https://forgejo.org/docs/latest/user/authentication/#pam-pluggable-authentication-module

PAM support has to be enabled at compile time and upstream considers it opt-in. Official upstream binaries have it disabled.

We enabled it by default because we simply inherited most of it from Gitea when the split in nixpkgs happened. Reasons why it had been enabled in nixpkgs for Gitea are unknown. See 9406f240a7.

There is reason to believe not a single Forgejo instance running on NixOS uses this feature because it literally segfaults due to our sandboxing.
# Release 24.11 (“Vicuña”, 2024.11/??)

## Highlights

- Convenience options for `amdgpu`, the open source driver for Radeon cards, are now available under `hardware.amdgpu`.
- AMDVLK, AMD's open source Vulkan driver, is now available to be configured through the `hardware.amdgpu.amdvlk` option. This also allows configuring runtime settings of AMDVLK and enabling experimental features.
- The `moonlight-qt` package (Moonlight game streaming) now has HDR support on Linux systems.
- PostgreSQL now defaults to major version 16.
- `authelia` has been upgraded to version 4.38. This version brings several features and improvements which are detailed in the release blog post. This release also deprecates some configuration keys, which are likely to be removed in the future version 5.0, but they are still supported and expected to be working in the current version.
- `compressDrv` can compress selected files in a derivation. `compressDrvWeb` compresses files for common web server usage (`.gz` with `zopfli`, `.br` with `brotli`).
- `hardware.display` is a new module implementing workarounds for misbehaving monitors through setting up custom EDID files and forcing kernel/framebuffer modes.
- A new display manager, `services.displayManager.ly`, was added. It is a TUI-based replacement for sddm and lightdm for window manager users. Enable it with `services.displayManager.ly.enable` and configure it through `services.displayManager.ly.settings`, which generates `/etc/ly/config.ini`.
## New Services

- TaskChampion Sync-Server, a Taskwarrior 3 sync server, replacing Taskwarrior 2's sync server named `taskserver`.
- FlareSolverr, a proxy server to bypass Cloudflare protection. Available as the `services.flaresolverr` service.
- Goatcounter, easy web analytics with no tracking of personal data. Available as `services.goatcounter`.
- Open-WebUI, a user-friendly WebUI for LLMs. Available as the `services.open-webui` service.
- Quickwit, a sub-second search & analytics engine on cloud storage. Available as `services.quickwit`.
- Flood, a beautiful WebUI for various torrent clients. Available as `services.flood`.
- QGroundControl, a ground station support and configuration manager for the PX4 and APM flight stacks. Available as `programs.qgroundcontrol`.
- Eintopf, a community event and calendar web application. Available as `services.eintopf`.
- Radicle, an open source, peer-to-peer code collaboration stack built on Git. Available as `services.radicle`.
- ddns-updater, a service to update DNS records periodically, with a WebUI for many DNS providers. Available as `services.ddns-updater`.
- Immersed VR, a closed-source coworking platform. Available as `programs.immersed-vr`.
- Renovate, a dependency updating tool for various git forges and language ecosystems. Available as `services.renovate`.
- Music Assistant, a music library manager for your offline and online music sources which can easily stream your favourite music to a wide range of supported players. Available as `services.music-assistant`.
- zeronsd, a DNS server for ZeroTier users. Available with `services.zeronsd.servedNetworks`.
- wg-access-server, an all-in-one WireGuard VPN solution with a web UI for connecting devices. Available as `services.wg-access-server`.
- Envision, a UI for building, configuring and running Monado, the open source OpenXR runtime. Available as `programs.envision`.
- Localsend, an open source cross-platform alternative to AirDrop. Available as `programs.localsend`.
- cryptpad, a privacy-oriented collaborative platform (docs/drive/etc), has been added back. Available as `services.cryptpad`.
- realm, a simple, high performance relay server written in Rust. Available as `services.realm.enable`.
- Gotenberg, an API server for converting files to PDFs that can be used alongside Paperless-ngx. Available as `services.gotenberg`.
- Playerctld, a daemon to track media player activity. Available as `services.playerctld`.
- Glance, a self-hosted dashboard that puts all your feeds in one place. Available as `services.glance`.
- Apache Tika, a toolkit that detects and extracts metadata and text from over a thousand different file types. Available as `services.tika`.
- Misskey, an interplanetary microblogging platform. Available as `services.misskey`.
- Improved File Manager, or IFM, a single-file web-based file manager.
- OpenGFW, an implementation of the Great Firewall on Linux. Available as `services.opengfw`.
- Rathole, a lightweight and high-performance reverse proxy for NAT traversal. Available as `services.rathole`.
- Proton Mail Bridge, a desktop application that runs in the background, encrypting and decrypting messages as they enter and leave your computer. It lets you add your Proton Mail account to your favorite email client via IMAP/SMTP by creating a local email server on your computer.
## Backward Incompatibilities

- The `transmission` package has been aliased with a `trace` warning to `transmission_3`. Since Transmission 4 was released last year, and Transmission 3 will eventually go away, it was decided to perform this warning alias to make people aware of the new version. `services.transmission.package` defaults to `transmission_3` as well because the upgrade can cause data loss in certain specific usage patterns (examples: #5153, #6796). Please make sure to back up your data directory per your usage:
  - `transmission-gtk`: `~/.config/transmission`
  - `transmission-daemon` using the NixOS module: `${config.services.transmission.home}/.config/transmission-daemon` (defaults to `/var/lib/transmission/.config/transmission-daemon`)
- `androidenv.androidPkgs_9_0` has been removed, and replaced with `androidenv.androidPkgs` for a more complete Android SDK including support for Android 9 and later.
- `grafana` has been updated to version 11.1. This version doesn't support setting `http_addr` to a hostname anymore; an IP address is expected.
- `wstunnel` has had a major version upgrade that entailed rewriting the program in Rust. The module was updated to accommodate the breaking changes. Breaking changes to the module API were minimised as much as possible, but some were nonetheless inevitable due to changes in the upstream CLI. Certain options were moved from separate CLI arguments into the forward specifications, and those options were also removed from the module's API; please consult the wstunnel man page for more detail. Also be aware that if you have set additional options in `services.wstunnel.{clients,servers}.<name>.extraArgs`, those might have been removed or modified upstream.
- `clang-tools_<version>` packages have been moved into `llvmPackages_<version>` (i.e. `clang-tools_18` is now `llvmPackages_18.clang-tools`).
  - For convenience, the top-level `clang-tools` attribute remains and is now bound to `llvmPackages.clang-tools`.
  - Top-level `clang_tools_<version>` attributes are now aliases; these will be removed in a future release.
- `buildbot` was updated to 4.0; the AngularJS frontend has been replaced by a React frontend, see the upstream release notes.
- The `nginx` package no longer includes the `gd` and `geoip` dependencies. To enable them, override the `nginx` package with the optional flags `withImageFilter` and `withGeoIP`.
- The `systemd.enableUnifiedCgroupHierarchy` option has been removed. In systemd 256, support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is considered obsolete and systemd by default will refuse to boot under it. To forcibly re-enable cgroup v1 support, you can set `boot.kernelParams = [ "systemd.unified_cgroup_hierarchy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ]`. NixOS does not officially support this configuration and it might cause your system to be unbootable in future versions. You are on your own.
- `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`).
- `security.ipa.ipaHostname` now defaults to the value of `networking.fqdn` if it is set, instead of the previous hardcoded default of `${networking.hostName}.${security.ipa.domain}`.
- The `MSMTP_QUEUE` and `MSMTP_LOG` environment variables accepted by `msmtpq` have now been renamed to `MSMTPQ_Q` and `MSMTPQ_LOG` respectively.
- The fcgiwrap module now allows multiple instances running as distinct users. The option `services.fcgiwrap` now takes an attribute set of the configuration of each individual instance. This requires migrating any previous configuration keys from `services.fcgiwrap.*` to `services.fcgiwrap.instances.some-instance.*`. The ownership and mode of the UNIX sockets created by this service are now configurable and private by default. Processes also now run as a dynamically allocated user by default instead of root.
- `singularity-tools` has had the `storeDir` argument removed from its override interface and uses `builtins.storeDir` instead.
- Two build helpers in `singularity-tools`, i.e., `mkLayer` and `shellScript`, are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases.
- The `budgie` and `budgiePlugins` scopes have been removed and their packages moved into the top-level scope (i.e., `budgie.budgie-desktop` is now `budgie-desktop`).
- All Cinnamon and XApp packages have been moved to top-level (i.e., `cinnamon.nemo` is now `nemo`).
- `services.cgit` now runs as the cgit user by default instead of root. This change requires granting access to the repositories to this user or setting the appropriate one through `services.cgit.some-instance.user`.
- `nvimpager` was updated to version 0.13.0, which changes the order of user and nvimpager settings: user commands in `-c` and `--cmd` now override the respective default settings because they are executed later.
- Kubernetes `featureGates` have changed from a `listOf str` to `attrsOf bool`. This refactor makes it possible to also disable feature gates, without having to use `extraOpts` flags. A previous configuration may have looked like this:

  ```nix
  featureGates = [ "EphemeralContainers" ];
  extraOpts = pkgs.lib.concatStringsSep " " [ ''--feature-gates="CSIMigration=false"'' ];
  ```

  Using an attribute set instead, the new configuration would be:

  ```nix
  featureGates = { EphemeralContainers = true; CSIMigration = false; };
  ```
- `pkgs.nextcloud27` has been removed since it's EOL.
- `services.forgejo.mailerPasswordFile` has been deprecated by the drop-in replacement `services.forgejo.secrets.mailer.PASSWD`, which is part of the new free-form `services.forgejo.secrets` option. `services.forgejo.secrets` is a small wrapper over systemd's `LoadCredential=`. It has the same structure (sections/keys) as `services.forgejo.settings` but takes file paths that will be read before service startup instead of some plaintext value.
- `forgejo` and `forgejo-lts` no longer support the opt-in feature PAM (Pluggable Authentication Module).
- `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead.
- `teleport` has been upgraded from major version 15 to major version 16. Refer to the upstream upgrade instructions and release notes for v16.
- `tests.overriding` has its `passthru.tests` restructured as an attribute set instead of a list, making individual tests accessible by their names.
- `vaultwarden` lost the capability to bind to privileged ports. If you rely on this behavior, override the systemd unit to allow `CAP_NET_BIND_SERVICE` in your local configuration.
- The Invoiceplane module now only accepts the structured `settings` option. `extraConfig` is now removed.
- The `ollama` service replaces its `sandbox` toggle with options to configure a static `user` and `group`. The `writablePaths` option has been removed and the models directory is now always exempt from sandboxing.
- The legacy package `stalwart-mail_0_6` was dropped; please note the manual upgrade process before changing the package to `pkgs.stalwart-mail` in `services.stalwart-mail.package`.
- The `nomad_1_5` package was dropped, as it has reached end-of-life upstream. Evaluating it will throw an error.
- `androidndkPkgs` has been updated to `androidndkPkgs_26`.
- Android NDK version 26 and SDK version 33 are now the default versions used for cross compilation to Android.
- `nodePackages.vscode-css-languageserver-bin`, `nodePackages.vscode-html-languageserver-bin`, and `nodePackages.vscode-json-languageserver-bin` were dropped due to an unmaintained upstream. The `vscode-langservers-extracted` package is a maintained drop-in replacement.
- `fetchNextcloudApp` has been rewritten to use `fetchurl` rather than `fetchzip`. This invalidates all existing hashes, but you can restore the old behavior by passing it `unpack = true`.
- `haskell.lib.compose.justStaticExecutables` now disallows references to GHC in the output by default, to alert users to closure size issues caused by #164630. See "Packaging Helpers" in the Haskell section of the Nixpkgs manual for information on working around `output '...' is not allowed to refer to the following paths` errors caused by this change.
- The `stalwart-mail` service now runs under the `stalwart-mail` system user instead of a dynamically created one via `DynamicUser`, to avoid automatic ownership changes on its large file store each time the service was started. This change requires manually moving the state directory from `/var/lib/private/stalwart-mail` to `/var/lib/stalwart-mail` and changing the ownership of the directory and its content to `stalwart-mail`.
- The `stalwart-mail` module now uses RocksDB as the default storage backend for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured data and the filesystem for blobs.)
- The `shiori` service now requires an HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided via environment variable. The NixOS module therefore now provides an `environmentFile` option:

  ```nix
  # This is how an environment file can be generated:
  # $ printf "SHIORI_HTTP_SECRET_KEY=%s\n" "$(openssl rand -hex 16)" > /path/to/env-file
  services.shiori.environmentFile = "/path/to/env-file";
  ```

- `/share/nano` is now only linked when `programs.nano.enable` is enabled.
- `libe57format` has been updated to `>= 3.0.0`, which contains some backward-incompatible API changes. See the release note for more details.
- `gitlab` deprecated support for runner registration tokens in GitLab 16.0, disabled their support in GitLab 17.0 and will ultimately remove it in GitLab 18.0, as outlined in the documentation. After upgrading to GitLab >= 17.0, it is possible to re-enable support for registration tokens in the UI until GitLab 18.0. Refer to the manual on using registration tokens after GitLab 17.0. GitLab administrators should migrate to the new runner registration workflow with runner authentication tokens before the release of GitLab 18.0.
- `gitlab` has been updated from 16.x to 17.x and requires at least `postgresql` 14.9, as stated in the documentation. Check the upgrade guide in the NixOS manual on how to upgrade your PostgreSQL installation.
- `gitaly` (part of `gitlab`) is now using the bundled `git` package instead of `pkgs.git` to maintain compatibility with GitLab.
- `nixos/gitlab` no longer adds `pkgs.git` to `environment.systemPackages` by default.
- The `replay-sorcery` package and module were removed as it is unmaintained upstream. Consider using `gpu-screen-recorder` or `obs-studio` instead.
- `zx` was updated to v8, which introduces several breaking changes. See the v8 changelog for more information.
- The `portunus` package and service do not support weak password hashes anymore. If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing. Then, follow the instructions in the upstream release notes to upgrade all existing user accounts to strong password hashes. If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration:

  ```nix
  services.portunus.package = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; };
  services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
  ```
- The default value of `services.kubernetes.kubelet.hostname` is now lowercased. Explicitly set `kubelet.hostname` to `networking.fqdnOrHostName` to get back the old default behavior.
- Docker now defaults to 27.x, because version 24.x stopped receiving security updates and bug fixes after February 1, 2024.
- `keycloak` was updated to version 25, which introduces new hostname related options. See the Upgrading Guide for instructions.
- `programs.vim.defaultEditor` now only works if `programs.vim.enable` is enabled.
- `/share/vim-plugins` now only gets linked if `programs.vim.enable` is enabled.
- The `tracy` package no longer works on X11, since it has moved to Wayland support, which is the intended default behavior by the Tracy maintainers. X11 users have to switch to the new package `tracy-x11`.
- The `services.prometheus.exporters.minio` option has been removed, as its upstream implementation was broken and unmaintained. Minio now has built-in Prometheus metrics exposure, which can be used instead.
- The `services.patroni.raft` option has been removed, as Raft has been deprecated by upstream since 3.0.0.
- `services.roundcube.maxAttachmentSize` now multiplies the configured value by `1.37` to offset the overhead introduced by the base64 encoding applied to attachments.
- The `sound` options have been removed or renamed, as they had a lot of unintended side effects. See below for details.
- The `services.mxisd` module has been removed as both mxisd and ma1sd are not maintained any longer. Consequently the package `pkgs.ma1sd` has also been removed.
- `ffmpeg_5` has been removed. Please use the unversioned `ffmpeg`, pin a newer version, or if necessary pin `ffmpeg_4` for compatibility.
- The `xdg.portal.gtkUsePortal` option has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`.
- The `services.trust-dns` module has been renamed to `services.hickory-dns`.
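As an added example of the `services.forgejo.secrets` option described in the `services.forgejo.mailerPasswordFile` entry above (this is not code from the release notes or from the Forgejo module itself): a mailer configuration where the SMTP password is handed over as a file path instead of an inline value. The host name, account name and the `/run/secrets/...` path are placeholders.

```nix
{ config, pkgs, ... }:

{
  services.forgejo = {
    enable = true;

    # Deprecated in 24.11: the old single-purpose option.
    # mailerPasswordFile = "/run/secrets/forgejo-mailer-passwd";

    # Non-secret mailer settings stay in `settings`. Anything placed here ends
    # up in the generated app.ini in the Nix store, which is world-readable,
    # so credentials must not go in this attribute set.
    settings.mailer = {
      ENABLED = true;
      PROTOCOL = "smtps";
      SMTP_ADDR = "mail.example.org";        # placeholder host
      SMTP_PORT = 465;
      USER = "forgejo@example.org";          # placeholder account
      FROM = "Forgejo <forgejo@example.org>";
    };

    # `secrets` mirrors the section/key layout of `settings`, but every leaf
    # value is a path to a file holding the secret. The module passes the path
    # to systemd's LoadCredential=, so systemd reads the file at unit start
    # (as root, before dropping privileges): the file can stay root-owned and
    # mode 0400, and its contents never enter the Nix store.
    secrets.mailer.PASSWD = "/run/secrets/forgejo-mailer-passwd";  # placeholder path
  };
}
```

Because the secret is read at service startup, changing the file's contents takes effect on the next restart of `forgejo.service` without a rebuild.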
## Other Notable Changes

- The `zerocallusedregs` hardening flag is enabled by default on compilers that support it.
- The `stackclashprotection` hardening flag has been added, though disabled by default.
- The `pacret` hardening flag has been added, though disabled by default.
- `cargoSha256` in `rustPlatform.buildRustPackage` has been deprecated in favor of `cargoHash`, which supports SRI hashes. See "buildRustPackage: Compiling Rust applications with Cargo" for more information.
- `hareHook` has been added as the language framework for Hare. From now on, it, not the `hare` package, should be added to `nativeBuildInputs` when building Hare programs.
- `lib.options.mkPackageOptionMD` is now obsolete; use the identical `lib.options.mkPackageOption` instead.
- `lib.misc.mapAttrsFlatten` is now formally deprecated and will be removed in future releases; use the identical `lib.attrsets.mapAttrsToList` instead.
- `nixosTests` now provide a working IPv6 setup for VLAN 1 by default.
- Kanidm can now be provisioned using the new `services.kanidm.provision` option, but this requires using a patched version available via `pkgs.kanidm.withSecretProvisioning`.
- To facilitate dependency injection, the `imgui` package now builds a static archive using vcpkg's CMake rules. The derivation now installs "impl" headers selectively instead of by a wildcard. Use `imgui.src` if you just want to access the unpacked sources.
- Unprivileged access to the kernel syslog via `dmesg` is now restricted by default. Users wanting to keep unrestricted access to it can set `boot.kernel.sysctl."kernel.dmesg_restrict" = false`.
- The `i18n.inputMethod` module introduces two new properties: `enable` and `type`, for declaring whether to enable an alternative input method and defining which input method, respectively. The options available in `type` are the same as the existing `enabled` option. `enabled` is now deprecated, and will be removed in a future release.
- `security.pam.u2f` now follows RFC42. All module options are now settable through the freeform `.settings`.
- Gollum was upgraded to major version 6. Read their migration notes.
- The hooks `yarnConfigHook` and `yarnBuildHook` were added. These should replace `yarn2nix.mkYarnPackage` and other `yarn2nix` related tools. The motivation to get rid of `yarn2nix` tools is the fact that they are too complex and hard to maintain, and they rely upon too much Nix evaluation, which is problematic if import-from-derivation is not allowed (see more details at #296856). The transition from `mkYarnPackage` to `yarn{Config,Build}Hook` is tracked at #324246.
- Cinnamon has been updated to 6.2.
  - Following Mint 22 defaults, the Cinnamon module no longer ships geary and hexchat by default.
  - Nemo is now built with gtk-layer-shell support; note that for now it will be expected to see nemo-desktop listed as a regular entry in the Cinnamon Wayland session's window list applet.
- The `shadowstack` hardening flag has been added, though disabled by default.
- The `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as `services.restic.backups.<name>.inhibitsSleep`.
- Support for runner registration tokens has been deprecated in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners should be changed to using runner authentication tokens by configuring `services.gitlab-runner.services.<name>.authenticationTokenConfigFile` instead of the former `services.gitlab-runner.services.<name>.registrationConfigFile` option.
- `iproute2` now has libbpf support.
- `nix.channel.enable = false` no longer implies `nix.settings.nix-path = []`. Since Nix 2.13, a `nix-path` set in `nix.conf` cannot be overridden by the `NIX_PATH` configuration variable.
- Buildkite Agents are now each running in their own private `/tmp`. To return to the old behaviour, set `systemd.services.buildkite-agent-${name}.serviceConfig.PrivateTmp = false;`.
## Detailed migration information

### `sound` options removal

The `sound` options have been largely removed, as they are unnecessary for most modern setups, and cause issues when enabled.

If you set `sound.enable` in your configuration:

- If you are using Pulseaudio or PipeWire, simply remove that option
- If you are not using an external sound server, and want volumes to be persisted across shutdowns, set `hardware.alsa.enablePersistence = true` instead

If you set `sound.enableOSSEmulation` in your configuration:

- Make sure it is still necessary, as very few applications actually use OSS
- If necessary, set `boot.kernelModules = [ "snd_pcm_oss" ]`

If you set `sound.extraConfig` in your configuration:

- If you are using another sound server, like Pulseaudio, JACK or PipeWire, migrate your configuration to that
- If you are not using an external sound server, set `environment.etc."asound.conf".text = yourExtraConfig` instead

If you set `sound.mediaKeys` in your configuration:

- Preferably switch to handling media keys in your desktop environment/compositor
- If you want to maintain the exact behavior of the option, use the following snippet (it assumes `pkgs` is in scope, as it is in a NixOS module; the amixer binary comes from `pkgs.alsa-utils`)

```nix
services.actkbd = let
  volumeStep = "1%";
in {
  enable = true;
  bindings = [
    # "Mute" media key
    { keys = [ 113 ]; events = [ "key" ]; command = "${pkgs.alsa-utils}/bin/amixer -q set Master toggle"; }
    # "Lower Volume" media key
    { keys = [ 114 ]; events = [ "key" "rep" ]; command = "${pkgs.alsa-utils}/bin/amixer -q set Master ${volumeStep}- unmute"; }
    # "Raise Volume" media key
    { keys = [ 115 ]; events = [ "key" "rep" ]; command = "${pkgs.alsa-utils}/bin/amixer -q set Master ${volumeStep}+ unmute"; }
    # "Mic Mute" media key
    { keys = [ 190 ]; events = [ "key" ]; command = "${pkgs.alsa-utils}/bin/amixer -q set Capture toggle"; }
  ];
};
```