Support is planned until the end of December 2024, handing over to 24.11.
In addition to numerous new and upgraded packages, this release has the following highlights:
-
screen's module has been cleaned, and will now require you to setprograms.screen.enablein order to populatescreenrcand add the program to the environment. -
linuxPackages_testing_bcachefsis now fully deprecated bylinuxPackages_testing, and is therefore no longer available. -
NixOS now installs a stub ELF loader that prints an informative error message when users attempt to run binaries not made for NixOS.
- This can be disabled through the
environment.stub-ld.enableoption. - If you use
programs.nix-ld.enable, no changes are needed. The stub will be disabled automatically.
- This can be disabled through the
-
Julia environments can now be built with arbitrary packages from the ecosystem using the
.withPackagesfunction. For example:julia.withPackages ["Plots"].
-
Guix, a functional package manager inspired by Nix. Available as services.guix.
-
maubot, a plugin-based Matrix bot framework. Available as services.maubot.
-
systemd's gateway, upload, and remote services, which provides ways of sending journals across the network. Enable using services.journald.gateway, services.journald.upload, and services.journald.remote.
-
GNS3, a network software emulator. Available as services.gns3-server.
-
rspamd-trainer, script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training.
-
ollama, server for running large language models locally.
-
Anki Sync Server, the official sync server built into recent versions of Anki. Available as services.anki-sync-server. The pre-existing services.ankisyncd has been marked deprecated and will be dropped after 24.05 due to lack of maintenance of the anki-sync-server softwares.
-
Suwayomi Server, a free and open source manga reader server that runs extensions built for Tachiyomi. Available as services.suwayomi-server.
-
ping_exporter, a Prometheus exporter for ICMP echo requests. Available as services.prometheus.exporters.ping.
-
Clevis, a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as boot.initrd.clevis.enable.
-
TuxClocker, a hardware control and monitoring program. Available as programs.tuxclocker.
-
himalayawas updated to v1.0.0-beta, which introduces breaking changes. Check out the release note for details. -
The
power.upsmodule now generatesupsd.conf,upsd.usersandupsmon.confautomatically from a set of new configuration options. This breaks compatibility with existingpower.upssetups where these files were created manually. Back up these files before upgrading NixOS. -
k9swas updated to v0.31. There have been various breaking changes in the config file format, check out the changelog of v0.29, v0.30 and v0.31 for details. It is recommended to back up your current configuration and let k9s recreate the new base configuration. -
idris2was updated to v0.7.0. This version introduces breaking changes. Check out the changelog for details. -
nitterrequires aguest_accounts.jsonlto be provided as a path or loaded into the default location at/var/lib/nitter/guest_accounts.jsonl. See Guest Account Branch Deployment for details. -
Invidious has changed its default database username from
kemaltoinvidious. Setups involving an externally provisioned database (i.e.services.invidious.database.createLocally == false) should adjust their configuration accordingly. The oldkemaluser will not be removed automatically even when the database is provisioned automatically.(NixOS#265857) -
paperless'services.paperless.extraConfigsetting has been removed and converted to the freeform type and option namedservices.paperless.settings. -
The legacy and long deprecated systemd target
network-interfaces.targethas been removed. Usenetwork.targetinstead. -
services.frp.settingsnow generates the frp configuration file in TOML format as recommended by upstream, instead of the legacy INI format. This has also introduced other changes in the configuration file structure and options.- The
settings.commonsection in the configuration is no longer valid and all the options form inside it now goes directly undersettings. - The
_separating words in the configuration options is removed so the options are now in camel case. For example:server_addrbecomesserverAddr,server_portbecomesserverPortetc. - Proxies are now defined with a new option
settings.proxieswhich takes a list of proxies. - Consult the upstream documentation for more details on the changes.
- The
-
mkosiwas updated to v20. Parts of the user interface have changed. Consult the release notes of v19 and v20 for a list of changes. -
services.nginxwill no longer advertise HTTP/3 availability automatically. This must now be manually added, preferably to each location block. Example:locations."/".extraConfig = '' add_header Alt-Svc 'h3=":$server_port"; ma=86400'; ''; locations."^~ /assets/".extraConfig = '' add_header Alt-Svc 'h3=":$server_port"; ma=86400'; '';
-
The
kanatapackage has been updated to v1.5.0, which includes breaking changes. -
The
craftos-pcpackage has been updated to v2.8, which includes breaking changes.- Files are now handled in binary mode; this could break programs with embedded UTF-8 characters.
- The ROM was updated to match ComputerCraft version v1.109.2.
- The bundled Lua was updated to Lua v5.2, which includes breaking changes. See the Lua manual for more information.
- The WebSocket API was rewritten, which introduced breaking changes.
-
The latest available version of Nextcloud is v28 (available as
pkgs.nextcloud28). The installation logic is as follows:- If
services.nextcloud.packageis specified explicitly, this package will be installed (recommended) - If
system.stateVersionis >=24.05,pkgs.nextcloud28will be installed by default. - If
system.stateVersionis >=23.11,pkgs.nextcloud27will be installed by default. - Please note that an upgrade from v26 (or older) to v28 directly is not possible. Please upgrade to
nextcloud27(or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaringservices.nextcloud.package = pkgs.nextcloud27;.
- If
-
The vendored third party libraries have been mostly removed from
cudaPackages.nsight_systems, which we now only ship forcudaPackages_11_8and later due to outdated dependencies. Users comfortable with the vendored dependencies may useoverrideAttrsto amend thepostPatchphase and themeta.brokencorrespondingly. Alternatively, one could package the deprecatedboost170locally, as required forcudaPackages_11_4.nsight_systems. -
The
cudaPackagespackage scope has been updated tocudaPackages_12. -
services.resolved.fallbackDnscan now be used to disable the upstream fallback servers entirely by setting it to an empty list. To get the previous behaviour of the upstream defaults set it to null, the new default, instead. -
services.avahi.nssmdnsgot split intoservices.avahi.nssmdns4andservices.avahi.nssmdns6which enable the mDNS NSS switch for IPv4 and IPv6 respectively. Since most mDNS responders only register IPv4 addresses, most users want to keep the IPv6 support disabled to avoid long timeouts. -
multi-user.targetno longer depends onnetwork-online.target. This will potentially break services that assumed this was the case in the past. This was changed for consistency with other distributions as well as improved boot times.We have added a warning for services that are
after = [ "network-online.target" ]but do not depend on it (e.g. usingwants). -
networking.iproute2.enablenow does not setenvironment.etc."iproute2/rt_tables".text.Setting
environment.etc."iproute2/{CONFIG_FILE_NAME}".textwill override the whole configuration file instead of appending it to the upstream configuration file.CONFIG_FILE_NAMEincludesbpf_pinning,ematch_map,group,nl_protos,rt_dsfield,rt_protos,rt_realms,rt_scopes, andrt_tables. -
The executable file names for
firefox-devedition,firefox-beta,firefox-esrnow matches their package names, which is consistent with thefirefox-*-binpackages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher. -
switch-to-configuration does not directly call systemd-tmpfiles anymore. Instead, the new artificial sysinit-reactivation.target is introduced which allows to restart multiple services that are ordered before sysinit.target and respect the ordering between the services.
-
The
systemd.oomdmodule behavior is changed as:-
Raise ManagedOOMMemoryPressureLimit from 50% to 80%. This should make systemd-oomd kill things less often, and fix issues like this. Reference: commit
-
Remove swap policy. This helps prevent killing processes when user's swap is small.
-
Expand the memory pressure policy to system.slice, user-.slice, and all user owned slices. Reference: commit
-
systemd.oomd.enableUserServicesis renamed tosystemd.oomd.enableUserSlices.
-
-
security.pam.enableSSHAgentAuthnow requiresservices.openssh.authorizedKeysFilesto be non-empty, which is the case whenservices.openssh.enableis true. Previously,pam_ssh_agent_authsilently failed to work. -
The configuration format for
services.prometheus.exporters.snmpchanged with release 0.23.0. The module now includes an optional config check, that is enabled by default, to make the change obvious before any deployment. More information about the configuration syntax change is available in the upstream repository. -
watchdogd, a system and process supervisor using watchdog timers. Available as services.watchdogd.
-
addDriverRunpathhas been added to facilitate the deprecation of the oldaddOpenGLRunpathsetuphook. This change is motivated by the evolution of the setuphook to include all hardware acceleration. -
Cinnamon has been updated to 6.0. Please beware that the Wayland session is still experimental in this release.
-
services.postgresql.extraPluginschanged its type from just a list of packages to also a function that returns such a list. For example a config line likeservices.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];is recommended to be changed toservices.postgresql.extraPlugins = ps: with ps; [ postgis ];; -
Programs written in Nim are built with libraries selected by lockfiles. The
nimPackagesandnim2Packagessets have been removed. See https://nixos.org/manual/nixpkgs/unstable#nim for more information. -
Portunus has been updated to major version 2. This version of Portunus supports strong password hashes, but the legacy hash SHA-256 is also still supported to ensure a smooth migration of existing user accounts. After upgrading, follow the instructions on the upstream release notes to upgrade all user accounts to strong password hashes. Support for weak password hashes will be removed in NixOS 24.11.
-
libassnow uses the native CoreText backend on Darwin, which may fix subtitle rendering issues withmpv,ffmpeg, etc. -
The following options of the Nextcloud module were moved into
services.nextcloud.extraOptionsand renamed to match the name from Nextcloud'sconfig.php:logLevel->loglevel,logType->log_type,defaultPhoneRegion->default_phone_region,overwriteProtocol->overwriteprotocol,skeletonDirectory->skeletondirectory,globalProfiles->profile.enabled,extraTrustedDomains->trusted_domainsandtrustedProxies->trusted_proxies.
-
The option [
services.nextcloud.config.dbport] of the Nextcloud module was removed to match upstream. The port can be specified inservices.nextcloud.config.dbhost. -
The Yama LSM is now enabled by default in the kernel, which prevents ptracing non-child processes. This means you will not be able to attach gdb to an existing process, but will need to start that process from gdb (so it is a child). Or you can set
boot.kernel.sysctl."kernel.yama.ptrace_scope"to 0. -
Nginx virtual hosts using
forceSSLorglobalRedirectcan now have redirect codes other than 301 throughredirectCode. -
The source of the
mockgenpackage has changed to the go.uber.org/mock fork because the original repository is no longer maintained. -
security.pam.enableSSHAgentAuthwas renamed tosecurity.pam.sshAgentAuth.enableand anauthorizedKeysFilesoption was added, to control whichauthorized_keysfiles are trusted. It defaults to the previous behaviour, which is insecure: see #31611. -
changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as since 22.11.
-
services.zfs.zed.enableMailnow uses the globalsendmailwrapper defined by an email module (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support. -
nextcloud-setup.serviceno longer changes the group of each file & directory inside/var/lib/nextcloud/{config,data,store-apps}if one of these directories has the wrong owner group. This was part of transitioning the group used for/var/lib/nextcloud, but isn't necessary anymore. -
The
krb5module has been rewritten and moved tosecurity.krb5, moving all options butsecurity.krb5.enableandsecurity.krb5.packageintosecurity.krb5.settings. -
Gitea 1.21 upgrade has several breaking changes, including:
- Custom themes and other assets that were previously stored in
custom/public/*now belong incustom/public/assets/* - New instances of Gitea using MySQL now ignore the
[database].CHARSETconfig option and always use theutf8mb4charset, existing instances should migrate via thegitea doctor convertCLI command.
- Custom themes and other assets that were previously stored in
-
The
hardware.pulseaudiomodule now sets permission of pulse user home directory to 755 when running in "systemWide" mode. It fixes issue 114399. -
The
btrbkmodule now automatically selects and provides required compression program depending on the configuredstream_compressoption. Since this replaces the need for theextraPackagesoption, this option will be deprecated in future releases. -
The
mpichpackage expression now requireswithPmto be a list, e.g."hydra:gforker"becomes[ "hydra" "gforker" ]. -
QtMultimedia has changed its default backend to
QT_MEDIA_BACKEND=ffmpeg(previouslygstreameron Linux ordarwinon MacOS). The previous native backends remain available but are now minimally maintained. Refer to upstream documentation for further details about each platform.