# Release 24.11 (“Vicuña”, 2024.11/28) {#sec-release-24.11}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

## Highlights {#sec-release-24.11-highlights}

- Nix was updated to 2.24, which brings a lot of improvements and fixes. See the release notes for
  [2.19](https://nix.dev/manual/nix/latest/release-notes/rl-2.19),
  [2.20](https://nix.dev/manual/nix/latest/release-notes/rl-2.20),
  [2.21](https://nix.dev/manual/nix/latest/release-notes/rl-2.21),
  [2.22](https://nix.dev/manual/nix/latest/release-notes/rl-2.22),
  [2.23](https://nix.dev/manual/nix/latest/release-notes/rl-2.23),
  [2.24](https://nix.dev/manual/nix/latest/release-notes/rl-2.24).
  Notable changes include improvements to Git fetching, documentation comment support in `nix-repl> :doc`, as well as many quality of life additions.

- There have been significant changes to macOS support.
  - The build environment has been redesigned to be closer to a native Xcode toolchain, enabling us to provide all SDKs from macOS Sierra 10.12 to macOS Sequoia 15, simplify build definitions, and build more software without hacks or patching.
    Although compatibility shims for the old SDK scheme are provided, some builds may break, and the old mechanisms will be removed by 25.11 at the latest.
    See the [Darwin section](https://nixos.org/manual/nixpkgs/stable/#sec-darwin) of the Nixpkgs manual for details of the new scheme and how to use it, and [the announcement on Discourse](https://discourse.nixos.org/t/the-darwin-sdks-have-been-updated/55295) for more information on the changes and benefits.

  - **This will be the last release of Nixpkgs to support macOS Sierra 10.12 to macOS Catalina 10.15.**
    Starting with release 25.05, the minimum supported version will be macOS Big Sur 11, and we cannot guarantee that packages will continue to work on older versions of macOS.
    Users on old macOS versions should consider upgrading to a supported version (potentially using [OpenCore Legacy Patcher](https://dortania.github.io/OpenCore-Legacy-Patcher/) for old hardware) or installing NixOS.
    If neither of those options is viable and you require new versions of software, [MacPorts](https://www.macports.org/) supports versions back to Mac OS X Snow Leopard 10.6.

- This will be the last release of Nixpkgs to support versions of CUDA prior to CUDA 12.0.
  These versions only work with old compiler versions that will be unsupported by the time of the Nixpkgs 25.05 release.
  In the future, users should expect CUDA versions to be dropped as the compiler versions they require leave upstream support windows.

- Convenience options for `amdgpu`, the open source driver for Radeon cards, are now available under [`hardware.amdgpu`](#opt-hardware.amdgpu.initrd.enable).

- [AMDVLK](https://github.com/GPUOpen-Drivers/AMDVLK), AMD's open source Vulkan driver, is now available to be configured under the {option}`hardware.amdgpu.amdvlk` option.
  This also allows configuring runtime settings for AMDVLK, including enabling experimental features.

- The `moonlight-qt` package (for [Moonlight game streaming](https://moonlight-stream.org/)) now has HDR support on Linux systems.

- [Sched-ext](https://github.com/sched-ext/scx), a Linux kernel feature to run schedulers in userspace, is now available as [`services.scx`](options.html#opt-services.scx.enable).
  Requires Linux kernel version 6.12 or later.

- PostgreSQL now defaults to major version 16.

- GNOME has been updated to version 47. Refer to the [release notes](https://release.gnome.org/47/) for more details.

- `authelia` has been upgraded to version 4.38. This version brings several features and improvements which are detailed in the [release blog post](https://www.authelia.com/blog/4.38-release-notes/).
  This release also deprecates some configuration keys which are likely to be removed in version 5.0.0.

- `netbird` has been updated to 0.31.1. This adds a built-in relay server which is not yet supported by the NixOS module, as well as a metrics endpoint for both the management and signal services. The default metrics port for the `signal` service has been changed from `9090` to `9091` to prevent a port conflict with the management server. This can be changed with their respective `metricsPort` as needed. Refer to the [release notes](https://github.com/netbirdio/netbird/releases/tag/v0.31.1) and [this pull request](https://github.com/NixOS/nixpkgs/pull/354032#issuecomment-2480925927) for more information.

- `compressDrv` can compress selected files in a derivation. `compressDrvWeb` compresses files for common web server usage (`.gz` with `zopfli`, `.br` with `brotli`).

- [`hardware.display`](#opt-hardware.display.edid.enable) is a new module implementing workarounds for misbehaving monitors
  by setting up custom EDID files and forcing kernel/framebuffer modes.

- [`services.displayManager.ly`](#opt-services.displayManager.ly.enable) is a new module for configuring the display manager [ly](https://github.com/fairyglade/ly),
  a TUI-based replacement for SDDM and LightDM meant for window manager users.

- `srcOnly` was rewritten to be more readable, emit additional warnings when something is probably wrong, and use the `stdenv` provided by the derivation; Noogle-compatible documentation was also added.

- The default sound server for most graphical sessions has been switched from PulseAudio to PipeWire.
  Users that want to keep using PulseAudio will want to set `services.pipewire.enable = false;` and `hardware.pulseaudio.enable = true;`.
  There is currently no plan to fully deprecate and remove PulseAudio; however, PipeWire should generally be preferred for new installs.

- The Rust rewrite of the `switch-to-configuration` program is now used for system activation by default.
  If you experience any issues, please report them.
  The original Perl script is deprecated and is planned for removal in the 25.05 release. It will remain accessible until then by setting `system.switch.enableNg` to `false`.

- Support for mounting filesystems from block devices protected with [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html)
  was added through the [`boot.initrd.systemd.dmVerity`](#opt-boot.initrd.systemd.dmVerity.enable) option.

- The [Xen Project Hypervisor](https://xenproject.org) is once again available as a virtualisation option under [`virtualisation.xen`](#opt-virtualisation.xen.enable).
  - This release includes Xen [4.19.0](https://wiki.xenproject.org/wiki/Xen_Project_4.19_Release_Notes) and support for booting the hypervisor on EFI systems.
    ::: {.warning}
    Booting into the Xen Project Hypervisor through a legacy BIOS bootloader or with the legacy script-based Stage 1 initrd has been **deprecated**. Only EFI booting and the new systemd-based Stage 1 initrd are supported.
    :::
  - The `qemu-xen-traditional` component has been deprecated by the upstream Xen Project, and is no longer included in the Xen build.
  - The OCaml-based Xen Store can now be configured using [`virtualisation.xen.store.settings`](#opt-virtualisation.xen.store.settings).
  - The `virtualisation.xen.bridge` options have been deprecated in this release cycle. Users who need network bridges are encouraged to set up their own networking configurations.

- A new option [`systemd.enableStrictShellChecks`](#opt-systemd.enableStrictShellChecks) has been added. When enabled, all systemd scripts generated by NixOS will
  be checked with [shellcheck](https://www.shellcheck.net) and any errors or warnings will cause the build to fail.
  This affects all scripts that have been created through the `script`, `reload`, `preStart`, `postStart`, `preStop` and `postStop` options for systemd services.
  This does not affect command lines passed directly to `ExecStart`, `ExecReload`, `ExecStartPre`, `ExecStartPost`, `ExecStop` or `ExecStopPost`.
  It therefore also does not affect systemd units that are coming from packages and that are not defined through the NixOS config.
  This option is disabled by default, and although some services have already been fixed, it is still likely that you will encounter build failures when enabling this.
  We encourage people to enable this option when they are willing and able to submit fixes for potential build failures to nixpkgs.
  The option can also be enabled or disabled for individual services using the `enableStrictShellChecks` option on the service itself, which will take precedence over the global setting.

## New Modules {#sec-release-24.11-new-modules}

- [hardware.block](options.html#hardware-block.defaultScheduler) allows configuration of I/O schedulers for block devices.

- [KMonad](https://github.com/kmonad/kmonad), an advanced keyboard remapping utility. Available as [services.kmonad](#opt-services.kmonad.enable).

- [Coral](https://coral.ai/), hardware support for Coral.ai Edge TPU devices. Available as [hardware.coral.usb.enable](#opt-hardware.coral.usb.enable) and [hardware.coral.pcie.enable](#opt-hardware.coral.pcie.enable).

- [Cyrus IMAP](https://github.com/cyrusimap/cyrus-imapd), an email, contacts and calendar server. Available as [services.cyrus-imap](#opt-services.cyrus-imap.enable) service.

- [TaskChampion Sync-Server](https://github.com/GothenburgBitFactory/taskchampion-sync-server), a [Taskwarrior 3](https://taskwarrior.org/docs/upgrade-3/) sync server. Available as [services.taskchampion-sync-server](#opt-services.taskchampion-sync-server.enable).

- [FlareSolverr](https://github.com/FlareSolverr/FlareSolverr), a proxy server to bypass Cloudflare protection. Available as [services.flaresolverr](#opt-services.flaresolverr.enable).

- [Whisparr](https://wiki.servarr.com/en/whisparr), an adult movie collection manager for Usenet and BitTorrent users. Available as [services.whisparr](#opt-services.whisparr.enable).

- [Gancio](https://gancio.org/), a shared agenda for local communities. Available as [services.gancio](#opt-services.gancio.enable).

- [Goatcounter](https://www.goatcounter.com/), an easy web analytics platform with no tracking of personal data. Available as [services.goatcounter](options.html#opt-services.goatcounter.enable).

- [Privatebin](https://github.com/PrivateBin/PrivateBin/), a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Available as [services.privatebin](#opt-services.privatebin.enable).

- [UWSM](https://github.com/Vladimir-csp/uwsm), a Wayland session manager to wrap Wayland compositors into useful systemd units such as `graphical-session.target`. Available as [programs.uwsm](#opt-programs.uwsm.enable).

- [Open-WebUI](https://github.com/open-webui/open-webui), a user-friendly WebUI for LLMs. Available as [services.open-webui](#opt-services.open-webui.enable).

- [Quickwit](https://quickwit.io), a sub-second search & analytics engine on cloud storage. Available as [services.quickwit](options.html#opt-services.quickwit.enable).

- [Userborn](https://github.com/nikstur/userborn), a service for declarative
  user management. This can be used instead of the `update-users-groups.pl`
  Perl script and/or systemd-sysusers. This is now recommended over
  systemd-sysusers to achieve a system without Perl, as it can create normal
  users and change passwords. Available as [services.userborn](#opt-services.userborn.enable).

- [g810-led](https://github.com/MatMoul/g810-led), an LED controller for Logitech G keyboards. Available as [services.g810-led](options.html#opt-services.g810-led.enable).

- [Hatsu](https://github.com/importantimport/hatsu), a self-hosted bridge that interacts with Fediverse on behalf of your static site. Available as [services.hatsu](options.html#opt-services.hatsu.enable).

- [Soteria](https://github.com/ImVaskel/soteria), a polkit authentication agent to handle elevated prompts for any desktop environment. Normally this should only be used on DEs or WMs that do not provide a graphical polkit frontend on their own. Available as [`security.soteria`](#opt-security.soteria.enable).

- [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood.enable).

- [Niri](https://github.com/YaLTeR/niri), a scrollable-tiling Wayland compositor. Available as [programs.niri](options.html#opt-programs.niri.enable).

- [Firefly-iii Data Importer](https://github.com/firefly-iii/data-importer), a data importer for Firefly-III. Available as [services.firefly-iii-data-importer](options.html#opt-services.firefly-iii-data-importer.enable).

- [Dashy](https://dashy.to), an open source, highly customizable, easy to use, privacy-respecting dashboard app. Available as [services.dashy](options.html#opt-services.dashy).

- [QGroundControl], a ground station support and configuration manager for the PX4 and APM Flight Stacks. Available as [programs.qgroundcontrol](options.html#opt-programs.qgroundcontrol.enable).

- [Eintopf](https://eintopf.info), a community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf.enable).

- [`pay-respects`](https://codeberg.org/iff/pay-respects), a terminal command correction program, alternative to `thefuck`, written in Rust.
  Available as [programs.pay-respects](options.html#opt-programs.pay-respects).

- [Radicle](https://radicle.xyz), an open source, peer-to-peer code collaboration stack built on Git. Available as [services.radicle](#opt-services.radicle.enable).

- [Ordinal](https://github.com/snu-sf/Ordinal), a library for ordinal numbers in the Coq proof assistant.

- [ddns-updater](https://github.com/qdm12/ddns-updater), a service with a WebUI to update DNS records periodically for many providers. Available as [services.ddns-updater](#opt-services.ddns-updater.enable).

- [Immersed](https://immersed.com/), a closed-source coworking platform. Available as [programs.immersed](#opt-programs.immersed.enable).

- [HomeBox](https://github.com/sysadminsmedia/homebox), an inventory and organization system built for the home user. Available as [services.homebox](#opt-services.homebox.enable).

- [evremap](https://github.com/wez/evremap), a keyboard input remapper for Linux/Wayland systems. Available as [services.evremap](options.html#opt-services.evremap).

- [matrix-hookshot](https://matrix-org.github.io/matrix-hookshot), a Matrix bot for connecting to external services. Available as [services.matrix-hookshot](#opt-services.matrix-hookshot.enable).

- [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various Git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).

- [Music Assistant](https://music-assistant.io/), a music library manager for your offline and online music sources that can stream to a wide range of supported players. Available as [services.music-assistant](#opt-services.music-assistant.enable).

- [zeronsd](https://github.com/zerotier/zeronsd), a DNS server for ZeroTier users. Available with [services.zeronsd.servedNetworks](#opt-services.zeronsd.servedNetworks).

- [Collabora Online](https://www.collaboraonline.com/), a collaborative online office suite based on LibreOffice technology. Available as [services.collabora-online](options.html#opt-services.collabora-online.enable).

- [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a WebUI for connecting devices. Available as [services.wg-access-server](#opt-services.wg-access-server.enable).

- [Pingvin Share](https://github.com/stonith404/pingvin-share), a self-hosted file sharing platform and an alternative for WeTransfer. Available as [services.pingvin-share](#opt-services.pingvin-share.enable).

- [Envision](https://gitlab.com/gabmus/envision), a UI for building, configuring and running Monado, the open source OpenXR runtime. Available as [programs.envision](#opt-programs.envision.enable).

- [Localsend](https://localsend.org/), an open source cross-platform alternative to AirDrop. Available as [programs.localsend](#opt-programs.localsend.enable).

- [Gatus](https://github.com/TwiN/gatus), an automated developer-oriented status page. Available as [services.gatus](#opt-services.gatus.enable).

- [cryptpad](https://cryptpad.org/), a privacy-oriented collaborative office suite, has been added back. Available as [services.cryptpad](#opt-services.cryptpad.enable).

- [realm](https://github.com/zhboner/realm), a simple, high performance relay server written in Rust. Available as [services.realm](#opt-services.realm.enable).

- [Gotenberg](https://gotenberg.dev), an API server for converting files to PDFs that can be used alongside Paperless-ngx. Available as [services.gotenberg](options.html#opt-services.gotenberg.enable).

- [Suricata](https://suricata.io/), a free and open source, mature, fast and robust network threat detection engine. Available as [services.suricata](options.html#opt-services.suricata.enable).

- [Playerctld](https://github.com/altdesktop/playerctl), a daemon to track media player activity. Available as [services.playerctld](options.html#opt-services.playerctld.enable).

- [Glance](https://github.com/glanceapp/glance), a self-hosted dashboard that puts all your feeds in one place. Available as [services.glance](options.html#opt-services.glance.enable).

- [Apache Tika](https://github.com/apache/tika), a toolkit that detects and extracts metadata and text from over a thousand different file types. Available as [services.tika](options.html#opt-services.tika.enable).

- [Misskey](https://misskey-hub.net/en/), an interplanetary microblogging platform. Available as [services.misskey](options.html#opt-services.misskey.enable).

- [Improved File Manager (IFM)](https://github.com/misterunknown/ifm), a single-file web-based file manager. Available as [services.ifm](options.html#opt-services.ifm.enable).

- [OpenGFW](https://github.com/apernet/OpenGFW), an implementation of the Great Firewall on Linux. Available as [services.opengfw](#opt-services.opengfw.enable).

- [Rathole](https://github.com/rapiz1/rathole), a lightweight and high-performance reverse proxy for NAT traversal. Available as [services.rathole](#opt-services.rathole.enable).

- [Proton Mail bridge](https://proton.me/mail/bridge), a desktop application that runs in the background, encrypting and decrypting messages as they enter and leave your computer. Available as [services.protonmail-bridge](#opt-services.protonmail-bridge.enable).

- [chromadb](https://www.trychroma.com/), an open-source AI application database with batteries included. Available as [services.chromadb](options.html#opt-services.chromadb.enable).

- [bitmagnet](https://bitmagnet.io/), a self-hosted BitTorrent indexer, DHT crawler, content classifier and torrent search engine with WebUI, GraphQL API and Servarr stack integration.
  Available as [services.bitmagnet](options.html#opt-services.bitmagnet.enable).

- [Wakapi](https://wakapi.dev/), a time tracking software for programmers. Available as [services.wakapi](#opt-services.wakapi.enable).

- [foot](https://codeberg.org/dnkl/foot), a fast, lightweight and minimalistic Wayland terminal emulator. Available as [programs.foot](#opt-programs.foot.enable).

- [ToDesk](https://www.todesk.com/linux.html), a remote desktop application. Available as [services.todesk](#opt-services.todesk.enable).

- [Dependency Track](https://dependencytrack.org/), an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Available as [services.dependency-track](options.html#opt-services.dependency-track.enable).

- [Immich](https://github.com/immich-app/immich), a self-hosted photo and video backup solution. Available as [services.immich](#opt-services.immich.enable).

- [saunafs](https://saunafs.com), a distributed POSIX file system. Available as [services.saunafs](options.html#opt-services.saunafs.enable).

- [obs-studio](https://obsproject.com/), a free and open source software for video recording and live streaming. Available as [programs.obs-studio](#opt-programs.obs-studio.enable).

- [Veilid](https://veilid.com), a privacy-focused, headless server for data sharing and messaging on a peer-to-peer network. Available as [services.veilid](#opt-services.veilid.enable).

- [Fedimint](https://github.com/fedimint/fedimint), a module based system for building federated applications (Federated E-Cash Mint). Available as [services.fedimintd](#opt-services.fedimintd).

- [tiny-dfr](https://github.com/WhatAmISupposedToPutHere/tiny-dfr), a dynamic function row daemon for the Touch Bar found on some Apple laptops. Available as [hardware.apple.touchBar.enable](options.html#opt-hardware.apple.touchBar.enable).

- [Swapspace](https://github.com/Tookmund/Swapspace), a dynamic swap space manager that turns your unused free space into swap automatically. Available as [services.swapspace](#opt-services.swapspace.enable).

- [Zapret](https://github.com/bol-van/zapret), a DPI bypass tool. Available as [services.zapret](options.html#opt-services.zapret.enable).

- [Glances](https://github.com/nicolargo/glances), an open-source system cross-platform monitoring tool. Available as [services.glances](options.html#opt-services.glances).

## Backward Incompatibilities {#sec-release-24.11-incompatibilities}

- Nixpkgs now requires Nix 2.3.17 or newer to allow for zstd compressed binary artifacts.

- The `sound` options have been removed or renamed, as they had a lot of unintended side effects. See [below](#sec-release-24.11-migration-sound) for details.

- The NVIDIA driver no longer defaults to the proprietary kernel module with versions >= 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open modules.

- The `intel` driver for the X server (`services.xserver.videoDrivers = [ "intel" ]`) is no longer functional due to incompatibilities with the latest Mesa version.
  All users are strongly encouraged to switch to the generic `modesetting` driver (the default one) whenever possible; for more information, see the manual chapter on [Intel Graphics](#sec-x11--graphics-cards-intel) and issue [#342763](https://github.com/NixOS/nixpkgs/issues/342763).

- The `intel-compute-runtime` package dropped support for older GPUs, and only supports 12th Gen and newer from now on.
  Intel GPUs from Gen 8, 9 and 11 need to use the `intel-compute-runtime-legacy1` package in `hardware.graphics.extraPackages`.

- The `(buildPythonPackage { ... }).override` and `(buildPythonPackage { ...
  }).overrideDerivation` attributes are now deprecated and removed in favour of `overridePythonAttrs` and `lib.overrideDerivation`.
  This change does not affect the override interface of most Python packages, as [`<pkg>.override`](https://nixos.org/manual/nixpkgs/unstable/#sec-pkg-override) provided by `callPackage` shadows such a locally-defined `override` attribute.
  The `<pkg>.overrideDerivation` attribute of Python packages called with `callPackage` will also remain available after this change.

- All Cinnamon and XApp packages have been moved to top-level (i.e., `cinnamon.nemo` is now `nemo`).

- All GNOME packages have been moved to top-level (i.e., `gnome.nautilus` is now `nautilus`).

- `transmission` has been aliased with a `trace` warning to `transmission_3`, since [Transmission 4 was released last year](https://github.com/transmission/transmission/releases/tag/4.0.0) and Transmission 3 will eventually go away -- this is meant to make people aware of the new version. `services.transmission.package` now also defaults to `transmission_3`, as the upgrade can cause data loss in some cases (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up your data directory if you may be affected:
  - `transmission-gtk`: `~/.config/transmission`
  - `transmission-daemon` using NixOS module: `${config.services.transmission.home}/.config/transmission-daemon` (defaults to `/var/lib/transmission/.config/transmission-daemon`)

- The default `mongodb` version has been updated from 5.0 to 7.0.
  For more information, see the compatibility changes for MongoDB [6.0](https://www.mongodb.com/docs/manual/release-notes/6.0-compatibility/) and [7.0](https://www.mongodb.com/docs/manual/release-notes/7.0-compatibility/).

- `unifi` has been updated to UniFi 8.
  `unifi7` was removed as it is vulnerable to CVE-2024-42025 and required a version of MongoDB that has reached end of life.

- `androidenv.androidPkgs_9_0` has been removed. It is replaced with `androidenv.androidPkgs` for a more complete Android SDK, including support for Android 9 and later.

- The VirtualBox demo installer appliance has been removed.
  Please use the standard installer ISOs instead.

- `grafana` has been updated to version 11.3. This version doesn't support setting `http_addr` to a hostname anymore; an IP address is expected.

- `deno` has been updated to Deno 2, which has breaking changes.
  See the [migration guide](https://docs.deno.com/runtime/reference/migration_guide/) for details.

- `gogs` has been removed. Upstream development has stalled and it has several
  [critical vulnerabilities](https://github.com/gogs/gogs/issues/7777) that weren't addressed
  within a year. Consider migrating to `forgejo` or `gitea`.

- `knot-dns` has been updated to version 3.4.x. Check the [migration guide](https://www.knot-dns.cz/docs/latest/html/migration.html#upgrade-3-3-x-to-3-4-x) for breaking changes.

- `mutmut` has been updated to version 3.0.5.

- `services.kubernetes.kubelet.clusterDns` now accepts a list of DNS resolvers rather than a single string, bringing the module more in line with the upstream Kubelet configuration schema.

- `bluemap` has changed the format used to store map tiles, and the database layout has been heavily modified. Upstream recommends a clean reinstallation: <https://github.com/BlueMap-Minecraft/BlueMap/releases/tag/v5.2>. Unless you are using an SQL storage backend, this should only entail deleting the contents of `config.services.bluemap.coreSettings.data` (defaults to `/var/lib/bluemap`) and `config.services.bluemap.webRoot` (defaults to `/var/lib/bluemap/web`).

- `wstunnel` has had a major version upgrade that entailed rewriting the program in Rust.
  The module was updated to accommodate for breaking changes and breaking changes to the
  module options were minimised as much as possible. Nonetheless, some were inevitable due
  to changes in the upstream CLI. Certain options were moved from separate CLI arguments into
  the forward specifications, and those options were also removed from the module's options.
  Please consult the wstunnel man page for more details.
  Also be aware that if you have set additional options in `services.wstunnel.{clients,servers}.<name>.extraArgs`,
  they may have been modified or removed upstream.

- `gnat` and `gnatPackages` now use GNAT 13 instead of GNAT 12. This matches
  the default `gcc` version.

- `percona-server_8_4` and `mysql84` now have password authentication via the deprecated `mysql_native_password` disabled by default. This authentication plugin can be enabled via a CLI argument again; for detailed instructions and alternative authentication methods, [see upstream documentation](https://dev.mysql.com/doc/refman/8.4/en/native-pluggable-authentication.html). The config file directive `default_authentication_plugin` has been removed.

- Percona has decided not to follow the LTS/Innovation release scheme of upstream MySQL and thus [will only create releases for MySQL LTS versions](https://www.percona.com/blog/no-mysql-9-x-innovation-releases-from-percona/). Hence, the package names `percona-server_lts`, `percona-server_innovation`, `percona-xtrabackup_lts` and `percona-xtrabackup_innovation` are deprecated.
  - `percona-server` and `percona-server_lts` now point towards the new LTS release `percona-server_8_4`. The previous LTS continues to be supported and is available as `percona-server_8_0`. The same is true for the supporting `percona-xtrabackup` tooling.

- `clang-tools_<version>` packages have been moved into `llvmPackages_<version>` (i.e. `clang-tools_18` is now `llvmPackages_18.clang-tools`).
  - For convenience, the top-level `clang-tools` attribute remains and is now bound to `llvmPackages.clang-tools`.
  - Top-level `clang-tools_<version>` attributes are now aliases; these will be removed in a future release.

- `buildbot` was updated to 4.0 and the AngularJS frontend replaced by a React frontend. See the [upstream release notes](https://docs.buildbot.net/current/manual/upgrading/4.0-upgrade.html).

- `headscale` has been updated to version 0.23.0 which reworked large parts of the configuration, including DNS, Magic DNS prefixes and ACL policy files. See the [upstream changelog](https://github.com/juanfont/headscale/releases/tag/v0.23.0) for details.

- `nginx` package no longer includes the `gd` and `geoip` dependencies. To re-enable them, override `nginx` with the options `withImageFilter = true;` and `withGeoIP = true;`.

- `systemd.enableUnifiedCgroupHierarchy` has been removed.
  In systemd 256, support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now considered obsolete and systemd will refuse to boot under it by default.
  To forcibly re-enable cgroup v1 support, you can set `boot.kernelParams = [ "systemd.unified_cgroup_hierarchy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ]`.
  This is not an officially supported configuration and might cause your system to become unbootable in future versions. You are on your own.

- `nrfutil` -- which previously pointed to the now-deprecated `pc-nrfutil` Python package -- has been repackaged under the same name with the new nrfutil tool.

- `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components. Users needing this support can
  use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` package flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`).

- `security.ipa.ipaHostname` now defaults to the value of `networking.fqdn` if
  it is set, instead of the previous hardcoded default of
  `${networking.hostName}.${security.ipa.domain}`.

- The `MSMTP_QUEUE` and `MSMTP_LOG` environment variables accepted by `msmtpq` have been renamed to `MSMTPQ_Q` and `MSMTPQ_LOG` respectively.

- The logrotate service has been hardened and now requires enabling `allowNetworking` if network access is required.

- `mautrix-whatsapp` has been updated to version 0.11.0, which is a major rewrite of the bridge. Config file changes are required.

- qBittorrent has been updated to major version 5, which drops support for Qt 5.
  The `qbittorrent-qt5` package has been removed.

- The fcgiwrap module now allows multiple instances running as distinct users.
  The option `services.fcgiwrap` now takes an attribute set of the
  configuration of each individual instance.
  This requires migrating any previous configuration keys from
  `services.fcgiwrap.*` to `services.fcgiwrap.instances.some-instance.*`.
  The ownership and mode of the UNIX sockets created by this service are now
  configurable and private by default.
  Processes also now run as a dynamically allocated user by default instead of
  root.

- The `mautrix-signal` module was adapted to incorporate the configuration changes that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work.
  In case you want to update your configuration, make sure to check the NixOS manual.

- `cargo-tauri` has been updated to major version 2. Please review [the migration guide](https://tauri.app/start/migrate/from-tauri-1/).
  v1 of `cargo-tauri` is still available as `cargo-tauri_1`, but will be removed in future releases.

- The nvidia driver no longer defaults to the proprietary driver starting with version 560.
  You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver.

- `postgresql_12` has been removed since it reached its end of life.

- `postgresql` no longer accepts the `enableSystemd` override. Use `systemdSupport` instead.

- `postgresql` was split into default and -dev outputs. To make this work without circular dependencies, the output of the `pg_config` system view has been removed. The `pg_config` binary is provided in the -dev output and still works as expected.

- The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped.

- `postgresql` is now [hardened by default](#module-services-postgres-hardening) using the common `systemd` settings for that.

- The dhcpcd service (`networking.useDHCP`) has been hardened and now runs exclusively as the "dhcpcd" user.
  Users that were relying on the root privileges in `networking.dhcpcd.runHook` will have to write specific [sudo](security.sudo.extraRules) or [polkit](security.polkit.extraConfig) rules to allow dhcpcd to perform privileged actions.

  As part of these changes, the DHCP lease files directory has also been moved from `/var/db/dhcpcd` to `/var/lib/dhcpcd`. This migration is performed automatically, but users may have to update their backup configuration.

- `singularity-tools` has had the `storeDir` argument removed from its override interface and now uses `builtins.storeDir` instead.

- The `mkLayer` and `shellScript` build helpers in `singularity-tools` are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases.

- The `rust.toTargetArch`, `rust.toTargetOs`, `rust.toTargetFamily`, `rust.toTargetVendor`, `rust.toRustTarget`, `rust.toRustTargetSpec`, `rust.toRustTargetSpecShort`, and `rust.IsNoStdTarget` functions are deprecated in favour of the `rust.platform.arch`, `rust.platform.os`, `rust.platform.target-family`, `rust.platform.vendor`, `rust.rustcTarget`, `rust.rustcTargetSpec`, `rust.cargoShortTarget`, `rust.cargoEnvVarTarget`, and `rust.isNoStdTarget` platform attributes respectively.

- All Budgie and `budgiePlugins` packages have been moved to top-level (i.e.,
  `budgie.budgie-desktop` is now `budgie-desktop` and `budgiePlugins.budgie-media-player-applet`
  is now `budgie-media-player-applet`).

- The method of safely handling secrets in the `networking.wireless` module has been changed to benefit from a [new feature](https://w1.fi/cgit/hostap/commit/?id=e680a51e94a33591f61edb210926bcb71217a21a) of `wpa_supplicant`.
  The syntax to refer to secrets has changed slightly and the option `networking.wireless.environmentFile` has been replaced by `networking.wireless.secretsFile`; see the description of the latter for how to upgrade.

- NetBox was updated to `>= 4.1.0`.
  Have a look at the breaking changes
  of the [4.0 release](https://github.com/netbox-community/netbox/releases/tag/v4.0.0)
  and the [4.1 release](https://github.com/netbox-community/netbox/releases/tag/v4.1.0),
  make the required changes to your database, if needed,
  then upgrade by setting `services.netbox.package = pkgs.netbox_4_1;`
  in your configuration.

- `services.cgit` now runs as the cgit user by default instead of root.
  This change requires granting access to the repositories to this user or
  setting the appropriate one through `services.cgit.some-instance.user`.

- All Oracle JDKs and JREs (`oraclejdk`, `oraclejdk8`, `oraclejre`, `oraclejre8`,
  `jrePlugin`, `jre8Plugin`, `jdkdistro`, `oraclejdk8distro`, and `oraclejdk11`)
  were dropped due to being unmaintained and heavily insecure. OpenJDK provides
  compatible replacements for JDKs and JREs.

- `gradle_6` was removed due to being [unsupported upstream as of 10 Feb 2023](https://endoflife.date/gradle).
  Additionally, it had numerous security vulnerabilities that were only patched
  in later versions, such as [CVE-2021-29429](https://nvd.nist.gov/vuln/detail/CVE-2021-29429),
  [CVE-2021-29427](https://nvd.nist.gov/vuln/detail/CVE-2021-29427), [CVE-2021-29428](https://nvd.nist.gov/vuln/detail/CVE-2021-29428), and [CVE-2021-32751](https://nvd.nist.gov/vuln/detail/CVE-2021-32751).

- `nvimpager` was updated to version 0.13.0, which changes the order of user and
  nvimpager settings: user commands in `-c` and `--cmd` now override the
  respective default settings because they are executed later.

- `javacard-devkit` was dropped due to having a dependency on the Oracle JDK,
  as well as being several years out-of-date.

- Kubernetes `featureGates` have changed from a `listOf str` to `attrsOf bool`.
  This refactor makes it possible to also disable feature gates, without having
  to use `extraOpts` flags.

  A previous configuration may have looked like this:

  ```nix
  {
    featureGates = [ "EphemeralContainers" ];
    extraOpts = pkgs.lib.concatStringsSep " " ([ ''--feature-gates="CSIMigration=false"'' ]);
  }
  ```

  Using an attribute set instead, the new configuration would be:

  ```nix
  {
    featureGates = {
      EphemeralContainers = true;
      CSIMigration = false;
    };
  }
  ```

- `pkgs.nextcloud27` has been removed as it has reached EOL.

- The `environment.noXlibs` option has been removed.
  It was a common source of unexpected rebuilds and breakage that was often hard to diagnose.
  If you need to disable certain libraries, you're encouraged to add your own overlay to your configuration that targets the packages you care about.

- `frigate` was updated past 0.14.0. This release includes various breaking changes, so please review the [release notes](https://github.com/blakeblackshear/frigate/releases/tag/v0.14.0).
  Most prominently, access to the web interface and API is now protected by authentication. Retrieve the auto-created
  admin account from the `frigate.service` journal after upgrading.

- `nodePackages.coc-python` was dropped, as [its upstream is unmaintained](https://github.com/neoclide/coc-python). The associated `vimPlugins.coc-python` was also dropped.
  The upstream project recommends using `coc-pyright` or `coc-jedi` as replacements.

- `forgejo` has been upgraded from version 7.0 to version 9.0, see the release notes for [8.0](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0) and [9.0](https://codeberg.org/forgejo/forgejo/milestone/7235).

- `services.forgejo.mailerPasswordFile` has been deprecated by the drop-in replacement `services.forgejo.secrets.mailer.PASSWD`,
  which is part of the new free-form `services.forgejo.secrets` option.
  `services.forgejo.secrets` is a small wrapper over systemd's `LoadCredential=`. It has the same structure (sections/keys) as
  `services.forgejo.settings` but takes file paths that will be read before service startup instead of some plaintext value.
  `services.forgejo.package` now defaults to `forgejo-lts`, the Long Term Support version of Forgejo.

- `forgejo` and `forgejo-lts` no longer support the opt-in feature [PAM (Pluggable Authentication Module)](https://forgejo.org/docs/latest/user/authentication/#pam-pluggable-authentication-module).

- `gitea` no longer supports the opt-in feature [PAM (Pluggable Authentication Module)](https://docs.gitea.com/usage/authentication#pam-pluggable-authentication-module).

- `vuze` was removed because it is unmaintained upstream and insecure (CVE-2018-13417).
  BiglyBT is a maintained fork.

- `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead.

- `services.pgbouncer` systemd service is now configured with `Type=notify-reload` and allows reloading configuration without process restart. PgBouncer configuration options were moved to the freeform type option under [`services.pgbouncer.settings`](#opt-services.pgbouncer.settings).

- Docear was removed because it was unmaintained upstream.
  JabRef, Zotero, or Mendeley are potential replacements.

- `nodePackages.coc-metals` was removed due to being deprecated upstream.
  `vimPlugins.nvim-metals` is its official replacement.

- `matrix-sliding-sync` was removed because it has been replaced by the simplified sliding sync functionality introduced in matrix-synapse 114.0.

- `nodePackages.coc-tslint`, `vimPlugins.coc-tslint`, `nodePackages.coc-tslint-plugin`,
  and `vimPlugins.coc-tslint-plugin` were removed due to being deprecated upstream. The
  `nodePackages.coc-eslint` and `vimPlugins.coc-eslint` packages offer comparable
  features for `eslint`, which replaced `tslint`.

- Tcl packages have been moved into the `tclPackages` scope.

- `teleport` has been upgraded from major version 15 to major version 16.
  Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/)
  and [release notes for v16](https://goteleport.com/docs/changelog/#1600-061324).

- `tests.overriding`'s `passthru.tests` has been restructured as an attribute set instead of a list, making individual tests accessible by their names.

- `skk-dict` was split into multiple packages under `skkDictionaries`.
  If in doubt of what to use, try `skkDictionaries.l`. As part of this change, the dictionaries
  were moved from `$out/share` to `$out/share/skk`. The dictionaries also won't
  be converted to UTF-8 unless the `useUtf8` package option is enabled; UTF-8
  converted dictionaries will have the .utf8 suffix appended to their filenames.

- `vaultwarden` lost the capability to bind to privileged ports. If you rely on
  this behavior, override the systemd unit to allow `CAP_NET_BIND_SERVICE` in
  your configuration.

- `services.invoiceplane.sites.<name>.extraConfig` was removed. Configuration must now be done
  through the structured `services.invoiceplane.sites.<name>.settings` option.

- `services.ollama.sandbox` has been replaced with options to configure
  a static `user` and `group`. The `writablePaths` option has also been removed and
  the models directory is now always exempt from sandboxing.

- The `gns3-server` service now runs under the `gns3` system user
  instead of a dynamically created one via `DynamicUser`.
  The use of SUID wrappers is incompatible with systemd's `DynamicUser` setting,
  and GNS3 requires calling ubridge through its SUID wrapper to function properly.
  This change requires manually moving the following directories:
    * from `/var/lib/private/gns3` to `/var/lib/gns3`
    * from `/var/log/private/gns3` to `/var/log/gns3`

  and changing the ownership of these directories and their contents to `gns3` (including `/etc/gns3`).

- Legacy package `stalwart-mail_0_6` was dropped. Please note the
  [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
  before changing the package to `pkgs.stalwart-mail` in
  [`services.stalwart-mail.package`](#opt-services.stalwart-mail.package).

- `nomad_1_5` and `nomad_1_6` were dropped, as [they have reached end-of-life upstream](https://support.hashicorp.com/hc/en-us/articles/360021185113-Support-Period-and-End-of-Life-EOL-Policy). Evaluating them will throw an error.

- The default `nomad` package has been updated to 1.8.x. For more information, see [breaking changes for Nomad 1.8](https://developer.hashicorp.com/nomad/docs/upgrade/upgrade-specific#nomad-1-8-0).

- `androidndkPkgs` has been updated to `androidndkPkgs_26`.

- Android NDK version 26 and SDK version 33 are now the default versions used for cross compilation to Android.

- `ankisyncd` package and its `services.ankisyncd` have been removed. Use [`services.anki-sync-server`](#opt-services.anki-sync-server.enable) instead.

- `nodePackages.vscode-css-languageserver-bin`, `nodePackages.vscode-html-languageserver-bin`,
  and `nodePackages.vscode-json-languageserver-bin` were dropped due to an unmaintained upstream.
  The `vscode-langservers-extracted` package is a maintained drop-in replacement.

- `nodePackages.prisma` has been replaced by `prisma`.

- `fetchNextcloudApp` has been rewritten to use `fetchurl` rather than
  `fetchzip`. This invalidates all existing hashes, but you can restore the old
  behavior by passing it `unpack = true`.

- `haskell.lib.compose.justStaticExecutables` now disallows references to GHC in its
  output by default to alert users to closure size issues caused by
  [#164630](https://github.com/NixOS/nixpkgs/issues/164630).
  See ["Packaging Helpers" in the Haskell section of the Nixpkgs manual](https://nixos.org/manual/nixpkgs/unstable/#haskell-packaging-helpers)
  for information on working around `output '...' is not allowed to refer to the following paths` errors caused by this change.

- `services.stalwart-mail` now runs under the `stalwart-mail` system user
  instead of a dynamic one via `DynamicUser` in order to avoid automatic
  ownership changes on its large file store on service restart.
  This change requires manually moving the state directory from
  `/var/lib/private/stalwart-mail` to `/var/lib/stalwart-mail`, and
  changing the ownership of the directory and its content to `stalwart-mail`.

- `services.stalwart-mail` now uses RocksDB as the default storage backend
  for `stateVersion` ≥ 24.11. It was previously using SQLite for structured
  data and the filesystem for blobs.

- `services.stargazer` has been hardened to improve security, but these
  changes may break certain setups, particularly around traditional CGI.

  - `services.stargazer.allowCgiUser` has been added, enabling
    Stargazer's `cgi-user` option to work, which was previously broken.

- `services.shiori` now requires the HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided as an environment variable. `services.shiori.environmentFile` has been introduced to handle this:

  ```nix
  # This is how an environment file can be generated:
  # $ printf "SHIORI_HTTP_SECRET_KEY=%s\n" "$(openssl rand -hex 16)" > /path/to/env-file
  services.shiori.environmentFile = "/path/to/env-file";
  ```

- `/share/nano` is now only linked when `programs.nano.enable` is enabled.

- PPD files for Utax printers were renamed (spaces replaced by underscores) in the newest `foomatic-db` package. Users of Utax printers might need to adapt their `hardware.printers.ensurePrinters.*.model` value to account for this.

- `sqldeveloper` was dropped due to being severely out-of-date and having a dependency on
  JavaFX for Java 8, which we do not support.

- The `kvdo` kernel module package was removed as it was upstreamed in kernel version 6.9, where it is now called `dm-vdo`.

- `libe57format` has been updated to `>= 3.0.0`, which contains some backward-incompatible API changes. See the [release note](https://github.com/asmaloney/libE57Format/releases/tag/v3.0.0) for more details.

- `gitlab` deprecated support for *runner registration tokens* in GitLab 16.0, disabled their support in GitLab 17.0 and will
  ultimately remove it in GitLab 18.0 (as outlined in the
  [documentation](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#estimated-time-frame-for-planned-changes)).
  After upgrading to GitLab >= 17.0, it is possible to re-enable support for registration tokens in the UI until GitLab 18.0.
  Refer to the manual on [using registration tokens after GitLab 17.0](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170).
  GitLab administrators should migrate to the [new runner registration workflow](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170)
  with *runner authentication tokens* until the release of GitLab 18.0.

- `gitlab` has been updated from 16.x to 17.x and requires `postgresql` >= 14.9, as stated in the [documentation](https://docs.gitlab.com/17.1/ee/install/requirements.html#postgresql-requirements). Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation.

- `gitaly` (part of `gitlab`) is now using the bundled `git` package instead of `pkgs.git`, to maintain compatibility with GitLab.

- `nixos/gitlab` no longer adds `pkgs.git` to `environment.systemPackages` by default.

- The `replay-sorcery` package and module were removed as it is unmaintained upstream. Consider using `gpu-screen-recorder` or `obs-studio` instead.

- A few options of `services.samba` have been moved from `extraConfig` and `configText` to the new freeform option `settings` and renamed, e.g.:
  - `services.samba.invalidUsers` to `services.samba.settings.global."invalid users"`
  - `services.samba.securityType` to `services.samba.settings.global."security type"`
  - `services.samba.shares` to `services.samba.settings`
  - `services.samba.enableWinbindd` to `services.samba.winbindd.enable`
  - `services.samba.enableNmbd` to `services.samba.nmbd.enable`

- `zx` was updated to v8, which introduces several breaking changes.
  See the [v8 changelog](https://github.com/google/zx/releases/tag/8.0.0) for more information.

- `feishin` removed support for Navidrome `< v0.53.2` due to an API change. See the [v0.10.0 release notes](https://github.com/jeffvli/feishin/releases/tag/v0.10.0) for more information.

- `services.dnscrypt-wrapper` was removed, as the project has been effectively unmaintained since 2018. Moreover, the NixOS module had to rely on an abandoned version of `dnscrypt-proxy` v1 for the rotation of keys.
  To wrap a resolver with DNSCrypt, you can instead use `dnsdist`. See `services.dnsdist.dnscrypt`.

- The `portunus` package and service do not support weak password hashes anymore.
  If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing.
  Then, follow the instructions on the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all existing user accounts to strong password hashes.
  If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration:
  ```nix
  {
    services.portunus.package = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; };
    services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
  }
  ```

- The default value of `services.kubernetes.kubelet.hostname` is now lowercased.
  Explicitly set `kubelet.hostname` to `networking.fqdnOrHostName` to get back
  the old default behavior.

- Docker now defaults to 27.x, as version 24.x stopped receiving security updates and bug fixes after [February 1, 2024](https://github.com/moby/moby/pull/46772#discussion_r1686464084).

- `keycloak` was updated to version 25, which introduces new hostname related options.
  See [Upgrading Guide](https://www.keycloak.org/docs/25.0.1/upgrading/#migrating-to-25-0-0) for instructions.

- `programs.vim.defaultEditor` now only works if `programs.vim.enable` is enabled.

- `services.mautrix-meta` was updated to [0.4](https://github.com/mautrix/meta/releases/tag/v0.4.0). This release makes significant changes to the settings format. If you have custom settings you should migrate them to the new format. Unfortunately upstream provides little guidance for how to do this, but [the auto-migration code](https://github.com/mautrix/meta/blob/f5440b05aac125b4c95b1af85635a717cbc6dd0e/cmd/mautrix-meta/legacymigrate.go#L23) may serve as a useful reference. The NixOS module should warn you if you still have any old settings configured.

- The `nodePackages.shout` package has been removed because it was deprecated upstream in favor of `thelounge`.
  The `shout` top-level attribute was an alias to this package.
  The associated `services.shout` module has also been removed.

- `prometheus-openldap-exporter` was removed, as it was unmaintained both upstream and in nixpkgs.

- The `indi-full` package no longer contains non-free drivers.
  To get the old collection of drivers use `indi-full-nonfree` or create your own collection of drivers by overriding indi-with-drivers.
  E.g.: `pkgs.indi-with-drivers.override {extraDrivers = with pkgs.indi-3rdparty; [indi-gphoto];}`

- `/share/vim-plugins` now only gets linked if `programs.vim.enable` is enabled.

- The `services.guix` module now manages trusted substitute servers
  declaratively. Instead of `guix archive --authorize`, list keys with
  `services.guix.substituters.authorizedKeys`. Default substitute servers can be
  set via `services.guix.substituters.urls`.

- The `tracy` package no longer works on X11, since it's moved to Wayland
  support, which is the intended default behavior by Tracy maintainers.
  X11 users have to switch to the new package `tracy-x11`.

- `gollum` has been upgraded to major version 6. Please review their [migration notes](https://github.com/gollum/gollum/wiki/6.0-Release-Notes).

- `services.prometheus.exporters.minio` option has been removed, as its upstream implementation was broken and unmaintained.
  Minio now has built-in [Prometheus metrics exposure](https://min.io/docs/minio/linux/operations/monitoring/collect-minio-metrics-using-prometheus.html), which can be used instead.

- The `services.prometheus.exporters.tor` option has been removed, as its upstream implementation was broken and unmaintained.

- `services.patroni.raft` has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300).

- The `jd-cli` package was removed due to an inactive upstream and a dependency on the shut down
  JCenter JAR repository.
  Java decompilers already packaged in Nixpkgs include `bytecode-viewer` (GUI), `cfr` (CLI), and `procyon` (CLI).

- The `jd-gui` package was removed due to an inactive upstream and a dependency on the end-of-life Gradle 6.
  Java decompilers already packaged in Nixpkgs include `bytecode-viewer` (GUI), `cfr` (CLI), and `procyon` (CLI).

- `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset overhead introduced by the base64 encoding applied to attachments.

- `services.mxisd` has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are no longer maintained.
  Consequently, the package `ma1sd` has also been removed.

- The `rss-bridge` service drops support for loading a configuration file from `${config.services.rss-bridge.dataDir}/config.ini.php`.
  Consider using the `services.rss-bridge.config` option instead.

- `mikutter` has been removed, as the package was broken and had no maintainers in nixpkgs.

- `xdg.portal.gtkUsePortal` has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`.

- Support for the legacy CUPS browsing and LDAP have been removed from `services.printing`. If `cups` or `ldap` are in the `BrowseRemoteProtocols` setting in `services.printing.browsedConf`, it needs to be removed.

- `services.trust-dns` has been renamed to `services.hickory-dns`.

- `services.prometheus.exporters.pgbouncer.connectionStringFile` has been removed since
  it leaked the connection string (and thus potentially the DB password) into the cmdline
  of the process, making it effectively world-readable.

  Use [`services.prometheus.exporters.pgbouncer.connectionEnvFile`](#opt-services.prometheus.exporters.pgbouncer.connectionEnvFile) instead.

- `lsh` and `services.lshd` have been removed as they had no maintainer in Nixpkgs and no upstream release in over a decade. It is recommended to migrate to `openssh` and `services.openssh`.

- `ceph` has been upgraded to v19. See the [Ceph "squid" release notes](https://docs.ceph.com/en/latest/releases/squid/#v19-2-0-squid) for details and recommended upgrade procedure.

- `services.frr` has been refactored to use upstream service scripts. The per-daemon configurations
  have been removed in favour of an `integrated-vtysh-config` style config. The daemon submodules
  now use the daemon name (e.g. `ospfd`) instead of the protocol name (`ospf`). The daemons `zebra`,
  `mgmtd` and `staticd` are always enabled if a config is present. The `vtyListenAddress` and
  `vtyListenPort` options have been removed; use `options` or `extraOptions` instead, respectively.

- `opencv2` and `opencv3` have been removed, as they are obsolete and
  were not used by any other package. External users are encouraged to
  migrate to OpenCV 4.

- `tvheadend` package and the `services.tvheadend` module have been
  removed due to lack of maintenance in Nixpkgs and being stuck on
  an unmaintained version that required FFmpeg 4. Please see the related [pull
  request #332259](https://github.com/NixOS/nixpkgs/pull/332259) if you
  are interested in maintaining a newer version.

- `antennas` and `services.antennas` have been removed as they only work with `tvheadend` (see above).

- `system.build.brightboxImage` has been removed as it no longer built and has not seen any maintenance in over 7 years (excluding tree-wide changes).

- `services.syncplay` now exposes all currently available command-line arguments for `syncplay-server` as options, as well as a `useACMEHost` option for easy TLS setup.
  The systemd service now uses `DynamicUser`/`StateDirectory` and the `user` and `group` options have been deprecated.

- `openlens` was removed. It is recommended to use `lens-desktop` instead.

- `services.dnsmasq.extraConfig` has been removed, as it had been deprecated for over 2 years. This option has been replaced by `services.dnsmasq.settings`.

- The NixOS installation media no longer support the ReiserFS or JFS file systems by default.

- Minimal installer ISOs are no longer built on the small channel.
  Please obtain installer images from the full release channels.

- The default FFmpeg version is now 7.1, and FFmpeg 5 has been removed.
  Please prefer using the package variants without a version suffix,
  or pin FFmpeg 6 or 4 if necessary for compatibility.
  Note that we keep old versions around only as required
  to support packages in the tree,
  and FFmpeg 4 especially should be avoided in favour of newer versions
  as it may be removed soon.

- `openssl` now defaults to the latest version line `3.3.x`, instead of `3.0.x` before. While there should be no major code incompatibilities, newer OpenSSL versions typically strengthen the default security level. This means that you may have to explicitly allow weak ciphers, hashes and key lengths if necessary. See: [OpenSSL security level documentation](https://docs.openssl.org/3.3/man3/SSL_CTX_set_security_level/).

- `isync` has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details.

- Two new packages -- `gpauth` and `gpclient` from the 2.x version of the
  GlobalProtect-openconnect project -- are added in parallel to
  `globalprotect-openconnect`. The GUI components related to the project are
  non-free and not packaged.

- Compatible string matching for `hardware.deviceTree.overlays` has been changed to a more correct behavior. See [below](#sec-release-24.11-migration-dto-compatible) for details.

- `rustic` was upgraded to `0.9.0`, which contains [breaking changes to the config file format](https://github.com/rustic-rs/rustic/releases/tag/v0.9.0).

- `pkgs.formats.ini` and `pkgs.formats.iniWithGlobalSection` with
  `listsAsDuplicateKeys` or `listToValue` no longer merge non-list values into
  lists by default. Backwards-compatible behavior can be enabled with
  `atomsCoercedToLists`.

- Atlassian Server products have been removed, as support for the Atlassian Server
  products ended in February 2024 and there was insufficient interest in
  maintaining the Atlassian Data Center replacements:
  - The `atlassian-bamboo` package
  - The `atlassian-confluence` package and its `services.confluence` NixOS module
  - The `atlassian-crowd` package and its `services.crowd` NixOS module
  - The `atlassian-jira` package and its `services.jira` NixOS module

- `python3Packages.nose` has been removed, as it has been deprecated and unmaintained for almost a decade and does not work on Python 3.12.
  Please switch to `pytest` or another test runner/framework.

- `dotnet-sdk`, `dotnet-runtime`, and all other dotnet packages now use a
  wrapper package containing `bin/dotnet`, build hooks, etc. If you need to
  reference the underlying dotnet distribution (DOTNET_ROOT) you should use e.g.
  `dotnet-runtime.unwrapped`.

- The root of dotnet distribution packages (DOTNET_ROOT) is now under e.g.
  `${dotnet-sdk.unwrapped}/share/dotnet` instead of directly in the package
  root.
  This is consistent with packaging guidelines and more friendly for FHS
  environments.

- `dotnet-sdk`, `dotnet-runtime`, and `dotnet-aspnetcore` now point to dotnet 8
  rather than dotnet 6. For packages that still need dotnet 6, use
  `dotnet-sdk_6`, etc.

- torq has been removed because upstream went closed source.

## Other Notable Changes {#sec-release-24.11-notable-changes}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- The `zerocallusedregs` hardening flag is enabled by default on compilers that support it.

- The `stackclashprotection` hardening flag has been added, though disabled by default.

- The `pacret` hardening flag has been added, though disabled by default.

- `cargoSha256` in `rustPlatform.buildRustPackage` has been deprecated in favor
  of `cargoHash` which supports SRI hashes. See
  [buildRustPackage: Compiling Rust applications with Cargo](https://nixos.org/manual/nixpkgs/unstable/#compiling-rust-applications-with-cargo)
  for more information.

- The `vendorHash` of Go packages built with `buildGoModule` can now be overridden with `overrideAttrs`.
  `goModules`, `modRoot`, `vendorHash`, `deleteVendor`, and `proxyVendor` are now passed as derivation attributes.
  `goModules` and `vendorHash` are no longer placed under `passthru`.

- `buildFlags`/`buildFlagsArray` on `buildGoModule` have been deprecated. 24.11 is the last release where `buildGoModule` accepts these flags (while throwing a warning).
  Use the [`ldflags`](https://nixos.org/manual/nixpkgs/unstable/#var-go-ldflags) and/or [`tags`](https://nixos.org/manual/nixpkgs/unstable/#var-go-tags) attributes or
  [the environment](https://nixos.org/manual/nixpkgs/unstable/#ssec-go-environment) instead.

- `buildGoPackage` has been deprecated. 24.11 is the last release with `buildGoPackage` available.

- `hareHook` has been added as the language framework for Hare. From now on, it,
  not the `hare` package, should be added to `nativeBuildInputs` when building
  Hare programs.

- `virtualisation.docker.liveRestore` has been renamed to `virtualisation.docker.daemon.settings."live-restore"` and turned off by default for state versions of at least 24.11.

- Tailscale's `authKeyFile` can now have its corresponding parameters set through `config.services.tailscale.authKeyParameters`, allowing for non-ephemeral unsupervised deployment and more.
  See [Registering new nodes using OAuth credentials](https://tailscale.com/kb/1215/oauth-clients#registering-new-nodes-using-oauth-credentials) for the supported options.

- `nixosTests` now provide a working IPv6 setup for VLAN 1 by default.

- Kanidm can now be provisioned using the new [`services.kanidm.provision`] option, but requires using a patched version available via `pkgs.kanidm.withSecretProvisioning`.

- Kanidm previously had an incorrect systemd service type, causing dependent units with an `after` and `requires` directive to start before `kanidm*` finished startup. The module has now been updated in line with upstream recommendations.

- [`services.jupyter`](#opt-services.jupyter.enable) is now compatible with `Jupyter Notebook 7`. See [the migration guide](https://jupyter-notebook.readthedocs.io/en/latest/migrate_to_notebook7.html) for details.

- The kubelet configuration file can now be amended with arbitrary additional content using the `services.kubernetes.kubelet.extraConfig` option.

- The `services.seafile` module was updated to major version 11.
  - As part of this upgrade, the database backend will be migrated to MySQL.
    This process should be automatic, but in case of a botched migration,
    old sqlite files are not removed and can be used to manually migrate the database.
  - Additionally, the updated CSRF protection may prevent some users from logging in.
    Specific origin addresses can be whitelisted using the `services.seafile.seahubExtraConf` option
    (e.g. `services.seafile.seahubExtraConf = ''CSRF_TRUSTED_ORIGINS = ["https://example.com"]'';`).
    Note that the first solution of the [official FAQ answer](https://cloud.seatable.io/dtable/external-links/7b976c85f504491cbe8e/?tid=0000&vid=0000&row-id=BQhH-2HSQs68Nq2EW91DBA)
    is not allowed by the `services.nginx` module's config-checker.

- The new option `boot.binfmt.addEmulatedSystemsToNixSandbox` allows you to skip adding the emulated systems to `nix.settings.extra-platforms`. Now you can emulate foreign binaries locally while only building them on native remote builders.

- The latest available version of Nextcloud is v30 (available as `pkgs.nextcloud30`). The installation logic is as follows:
  - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
  - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud29` will be installed by default.
  - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.11, `pkgs.nextcloud30` will be installed by default.
  - Please note that an upgrade from v28 (or older) to v30 directly is not possible. Please upgrade to `nextcloud29` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud29;`](options.html#opt-services.nextcloud.package).

- To facilitate dependency injection, the `imgui` package now builds a static archive using vcpkg's CMake rules.
  The derivation now installs "impl" headers selectively instead of by a wildcard.
  Use `imgui.src` if you just want to access the unpacked sources.

- The new `boot.loader.systemd-boot.windows` option makes setting up dual-booting with Windows on a different drive easier.

- The `boot.loader.raspberryPi` options were marked as deprecated in 23.11 and have now been removed.

- Linux 4.19 has been removed because it will reach its end of life within the lifespan of 24.11.

- Unprivileged access to the kernel syslog via `dmesg` is now restricted by default. Users wanting to keep
  unrestricted access to it can set `boot.kernel.sysctl."kernel.dmesg_restrict" = false`.

- The `i18n.inputMethod` module introduces two new properties:
  `enable` and `type`, for declaring whether to enable an alternative input method and defining which input method, respectively. The options available in `type` are the same as the existing `enabled` option. `enabled` is now deprecated, and will be removed in a future release.

- `security.pam.u2f` now uses freeform options; all module options are now configurable through `security.pam.u2f.settings`.

- `mikutter` was removed as the package was broken and had no maintainers.

- `services.getty.autologinOnce` was added to limit the automatic login to once per boot and on the first tty only.
  When using full disk encryption, this option allows unlocking the system without retyping the passphrase while keeping the other ttys protected.

- Gollum was upgraded to major version 6. Read their [migration notes](https://github.com/gollum/gollum/wiki/6.0-Release-Notes).

- The hooks `yarnConfigHook` and `yarnBuildHook` were added. These should replace `yarn2nix.mkYarnPackage` and other `yarn2nix` related tools. The motivation to get rid of `yarn2nix` tools is the fact that they are too complex and hard to maintain, and they rely upon too much Nix evaluation which is problematic if import-from-derivation is not allowed (see more details at [#296856](https://github.com/NixOS/nixpkgs/issues/296856)).
  The transition from `mkYarnPackage` to `yarn{Config,Build}Hook` is tracked at [#324246](https://github.com/NixOS/nixpkgs/issues/324246).

- `services.timesyncd.servers` now defaults to `null`, allowing systemd-timesyncd to use NTP servers advertised by DHCP.

- `services.timesyncd.fallbackServers` was added and defaults to `networking.timeServers`.

- Cinnamon has been updated to 6.2. Please check the [upstream announcement](https://www.linuxmint.com/rel_wilma_whatsnew.php) for more details.
  Following Mint 22 defaults, the Cinnamon module no longer ships `geary` and `hexchat` by default.

- `zfs.latestCompatibleLinuxPackages` is deprecated and is now pointing at the default kernel. If using the stable LTS kernel (default `linuxPackages`) is not possible, then you must explicitly pin a specific kernel release. For example, `boot.kernelPackages = pkgs.linuxPackages_6_6`. Please be aware that non-LTS kernels are likely to go EOL before ZFS supports the latest supported non-LTS release, requiring manual intervention.

- The `shadowstack` hardening flag has been added, though disabled by default.

- `writeReferencesToFile` has been removed after its deprecation in 24.05. Use the trivial build helper `writeClosure` instead.

- `xxd` is now provided by the `tinyxxd` package rather than `vim.xxd` to reduce closure size and vulnerability impact. Since it has the same options and semantics as Vim's `xxd` utility, there is no user impact. Vim's `xxd` remains available as the `vim.xxd` package.

- The `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep). Available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep).

- Mattermost has been updated from 9.5 to 9.11 ESR.
  See the [changelog](https://docs.mattermost.com/about/mattermost-v9-changelog.html#release-v9-11-extended-support-release) for more details.

- `cargo-tauri.hook` was introduced to help users build [Tauri](https://tauri.app/) projects. It is meant to be used alongside
  `rustPlatform.buildRustPackage` and Node hooks such as `npmConfigHook`, `pnpm.configHook`, and the new `yarnConfig`

- `power.ups` now powers off UPSs during a power outage event.
  This saves UPS battery and ensures that host(s) get back up again when power comes back, even in the scenario when the UPS would have had enough capacity to keep power on during the whole power outage.
  If you like the old behaviour of keeping the UPSs on (and emptying the battery) after the host(s) have shut down, and risk not getting a power cycle event to get the host(s) back up, set `power.ups.upsmon.settings.POWERDOWNFLAG = null;`.

- `nixos-firewall-tool` now supports nftables in addition to iptables and is installed by default when NixOS firewall is enabled.

- Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)
  in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners
  should be changed to using *runner authentication tokens* by configuring
  {option}`services.gitlab-runner.services.<name>.authenticationTokenConfigFile` instead of the former
  {option}`services.gitlab-runner.services.<name>.registrationConfigFile` option.

- `iproute2` now has libbpf support.

  If you use extensions that are not packaged in nixpkgs, please review whether they still work
  with the current settings and adjust accordingly if needed.

- `nix.channel.enable = false` no longer implies `nix.settings.nix-path = []`.
  Since Nix 2.13, a `nix-path` set in `nix.conf` cannot be overridden by the `NIX_PATH` configuration variable.

- ZFS now imports its pools in `postResumeCommands` rather than `postDeviceCommands`. If you had `postDeviceCommands` scripts that depended on ZFS pools being imported, those now need to be in `postResumeCommands`.

- `services.automatic-timezoned.enable = true` will now set `time.timeZone = null`.
  This is to avoid silently shadowing a user's explicitly defined timezone without recognition on the user's part.

- `services.localtimed.enable = true` will now set `time.timeZone = null`.
  This is to avoid silently shadowing a user's explicitly defined timezone without recognition on the user's part.

- `qgis` and `qgis-ltr` are now built without `grass` by default. `grass` support can be enabled with `qgis.override { withGrass = true; }`.

- The `virtualisation.incus` module gained new `incus-user.service` and `incus-user.socket` systemd units. It is now possible to add a user to the `incus` group instead of `incus-admin` for increased security.

- `buildDotnetModule` now uses JSON-based instead of nix-based lockfiles.
  Support for nix-based lockfiles has been deprecated and will be dropped in release 25.11.

- `buildDotnetModule.fetch-deps` now generates a JSON lockfile by default.
  A nix-based lockfile will be generated if one existed before for compatibility; however, it has been deprecated and will be dropped in release 25.11.

- `freecad` now supports addons and custom configuration the Nix way, which can be used by calling `freecad.customize`.

- `buildNimSbom` was added as an alternative to `buildNimPackage`. `buildNimSbom` uses [SBOMs](https://cyclonedx.org/) to generate packages whereas `buildNimPackage` uses a custom JSON lockfile format.

## Detailed Migration Information {#sec-release-24.11-migration}

### `sound` options removal {#sec-release-24.11-migration-sound}

The `sound` options have been largely removed, as they are unnecessary for most modern setups, and cause issues when enabled.

If you set `sound.enable` in your configuration:
  - If you are using Pulseaudio or PipeWire, simply remove that option
  - If you are not using an external sound server, and want volumes to be persisted across shutdowns, set `hardware.alsa.enablePersistence = true` instead

If you set `sound.enableOSSEmulation` in your configuration:
  - Make sure it is still necessary, as very few applications actually use OSS
  - If necessary, set `boot.kernelModules = [ "snd_pcm_oss" ]`

If you set `sound.extraConfig` in your configuration:
  - If you are using another sound server, like Pulseaudio, JACK or PipeWire, migrate your configuration to that
  - If you are not using an external sound server, set `environment.etc."asound.conf".text = yourExtraConfig` instead

If you set `sound.mediaKeys` in your configuration:
  - Preferably switch to handling media keys in your desktop environment/compositor
  - If you want to maintain the exact behavior of the option, use the following snippet

```nix
# `pkgs` is taken from the module arguments so that `alsa-utils` resolves.
{ pkgs, ... }:
{
  services.actkbd =
    let
      volumeStep = "1%";
    in
    {
      enable = true;
      bindings = [
        # "Mute" media key
        {
          keys = [ 113 ];
          events = [ "key" ];
          command = "${pkgs.alsa-utils}/bin/amixer -q set Master toggle";
        }

        # "Lower Volume" media key
        {
          keys = [ 114 ];
          events = [
            "key"
            "rep"
          ];
          command = "${pkgs.alsa-utils}/bin/amixer -q set Master ${volumeStep}- unmute";
        }

        # "Raise Volume" media key
        {
          keys = [ 115 ];
          events = [
            "key"
            "rep"
          ];
          command = "${pkgs.alsa-utils}/bin/amixer -q set Master ${volumeStep}+ unmute";
        }

        # "Mic Mute" media key
        {
          keys = [ 190 ];
          events = [ "key" ];
          command = "${pkgs.alsa-utils}/bin/amixer -q set Capture toggle";
        }
      ];
    };
}
```

### `hardware.deviceTree.overlays` compatible string matching {#sec-release-24.11-migration-dto-compatible}

The original compatible string implementation in older NixOS versions relied on substring matching,
which is incorrect for overlays with multiple compatible strings and other cases.

The new behavior is consistent with what other tools already do - the overlay is considered applicable if,
and only if, _any_ of the compatible strings in the overlay matches _any_ of the compatible strings in the DT.

To provide some examples:

| Overlay `compatible` | DT `compatible` | Pre-24.11 behavior | Correct behavior | Notes                                      |
|----------------------|-----------------|--------------------|------------------|--------------------------------------------|
| `"foo"`              | `"foo", "bar"`  | match              | match            | Most common use case does not change       |
| `"foo"`              | `"foobar"`      | match              | no match         | Substrings should not be matched           |
| `"foo bar"`          | `"foo", "bar"`  | match              | no match         | Separators should not be matched to spaces |
| `"foo", "bar"`       | `"baz", "bar"`  | no match           | match            | One compatible string matching is enough   |

Note that this also allows writing overlays that explicitly apply to multiple boards.

## Nixpkgs Library {#sec-release-24.11-lib}

### Breaking changes {#sec-release-24.11-lib-breaking}

- [`lib.escapeShellArg`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.strings.escapeShellArg) and [`lib.escapeShellArgs`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.strings.escapeShellArgs): Arguments that don't need to be escaped won't be anymore, which is not breaking according to the functions' documentation, but it can cause breakages if used for the non-intended use cases.
- [`lib.warn msg val`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.trivial.warn) (and its relatives [`lib.warnIf`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.trivial.warnIf) and [`lib.warnIfNot`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.trivial.warnIfNot)) now require `msg` to be a string to match the behavior of the new [`builtins.warn`](https://nix.dev/manual/nix/2.25/language/builtins.html?highlight=warn#builtins-warn).
- `lib.mdDoc`: Removed after deprecation in the previous release.

### Additions and Improvements {#sec-release-24.11-lib-additions-improvements}

New and extended interfaces:
- [`lib.fromHexString`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.trivial.fromHexString): Convert a hexadecimal string to its integer representation.
- `lib.network.ipv6.fromString`: Parse an IPv6 address.
- [`lib.getLicenseFromSpdxIdOr`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.meta.getLicenseFromSpdxIdOr): Get the corresponding attribute in `lib.licenses` from an SPDX ID or fall back to the given default value.
- [`lib.licensesSpdx`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.meta.licensesSpdx): Mapping of SPDX ID to the attributes in `lib.licenses`.
- [`lib.getFirstOutput`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.attrsets.getFirstOutput): Like `getOutput` but with a list of fallback output names.
- [`lib.getInclude`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.attrsets.getInclude) and [`lib.getStatic`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.attrsets.getStatic): Get a package’s `include`/`static` output.
- [`lib.trim`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.strings.trim) and [`lib.trimWith`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.strings.trimWith): Remove leading and trailing whitespace from a string.
- [`lib.meta.defaultPriority`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.meta.defaultPriority): The default priority of packages in Nix.
- [`lib.toExtension`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.fixedPoints.toExtension): Convert to an extending function (overlay).
- `lib.fetchers.normalizeHash`: Convert an attrset containing one of `hash`, `sha256` or `sha512` into one containing `outputHash{,Algo}` as accepted by `mkDerivation`.
- `lib.fetchers.withNormalizedHash`: Wraps a function which accepts `outputHash{,Algo}` into one which accepts `hash`, `sha256` or `sha512`.
- Various builtins are now reexported in a more standard way:
  - `lib.map` -> `lib.lists.map` -> `builtins.map`
  - `lib.intersectAttrs` -> `lib.attrsets.intersectAttrs` -> `builtins.intersectAttrs`
  - `lib.removeAttrs` -> `lib.attrsets.removeAttrs` -> `builtins.removeAttrs`
  - `lib.match` -> `lib.strings.match` -> `builtins.match`
  - `lib.split` -> `lib.strings.split` -> `builtins.split`
  - `lib.typeOf` -> `builtins.typeOf`
  - `lib.unsafeGetAttrPos` -> `builtins.unsafeGetAttrPos`
- [`lib.cli.toGNUCommandLine`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.cli.toGNUCommandLine) now supports the `optionValueSeparator` argument attribute to control the key-value separator for arguments.

Documentation improvements:
- Much of the documentation has been migrated to the [standard doc-comment format](https://github.com/NixOS/rfcs/pull/145), including [`lib.derivations`](https://nixos.org/manual/nixpkgs/unstable/#sec-functions-library-derivations), [`lib.fixedPoints`](https://nixos.org/manual/nixpkgs/unstable/#sec-functions-library-fixedPoints), [`lib.gvariant`](https://nixos.org/manual/nixpkgs/unstable/#sec-functions-library-gvariant), [`lib.filesystem`](https://nixos.org/manual/nixpkgs/unstable/#sec-functions-library-filesystem), [`lib.strings`](https://nixos.org/manual/nixpkgs/unstable/#sec-functions-library-strings), [`lib.meta`](https://nixos.org/manual/nixpkgs/unstable/#sec-functions-library-meta).
- [`lib.generators` documentation](https://nixos.org/manual/nixpkgs/unstable/#sec-functions-library-generators) is now improved and rendered in the manual.
- [`lib.cli` documentation](https://nixos.org/manual/nixpkgs/unstable/#sec-functions-library-cli) is now improved and rendered in the manual.
- [`lib.composeExtensions`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.fixedPoints.composeExtensions) and [`lib.composeManyExtensions`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.fixedPoints.composeManyExtensions) documentation is now improved.
- [`lib.importTOML`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.trivial.importTOML) and [`lib.importJSON`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.trivial.importJSON)'s documentation now have an example.

Module System:
- `lib.importApply`: New function, imports a Nix expression file much like the module system would, after passing an extra positional argument to the function in the file.
- Improve error message when accessing an option that isn't defined.
- `lib.types.anything`: Don't fail to merge when specifying the same list multiple times.
- Improve error when loading a flake as a module.

### Deprecations {#sec-release-24.11-lib-deprecations}

- [`lib.options.mkPackageOptionMD`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOptionMD) is now obsolete; use the identical [`lib.options.mkPackageOption`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.options.mkPackageOption) instead.
- `lib.misc.mapAttrsFlatten` is now formally deprecated and will be removed in future releases; use the identical [`lib.attrsets.mapAttrsToList`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.attrsets.mapAttrsToList) instead.
- `lib.isInOldestRelease`: Renamed to [`oldestSupportedReleaseIsAtLeast`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.trivial.oldestSupportedReleaseIsAtLeast) and deprecated.

## NixOS Wiki {#sec-release-24.11-wiki}

The official NixOS Wiki at [wiki.nixos.org](https://wiki.nixos.org/) was launched in April 2024, featuring
content initially copied from the community wiki. The wiki enhances the official documentation, linking to
existing resources and providing a categorization system for easy navigation, and is guided by a new "Manual
of Style" — a contribution guide and enhanced templates. It offers a wealth of new information, including
articles on applications, desktop environments, and a growing number of translations in multiple languages.
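
The matching rule from the `hardware.deviceTree.overlays` migration section above, replayed over the four table rows as an added Python example (not code from nixpkgs). The function names are hypothetical, the byte strings are constructed, and the pre-24.11 column is modelled as a substring test on space-joined strings, an assumption chosen because it reproduces the table.

```python
"""Device tree overlay applicability: whole-string any-of-any vs. substring matching.

Added illustration, not nixpkgs code. All inputs are constructed sample data.
"""


def parse_compatible(raw: bytes) -> list[str]:
    """Decode a `compatible` property: a sequence of NUL-terminated strings."""
    if not raw:
        return []
    if not raw.endswith(b"\x00"):
        raise ValueError("compatible property must end with a NUL terminator")
    return [part.decode("ascii") for part in raw[:-1].split(b"\x00")]


def legacy_substring_match(overlay: list[str], dt: list[str]) -> bool:
    """Model of the pre-24.11 column (assumption): both lists are flattened to
    one space-joined string and the overlay text is searched inside the DT text."""
    return " ".join(overlay) in " ".join(dt)


def overlay_applies(overlay: list[str], dt: list[str]) -> bool:
    """24.11 rule: some overlay string equals some DT string, compared whole."""
    return not set(overlay).isdisjoint(dt)


# Constructed property values mirroring the four table rows, in table order:
# (overlay `compatible` bytes, DT `compatible` bytes).
TABLE_ROWS = [
    (b"foo\x00", b"foo\x00bar\x00"),
    (b"foo\x00", b"foobar\x00"),
    (b"foo bar\x00", b"foo\x00bar\x00"),
    (b"foo\x00bar\x00", b"baz\x00bar\x00"),
]


def evaluate(rows=TABLE_ROWS) -> list[tuple[bool, bool]]:
    """Return (legacy result, 24.11 result) for every row."""
    results = []
    for overlay_raw, dt_raw in rows:
        overlay = parse_compatible(overlay_raw)
        dt = parse_compatible(dt_raw)
        results.append((legacy_substring_match(overlay, dt), overlay_applies(overlay, dt)))
    return results


def changed_rows(rows=TABLE_ROWS) -> list[int]:
    """Indices of rows whose applicability differs between the two rules.

    These are the overlay/board pairs worth re-checking when upgrading."""
    return [i for i, (old, new) in enumerate(evaluate(rows)) if old != new]


if __name__ == "__main__":
    for (overlay_raw, dt_raw), (old, new) in zip(TABLE_ROWS, evaluate()):
        print(f"{overlay_raw!r:22} {dt_raw!r:22} legacy={old!s:5} 24.11={new}")
    print("rows that change behaviour:", changed_rows())
```

Rows 2 and 3 are overlays that used to be applied to a device tree they do not name, and row 4 is an overlay that was silently skipped on a board it does name.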