doc/release-notes: initial cleanup for 24.11 (#346059)

authored by Tristan Ross and committed by GitHub
7aaa361a 5ed245d6

+176 -172
nixos/doc/manual/release-notes/rl-2411.section.md
··· 7 - **This will be the last release of Nixpkgs to support macOS Sierra 10.12 to macOS Catalina 10.15.** 8 Starting with release 25.05, the minimum supported version will be macOS Big Sur 11, and we cannot guarantee that packages will continue to work on older versions of macOS. 9 Users on old macOS versions should consider upgrading to a supported version (potentially using [OpenCore Legacy Patcher](https://dortania.github.io/OpenCore-Legacy-Patcher/) for old hardware) or installing NixOS. 10 - If neither of those options are viable and you require new versions of software, [MacPorts](https://www.macports.org/) supports back to Mac OS X Snow Leopard 10.6. 11 - Nix was updated to 2.24, which brings a lot of improvements and fixes. See the release notes for 12 [2.19](https://nix.dev/manual/nix/latest/release-notes/rl-2.19), 13 [2.20](https://nix.dev/manual/nix/latest/release-notes/rl-2.20), ··· 15 [2.22](https://nix.dev/manual/nix/latest/release-notes/rl-2.22), 16 [2.23](https://nix.dev/manual/nix/latest/release-notes/rl-2.23), 17 [2.24](https://nix.dev/manual/nix/latest/release-notes/rl-2.24). 18 - Notable changes include improvements to Git fetching, documentation comment support in `nix-repl> :doc`, as well as many quality of life improvements. 19 20 - This will be the last release of Nixpkgs to support versions of CUDA prior to CUDA 12.0. 21 These versions only work with old compiler versions that will be unsupported by the time of the Nixpkgs 25.05 release. 22 - In future, users should expect CUDA versions to be dropped as the compiler versions they require leave upstream support windows. 23 24 - - Convenience options for `amdgpu`, open source driver for Radeon cards, is now available under `hardware.amdgpu`. 25 26 - - [AMDVLK](https://github.com/GPUOpen-Drivers/AMDVLK), AMD's open source Vulkan driver, is now available to be configured as `hardware.amdgpu.amdvlk` option. 
27 - This also allows configuring runtime settings of AMDVLK and enabling experimental features. 28 - - The `moonlight-qt` package ([Moonlight game streaming](https://moonlight-stream.org/)) now has HDR support on Linux systems. 29 30 - PostgreSQL now defaults to major version 16. 31 32 - GNOME has been updated to version 47. Refer to the [release notes](https://release.gnome.org/47/) for more details. 33 34 - `authelia` has been upgraded to version 4.38. This version brings several features and improvements which are detailed in the [release blog post](https://www.authelia.com/blog/4.38-release-notes/). 35 - This release also deprecates some configuration keys, which are likely to be removed in future version 5.0, but they are still supported and expected to be working in the current version. 36 37 - `compressDrv` can compress selected files in a derivation. `compressDrvWeb` compresses files for common web server usage (`.gz` with `zopfli`, `.br` with `brotli`). 38 39 - - `hardware.display` is a new module implementing workarounds for misbehaving monitors 40 - through setting up custom EDID files and forcing kernel/framebuffer modes. 41 42 - - A new display-manager `services.displayManager.ly` was added. 43 - It is a tui based replacement of sddm and lightdm for window manager users. 44 - Users can use it by `services.displayManager.ly.enable` and config it by 45 - `services.displayManager.ly.settings` to generate `/etc/ly/config.ini` 46 47 - `srcOnly` was rewritten to be more readable, have additional warnings in the event that something is probably wrong, use the `stdenv` provided by the derivation, and Noogle-compatible documentation was added. 48 49 - The default sound server for most graphical sessions has been switched from PulseAudio to PipeWire. 50 - Users that want to keep PulseAudio will want to set `services.pipewire.enable = false;` and `hardware.pulseaudio.enable = true;`. 
51 There is currently no plan to fully deprecate and remove PulseAudio, however, PipeWire should generally be preferred for new installs. 52 53 - The Rust rewrite of the `switch-to-configuration` program is now used for system activation by default. ··· 55 The original Perl script is deprecated and is planned for removal in the 25.05 release. It will remain accessible until then by setting `system.switch.enableNg` to `false`. 56 57 - Support for mounting filesystems from block devices protected with [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html) 58 - was added through the `boot.initrd.systemd.dmVerity` option. 59 60 - The [Xen Project Hypervisor](https://xenproject.org) is once again available as a virtualisation option under [`virtualisation.xen`](#opt-virtualisation.xen.enable). 61 - This release includes Xen [4.19.0](https://wiki.xenproject.org/wiki/Xen_Project_4.19_Release_Notes) and support for booting the hypervisor on EFI systems. ··· 79 80 - [Cyrus IMAP](https://github.com/cyrusimap/cyrus-imapd), an email, contacts and calendar server. Available as [services.cyrus-imap](#opt-services.cyrus-imap.enable) service. 81 82 - - [TaskChampion Sync-Server](https://github.com/GothenburgBitFactory/taskchampion-sync-server), a [Taskwarrior 3](https://taskwarrior.org/docs/upgrade-3/) sync server, replacing Taskwarrior 2's sync server named [`taskserver`](https://github.com/GothenburgBitFactory/taskserver). 83 84 - - [FlareSolverr](https://github.com/FlareSolverr/FlareSolverr), proxy server to bypass Cloudflare protection. Available as [services.flaresolverr](#opt-services.flaresolverr.enable) service. 85 86 - [Gancio](https://gancio.org/), a shared agenda for local communities. Available as [services.gancio](#opt-services.gancio.enable). 87 88 - - [Goatcounter](https://www.goatcounter.com/), Easy web analytics. No tracking of personal data. Available as [services.goatcounter](options.html#opt-services.goatcocunter.enable). 
89 90 - - [Privatebin](https://github.com/PrivateBin/PrivateBin/), A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Available as [services.privatebin](#opt-services.privatebin.enable) 91 92 - - [UWSM](https://github.com/Vladimir-csp/uwsm), a wayland session manager to wrap Wayland Compositors into useful systemd units such as `graphical-session.target`. Available as [programs.uwsm](#opt-programs.uwsm.enable). 93 94 - - [Open-WebUI](https://github.com/open-webui/open-webui), a user-friendly WebUI 95 - for LLMs. Available as [services.open-webui](#opt-services.open-webui.enable) 96 - service. 97 98 - - [Quickwit](https://quickwit.io), sub-second search & analytics engine on cloud storage. Available as [services.quickwit](options.html#opt-services.quickwit). 99 100 - [Userborn](https://github.com/nikstur/userborn), a service for declarative 101 user management. This can be used instead of the `update-users-groups.pl` 102 - Perl script and instead of systemd-sysusers. To achieve a system without 103 - Perl, this is the now recommended tool over systemd-sysusers because it can 104 - also create normal users and change passwords. Available as 105 - [services.userborn](#opt-services.userborn.enable) 106 107 - - [Hatsu](https://github.com/importantimport/hatsu), a self-hosted bridge that interacts with Fediverse on behalf of your static site. Available as [services.hatsu](options.html#opt-services.hatsu). 108 109 - - [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood). 110 111 - [Niri](https://github.com/YaLTeR/niri), a scrollable-tiling Wayland compositor. Available as [programs.niri](options.html#opt-programs.niri.enable). 112 113 - - [Firefly-iii Data Importer](https://github.com/firefly-iii/data-importer), a data importer for Firefly-III. 
Available as [services.firefly-iii-data-importer](options.html#opt-services.firefly-iii-data-importer) 114 115 - [QGroundControl], a ground station support and configuration manager for the PX4 and APM Flight Stacks. Available as [programs.qgroundcontrol](options.html#opt-programs.qgroundcontrol.enable). 116 117 - - [Eintopf](https://eintopf.info), community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf). 118 119 - [Radicle](https://radicle.xyz), an open source, peer-to-peer code collaboration stack built on Git. Available as [services.radicle](#opt-services.radicle.enable). 120 121 - - [ddns-updater](https://github.com/qdm12/ddns-updater), a service to update DNS records periodically with WebUI for many DNS providers. Available as [services.ddns-updater](#opt-services.ddns-updater.enable). 122 123 - [Immersed](https://immersed.com/), a closed-source coworking platform. Available as [programs.immersed](#opt-programs.immersed.enable). 124 125 - - [HomeBox](https://github.com/sysadminsmedia/homebox): the inventory and organization system built for the Home User. Available as [services.homebox](#opt-services.homebox.enable). 126 127 - [matrix-hookshot](https://matrix-org.github.io/matrix-hookshot), a Matrix bot for connecting to external services. Available as [services.matrix-hookshot](#opt-services.matrix-hookshot.enable). 128 129 - - [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable). 130 131 - - [Music Assistant](https://music-assistant.io/), a music library manager for your offline and online music sources which can easily stream your favourite music to a wide range of supported players. Available as [services.music-assistant](#opt-services.music-assistant.enable). 132 133 - [zeronsd](https://github.com/zerotier/zeronsd), a DNS server for ZeroTier users. 
Available with [services.zeronsd.servedNetworks](#opt-services.zeronsd.servedNetworks). 134 135 - [Collabora Online](https://www.collaboraonline.com/), a collaborative online office suite based on LibreOffice technology. Available as [services.collabora-online](options.html#opt-services.collabora-online.enable). 136 137 - - [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a web ui for connecting devices. Available at [services.wg-access-server](#opt-services.wg-access-server.enable). 138 139 - [Pingvin Share](https://github.com/stonith404/pingvin-share), a self-hosted file sharing platform and an alternative for WeTransfer. Available as [services.pingvin-share](#opt-services.pingvin-share.enable). 140 ··· 144 145 - [Gatus](https://github.com/TwiN/gatus), an automated developer-oriented status page. Available as [services.gatus](#opt-services.gatus.enable). 146 147 - - [cryptpad](https://cryptpad.org/), a privacy-oriented collaborative platform (docs/drive/etc), has been added back. Available as [services.cryptpad](#opt-services.cryptpad.enable). 148 149 - - [realm](https://github.com/zhboner/realm), a simple, high performance relay server written in rust. Available as [services.realm.enable](#opt-services.realm.enable). 150 151 - - [Gotenberg](https://gotenberg.dev), an API server for converting files to PDFs that can be used alongside Paperless-ngx. Available as [services.gotenberg](options.html#opt-services.gotenberg). 152 153 - - [Suricata](https://suricata.io/), a free and open source, mature, fast and robust network threat detection engine. Available as [services.suricata](options.html#opt-services.suricata). 154 - 155 - - [Playerctld](https://github.com/altdesktop/playerctl), a daemon to track media player activity. Available as [services.playerctld](option.html#opt-services.playerctld). 
156 157 - - [MenhirLib](https://gitlab.inria.fr/fpottier/menhir/-/tree/master/coq-menhirlib) A support library for verified Coq parsers produced by Menhir. 158 159 - - [Glance](https://github.com/glanceapp/glance), a self-hosted dashboard that puts all your feeds in one place. Available as [services.glance](option.html#opt-services.glance). 160 161 - - [Apache Tika](https://github.com/apache/tika), a toolkit that detects and extracts metadata and text from over a thousand different file types. Available as [services.tika](option.html#opt-services.tika). 162 163 - - [Misskey](https://misskey-hub.net/en/), an interplanetary microblogging platform. Available as [services.misskey](options.html#opt-services.misskey). 164 165 - - [Improved File Manager](https://github.com/misterunknown/ifm), or IFM, a single-file web-based file manager. Available as [services.ifm](options.html#opt-services.ifm.enable) 166 167 - [OpenGFW](https://github.com/apernet/OpenGFW), an implementation of the Great Firewall on Linux. Available as [services.opengfw](#opt-services.opengfw.enable). 168 169 - [Rathole](https://github.com/rapiz1/rathole), a lightweight and high-performance reverse proxy for NAT traversal. Available as [services.rathole](#opt-services.rathole.enable). 170 171 - - [Proton Mail bridge](https://proton.me/mail/bridge), a desktop application that runs in the background, encrypting and decrypting messages as they enter and leave your computer. It lets you add your Proton Mail account to your favorite email client via IMAP/SMTP by creating a local email server on your computer. 172 173 - - [chromadb](https://www.trychroma.com/), an open-source AI application 174 - database. Batteries included. Available as [services.chromadb](options.html#opt-services.chromadb.enable). 175 176 - - [bitmagnet](https://bitmagnet.io/), A self-hosted BitTorrent indexer, DHT crawler, content classifier and torrent search engine with web UI, GraphQL API and Servarr stack integration. 
177 - Available as [services.bitmagnet](options.html#opt-services.bitmagnet.enable). 178 179 - [Wakapi](https://wakapi.dev/), a time tracking software for programmers. Available as [services.wakapi](#opt-services.wakapi.enable). 180 181 - [foot](https://codeberg.org/dnkl/foot), a fast, lightweight and minimalistic Wayland terminal emulator. Available as [programs.foot](#opt-programs.foot.enable). 182 183 - - [ToDesk](https://www.todesk.com/linux.html), a remote desktop applicaton. Available as [services.todesk.enable](#opt-services.todesk.enable). 184 185 - - [Dependency Track](https://dependencytrack.org/), an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Available as [services.dependency-track](option.html#opt-services.dependency-track). 186 187 - [Immich](https://github.com/immich-app/immich), a self-hosted photo and video backup solution. Available as [services.immich](#opt-services.immich.enable). 188 189 - - [saunafs](https://saunafs.com) Distributed POSIX file system. Available as [services.saunafs](options.html#opt-services.saunafs). 190 191 - - [obs-studio](https://obsproject.com/), Free and open source software for video recording and live streaming. Available as [programs.obs-studio.enable](#opt-programs.obs-studio.enable). 192 193 - - [Veilid](https://veilid.com), a headless server that enables privacy-focused data sharing and messaging on a peer-to-peer network. Available as [services.veilid](#opt-services.veilid.enable). 194 195 - [Fedimint](https://github.com/fedimint/fedimint), a module based system for building federated applications (Federated E-Cash Mint). Available as [services.fedimintd](#opt-services.fedimintd). 196 197 - - [Zapret](https://github.com/bol-van/zapret), a DPI bypass tool. Available as [services.zapret](options.html#opt-services.zapret). 
198 199 - - [tiny-dfr](https://github.com/WhatAmISupposedToPutHere/tiny-dfr), a dynamic function row daemon for the Touch Bar found on some Apple laptops. Available as [hardware.apple.touchBar.enable](options.html#opt-hardware.apple.touchBar.enable). 200 201 - - [Swapspace](https://github.com/Tookmund/Swapspace), a dynamic swap space manager, turns your unused free space into swap automatically. Available as [services.swapspace](#opt-services.swapspace.enable). 202 203 ## Backward Incompatibilities {#sec-release-24.11-incompatibilities} 204 205 - The `sound` options have been removed or renamed, as they had a lot of unintended side effects. See [below](#sec-release-24.11-migration-sound) for details. 206 207 - - The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver. 208 209 - The `(buildPythonPackage { ... }).override` attribute is now deprecated and removed in favour of `overridePythonAttrs`. 210 This change does not affect the override interface of most Python packages, as [`<pkg>.override`](https://nixos.org/manual/nixpkgs/unstable/#sec-pkg-override) provided by `callPackage` shadows such a locally-defined `override` attribute. ··· 213 214 - All GNOME packages have been moved to top-level (i.e., `gnome.nautilus` is now `nautilus`). 215 216 - - `transmission` package has been aliased with a `trace` warning to `transmission_3`. Since [Transmission 4 has been released last year](https://github.com/transmission/transmission/releases/tag/4.0.0), and Transmission 3 will eventually go away, it was decided perform this warning alias to make people aware of the new version. 
The `services.transmission.package` defaults to `transmission_3` as well because the upgrade can cause data loss in certain specific usage patterns (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up to your data directory per your usage: 217 - `transmission-gtk`: `~/.config/transmission` 218 - `transmission-daemon` using NixOS module: `${config.services.transmission.home}/.config/transmission-daemon` (defaults to `/var/lib/transmission/.config/transmission-daemon`) 219 ··· 223 - `unifi` has been updated to UniFi 8. 224 `unifi7` was removed as it is vulnerable to CVE-2024-42025 and required a version of MongoDB that has reached end of life. 225 226 - - `androidenv.androidPkgs_9_0` has been removed, and replaced with `androidenv.androidPkgs` for a more complete Android SDK including support for Android 9 and later. 227 228 - `grafana` has been updated to version 11.1. This version doesn't support setting `http_addr` to a hostname anymore, an IP address is expected. 229 ··· 241 - `bluemap` has changed the format used to store map tiles, and the database layout has been heavily modified. Upstream recommends a clean reinstallation: <https://github.com/BlueMap-Minecraft/BlueMap/releases/tag/v5.2>. Unless you are using an SQL storage backend, this should only entail deleting the contents of `config.services.bluemap.coreSettings.data` (defaults to `/var/lib/bluemap`) and `config.services.bluemap.webRoot` (defaults to `/var/lib/bluemap/web`). 242 243 - `wstunnel` has had a major version upgrade that entailed rewriting the program in Rust. 244 - The module was updated to accommodate for breaking changes. 245 - Breaking changes to the module API were minimised as much as possible, 246 - but some were nonetheless inevitable due to changes in the upstream CLI. 
247 - Certain options were moved from separate CLI arguments into the forward specifications, 248 - and those options were also removed from the module's API, 249 - please consult the wstunnel man page for more detail. 250 Also be aware that if you have set additional options in `services.wstunnel.{clients,servers}.<name>.extraArgs`, 251 - that those might have been removed or modified upstream. 252 253 - `percona-server_8_4` and `mysql84` now have password authentication via the deprecated `mysql_native_password` disabled by default. This authentication plugin can be enabled via a CLI argument again, for detailed instructions and alternative authentication methods [see upstream documentation](https://dev.mysql.com/doc/refman/8.4/en/native-pluggable-authentication.html). The config file directive `default_authentication_plugin` has been removed. 254 ··· 259 - For convenience, the top-level `clang-tools` attribute remains and is now bound to `llvmPackages.clang-tools`. 260 - Top-level `clang_tools_<version>` attributes are now aliases; these will be removed in a future release. 261 262 - - `buildbot` was updated to 4.0, the AngularJS frontend has been replaced by a React frontend, see the [upstream release notes](https://docs.buildbot.net/current/manual/upgrading/4.0-upgrade.html). 263 264 - - `headscale` has been updated to version 0.23.0 which reworked large parts of the configuration including DNS, Magic DNS prefixes and ACL policy files. See the [upstream changelog](https://github.com/juanfont/headscale/releases/tag/v0.23.0) for details. 265 266 - - `nginx` package no longer includes `gd` and `geoip` dependencies. For enabling it, override `nginx` package with the optionals `withImageFilter` and `withGeoIP`. 267 268 - - `systemd.enableUnifiedCgroupHierarchy` option has been removed. 269 - In systemd 256 support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now considered obsolete and systemd by default will refuse to boot under it. 
270 - To forcibly reenable cgroup v1 support, you can `set boot.kernelParams = [ "systemd.unified_cgroup_hierachy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ]`. 271 - NixOS does not officially support this configuration and might cause your system to be unbootable in future versions. You are on your own. 272 273 - - `nrfutil` which previously pointed to the now-deprecated `pc-nrfutil` python package, has been repackaged under the same name with the new nrfutil tool. 274 275 - - `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can 276 - use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`). 277 278 - `security.ipa.ipaHostname` now defaults to the value of `networking.fqdn` if 279 it is set, instead of the previous hardcoded default of 280 `${networking.hostName}.${security.ipa.domain}`. 281 282 - - The `MSMTP_QUEUE` and `MSMTP_LOG` environment variables accepted by `msmtpq` have now been renamed to `MSMTPQ_Q` and `MSMTPQ_LOG` respectively. 283 284 - - The logrotate service has received hardening and now requires enabling `allowNetworking`, if logrotate needs to access the network. 285 286 - `mautrix-whatsapp` has been updated to version 0.11.0, which is a major rewrite of the bridge. Config file changes are required. 287 ··· 298 Processes also now run as a dynamically allocated user by default instead of 299 root. 300 301 - - The `mautrix-signal` module was adapted to incorporate the configuration rearrangement that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work. 302 - In case you want to update your configuration make sure to check the NixOS manual. 303 304 - The nvidia driver no longer defaults to the proprietary driver starting with version 560. 
You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver. 305 ··· 312 313 - `singularity-tools` have the `storeDir` argument removed from its override interface and use `builtins.storeDir` instead. 314 315 - - Two build helpers in `singularity-tools`, i.e., `mkLayer` and `shellScript`, are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases. 316 317 - The `rust.toTargetArch`, `rust.toTargetOs`, `rust.toTargetFamily`, `rust.toTargetVendor`, `rust.toRustTarget`, `rust.toRustTargetSpec`, `rust.toRustTargetSpecShort`, and `rust.IsNoStdTarget` functions are deprecated in favour of the `rust.platform.arch`, `rust.platform.os`, `rust.platform.target-family`, `rust.platform.vendor`, `rust.rustcTarget`, `rust.rustcTargetSpec`, `rust.cargoShortTarget`, `rust.cargoEnvVarTarget`, and `rust.isNoStdTarget` platform attributes respectively. 318 319 - - The `budgie` and `budgiePlugins` scope have been removed and their packages 320 - moved into the top level scope (i.e., `budgie.budgie-desktop` is now 321 - `budgie-desktop`) 322 323 - - The method to safely handle secrets in the `networking.wireless` module has been changed to benefit from a [new feature](https://w1.fi/cgit/hostap/commit/?id=e680a51e94a33591f61edb210926bcb71217a21a) of wpa_supplicant. 324 The syntax to refer to secrets has changed slightly and the option `networking.wireless.environmentFile` has been replaced by `networking.wireless.secretsFile`; see the description of the latter for how to upgrade. 325 326 - NetBox was updated to `>= 4.1.0`. ··· 357 to use `extraOpts` flags. 
358 359 A previous configuration may have looked like this: 360 ```nix 361 - featureGates = [ "EphemeralContainers" ]; 362 - extraOpts = pkgs.lib.concatStringsSep " " ( 363 - [ 364 - ''--feature-gates="CSIMigration=false"'' 365 - }); 366 ``` 367 368 - Using an AttrSet instead, the new configuration would be: 369 ```nix 370 - featureGates = {EphemeralContainers = true; CSIMigration=false;}; 371 ``` 372 373 - - `pkgs.nextcloud27` has been removed since it's EOL. 374 375 - The `environment.noXlibs` option has been removed. It was a common source of unexpected rebuilds and breakage that was often hard to diagnose. 376 If you need to disable certain libraries, you're encouraged to add your own overlay to your configuration that targets the packages you care about. 377 378 - - `frigate` was updated past 0.14.0. This release includes various breaking changes, so please go read the [release notes](https://github.com/blakeblackshear/frigate/releases/tag/v0.14.0). 379 - Most prominently access to the webinterface and API are now protected by authentication. Retrieve the auto-created 380 admin account from the `frigate.service` journal after upgrading. 381 382 - `nodePackages.coc-python` was dropped, as [its upstream is unmaintained](https://github.com/neoclide/coc-python). The associated `vimPlugins.coc-python` was also dropped. ··· 396 397 - `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead. 398 399 - - `services.pgbouncer` systemd service is configured with `Type=notify-reload` and allows reloading configuration without process restart. PgBouncer configuration options were moved to the free-form type option named [`services.pgbouncer.settings`](#opt-services.pgbouncer.settings) according to the NixOS RFC 0042. 400 401 - Docear was removed because it was unmaintained upstream. 402 JabRef, Zotero, or Mendeley are potential replacements. 
··· 417 Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/) 418 and [release notes for v16](https://goteleport.com/docs/changelog/#1600-061324). 419 420 - - `tests.overriding` has its `passthru.tests` restructured as an attribute set instead of a list, making individual tests accessible by their names. 421 422 - - Package `skk-dict` was split into multiple packages under `skkDictionaries`. 423 - If in doubt, try `skkDictionaries.l`. As part of this change, the dictionaries 424 - were moved from `$out/share` to `$out/share/skk`. Also, the dictionaries won't 425 - be converted to UTF-8 unless the `useUtf8` package option is enabled. UTF-8 426 converted dictionaries will have the .utf8 suffix appended to its filename. 427 428 - `vaultwarden` lost the capability to bind to privileged ports. If you rely on 429 this behavior, override the systemd unit to allow `CAP_NET_BIND_SERVICE` in 430 - your local configuration. 431 432 - - The Invoiceplane module now only accepts the structured `settings` option. 433 - `extraConfig` is now removed. 434 435 - - The `ollama` services replaces its `sandbox` toggle with options to configure 436 - a static `user` and `group`. The `writablePaths` option has been removed and 437 the models directory is now always exempt from sandboxing. 438 439 - The `gns3-server` service now runs under the `gns3` system user ··· 450 before changing the package to `pkgs.stalwart-mail` in 451 [`services.stalwart-mail.package`](#opt-services.stalwart-mail.package). 452 453 - - The `nomad_1_5` and `nomad_1_6` package were dropped, as [they have reached end-of-life upstream](https://support.hashicorp.com/hc/en-us/articles/360021185113-Support-Period-and-End-of-Life-EOL-Policy). Evaluating them will throw an error. 454 455 - The default `nomad` package has been updated to 1.8.x. 
For more information, see [breaking changes for Nomad 1.8](https://developer.hashicorp.com/nomad/docs/upgrade/upgrade-specific#nomad-1-8-0) 456 ··· 458 459 - Android NDK version 26 and SDK version 33 are now the default versions used for cross compilation to android. 460 461 - - the `ankisyncd` package and its `services.ankisyncd` have been removed, use [`services.anki-sync-server`](#opt-services.anki-sync-server.enable) instead. 462 463 - `nodePackages.vscode-css-languageserver-bin`, `nodePackages.vscode-html-languageserver-bin`, 464 and `nodePackages.vscode-json-languageserver-bin` were dropped due to an unmaintained upstream. ··· 467 - `nodePackages.prisma` has been replaced by `prisma`. 468 469 - `fetchNextcloudApp` has been rewritten to use `fetchurl` rather than 470 - `fetchzip`. This invalidates all existing hashes but you can restore the old 471 behavior by passing it `unpack = true`. 472 473 - - `haskell.lib.compose.justStaticExecutables` now disallows references to GHC in the 474 - output by default, to alert users to closure size issues caused by 475 [#164630](https://github.com/NixOS/nixpkgs/issues/164630). See ["Packaging 476 Helpers" in the Haskell section of the Nixpkgs 477 manual](https://nixos.org/manual/nixpkgs/unstable/#haskell-packaging-helpers) 478 for information on working around `output '...' is not allowed to refer to 479 the following paths` errors caused by this change. 480 481 - - The `stalwart-mail` service now runs under the `stalwart-mail` system user 482 - instead of a dynamically created one via `DynamicUser`, to avoid automatic 483 - ownership changes on its large file store each time the service was started. 484 This change requires to manually move the state directory from 485 - `/var/lib/private/stalwart-mail` to `/var/lib/stalwart-mail` and to 486 change the ownership of the directory and its content to `stalwart-mail`. 
487 488 - - The `stalwart-mail` module now uses RocksDB as the default storage backend 489 - for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured 490 - data and the filesystem for blobs). 491 492 - - The `stargazer` service has been hardened to improve security, but these 493 changes make break certain setups, particularly around traditional CGI. 494 495 - - The `stargazer.allowCgiUser` option has been added, enabling 496 Stargazer's `cgi-user` option to work, which was previously broken. 497 498 - - The `shiori` service now requires an HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided via environment variable. The nixos module therefore, now provides an environmentFile option: 499 500 ``` 501 # This is how a environment file can be generated: ··· 505 506 - `/share/nano` is now only linked when `programs.nano.enable` is enabled. 507 508 - - PPD files for Utax printers got renamed (spaces replaced by underscores) in newest `foomatic-db` package; users of Utax printers might need to adapt their `hardware.printers.ensurePrinters.*.model` value. 509 510 - `sqldeveloper` was dropped due to being severely out-of-date and having a dependency on 511 JavaFX for Java 8, which we do not support. 512 513 - - The `kvdo` kernel module package was removed, because it was upstreamed in kernel version 6.9, where it is called `dm-vdo`. 514 515 - `libe57format` has been updated to `>= 3.0.0`, which contains some backward-incompatible API changes. See the [release note](https://github.com/asmaloney/libE57Format/releases/tag/v3.0.0) for more details. 516 517 - `gitlab` deprecated support for *runner registration tokens* in GitLab 16.0, disabled their support in GitLab 17.0 and will 518 - ultimately remove it in GitLab 18.0, as outlined in the 519 - [documentation](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#estimated-time-frame-for-planned-changes). 
520 After upgrading to GitLab >= 17.0, it is possible to re-enable support for registration tokens in the UI until GitLab 18.0. 521 Refer to the manual on [using registration tokens after GitLab 17.0](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170). 522 GitLab administrators should migrate to the [new runner registration workflow](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170) 523 with *runner authentication tokens* until the release of GitLab 18.0. 524 525 - - `gitlab` has been updated from 16.x to 17.x and requires at least `postgresql` 14.9, as stated in the [documentation](https://docs.gitlab.com/17.1/ee/install/requirements.html#postgresql-requirements). Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation. 526 527 - - `gitaly` (part of `gitlab`) is now using the bundled `git` package instead of `pkgs.git` to maintain compatibility with GitLab. 528 529 - `nixos/gitlab` no longer adds `pkgs.git` to `environment.systemPackages` by default. 530 531 - The `replay-sorcery` package and module was removed as it unmaintained upstream. Consider using `gpu-screen-recorder` or `obs-studio` instead. 532 533 - - To follow [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) a few options of `samba` have been moved from `extraConfig` and `configText` to the new freeform option `settings` and renamed, e.g.: 534 - `services.samba.invalidUsers` to `services.samba.settings.global."invalid users"` 535 - `services.samba.securityType` to `services.samba.settings.global."security type"` 536 - `services.samba.shares` to `services.samba.settings` ··· 540 - `zx` was updated to v8, which introduces several breaking changes. 541 See the [v8 changelog](https://github.com/google/zx/releases/tag/8.0.0) for more information. 
542 543 - - `feishin` removed support for Navidrome `< v0.53.2` due to an API change; more information in the [v0.10.0 release notes](https://github.com/jeffvli/feishin/releases/tag/v0.10.0). 544 545 - - The `dnscrypt-wrapper` module was removed since the project has been effectively unmaintained since 2018; moreover the NixOS module had to rely on an abandoned version of dnscrypt-proxy v1 for the rotation of keys. 546 - To wrap a resolver with DNSCrypt you can instead use `dnsdist`. See options `services.dnsdist.dnscrypt.*` 547 548 - The `portunus` package and service do not support weak password hashes anymore. 549 If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing. ··· 558 Explicitly set `kubelet.hostname` to `networking.fqdnOrHostName` to get back 559 the old default behavior. 560 561 - - Docker now defaults to 27.x, because version 24.x stopped receiving security updates and bug fixes after [February 1, 2024](https://github.com/moby/moby/pull/46772#discussion_r1686464084). 562 563 - `postgresql` was split into default and -dev outputs. To make this work without circular dependencies, the output of the `pg_config` system view has been removed. The `pg_config` binary is provided in the -dev output and still works as expected. 564 ··· 573 The `shout` top-level attribute was an alias to this package. 574 The associated `services.shout` module has also been removed. 575 576 - The `indi-full` package no longer contains non-free drivers. 577 To get the old collection of drivers use `indi-full-nonfree` or create your own collection of drivers by overriding indi-with-drivers. 578 E.g.: `pkgs.indi-with-drivers.override {extraDrivers = with pkgs.indi-3rdparty; [indi-gphoto];}` ··· 588 support, which is the intended default behavior by Tracy maintainers. 589 X11 users have to switch to the new package `tracy-x11`. 
590 591 - - The `services.prometheus.exporters.minio` option has been removed, as it's upstream implementation was broken and unmaintained. 592 Minio now has built-in [Prometheus metrics exposure](https://min.io/docs/minio/linux/operations/monitoring/collect-minio-metrics-using-prometheus.html), which can be used instead. 593 594 - The `services.prometheus.exporters.tor` option has been removed, as its upstream implementation was broken and unmaintained. 595 596 - - The `services.patroni.raft` option has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300) 597 598 - The `jd-cli` package was removed due to an inactive upstream and a dependency on the shut down 599 JCenter JAR repository. ··· 604 605 - `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset overhead introduced by the base64 encoding applied to attachments. 606 607 - - The `services.mxisd` module has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are not maintained any longer. 608 - Consequently the package `pkgs.ma1sd` has also been removed. 609 610 - The `rss-bridge` service drops the support to load a configuration file from `${config.services.rss-bridge.dataDir}/config.ini.php`. 611 Consider using the `services.rss-bridge.config` option instead. 612 613 - - The `xdg.portal.gtkUsePortal` option has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`. 614 615 - Support for the legacy CUPS browsing and LDAP have been removed from `services.printing`. If `cups` or `ldap` are in the `BrowseRemoteProtocols` setting in `services.printing.browsedConf`, it needs to be removed. 
616 617 - - The `services.trust-dns` module has been renamed to `services.hickory-dns`. 618 619 - - The option `services.prometheus.exporters.pgbouncer.connectionStringFile` has been removed since 620 it leaked the connection string (and thus potentially the DB password) into the cmdline 621 of process making it effectively world-readable. 622 623 Use [`services.prometheus.exporters.pgbouncer.connectionEnvFile`](#opt-services.prometheus.exporters.pgbouncer.connectionEnvFile) instead. 624 625 - - The `lsh` package and the `services.lshd` module have been removed as they had no maintainer in Nixpkgs and hadn’t seen an upstream release in over a decade. It is recommended to migrate to `openssh` and `services.openssh`. 626 627 - `ceph` has been upgraded to v19. See the [Ceph "squid" release notes](https://docs.ceph.com/en/latest/releases/squid/#v19-2-0-squid) for details and recommended upgrade procedure. 628 ··· 636 were not used by any other package. External users are encouraged to 637 migrate to OpenCV 4. 638 639 - - The `tvheadend` package and the `services.tvheadend` module have been 640 - removed as nobody was willing to maintain them and they were stuck on 641 - an unmaintained version that required FFmpeg 4; please see [pull 642 request #332259](https://github.com/NixOS/nixpkgs/pull/332259) if you 643 are interested in maintaining a newer version. 644 645 - - The `antennas` package and the `services.antennas` module have been 646 - removed as they only work with `tvheadend` (see above). 647 648 - - The `system.build.brightboxImage` image has been removed as It did not build anymore and has not seen any maintenance in over 7 years (excluding tree-wide changes). 649 650 - - The `services.syncplay` module now exposes all currently available command-line arguments for `syncplay-server` as options, as well as a `useACMEHost` option for easy TLS setup. 
651 The systemd service now uses `DynamicUser`/`StateDirectory` and the `user` and `group` options have been deprecated. 652 653 - - The `openlens` package got removed, suggested replacement `lens-desktop` 654 655 - - The `services.dnsmasq.extraConfig` option has been removed, as it had been deprecated for over 2 years. This option has been replaced by `services.dnsmasq.settings`. 656 657 - The NixOS installation media no longer support the ReiserFS or JFS file systems by default. 658 ··· 669 670 - `openssl` now defaults to the latest version line `3.3.x`, instead of `3.0.x` before. While there should be no major code incompatibilities, newer OpenSSL versions typically strengthen the default security level. This means that you may have to explicitly allow weak ciphers, hashes and key lengths if necessary. See: [OpenSSL security level documentation](https://docs.openssl.org/3.3/man3/SSL_CTX_set_security_level/). 671 672 - - The `isync` package has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details. 673 674 - Legacy package `globalprotect-openconnect` 1.x and related module 675 - `globalprotect-vpn` were dropped. Two new packages `gpauth` and `gpclient` 676 - from the 2.x version of the GlobalProtect-openconnect project are added in its 677 place. The GUI components related to the project are non-free and not 678 packaged. 679 680 - Compatible string matching for `hardware.deviceTree.overlays` has been changed to a more correct behavior. See [below](#sec-release-24.11-migration-dto-compatible) for details. 681 682 - - The `rustic` package was upgrade to `0.9.0`, which contains [breaking changes to the config file format](https://github.com/rustic-rs/rustic/releases/tag/v0.9.0). 
683 684 - `pkgs.formats.ini` and `pkgs.formats.iniWithGlobalSection` with 685 `listsAsDuplicateKeys` or `listToValue` no longer merge non-list values into ··· 764 The derivation now installs "impl" headers selectively instead of by a wildcard. 765 Use `imgui.src` if you just want to access the unpacked sources. 766 767 - - The new `boot.loader.systemd-boot.windows` option makes setting up dual-booting with Windows on a different drive easier 768 769 - - Linux 4.19 has been removed because it will reach its end of life within the lifespan of 24.11 770 771 - Unprivileged access to the kernel syslog via `dmesg` is now restricted by default. Users wanting to keep an 772 unrestricted access to it can set `boot.kernel.sysctl."kernel.dmesg_restrict" = false`. ··· 774 - The `i18n.inputMethod` module introduces two new properties: 775 `enable` and `type`, for declaring whether to enable an alternative input method and defining which input method respectfully. The options available in `type` are the same as the existing `enabled` option. `enabled` is now deprecated, and will be removed in a future release. 776 777 - - `security.pam.u2f` now follows RFC42. 778 - All module options are now settable through the freeform `.settings`. 779 780 - - Mikutter was removed because the package was broken and had no maintainers. 781 782 - - The new option `services.getty.autologinOnce` was added to limit the automatic login to once per boot and on the first tty only. 783 When using full disk encryption, this option allows to unlock the system without retyping the passphrase while keeping the other ttys protected. 784 785 - Gollum was upgraded to major version 6. Read their [migration notes](https://github.com/gollum/gollum/wiki/6.0-Release-Notes). ··· 790 791 - `services.timesyncd.fallbackServers` was added and defaults to `networking.timeServers`. 
792 793 - - Cinnamon has been updated to 6.2, please check [upstream announcement](https://www.linuxmint.com/rel_wilma_whatsnew.php) for more details. 794 - Following Mint 22 defaults, the Cinnamon module no longer ships geary and hexchat by default. 795 796 - `zfs.latestCompatibleLinuxPackages` is deprecated and is now pointing at the default kernel. If using the stable LTS kernel (default `linuxPackages` is not possible then you must explicitly pin a specific kernel release. For example, `boot.kernelPackages = pkgs.linuxPackages_6_6`. Please be aware that non-LTS kernels are likely to go EOL before ZFS supports the latest supported non-LTS release, requiring manual intervention. 797 798 - The `shadowstack` hardening flag has been added, though disabled by default. 799 800 - - `xxd` is now provided by the `tinyxxd` package, rather than `vim.xxd`, to reduce closure size and vulnerability impact. Since it has the same options and semantics as Vim's `xxd` utility, there is no user impact. Vim's `xxd` remains available as the `vim.xxd` package. 801 802 - - `prometheus-openldap-exporter` was removed since it was unmaintained upstream and had no nixpkgs maintainers. 803 - 804 - - `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep). 805 806 - The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped. 807 ··· 842 843 - `qgis` and `qgis-ltr` are now built without `grass` by default. `grass` support can be enabled with `qgis.override { withGrass = true; }`. 844 845 - ## Detailed migration information {#sec-release-24.11-migration} 846 847 ### `sound` options removal {#sec-release-24.11-migration-sound} 848
··· 7 - **This will be the last release of Nixpkgs to support macOS Sierra 10.12 to macOS Catalina 10.15.** 8 Starting with release 25.05, the minimum supported version will be macOS Big Sur 11, and we cannot guarantee that packages will continue to work on older versions of macOS. 9 Users on old macOS versions should consider upgrading to a supported version (potentially using [OpenCore Legacy Patcher](https://dortania.github.io/OpenCore-Legacy-Patcher/) for old hardware) or installing NixOS. 10 + If neither of those options are viable and you require new versions of software, [MacPorts](https://www.macports.org/) supports versions back to Mac OS X Snow Leopard 10.6. 11 + 12 - Nix was updated to 2.24, which brings a lot of improvements and fixes. See the release notes for 13 [2.19](https://nix.dev/manual/nix/latest/release-notes/rl-2.19), 14 [2.20](https://nix.dev/manual/nix/latest/release-notes/rl-2.20), ··· 16 [2.22](https://nix.dev/manual/nix/latest/release-notes/rl-2.22), 17 [2.23](https://nix.dev/manual/nix/latest/release-notes/rl-2.23), 18 [2.24](https://nix.dev/manual/nix/latest/release-notes/rl-2.24). 19 + Notable changes include improvements to Git fetching, documentation comment support in `nix-repl> :doc`, as well as many quality of life additions. 20 21 - This will be the last release of Nixpkgs to support versions of CUDA prior to CUDA 12.0. 22 These versions only work with old compiler versions that will be unsupported by the time of the Nixpkgs 25.05 release. 23 + In the future, users should expect CUDA versions to be dropped as the compiler versions they require leave upstream support windows. 24 25 + - Convenience options for `amdgpu`, the open source driver for Radeon cards, are now available under [`hardware.amdgpu`](#opt-hardware.amdgpu.initrd.enable). 
26 27 + - [AMDVLK](https://github.com/GPUOpen-Drivers/AMDVLK), AMD's open source Vulkan driver, is now available to be configured under the [`hardware.amdgpu.amdvlk`](#opt-hardware.amdgpu.amdvlk.enable) option. 28 + This also allows configuring runtime settings for AMDVLK, including enabling experimental features. 29 + 30 + - The `moonlight-qt` package (for [Moonlight game streaming](https://moonlight-stream.org/)) now has HDR support on Linux systems. 31 32 - PostgreSQL now defaults to major version 16. 33 34 - GNOME has been updated to version 47. Refer to the [release notes](https://release.gnome.org/47/) for more details. 35 36 - `authelia` has been upgraded to version 4.38. This version brings several features and improvements which are detailed in the [release blog post](https://www.authelia.com/blog/4.38-release-notes/). 37 + This release also deprecates some configuration keys which are likely to be removed in version 5.0.0. 38 39 - `compressDrv` can compress selected files in a derivation. `compressDrvWeb` compresses files for common web server usage (`.gz` with `zopfli`, `.br` with `brotli`). 40 41 + - [`hardware.display`](#opt-hardware.display.edid.enable) is a new module implementing workarounds for misbehaving monitors 42 + by setting up custom EDID files and forcing kernel/framebuffer modes. 43 44 + - [`services.displayManager.ly`](#opt-services.displayManager.ly.enable) is a new module for configuring the display manager [ly](https://github.com/fairyglade/ly), 45 + a TUI-based replacement for SDDM and LightDM meant for window manager users. 46 47 - `srcOnly` was rewritten to be more readable, have additional warnings in the event that something is probably wrong, use the `stdenv` provided by the derivation, and Noogle-compatible documentation was added. 48 49 - The default sound server for most graphical sessions has been switched from PulseAudio to PipeWire. 
50 + Users that want to keep using PulseAudio will want to set `services.pipewire.enable = false;` and `hardware.pulseaudio.enable = true;`. 51 There is currently no plan to fully deprecate and remove PulseAudio, however, PipeWire should generally be preferred for new installs. 52 53 - The Rust rewrite of the `switch-to-configuration` program is now used for system activation by default. ··· 55 The original Perl script is deprecated and is planned for removal in the 25.05 release. It will remain accessible until then by setting `system.switch.enableNg` to `false`. 56 57 - Support for mounting filesystems from block devices protected with [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html) 58 + was added through the [`boot.initrd.systemd.dmVerity`](#opt-boot.initrd.systemd.dmVerity.enable) option. 59 60 - The [Xen Project Hypervisor](https://xenproject.org) is once again available as a virtualisation option under [`virtualisation.xen`](#opt-virtualisation.xen.enable). 61 - This release includes Xen [4.19.0](https://wiki.xenproject.org/wiki/Xen_Project_4.19_Release_Notes) and support for booting the hypervisor on EFI systems. ··· 79 80 - [Cyrus IMAP](https://github.com/cyrusimap/cyrus-imapd), an email, contacts and calendar server. Available as [services.cyrus-imap](#opt-services.cyrus-imap.enable) service. 81 82 + - [TaskChampion Sync-Server](https://github.com/GothenburgBitFactory/taskchampion-sync-server), a [Taskwarrior 3](https://taskwarrior.org/docs/upgrade-3/) sync server. Available as [services.taskchampion-sync-server](#opt-services.taskchampion-sync-server.enable). 83 84 + - [FlareSolverr](https://github.com/FlareSolverr/FlareSolverr), a proxy server to bypass Cloudflare protection. Available as [services.flaresolverr](#opt-services.flaresolverr.enable). 85 86 - [Gancio](https://gancio.org/), a shared agenda for local communities. Available as [services.gancio](#opt-services.gancio.enable). 
87 88 + - [Goatcounter](https://www.goatcounter.com/), an easy web analytics platform with no tracking of personal data. Available as [services.goatcounter](options.html#opt-services.goatcocunter.enable). 89 90 + - [Privatebin](https://github.com/PrivateBin/PrivateBin/), a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Available as [services.privatebin](#opt-services.privatebin.enable). 91 92 + - [UWSM](https://github.com/Vladimir-csp/uwsm), a wayland session manager to wrap Wayland compositors into useful systemd units such as `graphical-session.target`. Available as [programs.uwsm](#opt-programs.uwsm.enable). 93 94 + - [Open-WebUI](https://github.com/open-webui/open-webui), a user-friendly WebUI for LLMs. Available as [services.open-webui](#opt-services.open-webui.enable). 95 96 + - [Quickwit](https://quickwit.io), a sub-second search & analytics engine on cloud storage. Available as [services.quickwit](options.html#opt-services.quickwit.enable). 97 98 - [Userborn](https://github.com/nikstur/userborn), a service for declarative 99 user management. This can be used instead of the `update-users-groups.pl` 100 + Perl script and/or systemd-sysusers. This is now recommended over 101 + systemd-sysusers to achieve a system without Perl, as it can create normal 102 + users and change passwords. Available as [services.userborn](#opt-services.userborn.enable). 103 104 + - [Hatsu](https://github.com/importantimport/hatsu), a self-hosted bridge that interacts with Fediverse on behalf of your static site. Available as [services.hatsu](options.html#opt-services.hatsu.enable). 105 106 + - [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood.enable). 107 108 - [Niri](https://github.com/YaLTeR/niri), a scrollable-tiling Wayland compositor. Available as [programs.niri](options.html#opt-programs.niri.enable). 
109 110 + - [Firefly-iii Data Importer](https://github.com/firefly-iii/data-importer), a data importer for Firefly-III. Available as [services.firefly-iii-data-importer](options.html#opt-services.firefly-iii-data-importer.enable). 111 112 - [QGroundControl], a ground station support and configuration manager for the PX4 and APM Flight Stacks. Available as [programs.qgroundcontrol](options.html#opt-programs.qgroundcontrol.enable). 113 114 + - [Eintopf](https://eintopf.info), a community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf.enable). 115 116 - [Radicle](https://radicle.xyz), an open source, peer-to-peer code collaboration stack built on Git. Available as [services.radicle](#opt-services.radicle.enable). 117 118 + - [ddns-updater](https://github.com/qdm12/ddns-updater), a service with a WebUI to update DNS records periodically for many providers. Available as [services.ddns-updater](#opt-services.ddns-updater.enable). 119 120 - [Immersed](https://immersed.com/), a closed-source coworking platform. Available as [programs.immersed](#opt-programs.immersed.enable). 121 122 + - [HomeBox](https://github.com/sysadminsmedia/homebox), an inventory and organization system built for the home user. Available as [services.homebox](#opt-services.homebox.enable). 123 124 - [matrix-hookshot](https://matrix-org.github.io/matrix-hookshot), a Matrix bot for connecting to external services. Available as [services.matrix-hookshot](#opt-services.matrix-hookshot.enable). 125 126 + - [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various Git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable). 127 128 + - [Music Assistant](https://music-assistant.io/), a music library manager for your offline and online music sources that can stream to a wide range of supported players. Available as [services.music-assistant](#opt-services.music-assistant.enable). 
129 130 - [zeronsd](https://github.com/zerotier/zeronsd), a DNS server for ZeroTier users. Available with [services.zeronsd.servedNetworks](#opt-services.zeronsd.servedNetworks). 131 132 - [Collabora Online](https://www.collaboraonline.com/), a collaborative online office suite based on LibreOffice technology. Available as [services.collabora-online](options.html#opt-services.collabora-online.enable). 133 134 + - [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a WebUI for connecting devices. Available as [services.wg-access-server](#opt-services.wg-access-server.enable). 135 136 - [Pingvin Share](https://github.com/stonith404/pingvin-share), a self-hosted file sharing platform and an alternative for WeTransfer. Available as [services.pingvin-share](#opt-services.pingvin-share.enable). 137 ··· 141 142 - [Gatus](https://github.com/TwiN/gatus), an automated developer-oriented status page. Available as [services.gatus](#opt-services.gatus.enable). 143 144 + - [cryptpad](https://cryptpad.org/), a privacy-oriented collaborative office suite, has been added back. Available as [services.cryptpad](#opt-services.cryptpad.enable). 145 146 + - [realm](https://github.com/zhboner/realm), a simple, high performance relay server written in Rust. Available as [services.realm](#opt-services.realm.enable). 147 148 + - [Gotenberg](https://gotenberg.dev), an API server for converting files to PDFs that can be used alongside Paperless-ngx. Available as [services.gotenberg](options.html#opt-services.gotenberg.enable). 149 150 + - [Suricata](https://suricata.io/), a free and open source, mature, fast and robust network threat detection engine. Available as [services.suricata](options.html#opt-services.suricata.enable). 151 152 + - [Playerctld](https://github.com/altdesktop/playerctl), a daemon to track media player activity. Available as [services.playerctld](option.html#opt-services.playerctld.enable). 
153 154 + - [Glance](https://github.com/glanceapp/glance), a self-hosted dashboard that puts all your feeds in one place. Available as [services.glance](option.html#opt-services.glance.enable). 155 156 + - [Apache Tika](https://github.com/apache/tika), a toolkit that detects and extracts metadata and text from over a thousand different file types. Available as [services.tika](option.html#opt-services.tika.enable). 157 158 + - [Misskey](https://misskey-hub.net/en/), an interplanetary microblogging platform. Available as [services.misskey](options.html#opt-services.misskey.enable). 159 160 + - [Improved File Manager (IFM)](https://github.com/misterunknown/ifm), a single-file web-based file manager. Available as [services.ifm](options.html#opt-services.ifm.enable). 161 162 - [OpenGFW](https://github.com/apernet/OpenGFW), an implementation of the Great Firewall on Linux. Available as [services.opengfw](#opt-services.opengfw.enable). 163 164 - [Rathole](https://github.com/rapiz1/rathole), a lightweight and high-performance reverse proxy for NAT traversal. Available as [services.rathole](#opt-services.rathole.enable). 165 166 + - [Proton Mail bridge](https://proton.me/mail/bridge), a desktop application that runs in the background, encrypting and decrypting messages as they enter and leave your computer. Available as [services.protonmail-bridge](#opt-services.protonmail-bridge.enable). 167 168 + - [chromadb](https://www.trychroma.com/), an open-source AI application database with batteries included. Available as [services.chromadb](options.html#opt-services.chromadb.enable). 169 170 + - [bitmagnet](https://bitmagnet.io/), a self-hosted BitTorrent indexer, DHT crawler, content classifier and torrent search engine with WebUI, GraphQL API and Servarr stack integration. Available as [services.bitmagnet](options.html#opt-services.bitmagnet.enable). 171 172 - [Wakapi](https://wakapi.dev/), a time tracking software for programmers. 
Available as [services.wakapi](#opt-services.wakapi.enable). 173 174 - [foot](https://codeberg.org/dnkl/foot), a fast, lightweight and minimalistic Wayland terminal emulator. Available as [programs.foot](#opt-programs.foot.enable). 175 176 + - [ToDesk](https://www.todesk.com/linux.html), a remote desktop application. Available as [services.todesk](#opt-services.todesk.enable). 177 178 + - [Dependency Track](https://dependencytrack.org/), an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Available as [services.dependency-track](option.html#opt-services.dependency-track.enable). 179 180 - [Immich](https://github.com/immich-app/immich), a self-hosted photo and video backup solution. Available as [services.immich](#opt-services.immich.enable). 181 182 + - [saunafs](https://saunafs.com), a distributed POSIX file system. Available as [services.saunafs](options.html#opt-services.saunafs.enable). 183 184 + - [obs-studio](https://obsproject.com/), a free and open source software for video recording and live streaming. Available as [programs.obs-studio](#opt-programs.obs-studio.enable). 185 186 + - [Veilid](https://veilid.com), a privacy-focused, headless server for data sharing and messaging on a peer-to-peer network. Available as [services.veilid](#opt-services.veilid.enable). 187 188 - [Fedimint](https://github.com/fedimint/fedimint), a module based system for building federated applications (Federated E-Cash Mint). Available as [services.fedimintd](#opt-services.fedimintd). 189 190 + - [tiny-dfr](https://github.com/WhatAmISupposedToPutHere/tiny-dfr), a dynamic function row daemon for the Touch Bar found on some Apple laptops. Available as [hardware.apple.touchBar.enable](options.html#opt-hardware.apple.touchBar.enable). 191 192 + - [Swapspace](https://github.com/Tookmund/Swapspace), a dynamic swap space manager that turns your unused free space into swap automatically. 
Available as [services.swapspace](#opt-services.swapspace.enable). 193 194 + - [Zapret](https://github.com/bol-van/zapret), a DPI bypass tool. Available as [services.zapret](option.html#opt-services.zapret.enable). 195 196 ## Backward Incompatibilities {#sec-release-24.11-incompatibilities} 197 198 - The `sound` options have been removed or renamed, as they had a lot of unintended side effects. See [below](#sec-release-24.11-migration-sound) for details. 199 200 + - The NVIDIA driver no longer defaults to the proprietary kernel module with versions >= 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open modules. 201 202 - The `(buildPythonPackage { ... }).override` attribute is now deprecated and removed in favour of `overridePythonAttrs`. 203 This change does not affect the override interface of most Python packages, as [`<pkg>.override`](https://nixos.org/manual/nixpkgs/unstable/#sec-pkg-override) provided by `callPackage` shadows such a locally-defined `override` attribute. ··· 206 207 - All GNOME packages have been moved to top-level (i.e., `gnome.nautilus` is now `nautilus`). 208 209 + - `transmission` has been aliased with a `trace` warning to `transmission_3`, since [Transmission 4 has been released last year](https://github.com/transmission/transmission/releases/tag/4.0.0) and Transmission 3 will eventually go away -- this is meant to make people aware of the new version. `services.transmission.package` now also defaults to `transmission_3`, as the upgrade can cause data loss in some cases (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). 
Please make sure to back up to your data directory if you may be affected: 210 - `transmission-gtk`: `~/.config/transmission` 211 - `transmission-daemon` using NixOS module: `${config.services.transmission.home}/.config/transmission-daemon` (defaults to `/var/lib/transmission/.config/transmission-daemon`) 212 ··· 216 - `unifi` has been updated to UniFi 8. 217 `unifi7` was removed as it is vulnerable to CVE-2024-42025 and required a version of MongoDB that has reached end of life. 218 219 + - `androidenv.androidPkgs_9_0` has been removed. It is replaced with `androidenv.androidPkgs` for a more complete Android SDK, including support for Android 9 and later. 220 221 - `grafana` has been updated to version 11.1. This version doesn't support setting `http_addr` to a hostname anymore, an IP address is expected. 222 ··· 234 - `bluemap` has changed the format used to store map tiles, and the database layout has been heavily modified. Upstream recommends a clean reinstallation: <https://github.com/BlueMap-Minecraft/BlueMap/releases/tag/v5.2>. Unless you are using an SQL storage backend, this should only entail deleting the contents of `config.services.bluemap.coreSettings.data` (defaults to `/var/lib/bluemap`) and `config.services.bluemap.webRoot` (defaults to `/var/lib/bluemap/web`). 235 236 - `wstunnel` has had a major version upgrade that entailed rewriting the program in Rust. 237 + The module was updated to accommodate for breaking changes and breaking changes to the 238 + module options were minimised as much as possible. Nonetheless, some were inevitable due 239 + to changes in the upstream CLI. Certain options were moved from separate CLI arguments into 240 + the forward specifications, and those options were also removed from the module's options. 241 + Please consult the wstunnel man page for more details. 
242 Also be aware that if you have set additional options in `services.wstunnel.{clients,servers}.<name>.extraArgs`, 243 + they may have been modified or removed upstream. 244 245 - `percona-server_8_4` and `mysql84` now have password authentication via the deprecated `mysql_native_password` disabled by default. This authentication plugin can be enabled via a CLI argument again, for detailed instructions and alternative authentication methods [see upstream documentation](https://dev.mysql.com/doc/refman/8.4/en/native-pluggable-authentication.html). The config file directive `default_authentication_plugin` has been removed. 246 ··· 251 - For convenience, the top-level `clang-tools` attribute remains and is now bound to `llvmPackages.clang-tools`. 252 - Top-level `clang_tools_<version>` attributes are now aliases; these will be removed in a future release. 253 254 + - `buildbot` was updated to 4.0 and the AngularJS frontend replaced by a React frontend. See the [upstream release notes](https://docs.buildbot.net/current/manual/upgrading/4.0-upgrade.html). 255 256 + - `headscale` has been updated to version 0.23.0 which reworked large parts of the configuration, including DNS, Magic DNS prefixes and ACL policy files. See the [upstream changelog](https://github.com/juanfont/headscale/releases/tag/v0.23.0) for details. 257 258 + - `nginx` package no longer includes the `gd` and `geoip` dependencies. To re-enable them, override `nginx` with the options `withImageFilter = true;` and `withGeoIP = true;`. 259 260 + - `systemd.enableUnifiedCgroupHierarchy` has been removed. 261 + In systemd 256, support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now considered obsolete and systemd will refuse to boot under it by default. 262 + To forcibly re-enable cgroup v1 support, you can set `boot.kernelParams = [ "systemd.unified_cgroup_hierarchy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ]`. 
263 + This is not an officially supported configuration and might cause your system to become unbootable in future versions. You are on your own. 264 265 + - `nrfutil` -- which previously pointed to the now-deprecated `pc-nrfutil` Python package -- has been repackaged under the same name with the new nrfutil tool. 266 267 + - `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components. Users needing this support can 268 + use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` package flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`). 269 270 - `security.ipa.ipaHostname` now defaults to the value of `networking.fqdn` if 271 it is set, instead of the previous hardcoded default of 272 `${networking.hostName}.${security.ipa.domain}`. 273 274 + - The `MSMTP_QUEUE` and `MSMTP_LOG` environment variables accepted by `msmtpq` have been renamed to `MSMTPQ_Q` and `MSMTPQ_LOG` respectively. 275 276 + - The logrotate service has been hardened and now requires enabling `allowNetworking` if network access is required. 277 278 - `mautrix-whatsapp` has been updated to version 0.11.0, which is a major rewrite of the bridge. Config file changes are required. 279 ··· 290 Processes also now run as a dynamically allocated user by default instead of 291 root. 292 293 + - The `mautrix-signal` module was adapted to incorporate the configuration changes that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work. 294 + In case you want to update your configuration, make sure to check the NixOS manual. 295 296 - The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver. 297 ··· 304 305 - `singularity-tools` have the `storeDir` argument removed from its override interface and use `builtins.storeDir` instead. 
306 307 + - The `mkLayer` and `shellScript` build helpers in `singularity-tools` are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases. 308 309 - The `rust.toTargetArch`, `rust.toTargetOs`, `rust.toTargetFamily`, `rust.toTargetVendor`, `rust.toRustTarget`, `rust.toRustTargetSpec`, `rust.toRustTargetSpecShort`, and `rust.IsNoStdTarget` functions are deprecated in favour of the `rust.platform.arch`, `rust.platform.os`, `rust.platform.target-family`, `rust.platform.vendor`, `rust.rustcTarget`, `rust.rustcTargetSpec`, `rust.cargoShortTarget`, `rust.cargoEnvVarTarget`, and `rust.isNoStdTarget` platform attributes respectively. 310 311 + - All Budgie and `budgiePlugins` packages have been moved to top-level (i.e., 312 + `budgie.budgie-desktop` is now `budgie-desktop` and `budgiePlugins.budgie-media-player-applet` 313 + is now `budgie-media-player-applet`). 314 315 + - The method of safely handling secrets in the `networking.wireless` module has been changed to benefit from a [new feature](https://w1.fi/cgit/hostap/commit/?id=e680a51e94a33591f61edb210926bcb71217a21a) of `wpa_supplicant`. 316 The syntax to refer to secrets has changed slightly and the option `networking.wireless.environmentFile` has been replaced by `networking.wireless.secretsFile`; see the description of the latter for how to upgrade. 317 318 - NetBox was updated to `>= 4.1.0`. ··· 349 to use `extraOpts` flags. 
350 351 A previous configuration may have looked like this: 352 + 353 ```nix 354 + { 355 + featureGates = [ "EphemeralContainers" ]; 356 + extraOpts = pkgs.lib.concatStringsSep " " ( 357 + [ 358 + ''--feature-gates="CSIMigration=false"'' 359 + ] 360 + ); 361 + } 362 ``` 363 364 + Using an attribute set instead, the new configuration would be: 365 + 366 ```nix 367 + { 368 + featureGates = { 369 + EphemeralContainers = true; 370 + CSIMigration=false; 371 + }; 372 + } 373 ``` 374 375 + - `pkgs.nextcloud27` has been removed as it has reached EOL. 376 377 - The `environment.noXlibs` option has been removed. It was a common source of unexpected rebuilds and breakage that was often hard to diagnose. 378 If you need to disable certain libraries, you're encouraged to add your own overlay to your configuration that targets the packages you care about. 379 380 + - `frigate` was updated past 0.14.0. This release includes various breaking changes, so please review the [release notes](https://github.com/blakeblackshear/frigate/releases/tag/v0.14.0). 381 + Most prominently, access to the web interface and API are now protected by authentication. Retrieve the auto-created 382 admin account from the `frigate.service` journal after upgrading. 383 384 - `nodePackages.coc-python` was dropped, as [its upstream is unmaintained](https://github.com/neoclide/coc-python). The associated `vimPlugins.coc-python` was also dropped. ··· 398 399 - `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead. 400 401 + - `services.pgbouncer` systemd service is now configured with `Type=notify-reload` and allows reloading configuration without process restart. PgBouncer configuration options were moved to the freeform type option under [`services.pgbouncer.settings`](#opt-services.pgbouncer.settings). 402 403 - Docear was removed because it was unmaintained upstream. 
404 JabRef, Zotero, or Mendeley are potential replacements. ··· 419 Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/) 420 and [release notes for v16](https://goteleport.com/docs/changelog/#1600-061324). 421 422 + - `tests.overriding`'s `passthru.tests` has been restructured as an attribute set instead of a list, making individual tests accessible by their names. 423 424 + - `skk-dict` was split into multiple packages under `skkDictionaries`. 425 + If in doubt of what to use, try `skkDictionaries.l`. As part of this change, the dictionaries 426 + were moved from `$out/share` to `$out/share/skk`. The dictionaries also won't 427 + be converted to UTF-8 unless the `useUtf8` package option is enabled; UTF-8 428 converted dictionaries will have the .utf8 suffix appended to its filename. 429 430 - `vaultwarden` lost the capability to bind to privileged ports. If you rely on 431 this behavior, override the systemd unit to allow `CAP_NET_BIND_SERVICE` in 432 + your configuration. 433 434 + - `services.invoiceplane.sites.<name>.extraConfig` was removed. Configuration must now be done 435 + through the structured `services.invoiceplane.sites.<name>.settings` option. 436 437 + - `services.ollama.sandbox` has been replaced with options to configure 438 + a static `user` and `group`. The `writablePaths` option has also been removed and 439 the models directory is now always exempt from sandboxing. 440 441 - The `gns3-server` service now runs under the `gns3` system user ··· 452 before changing the package to `pkgs.stalwart-mail` in 453 [`services.stalwart-mail.package`](#opt-services.stalwart-mail.package). 454 455 + - `nomad_1_5` and `nomad_1_6` were dropped, as [they have reached end-of-life upstream](https://support.hashicorp.com/hc/en-us/articles/360021185113-Support-Period-and-End-of-Life-EOL-Policy). Evaluating them will throw an error. 456 457 - The default `nomad` package has been updated to 1.8.x. 
For more information, see [breaking changes for Nomad 1.8](https://developer.hashicorp.com/nomad/docs/upgrade/upgrade-specific#nomad-1-8-0) 458 ··· 460 461 - Android NDK version 26 and SDK version 33 are now the default versions used for cross compilation to android. 462 463 + - `ankisyncd` package and its `services.ankisyncd` have been removed. Use [`services.anki-sync-server`](#opt-services.anki-sync-server.enable) instead. 464 465 - `nodePackages.vscode-css-languageserver-bin`, `nodePackages.vscode-html-languageserver-bin`, 466 and `nodePackages.vscode-json-languageserver-bin` were dropped due to an unmaintained upstream. ··· 469 - `nodePackages.prisma` has been replaced by `prisma`. 470 471 - `fetchNextcloudApp` has been rewritten to use `fetchurl` rather than 472 + `fetchzip`. This invalidates all existing hashes, but you can restore the old 473 behavior by passing it `unpack = true`. 474 475 + - `haskell.lib.compose.justStaticExecutables` now disallows references to GHC in its 476 + output by default to alert users to closure size issues caused by 477 [#164630](https://github.com/NixOS/nixpkgs/issues/164630). See ["Packaging 478 Helpers" in the Haskell section of the Nixpkgs 479 manual](https://nixos.org/manual/nixpkgs/unstable/#haskell-packaging-helpers) 480 for information on working around `output '...' is not allowed to refer to 481 the following paths` errors caused by this change. 482 483 + - `services.stalwart-mail` now runs under the `stalwart-mail` system user 484 + instead of a dynamic one via `DynamicUser` in order to avoid automatic 485 + ownership changes on its large file store on service restart. 486 This change requires to manually move the state directory from 487 + `/var/lib/private/stalwart-mail` to `/var/lib/stalwart-mail`, and to 488 change the ownership of the directory and its content to `stalwart-mail`. 489 490 + - `services.stalwart-mail` now uses RocksDB as the default storage backend 491 + for `stateVersion` ≥ 24.11. 
It was previously using SQLite for structured 492 + data and the filesystem for blobs. 493 494 + - `services.stargazer` has been hardened to improve security, but these 495 changes make break certain setups, particularly around traditional CGI. 496 497 + - `services.stargazer.allowCgiUser` has been added, enabling 498 Stargazer's `cgi-user` option to work, which was previously broken. 499 500 + - `services.shiori` now requires the HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided as an environment variable. `services.shiori.environmentFile` has been introduced to handle this: 501 502 ``` 503 # This is how a environment file can be generated: ··· 507 508 - `/share/nano` is now only linked when `programs.nano.enable` is enabled. 509 510 + - PPD files for Utax printers were renamed (spaces replaced by underscores) in the newest `foomatic-db` package. Users of Utax printers might need to adapt their `hardware.printers.ensurePrinters.*.model` value to account for this. 511 512 - `sqldeveloper` was dropped due to being severely out-of-date and having a dependency on 513 JavaFX for Java 8, which we do not support. 514 515 + - The `kvdo` kernel module package was removed as it was upstreamed in kernel version 6.9, where it is now called `dm-vdo`. 516 517 - `libe57format` has been updated to `>= 3.0.0`, which contains some backward-incompatible API changes. See the [release note](https://github.com/asmaloney/libE57Format/releases/tag/v3.0.0) for more details. 518 519 - `gitlab` deprecated support for *runner registration tokens* in GitLab 16.0, disabled their support in GitLab 17.0 and will 520 + ultimately remove it in GitLab 18.0 (as outlined in the 521 + [documentation](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#estimated-time-frame-for-planned-changes)). 522 After upgrading to GitLab >= 17.0, it is possible to re-enable support for registration tokens in the UI until GitLab 18.0. 
523 Refer to the manual on [using registration tokens after GitLab 17.0](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170). 524 GitLab administrators should migrate to the [new runner registration workflow](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170) 525 with *runner authentication tokens* until the release of GitLab 18.0. 526 527 + - `gitlab` has been updated from 16.x to 17.x and requires `postgresql` >= 14.9, as stated in the [documentation](https://docs.gitlab.com/17.1/ee/install/requirements.html#postgresql-requirements). Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation. 528 529 + - `gitaly` (part of `gitlab`) is now using the bundled `git` package instead of `pkgs.git`, to maintain compatibility with GitLab. 530 531 - `nixos/gitlab` no longer adds `pkgs.git` to `environment.systemPackages` by default. 532 533 - The `replay-sorcery` package and module was removed as it unmaintained upstream. Consider using `gpu-screen-recorder` or `obs-studio` instead. 534 535 + - A few options of `services.samba` have been moved from `extraConfig` and `configText` to the new freeform option `settings` and renamed, e.g.: 536 - `services.samba.invalidUsers` to `services.samba.settings.global."invalid users"` 537 - `services.samba.securityType` to `services.samba.settings.global."security type"` 538 - `services.samba.shares` to `services.samba.settings` ··· 542 - `zx` was updated to v8, which introduces several breaking changes. 543 See the [v8 changelog](https://github.com/google/zx/releases/tag/8.0.0) for more information. 544 545 + - `feishin` removed support for Navidrome `< v0.53.2` due to an API change. See the [v0.10.0 release notes](https://github.com/jeffvli/feishin/releases/tag/v0.10.0) for more information. 
546 547 + - `services.dnscrypt-wrapper` was removed, as the project has been effectively unmaintained since 2018. Moreover, the NixOS module had to rely on an abandoned version of `dnscrypt-proxy` v1 for the rotation of keys. 548 + To wrap a resolver with DNSCrypt, you can instead use `dnsdist`. See `services.dnsdist.dnscrypt` 549 550 - The `portunus` package and service do not support weak password hashes anymore. 551 If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing. ··· 560 Explicitly set `kubelet.hostname` to `networking.fqdnOrHostName` to get back 561 the old default behavior. 562 563 + - Docker now defaults to 27.x, as version 24.x stopped receiving security updates and bug fixes after [February 1, 2024](https://github.com/moby/moby/pull/46772#discussion_r1686464084). 564 565 - `postgresql` was split into default and -dev outputs. To make this work without circular dependencies, the output of the `pg_config` system view has been removed. The `pg_config` binary is provided in the -dev output and still works as expected. 566 ··· 575 The `shout` top-level attribute was an alias to this package. 576 The associated `services.shout` module has also been removed. 577 578 + - `prometheus-openldap-exporter` was removed, as it was unmaintained both upstream and in nixpkgs. 579 + 580 - The `indi-full` package no longer contains non-free drivers. 581 To get the old collection of drivers use `indi-full-nonfree` or create your own collection of drivers by overriding indi-with-drivers. 582 E.g.: `pkgs.indi-with-drivers.override {extraDrivers = with pkgs.indi-3rdparty; [indi-gphoto];}` ··· 592 support, which is the intended default behavior by Tracy maintainers. 593 X11 users have to switch to the new package `tracy-x11`. 594 595 + - `gollum` has been upgraded to major version 6. Please review their [migration notes](https://github.com/gollum/gollum/wiki/6.0-Release-Notes). 
596 + 597 + - `services.prometheus.exporters.minio` option has been removed, as it's upstream implementation was broken and unmaintained. 598 Minio now has built-in [Prometheus metrics exposure](https://min.io/docs/minio/linux/operations/monitoring/collect-minio-metrics-using-prometheus.html), which can be used instead. 599 600 - The `services.prometheus.exporters.tor` option has been removed, as its upstream implementation was broken and unmaintained. 601 602 + - `services.patroni.raft` has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300). 603 604 - The `jd-cli` package was removed due to an inactive upstream and a dependency on the shut down 605 JCenter JAR repository. ··· 610 611 - `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset overhead introduced by the base64 encoding applied to attachments. 612 613 + - `services.mxisd` has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are no longer maintained. 614 + Consequently, the package `ma1sd` has also been removed. 615 616 - The `rss-bridge` service drops the support to load a configuration file from `${config.services.rss-bridge.dataDir}/config.ini.php`. 617 Consider using the `services.rss-bridge.config` option instead. 618 619 + - `mikutter` has been removed, as the package was broken and had no maintainers in nixpkgs. 620 + 621 + - `xdg.portal.gtkUsePortal` has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`. 622 623 - Support for the legacy CUPS browsing and LDAP have been removed from `services.printing`. 
If `cups` or `ldap` are in the `BrowseRemoteProtocols` setting in `services.printing.browsedConf`, it needs to be removed. 624 625 + - `services.trust-dns` has been renamed to `services.hickory-dns`. 626 627 + - `services.prometheus.exporters.pgbouncer.connectionStringFile` has been removed since 628 it leaked the connection string (and thus potentially the DB password) into the cmdline 629 of process making it effectively world-readable. 630 631 Use [`services.prometheus.exporters.pgbouncer.connectionEnvFile`](#opt-services.prometheus.exporters.pgbouncer.connectionEnvFile) instead. 632 633 + - `lsh` and `services.lshd` have been removed as they had no maintainer in Nixpkgs and no upstream release in over a decade. It is recommended to migrate to `openssh` and `services.openssh`. 634 635 - `ceph` has been upgraded to v19. See the [Ceph "squid" release notes](https://docs.ceph.com/en/latest/releases/squid/#v19-2-0-squid) for details and recommended upgrade procedure. 636 ··· 644 were not used by any other package. External users are encouraged to 645 migrate to OpenCV 4. 646 647 + - `tvheadend` package and the `services.tvheadend` module have been 648 + removed due to lack of maintenance in Nixpkgs and being stuck on 649 + an unmaintained version that required FFmpeg 4. Please see the related [pull 650 request #332259](https://github.com/NixOS/nixpkgs/pull/332259) if you 651 are interested in maintaining a newer version. 652 653 + - `antennas` and `services.antennas` have been removed as they only work with `tvheadend` (see above). 654 655 + - `system.build.brightboxImage` has been removed as it no longer built and has not seen any maintenance in over 7 years (excluding tree-wide changes). 656 657 + - `services.syncplay` now exposes all currently available command-line arguments for `syncplay-server` as options, as well as a `useACMEHost` option for easy TLS setup. 
658 The systemd service now uses `DynamicUser`/`StateDirectory` and the `user` and `group` options have been deprecated. 659 660 + - `openlens` was removed. It is recommended to use `lens-desktop` instead. 661 662 + - `services.dnsmasq.extraConfig` has been removed, as it had been deprecated for over 2 years. This option has been replaced by `services.dnsmasq.settings`. 663 664 - The NixOS installation media no longer support the ReiserFS or JFS file systems by default. 665 ··· 676 677 - `openssl` now defaults to the latest version line `3.3.x`, instead of `3.0.x` before. While there should be no major code incompatibilities, newer OpenSSL versions typically strengthen the default security level. This means that you may have to explicitly allow weak ciphers, hashes and key lengths if necessary. See: [OpenSSL security level documentation](https://docs.openssl.org/3.3/man3/SSL_CTX_set_security_level/). 678 679 + - `isync` has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details. 680 681 - Legacy package `globalprotect-openconnect` 1.x and related module 682 + `services.globalprotect` were dropped. Two new packages -- `gpauth` and `gpclient` 683 + from the 2.x version of the GlobalProtect-openconnect project -- are added in its 684 place. The GUI components related to the project are non-free and not 685 packaged. 686 687 - Compatible string matching for `hardware.deviceTree.overlays` has been changed to a more correct behavior. See [below](#sec-release-24.11-migration-dto-compatible) for details. 688 689 + - `rustic` was upgraded to `0.9.0`, which contains [breaking changes to the config file format](https://github.com/rustic-rs/rustic/releases/tag/v0.9.0). 
690 691 - `pkgs.formats.ini` and `pkgs.formats.iniWithGlobalSection` with 692 `listsAsDuplicateKeys` or `listToValue` no longer merge non-list values into ··· 771 The derivation now installs "impl" headers selectively instead of by a wildcard. 772 Use `imgui.src` if you just want to access the unpacked sources. 773 774 + - The new `boot.loader.systemd-boot.windows` option makes setting up dual-booting with Windows on a different drive easier. 775 776 + - Linux 4.19 has been removed because it will reach its end of life within the lifespan of 24.11. 777 778 - Unprivileged access to the kernel syslog via `dmesg` is now restricted by default. Users wanting to keep an 779 unrestricted access to it can set `boot.kernel.sysctl."kernel.dmesg_restrict" = false`. ··· 781 - The `i18n.inputMethod` module introduces two new properties: 782 `enable` and `type`, for declaring whether to enable an alternative input method and defining which input method respectfully. The options available in `type` are the same as the existing `enabled` option. `enabled` is now deprecated, and will be removed in a future release. 783 784 + - `security.pam.u2f` now uses freeform options; all module options are now configurable through `security.pam.u2f.settings`. 785 786 + - `mikutter` was removed as the package was broken and had no maintainers. 787 788 + - `services.getty.autologinOnce` was added to limit the automatic login to once per boot and on the first tty only. 789 When using full disk encryption, this option allows to unlock the system without retyping the passphrase while keeping the other ttys protected. 790 791 - Gollum was upgraded to major version 6. Read their [migration notes](https://github.com/gollum/gollum/wiki/6.0-Release-Notes). ··· 796 797 - `services.timesyncd.fallbackServers` was added and defaults to `networking.timeServers`. 798 799 + - Cinnamon has been updated to 6.2. 
Please check [upstream announcement](https://www.linuxmint.com/rel_wilma_whatsnew.php) for more details. 800 + Following Mint 22 defaults, the Cinnamon module no longer ships `geary` and `hexchat` by default. 801 802 - `zfs.latestCompatibleLinuxPackages` is deprecated and is now pointing at the default kernel. If using the stable LTS kernel (default `linuxPackages` is not possible then you must explicitly pin a specific kernel release. For example, `boot.kernelPackages = pkgs.linuxPackages_6_6`. Please be aware that non-LTS kernels are likely to go EOL before ZFS supports the latest supported non-LTS release, requiring manual intervention. 803 804 - The `shadowstack` hardening flag has been added, though disabled by default. 805 806 + - `xxd` is now provided by the `tinyxxd` package rather than `vim.xxd` to reduce closure size and vulnerability impact. Since it has the same options and semantics as Vim's `xxd` utility, there is no user impact. Vim's `xxd` remains available as the `vim.xxd` package. 807 808 + - `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep). Available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep). 809 810 - The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped. 811 ··· 846 847 - `qgis` and `qgis-ltr` are now built without `grass` by default. `grass` support can be enabled with `qgis.override { withGrass = true; }`. 848 849 + ## Detailed Migration Information {#sec-release-24.11-migration} 850 851 ### `sound` options removal {#sec-release-24.11-migration-sound} 852
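Review bot: The example in the `openssh` entry (new lines 267-268) sets `programs.ssh.package = pkgs.openssh_gssapi`, which matches neither of the flavors the same sentence introduces (`opensshWithKerberos` and `openssh_hpnWithKerberos`). This entry is the migration path for anyone who depends on Kerberos 5 / GSSAPI authentication, so the example should use one of the attributes it names, for instance `programs.ssh.package = pkgs.opensshWithKerberos`, or the text should explain how `openssh_gssapi` relates to them.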
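Review bot: Several entries now appear twice in this file with slightly different wording, and a cleanup pass is the right place to merge them. The NVIDIA change is at new line 200 ("no longer defaults to the proprietary kernel module with versions >= 560") and again at line 296 ("no longer defaults to the proprietary driver starting with version 560"). The `mikutter` removal is at new lines 619 and 786, and the Gollum 6 upgrade is at new line 595 and line 791. Keep one entry per change, in the section where it belongs, and drop the other.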
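Review bot: The Zapret entry (new line 194) links its option as `option.html#opt-services.zapret.enable`, while the swapspace entry directly above it and the other option links in this file (for example `#opt-services.pgbouncer.settings`) use the bare `#opt-...` anchor. Use `#opt-services.zapret.enable` so the link resolves the same way as the others. While touching links: in the GitLab runner entry (lines 523-524) the "new runner registration workflow" link points at the same `#using-registration-tokens-after-gitlab-170` anchor as the sentence before it, which looks like a copy of the wrong target.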
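Review bot: A few wording slips remain in lines this patch rewrites. New line 597 has "as it's upstream implementation", which should be "its" (line 600 already has it right). The Transmission entry at new line 209 says "back up to your data directory", which reads as "back up your data directory". The `services.dnscrypt-wrapper` entry at new line 548 ends without a full stop after `services.dnsdist.dnscrypt`. In the unchanged context nearby, line 495 has "make break" for "may break", line 782 has "respectfully" for "respectively", and line 802 opens a parenthesis at "(default `linuxPackages`" that is never closed; since this is a cleanup commit, those are worth fixing in the same pass.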
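Review bot: In the reformatted `featureGates` example (new lines 367-372), `CSIMigration=false;` has no spaces around `=` while the line above it is written `EphemeralContainers = true;`. The block was re-indented in this patch, so please normalise it to `CSIMigration = false;` to match the Nix formatting used in the rest of the file.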