they are not, please file a bug.
There are also Gutenprint improvements; in particular, a new option
services.printing.gutenprint
is added to enable
automatic updating of Gutenprint PPMs; it's greatly recommended to enable
it instead of adding gutenprint
to the
drivers
list.
services.xserver.vaapiDrivers
has been removed. Use
hardware.opengl.extraPackages{,32}
instead. You can also
specify VDPAU drivers there.
programs.ibus
moved to
i18n.inputMethod.ibus
. The option
programs.ibus.plugins
changed to
i18n.inputMethod.ibus.engines
and the option to enable
ibus changed from programs.ibus.enable
to
i18n.inputMethod.enabled
.
i18n.inputMethod.enabled
should be set to the used input
method name, "ibus"
for ibus. An example of the new
style:
i18n.inputMethod.enabled = "ibus"; i18n.inputMethod.ibus.engines = with pkgs.ibus-engines; [ anthy mozc ];
That is equivalent to the old version:
programs.ibus.enable = true; programs.ibus.plugins = with pkgs; [ ibus-anthy mozc ];
services.udev.extraRules
option now writes rules to
99-local.rules
instead of
10-local.rules
. This makes all the user rules apply
after others, so their results wouldn't be overriden by anything else.
Large parts of the services.gitlab
module has been been
rewritten. There are new configuration options available. The
stateDir
option was renamned to
statePath
and the satellitesDir
option was removed. Please review the currently available options.
The option services.nsd.zones.<name>.data
no longer
interpret the dollar sign ($) as a shell variable, as such it should not be
escaped anymore. Thus the following zone data:
\$ORIGIN example.com. \$TTL 1800 @ IN SOA ns1.vpn.nbp.name. admin.example.com. (
Should modified to look like the actual file expected by nsd:
$ORIGIN example.com. $TTL 1800 @ IN SOA ns1.vpn.nbp.name. admin.example.com. (
service.syncthing.dataDir
options now has to point to
exact folder where syncthing is writing to. Example configuration should
look something like:
services.syncthing = { enable = true; dataDir = "/home/somebody/.syncthing"; user = "somebody"; };
networking.firewall.allowPing
is now enabled by default.
Users are encouraged to configure an appropriate rate limit for their
machines using the Kernel interface at
/proc/sys/net/ipv4/icmp_ratelimit
and
/proc/sys/net/ipv6/icmp/ratelimit
or using the
firewall itself, i.e. by setting the NixOS option
networking.firewall.pingLimit
.
Systems with some broadcom cards used to result into a generated config that is no longer accepted. If you get errors like
error: path ‘/nix/store/*-broadcom-sta-*’ does not exist and cannot be created
you should either re-run nixos-generate-config or
manually replace
"${config.boot.kernelPackages.broadcom_sta}"
by
config.boot.kernelPackages.broadcom_sta
in your
/etc/nixos/hardware-configuration.nix
. More discussion
is on the
github issue.
The services.xserver.startGnuPGAgent
option has been
removed. GnuPG 2.1.x changed the way the gpg-agent works, and that new
approach no longer requires (or even supports) the "start everything as a
child of the agent" scheme we've implemented in NixOS for older versions.
To configure the gpg-agent for your X session, add the following code to
~/.bashrc
or some file that’s sourced when your
shell is started:
GPG_TTY=$(tty) export GPG_TTY
If you want to use gpg-agent for SSH, too, add the following to your
session initialization (e.g.
displayManager.sessionCommands
)
gpg-connect-agent /bye unset SSH_AGENT_PID export SSH_AUTH_SOCK="''${HOME}/.gnupg/S.gpg-agent.ssh"
and make sure that
enable-ssh-support
is included in your ~/.gnupg/gpg-agent.conf
. You will
need to use ssh-add to re-add your ssh keys. If gpg’s
automatic transformation of the private keys to the new format fails, you
will need to re-import your private keyring as well:
gpg --import ~/.gnupg/secring.gpg
The gpg-agent(1) man page has more details about this subject, i.e. in the "EXAMPLES" section.
Other notable improvements:
ejabberd
module is brought back and now works on NixOS.
Input method support was improved. New NixOS modules (fcitx, nabi and uim), fcitx engines (chewing, hangul, m17n, mozc and table-other) and ibus engines (hangul and m17n) have been added.
In addition to numerous new and upgraded packages, this release has the following highlights:
The Haskell packages infrastructure has been re-designed from the ground up ("Haskell NG"). NixOS now distributes the latest version of every single package registered on Hackage -- well in excess of 8,000 Haskell packages. Detailed instructions on how to use that infrastructure can be found in the User's Guide to the Haskell Infrastructure. Users migrating from an earlier release may find helpful information below, in the list of backwards-incompatible changes. Furthermore, we distribute 51(!) additional Haskell package sets that provide every single LTS Haskell release since version 0.0 as well as the most recent Stackage Nightly snapshot. The announcement "Full Stackage Support in Nixpkgs" gives additional details.
Nix has been updated to version 1.10, which among other improvements enables cryptographic signatures on binary caches for improved security.
You can now keep your NixOS system up to date automatically by setting
system.autoUpgrade.enable = true;
This will cause the system to periodically check for updates in your current channel and run nixos-rebuild.
This release is based on Glibc 2.21, GCC 4.9 and Linux 3.18.
GNOME has been upgraded to 3.16.
Xfce has been upgraded to 4.12.
KDE 5 has been upgraded to KDE Frameworks 5.10, Plasma 5.3.2 and Applications 15.04.3. KDE 4 has been updated to kdelibs-4.14.10.
E19 has been upgraded to 0.16.8.15.
The following new services were added since the last release:
services/mail/exim.nix
services/misc/apache-kafka.nix
services/misc/canto-daemon.nix
services/misc/confd.nix
services/misc/devmon.nix
services/misc/gitit.nix
services/misc/ihaskell.nix
services/misc/mbpfan.nix
services/misc/mediatomb.nix
services/misc/mwlib.nix
services/misc/parsoid.nix
services/misc/plex.nix
services/misc/ripple-rest.nix
services/misc/ripple-data-api.nix
services/misc/subsonic.nix
services/misc/sundtek.nix
services/monitoring/cadvisor.nix
services/monitoring/das_watchdog.nix
services/monitoring/grafana.nix
services/monitoring/riemann-tools.nix
services/monitoring/teamviewer.nix
services/network-filesystems/u9fs.nix
services/networking/aiccu.nix
services/networking/asterisk.nix
services/networking/bird.nix
services/networking/charybdis.nix
services/networking/docker-registry-server.nix
services/networking/fan.nix
services/networking/firefox/sync-server.nix
services/networking/gateone.nix
services/networking/heyefi.nix
services/networking/i2p.nix
services/networking/lambdabot.nix
services/networking/mstpd.nix
services/networking/nix-serve.nix
services/networking/nylon.nix
services/networking/racoon.nix
services/networking/skydns.nix
services/networking/shout.nix
services/networking/softether.nix
services/networking/sslh.nix
services/networking/tinc.nix
services/networking/tlsdated.nix
services/networking/tox-bootstrapd.nix
services/networking/tvheadend.nix
services/networking/zerotierone.nix
services/scheduling/marathon.nix
services/security/fprintd.nix
services/security/hologram.nix
services/security/munge.nix
services/system/cloud-init.nix
services/web-servers/shellinabox.nix
services/web-servers/uwsgi.nix
services/x11/unclutter.nix
services/x11/display-managers/sddm.nix
system/boot/coredump.nix
system/boot/loader/loader.nix
system/boot/loader/generic-extlinux-compatible
system/boot/networkd.nix
system/boot/resolved.nix
system/boot/timesyncd.nix
tasks/filesystems/exfat.nix
tasks/filesystems/ntfs.nix
tasks/filesystems/vboxsf.nix
virtualisation/virtualbox-host.nix
virtualisation/vmware-guest.nix
virtualisation/xen-dom0.nix
When upgrading from a previous release, please be aware of the following incompatible changes:
sshd no longer supports DSA and ECDSA host keys by default. If you have existing systems with such host keys and want to continue to use them, please set
system.stateVersion = "14.12";
The new option system.stateVersion
ensures that certain
configuration changes that could break existing systems (such as the
sshd host key setting) will maintain compatibility with
the specified NixOS release. NixOps sets the state version of existing
deployments automatically.
cron is no longer enabled by default, unless you have a
non-empty services.cron.systemCronJobs
. To force
cron to be enabled, set services.cron.enable =
true
.
Nix now requires binary caches to be cryptographically signed. If you have
unsigned binary caches that you want to continue to use, you should set
nix.requireSignedBinaryCaches = false
.
Steam now doesn't need root rights to work. Instead of using
*-steam-chrootenv
, you should now just run
steam
. steamChrootEnv
package was
renamed to steam
, and old steam
package -- to steamOriginal
.
CMPlayer has been renamed to bomi upstream. Package
cmplayer
was accordingly renamed to
bomi
Atom Shell has been renamed to Electron upstream. Package
atom-shell
was accordingly renamed to
electron
Elm is not released on Hackage anymore. You should now use
elmPackages.elm
which contains the latest Elm platform.
The CUPS printing service has been updated to version
2.0.2
. Furthermore its systemd service has been renamed
to cups.service
.
Local printers are no longer shared or advertised by default. This
behavior can be changed by enabling
services.printing.defaultShared
or
services.printing.browsing
respectively.
The VirtualBox host and guest options have been named more consistently.
They can now found in virtualisation.virtualbox.host.*
instead of services.virtualboxHost.*
and
virtualisation.virtualbox.guest.*
instead of
services.virtualboxGuest.*
.
Also, there now is support for the vboxsf
file system
using the fileSystems
configuration attribute. An example
of how this can be used in a configuration:
fileSystems."/shiny" = { device = "myshinysharedfolder"; fsType = "vboxsf"; };
"nix-env -qa
" no longer discovers Haskell
packages by name. The only packages visible in the global scope are
ghc
, cabal-install
, and
stack
, but all other packages are hidden. The reason
for this inconvenience is the sheer size of the Haskell package set.
Name-based lookups are expensive, and most nix-env -qa
operations would become much slower if we'd add the entire Hackage
database into the top level attribute set. Instead, the list of Haskell
packages can be displayed by running:
nix-env -f "<nixpkgs>" -qaP -A haskellPackages
Executable programs written in Haskell can be installed with:
nix-env -f "<nixpkgs>" -iA haskellPackages.pandoc
Installing Haskell libraries this way, however, is no longer supported. See the next item for more details.
Previous versions of NixOS came with a feature called
ghc-wrapper
, a small script that allowed GHC to
transparently pick up on libraries installed in the user's profile. This
feature has been deprecated; ghc-wrapper
was removed
from the distribution. The proper way to register Haskell libraries with
the compiler now is the haskellPackages.ghcWithPackages
function. The
User's
Guide to the Haskell Infrastructure provides more information about
this subject.
All Haskell builds that have been generated with version 1.x of the
cabal2nix
utility are now invalid and need to be
re-generated with a current version of cabal2nix
to
function. The most recent version of this tool can be installed by running
nix-env -i cabal2nix
.
The haskellPackages
set in Nixpkgs used to have a
function attribute called extension
that users could
override in their ~/.nixpkgs/config.nix
files to
configure additional attributes, etc. That function still exists, but it's
now called overrides
.
The OpenBLAS library has been updated to version
0.2.14
. Support for the
x86_64-darwin
platform was added. Dynamic architecture
detection was enabled; OpenBLAS now selects microarchitecture-optimized
routines at runtime, so optimal performance is achieved without the need
to rebuild OpenBLAS locally. OpenBLAS has replaced ATLAS in most packages
which use an optimized BLAS or LAPACK implementation.
The phpfpm
is now using the default PHP version
(pkgs.php
) instead of PHP 5.4
(pkgs.php54
).
The locate
service no longer indexes the Nix store by
default, preventing packages with potentially numerous versions from
cluttering the output. Indexing the store can be activated by setting
services.locate.includeStore = true
.
The Nix expression search path (NIX_PATH
) no longer
contains /etc/nixos/nixpkgs
by default. You can
override NIX_PATH
by setting nix.nixPath
.
Python 2.6 has been marked as broken (as it no longer receives security updates from upstream).
Any use of module arguments such as pkgs
to access
library functions, or to define imports
attributes will
now lead to an infinite loop at the time of the evaluation.
In case of an infinite loop, use the --show-trace command line argument and read the line just above the error message.
$
nixos-rebuild build --show-trace
…
while evaluating the module argument `pkgs' in "/etc/nixos/my-module.nix":
infinite recursion encountered
Any use of pkgs.lib
, should be replaced by
lib
, after adding it as argument of the module. The
following module
{ config, pkgs, ... }: with pkgs.lib; { options = { foo = mkOption { … }; }; config = mkIf config.foo { … }; }
should be modified to look like:
{ config, pkgs, lib, ... }: with lib; { options = { foo = mkOption {option declaration
}; }; config = mkIf config.foo {option definition
}; }
When pkgs
is used to download other projects to import
their modules, and only in such cases, it should be replaced by
(import <nixpkgs> {})
. The following module
{ config, pkgs, ... }: let myProject = pkgs.fetchurl { src =url
; sha256 =hash
; }; in { imports = [ "${myProject}/module.nix" ]; }
should be modified to look like:
{ config, pkgs, ... }: let myProject = (import <nixpkgs> {}).fetchurl { src =url
; sha256 =hash
; }; in { imports = [ "${myProject}/module.nix" ]; }
Other notable improvements:
The nixos and nixpkgs channels were unified, so one
can use nix-env -iA nixos.bash
instead of nix-env -iA nixos.pkgs.bash
. See
the
commit for details.
Users running an SSH server who worry about the quality of their
/etc/ssh/moduli
file with respect to the
vulnerabilities
discovered in the Diffie-Hellman key exchange can now replace
OpenSSH's default version with one they generated themselves using the new
services.openssh.moduliFile
option.
A newly packaged TeX Live 2015 is provided in
pkgs.texlive
, split into 6500 nix packages. For basic
user documentation see
the
source. Beware of
an
issue when installing a too large package set. The plan is to
deprecate and maybe delete the original TeX packages until the next
release.
buildEnv.env
on all Python interpreters is now available
for nix-shell interoperability.
In addition to numerous new and upgraded packages, this release has the following highlights:
Systemd has been updated to version 217, which has numerous improvements.
NixOS is now based on Glibc 2.20.
KDE has been updated to 4.14.
The default Linux kernel has been updated to 3.14.
If users.mutableUsers
is enabled (the default), changes
made to the declaration of a user or group will be correctly realised when
running nixos-rebuild. For instance, removing a user
specification from configuration.nix
will cause the
actual user account to be deleted. If users.mutableUsers
is disabled, it is no longer necessary to specify UIDs or GIDs; if
omitted, they are allocated dynamically.
Following new services were added since the last release:
atftpd
bosun
bspwm
chronos
collectd
consul
cpuminer-cryptonight
crashplan
dnscrypt-proxy
docker-registry
docker
etcd
fail2ban
fcgiwrap
fleet
fluxbox
gdm
geoclue2
gitlab
gitolite
gnome3.gnome-documents
gnome3.gnome-online-miners
gnome3.gvfs
gnome3.seahorse
hbase
i2pd
influxdb
kubernetes
liquidsoap
lxc
mailpile
mesos
mlmmj
monetdb
mopidy
neo4j
nsd
openntpd
opentsdb
openvswitch
parallels-guest
peerflix
phd
polipo
prosody
radicale
redmine
riemann
scollector
seeks
siproxd
strongswan
tcsd
teamspeak3
thermald
torque/mrom
torque/server
uhub
unifi
znc
zookeeper
When upgrading from a previous release, please be aware of the following incompatible changes:
The default version of Apache httpd is now 2.4. If you use the
extraConfig
option to pass literal Apache configuration
text, you may need to update it — see
Apache’s
documentation for details. If you wish to continue to use httpd
2.2, add the following line to your NixOS configuration:
services.httpd.package = pkgs.apacheHttpd_2_2;
PHP 5.3 has been removed because it is no longer supported by the PHP project. A migration guide is available.
The host side of a container virtual Ethernet pair is now called
ve-
rather
than container-name
c-
.
container-name
GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.
VirtualBox has been upgraded to 4.3.20 release. Users may be required to
run rm -rf /tmp/.vbox*. The line imports = [
<nixpkgs/nixos/modules/programs/virtualbox.nix> ]
is no
longer necessary, use services.virtualboxHost.enable =
true
instead.
Also, hardening mode is now enabled by default, which means that unless
you want to use USB support, you no longer need to be a member of the
vboxusers
group.
Chromium has been updated to 39.0.2171.65.
enablePepperPDF
is now enabled by default.
chromium*Wrapper
packages no longer exist, because
upstream removed NSAPI support. chromium-stable
has
been renamed to chromium
.
Python packaging documentation is now part of nixpkgs manual. To override
the python packages available to a custom python you now use
pkgs.pythonFull.buildEnv.override
instead of
pkgs.pythonFull.override
.
boot.resumeDevice = "8:6"
is no longer supported. Most
users will want to leave it undefined, which takes the swap partitions
automatically. There is an evaluation assertion to ensure that the string
starts with a slash.
The system-wide default timezone for NixOS installations changed from
CET
to UTC
. To choose a different
timezone for your system, configure time.timeZone
in
configuration.nix
. A fairly complete list of possible
values for that setting is available at
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.
GNU screen has been updated to 4.2.1, which breaks the ability to connect to sessions created by older versions of screen.
The Intel GPU driver was updated to the 3.x prerelease version (used by most distributions) and supports DRI3 now.
This is the second stable release branch of NixOS. In addition to numerous new and upgraded packages and modules, this release has the following highlights:
Installation on UEFI systems is now supported. See Chapter 2, Installing NixOS for details.
Systemd has been updated to version 212, which has
numerous
improvements. NixOS now automatically starts systemd user instances
when you log in. You can define global user units through the
systemd.unit.*
options.
NixOS is now based on Glibc 2.19 and GCC 4.8.
The default Linux kernel has been updated to 3.12.
KDE has been updated to 4.12.
GNOME 3.10 experimental support has been added.
Nix has been updated to 1.7 (details).
NixOS now supports fully declarative management of users and groups. If
you set users.mutableUsers
to false
,
then the contents of /etc/passwd
and
/etc/group
will be
congruent
to your NixOS configuration. For instance, if you remove a user from
users.extraUsers
and run
nixos-rebuild, the user account will cease to exist.
Also, imperative commands for managing users and groups, such as
useradd, are no longer available. If
users.mutableUsers
is true
(the
default), then behaviour is unchanged from NixOS 13.10.
NixOS now has basic container support, meaning you can easily run a NixOS instance as a container in a NixOS host system. These containers are suitable for testing and experimentation but not production use, since they’re not fully isolated from the host. See Chapter 46, Container Management for details.
Systemd units provided by packages can now be overridden from the NixOS
configuration. For instance, if a package foo
provides
systemd units, you can say:
systemd.packages = [ pkgs.foo ];
to enable those units. You can then set or override unit options in the usual way, e.g.
systemd.services.foo.wantedBy = [ "multi-user.target" ]; systemd.services.foo.serviceConfig.MemoryLimit = "512M";
When upgrading from a previous release, please be aware of the following incompatible changes:
Nixpkgs no longer exposes unfree packages by default. If your NixOS configuration requires unfree packages from Nixpkgs, you need to enable support for them explicitly by setting:
nixpkgs.config.allowUnfree = true;
Otherwise, you get an error message such as:
error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:56’ has an unfree license, refusing to evaluate
The Adobe Flash player is no longer enabled by default in the Firefox and Chromium wrappers. To enable it, you must set:
nixpkgs.config.allowUnfree = true; nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium
The firewall is now enabled by default. If you don’t want this, you need to disable it explicitly:
networking.firewall.enable = false;
The option boot.loader.grub.memtest86
has been renamed to
boot.loader.grub.memtest86.enable
.
The mysql55
service has been merged into the
mysql
service, which no longer sets a default for the
option services.mysql.package
.
Package variants are now differentiated by suffixing the name, rather than
the version. For instance, sqlite-3.8.4.3-interactive
is now called sqlite-interactive-3.8.4.3
. This
ensures that nix-env -i sqlite
is unambiguous, and that
nix-env -u
won’t “upgrade”
sqlite
to sqlite-interactive
or vice
versa. Notably, this change affects the Firefox wrapper (which provides
plugins), as it is now called firefox-wrapper
. So when
using nix-env, you should do nix-env -e
firefox; nix-env -i firefox-wrapper
if you want to keep using
the wrapper. This change does not affect declarative package management,
since attribute names like pkgs.firefoxWrapper
were
already unambiguous.
The symlink /etc/ca-bundle.crt
is gone. Programs
should instead use the environment variable
OPENSSL_X509_CERT_FILE
(which points to
/etc/ssl/certs/ca-bundle.crt
).