Release 22.05 (“Quokka”, 2022.05/30)
Support is planned until the end of December 2022, handing over
to 22.11.
Highlights
In addition to numerous new and upgraded packages, this release
has the following highlights:
Nix has been updated from 2.3 to 2.8. This mainly brings experimental support for Flakes, but also marks the nix command as experimental which now has to be enabled via the configuration explicitly. For more information and instructions for upgrades, see the relase notes for nix-2.4,
nix-2.5, nix-2.6, nix-2.7 and nix-2.8
The firefox browser on
x86_64-linux now makes use of
profile-guided optimisation, resulting in a much more
responsive browsing experience.
GNOME has been upgraded to 42. Please take a look at their
Release
Notes for details. In particular, it replaces gedit
with GNOME Text Editor, GNOME Terminal with GNOME Console
(formerly King’s Cross) and GNOME Screenshot by a tool
integrated into the Shell.
PHP 8.1 is now available.
systemd services can now set
systemd.services.<name>.reloadTriggers
instead of reloadIfChanged for a more
granular distinction between reloads and restarts.
Systemd has been upgraded to the version 250.
Pulseaudio has been updated to version 15.0 and now optionally
supports
additional Bluetooth audio codecs such as aptX or LDAC,
with codec switching available in
pavucontrol. This feature is disabled by
default, but can be enabled with the option
hardware.pulseaudio.package = pkgs.pulseaudioFull;.
Existing third-party modules that offered similar functions,
such as pulseaudio-modules-bt or
pulseaudio-hsphfpd, are obsolete and have
been removed.
PostgreSQL now defaults to major version 14.
Module authors can use
mkRenamedOptionModuleWith to automate the
deprecation cycle without annoying out-of-tree module authors
and their users.
The default GHC version has been updated from 8.10.7 to 9.0.2.
pkgs.haskellPackages and
pkgs.ghc will now use this version by
default.
The GNOME and Plasma installation CDs now use
pkgs.calamares and
pkgs.calamares-nixos-extensions to allow
users to easily install and set up NixOS with a GUI.
security.acme.defaults has been added to
simplify the configuration of settings for many certificates
at once. This also opens up the option to use DNS-01
validation when using enableACME web server
virtual hosts (e.g.
services.nginx.virtualHosts.*.enableACME).
New Services
1password,
command-lines and graphic interface for 1Password. Available
as
programs._1password
and
programs._1password-gui.
aesmd,
the Intel SGX Architectural Enclave Service Manager. Available
as
services.aesmd.
agate,
a very simple server for the Gemini hypertext protocol.
Available as
services.agate.
apfs,
a kernel module for mounting the Apple File System (APFS).
argonone,
a replacement daemon for the Raspberry Pi Argon One power
button and cooler. Available at
services.hardware.argonone.
ArchiSteamFarm,
a C# application with primary purpose of idling Steam cards
from multiple accounts simultaneously. Available as
services.archisteamfarm.
BaGet,
a lightweight NuGet and symbol server. Available at
services.baget.
bird-lg,
a BGP looking glass for Bird Routing. Available as
services.bird-lg.
blocky,
fast and lightweight DNS proxy as ad-blocker for local network
with many features. Available as
services.blocky.
cloudflare-dyndns,
CloudFlare Dynamic DNS client. Available as
services.cloudflare-dyndns.
Corosync
and
Pacemaker,
A open-source high availability resource manager. Available as
services.corosync
and
services.pacemaker.
create_ap,
a module for creating wifi hotspots using the program
linux-wifi-hotspot. Available as
services.create_ap.
Envoy, a
high-performance reverse proxy. Available as
services.envoy.
ergochat, a modern
IRC with IRCv3 features. Available as
services.ergochat.
ethercalc,
an online collaborative spreadsheet. Available as
services.ethercalc.
filebeat,
a lightweight shipper for forwarding and centralizing log
data. Available as
services.filebeat.
FRRouting, a
popular suite of Internet routing protocol daemons (BGP, BFD,
OSPF, IS-IS, VRRP and others). Available as
services.frr.
Grafana
Mimir, an open source, horizontally scalable, highly
available, multi-tenant, long-term storage for Prometheus.
Available as
services.mimir.
Haste,
a pastebin written in node.js. Available as
services.haste.
headscale,
an Open Source implementation of the
Tailscale
Control Server. Available as
services.headscale.
heisenbridge,
a bouncer-style Matrix IRC bridge. Available as
services.heisenbridge.
https-dns-proxy,
DNS to DNS over HTTPS (DoH) proxy. Available as
services.https-dns-proxy.
input-remapper,
an easy to use tool to change the mapping of your input device
buttons. Available at
services.input-remapper.
InvoicePlane,
web application for managing and creating invoices. Available
at
services.invoiceplane.
k3b,
the KDE disk burning application. Available as
programs.k3b.
K40-Whisperer,
a program to control cheap Chinese laser cutters. Available as
programs.k40-whisperer.enable.
Users must add themselves to the k40 group
to be able to access the device.
kanidm,
an identity management server written in Rust. Available as
services.kanidm
Maddy, a free
an open source mail server. Availabe as
services.maddy.
matrix-conduit,
a simple, fast and reliable chat server powered by matrix.
Available as
services.matrix-conduit.
Moosefs, fault
tolerant petabyte distributed file system. Available as
moosefs.
mozillavpn,
the client for the
Mozilla VPN
service. Available as
services.mozillavpn.
mtr-exporter,
a Prometheus exporter for mtr metrics. Available as
services.mtr-exporter.
nbd, a
Network Block Device server. Available as
services.nbd.
netbox,
infrastructure resource modeling (IRM) tool. Available as
services.netbox.
nethoscope,
listen to your network traffic. Available as
programs.nethoscope.
nifi, an
easy to use, powerful, and reliable system to process and
distribute data. Available as
services.nifi.
nix-ld,
Run unpatched dynamic binaries on NixOS. Available as
programs.nix-ld.
NNCP, NNCP
(Node to Node copy) utilities and configuration, Available as
programs.nncp.
pgadmin4,
an admin interface for the PostgreSQL database. Available at
services.pgadmin.
PowerDNS-Admin,
a web interface for the PowerDNS server. Available at
services.powerdns-admin.
prometheus-pve-exporter,
a tool that exposes information from the Proxmox VE API for
use by Prometheus. Available as
services.prometheus.exporters.pve.
prosody-filer,
a server for handling XMPP HTTP Upload requests. Available at
services.prosody-filer.
Public
Inbox, an archives first approach to
mailing lists. Available as
services.public-inbox.
r53-ddns,
a small tool to run your own DDNS service via AWS Route53.
Available as
services.r53-ddns.
rmfakecloud,
a clone of the cloud sync the remarkable tablet. Available as
services.rmfakecloud.
rootless
Docker, a systemd --user Docker
service which runs without root permissions. Available as
virtualisation.docker.rootless.enable.
rstudio-server,
a browser-based version of the RStudio IDE for the R
programming language. Available as
services.rstudio-server.
rtsp-simple-server,
ready-to-use RTSP / RTMP / HLS server and proxy that allows to
read, publish and proxy video and audio streams. Available as
services.rtsp-simple-server.
Snipe-IT, a
free open source IT asset/license management system. Available
as
services.snipe-it.
snowflake-proxy,
a system to defeat internet censorship. Available as
services.snowflake-proxy.
sslmate-agent,
a daemon for managing SSL/TLS certificates on a server.
Available as
services.sslmate-agent.
starship, a
minimal, blazing-fast, and infinitely customizable prompt for
any shell. Available at
programs.startship.
systembus-notify,
allow system level notifications to reach the users. Available
as
services.systembus-notify.
Please keep in mind that this service should only be enabled
on machines with fully trusted users, as any local user is
able to DoS user sessions by spamming notifications.
teleport,
allows engineers and security professionals to unify access
for SSH servers, Kubernetes clusters, web applications, and
databases across all environments. Available at
services.teleport.
tetrd, share your
internet connection from your device to your PC and vice versa
through a USB cable. Available at
services.tetrd.
uptermd, an
open-source solution for sharing terminal sessions instantly
over the public internet via secure tunnels. Available at
services.uptermd.
usbrelayd,
an USB Relay MQTT daemon. Available as
services.usbrelayd.
webdav-server-rs,
Webdav server in rust. Available as
services.webdav-server-rs.
wg-netmanager,
the Wireguard network manager. Available as
services.wg-netmanager.
Zammad, a
web-based, open source user support/ticketing solution.
Available as
services.zammad.
Backward Incompatibilitiespkgs.ghc now refers to
pkgs.targetPackages.haskellPackages.ghc.
This only makes a difference if you are
cross-compiling and will ensure that
pkgs.ghc always runs on the host platform
and compiles for the target platform (similar to
pkgs.gcc for example).
haskellPackages.ghc still behaves as
before, running on the build platform and compiling for the
host platform (similar to stdenv.cc). This
means you don’t have to adjust your derivations if you use
haskellPackages.callPackage, but when using
pkgs.callPackage and taking
ghc as an input, you should now use
buildPackages.ghc instead to ensure cross
compilation keeps working (or switch to
haskellPackages.callPackage).
pkgs.ghc.withPackages as well as
haskellPackages.ghcWithPackages etc. now
needs be overridden directly, as opposed to overriding the
result of calling it. Additionally, the
withLLVM parameter has been renamed to
useLLVM. So instead of
(ghc.withPackages (p: [])).override { withLLVM = true; },
one needs to use
(ghc.withPackages.override { useLLVM = true; }) (p: []).
The update of the haskell package set brings with it a new
version of the xmonad module, which will
break your configuration if you use launch
as entrypoint. The example code the corresponding nixos module
was adjusted, you may want to have a look at it.
The home-assistant module now requires
users that don’t want their configuration to be managed
declaratively to set
services.home-assistant.config = null;.
This is required due to the way default settings are handled
with the new settings style.
Additionally the default list of
extraComponents now includes the minimal
dependencies to successfully complete the
onboarding
procedure.
pkgs.emacsPackages.orgPackages is removed
because org elpa is deprecated. The packages in the top level
of pkgs.emacsPackages, such as org and
org-contrib, refer to the ones in
pkgs.emacsPackages.elpaPackages and
pkgs.emacsPackages.nongnuPackages where the
new versions will release.
The configuration and state directories used by
nixos-containers have been moved from
/etc/containers and
/var/lib/containers to
/etc/nixos-containers and
/var/lib/nixos-containers.
If you are changing system.stateVersion to
"22.05" manually on an existing
system you are responsible for migrating these directories
yourself.
This is to improve compatibility with
libcontainer based software such as Podman
and Skopeo which assumes they have ownership over
/etc/containers.
lib.systems.supported has been removed, as
it was overengineered for determining the systems to support
in the nixpkgs flake. The list of systems exposed by the
nixpkgs flake can now be accessed as
lib.systems.flakeExposed.
For new installations
virtualisation.oci-containers.backend is
now set to podman by default. If you still
want to use Docker on systems where
system.stateVersion is set to to
"22.05" set
virtualisation.oci-containers.backend = "docker";.Old
systems with older stateVersions stay with
docker.
security.klogd was removed. Logging of
kernel messages is handled by systemd since Linux 3.5.
pkgs.ssmtp has been dropped due to the
program being unmaintained. pkgs.msmtp can
be used instead as a substitute sendmail
implementation. The corresponding options
services.ssmtp.* have been removed as well.
programs.msmtp.* can be used instead for an
equivalent setup. For example:
{
# Original ssmtp configuration:
services.ssmtp = {
enable = true;
useTLS = true;
useSTARTTLS = true;
hostName = "smtp.example:587";
authUser = "someone";
authPassFile = "/secrets/password.txt";
};
# Equivalent msmtp configuration:
programs.msmtp = {
enable = true;
accounts.default = {
tls = true;
tls_starttls = true;
auth = true;
host = "smtp.example";
port = 587;
user = "someone";
passwordeval = "cat /secrets/password.txt";
};
};
}
services.kubernetes.addons.dashboard was
removed due to it being an outdated version.
services.kubernetes.scheduler.{port,address}
now set --secure-port and
--bind-address instead of
--port and --address,
since the former have been deprecated and are no longer
functional in kubernetes>=1.23. Ensure that you are not
relying on the insecure behaviour before upgrading.
In the PowerDNS Recursor module
(services.pdns-recursor), default values of
several IP address-related NixOS options have been updated to
match the default upstream behavior. In particular, Recursor
by default will:
listen on (and allows connections from) both IPv4 and IPv6
addresses
(services.pdns-recursor.dns.address,
services.pdns-recursor.dns.allowFrom);
allow only local connections to the REST API server
(services.pdns-recursor.api.allowFrom).
In the ncdns module, the default value of
services.ncdns.address has been changed to
the IPv6 loopback address (::1).
openldap (and therefore the slapd LDAP
server) were updated to version 2.6.2. The project introduced
backwards-incompatible changes, namely the removal of the bdb,
hdb, ndb, and shell backends in slapd. Therefore before
updating, dump your database slapcat -n 1
in LDIF format, and reimport it after updating your
services.openldap.settings, which
represents your cn=config.
Additionally with 2.5 the argon2 module was included in the
standard distrubtion and renamed from
pw-argon2 to argon2.
Remember to update your olcModuleLoad entry
in cn=config.
openssh has been update to 8.9p1, changing
the FIDO security key middleware interface.
git no longer hardcodes the path to
openssh’ ssh binary to reduce the amount of rebuilds. If you
are using git with ssh remotes and do not have a ssh binary in
your enviroment consider adding openssh to
it or switching to gitFull.
services.k3s.enable no longer implies
systemd.enableUnifiedCgroupHierarchy = false,
and will default to the systemd cgroup driver
when using services.k3s.docker = true. This
change may require a reboot to take effect, and k3s may not be
able to run if the boot cgroup hierarchy does not match its
configuration. The previous behavior may be retained by
explicitly setting
systemd.enableUnifiedCgroupHierarchy = false
in your configuration.
fonts.fonts no longer includes ancient
bitmap fonts when both
config.services.xserver.enable and
config.nixpkgs.config.allowUnfree are
enabled. If you still want these fonts, use:
{
fonts.fonts = [
pkgs.xorg.fontbhlucidatypewriter100dpi
pkgs.xorg.fontbhlucidatypewriter75dpi
pkgs.xorg.fontbh100dpi
];
}
services.prometheus.alertManagerTimeout has
been removed as it has been deprecated upstream and has no
effect.
The DHCP server (services.dhcpd4,
services.dhcpd6) has been hardened. The
service is now using the systemd’s
DynamicUser mechanism to run as an
unprivileged dynamically-allocated user with limited
capabilities. The dhcpd state files are now always stored in
/var/lib/dhcpd{4,6} and the
services.dhcpd4.stateDir and
service.dhcpd6.stateDir options have been
removed. If you were depending on root privileges or
set{uid,gid,cap} binaries in dhcpd shell hooks, you may give
dhcpd more capabilities with e.g.
systemd.services.dhcpd6.serviceConfig.AmbientCapabilities.
The mailpile email webclient
(services.mailpile) has been removed due to
its reliance on python2.
services.ipfs.extraFlags is now escaped
with utils.escapeSystemdExecArgs. If you
rely on systemd interpolating extraFlags in
the service ExecStart, this will no longer
work.
hbase version 0.98.24 has been removed. The
package now defaults to version 2.4.11. Versions 1.7.1 and
3.0.0-alpha-2 are also available.
services.paperless-ng was renamed to
services.paperless. Accordingly, the
paperless-ng-manage script (located in
dataDir) was renamed to
paperless-manage.
services.paperless now uses
paperless-ngx.
The matrix-synapse service
(services.matrix-synapse) has been
converted to use the settings option
defined in RFC42. This means that options that are part of
your homeserver.yaml configuration, and
that were specified at the top-level of the module
(services.matrix-synapse) now need to be
moved into
services.matrix-synapse.settings. And while
not all options you may use are defined in there, they are
still supported, because you can set arbitrary values in this
freeform type.
The listeners.*.bind_address option was
renamed to bind_addresses in order to match
the upstream homeserver.yaml option name.
It is now also a list of strings instead of a string.
An example to make the required migration clearer:
Before:
{
services.matrix-synapse = {
enable = true;
server_name = "example.com";
public_baseurl = "https://example.com:8448";
enable_registration = false;
registration_shared_secret = "xohshaeyui8jic7uutuDogahkee3aehuaf6ei3Xouz4iicie5thie6nohNahceut";
macaroon_secret_key = "xoo8eder9seivukaiPh1cheikohquuw8Yooreid0The4aifahth3Ou0aiShaiz4l";
tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
listeners = [ {
port = 8448;
bind_address = "";
type = "http";
tls = true;
resources = [ {
names = [ "client" ];
compress = true;
} {
names = [ "federation" ];
compress = false;
} ];
} ];
};
}
After:
{
services.matrix-synapse = {
enable = true;
# this attribute set holds all values that go into your homeserver.yaml configuration
# See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for
# possible values.
settings = {
server_name = "example.com";
public_baseurl = "https://example.com:8448";
enable_registration = false;
# pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead
tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
listeners = [ {
port = 8448;
bind_addresses = [
"::"
"0.0.0.0"
];
type = "http";
tls = true;
resources = [ {
names = [ "client" ];
compress = true;
} {
names = [ "federation" ];
compress = false;
} ];
} ];
};
extraConfigFiles = [
"/run/keys/matrix-synapse/secrets.yaml"
];
};
}
The secrets in your original config should be migrated into a
YAML file that is included via
extraConfigFiles. The filename must be
quoted to prevent nix from copying it to the (world readable)
store.
Additionally a few option defaults have been synced up with
upstream default values, for example the
max_upload_size grew from
10M to 50M. For the same
reason, the default media_store_path was
changed from ${dataDir}/media to
${dataDir}/media_store if
system.stateVersion is at least
22.05. Files will need to be manually moved
to the new location if the stateVersion is
updated.
As of Synapse 1.58.0, the old groups/communities feature has
been disabled by default. It will be completely removed with
Synapse 1.61.0.
The Keycloak package (pkgs.keycloak) has
been switched from the Wildfly version, which will soon be
deprecated, to the Quarkus based version. The Keycloak service
(services.keycloak) has been updated to
accommodate the change and now differs from the previous
version in a few ways:
services.keycloak.extraConfig has been
removed in favor of the new
settings-style
services.keycloak.settings
option. The available options correspond directly to
parameters in conf/keycloak.conf. Some
of the most important parameters are documented as
suboptions, the rest can be found in the
All
configuration section of the Keycloak Server Installation
and Configuration Guide. While the new
configuration is much simpler and cleaner than the old
JBoss CLI one, this unfortunately mean that there’s no
straightforward way to convert an old configuration to the
new format and some settings may not even be available
anymore.
services.keycloak.frontendUrl was
removed and the frontend URL is now configured through the
hostname family of settings in
services.keycloak.settings
instead. See the
Hostname
section of the Keycloak Server Installation and
Configuration Guide for more details. Additionally,
/auth was removed from the default
context path and needs to be added back in
services.keycloak.settings.http-relative-path
if you want to keep compatibility with your current
clients.
services.keycloak.bindAddress,
services.keycloak.forceBackendUrlToFrontendUrl,
services.keycloak.httpPort and
services.keycloak.httpsPort have been
removed in favor of their equivalent options in
services.keycloak.settings.
httpPort and
httpsPort have additionally had their
types changed from str to
port.
The new names are as follows:
bindAddress:
services.keycloak.settings.http-hostforceBackendUrlToFrontendUrl:
services.keycloak.settings.hostname-strict-backchannelhttpPort:
services.keycloak.settings.http-porthttpsPort:
services.keycloak.settings.https-port
For example, when using a reverse proxy the migration could
look like this:
Before:
services.keycloak = {
enable = true;
httpPort = "8080";
frontendUrl = "https://keycloak.example.com/auth";
database.passwordFile = "/run/keys/db_password";
extraConfig = {
"subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true;
};
};
After:
services.keycloak = {
enable = true;
settings = {
http-port = 8080;
hostname = "keycloak.example.com";
http-relative-path = "/auth";
proxy = "edge";
};
database.passwordFile = "/run/keys/db_password";
};
The MoinMoin wiki engine
(services.moinmoin) has been removed,
because Python 2 is being retired from nixpkgs.
Services in the hadoop module previously
set openFirewall to true by default. This
has now been changed to false. Node definitions for multi-node
clusters would need openFirewall = true; to
be added to to hadoop services when upgrading from NixOS
21.11.
services.hadoop.yarn.nodemanager now uses
cgroup-based CPU limit enforcement by default. Additionally,
the option useCGroups was added to
nodemanagers as an easy way to switch back to the old
behavior.
The wafHook hook now honors
NIX_BUILD_CORES when
enableParallelBuilding is not set
explicitly. Packages can restore the old behaviour by setting
enableParallelBuilding=false.
pkgs.claws-mail-gtk2, representing Claws
Mail’s older release version three, was removed in order to
get rid of Python 2. Please switch to
claws-mail, which is Claws Mail’s latest
release based on GTK+3 and Python 3.
The writers.writePython2 and corresponding
writers.writePython2Bin convenience
functions to create executable Python 2 scripts in the store
were removed in preparation of removal of the Python 2
interpreter. Scripts have to be converted to Python 3 for use
with writers.writePython3 or
writers.writePyPy2 needs to be used.
buildGoModule was updated to use
go_1_17, third party derivations that
specify >= go 1.17 in the main go.mod
will need to regenerate their vendorSha256
hash.
The gnome-passwordsafe package updated to
version
6.x and renamed to gnome-secrets.
services.gnome.experimental-features.realtime-scheduling
option has been removed, as GNOME Shell now
uses
rtkit. Use
security.rtkit.enable = true; instead. As
before, you will need to have it enabled using GSettings.
services.telepathy will no longer be
enabled by default for GNOME desktops, one should enable it in
their configs if using Empathy or Polari.
If you previously used
/etc/docker/daemon.json, you need to
incorporate the changes into the new option
virtualisation.docker.daemon.settings.
Ntopng (services.ntopng) is updated to
5.2.1 and uses a separate Redis instance if
system.stateVersion is at least
22.05. Existing setups shouldn’t be
affected.
The backward compatibility in
services.wordpress to configure sites with
the old interface has been removed. Please use
services.wordpress.sites instead.
The backward compatibility in
services.dokuwiki to configure sites with
the old interface has been removed. Please use
services.dokuwiki.sites instead.
opensmtpd-extras is no longer build with python2 scripting
support due to python2 deprecation in nixpkgs
services.miniflux.adminCredentialFiles is
now required, instead of defaulting to
admin and password.
The taskserver module no longer implicitly
opens ports in the firewall configuration. This is now
controlled through the option
services.taskserver.openFirewall.
The autorestic package has been upgraded
from 1.3.0 to 1.5.0 which introduces breaking changes in
config file, check
their
migration guide for more details.
teleport has been upgraded to major version
9. Please see upstream
upgrade
instructions and
release
notes.
For pkgs.python3.pkgs.ipython, its direct
dependency
pkgs.python3.pkgs.matplotlib-inline (which
is really an adapter to integrate matplotlib in ipython if it
is installed) does not depend on
pkgs.python3.pkgs.matplotlib anymore. This
is closer to a non-Nix install of ipython. This has the added
benefit to reduce the closure size of
ipython from ~400MB to ~160MB (including
~100MB for python itself).
documentation.man has been refactored to
support choosing a man implementation other than GNU’s
man-db. For this,
documentation.man.manualPages has been
renamed to
documentation.man.man-db.manualPages. If
you want to use the new alternative man implementation
mandoc, add
documentation.man = { enable = true; man-db.enable = false; mandoc.enable = true; }
to your configuration.
Normal users (with isNormalUser = true)
which have non-empty subUidRanges or
subGidRanges set no longer have additional
implicit ranges allocated. To enable automatic allocation back
set autoSubUidGidRange = true.
idris2 now requires
--package when using packages
contrib and network,
while previously these idris2 packages were automatically
loaded.
The iputils package, which is installed by default, no longer
provides the legacy tools tftpd and
traceroute6. More tools
(ninfod, rarpd, and
rdisc) are going to be removed in the next
release. See
upstream’s
release notes for more details and available
replacements.
services.thelounge.private was removed in
favor of services.thelounge.public, to
follow with upstream changes.
pkgs.docbookrx was removed since it’s
unmaintained
pkgs._7zz is now correctly licensed as
LGPL3+ and BSD3 with optional unfree unRAR licensed code
The vim.customize function produced by
vimUtils.makeCustomizable now has a
slightly different interface:
The wrapper now includes everything in the given Vim
derivation if name is
"vim" (the default). This
makes the wrapManual argument obsolete,
but this behavior can be overriden by setting the
standalone argument.
All the executables present in the given derivation (or,
in standalone mode, only the
*vim ones) are wrapped. This makes the
wrapGui argument obsolete.
The vimExecutableName and
gvimExecutableName arguments were
replaced by a single executableName
argument in which the shell variable
$exe can be used to refer to the
wrapped executable’s name.
See the comments in
pkgs/applications/editors/vim/plugins/vim-utils.nix
for more details.
vimUtils.vimWithRC was removed. You should
instead use customize on a Vim derivation,
which now accepts vimrcFile and
gvimrcFile arguments.
tilp2 was removed together with its module
The F-PROT antivirus (fprot package) and
its service module were removed because it reached
end-of-life.
bird1 and its modules
services.bird as well as
services.bird6 have been removed. Upgrade
to services.bird2.
The options
networking.interfaces.<name>.ipv4.routes
and
networking.interfaces.<name>.ipv6.routes
are no longer ignored when using networkd instead of the
default scripted network backend by setting
networking.useNetworkd to
true.
The miller package has been upgraded from
5.10.3 to
6.2.0.
See
What’s
new in Miller 6.
MultiMC has been replaced with the fork PrismLauncher due to
upstream developers being hostile to 3rd party package
maintainers. PrismLauncher removes all MultiMC branding and is
aimed at providing proper 3rd party packages like the one
contained in Nixpkgs. This change affects the data folder
where game instances and other save and configuration files
are stored. Users with existing installations should rename
~/.local/share/multimc to
~/.local/share/PrismLauncher. The main
config file’s path has also moved from
~/.local/share/multimc/multimc.cfg to
~/.local/share/PrismLauncher/prismlauncher.cfg.
systemd-nspawn@.service settings have been
reverted to the default systemd behaviour. User namespaces are
now activated by default. If you want to keep running nspawn
containers without user namespaces you need to set
systemd.nspawn.<name>.execConfig.PrivateUsers = falsesystemd-shutdown is now properly linked on
shutdown to unmount all filesystems and device mapper devices
cleanly. This can be disabled using
systemd.shutdownRamfs.enable.
The Tor SOCKS proxy is now actually disabled if
services.tor.client.enable is set to
false (the default). If you are using this
functionality but didn’t change the setting or set it to
false, you now need to set it to
true.
services.github-runner has been hardened.
Notably address families and system calls have been
restricted, which may adversely affect some kinds of testing,
e.g. using AF_BLUETOOTH to test bluetooth
devices.
The terraform 0.12 compatibility has been removed and the
terraform.withPlugins and
terraform-providers.mkProvider
implementations simplified. Providers now need to be stored
under
$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>
(which mkProvider does).
This breaks back-compat so it’s not possible to mix-and-match
with previous versions of nixpkgs. In exchange, it now becomes
possible to use the providers from
nixpkgs-terraform-providers-bin
directly.
The dendrite package has been upgraded from
0.5.1 to
0.6.5.
Instances configured with split sqlite databases, which has
been the default in NixOS, require merging of the federation
sender and signing key databases. See upstream
release
notes on version 0.6.0 for details on database changes.
The existing pkgs.opentelemetry-collector
has been moved to
pkgs.opentelemetry-collector-contrib to
match the actual source being the contrib
edition. pkgs.opentelemetry-collector is
now the actual core release of opentelemetry-collector. If you
use the community contributions you should change the package
you refer to. If you don’t need them update your commands from
otelcontribcol to
otelcorecol and enjoy a 7x smaller binary.
services.zookeeper has a new option
jre for specifying the JRE to start
zookeeper with. It defaults to the JRE that
pkgs.zookeeper was wrapped with, instead of
pkgs.jre. This changes the JRE to
pkgs.jdk11_headless by default.
pkgs.pgadmin now refers to
pkgs.pgadmin4. pgadmin3
has been removed.
pkgs.minetestclient_4 and
pkgs.minetestserver_4 have been removed, as
the last 4.x release was in 2018.
pkgs.minetestclient (equivalent to
pkgs.minetest ) and
pkgs.minetestserver can be used instead.
pkgs.noto-fonts-cjk is now deprecated in
favor of pkgs.noto-fonts-cjk-sans and
pkgs.noto-fonts-cjk-serif because they each
have different release schedules. To maintain compatibility
with prior releases of Nixpkgs,
pkgs.noto-fonts-cjk is currently an alias
of pkgs.noto-fonts-cjk-sans and doesn’t
include serif fonts.
pkgs.epgstation has been upgraded from v1
to v2, resulting in incompatible changes in the database
scheme and configuration format.
Some top-level settings under
services.epgstation
is now deprecated because it was redudant due to the same
options being present in
services.epgstation.settings.
The option services.epgstation.basicAuth
was removed because basic authentication support was dropped
by upstream.
The option
services.epgstation.database.passwordFile
no longer has a default value. Make sure to set this option
explicitly before upgrading. Change the database password if
necessary.
The
services.epgstation.settings
option now expects options for config.yml
in EPGStation v2.
Existing data for the
services.epgstation
module would have to be backed up prior to the upgrade. To
back up exising data to
/tmp/epgstation.bak, run
sudo -u epgstation epgstation run backup /tmp/epgstation.bak.
To import that data after to the upgrade, run
sudo -u epgstation epgstation run v1migrate /tmp/epgstation.bakswitch-to-configuration (the script that is
run when running nixos-rebuild switch for
example) has been reworked
The interface that allows activation scripts to restart
units has been streamlined. Restarting and reloading is
now done by a single file
/run/nixos/activation-restart-list that
honors restartIfChanged and
reloadIfChanged of the units.
Preferring to reload instead of restarting can still
be achieved using
/run/nixos/activation-reload-list.
The script now uses a proper ini-file parser to parse
systemd units. Some values are now only searched in one
section instead of in the entire unit. This is only
relevant for units that don’t use the NixOS systemd moule.
RefuseManualStop,
X-OnlyManualStart,
X-StopOnRemoval,
X-StopOnReconfiguration are only
searched in the [Unit] section
X-ReloadIfChanged,
X-RestartIfChanged,
X-StopIfChanged are only searched
in the [Service] section
The services.bookstack.cacheDir option has
been removed, since the cache directory is now handled by
systemd.
The services.bookstack.extraConfig option
has been replaced by
services.bookstack.config which implements
a
settings-style
configuration.
lib.assertMsg and
lib.assertOneOf no longer return
false if the passed condition is
false, throwing the
given error message instead (which makes the resulting error
message less cluttered). This will not impact the behaviour of
code using these functions as intended, namely as top-level
wrapper for assert conditions.
The vpnc package has been changed to use
GnuTLS instead of OpenSSL by default for licensing reasons.
The default version of nextcloud is
nextcloud24. Please note
that it’s not possible to
upgrade nextcloud across multiple major
versions! This means it’s e.g. not possible to upgrade from
nextcloud22 to
nextcloud24 in a single deploy and most
21.11 users will have to upgrade to
nextcloud23 first.
pkgs.vimPlugins.onedark-nvim now refers to
navarasu/onedark.nvim
(formerly refers to
olimorris/onedarkpro.nvim).
services.pipewire.enable will default to
enabling the WirePlumber session manager instead of
pipewire-media-session. pipewire-media-session is deprecated
by upstream and not recommended, but can still be manually
enabled by setting
services.pipewire.media-session.enable to
true and
services.pipewire.wireplumber.enable to
false.
pkgs.makeDesktopItem has been refactored to
provide a more idiomatic API. Specifically:
All valid options as of FDO Desktop Entry specification
version 1.4 can now be passed in as explicit arguments
exec can now be null, for entries that
are not of type Application
mimeType argument is renamed to
mimeTypes for consistency
mimeTypes,
categories,
implements,
keywords, onlyShowIn
and notShowIn take lists of strings
instead of one string with semicolon separators
extraDesktopEntries renamed to
extraConfig for consistency
Actions should now be provided as an attrset
actions, the Actions
line will be autogenerated.
extraEntries is removed.
Additional validation is added both at eval time and at
build time.
See the vscode package for a more detailed
example.
Existing resholve* functions have been
renamed and nested under pkgs.resholve.
Update uses to:
resholvePackage ->
resholve.mkDerivationresholveScript ->
resholve.writeScriptresholveScriptBin ->
resholve.writeScriptBinpkgs.cosmopolitan no longer provides the
cosmoc command. It has been moved to
pkgs.cosmoc.
pkgs.graalvmXX-ce packages no longer
provide support for Python/Ruby/WASM, instead focusing only in
Java and Native Image Support. If you need to add support
back, please see the
pkgs.graalvmCEPackages.mkGraal function to
create your own customized version of GraalVM with support for
what you need.
Other Notable Changes
The option
services.redis.servers
was added to support per-application
redis-server which is more secure since
Redis databases are only mere key prefixes without any
configuration or ACL of their own. Backward-compatibility is
preserved by mapping old
services.redis.settings to
services.redis.servers."".settings,
but you are strongly encouraged to name each
redis-server instance after the application
using it, instead of keeping that nameless one. Except for the
nameless
services.redis.servers."" still
accessible at 127.0.0.1:6379, and to the
members of the Unix group redis through the
Unix socket /run/redis/redis.sock, all
other services.redis.servers.${serverName}
are only accessible by default to the members of the Unix
group redis-${serverName} through the Unix
socket /run/redis-${serverName}/redis.sock.
The option
virtualisation.vmVariant
was added to allow users to make changes to the
nixos-rebuild build-vm configuration that
do not apply to their normal system.
The config.system.build.vm attribute now
always exists and defaults to the value from
vmVariant. Configurations that import the
virtualisation/qemu-vm.nix module
themselves will override this value, such that
vmVariant is not used.
Similarly
virtualisation.vmVariantWithBootloader
was added.
The configuration portion of the nix-daemon
module has been reworked and exposed as
nix.settings:
Legacy options have been mapped to the corresponding
options under under
nix.settings
and will be deprecated when NixOS 21.11 reaches end of
life.
nix.buildMachines.publicHostKey
has been added.
kops
defaults to 1.23.2, which will enable
Instance
Metadata Service Version 2 and require tokens on new
clusters with Kubernetes >= 1.22. This will increase
security by default, but may break some types of workloads.
The default behaviour for
spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS
has changed from true to
false. Cilium now has
disable-cnp-status-updates: true by
default. Set this to false if you rely on the
CiliumNetworkPolicy status fields. Support for Kubernetes
1.17, the Lyft CNI, Weave CNI on Kubernetes >= 1.23, CentOS
7 and 8, Debian 9, RHEL 7, and Ubuntu 16.05 (Xenial) has been
removed. See the
1.22
release notes and
1.23
release notes for more details, including other
significant changes.
Mattermost has been upgraded to extended support version 6.3
as the previously packaged extended support version 5.37 is
reaching
end of life. Migration may take some time, see the
changelog
and
important
upgrade notes.
The
writers.writePyPy2/writers.writePyPy3
and corresponding
writers.writePyPy2Bin/writers.writePyPy3Bin
convenience functions to create executable Python 2/3 scripts
using the PyPy interpreter were added.
Some improvements have been made to the
hadoop module:
A gatewayRole option has been added,
for deploying hadoop cluster configuration files to a node
that does not have any active services
Support for older versions of hadoop have been added to
the module
Overriding and extending site XML files has been made
easier
The auto-upgrade service now accepts persistent (default:
true) parameter. By default auto-upgrade will now run
immediately if it would have been triggered at least once
during the time when the timer was inactive.
Mastodon now uses services.redis.servers to
start a new redis server, instead of using a global redis
server. This improves compatibility with other services that
use redis.
Note that this will recreate the redis database, although
according to the
Mastodon
docs, this is almost harmless:
Losing the Redis database is almost harmless: The only
irrecoverable data will be the contents of the Sidekiq
queues and scheduled retries of previously failed jobs. The
home and list feeds are stored in Redis, but can be
regenerated with tootctl.
If you do want to save the redis database, you can use the
following commands:
redis-cli save
cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb"
Peertube now uses services.redis.servers to start a new redis
server, instead of using a global redis server. This improves
compatibility with other services that use redis.
Redis database is used for storage only cache and job queue.
More information can be found here -
Peertube
architecture.
If you do want to save the redis database, you can use the
following commands before upgrade OS:
redis-cli save
sudo mkdir /var/lib/redis-peertube
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
Added the keter NixOS module. Keter reverse
proxies requests to your loaded application based on virtual
hostnames.
If you are using Wayland you can choose to use the Ozone
Wayland support in Chrome and several Electron apps by setting
the environment variable NIXOS_OZONE_WL=1
(for example via
environment.sessionVariables.NIXOS_OZONE_WL = "1").
This is not enabled by default because Ozone Wayland is still
under heavy development and behavior is not always flawless.
Furthermore, not all Electron apps use the latest Electron
versions.
A new option group
systemd.network.wait-online was added, with
options to configure
systemd-networkd-wait-online.service:
anyInterface allows specifying that the
network should be considered online when at
least one interface is online (useful on
laptops)
timeout defines how long to wait for
the network to come online
extraArgs for everything else
The influxdb2 package was split into
influxdb2-server and
influxdb2-cli, matching the split that took
place upstream. A combined influxdb2
package is still provided in this release for backwards
compatibilty, but will be removed at a later date.
The unifi package was switched from
unifi6 to unifi7. Direct
downgrades from Unifi 7 to Unifi 6 are not possible and
require restoring from a backup made by Unifi 6.
programs.zsh.autosuggestions.strategy now
takes a list of strings instead of a string.
The asterisk and
asterisk-stable packages were switched from
asterisk_18 to the newly-packaged
asterisk_19. Asterisk 13 and 17 have been
removed as they have reached their end of life.
The services.unifi.openPorts option default
value of true is now deprecated and will be
changed to false in 22.11. Configurations
using this default will print a warning when rebuilt.
The services.unifi-video.openPorts option
default value of true is now deprecated and
will be changed to false in 22.11.
Configurations using this default will print a warning when
rebuilt.
security.acme certificates will now
correctly check for CA revokation before reaching their
minimum age.
Removing domains from
security.acme.certs._name_.extraDomainNames
will now correctly remove those domains during rebuild/renew.
MariaDB is now offered in several versions, not just the
newest one. So if you have a need for running MariaDB 10.4 for
example, you can now just set
services.mysql.package = pkgs.mariadb_104;.
In general, it is recommended to run the newest version, to
get the newest features, while sticking with an LTS version
will most likely provide a more stable experience. Sometimes
software is also incompatible with the newest version of
MariaDB.
The option
programs.ssh.enableAskPassword
was added, decoupling the setting of
SSH_ASKPASS from
services.xserver.enable. This allows easy
usage in non-X11 environments, e.g. Wayland.
programs.ssh.knownHosts
has gained an extraHostNames option to
augment hostNames. It is now possible to
use the attribute name of a knownHosts
entry as the primary host name and specify secondary host
names using extraHostNames without having
to duplicate the primary host name.
The services.stubby module was converted to
a
settings-style
configuration.
The option
services.xserver.desktopManager.runXdgAutostartIfNone
was added in order to automatically run XDG autostart files
for sessions without a desktop manager. This replaces helpers
like the dex package.
When setting
i18n.inputMethod.enabled
to fcitx5, it no longer creates
corresponding systemd user services. It now relies on XDG
autostart files to start and work properly in your desktop
sessions. If you are using only a window manager without a
desktop manager, you need to enable
services.xserver.desktopManager.runXdgAutostartIfNone
or using the dex package to make
fcitx5 work.
The option services.duplicati.dataDir has
been added to allow changing the location of duplicati’s
files.
The options boot.extraModprobeConfig and
boot.blacklistedKernelModules now also take
effect in the initrd by copying the file
/etc/modprobe.d/nixos.conf into the initrd.
nixos-generate-config now puts the dhcp
configuration in hardware-configuration.nix
instead of configuration.nix.
ORY Kratos was updated to version 0.9.0-alpha.3, which
introduces some breaking changes:
All endpoints at the Admin API are now exposed at
/admin/. For example, endpoint
https://kratos:4434/identities is now
exposed at
https://kratos:4434/admin/identities
Configuration key
selfservice.whitelisted_return_urls has
been renamed to allowed_return_urls
The password_identifier form field of
the password login strategy has been renamed to
identifier to make compatibility with
passwordless flows possible.
Instead of having a global
default_schema_url which developers
used to update their schema, you now need to define the
default_schema_id which must reference
schema ID in your config.
Calling /self-service/recovery without
flow ID or with an invalid flow ID while authenticated
will now respond with an error instead of redirecting to
the default page.
If you are relying on the SQLite images, update your
Docker Pull commands as follows:
docker pull oryd/kratos:{version}
Additionally, all passwords now have to be at least 8
characters long.
For more details, see:
Release
Notes for v0.8.1-alpha-1
Release
Notes for v0.8.2-alpha-1
Release
Notes for v0.9.0-alpha-1
Release
Notes for v0.9.0-alpha-3
fetchFromSourcehut now allows fetching
repositories recursively using fetchgit or
fetchhg if the argument
fetchSubmodules is set to
true.
A module for declarative configuration of openconnect VPN
profiles was added under
networking.openconnect.
The element-desktop package now has an
useKeytar option (defaults to
true), which allows disabling
keytar and in turn
libsecret usage (which binds to native
credential managers / keychain libraries).
The option services.thelounge.plugins has
been added to allow installing plugins for The Lounge. Plugins
can be found in
pkgs.theLoungePlugins.plugins and
pkgs.theLoungePlugins.themes.
The option
services.xserver.videoDriver = [ "nvidia" ];
will now also install
nvidia
VA-API drivers by default.
The firmwareLinuxNonfree package has been
renamed to linux-firmware.
It is now possible to specify wordlists to include as handy to
access environment variables using the
config.environment.wordlist configuration
options.
The services.mbpfan module was converted to
a
RFC
0042 configuration.
The default value for
programs.spacefm.settings.graphical_su got
unset. It previously pointed to gksu which
has been removed.
The Dino XMPP client
was updated to 0.3, adding support for audio and video calls.
services.mattermost.plugins has been added
to allow the declarative installation of Mattermost plugins.
Plugins are automatically repackaged using autoPatchelf.
services.logrotate.enable
now defaults to true if any rotate path has been defined, and
some paths have been added by default.
The logrotate module also has been updated to freeform syntax:
services.logrotate.paths
and
services.logrotate.extraConfig
will work, but issue deprecation warnings and
services.logrotate.settings
should now be used instead.
security.pam.ussh has been added, which
allows authorizing PAM sessions based on SSH
certificates held within an SSH agent,
using
pam-ussh.
The vscode-extensions.ionide.ionide-fsharp
package has been updated to 6.0.0 and now requires .NET 6.0.
The phpPackages.box package has been
updated from 2.7.5 to 3.16.0. See the
upgrade
guide for more details.
The zrepl package has been updated from
0.4.0 to 0.5:
The RPC protocol version was bumped; all zrepl daemons in
a setup must be updated and restarted before replication
can resume.
A bug involving encrypt-on-receive has been fixed. Read
the
zrepl
documentation and check the output of
zfs get -r encryption,zrepl:placeholder PATH_TO_ROOTFS
on the receiver.
The polybar package has been updated from
3.5.7 to 3.6.2. See
the
changelog for more details.
Breaking changes include changes to escaping rules in
configuration values, changes in behavior when
encountering invalid tag names, and changes to
inter-process-messaging (IPC).
Renamed option
services.openssh.challengeResponseAuthentication
to
services.openssh.kbdInteractiveAuthentication.
Reason is that the old name has been deprecated upstream.
Using the old option name will still work, but produce a
warning.
services.autorandr now allows for adding
hooks and profiles declaratively.
The pomerium-cli command has been moved out
of the pomerium package into the
pomerium-cli package, following upstream’s
repository split. If you are using the
pomerium-cli command, you should now
install the pomerium-cli package.
The option
services.networking.networkmanager.enableFccUnlock
was added to support FCC unlock procedures. Since release
1.18.4, the ModemManager daemon no longer automatically
performs the FCC unlock procedure by default. See
the
docs for more details.
programs.tmux has a new option
plugins that accepts a list of packages
from the tmuxPlugins group. The specified
packages are added to the system and loaded by
tmux.
The polkit service, available at
security.polkit.enable, is now disabled by
default. It will automatically be enabled through services and
desktop environments as needed.
mercury was updated to 22.01.1, which has
some breaking changes
(Mercury
22.01 news).
xfsprogs was update to version 5.15, which enables inobtcount
and bigtime by default on filesystem creation. Support for
these features was added in kernel 5.10 and deemed stable in
kernel 5.15. If you want to be able to mount XFS filesystems
created with this release of xfsprogs on kernel releases older
than 5.10, you need to format them with
mkfs.xfs -m bigtime=0 -m inobtcount=0.
services.xserver.desktopManager.xfce now
includes Xfce’s screen locker,
xfce4-screensaver that is enabled by
default. You can disable it by setting
false to
services.xserver.desktopManager.xfce.enableScreensaver.
The hadoop package has added support for
aarch64-linux and
aarch64-darwin as of 3.3.1
(#158613).
The R package now builds again on
aarch64-darwin
(#158992).
The nss package was split into
nss_esr and nss_latest,
with nss being an alias for
nss_esr. This was done to ease maintenance
of nss and dependent high-profile packages
like firefox.
The default scribus version is now 1.5,
while version 1.4 is still available as
scribus_1_4
(#172700).
The Nextcloud module now supports to create a Mysql database
automatically with
services.nextcloud.database.createLocally
enabled.
The Nextcloud module now allows setting the value of the
max-age directive of the
Strict-Transport-Security HTTP header,
which is now controlled by the
services.nextcloud.https option, rather
than services.nginx.recommendedHttpHeaders.
The spark3 package has been updated from
3.1.2 to 3.2.1
(#160075):
Testing has been enabled for
aarch64-linux in addition to
x86_64-linux.
The spark3 package is now usable on
aarch64-darwin as a result of
#158613
and
#158992.
The option services.snapserver.openFirewall
will no longer default to true starting
with NixOS 22.11. Enable it explicitly if you need to control
Snapserver remotely or connect streamig clients from other
hosts.
The option
networking.useDHCP
isn’t deprecated anymore. When using
systemd-networkd,
a generic .network-unit is added which
enables DHCP for each interface matching
en*, eth* or
wl* with priority 99 (which means that it
doesn’t have any effect if such an interface is matched by a
.network-unit with a lower priority). In
case of scripted networking, no behavior was changed.
The new
postgresqlTestHook
runs a PostgreSQL server for the duration of package checks.
zfs was updated from 2.1.4 to 2.1.5,
enabling it to be used with Linux kernel 5.18.
stdenv.mkDerivation now supports a
self-referencing finalAttrs: parameter
containing the final mkDerivation arguments
including overrides. drv.overrideAttrs now
supports two parameters
finalAttrs: previousAttrs:. This allows
packaging configuration to be overridden in a consistent
manner by providing an alternative to
rec {} syntax.
Additionally, passthru can now reference
finalAttrs.finalPackage containing the
final package, including attributes such as the output paths
and overrideAttrs.
New language integrations can be simplified by overriding a
prototype package containing the
language-specific logic. This removes the need for a extra
layer of overriding for the generic builder
arguments, thus removing a usability problem and source of
error.