Support is planned until the end of October 2020, handing over to 20.09.

Core version changes:

gcc: 8.3.0 -> 9.2.0

glibc: 2.27 -> 2.30

linux: 4.19 -> 5.4

mesa: 19.1.5 -> 19.3.3

openssl: 1.0.2u -> 1.1.1d

Desktop version changes:

plasma5: 5.16.5 -> 5.17.5

kdeApplications: 19.08.2 -> 19.12.3

gnome3: 3.32 -> 3.34

pantheon: 5.0 -> 5.1.3

Linux kernel is updated to branch 5.4 by default (from 4.19).

Postgresql for NixOS service now defaults to v11.

The graphical installer image starts the graphical session automatically. Before you'd be greeted by a tty and asked to enter systemctl start display-manager. It is now possible to disable the display-manager from running by selecting the Disable display-manager quirk in the boot menu.

GNOME 3 has been upgraded to 3.34. Please take a look at their Release Notes for details.

If you enable the Pantheon Desktop Manager via services.xserver.desktopManager.pantheon.enable, we now default to also use Pantheon's newly designed greeter . Contrary to NixOS's usual update policy, Pantheon will receive updates during the cycle of NixOS 20.03 when backwards compatible.

By default zfs pools will now be trimmed on a weekly basis. Trimming is only done on supported devices (i.e. NVME or SSDs) and should improve throughput and lifetime of these devices. It is controlled by the services.zfs.trim.enable varname. The zfs scrub service (services.zfs.autoScrub.enable) and the zfs autosnapshot service (services.zfs.autoSnapshot.enable) are now only enabled if zfs is set in config.boot.initrd.supportedFilesystems or config.boot.supportedFilesystems. These lists will automatically contain zfs as soon as any zfs mountpoint is configured in fileSystems.

nixos-option has been rewritten in C++, speeding it up, improving correctness, and adding a -r option which prints all options and their values recursively.

services.xserver.desktopManager.default and services.xserver.windowManager.default options were replaced by a single services.xserver.displayManager.defaultSession option to improve support for upstream session files. If you used something like:

services.xserver.desktopManager.default = "xfce";
services.xserver.windowManager.default = "icewm";

you should change it to:

services.xserver.displayManager.defaultSession = "xfce+icewm";

The testing driver implementation in NixOS is now in Python make-test-python.nix. This was done by Jacek Galowicz (@tfc), and with the collaboration of Julian Stecklina (@blitz) and Jana Traue (@jtraue). All documentation has been updated to use this testing driver, and a vast majority of the 286 tests in NixOS were ported to python driver. In 20.09 the Perl driver implementation, make-test.nix, is slated for removal. This should give users of the NixOS integration framework a transitory period to rewrite their tests to use the Python implementation. Users of the Perl driver will see this warning everytime they use it:

$ warning: Perl VM tests are deprecated and will be removed for 20.09.
Please update your tests to use the python test driver.
See https://github.com/NixOS/nixpkgs/pull/71684 for details.

API compatibility is planned to be kept for at least the next release with the perl driver.

The kubernetes kube-proxy now supports a new hostname configuration services.kubernetes.proxy.hostname which has to be set if the hostname of the node should be non default.

UPower's configuration is now managed by NixOS and can be customized via services.upower.

To use Geary you should enable programs.geary.enable instead of just adding it to environment.systemPackages. It was created so Geary could function properly outside of GNOME.

./config/console.nix

./hardware/brillo.nix

./hardware/tuxedo-keyboard.nix

./programs/bandwhich.nix

./programs/bash-my-aws.nix

./programs/liboping.nix

./programs/traceroute.nix

./services/backup/sanoid.nix

./services/backup/syncoid.nix

./services/backup/zfs-replication.nix

./services/continuous-integration/buildkite-agents.nix

./services/databases/victoriametrics.nix

./services/desktops/gnome3/gnome-initial-setup.nix

./services/desktops/neard.nix

./services/games/openarena.nix

./services/hardware/fancontrol.nix

./services/mail/sympa.nix

./services/misc/freeswitch.nix

./services/misc/mame.nix

./services/monitoring/do-agent.nix

./services/monitoring/prometheus/xmpp-alerts.nix

./services/network-filesystems/orangefs/server.nix

./services/network-filesystems/orangefs/client.nix

./services/networking/3proxy.nix

./services/networking/corerad.nix

./services/networking/go-shadowsocks2.nix

./services/networking/ntp/openntpd.nix

./services/networking/shorewall.nix

./services/networking/shorewall6.nix

./services/networking/spacecookie.nix

./services/networking/trickster.nix

./services/networking/v2ray.nix

./services/networking/xandikos.nix

./services/networking/yggdrasil.nix

./services/web-apps/dokuwiki.nix

./services/web-apps/gotify-server.nix

./services/web-apps/grocy.nix

./services/web-apps/ihatemoney

./services/web-apps/moinmoin.nix

./services/web-apps/trac.nix

./services/web-apps/trilium.nix

./services/web-apps/shiori.nix

./services/web-servers/ttyd.nix

./services/x11/picom.nix

./services/x11/hardware/digimend.nix

./services/x11/imwheel.nix

./virtualisation/cri-o.nix

The dhcpcd package does not request IPv4 addresses for tap and bridge interfaces anymore by default. In order to still get an address on a bridge interface, one has to disable networking.useDHCP and explicitly enable networking.interfaces.<name>.useDHCP on every interface, that should get an address via DHCP. This way, dhcpcd is configured in an explicit way about which interface to run on.

GnuPG is now built without support for a graphical passphrase entry by default. Please enable the gpg-agent user service via the NixOS option programs.gnupg.agent.enable. Note that upstream recommends using gpg-agent and will spawn a gpg-agent on the first invocation of GnuPG anyway.

The dynamicHosts option has been removed from the NetworkManager module. Allowing (multiple) regular users to override host entries affecting the whole system opens up a huge attack vector. There seem to be very rare cases where this might be useful. Consider setting system-wide host entries using networking.hosts, provide them via the DNS server in your network, or use environment.etc to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir.

The 99-main.network file was removed. Matching all network interfaces caused many breakages, see #18962 and #71106.

We already don't support the global networking.useDHCP, networking.defaultGateway and networking.defaultGateway6 options if networking.useNetworkd is enabled, but direct users to configure the per-device networking.interfaces.<name>.… options.

The stdenv now runs all bash with set -u, to catch the use of undefined variables. Before, it itself used set -u but was careful to unset it so other packages' code ran as before. Now, all bash code is held to the same high standard, and the rather complex stateful manipulation of the options can be discarded.

The SLIM Display Manager has been removed, as it has been unmaintained since 2013. Consider migrating to a different display manager such as LightDM (current default in NixOS), SDDM, GDM, or using the startx module which uses Xinitrc.

The Way Cooler wayland compositor has been removed, as the project has been officially canceled. There are no more way-cooler attribute and programs.way-cooler options.

The BEAM package set has been deleted. You will only find there the different interpreters. You should now use the different build tools coming with the languages with sandbox mode disabled.

There is now only one Xfce package-set and module. This means that attributes xfce4-14 and xfceUnstable all now point to the latest Xfce 4.14 packages. And in the future NixOS releases will be the latest released version of Xfce available at the time of the release's development (if viable).

The phpfpm module now sets PrivateTmp=true in its systemd units for better process isolation. If you rely on /tmp being shared with other services, explicitly override this by setting serviceConfig.PrivateTmp to false for each phpfpm unit.

KDE’s old multimedia framework Phonon no longer supports Qt 4. For that reason, Plasma desktop also does not have enableQt4Support option any more.

The BeeGFS module has been removed.

The osquery module has been removed.

Going forward, ~/bin in the users home directory will no longer be in PATH by default. If you depend on this you should set the option environment.homeBinInPath to true. The aforementioned option was added this release.

The buildRustCrate infrastructure now produces lib outputs in addition to the out output. This has led to drastically reduced closure sizes for some rust crates since development dependencies are now in the lib output.

Pango was upgraded to 1.44, which no longer uses freetype for font loading. This means that type1 and bitmap fonts are no longer supported in applications relying on Pango for font rendering (notably, GTK application). See upstream issue for more information.

The roundcube module has been hardened.

The packages openobex and obexftp are no longer installed when enabling Bluetooth via hardware.bluetooth.enable.

The dump1090 derivation has been changed to use FlightAware's dump1090 as its upstream. However, this version does not have an internal webserver anymore. The assets in the share/dump1090 directory of the derivation can be used in conjunction with an external webserver to replace this functionality.

The fourStore and fourStoreEndpoint modules have been removed.

Polkit no longer has the user of uid 0 (root) as an admin identity. We now follow the upstream default of only having every member of the wheel group admin privileged. Before it was root and members of wheel. The positive outcome of this is pkexec GUI popups or terminal prompts will no longer require the user to choose between two essentially equivalent choices (whether to perform the action as themselves with wheel permissions, or as the root user).

NixOS containers no longer build NixOS manual by default. This saves evaluation time, especially if there are many declarative containers defined. Note that this is already done when <nixos/modules/profiles/minimal.nix> module is included in container config.

The kresd services deprecates the interfaces option in favor of the listenPlain option which requires full systemd.socket compatible declaration which always include a port.

Virtual console options have been reorganized and can be found under a single top-level attribute: console. The full set of changes is as follows:

The awstats module has been rewritten to serve stats via static html pages, updated on a timer, over nginx, instead of dynamic cgi pages over apache.

Minor changes will be required to migrate existing configurations. Details of the required changes can seen by looking through the awstats module.

The httpd module no longer provides options to support serving web content without defining a virtual host. As a result of this the services.httpd.logPerVirtualHost option now defaults to true instead of false. Please update your configuration to make use of services.httpd.virtualHosts.

The services.httpd.virtualHosts.<name> option has changed type from a list of submodules to an attribute set of submodules, better matching services.nginx.virtualHosts.<name>.

This change comes with the addition of the following options which mimic the functionality of their nginx counterparts: services.httpd.virtualHosts.<name>.addSSL, services.httpd.virtualHosts.<name>.forceSSL, services.httpd.virtualHosts.<name>.onlySSL, services.httpd.virtualHosts.<name>.enableACME, services.httpd.virtualHosts.<name>.acmeRoot, and services.httpd.virtualHosts.<name>.useACMEHost.

For NixOS configuration options, the loaOf type has been deprecated and will be removed in a future release. In nixpkgs, options of this type will be changed to attrsOf instead. If you were using one of these in your configuration, you will see a warning suggesting what changes will be required.

For example, users.users is a loaOf option that is commonly used as follows:

users.users =
  [ { name = "me";
      description = "My personal user.";
      isNormalUser = true;
    }
  ];
     

This should be rewritten by removing the list and using the value of name as the name of the attribute set:

users.users.me =
  { description = "My personal user.";
    isNormalUser = true;
  };
     

For more information on this change have look at these links: issue #1800, PR #63103.

For NixOS modules, the types types.submodule and types.submoduleWith now support paths as allowed values, similar to how imports supports paths. Because of this, if you have a module that defines an option of type either (submodule ...) path, it will break since a path is now treated as the first type instead of the second. To fix this, change the type to either path (submodule ...).

The Buildkite Agent module and corresponding packages have been updated to 3.x, and to support multiple instances of the agent running at the same time. This means you will have to rename services.buildkite-agent to services.buildkite-agents.<name>. Furthermore, the following options have been changed:

The citrix_workspace_19_3_0 package has been removed as it will be EOLed within the lifespan of 20.03. For further information, please refer to the support and maintenance information from upstream.

The gcc5 and gfortran5 packages have been removed.

The services.xserver.displayManager.auto module has been removed. It was only intended for use in internal NixOS tests, and gave the false impression of it being a special display manager when it's actually LightDM. Please use the services.xserver.displayManager.lightdm.autoLogin options instead, or any other display manager in NixOS as they all support auto-login. If you used this module specifically because it permitted root auto-login you can override the lightdm-autologin pam module like:

security.pam.services.lightdm-autologin.text = lib.mkForce ''
    auth     requisite pam_nologin.so
    auth     required  pam_succeed_if.so quiet
    auth     required  pam_permit.so

    account  include   lightdm

    password include   lightdm

    session  include   lightdm
'';

The difference is the:

auth required pam_succeed_if.so quiet

line, where default it's:

auth required pam_succeed_if.so uid >= 1000 quiet

not permitting users with uid's below 1000 (like root). All other display managers in NixOS are configured like this.

There have been lots of improvements to the Mailman module. As a result,

The LLVM versions 3.5, 3.9 and 4 (including the corresponding CLang versions) have been dropped.

The networking.interfaces.*.preferTempAddress option has been replaced by networking.interfaces.*.tempAddress. The new option allows better control of the IPv6 temporary addresses, including completely disabling them for interfaces where they are not needed.

Rspamd was updated to version 2.2. Read the upstream migration notes carefully. Please be especially aware that some modules were removed and the default Bayes backend is now Redis.

The *psu versions of oraclejdk8 have been removed as they aren't provided by upstream anymore.

The services.dnscrypt-proxy module has been removed as it used the deprecated version of dnscrypt-proxy. We've added services.dnscrypt-proxy2.enable to use the supported version. This module supports configuration via the Nix attribute set services.dnscrypt-proxy2.settings, or by passing a TOML configuration file via services.dnscrypt-proxy2.configFile.

# Example configuration:
services.dnscrypt-proxy2.enable = true;
services.dnscrypt-proxy2.settings = {
  listen_addresses = [ "127.0.0.1:43" ];
  sources.public-resolvers = {
    urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ];
    cache_file = "public-resolvers.md";
    minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
    refresh_delay = 72;
  };
};

services.dnsmasq.enable = true;
services.dnsmasq.servers = [ "127.0.0.1#43" ];

qesteidutil has been deprecated in favor of qdigidoc.

sqldeveloper_18 has been removed as it's not maintained anymore, sqldeveloper has been updated to version 19.4. Please note that this means that this means that the oraclejdk is now required. For further information please read the release notes.

Haskell env and shellFor dev shell environments now organized dependencies the same way as regular builds. In particular, rather than receiving all the different lists of dependencies master together as one big lists, and then partitioning into Haskell and non-Hakell dependencies, they work from the original many different dependency parameters and don't need to algorithmically partition anything.

This means that if you incorrectly categorize a dependency, e.g. non-Haskell library dependency as a buildDepends or run-time Haskell dependency as a setupDepends, whereas things would have worked before they may not work now.

The gcc-snapshot-package has been removed. It's marked as broken for >2 years and used to point to a fairly old snapshot from the gcc7-branch.

The nixos-build-vms(8)-script now uses the python test-driver.

The riot-web package now accepts configuration overrides as an attribute set instead of a string. A formerly used JSON configuration can be converted to an attribute set with builtins.fromJSON.

The new default configuration also disables automatic guest account registration and analytics to improve privacy. The previous behavior can be restored by setting config.riot-web.conf = { disable_guests = false; piwik = true; }.

Stand-alone usage of Upower now requires services.upower.enable instead of just installing into environment.systemPackages.

nextcloud has been updated to v18.0.2. This means that users from NixOS 19.09 can't upgrade directly since you can only move one version forward and 19.09 uses v16.0.8.

To provide a safe upgrade-path and to circumvent similar issues in the future, the following measures were taken:

Hydra has gained a massive performance improvement due to some database schema changes by adding several IDs and better indexing. However, it's necessary to upgrade Hydra in multiple steps:

The TokuDB storage engine will be disabled in mariadb 10.5. It is recommended to switch to RocksDB. See also TokuDB.

Graylog introduced a change in the LDAP server certificate validation behaviour for version 3.3.3 which might break existing setups. When updating Graylog from a version before 3.3.3 make sure to check the Graylog release info for information on how to avoid the issue.

SD images are now compressed by default using bzip2.

The nginx web server previously started its master process as root privileged, then ran worker processes as a less privileged identity user (the nginx user). This was changed to start all of nginx as a less privileged user (defined by services.nginx.user and services.nginx.group). As a consequence, all files that are needed for nginx to run (included configuration fragments, SSL certificates and keys, etc.) must now be readable by this less privileged user/group.

To continue to use the old approach, you can configure:

services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};'';
systemd.services.nginx.serviceConfig.User = lib.mkForce "root";
      

OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features but with potential incompatibilities. Consult the release announcement for more information.

PRETTY_NAME in /etc/os-release now uses the short rather than full version string.

The ACME module has switched from simp-le to lego which allows us to support DNS-01 challenges and wildcard certificates. The following options have been added: security.acme.acceptTerms, security.acme.certs.<name>.dnsProvider, security.acme.certs.<name>.credentialsFile, security.acme.certs.<name>.dnsPropagationCheck. As well as this, the options security.acme.acceptTerms and either security.acme.email or security.acme.certs.<name>.email must be set in order to use the ACME module. Certificates will be regenerated on activation, no account or certificate will be migrated from simp-le. In particular private keys will not be preserved. However, the credentials for simp-le are preserved and thus it is possible to roll back to previous versions without breaking certificate generation. Note also that in contrary to simp-le a new private key is recreated at each renewal by default, which can have consequences if you embed your public key in apps.

It is now possible to unlock LUKS-Encrypted file systems using a FIDO2 token via boot.initrd.luks.fido2Support.

Predictably named network interfaces get renamed in stage-1. This means that it is possible to use the proper interface name for e.g. Dropbear setups.

For further reference, please read #68953 or the corresponding discourse thread.

The matrix-synapse-package has been updated to v1.11.1. Due to stricter requirements for database configuration when using postgresql, the automated database setup of the module has been removed to avoid any further edge-cases.

matrix-synapse expects postgresql-databases to have the options LC_COLLATE and LC_CTYPE set to 'C' which basically instructs postgresql to ignore any locale-based preferences.

Depending on your setup, you need to incorporate one of the following changes in your setup to upgrade to 20.03:

The systemd.network.links option is now respected even when systemd-networkd is disabled. This mirrors the behaviour of systemd - It's udev that parses .link files, not systemd-networkd.

mongodb has been updated to version 3.4.24.

End of support is planned for end of April 2020, handing over to 20.03.

Nix has been updated to 2.3; see its release notes.

Core version changes:

systemd: 239 -> 243

gcc: 7 -> 8

glibc: 2.27 (unchanged)

linux: 4.19 LTS (unchanged)

openssl: 1.0 -> 1.1

Desktop version changes:

plasma5: 5.14 -> 5.16

gnome3: 3.30 -> 3.32

PHP now defaults to PHP 7.3, updated from 7.2.

PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release.

The binfmt module is now easier to use. Additional systems can be added through boot.binfmt.emulatedSystems. For instance, boot.binfmt.emulatedSystems = [ "wasm32-wasi" "x86_64-windows" "aarch64-linux" ]; will set up binfmt interpreters for each of those listed systems.

The installer now uses a less privileged nixos user whereas before we logged in as root. To gain root privileges use sudo -i without a password.

We've updated to Xfce 4.14, which brings a new module services.xserver.desktopManager.xfce4-14. If you'd like to upgrade, please switch from the services.xserver.desktopManager.xfce module as it will be deprecated in a future release. They're incompatibilities with the current Xfce module; it doesn't support thunarPlugins and it isn't recommended to use services.xserver.desktopManager.xfce and services.xserver.desktopManager.xfce4-14 simultaneously or to downgrade from Xfce 4.14 after upgrading.

The GNOME 3 desktop manager module sports an interface to enable/disable core services, applications, and optional GNOME packages like games.

With these options we hope to give users finer grained control over their systems. Prior to this change you'd either have to manually disable options or use environment.gnome3.excludePackages which only excluded the optional applications. environment.gnome3.excludePackages is now unguarded, it can exclude any package installed with environment.systemPackages in the GNOME 3 module.

Orthogonal to the previous changes to the GNOME 3 desktop manager module, we've updated all default services and applications to match as close as possible to a default reference GNOME 3 experience.

The following changes were enacted in services.gnome3.core-utilities.enable

The following changes were enacted in services.gnome3.core-shell.enable

./programs/dwm-status.nix

The new hardware.printers module allows to declaratively configure CUPS printers via the ensurePrinters and ensureDefaultPrinter options. ensurePrinters will never delete existing printers, but will make sure that the given printers are configured as declared.

There is a new services.system-config-printer.enable and programs.system-config-printer.enable module for the program of the same name. If you previously had system-config-printer enabled through some other means you should migrate to using one of these modules.

services.blueman.enable has been added. If you previously had blueman installed via environment.systemPackages please migrate to using the NixOS module, as this would result in an insufficiently configured blueman.

Buildbot no longer supports Python 2, as support was dropped upstream in version 2.0.0. Configurations may need to be modified to make them compatible with Python 3.

PostgreSQL now uses /run/postgresql as its socket directory instead of /tmp. So if you run an application like eg. Nextcloud, where you need to use the Unix socket path as the database host name, you need to change it accordingly.

PostgreSQL 9.4 is scheduled EOL during the 19.09 life cycle and has been removed.

The options services.prometheus.alertmanager.user and services.prometheus.alertmanager.group have been removed because the alertmanager service is now using systemd's DynamicUser mechanism which obviates these options.

The NetworkManager systemd unit was renamed back from network-manager.service to NetworkManager.service for better compatibility with other applications expecting this name. The same applies to ModemManager where modem-manager.service is now called ModemManager.service again.

The services.nzbget.configFile and services.nzbget.openFirewall options were removed as they are managed internally by the nzbget. The services.nzbget.dataDir option hadn't actually been used by the module for some time and so was removed as cleanup.

The services.mysql.pidDir option was removed, as it was only used by the wordpress apache-httpd service to wait for mysql to have started up. This can be accomplished by either describing a dependency on mysql.service (preferred) or waiting for the (hardcoded) /run/mysqld/mysql.sock file to appear.

The services.emby.enable module has been removed, see services.jellyfin.enable instead for a free software fork of Emby. See the Jellyfin documentation: Migrating from Emby to Jellyfin

IPv6 Privacy Extensions are now enabled by default for undeclared interfaces. The previous behaviour was quite misleading — even though the default value for networking.interfaces.*.preferTempAddress was true, undeclared interfaces would not prefer temporary addresses. Now, interfaces not mentioned in the config will prefer temporary addresses. EUI64 addresses can still be set as preferred by explicitly setting the option to false for the interface in question.

Since Bittorrent Sync was superseded by Resilio Sync in 2016, the bittorrentSync, bittorrentSync14, and bittorrentSync16 packages have been removed in favor of resilio-sync.

The corresponding module, services.btsync has been replaced by the services.resilio module.

The httpd service no longer attempts to start the postgresql service. If you have come to depend on this behaviour then you can preserve the behavior with the following configuration: systemd.services.httpd.after = [ "postgresql.service" ];

The option services.httpd.extraSubservices has been marked as deprecated. You may still use this feature, but it will be removed in a future release of NixOS. You are encouraged to convert any httpd subservices you may have written to a full NixOS module.

Most of the httpd subservices packaged with NixOS have been replaced with full NixOS modules including LimeSurvey, WordPress, and Zabbix. These modules can be enabled using the services.limesurvey.enable, services.mediawiki.enable, services.wordpress.enable, and services.zabbixWeb.enable options.

The option systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnlink was renamed to systemd.network.networks.<name>.routes.*.routeConfig.GatewayOnLink (capital L). This follows upstreams renaming of the setting.

As of this release the NixOps feature autoLuks is deprecated. It no longer works with our systemd version without manual intervention.

Whenever the usage of the module is detected the evaluation will fail with a message explaining why and how to deal with the situation.

A new knob named nixops.enableDeprecatedAutoLuks has been introduced to disable the eval failure and to acknowledge the notice was received and read. If you plan on using the feature please note that it might break with subsequent updates.

Make sure you set the _netdev option for each of the file systems referring to block devices provided by the autoLuks module. Not doing this might render the system in a state where it doesn't boot anymore.

If you are actively using the autoLuks module please let us know in issue #62211.

The setopt declarations will be evaluated at the end of /etc/zshrc, so any code in programs.zsh.interactiveShellInit, programs.zsh.loginShellInit and programs.zsh.promptInit may break if it relies on those options being set.

The prometheus-nginx-exporter package now uses the offical exporter provided by NGINX Inc. Its metrics are differently structured and are incompatible to the old ones. For information about the metrics, have a look at the official repo.

The shibboleth-sp package has been updated to version 3. It is largely backward compatible, for further information refer to the release notes and upgrade guide.

Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.

By default, prometheus exporters are now run with DynamicUser enabled. Exporters that need a real user, now run under a seperate user and group which follow the pattern <exporter-name>-exporter, instead of the previous default nobody and nogroup. Only some exporters are affected by the latter, namely the exporters dovecot, node, postfix and varnish.

The ibus-qt package is not installed by default anymore when i18n.inputMethod.enabled is set to ibus. If IBus support in Qt 4.x applications is required, add the ibus-qt package to your environment.systemPackages manually.

The CUPS Printing service now uses socket-based activation by default, only starting when needed. The previous behavior can be restored by setting services.cups.startWhenNeeded to false.

The services.systemhealth module has been removed from nixpkgs due to lack of maintainer.

The services.mantisbt module has been removed from nixpkgs due to lack of maintainer.

Squid 3 has been removed and the squid derivation now refers to Squid 4.

The services.pdns-recursor.extraConfig option has been replaced by services.pdns-recursor.settings. The new option allows setting extra configuration while being better type-checked and mergeable.

No service depends on keys.target anymore which is a systemd target that indicates if all NixOps keys were successfully uploaded. Instead, <key-name>-key.service should be used to define a dependency of a key in a service. The full issue behind the keys.target dependency is described at NixOS/nixpkgs#67265.

The following services are affected by this:

The security.acme.directory option has been replaced by a read-only security.acme.certs.<cert>.directory option for each certificate you define. This will be a subdirectory of /var/lib/acme. You can use this read-only option to figure out where the certificates are stored for a specific certificate. For example, the services.nginx.virtualhosts.<name>.enableACME option will use this directory option to find the certs for the virtual host.

security.acme.preDelay and security.acme.activationDelay options have been removed. To execute a service before certificates are provisioned or renewed add a RequiredBy=acme-${cert}.service to any service.

Furthermore, the acme module will not automatically add a dependency on lighttpd.service anymore. If you are using certficates provided by letsencrypt for lighttpd, then you should depend on the certificate service acme-${cert}.service> manually.

For nginx, the dependencies are still automatically managed when services.nginx.virtualhosts.<name>.enableACME is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs, instead of depending on the catch-all acme-certificates.target. This target unit was also removed from the codebase. This will mean nginx will no longer depend on certificates it isn't explicitly managing and fixes a bug with certificate renewal ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at NixOS/nixpkgs#60180.

The old deprecated emacs package sets have been dropped. What used to be called emacsPackagesNg is now simply called emacsPackages.

services.xserver.desktopManager.xterm is now disabled by default if stateVersion is 19.09 or higher. Previously the xterm desktopManager was enabled when xserver was enabled, but it isn't useful for all people so it didn't make sense to have any desktopManager enabled default.

The WeeChat plugin pkgs.weechatScripts.weechat-xmpp has been removed as it doesn't receive any updates from upstream and depends on outdated Python2-based modules.

Old unsupported versions (logstash5, kibana5, filebeat5, heartbeat5, metricbeat5, packetbeat5) of the ELK-stack and Elastic beats have been removed.

For NixOS 19.03, both Prometheus 1 and 2 were available to allow for a seamless transition from version 1 to 2 with existing setups. Because Prometheus 1 is no longer developed, it was removed. Prometheus 2 is now configured with services.prometheus.

Citrix Receiver (citrix_receiver) has been dropped in favor of Citrix Workspace (citrix_workspace).

The services.gitlab module has had its literal secret options (services.gitlab.smtp.password, services.gitlab.databasePassword, services.gitlab.initialRootPassword, services.gitlab.secrets.secret, services.gitlab.secrets.db, services.gitlab.secrets.otp and services.gitlab.secrets.jws) replaced by file-based versions (services.gitlab.smtp.passwordFile, services.gitlab.databasePasswordFile, services.gitlab.initialRootPasswordFile, services.gitlab.secrets.secretFile, services.gitlab.secrets.dbFile, services.gitlab.secrets.otpFile and services.gitlab.secrets.jwsFile). This was done so that secrets aren't stored in the world-readable nix store, but means that for each option you'll have to create a file with the same exact string, add "File" to the end of the option name, and change the definition to a string pointing to the corresponding file; e.g. services.gitlab.databasePassword = "supersecurepassword" becomes services.gitlab.databasePasswordFile = "/path/to/secret_file" where the file secret_file contains the string supersecurepassword.

The state path (services.gitlab.statePath) now has the following restriction: no parent directory can be owned by any other user than root or the user specified in services.gitlab.user; i.e. if services.gitlab.statePath is set to /var/lib/gitlab/state, gitlab and all parent directories must be owned by either root or the user specified in services.gitlab.user.

The networking.useDHCP option is unsupported in combination with networking.useNetworkd in anticipation of defaulting to it. It has to be set to false and enabled per interface with networking.interfaces.<name>.useDHCP = true;

The Twitter client corebird has been dropped as it is discontinued and does not work against the new Twitter API. Please use the fork cawbird instead which has been adapted to the API changes and is still maintained.

The nodejs-11_x package has been removed as it's EOLed by upstream.

Because of the systemd upgrade, systemd-timesyncd will no longer work if system.stateVersion is not set correctly. When upgrading from NixOS 19.03, please make sure that system.stateVersion is set to "19.03", or lower if the installation dates back to an earlier version of NixOS.

Due to the short lifetime of non-LTS kernel releases package attributes like linux_5_1, linux_5_2 and linux_5_3 have been removed to discourage dependence on specific non-LTS kernel versions in stable NixOS releases. Going forward, versioned attributes like linux_4_9 will exist for LTS versions only. Please use linux_latest or linux_testing if you depend on non-LTS releases. Keep in mind that linux_latest and linux_testing will change versions under the hood during the lifetime of a stable release and might include breaking changes.

Because of the systemd upgrade, some network interfaces might change their name. For details see upstream docs or our ticket.

The documentation module gained an option named documentation.nixos.includeAllModules which makes the generated configuration.nix(5) manual page include all options from all NixOS modules included in a given configuration.nix configuration file. Currently, it is set to false by default as enabling it frequently prevents evaluation. But the plan is to eventually have it set to true by default. Please set it to true now in your configuration.nix and fix all the bugs it uncovers.

The vlc package gained support for Chromecast streaming, enabled by default. TCP port 8010 must be open for it to work, so something like networking.firewall.allowedTCPPorts = [ 8010 ]; may be required in your configuration. Also consider enabling Accelerated Video Playback for better transcoding performance.

The following changes apply if the stateVersion is changed to 19.09 or higher. For stateVersion = "19.03" or lower the old behavior is preserved.

The hunspellDicts.fr-any dictionary now ships with fr_FR.{aff,dic} which is linked to fr-toutesvariantes.{aff,dic}.

The mysql service now runs as mysql user. Previously, systemd did execute it as root, and mysql dropped privileges itself. This includes ExecStartPre= and ExecStartPost= phases. To accomplish that, runtime and data directory setup was delegated to RuntimeDirectory and tmpfiles.

With the upgrade to systemd version 242 the systemd-timesyncd service is no longer using DynamicUser=yes. In order for the upgrade to work we rely on an activation script to move the state from the old to the new directory. The older directory (prior 19.09) was /var/lib/private/systemd/timesync.

As long as the system.config.stateVersion is below 19.09 the state folder will migrated to its proper location (/var/lib/systemd/timesync), if required.

The package avahi is now built to look up service definitions from /etc/avahi/services instead of its output directory in the nix store. Accordingly the module avahi now supports custom service definitions via services.avahi.extraServiceFiles, which are then placed in the aforementioned directory. See avahi.service(5) for more information on custom service definitions.

Since version 0.1.19, cargo-vendor honors package includes that are specified in the Cargo.toml file of Rust crates. rustPlatform.buildRustPackage uses cargo-vendor to collect and build dependent crates. Since this change in cargo-vendor changes the set of vendored files for most Rust packages, the hash that use used to verify the dependencies, cargoSha256, also changes.

The cargoSha256 hashes of all in-tree derivations that use buildRustPackage have been updated to reflect this change. However, third-party derivations that use buildRustPackage may have to be updated as well.

The consul package was upgraded past version 1.5, so its deprecated legacy UI is no longer available.

The default resample-method for PulseAudio has been changed from the upstream default speex-float-1 to speex-float-5. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this so you'll need to set hardware.pulseaudio.daemon.config.resample-method back to speex-float-1.

The phabricator package and associated httpd.extraSubservice, as well as the phd service have been removed from nixpkgs due to lack of maintainer.

The mercurial httpd.extraSubservice has been removed from nixpkgs due to lack of maintainer.

The trac httpd.extraSubservice has been removed from nixpkgs because it was unmaintained.

The foswiki package and associated httpd.extraSubservice have been removed from nixpkgs due to lack of maintainer.

The tomcat-connector httpd.extraSubservice has been removed from nixpkgs.

It's now possible to change configuration in services.nextcloud after the initial deploy since all config parameters are persisted in an additional config file generated by the module. Previously core configuration like database parameters were set using their imperative installer after creating /var/lib/nextcloud.

There exists now lib.forEach, which is like map, but with arguments flipped. When mapping function body spans many lines (or has nested maps), it is often hard to follow which list is modified.

Previous solution to this problem was either to use lib.flip map idiom or extract that anonymous mapping function to a named one. Both can still be used but lib.forEach is preferred over lib.flip map.

The /etc/sysctl.d/nixos.conf file containing all the options set via boot.kernel.sysctl was moved to /etc/sysctl.d/60-nixos.conf, as sysctl.d(5) recommends prefixing all filenames in /etc/sysctl.d with a two-digit number and a dash to simplify the ordering of the files.

We now install the sysctl snippets shipped with systemd.

This also configures the kernel to pass core dumps to systemd-coredump, and restricts the SysRq key combinations to the sync command only. These sysctl snippets can be found in /etc/sysctl.d/50-*.conf, and overridden via boot.kernel.sysctl (which will place the parameters in /etc/sysctl.d/60-nixos.conf).

Core dumps are now processed by systemd-coredump by default. systemd-coredump behaviour can still be modified via systemd.coredump.extraConfig. To stick to the old behaviour (having the kernel dump to a file called core in the working directory), without piping it through systemd-coredump, set systemd.coredump.enable to false.

systemd.packages option now also supports generators and shutdown scripts. Old systemd.generator-packages option has been removed.

The rmilter package was removed with associated module and options due deprecation by upstream developer. Use rspamd in proxy mode instead.

systemd cgroup accounting via the systemd.enableCgroupAccounting option is now enabled by default. It now also enables the more recent Block IO and IP accounting features.

We no longer enable custom font rendering settings with fonts.fontconfig.penultimate.enable by default. The defaults from fontconfig are sufficient.

The crashplan package and the crashplan service have been removed from nixpkgs due to crashplan shutting down the service, while the crashplansb package and crashplan-small-business service have been removed from nixpkgs due to lack of maintainer.

The redis module was hardcoded to use the redis user, /run/redis as runtime directory and /var/lib/redis as state directory. Note that the NixOS module for Redis now disables kernel support for Transparent Huge Pages (THP), because this features causes major performance problems for Redis, e.g. (https://redis.io/topics/latency).

Using fonts.enableDefaultFonts adds a default emoji font noto-fonts-emoji.

The altcoins categorization of packages has been removed. You now access these packages at the top level, ie. nix-shell -p dogecoin instead of nix-shell -p altcoins.dogecoin, etc.

Ceph has been upgraded to v14.2.1. See the release notes for details. The mgr dashboard as well as osds backed by loop-devices is no longer explicitly supported by the package and module. Note: There's been some issues with python-cherrypy, which is used by the dashboard and prometheus mgr modules (and possibly others), hence 0000-dont-check-cherrypy-version.patch.

pkgs.weechat is now compiled against pkgs.python3. Weechat also recommends to use Python3 in their docs.

End of support is planned for end of October 2019, handing over to 19.09.

The default Python 3 interpreter is now CPython 3.7 instead of CPython 3.6.

Added the Pantheon desktop environment. It can be enabled through services.xserver.desktopManager.pantheon.enable.

Also note that Pantheon's LightDM greeter is not enabled by default, because it has numerous issues in NixOS and isn't optimal for use here yet.

A major refactoring of the Kubernetes module has been completed. Refactorings primarily focus on decoupling components and enhancing security. Two-way TLS and RBAC has been enabled by default for all components, which slightly changes the way the module is configured. See: Chapter 34, Kubernetes for details.

There is now a set of confinement options for systemd.services, which allows to restrict services into a chroot(2)ed environment that only contains the store paths from the runtime closure of the service.

./programs/nm-applet.nix

There is a new security.googleOsLogin module for using OS Login to manage SSH access to Google Compute Engine instances, which supersedes the imperative and broken google-accounts-daemon used in nixos/modules/virtualisation/google-compute-config.nix.

./services/misc/beanstalkd.nix

There is a new services.cockroachdb module for running CockroachDB databases. NixOS now ships with CockroachDB 2.1.x as well, available on x86_64-linux and aarch64-linux.

./security/duosec.nix

The PAM module for Duo Security has been enabled for use. One can configure it using the security.duosec options along with the corresponding PAM option in security.pam.services.<name?>.duoSecurity.enable.

The minimum version of Nix required to evaluate Nixpkgs is now 2.0.

The buildPythonPackage function now sets strictDeps = true to help distinguish between native and non-native dependencies in order to improve cross-compilation compatibility. Note however that this may break user expressions.

The buildPythonPackage function now sets LANG = C.UTF-8 to enable Unicode support. The glibcLocales package is no longer needed as a build input.

The Syncthing state and configuration data has been moved from services.syncthing.dataDir to the newly defined services.syncthing.configDir, which default to /var/lib/syncthing/.config/syncthing. This change makes possible to share synced directories using ACLs without Syncthing resetting the permission on every start.

The ntp module now has sane default restrictions. If you're relying on the previous defaults, which permitted all queries and commands from all firewall-permitted sources, you can set services.ntp.restrictDefault and services.ntp.restrictSource to [].

Package rabbitmq_server is renamed to rabbitmq-server.

The light module no longer uses setuid binaries, but udev rules. As a consequence users of that module have to belong to the video group in order to use the executable (i.e. users.users.yourusername.extraGroups = ["video"];).

Buildbot now supports Python 3 and its packages have been moved to pythonPackages. The options services.buildbot-master.package and services.buildbot-worker.package can be used to select the Python 2 or 3 version of the package.

Options services.znc.confOptions.networks.name.userName and services.znc.confOptions.networks.name.modulePackages were removed. They were never used for anything and can therefore safely be removed.

Package wasm has been renamed proglodyte-wasm. The package wasm will be pointed to ocamlPackages.wasm in 19.09, so make sure to update your configuration if you want to keep proglodyte-wasm

When the nixpkgs.pkgs option is set, NixOS will no longer ignore the nixpkgs.overlays option. The old behavior can be recovered by setting nixpkgs.overlays = lib.mkForce [];.

OpenSMTPD has been upgraded to version 6.4.0p1. This release makes backwards-incompatible changes to the configuration file format. See man smtpd.conf for more information on the new file format.

The versioned postgresql have been renamed to use underscore number seperators. For example, postgresql96 has been renamed to postgresql_9_6.

Package consul-ui and passthrough consul.ui have been removed. The package consul now uses upstream releases that vendor the UI into the binary. See #48714 for details.

Slurm introduces the new option services.slurm.stateSaveLocation, which is now set to /var/spool/slurm by default (instead of /var/spool). Make sure to move all files to the new directory or to set the option accordingly.

The slurmctld now runs as user slurm instead of root. If you want to keep slurmctld running as root, set services.slurm.user = root.

The options services.slurm.nodeName and services.slurm.partitionName are now sets of strings to correctly reflect that fact that each of these options can occour more than once in the configuration.

The solr package has been upgraded from 4.10.3 to 7.5.0 and has undergone some major changes. The services.solr module has been updated to reflect these changes. Please review http://lucene.apache.org/solr/ carefully before upgrading.

Package ckb is renamed to ckb-next, and options hardware.ckb.* are renamed to hardware.ckb-next.*.

The option services.xserver.displayManager.job.logToFile which was previously set to true when using the display managers lightdm, sddm or xpra has been reset to the default value (false).

Network interface indiscriminate NixOS firewall options (networking.firewall.allow*) are now preserved when also setting interface specific rules such as networking.firewall.interfaces.en0.allow*. These rules continue to use the pseudo device "default" (networking.firewall.interfaces.default.*), and assigning to this pseudo device will override the (networking.firewall.allow*) options.

The nscd service now disables all caching of passwd and group databases by default. This was interferring with the correct functioning of the libnss_systemd.so module which is used by systemd to manage uids and usernames in the presence of DynamicUser= in systemd services. This was already the default behaviour in presence of services.sssd.enable = true because nscd caching would interfere with sssd in unpredictable ways as well. Because we're using nscd not for caching, but for convincing glibc to find NSS modules in the nix store instead of an absolute path, we have decided to disable caching globally now, as it's usually not the behaviour the user wants and can lead to surprising behaviour. Furthermore, negative caching of host lookups is also disabled now by default. This should fix the issue of dns lookups failing in the presence of an unreliable network.

If the old behaviour is desired, this can be restored by setting the services.nscd.config option with the desired caching parameters.

     services.nscd.config =
     ''
     server-user             nscd
     threads                 1
     paranoia                no
     debug-level             0

     enable-cache            passwd          yes
     positive-time-to-live   passwd          600
     negative-time-to-live   passwd          20
     suggested-size          passwd          211
     check-files             passwd          yes
     persistent              passwd          no
     shared                  passwd          yes

     enable-cache            group           yes
     positive-time-to-live   group           3600
     negative-time-to-live   group           60
     suggested-size          group           211
     check-files             group           yes
     persistent              group           no
     shared                  group           yes

     enable-cache            hosts           yes
     positive-time-to-live   hosts           600
     negative-time-to-live   hosts           5
     suggested-size          hosts           211
     check-files             hosts           yes
     persistent              hosts           no
     shared                  hosts           yes
     '';
     

See #50316 for details.

GitLab Shell previously used the nix store paths for the gitlab-shell command in its authorized_keys file, which might stop working after garbage collection. To circumvent that, we regenerated that file on each startup. As gitlab-shell has now been changed to use /var/run/current-system/sw/bin/gitlab-shell, this is not necessary anymore, but there might be leftover lines with a nix store path. Regenerate the authorized_keys file via sudo -u git -H gitlab-rake gitlab:shell:setup in that case.

The pam_unix account module is now loaded with its control field set to required instead of sufficient, so that later PAM account modules that might do more extensive checks are being executed. Previously, the whole account module verification was exited prematurely in case a nss module provided the account name to pam_unix. The LDAP and SSSD NixOS modules already add their NSS modules when enabled. In case your setup breaks due to some later PAM account module previosuly shadowed, or failing NSS lookups, please file a bug. You can get back the old behaviour by manually setting security.pam.services.<name?>.text .

The pam_unix password module is now loaded with its control field set to sufficient instead of required, so that password managed only by later PAM password modules are being executed. Previously, for example, changing an LDAP account's password through PAM was not possible: the whole password module verification was exited prematurely by pam_unix, preventing pam_ldap to manage the password as it should.

fish has been upgraded to 3.0. It comes with a number of improvements and backwards incompatible changes. See the fish release notes for more information.

The ibus-table input method has had a change in config format, which causes all previous settings to be lost. See this commit message for details.

NixOS module system type types.optionSet and lib.mkOption argument options are deprecated. Use types.submodule instead. (#54637)

matrix-synapse has been updated to version 0.99. It will no longer generate a self-signed certificate on first launch and will be the last version to accept self-signed certificates. As such, it is now recommended to use a proper certificate verified by a root CA (for example Let's Encrypt). The new manual chapter on Matrix contains a working example of using nginx as a reverse proxy in front of matrix-synapse, using Let's Encrypt certificates.

mailutils now works by default when sendmail is not in a setuid wrapper. As a consequence, the sendmailPath argument, having lost its main use, has been removed.

graylog has been upgraded from version 2.* to 3.*. Some setups making use of extraConfig (especially those exposing Graylog via reverse proxies) need to be updated as upstream removed/replaced some settings. See Upgrading Graylog for details.

The option users.ldap.bind.password was renamed to users.ldap.bind.passwordFile, and needs to be readable by the nslcd user. Same applies to the new users.ldap.daemon.rootpwmodpwFile option.

nodejs-6_x is end-of-life. nodejs-6_x, nodejs-slim-6_x and nodePackages_6_x are removed.

The services.matomo module gained the option services.matomo.package which determines the used Matomo version.

The Matomo module now also comes with the systemd service matomo-archive-processing.service and a timer that automatically triggers archive processing every hour. This means that you can safely disable browser triggers for Matomo archiving at Administration > System > General Settings.

Additionally, you can enable to delete old visitor logs at Administration > System > Privacy, but make sure that you run systemctl start matomo-archive-processing.service at least once without errors if you have already collected data before, so that the reports get archived before the source data gets deleted.

composableDerivation along with supporting library functions has been removed.

The deprecated truecrypt package has been removed and truecrypt attribute is now an alias for veracrypt. VeraCrypt is backward-compatible with TrueCrypt volumes. Note that cryptsetup also supports loading TrueCrypt volumes.

The Kubernetes DNS addons, kube-dns, has been replaced with CoreDNS. This change is made in accordance with Kubernetes making CoreDNS the official default starting from Kubernetes v1.11. Please beware that upgrading DNS-addon on existing clusters might induce minor downtime while the DNS-addon terminates and re-initializes. Also note that the DNS-service now runs with 2 pod replicas by default. The desired number of replicas can be configured using: services.kubernetes.addons.dns.replicas.

The quassel-webserver package and module was removed from nixpkgs due to the lack of maintainers.

The manual gained a new chapter on self-hosting matrix-synapse and riot-web , the most prevalent server and client implementations for the Matrix federated communication network.

The astah-community package was removed from nixpkgs due to it being discontinued and the downloads not being available anymore.

The httpd service now saves log files with a .log file extension by default for easier integration with the logrotate service.

The owncloud server packages and httpd subservice module were removed from nixpkgs due to the lack of maintainers.

It is possible now to uze ZRAM devices as general purpose ephemeral block devices, not only as swap. Using more than 1 device as ZRAM swap is no longer recommended, but is still possible by setting zramSwap.swapDevices explicitly.

ZRAM algorithm can be changed now.

Changes to ZRAM algorithm are applied during nixos-rebuild switch, so make sure you have enough swap space on disk to survive ZRAM device rebuild. Alternatively, use nixos-rebuild boot; reboot.

Flat volumes are now disabled by default in hardware.pulseaudio. This has been done to prevent applications, which are unaware of this feature, setting their volumes to 100% on startup causing harm to your audio hardware and potentially your ears.

The ndppd module now supports all config options provided by the current upstream version as service options. Additionally the ndppd package doesn't contain the systemd unit configuration from upstream anymore, the unit is completely configured by the NixOS module now.

New installs of NixOS will default to the Redmine 4.x series unless otherwise specified in services.redmine.package while existing installs of NixOS will default to the Redmine 3.x series.

The Grafana module now supports declarative datasource and dashboard provisioning.

The use of insecure ports on kubernetes has been deprecated. Thus options: services.kubernetes.apiserver.port and services.kubernetes.controllerManager.port has been renamed to .insecurePort, and default of both options has changed to 0 (disabled).

Note that the default value of services.kubernetes.apiserver.bindAddress has changed from 127.0.0.1 to 0.0.0.0, allowing the apiserver to be accessible from outside the master node itself. If the apiserver insecurePort is enabled, it is strongly recommended to only bind on the loopback interface. See: services.kubernetes.apiserver.insecurebindAddress.

The option services.kubernetes.apiserver.allowPrivileged and services.kubernetes.kubelet.allowPrivileged now defaults to false. Disallowing privileged containers on the cluster.

The kubernetes module does no longer add the kubernetes package to environment.systemPackages implicitly.

The intel driver has been removed from the default list of X.org video drivers. The modesetting driver should take over automatically, it is better maintained upstream and has less problems with advanced X11 features. This can lead to a change in the output names used by xrandr. Some performance regressions on some GPU models might happen. Some OpenCL and VA-API applications might also break (Beignet seems to provide OpenCL support with modesetting driver, too). Kernel mode setting API does not support backlight control, so xbacklight tool will not work; backlight level can be controlled directly via /sys/ or with brightnessctl. Users who need this functionality more than multi-output XRandR are advised to add `intel` to `videoDrivers` and report an issue (or provide additional details in an existing one)

Openmpi has been updated to version 4.0.0, which removes some deprecated MPI-1 symbols. This may break some older applications that still rely on those symbols. An upgrade guide can be found here.

The nginx package now relies on OpenSSL 1.1 and supports TLS 1.3 by default. You can set the protocols used by the nginx service using services.nginx.sslProtocols.

A new subcommand nixos-rebuild edit was added.

End of support is planned for end of April 2019, handing over to 19.03.

Platform support: x86_64-linux and x86_64-darwin as always. Support for aarch64-linux is as with the previous releases, not equivalent to the x86-64-linux release, but with efforts to reach parity.

Nix has been updated to 2.1; see its release notes.

Core versions: linux: 4.14 LTS (unchanged), glibc: 2.26 → 2.27, gcc: 7 (unchanged), systemd: 237 → 239.

Desktop version changes: gnome: 3.26 → 3.28, (KDE) plasma-desktop: 5.12 → 5.13.

Support for wrapping binaries using firejail has been added through programs.firejail.wrappedBinaries.

For example

programs.firejail = {
  enable = true;
  wrappedBinaries = {
    firefox = "${lib.getBin pkgs.firefox}/bin/firefox";
    mpv = "${lib.getBin pkgs.mpv}/bin/mpv";
  };
};

This will place firefox and mpv binaries in the global path wrapped by firejail.

User channels are now in the default NIX_PATH, allowing users to use their personal nix-channel defined channels in nix-build and nix-shell commands, as well as in imports like import <mychannel>.

For example

$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgsunstable
$ nix-channel --update
$ nix-build '<nixpkgsunstable>' -A gitFull
$ nix run -f '<nixpkgsunstable>' gitFull
$ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'

The services.cassandra module has been reworked and was rewritten from scratch. The service has succeeding tests for the versions 2.1, 2.2, 3.0 and 3.11 of Apache Cassandra.

There is a new services.foundationdb module for deploying FoundationDB clusters.

When enabled the iproute2 will copy the files expected by ip route (e.g., rt_tables) in /etc/iproute2. This allows to write aliases for routing tables for instance.

services.strongswan-swanctl is a modern replacement for services.strongswan. You can use either one of them to setup IPsec VPNs but not both at the same time.

services.strongswan-swanctl uses the swanctl command which uses the modern vici Versatile IKE Configuration Interface. The deprecated ipsec command used in services.strongswan is using the legacy stroke configuration interface.

The new services.elasticsearch-curator service periodically curates or manages, your Elasticsearch indices and snapshots.

./config/xdg/autostart.nix

./config/xdg/icons.nix

./config/xdg/menus.nix

./config/xdg/mime.nix

./hardware/brightnessctl.nix

./hardware/onlykey.nix

./hardware/video/uvcvideo/default.nix

./misc/documentation.nix

./programs/firejail.nix

./programs/iftop.nix

./programs/sedutil.nix

./programs/singularity.nix

./programs/xss-lock.nix

./programs/zsh/zsh-autosuggestions.nix

./services/admin/oxidized.nix

./services/backup/duplicati.nix

./services/backup/restic.nix

./services/backup/restic-rest-server.nix

./services/cluster/hadoop/default.nix

./services/databases/aerospike.nix

./services/databases/monetdb.nix

./services/desktops/bamf.nix

./services/desktops/flatpak.nix

./services/desktops/zeitgeist.nix

./services/development/bloop.nix

./services/development/jupyter/default.nix

./services/hardware/lcd.nix

./services/hardware/undervolt.nix

./services/misc/clipmenu.nix

./services/misc/gitweb.nix

./services/misc/serviio.nix

./services/misc/safeeyes.nix

./services/misc/sysprof.nix

./services/misc/weechat.nix

./services/monitoring/datadog-agent.nix

./services/monitoring/incron.nix

./services/networking/dnsdist.nix

./services/networking/freeradius.nix

./services/networking/hans.nix

./services/networking/morty.nix

./services/networking/ndppd.nix

./services/networking/ocserv.nix

./services/networking/owamp.nix

./services/networking/quagga.nix

./services/networking/shadowsocks.nix

./services/networking/stubby.nix

./services/networking/zeronet.nix

./services/security/certmgr.nix

./services/security/cfssl.nix

./services/security/oauth2_proxy_nginx.nix

./services/web-apps/virtlyst.nix

./services/web-apps/youtrack.nix

./services/web-servers/hitch/default.nix

./services/web-servers/hydron.nix

./services/web-servers/meguca.nix

./services/web-servers/nginx/gitweb.nix

./virtualisation/kvmgt.nix

./virtualisation/qemu-guest-agent.nix

Some licenses that were incorrectly not marked as unfree now are. This is the case for:

The deprecated services.cassandra module has seen a complete rewrite. (See above.)

lib.strict is removed. Use builtins.seq instead.

The clementine package points now to the free derivation. clementineFree is removed now and clementineUnfree points to the package which is bundled with the unfree libspotify package.

The netcat package is now taken directly from OpenBSD's libressl, instead of relying on Debian's fork. The new version should be very close to the old version, but there are some minor differences. Importantly, flags like -b, -q, -C, and -Z are no longer accepted by the nc command.

The services.docker-registry.extraConfig object doesn't contain environment variables anymore. Instead it needs to provide an object structure that can be mapped onto the YAML configuration defined in the docker/distribution docs.

gnucash has changed from version 2.4 to 3.x. If you've been using gnucash (version 2.4) instead of gnucash26 (version 2.6) you must open your Gnucash data file(s) with gnucash26 and then save them to upgrade the file format. Then you may use your data file(s) with Gnucash 3.x. See the upgrade documentation. Gnucash 2.4 is still available under the attribute gnucash24.

services.munge now runs as user (and group) munge instead of root. Make sure the key file is accessible to the daemon.

dockerTools.buildImage now uses null as default value for tag, which indicates that the nix output hash will be used as tag.

The ELK stack: elasticsearch, logstash and kibana has been upgraded from 2.* to 6.3.*. The 2.* versions have been unsupported since last year so they have been removed. You can still use the 5.* versions under the names elasticsearch5, logstash5 and kibana5.

The elastic beats: filebeat, heartbeat, metricbeat and packetbeat have had the same treatment: they now target 6.3.* as well. The 5.* versions are available under the names: filebeat5, heartbeat5, metricbeat5 and packetbeat5

The ELK-6.3 stack now comes with X-Pack by default. Since X-Pack is licensed under the Elastic License the ELK packages now have an unfree license. To use them you need to specify allowUnfree = true; in your nixpkgs configuration.

Fortunately there is also a free variant of the ELK stack without X-Pack. The packages are available under the names: elasticsearch-oss, logstash-oss and kibana-oss.

Options boot.initrd.luks.devices.name.yubikey.ramfsMountPoint boot.initrd.luks.devices.name.yubikey.storage.mountPoint were removed. luksroot.nix module never supported more than one YubiKey at a time anyway, hence those options never had any effect. You should be able to remove them from your config without any issues.

stdenv.system and system in nixpkgs now refer to the host platform instead of the build platform. For native builds this is not change, let alone a breaking one. For cross builds, it is a breaking change, and stdenv.buildPlatform.system can be used instead for the old behavior. They should be using that anyways for clarity.

Groups kvm and render are introduced now, as systemd requires them.

dockerTools.pullImage relies on image digest instead of image tag to download the image. The sha256 of a pulled image has to be updated.

lib.attrNamesToStr has been deprecated. Use more specific concatenation (lib.concat(Map)StringsSep) instead.

lib.addErrorContextToAttrs has been deprecated. Use builtins.addErrorContext directly.

lib.showVal has been deprecated. Use lib.traceSeqN instead.

lib.traceXMLVal has been deprecated. Use lib.traceValFn builtins.toXml instead.

lib.traceXMLValMarked has been deprecated. Use lib.traceValFn (x: str + builtins.toXML x) instead.

The pkgs argument to NixOS modules can now be set directly using nixpkgs.pkgs. Previously, only the system, config and overlays arguments could be used to influence pkgs.

A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs. For example:

inherit (pkgs.nixos {
  boot.loader.grub.enable = false;
  fileSystems."/".device = "/dev/xvda1";
}) toplevel kernel initialRamdisk manual;
      

This benefits evaluation performance, lets you write Nixpkgs packages that depend on NixOS images and is consistent with a deployment architecture that would be centered around Nixpkgs overlays.

lib.traceValIfNot has been deprecated. Use if/then/else and lib.traceValSeq instead.

lib.traceCallXml has been deprecated. Please complain if you use the function regularly.

The attribute lib.nixpkgsVersion has been deprecated in favor of lib.version. Please refer to the discussion in NixOS/nixpkgs#39416 for further reference.

lib.recursiveUpdateUntil was not acting according to its specification. It has been fixed to act according to the docstring, and a test has been added.

The module for security.dhparams has two new options now:

{ config, ... }:

{
  security.dhparams.params.myservice = {};
  environment.etc."myservice.conf".text = ''
    dhparams = ${config.security.dhparams.params.myservice.path}
  '';
}

networking.networkmanager.useDnsmasq has been deprecated. Use networking.networkmanager.dns instead.

The Kubernetes package has been bumped to major version 1.11. Please consult the release notes for details on new features and api changes.

The option services.kubernetes.apiserver.admissionControl was renamed to services.kubernetes.apiserver.enableAdmissionPlugins.

Recommended way to access the Kubernetes Dashboard is via HTTPS (TLS) Therefore; public service port for the dashboard has changed to 443 (container port 8443) and scheme to https.

The option services.kubernetes.apiserver.address was renamed to services.kubernetes.apiserver.bindAddress. Note that the default value has changed from 127.0.0.1 to 0.0.0.0.

The option services.kubernetes.apiserver.publicAddress was not used and thus has been removed.

The option services.kubernetes.addons.dashboard.enableRBAC was renamed to services.kubernetes.addons.dashboard.rbac.enable.

The Kubernetes Dashboard now has only minimal RBAC permissions by default. If dashboard cluster-admin rights are desired, set services.kubernetes.addons.dashboard.rbac.clusterAdmin to true. On existing clusters, in order for the revocation of privileges to take effect, the current ClusterRoleBinding for kubernetes-dashboard must be manually removed: kubectl delete clusterrolebinding kubernetes-dashboard

The programs.screen module provides allows to configure /etc/screenrc, however the module behaved fairly counterintuitive as the config exists, but the package wasn't available. Since 18.09 pkgs.screen will be added to environment.systemPackages.

The module services.networking.hostapd now uses WPA2 by default.

s6Dns, s6Networking, s6LinuxUtils and s6PortableUtils renamed to s6-dns, s6-networking, s6-linux-utils and s6-portable-utils respectively.

The module option nix.useSandbox is now defaulted to true.

The config activation script of nixos-rebuild now reloads all user units for each authenticated user.

The default display manager is now LightDM. To use SLiM set services.xserver.displayManager.slim.enable to true.

NixOS option descriptions are now automatically broken up into individual paragraphs if the text contains two consecutive newlines, so it's no longer necessary to use </para><para> to start a new paragraph.

Top-level buildPlatform, hostPlatform, and targetPlatform in Nixpkgs are deprecated. Please use their equivalents in stdenv instead: stdenv.buildPlatform, stdenv.hostPlatform, and stdenv.targetPlatform.

End of support is planned for end of October 2018, handing over to 18.09.

Platform support: x86_64-linux and x86_64-darwin since release time (the latter isn't NixOS, really). Binaries for aarch64-linux are available, but no channel exists yet, as it's waiting for some test fixes, etc.

Nix now defaults to 2.0; see its release notes.

Core version changes: linux: 4.9 -> 4.14, glibc: 2.25 -> 2.26, gcc: 6 -> 7, systemd: 234 -> 237.

Desktop version changes: gnome: 3.24 -> 3.26, (KDE) plasma-desktop: 5.10 -> 5.12.

MariaDB 10.2, updated from 10.1, is now the default MySQL implementation. While upgrading a few changes have been made to the infrastructure involved:

PHP now defaults to PHP 7.2, updated from 7.1.

./config/krb5/default.nix

./hardware/digitalbitbox.nix

./misc/label.nix

./programs/ccache.nix

./programs/criu.nix

./programs/digitalbitbox/default.nix

./programs/less.nix

./programs/npm.nix

./programs/plotinus.nix

./programs/rootston.nix

./programs/systemtap.nix

./programs/sway.nix

./programs/udevil.nix

./programs/way-cooler.nix

./programs/yabar.nix

./programs/zsh/zsh-autoenv.nix

./services/backup/borgbackup.nix

./services/backup/crashplan-small-business.nix

./services/desktops/dleyna-renderer.nix

./services/desktops/dleyna-server.nix

./services/desktops/pipewire.nix

./services/desktops/gnome3/chrome-gnome-shell.nix

./services/desktops/gnome3/tracker-miners.nix

./services/hardware/fwupd.nix

./services/hardware/interception-tools.nix

./services/hardware/u2f.nix

./services/hardware/usbmuxd.nix

./services/mail/clamsmtp.nix

./services/mail/dkimproxy-out.nix

./services/mail/pfix-srsd.nix

./services/misc/gitea.nix

./services/misc/home-assistant.nix

./services/misc/ihaskell.nix

./services/misc/logkeys.nix

./services/misc/novacomd.nix

./services/misc/osrm.nix

./services/misc/plexpy.nix

./services/misc/pykms.nix

./services/misc/tzupdate.nix

./services/monitoring/fusion-inventory.nix

./services/monitoring/prometheus/exporters.nix

./services/network-filesystems/beegfs.nix

./services/network-filesystems/davfs2.nix

./services/network-filesystems/openafs/client.nix

./services/network-filesystems/openafs/server.nix

./services/network-filesystems/ceph.nix

./services/networking/aria2.nix

./services/networking/monero.nix

./services/networking/nghttpx/default.nix

./services/networking/nixops-dns.nix

./services/networking/rxe.nix

./services/networking/stunnel.nix

./services/web-apps/matomo.nix

./services/web-apps/restya-board.nix

./services/web-servers/mighttpd2.nix

./services/x11/fractalart.nix

./system/boot/binfmt.nix

./system/boot/grow-partition.nix

./tasks/filesystems/ecryptfs.nix

./virtualisation/hyperv-guest.nix

sound.enable now defaults to false.

Dollar signs in options under services.postfix are passed verbatim to Postfix, which will interpret them as the beginning of a parameter expression. This was already true for string-valued options in the previous release, but not for list-valued options. If you need to pass literal dollar signs through Postfix, double them.

The postage package (for web-based PostgreSQL administration) has been renamed to pgmanage. The corresponding module has also been renamed. To migrate please rename all services.postage options to services.pgmanage.

Package attributes starting with a digit have been prefixed with an underscore sign. This is to avoid quoting in the configuration and other issues with command-line tools like nix-env. The change affects the following packages:

The OpenSSH service no longer enables support for DSA keys by default, which could cause a system lock out. Update your keys or, unfavorably, re-enable DSA support manually.

DSA support was deprecated in OpenSSH 7.0, due to it being too weak. To re-enable support, add PubkeyAcceptedKeyTypes +ssh-dss to the end of your services.openssh.extraConfig.

After updating the keys to be stronger, anyone still on a pre-17.03 version is safe to jump to 17.03, as vetted here.

The openssh package now includes Kerberos support by default; the openssh_with_kerberos package is now a deprecated alias. If you do not want Kerberos support, you can do openssh.override { withKerberos = false; }. Note, this also applies to the openssh_hpn package.

cc-wrapper has been split in two; there is now also a bintools-wrapper. The most commonly used files in nix-support are now split between the two wrappers. Some commonly used ones, like nix-support/dynamic-linker, are duplicated for backwards compatability, even though they rightly belong only in bintools-wrapper. Other more obscure ones are just moved.

The propagation logic has been changed. The new logic, along with new types of dependencies that go with, is thoroughly documented in the "Specifying dependencies" section of the "Standard Environment" chapter of the nixpkgs manual. The old logic isn't but is easy to describe: dependencies were propagated as the same type of dependency no matter what. In practice, that means that many propagatedNativeBuildInputs should instead be propagatedBuildInputs. Thankfully, that was and is the least used type of dependency. Also, it means that some propagatedBuildInputs should instead be depsTargetTargetPropagated. Other types dependencies should be unaffected.

lib.addPassthru drv passthru is removed. Use lib.extendDerivation true passthru drv instead.

The memcached service no longer accept dynamic socket paths via services.memcached.socket. Unix sockets can be still enabled by services.memcached.enableUnixSocket and will be accessible at /run/memcached/memcached.sock.

The hardware.amdHybridGraphics.disable option was removed for lack of a maintainer. If you still need this module, you may wish to include a copy of it from an older version of nixos in your imports.

The merging of config options for services.postfix.config was buggy. Previously, if other options in the Postfix module like services.postfix.useSrs were set and the user set config options that were also set by such options, the resulting config wouldn't include all options that were needed. They are now merged correctly. If config options need to be overridden, lib.mkForce or lib.mkOverride can be used.

The following changes apply if the stateVersion is changed to 18.03 or higher. For stateVersion = "17.09" or lower the old behavior is preserved.

The jid package has been removed, due to maintenance overhead of a go package having non-versioned dependencies.

When using services.xserver.libinput (enabled by default in GNOME), it now handles all input devices, not just touchpads. As a result, you might need to re-evaluate any custom Xorg configuration. In particular, Option "XkbRules" "base" may result in broken keyboard layout.

The attic package was removed. A maintained fork called Borg should be used instead. Migration instructions can be found here.

The Piwik analytics software was renamed to Matomo:

nodejs-4_x is end-of-life. nodejs-4_x, nodejs-slim-4_x and nodePackages_4_x are removed.

The pump.io NixOS module was removed. It is now maintained as an external module.

The Prosody XMPP server has received a major update. The following modules were renamed:

Many new modules are now core modules, most notably services.prosody.modules.carbons and services.prosody.modules.mam.

The better-performing libevent backend is now enabled by default.

withCommunityModules now passes through the modules to services.prosody.extraModules. Use withOnlyInstalledCommunityModules for modules that should not be enabled directly, e.g lib_ldap.

All prometheus exporter modules are now defined as submodules. The exporters are configured using services.prometheus.exporters.

ZNC option services.znc.mutable now defaults to true. That means that old configuration is not overwritten by default when update to the znc options are made.

The option networking.wireless.networks.<name>.auth has been added for wireless networks with WPA-Enterprise authentication. There is also a new extraConfig option to directly configure wpa_supplicant and hidden to connect to hidden networks.

In the module networking.interfaces.<name> the following options have been removed:

To assign static addresses to an interface the options ipv4.addresses and ipv6.addresses should be used instead. The options ip4 and ip6 have been renamed to ipv4.addresses ipv6.addresses respectively. The new options ipv4.routes and ipv6.routes have been added to set up static routing.

The option services.logstash.listenAddress is now 127.0.0.1 by default. Previously the default behaviour was to listen on all interfaces.

services.btrfs.autoScrub has been added, to periodically check btrfs filesystems for data corruption. If there's a correct copy available, it will automatically repair corrupted blocks.

displayManager.lightdm.greeters.gtk.clock-format. has been added, the clock format string (as expected by strftime, e.g. %H:%M) to use with the lightdm gtk greeter panel.

If set to null the default clock format is used.

displayManager.lightdm.greeters.gtk.indicators has been added, a list of allowed indicator modules to use with the lightdm gtk greeter panel.

Built-in indicators include ~a11y, ~language, ~session, ~power, ~clock, ~host, ~spacer. Unity indicators can be represented by short name (e.g. sound, power), service file name, or absolute path.

If set to null the default indicators are used.

In order to have the previous default configuration add

  services.xserver.displayManager.lightdm.greeters.gtk.indicators = [
    "~host" "~spacer"
    "~clock" "~spacer"
    "~session"
    "~language"
    "~a11y"
    "~power"
  ];

to your configuration.nix.

The NixOS test driver supports user services declared by systemd.user.services. The methods waitForUnit, getUnitInfo, startJob and stopJob provide an optional $user argument for that purpose.

Enabling bash completion on NixOS, programs.bash.enableCompletion, will now also enable completion for the Nix command line tools by installing the nix-bash-completions package.

The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10, KDE Applications to 17.08.1 and KDE Frameworks to 5.37.

The user handling now keeps track of deallocated UIDs/GIDs. When a user or group is revived, this allows it to be allocated the UID/GID it had before. A consequence is that UIDs and GIDs are no longer reused.

The module option services.xserver.xrandrHeads now causes the first head specified in this list to be set as the primary head. Apart from that, it's now possible to also set additional options by using an attribute set, for example:

{ services.xserver.xrandrHeads = [
    "HDMI-0"
    {
      output = "DVI-0";
      primary = true;
      monitorConfig = ''
        Option "Rotate" "right"
      '';
    }
  ];
}

This will set the DVI-0 output to be the primary head, even though HDMI-0 is the first head in the list.

The handling of SSL in the services.nginx module has been cleaned up, renaming the misnamed enableSSL to onlySSL which reflects its original intention. This is not to be used with the already existing forceSSL which creates a second non-SSL virtual host redirecting to the SSL virtual host. This by chance had worked earlier due to specific implementation details. In case you had specified both please remove the enableSSL option to keep the previous behaviour.

Another addSSL option has been introduced to configure both a non-SSL virtual host and an SSL virtual host with the same configuration.

Options to configure resolver options and upstream blocks have been introduced. See their information for further details.

The port option has been replaced by a more generic listen option which makes it possible to specify multiple addresses, ports and SSL configs dependant on the new SSL handling mentioned above.

config/fonts/fontconfig-penultimate.nix

config/fonts/fontconfig-ultimate.nix

config/terminfo.nix

hardware/sensor/iio.nix

hardware/nitrokey.nix

hardware/raid/hpsa.nix

programs/browserpass.nix

programs/gnupg.nix

programs/qt5ct.nix

programs/slock.nix

programs/thefuck.nix

security/auditd.nix

security/lock-kernel-modules.nix

service-managers/docker.nix

service-managers/trivial.nix

services/admin/salt/master.nix

services/admin/salt/minion.nix

services/audio/slimserver.nix

services/cluster/kubernetes/default.nix

services/cluster/kubernetes/dns.nix

services/cluster/kubernetes/dashboard.nix

services/continuous-integration/hail.nix

services/databases/clickhouse.nix

services/databases/postage.nix

services/desktops/gnome3/gnome-disks.nix

services/desktops/gnome3/gpaste.nix

services/logging/SystemdJournal2Gelf.nix

services/logging/heartbeat.nix

services/logging/journalwatch.nix

services/logging/syslogd.nix

services/mail/mailhog.nix

services/mail/nullmailer.nix

services/misc/airsonic.nix

services/misc/autorandr.nix

services/misc/exhibitor.nix

services/misc/fstrim.nix

services/misc/gollum.nix

services/misc/irkerd.nix

services/misc/jackett.nix

services/misc/radarr.nix

services/misc/snapper.nix

services/monitoring/osquery.nix

services/monitoring/prometheus/collectd-exporter.nix

services/monitoring/prometheus/fritzbox-exporter.nix

services/network-filesystems/kbfs.nix

services/networking/dnscache.nix

services/networking/fireqos.nix

services/networking/iwd.nix

services/networking/keepalived/default.nix

services/networking/keybase.nix

services/networking/lldpd.nix

services/networking/matterbridge.nix

services/networking/squid.nix

services/networking/tinydns.nix

services/networking/xrdp.nix

services/security/shibboleth-sp.nix

services/security/sks.nix

services/security/sshguard.nix

services/security/torify.nix

services/security/usbguard.nix

services/security/vault.nix

services/system/earlyoom.nix

services/system/saslauthd.nix

services/web-apps/nexus.nix

services/web-apps/pgpkeyserver-lite.nix

services/web-apps/piwik.nix

services/web-servers/lighttpd/collectd.nix

services/web-servers/minio.nix

services/x11/display-managers/xpra.nix

services/x11/xautolock.nix

tasks/filesystems/bcachefs.nix

tasks/powertop.nix

In an Qemu-based virtualization environment, the network interface names changed from i.e. enp0s3 to ens3.

This is due to a kernel configuration change. The new naming is consistent with those of other Linux distributions with systemd. See #29197 for more information.

A machine is affected if the virt-what tool either returns qemu or kvm and has interface names used in any part of its NixOS configuration, in particular if a static network configuration with networking.interfaces is used.

Before rebooting affected machines, please ensure:

The following changes apply if the stateVersion is changed to 17.09 or higher. For stateVersion = "17.03" or lower the old behavior is preserved.

The aiccu package was removed. This is due to SixXS sunsetting its IPv6 tunnel.

The fanctl package and fan module have been removed due to the developers not upstreaming their iproute2 patches and lagging with compatibility to recent iproute2 versions.

Top-level idea package collection was renamed. All JetBrains IDEs are now at jetbrains.

flexget's state database cannot be upgraded to its new internal format, requiring removal of any existing db-config.sqlite which will be automatically recreated.

The ipfs service now doesn't ignore the dataDir option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with

dataDir=<valueOfDataDir>
mv /var/lib/ipfs/.ipfs/* $dataDir
rmdir /var/lib/ipfs/.ipfs

The caddy service was previously using an extra .caddy directory in the data directory specified with the dataDir option. The contents of the .caddy directory are now expected to be in the dataDir.

The ssh-agent user service is not started by default anymore. Use programs.ssh.startAgent to enable it if needed. There is also a new programs.gnupg.agent module that creates a gpg-agent user service. It can also serve as a SSH agent if enableSSHSupport is set.

The services.tinc.networks.<name>.listenAddress option had a misleading name that did not correspond to its behavior. It now correctly defines the ip to listen for incoming connections on. To keep the previous behaviour, use services.tinc.networks.<name>.bindToAddress instead. Refer to the description of the options for more details.

tlsdate package and module were removed. This is due to the project being dead and not building with openssl 1.1.

wvdial package and module were removed. This is due to the project being dead and not building with openssl 1.1.

cc-wrapper's setup-hook now exports a number of environment variables corresponding to binutils binaries, (e.g. LD, STRIP, RANLIB, etc). This is done to prevent packages' build systems guessing, which is harder to predict, especially when cross-compiling. However, some packages have broken due to this—their build systems either not supporting, or claiming to support without adequate testing, taking such environment variables as parameters.

services.firefox.syncserver now runs by default as a non-root user. To accomodate this change, the default sqlite database location has also been changed. Migration should work automatically. Refer to the description of the options for more details.

The compiz window manager and package was removed. The system support had been broken for several years.

Touchpad support should now be enabled through libinput as synaptics is now deprecated. See the option services.xserver.libinput.enable.

grsecurity/PaX support has been dropped, following upstream's decision to cease free support. See upstream's announcement for more information. No complete replacement for grsecurity/PaX is available presently.

services.mysql now has declarative configuration of databases and users with the ensureDatabases and ensureUsers options.

These options will never delete existing databases and users, especially not when the value of the options are changed.

The MySQL users will be identified using Unix socket authentication. This authenticates the Unix user with the same name only, and that without the need for a password.

If you have previously created a MySQL root user with a password, you will need to add root user for unix socket authentication before using the new options. This can be done by running the following SQL script:

CREATE USER 'root'@'%' IDENTIFIED BY '';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;

-- Optionally, delete the password-authenticated user:
-- DROP USER 'root'@'localhost';

services.mysqlBackup now works by default without any user setup, including for users other than mysql.

By default, the mysql user is no longer the user which performs the backup. Instead a system account mysqlbackup is used.

The mysqlBackup service is also now using systemd timers instead of cron.

Therefore, the services.mysqlBackup.period option no longer exists, and has been replaced with services.mysqlBackup.calendar, which is in the format of systemd.time(7).

If you expect to be sent an e-mail when the backup fails, consider using a script which monitors the systemd journal for errors. Regretfully, at present there is no built-in functionality for this.

You can check that backups still work by running systemctl start mysql-backup then systemctl status mysql-backup.

Templated systemd services e.g container@name are now handled currectly when switching to a new configuration, resulting in them being reloaded.

Steam: the newStdcpp parameter was removed and should not be needed anymore.

Redis has been updated to version 4 which mandates a cluster mass-restart, due to changes in the network handling, in order to ensure compatibility with networks NATing traffic.

Modules can now be disabled by using disabledModules, allowing another to take it's place. This can be used to import a set of modules from another channel while keeping the rest of the system on a stable release.

Updated to FreeType 2.7.1, including a new TrueType engine. The new engine replaces the Infinality engine which was the default in NixOS. The default font rendering settings are now provided by fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults are less invasive and provide rendering that is more consistent with other systems and hopefully with each font designer's intent. Some system-wide configuration has been removed from the Fontconfig NixOS module where user Fontconfig settings are available.

ZFS/SPL have been updated to 0.7.0, zfsUnstable, splUnstable have therefore been removed.

The time.timeZone option now allows the value null in addition to timezone strings. This value allows changing the timezone of a system imperatively using timedatectl set-timezone. The default timezone is still UTC.

Nixpkgs overlays may now be specified with a file as well as a directory. The value of <nixpkgs-overlays> may be a file, and ~/.config/nixpkgs/overlays.nix can be used instead of the ~/.config/nixpkgs/overlays directory.

See the overlays chapter of the Nixpkgs manual for more details.

Definitions for /etc/hosts can now be specified declaratively with networking.hosts.

Two new options have been added to the installer loader, in addition to the default having changed. The kernel log verbosity has been lowered to the upstream default for the default options, in order to not spam the console when e.g. joining a network.

This therefore leads to adding a new debug option to set the log level to the previous verbose mode, to make debugging easier, but still accessible easily.

Additionally a copytoram option has been added, which makes it possible to remove the install medium after booting. This allows tethering from your phone after booting from it.

services.gitlab-runner.configOptions has been added to specify the configuration of gitlab-runners declaratively.

services.jenkins.plugins has been added to install plugins easily, this can be generated with jenkinsPlugins2nix.

services.postfix.config has been added to specify the main.cf with NixOS options. Additionally other options have been added to the postfix module and has been improved further.

The GitLab package and module have been updated to the latest 10.0 release.

The systemd-boot boot loader now lists the NixOS version, kernel version and build date of all bootable generations.

The dnscrypt-proxy service now defaults to using a random upstream resolver, selected from the list of public non-logging resolvers with DNSSEC support. Existing configurations can be migrated to this mode of operation by omitting the services.dnscrypt-proxy.resolverName option or setting it to "random".

Nixpkgs is now extensible through overlays. See the Nixpkgs manual for more information.

This release is based on Glibc 2.25, GCC 5.4.0 and systemd 232. The default Linux kernel is 4.9 and Nix is at 1.11.8.

The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed

The setuid wrapper functionality now supports setting capabilities.

X.org server uses branch 1.19. Due to ABI incompatibilities, ati_unfree keeps forcing 1.17 and amdgpu-pro starts forcing 1.18.

Cross compilation has been rewritten. See the nixpkgs manual for details. The most obvious breaking change is that in derivations there is no .nativeDrv nor .crossDrv are now cross by default, not native.

The overridePackages function has been rewritten to be replaced by overlays

Packages in nixpkgs can be marked as insecure through listed vulnerabilities. See the Nixpkgs manual for more information.

PHP now defaults to PHP 7.1

hardware/ckb.nix

hardware/mcelog.nix

hardware/usb-wwan.nix

hardware/video/capture/mwprocapture.nix

programs/adb.nix

programs/chromium.nix

programs/gphoto2.nix

programs/java.nix

programs/mtr.nix

programs/oblogout.nix

programs/vim.nix

programs/wireshark.nix

security/dhparams.nix

services/audio/ympd.nix

services/computing/boinc/client.nix

services/continuous-integration/buildbot/master.nix

services/continuous-integration/buildbot/worker.nix

services/continuous-integration/gitlab-runner.nix

services/databases/riak-cs.nix

services/databases/stanchion.nix

services/desktops/gnome3/gnome-terminal-server.nix

services/editors/infinoted.nix

services/hardware/illum.nix

services/hardware/trezord.nix

services/logging/journalbeat.nix

services/mail/offlineimap.nix

services/mail/postgrey.nix

services/misc/couchpotato.nix

services/misc/docker-registry.nix

services/misc/errbot.nix

services/misc/geoip-updater.nix

services/misc/gogs.nix

services/misc/leaps.nix

services/misc/nix-optimise.nix

services/misc/ssm-agent.nix

services/misc/sssd.nix

services/monitoring/arbtt.nix

services/monitoring/netdata.nix

services/monitoring/prometheus/default.nix

services/monitoring/prometheus/alertmanager.nix

services/monitoring/prometheus/blackbox-exporter.nix

services/monitoring/prometheus/json-exporter.nix

services/monitoring/prometheus/nginx-exporter.nix

services/monitoring/prometheus/node-exporter.nix

services/monitoring/prometheus/snmp-exporter.nix

services/monitoring/prometheus/unifi-exporter.nix

services/monitoring/prometheus/varnish-exporter.nix

services/monitoring/sysstat.nix

services/monitoring/telegraf.nix

services/monitoring/vnstat.nix

services/network-filesystems/cachefilesd.nix

services/network-filesystems/glusterfs.nix

services/network-filesystems/ipfs.nix

services/networking/dante.nix

services/networking/dnscrypt-wrapper.nix

services/networking/fakeroute.nix

services/networking/flannel.nix

services/networking/htpdate.nix

services/networking/miredo.nix

services/networking/nftables.nix

services/networking/powerdns.nix

services/networking/pdns-recursor.nix

services/networking/quagga.nix

services/networking/redsocks.nix

services/networking/wireguard.nix

services/system/cgmanager.nix

services/torrent/opentracker.nix

services/web-apps/atlassian/confluence.nix

services/web-apps/atlassian/crowd.nix

services/web-apps/atlassian/jira.nix

services/web-apps/frab.nix

services/web-apps/nixbot.nix

services/web-apps/selfoss.nix

services/web-apps/quassel-webserver.nix

services/x11/unclutter-xfixes.nix

services/x11/urxvtd.nix

system/boot/systemd-nspawn.nix

virtualisation/ecs-agent.nix

virtualisation/lxcfs.nix

virtualisation/openstack/keystone.nix

virtualisation/openstack/glance.nix

Derivations have no .nativeDrv nor .crossDrv and are now cross by default, not native.

stdenv.overrides is now expected to take self and super arguments. See lib.trivial.extends for what those parameters represent.

ansible now defaults to ansible version 2 as version 1 has been removed due to a serious vulnerability unpatched by upstream.

gnome alias has been removed along with gtk, gtkmm and several others. Now you need to use versioned attributes, like gnome3.

The attribute name of the Radicale daemon has been changed from pythonPackages.radicale to radicale.

The stripHash bash function in stdenv changed according to its documentation; it now outputs the stripped name to stdout instead of putting it in the variable strippedName.

PHP now scans for extra configuration .ini files in /etc/php.d instead of /etc. This prevents accidentally loading non-PHP .ini files that may be in /etc.

Two lone top-level dict dbs moved into dictdDBs. This affects: dictdWordnet which is now at dictdDBs.wordnet and dictdWiktionary which is now at dictdDBs.wiktionary

Parsoid service now uses YAML configuration format. service.parsoid.interwikis is now called service.parsoid.wikis and is a list of either API URLs or attribute sets as specified in parsoid's documentation.

Ntpd was replaced by systemd-timesyncd as the default service to synchronize system time with a remote NTP server. The old behavior can be restored by setting services.ntp.enable to true. Upstream time servers for all NTP implementations are now configured using networking.timeServers.

service.nylon is now declared using named instances. As an example:

  services.nylon = {
    enable = true;
    acceptInterface = "br0";
    bindInterface = "tun1";
    port = 5912;
  };

should be replaced with:

  services.nylon.myvpn = {
    enable = true;
    acceptInterface = "br0";
    bindInterface = "tun1";
    port = 5912;
  };

this enables you to declare a SOCKS proxy for each uplink.

overridePackages function no longer exists. It is replaced by overlays. For example, the following code:

let
  pkgs = import <nixpkgs> {};
in
  pkgs.overridePackages (self: super: ...)

should be replaced by:

let
  pkgs = import <nixpkgs> {};
in
  import pkgs.path { overlays = [(self: super: ...)]; }

Autoloading connection tracking helpers is now disabled by default. This default was also changed in the Linux kernel and is considered insecure if not configured properly in your firewall. If you need connection tracking helpers (i.e. for active FTP) please enable networking.firewall.autoLoadConntrackHelpers and tune networking.firewall.connectionTrackingModules to suit your needs.

local_recipient_maps is not set to empty value by Postfix service. It's an insecure default as stated by Postfix documentation. Those who want to retain this setting need to set it via services.postfix.extraConfig.

Iputils no longer provide ping6 and traceroute6. The functionality of these tools has been integrated into ping and traceroute respectively. To enforce an address family the new flags -4 and -6 have been added. One notable incompatibility is that specifying an interface (for link-local IPv6 for instance) is no longer done with the -I flag, but by encoding the interface into the address (ping fe80::1%eth0).

The socket handling of the services.rmilter module has been fixed and refactored. As rmilter doesn't support binding to more than one socket, the options bindUnixSockets and bindInetSockets have been replaced by services.rmilter.bindSocket.*. The default is still a unix socket in /run/rmilter/rmilter.sock. Refer to the options documentation for more information.

The fetch* functions no longer support md5, please use sha256 instead.

The dnscrypt-proxy module interface has been streamlined around the extraArgs option. Where possible, legacy option declarations are mapped to extraArgs but will emit warnings. The resolverList has been outright removed: to use an unlisted resolver, use the customResolver option.

torbrowser now stores local state under ~/.local/share/tor-browser by default. Any browser profile data from the old location, ~/.torbrowser4, must be migrated manually.

The ihaskell, monetdb, offlineimap and sitecopy services have been removed.

Module type system have a new extensible option types feature that allow to extend certain types, such as enum, through multiple option declarations of the same option across multiple modules.

jre now defaults to GTK UI by default. This improves visual consistency and makes Java follow system font style, improving the situation on HighDPI displays. This has a cost of increased closure size; for server and other headless workloads it's recommended to use jre_headless.

Python 2.6 interpreter and package set have been removed.

The Python 2.7 interpreter does not use modules anymore. Instead, all CPython interpreters now include the whole standard library except for `tkinter`, which is available in the Python package set.

Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly. Minor modifications had to be made to the interpreters in order to generate deterministic bytecode. This has security implications and is relevant for those using Python in a nix-shell. See the Nixpkgs manual for details.

The Python package sets now use a fixed-point combinator and the sets are available as attributes of the interpreters.

The Python function buildPythonPackage has been improved and can be used to build from Setuptools source, Flit source, and precompiled Wheels.

When adding new or updating current Python libraries, the expressions should be put in separate files in pkgs/development/python-modules and called from python-packages.nix.

The dnscrypt-proxy service supports synchronizing the list of public resolvers without working DNS resolution. This fixes issues caused by the resolver list becoming outdated. It also improves the viability of DNSCrypt only configurations.

Containers using bridged networking no longer lose their connection after changes to the host networking.

ZFS supports pool auto scrubbing.

The bind DNS utilities (e.g. dig) have been split into their own output and are now also available in pkgs.dnsutils and it is no longer necessary to pull in all of bind to use them.

Per-user configuration was moved from ~/.nixpkgs to ~/.config/nixpkgs. The former is still valid for config.nix for backwards compatibility.