NixOS Changelog

What's new in NixOS 19.09

Oct 9, 2019
  • Highlights:
  • In addition to numerous new and upgraded packages, this release has the following highlights:
  • End of support is planned for end of April 2020, handing over to 20.03.
  • PHP now defaults to PHP 7.3, updated from 7.2.
  • PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release.
  • The binfmt module is now easier to use. Additional systems can be added through boot.binfmt.emulatedSystems. For instance, boot.binfmt.emulatedSystems = [ "wasm32-wasi" "x86_64-windows" "aarch64-linux" ]; will set up binfmt interpreters for each of those listed systems.
  • The installer now uses a less privileged nixos user whereas before we logged in as root. To gain root privileges use sudo -i without a password.
  • We've updated to Xfce 4.14, which brings a new module services.xserver.desktopManager.xfce4-14. If you'd like to upgrade, please switch from the services.xserver.desktopManager.xfce module as it will be deprecated in a future release. There are incompatibilities with the current Xfce module: it doesn't support thunarPlugins, and it isn't recommended to use services.xserver.desktopManager.xfce and services.xserver.desktopManager.xfce4-14 simultaneously or to downgrade from Xfce 4.14 after upgrading.
  • The GNOME 3 desktop manager module sports an interface to enable/disable core services, applications, and optional GNOME packages like games.
  • This can be achieved with the following options, which the desktop manager enables by default, excluding games.
  • services.gnome3.core-os-services.enable
  • services.gnome3.core-shell.enable
  • services.gnome3.core-utilities.enable
  • services.gnome3.games.enable
  • With these options we hope to give users finer-grained control over their systems. Prior to this change you'd either have to manually disable options or use environment.gnome3.excludePackages, which only excluded the optional applications. environment.gnome3.excludePackages is now unguarded: it can exclude any package installed with environment.systemPackages in the GNOME 3 module.
  • Orthogonal to the previous changes to the GNOME 3 desktop manager module, we've updated all default services and applications to match a default reference GNOME 3 experience as closely as possible.
  • The following changes were enacted in services.gnome3.core-utilities.enable
  • Applications removed from defaults:
  • accerciser
  • dconf-editor
  • evolution
  • gnome-documents
  • gnome-nettool
  • gnome-power-manager
  • gnome-todo
  • gnome-tweaks
  • gnome-usage
  • gucharmap
  • nautilus-sendto
  • vinagre
  • Applications added to defaults:
  • cheese
  • geary
  • The following changes were enacted in services.gnome3.core-shell.enable
  • Applications added to defaults:
  • gnome-color-manager
  • orca
  • Services enabled:
  • services.avahi.enable
  • New Services:
  • The following new services were added since the last release:
  • ./programs/dwm-status.nix
  • The new hardware.printers module allows CUPS printers to be configured declaratively via the ensurePrinters and ensureDefaultPrinter options. ensurePrinters will never delete existing printers, but will make sure that the given printers are configured as declared.
  • There is a new services.system-config-printer.enable and programs.system-config-printer.enable module for the program of the same name. If you previously had system-config-printer enabled through some other means you should migrate to using one of these modules.
  • If you're a user of the following desktopManager modules no action is needed:
  • services.xserver.desktopManager.plasma5
  • services.xserver.desktopManager.gnome3
  • services.xserver.desktopManager.pantheon
  • services.xserver.desktopManager.mate
  • Note: Mate uses programs.system-config-printer because it doesn't use it as a service, but uses its graphical interface directly.
  • Backward Incompatibilities:
  • When upgrading from a previous release, please be aware of the following incompatible changes:
  • Buildbot no longer supports Python 2, as support was dropped upstream in version 2.0.0. Configurations may need to be modified to make them compatible with Python 3.
  • PostgreSQL now uses /run/postgresql as its socket directory instead of /tmp. If you run an application such as Nextcloud, where you need to use the Unix socket path as the database host name, you need to change it accordingly.
  • PostgreSQL 9.4 is scheduled EOL during the 19.09 life cycle and has been removed.
  • The options services.prometheus.alertmanager.user and services.prometheus.alertmanager.group have been removed because the alertmanager service is now using systemd's DynamicUser mechanism which obviates these options.
  • The NetworkManager systemd unit was renamed back from network-manager.service to NetworkManager.service for better compatibility with other applications expecting this name. The same applies to ModemManager where modem-manager.service is now called ModemManager.service again.
  • The services.nzbget.configFile and services.nzbget.openFirewall options were removed as they are managed internally by nzbget. The services.nzbget.dataDir option hadn't actually been used by the module for some time and so was removed as cleanup.
  • The services.mysql.pidDir option was removed, as it was only used by the wordpress apache-httpd service to wait for mysql to have started up. This can be accomplished by either describing a dependency on mysql.service (preferred) or waiting for the (hardcoded) /run/mysqld/mysql.sock file to appear.
  • The services.emby.enable module has been removed, see services.jellyfin.enable instead for a free software fork of Emby. See the Jellyfin documentation: Migrating from Emby to Jellyfin
  • IPv6 Privacy Extensions are now enabled by default for undeclared interfaces. The previous behaviour was quite misleading — even though the default value for networking.interfaces.*.preferTempAddress was true, undeclared interfaces would not prefer temporary addresses. Now, interfaces not mentioned in the config will prefer temporary addresses. EUI64 addresses can still be set as preferred by explicitly setting the option to false for the interface in question.
  • Since Bittorrent Sync was superseded by Resilio Sync in 2016, the bittorrentSync, bittorrentSync14, and bittorrentSync16 packages have been removed in favor of resilio-sync.
  • The corresponding module, services.btsync has been replaced by the services.resilio module.
  • The httpd service no longer attempts to start the postgresql service. If you have come to depend on this behaviour then you can preserve the behavior with the following configuration: systemd.services.httpd.after = [ "postgresql.service" ];
  • The option services.httpd.extraSubservices has been marked as deprecated. You may still use this feature, but it will be removed in a future release of NixOS. You are encouraged to convert any httpd subservices you may have written to a full NixOS module.
  • Most of the httpd subservices packaged with NixOS have been replaced with full NixOS modules including LimeSurvey, WordPress, and Zabbix. These modules can be enabled using the services.limesurvey.enable, services.mediawiki.enable, services.wordpress.enable, and services.zabbixWeb.enable options.
  • The option systemd.network.networks..routes.*.routeConfig.GatewayOnlink was renamed to systemd.network.networks..routes.*.routeConfig.GatewayOnLink (capital L). This follows upstream's renaming of the setting.
  • As of this release the NixOps feature autoLuks is deprecated. It no longer works with our systemd version without manual intervention.
  • Whenever the usage of the module is detected the evaluation will fail with a message explaining why and how to deal with the situation.
  • A new knob named nixops.enableDeprecatedAutoLuks has been introduced to disable the eval failure and to acknowledge the notice was received and read. If you plan on using the feature please note that it might break with subsequent updates.
  • Make sure you set the _netdev option for each of the file systems referring to block devices provided by the autoLuks module. Not doing this might render the system in a state where it doesn't boot anymore.
  • If you are actively using the autoLuks module please let us know in issue #62211.
  • The setopt declarations will be evaluated at the end of /etc/zshrc, so any code in programs.zsh.interactiveShellInit, programs.zsh.loginShellInit and programs.zsh.promptInit may break if it relies on those options being set.
  • The prometheus-nginx-exporter package now uses the official exporter provided by NGINX Inc. Its metrics are structured differently and are incompatible with the old ones. For information about the metrics, have a look at the official repo.
  • The shibboleth-sp package has been updated to version 3. It is largely backward compatible, for further information refer to the release notes and upgrade guide.
  • Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.
  • By default, prometheus exporters are now run with DynamicUser enabled. Exporters that need a real user now run under a separate user and group which follow the pattern -exporter, instead of the previous default nobody and nogroup. Only some exporters are affected by the latter, namely the exporters dovecot, node, postfix and varnish.
  • The ibus-qt package is not installed by default anymore when i18n.inputMethod.enabled is set to ibus. If IBus support in Qt 4.x applications is required, add the ibus-qt package to your environment.systemPackages manually.
  • The CUPS Printing service now uses socket-based activation by default, only starting when needed. The previous behavior can be restored by setting services.cups.startWhenNeeded to false.
  • The services.systemhealth module has been removed from nixpkgs due to lack of maintainer.
  • The services.mantisbt module has been removed from nixpkgs due to lack of maintainer.
  • Squid 3 has been removed and the squid derivation now refers to Squid 4.
  • The services.pdns-recursor.extraConfig option has been replaced by services.pdns-recursor.settings. The new option allows setting extra configuration while being better type-checked and mergeable.
  • No service depends on keys.target anymore which is a systemd target that indicates if all NixOps keys were successfully uploaded. Instead, -key.service should be used to define a dependency of a key in a service. The full issue behind the keys.target dependency is described at NixOS/nixpkgs#67265.
  • The following services are affected by this:
  • services.dovecot2
  • services.nsd
  • services.softether
  • services.strongswan
  • services.strongswan-swanctl
  • services.httpd
  • The security.acme.directory option has been replaced by a read-only security.acme.certs..directory option for each certificate you define. This will be a subdirectory of /var/lib/acme. You can use this read-only option to figure out where the certificates are stored for a specific certificate. For example, the services.nginx.virtualhosts..enableACME option will use this directory option to find the certs for the virtual host.
  • security.acme.preDelay and security.acme.activationDelay options have been removed. To execute a service before certificates are provisioned or renewed add a RequiredBy=acme-${cert}.service to any service.
  • Furthermore, the acme module will not automatically add a dependency on lighttpd.service anymore. If you are using certificates provided by letsencrypt for lighttpd, then you should depend on the certificate service acme-${cert}.service manually.
  • For nginx, the dependencies are still automatically managed when services.nginx.virtualhosts..enableACME is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs, instead of depending on the catch-all acme-certificates.target. This target unit was also removed from the codebase. This will mean nginx will no longer depend on certificates it isn't explicitly managing and fixes a bug with certificate renewal ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at NixOS/nixpkgs#60180.
  • The old deprecated emacs package sets have been dropped. What used to be called emacsPackagesNg is now simply called emacsPackages.
  • services.xserver.desktopManager.xterm is now disabled by default if stateVersion is 19.09 or higher. Previously the xterm desktopManager was enabled when xserver was enabled, but it isn't useful for all people so it didn't make sense to have any desktopManager enabled by default.
  • The WeeChat plugin pkgs.weechatScripts.weechat-xmpp has been removed as it doesn't receive any updates from upstream and depends on outdated Python2-based modules.
  • Old unsupported versions (logstash5, kibana5, filebeat5, heartbeat5, metricbeat5, packetbeat5) of the ELK-stack and Elastic beats have been removed.
  • For NixOS 19.03, both Prometheus 1 and 2 were available to allow for a seamless transition from version 1 to 2 with existing setups. Because Prometheus 1 is no longer developed, it was removed. Prometheus 2 is now configured with services.prometheus.
  • Citrix Receiver (citrix_receiver) has been dropped in favor of Citrix Workspace (citrix_workspace).
  • The services.gitlab module has had its literal secret options (services.gitlab.smtp.password, services.gitlab.databasePassword, services.gitlab.initialRootPassword, services.gitlab.secrets.secret, services.gitlab.secrets.db, services.gitlab.secrets.otp and services.gitlab.secrets.jws) replaced by file-based versions (services.gitlab.smtp.passwordFile, services.gitlab.databasePasswordFile, services.gitlab.initialRootPasswordFile, services.gitlab.secrets.secretFile, services.gitlab.secrets.dbFile, services.gitlab.secrets.otpFile and services.gitlab.secrets.jwsFile). This was done so that secrets aren't stored in the world-readable nix store, but means that for each option you'll have to create a file with the same exact string, add "File" to the end of the option name, and change the definition to a string pointing to the corresponding file; e.g. services.gitlab.databasePassword = "supersecurepassword" becomes services.gitlab.databasePasswordFile = "/path/to/secret_file" where the file secret_file contains the string supersecurepassword.
  • The state path (services.gitlab.statePath) now has the following restriction: no parent directory can be owned by any other user than root or the user specified in services.gitlab.user; i.e. if services.gitlab.statePath is set to /var/lib/gitlab/state, gitlab and all parent directories must be owned by either root or the user specified in services.gitlab.user.
  • The networking.useDHCP option is unsupported in combination with networking.useNetworkd, in anticipation of it becoming the default. It has to be set to false and enabled per interface with networking.interfaces..useDHCP = true;
  • The Twitter client corebird has been dropped as it is discontinued and does not work against the new Twitter API. Please use the fork cawbird instead which has been adapted to the API changes and is still maintained.
  • The nodejs-11_x package has been removed as it's EOLed by upstream.
  • Because of the systemd upgrade, systemd-timesyncd will no longer work if system.stateVersion is not set correctly. When upgrading from NixOS 19.03, please make sure that system.stateVersion is set to "19.03", or lower if the installation dates back to an earlier version of NixOS.
  • Other Notable Changes:
  • The documentation module gained an option named documentation.nixos.includeAllModules which makes the generated configuration.nix(5) manual page include all options from all NixOS modules included in a given configuration.nix configuration file. Currently, it is set to false by default as enabling it frequently prevents evaluation. But the plan is to eventually have it set to true by default. Please set it to true now in your configuration.nix and fix all the bugs it uncovers.
  • The vlc package gained support for Chromecast streaming, enabled by default. TCP port 8010 must be open for it to work, so something like networking.firewall.allowedTCPPorts = [ 8010 ]; may be required in your configuration. Also consider enabling Accelerated Video Playback for better transcoding performance.
  • The following changes apply if the stateVersion is changed to 19.09 or higher. For stateVersion = "19.03" or lower the old behavior is preserved.
  • solr.package defaults to pkgs.solr_8.
  • The hunspellDicts.fr-any dictionary now ships with fr_FR.{aff,dic} which is linked to fr-toutesvariantes.{aff,dic}.
  • The mysql service now runs as the mysql user. Previously, systemd executed it as root, and mysql dropped privileges itself. This includes the ExecStartPre= and ExecStartPost= phases. To accomplish that, runtime and data directory setup was delegated to RuntimeDirectory and tmpfiles.
  • With the upgrade to systemd version 242 the systemd-timesyncd service is no longer using DynamicUser=yes. In order for the upgrade to work we rely on an activation script to move the state from the old to the new directory. The older directory (prior to 19.09) was /var/lib/private/systemd/timesync.
  • As long as the system.config.stateVersion is below 19.09 the state folder will be migrated to its proper location (/var/lib/systemd/timesync), if required.
  • The package avahi is now built to look up service definitions from /etc/avahi/services instead of its output directory in the nix store. Accordingly the module avahi now supports custom service definitions via services.avahi.extraServiceFiles, which are then placed in the aforementioned directory. See avahi.service(5) for more information on custom service definitions.
  • Since version 0.1.19, cargo-vendor honors package includes that are specified in the Cargo.toml file of Rust crates. rustPlatform.buildRustPackage uses cargo-vendor to collect and build dependent crates. Since this change in cargo-vendor changes the set of vendored files for most Rust packages, the hash that is used to verify the dependencies, cargoSha256, also changes.
  • The cargoSha256 hashes of all in-tree derivations that use buildRustPackage have been updated to reflect this change. However, third-party derivations that use buildRustPackage may have to be updated as well.
  • The consul package was upgraded past version 1.5, so its deprecated legacy UI is no longer available.
  • The default resample-method for PulseAudio has been changed from the upstream default speex-float-1 to speex-float-5. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this so you'll need to set hardware.pulseaudio.daemon.config.resample-method back to speex-float-1.
  • The phabricator package and associated httpd.extraSubservice, as well as the phd service have been removed from nixpkgs due to lack of maintainer.
  • The mercurial httpd.extraSubservice has been removed from nixpkgs due to lack of maintainer.
  • The trac httpd.extraSubservice has been removed from nixpkgs because it was unmaintained.
  • The foswiki package and associated httpd.extraSubservice have been removed from nixpkgs due to lack of maintainer.
  • The tomcat-connector httpd.extraSubservice has been removed from nixpkgs.
  • It's now possible to change configuration in services.nextcloud after the initial deploy since all config parameters are persisted in an additional config file generated by the module. Previously core configuration like database parameters were set using their imperative installer after creating /var/lib/nextcloud.
  • There is now lib.forEach, which is like map, but with its arguments flipped. When a mapping function body spans many lines (or has nested maps), it is often hard to follow which list is modified.
  • The previous solution to this problem was either to use the lib.flip map idiom or to extract the anonymous mapping function into a named one. Both can still be used, but lib.forEach is preferred over lib.flip map.
  • The /etc/sysctl.d/nixos.conf file containing all the options set via boot.kernel.sysctl was moved to /etc/sysctl.d/60-nixos.conf, as sysctl.d(5) recommends prefixing all filenames in /etc/sysctl.d with a two-digit number and a dash to simplify the ordering of the files.
  • We now install the sysctl snippets shipped with systemd.
  • This enables:
  • Loose reverse path filtering
  • Source route filtering
  • fq_codel as a packet scheduler (this helps to fight bufferbloat)
  • This also configures the kernel to pass core dumps to systemd-coredump, and restricts the SysRq key combinations to the sync command only. These sysctl snippets can be found in /etc/sysctl.d/50-*.conf, and overridden via boot.kernel.sysctl (which will place the parameters in /etc/sysctl.d/60-nixos.conf).
  • Core dumps are now processed by systemd-coredump by default. systemd-coredump behaviour can still be modified via systemd.coredump.extraConfig. To stick to the old behaviour (having the kernel dump to a file called core in the working directory), without piping it through systemd-coredump, set systemd.coredump.enable to false.
  • systemd.packages option now also supports generators and shutdown scripts. Old systemd.generator-packages option has been removed.
  • The rmilter package was removed, with its associated module and options, due to deprecation by the upstream developer. Use rspamd in proxy mode instead.
  • systemd cgroup accounting via the systemd.enableCgroupAccounting option is now enabled by default. It now also enables the more recent Block IO and IP accounting features.
  • We no longer enable custom font rendering settings with fonts.fontconfig.penultimate.enable by default. The defaults from fontconfig are sufficient.
  • The crashplan package and the crashplan service have been removed from nixpkgs due to crashplan shutting down the service, while the crashplansb package and crashplan-small-business service have been removed from nixpkgs due to lack of maintainer.
  • The redis module was hardcoded to use the redis user, /run/redis as runtime directory and /var/lib/redis as state directory. Note that the NixOS module for Redis now disables kernel support for Transparent Huge Pages (THP), because this feature causes major performance problems for Redis (see e.g. https://redis.io/topics/latency).
  • Using fonts.enableDefaultFonts adds a default emoji font noto-fonts-emoji.
  • Users of the following options will have this enabled by default:
  • services.xserver.enable
  • programs.sway.enable
  • programs.way-cooler.enable
  • services.xrdp.enable
  • The altcoins categorization of packages has been removed. You now access these packages at the top level, i.e. nix-shell -p dogecoin instead of nix-shell -p altcoins.dogecoin, etc.
  • Ceph has been upgraded to v14.2.1. See the release notes for details. The mgr dashboard as well as osds backed by loop-devices are no longer explicitly supported by the package and module. Note: There have been some issues with python-cherrypy, which is used by the dashboard and prometheus mgr modules (and possibly others), hence 0000-dont-check-cherrypy-version.patch.
  • pkgs.weechat is now compiled against pkgs.python3. Weechat also recommends using Python3 in their docs.
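
An added example (not part of the NixOS release notes or of the GitLab module): a Python check for the two services.gitlab constraints described above, namely that every directory from statePath up to / is owned by root or the service user, and that a *File secret lives outside the nix store and is not world-readable. The uid 998, the sample paths and the in-memory file table are constructed for illustration.

```python
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace

NIX_STORE = "/nix/store"  # world-readable by design


def ancestors(path):
    """Return the path itself and every parent directory up to '/'."""
    p = PurePosixPath(os.path.normpath(path))
    return [str(p)] + [str(parent) for parent in p.parents]


def check_state_path(state_path, service_uid, stat_fn=os.stat):
    """List (directory, owner_uid) pairs that break the statePath rule.

    Rule from the release notes: statePath and all of its parent
    directories must be owned by root or by the services.gitlab.user account.
    """
    if not os.path.isabs(state_path):
        raise ValueError("statePath must be an absolute path")
    allowed = {0, service_uid}
    violations = []
    for directory in ancestors(state_path):
        owner = stat_fn(directory).st_uid
        if owner not in allowed:
            violations.append((directory, owner))
    return violations


def check_secret_file(path, stat_fn=os.stat):
    """List the problems with the target of one *File option."""
    norm = os.path.normpath(path)
    # A Nix path literal (./db-password) is copied into the store when the
    # configuration is evaluated, which is why the option takes a string.
    if norm == NIX_STORE or norm.startswith(NIX_STORE + "/"):
        return ["stored in the world-readable nix store"]
    problems = []
    if stat_fn(norm).st_mode & stat.S_IROTH:
        problems.append("readable by other users")
    return problems


# Constructed sample: path -> (owner uid, st_mode). uid 998 stands in for
# the account named in services.gitlab.user; uid 1000 is an ordinary user.
SAMPLE_FS = {
    "/": (0, 0o40755),
    "/var": (0, 0o40755),
    "/var/lib": (0, 0o40755),
    "/var/lib/gitlab": (998, 0o40750),
    "/var/lib/gitlab/state": (998, 0o40750),
    "/srv": (0, 0o40755),
    "/srv/apps": (1000, 0o40755),
    "/srv/apps/gitlab": (998, 0o40750),
    "/run/keys/gitlab-db": (998, 0o100400),
    "/etc/gitlab-smtp": (0, 0o100644),
}


def fake_stat(table):
    """Build a stat() stand-in over the constructed table above."""
    def _stat(path):
        uid, mode = table[path]
        return SimpleNamespace(st_uid=uid, st_mode=mode)
    return _stat


if __name__ == "__main__":
    st = fake_stat(SAMPLE_FS)
    for state_path in ("/var/lib/gitlab/state", "/srv/apps/gitlab"):
        bad = check_state_path(state_path, 998, st)
        print(state_path, "->", bad or "ok")
    for secret in ("/run/keys/gitlab-db", "/etc/gitlab-smtp",
                   "/nix/store/placeholder-db-password"):
        print(secret, "->", check_secret_file(secret, st) or "ok")
```

On a real host, call both functions without stat_fn so they use os.stat, and pass the uid of the account configured in services.gitlab.user.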

New in NixOS 17.09 (Oct 25, 2017)

  • Highlights:
  • The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10, KDE Applications to 17.08.1 and KDE Frameworks to 5.37.
  • The user handling now keeps track of deallocated UIDs/GIDs. When a user or group is revived, this allows it to be allocated the UID/GID it had before. A consequence is that UIDs and GIDs are no longer reused.
  • The module option services.xserver.xrandrHeads now causes the first head specified in this list to be set as the primary head. Apart from that, it's now possible to also set additional options by using an attribute set, for example:
      {
        services.xserver.xrandrHeads = [
          "HDMI-0"
          {
            output = "DVI-0";
            primary = true;
            monitorConfig = ''
              Option "Rotate" "right"
            '';
          }
        ];
      }
  • This will set the DVI-0 output to be the primary head, even though HDMI-0 is the first head in the list.
  • The handling of SSL in the services.nginx module has been cleaned up, renaming the misnamed enableSSL to onlySSL which reflects its original intention. This is not to be used with the already existing forceSSL which creates a second non-SSL virtual host redirecting to the SSL virtual host. This by chance had worked earlier due to specific implementation details. In case you had specified both please remove the enableSSL option to keep the previous behaviour.
  • Another addSSL option has been introduced to configure both a non-SSL virtual host and an SSL virtual host with the same configuration.
  • Options to configure resolver options and upstream blocks have been introduced. See their information for further details.
  • The port option has been replaced by a more generic listen option which makes it possible to specify multiple addresses, ports and SSL configs dependent on the new SSL handling mentioned above.
  • New Services:
  • The following new services were added since the last release:
  • config/fonts/fontconfig-penultimate.nix
  • config/fonts/fontconfig-ultimate.nix
  • config/terminfo.nix
  • hardware/sensor/iio.nix
  • hardware/nitrokey.nix
  • hardware/raid/hpsa.nix
  • programs/browserpass.nix
  • programs/gnupg.nix
  • programs/qt5ct.nix
  • programs/slock.nix
  • programs/thefuck.nix
  • security/auditd.nix
  • security/lock-kernel-modules.nix
  • service-managers/docker.nix
  • service-managers/trivial.nix
  • services/admin/salt/master.nix
  • services/admin/salt/minion.nix
  • services/audio/slimserver.nix
  • services/cluster/kubernetes/default.nix
  • services/cluster/kubernetes/dns.nix
  • services/cluster/kubernetes/dashboard.nix
  • services/continuous-integration/hail.nix
  • services/databases/clickhouse.nix
  • services/databases/postage.nix
  • services/desktops/gnome3/gnome-disks.nix
  • services/desktops/gnome3/gpaste.nix
  • services/logging/SystemdJournal2Gelf.nix
  • services/logging/heartbeat.nix
  • services/logging/journalwatch.nix
  • services/logging/syslogd.nix
  • services/mail/mailhog.nix
  • services/mail/nullmailer.nix
  • services/misc/airsonic.nix
  • services/misc/autorandr.nix
  • services/misc/exhibitor.nix
  • services/misc/fstrim.nix
  • services/misc/gollum.nix
  • services/misc/irkerd.nix
  • services/misc/jackett.nix
  • services/misc/radarr.nix
  • services/misc/snapper.nix
  • services/monitoring/osquery.nix
  • services/monitoring/prometheus/collectd-exporter.nix
  • services/monitoring/prometheus/fritzbox-exporter.nix
  • services/network-filesystems/kbfs.nix
  • services/networking/dnscache.nix
  • services/networking/fireqos.nix
  • services/networking/iwd.nix
  • services/networking/keepalived/default.nix
  • services/networking/keybase.nix
  • services/networking/lldpd.nix
  • services/networking/matterbridge.nix
  • services/networking/squid.nix
  • services/networking/tinydns.nix
  • services/networking/xrdp.nix
  • services/security/shibboleth-sp.nix
  • services/security/sks.nix
  • services/security/sshguard.nix
  • services/security/torify.nix
  • services/security/usbguard.nix
  • services/security/vault.nix
  • services/system/earlyoom.nix
  • services/system/saslauthd.nix
  • services/web-apps/nexus.nix
  • services/web-apps/pgpkeyserver-lite.nix
  • services/web-apps/piwik.nix
  • services/web-servers/lighttpd/collectd.nix
  • services/web-servers/minio.nix
  • services/x11/display-managers/xpra.nix
  • services/x11/xautolock.nix
  • tasks/filesystems/bcachefs.nix
  • tasks/powertop.nix
  • Backward Incompatibilities:
  • When upgrading from a previous release, please be aware of the following incompatible changes:
  • In a QEMU-based virtualization environment, the network interface names changed, e.g. from enp0s3 to ens3.
  • This is due to a kernel configuration change. The new naming is consistent with those of other Linux distributions with systemd. See #29197 for more information.
  • A machine is affected if the virt-what tool either returns qemu or kvm and has interface names used in any part of its NixOS configuration, in particular if a static network configuration with networking.interfaces is used.
  • Before rebooting affected machines, please ensure:
  • Change the interface names in your NixOS configuration. The first interface will be called ens3, the second one ens8 and starting from there incremented by 1.
  • After changing the interface names, rebuild your system with nixos-rebuild boot to activate the new configuration after a reboot. If you switch to the new configuration right away you might lose network connectivity! If using nixops, deploy with nixops deploy --force-reboot.
  • The following changes apply if the stateVersion is changed to 17.09 or higher. For stateVersion = "17.03" or lower the old behavior is preserved.
  • The postgres default version was changed from 9.5 to 9.6.
  • The postgres superuser name has changed from root to postgres to more closely follow what other Linux distributions are doing.
  • The postgres default dataDir has changed from /var/db/postgres to /var/lib/postgresql/$psqlSchema where $psqlSchema is 9.6 for example.
  • The mysql default dataDir has changed from /var/mysql to /var/lib/mysql.
  • Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found here. It is also possible to use the newer version by setting the package to radicale2, which is done automatically when stateVersion is 17.09 or higher. The extraArgs option has been added to allow passing the data migration arguments specified in the instructions; see the radicale.nix NixOS test for an example migration.
  • The aiccu package was removed. This is due to SixXS sunsetting its IPv6 tunnel.
  • The fanctl package and fan module have been removed due to the developers not upstreaming their iproute2 patches and lagging with compatibility to recent iproute2 versions.
  • Top-level idea package collection was renamed. All JetBrains IDEs are now at jetbrains.
  • flexget's state database cannot be upgraded to its new internal format, requiring removal of any existing db-config.sqlite which will be automatically recreated.
  • The ipfs service now doesn't ignore the dataDir option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with:
      dataDir=< valueOfDataDir >
      mv /var/lib/ipfs/.ipfs/* $dataDir
      rmdir /var/lib/ipfs/.ipfs
  • The caddy service was previously using an extra .caddy directory in the data directory specified with the dataDir option. The contents of the .caddy directory are now expected to be in the dataDir.
  • The ssh-agent user service is not started by default anymore. Use programs.ssh.startAgent to enable it if needed. There is also a new programs.gnupg.agent module that creates a gpg-agent user service. It can also serve as a SSH agent if enableSSHSupport is set.
  • The services.tinc.networks.< name >.listenAddress option had a misleading name that did not correspond to its behavior. It now correctly defines the IP address to listen on for incoming connections. To keep the previous behaviour, use services.tinc.networks.< name >.bindToAddress instead. Refer to the description of the options for more details.
  • tlsdate package and module were removed. This is due to the project being dead and not building with openssl 1.1.
  • wvdial package and module were removed. This is due to the project being dead and not building with openssl 1.1.
  • cc-wrapper's setup-hook now exports a number of environment variables corresponding to binutils binaries (e.g. LD, STRIP, RANLIB, etc.). This is done to prevent packages' build systems from guessing, which is harder to predict, especially when cross-compiling. However, some packages have broken due to this: their build systems either do not support taking such environment variables as parameters, or claim to support it without adequate testing.
  • services.firefox.syncserver now runs by default as a non-root user. To accommodate this change, the default sqlite database location has also been changed. Migration should work automatically. Refer to the description of the options for more details.
  • The compiz window manager and package were removed. The system support had been broken for several years.
  • Touchpad support should now be enabled through libinput as synaptics is now deprecated. See the option services.xserver.libinput.enable.
  • grsecurity/PaX support has been dropped, following upstream's decision to cease free support. See upstream's announcement for more information. No complete replacement for grsecurity/PaX is available presently.
  • services.mysql now has declarative configuration of databases and users with the ensureDatabases and ensureUsers options.
  • These options will never delete existing databases and users, especially not when the value of the options is changed.
  • The MySQL users will be identified using Unix socket authentication. This authenticates only the Unix user with the same name, and does so without the need for a password.
  • If you have previously created a MySQL root user with a password, you will need to add a root user for Unix socket authentication before using the new options. This can be done by running the following SQL script:
  • CREATE USER 'root'@'%' IDENTIFIED BY '';
  • GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
  • FLUSH PRIVILEGES;
  • -- Optionally, delete the password-authenticated user:
  • -- DROP USER 'root'@'localhost';
  • The sha256 argument value of the dockerTools.pullImage expression must be updated, since the mechanism to download the image has been changed. Skopeo is now used to pull the image instead of the Docker daemon.
  • services.mysqlBackup now works by default without any user setup, including for users other than mysql.
  • By default, the mysql user is no longer the user which performs the backup. Instead a system account mysqlbackup is used.
  • The mysqlBackup service is also now using systemd timers instead of cron.
  • Therefore, the services.mysqlBackup.period option no longer exists, and has been replaced with services.mysqlBackup.calendar, which is in the format of systemd.time(7).
  • If you expect to be sent an e-mail when the backup fails, consider using a script which monitors the systemd journal for errors. Regretfully, at present there is no built-in functionality for this.
  • You can check that backups still work by running systemctl start mysql-backup then systemctl status mysql-backup.
  • Templated systemd services, e.g. container@name, are now handled correctly when switching to a new configuration, resulting in them being reloaded.
  • Steam: the newStdcpp parameter was removed and should not be needed anymore.
  • Redis has been updated to version 4, which mandates a cluster mass-restart due to changes in the network handling, in order to ensure compatibility with networks NATing traffic.
  • Other Notable Changes:
  • Modules can now be disabled by using disabledModules, allowing another to take its place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release.
  • Updated to FreeType 2.7.1, including a new TrueType engine. The new engine replaces the Infinality engine which was the default in NixOS. The default font rendering settings are now provided by fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults are less invasive and provide rendering that is more consistent with other systems and hopefully with each font designer's intent. Some system-wide configuration has been removed from the Fontconfig NixOS module where user Fontconfig settings are available.
  • ZFS/SPL have been updated to 0.7.0; zfsUnstable and splUnstable have therefore been removed.
  • The time.timeZone option now allows the value null in addition to timezone strings. This value allows changing the timezone of a system imperatively using timedatectl set-timezone. The default timezone is still UTC.
  • Nixpkgs overlays may now be specified with a file as well as a directory. The value of <nixpkgs-overlays> may be a file, and ~/.config/nixpkgs/overlays.nix can be used instead of the ~/.config/nixpkgs/overlays directory.
  • See the overlays chapter of the Nixpkgs manual for more details.
  • Definitions for /etc/hosts can now be specified declaratively with networking.hosts.
  • Two new options have been added to the installer loader, in addition to the default having changed. The kernel log verbosity has been lowered to the upstream default for the default options, in order to not spam the console when e.g. joining a network.
  • A new debug option has therefore been added that sets the log level back to the previous verbose mode, so that verbose output for debugging is still easily accessible.
  • Additionally a copytoram option has been added, which makes it possible to remove the install medium after booting. This allows tethering from your phone after booting from it.
  • services.gitlab-runner.configOptions has been added to specify the configuration of gitlab-runners declaratively.
  • services.jenkins.plugins has been added to install plugins easily; this can be generated with jenkinsPlugins2nix.
  • services.postfix.config has been added to specify the main.cf with NixOS options. Additionally, other options have been added to the postfix module, which has been improved further.
  • The GitLab package and module have been updated to the latest 10.0 release.
  • The systemd-boot boot loader now lists the NixOS version, kernel version and build date of all bootable generations.
  • The dnscrypt-proxy service now defaults to using a random upstream resolver, selected from the list of public non-logging resolvers with DNSSEC support. Existing configurations can be migrated to this mode of operation by omitting the services.dnscrypt-proxy.resolverName option or setting it to "random".
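
The services.mysql and services.mysqlBackup items in the list above, combined into one configuration. This is an added example, not part of the NixOS release notes; the database and user name wiki, the schedule, the notify-backup-failure unit and the sendmail path are assumptions. It reports a failed backup through systemd's OnFailure= hook instead of a script that watches the journal.

```nix
# Added example, not taken from the NixOS manual or release notes.
# Assumptions: database/user "wiki", the 02:30 schedule, the unit name
# notify-backup-failure, and a configured mail transfer agent that
# provides /run/wrappers/bin/sendmail.
{ config, pkgs, ... }:

{
  services.mysql = {
    enable = true;
    package = pkgs.mariadb;

    # Created if missing. Removing an entry later never drops the database.
    ensureDatabases = [ "wiki" ];

    # Unix socket authentication: only the local Unix user "wiki" can log in
    # as the MySQL user "wiki", and no password exists to leak or rotate.
    # A Unix account with the same name must exist on the host.
    ensureUsers = [
      {
        name = "wiki";
        # Least privilege: grant on one schema, not on "*.*".
        ensurePermissions = { "wiki.*" = "ALL PRIVILEGES"; };
      }
    ];
  };

  services.mysqlBackup = {
    enable = true;
    databases = [ "wiki" ];
    # systemd.time(7) calendar expression; replaces the removed `period`.
    calendar = "*-*-* 02:30:00";
    # Runs as the mysqlbackup system account by default, not as mysql.
  };

  # The backup unit is mysql-backup (the one started by
  # `systemctl start mysql-backup`). Start a notifier whenever it fails.
  systemd.services.mysql-backup.onFailure = [ "notify-backup-failure.service" ];

  systemd.services.notify-backup-failure = {
    description = "Report a failed mysql-backup run";
    serviceConfig.Type = "oneshot";
    script = ''
      {
        echo "Subject: mysql-backup failed on ${config.networking.hostName}"
        echo
        ${pkgs.systemd}/bin/journalctl -u mysql-backup.service -n 50 --no-pager
      } | /run/wrappers/bin/sendmail root
    '';
  };
}
```

After nixos-rebuild switch, systemctl list-timers shows when the backup will next run.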

New in NixOS 17.03 (Mar 31, 2017)

  • Nixpkgs is now extensible through overlays. See the Nixpkgs manual for more information.
  • This release is based on Glibc 2.25, GCC 5.4.0 and systemd 232. The default Linux kernel is 4.9 and Nix is at 1.11.8.
  • The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed.
  • The setuid wrapper functionality now supports setting capabilities.
  • X.org server uses branch 1.19. Due to ABI incompatibilities, ati_unfree keeps forcing 1.17 and amdgpu-pro starts forcing 1.18.
  • Cross compilation has been rewritten. See the nixpkgs manual for details. The most obvious breaking change is that in derivations there is no .nativeDrv nor .crossDrv are now cross by default, not native.
  • The overridePackages function has been rewritten to be replaced by overlays.
  • Packages in nixpkgs can be marked as insecure through listed vulnerabilities. See the Nixpkgs manual for more information.
  • PHP now defaults to PHP 7.1.
  • The user handling now keeps track of deallocated UIDs/GIDs. When a user or group is revived, this allows it to be allocated the UID/GID it had before. A consequence is that UIDs and GIDs are no longer reused.

New in NixOS 16.09 (Oct 3, 2016)

  • Many NixOS configurations and Nix packages now use significantly less disk space, thanks to the extensive work on closure size reduction. For example, the closure size of a minimal NixOS container went down from ~424 MiB in 16.03 to ~212 MiB in 16.09, while the closure size of Firefox went from ~651 MiB to ~259 MiB.
  • To improve security, packages are now built using various hardening features. See the Nixpkgs manual for more information.
  • Support for PXE netboot. See Section 2.3, “Booting from the “netboot” media (PXE)” for documentation.
  • X.org server 1.18. If you use the ati_unfree driver, 1.17 is still used due to an ABI incompatibility.
  • This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. The default Linux kernel remains 4.4.
  • The following new services were added since the last release:
  • hardware/video/amdgpu.nix
  • hardware/video/displaylink.nix
  • programs/info.nix
  • programs/mosh.nix
  • programs/spacefm.nix
  • programs/tmux.nix
  • programs/xonsh.nix
  • security/chromium-suid-sandbox.nix
  • security/hidepid.nix
  • services/audio/squeezelite.nix
  • services/backup/znapzend.nix
  • services/continuous-integration/buildkite-agent.nix
  • services/continuous-integration/hydra/default.nix
  • services/continuous-integration/gocd-agent/default.nix
  • services/continuous-integration/gocd-server/default.nix
  • services/development/hoogle.nix
  • services/editors/emacs.nix
  • services/games/factorio.nix
  • services/games/terraria.nix
  • services/logging/awstats.nix
  • services/logging/graylog.nix
  • services/misc/emby.nix
  • services/misc/mantisbt.nix
  • services/misc/nzbget.nix
  • services/misc/packagekit.nix
  • services/misc/sonarr.nix
  • services/misc/spice-vdagentd.nix
  • services/misc/taskserver
  • services/network-filesystems/tahoe.nix
  • services/networking/coturn.nix
  • services/networking/ferm.nix
  • services/networking/gdomap.nix
  • services/networking/libreswan.nix
  • services/networking/logmein-hamachi.nix
  • services/networking/mfi.nix
  • services/networking/mjpg-streamer.nix
  • services/networking/mosquitto.nix
  • services/networking/nntp-proxy.nix
  • services/networking/offlineimap.nix
  • services/networking/pptpd.nix
  • services/networking/sniproxy.nix
  • services/networking/smokeping.nix
  • services/networking/toxvpn.nix
  • services/networking/xl2tpd.nix
  • services/networking/zerobin.nix
  • services/security/oauth2_proxy.nix
  • services/torrent/flexget.nix
  • services/web-apps/mattermost.nix
  • services/web-apps/tt-rss.nix
  • services/web-servers/caddy.nix
  • services/web-servers/lighttpd/inginious.nix
  • services/x11/compton.nix
  • services/x11/xbanish.nix
  • system/boot/loader/systemd-boot/systemd-boot.nix
  • system/boot/plymouth.nix
  • virtualisation/xe-guest-utilities.nix
  • Other notable improvements:
  • Revamped grsecurity/PaX support. There is now only a single general-purpose distribution kernel and the configuration interface has been streamlined. Desktop users should be able to simply set security.grsecurity.enable = true to get a reasonably secure system without having to sacrifice too much functionality. See Chapter 17, Grsecurity/PaX for documentation.
  • Special filesystems, like /proc, /run and others, now have the same mount options as recommended by systemd and are unified across different places in NixOS. Mount options are updated during nixos-rebuild switch if possible. One benefit from this is improved security — most such filesystems are now mounted with noexec, nodev and/or nosuid options.
  • The reverse path filter was interfering with DHCPv4 server operation in the past. An exception for DHCPv4 and a new option to log packets that were dropped due to the reverse path filter (networking.firewall.logReversePathDrops) were added for easier debugging.
  • Containers configuration within containers.<name>.config is now properly typed and checked. In particular, partial configurations are merged correctly.
  • The directory containing setuid wrapper programs, /var/setuid-wrappers, is now updated atomically to prevent failures if the switch to a new configuration is interrupted.
  • services.xserver.startGnuPGAgent has been removed due to GnuPG 2.1.x bump. See how to achieve similar behavior. You might need to pkill gpg-agent after the upgrade to prevent a stale agent being in the way.
  • Declarative users could share the uid due to the bug in the script handling conflict resolution.
  • Gummi boot has been replaced using systemd-boot.
  • Hydra package and NixOS module were added for convenience.

New in NixOS 16.03 (Apr 2, 2016)

  • The release brings many improvements including Nix 1.12.2, systemd 229, Kernel 4.4 and many package updates.

New in NixOS 14.12 (Dec 31, 2014)

  • In addition to numerous new and upgraded packages, this release has the following highlights:
  • Systemd has been updated to version 217, which has numerous improvements.
  • Nix has been updated to 1.8.
  • NixOS is now based on Glibc 2.20.
  • KDE has been updated to 4.14.
  • The default Linux kernel has been updated to 3.14.
  • If users.mutableUsers is enabled (the default), changes made to the declaration of a user or group will be correctly realised when running nixos-rebuild. For instance, removing a user specification from configuration.nix will cause the actual user account to be deleted. If users.mutableUsers is disabled, it is no longer necessary to specify UIDs or GIDs; if omitted, they are allocated dynamically.
  • The following new services were added since the last release:
  • atftpd
  • bosun
  • bspwm
  • chronos
  • collectd
  • consul
  • cpuminer-cryptonight
  • crashplan
  • dnscrypt-proxy
  • docker-registry
  • docker
  • etcd
  • fail2ban
  • fcgiwrap
  • fleet
  • fluxbox
  • gdm
  • geoclue2
  • gitlab
  • gitolite
  • gnome3.gnome-documents
  • gnome3.gnome-online-miners
  • gnome3.gvfs
  • gnome3.seahorse
  • hbase
  • i2pd
  • influxdb
  • kubernetes
  • liquidsoap
  • lxc
  • mailpile
  • mesos
  • mlmmj
  • monetdb
  • mopidy
  • neo4j
  • nsd
  • openntpd
  • opentsdb
  • openvswitch
  • parallels-guest
  • peerflix
  • phd
  • polipo
  • prosody
  • radicale
  • redmine
  • riemann
  • scollector
  • seeks
  • siproxd
  • strongswan
  • tcsd
  • teamspeak3
  • thermald
  • torque/mrom
  • torque/server
  • uhub
  • unifi
  • znc
  • zookeeper
  • When upgrading from a previous release, please be aware of the following incompatible changes:
  • The default version of Apache httpd is now 2.4. If you use the extraConfig option to pass literal Apache configuration text, you may need to update it — see Apache’s documentation for details. If you wish to continue to use httpd 2.2, add the following line to your NixOS configuration: services.httpd.package = pkgs.apacheHttpd_2_2;
  • PHP 5.3 has been removed because it is no longer supported by the PHP project. A migration guide is available.
  • The host side of a container virtual Ethernet pair is now called ve-container-name rather than c-container-name.
  • GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.
  • VirtualBox has been upgraded to 4.3.20 release. Users may be required to run rm -rf /tmp/.vbox*. The line imports = [ ] is no longer necessary, use services.virtualboxHost.enable = true instead.
  • Also, hardening mode is now enabled by default, which means that unless you want to use USB support, you no longer need to be a member of the vboxusers group.
  • Chromium has been updated to 39.0.2171.65. enablePepperPDF is now enabled by default. chromium*Wrapper packages no longer exist, because upstream removed NSAPI support. chromium-stable has been renamed to chromium.
  • Python packaging documentation is now part of nixpkgs manual. To override the python packages available to a custom python you now use pkgs.pythonFull.buildEnv.override instead of pkgs.pythonFull.override.
  • boot.resumeDevice = "8:6" is no longer supported. Most users will want to leave it undefined, which takes the swap partitions automatically. There is an evaluation assertion to ensure that the string starts with a slash.
  • The system-wide default timezone for NixOS installations changed from CET to UTC. To choose a different timezone for your system, configure time.timeZone in configuration.nix. A fairly complete list of possible values for that setting is available at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.
  • GNU screen has been updated to 4.2.1, which breaks the ability to connect to sessions created by older versions of screen.
  • The Intel GPU driver was updated to the 3.x prerelease version (used by most distributions) and supports DRI3 now.

New in NixOS 14.04 (May 1, 2014)

  • Installation on UEFI systems is now supported. See Section 1.2.1, “UEFI Installation” for details.
  • Systemd has been updated to version 212, which has numerous improvements. NixOS now automatically starts systemd user instances when you log in. You can define global user units through the systemd.unit.* options.
  • NixOS is now based on Glibc 2.19 and GCC 4.8.
  • The default Linux kernel has been updated to 3.12.
  • KDE has been updated to 4.12.
  • Nix has been updated to 1.7.
  • NixOS now supports fully declarative management of users and groups. If you set users.mutableUsers to false, then the contents of /etc/passwd and /etc/group will be congruent to your NixOS configuration. For instance, if you remove a user from users.extraUsers and run nixos-rebuild, the user account will cease to exist. Also, imperative commands for managing users and groups, such as useradd, are no longer available. If users.mutableUsers is true (the default), then behaviour is unchanged from NixOS 13.10.
  • NixOS now has basic container support, meaning you can easily run a NixOS instance as a container in a NixOS host system. These containers are suitable for testing and experimentation but not production use, since they’re not fully isolated from the host. See Chapter 5, Containers for details.
  • Systemd units provided by packages can now be overridden from the NixOS configuration. For instance, if a package foo provides systemd units, you can say:
  • systemd.packages = [ pkgs.foo ];
  • to enable those units. You can then set or override unit options in the usual way, e.g.
  • systemd.services.foo.wantedBy = [ "multi-user.target" ];
  • systemd.services.foo.serviceConfig.MemoryLimit = "512M";
  • When upgrading from a previous release, please be aware of the following incompatible changes:
  • Nixpkgs no longer exposes unfree packages by default. If your NixOS configuration requires unfree packages from Nixpkgs, you need to enable support for them explicitly by setting:
  • nixpkgs.config.allowUnfree = true;
  • Otherwise, you get an error message such as:
  • error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:56’
  • has an unfree license, refusing to evaluate
  • The Adobe Flash player is no longer enabled by default in the Firefox and Chromium wrappers. To enable it, you must set:
  • nixpkgs.config.allowUnfree = true;
  • nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox
  • nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium
  • The firewall is now enabled by default. If you don’t want this, you need to disable it explicitly:
  • networking.firewall.enable = false;
  • The option boot.loader.grub.memtest86 has been renamed to boot.loader.grub.memtest86.enable.
  • The mysql55 service has been merged into the mysql service, which no longer sets a default for the option services.mysql.package.
  • Package variants are now differentiated by suffixing the name, rather than the version. For instance, sqlite-3.8.4.3-interactive is now called sqlite-interactive-3.8.4.3. This ensures that nix-env -i sqlite is unambiguous, and that nix-env -u won’t “upgrade” sqlite to sqlite-interactive or vice versa. Notably, this change affects the Firefox wrapper (which provides plugins), as it is now called firefox-wrapper. So when using nix-env, you should do nix-env -e firefox; nix-env -i firefox-wrapper if you want to keep using the wrapper. This change does not affect declarative package management, since attribute names like pkgs.firefoxWrapper were already unambiguous.
  • The symlink /etc/ca-bundle.crt is gone. Programs should instead use the environment variable OPENSSL_X509_CERT_FILE (which points to /etc/ssl/certs/ca-bundle.crt).