Skip to content

Latest commit

 

History

History
507 lines (316 loc) · 47.3 KB

rl-2505.section.md

File metadata and controls

507 lines (316 loc) · 47.3 KB

Nixos 25.05 (“Warbler”, 2025.05/??) {#sec-release-25.05}

Highlights {#sec-release-25.05-highlights}

  • Initial support for the COSMIC DE, a Rust-based desktop environment by System76, makers of Pop!_OS. Toggle the greeter (login manager) using services.displayManager.cosmic-greeter.enable and the DE itself with services.desktopManager.cosmic.enable. Mostly stable but still experimental. Please report any issues to the COSMIC DE tracker in Nixpkgs instead of upstream.

  • services.dex now restarts upon changes to the .environmentFile or entries in .settings.staticClients[].secretFile when the entry is a path type.

  • nixos-rebuild-ng, a full rewrite of nixos-rebuild in Python, is available for testing. You can enable it by setting system.rebuild.enableNg in your configuration (this will replace the old nixos-rebuild), or by adding nixos-rebuild-ng to your environment.systemPackages (in this case, it will live side-by-side with nixos-rebuild as nixos-rebuild-ng). It is expected that the next major version of NixOS (25.11) will enable system.rebuild.enableNg by default.

  • The nixos-generate-config command now supports a optional --flake option, which will generate a flake.nix file alongside the configuration.nix and hardware-configuration.nix, providing an easy instroduction into flake-based system configurations.

  • A nixos-rebuild build-image sub-command has been added. It allows users to build platform-specific (disk) images from their NixOS configurations. nixos-rebuild build-image works similar to the popular nix-community/nixos-generators project. See new section on image building in the NixOS manual. It is also available for nixos-rebuild-ng.

  • nixos-option has been rewritten to a Nix expression called by a simple bash script. This lowers our maintenance threshold, makes eval errors less verbose, adds support for flake-based configurations, descending into attrsOf and listOf submodule options, and --show-trace.

  • The intel video driver for X.org (from the xf86-video-intel package) which was previously removed because it was non-functional has been fixed and the driver has been re-introduced.

  • The Mattermost module ({option}services.mattermost) and packages (mattermost and mmctl) have been substantially updated:

    • {option}services.mattermost.preferNixConfig now defaults to true if you advance {option}system.stateVersion to 25.05. This means that if you have {option}services.mattermost.mutableConfig set, NixOS will override your settings to those that you define in the module. It is recommended to leave this at the default, even if you used a mutable config before, because it will ensure that your Mattermost data directories are correct. If you moved your data directories, you may want to review the module changes before upgrading.
    • Mattermost telemetry reporting is now disabled by default, though security update notifications are enabled. Look at {option}services.mattermost.telemetry for options to control this behavior.
    • pkgs.mattermost has been updated from 9.11 to 10.5 to track the latest extended support release, since 9.11 will become end-of-life during the lifetime of NixOS 25.05.
    • pkgs.mattermostLatest is now an option to track the latest (non-prerelease) Mattermost release. We test upgrade migrations from ESR releases (pkgs.mattermost) to pkgs.mattermostLatest.
    • The Mattermost frontend is now built from source and can be overridden.
      • Note that the Mattermost derivation containing both the webapp and server is now wrapped to allow them to be built independently, so overrides to both webapp and server look like mattermost.overrideAttrs (prev: { webapp = prev.webapp.override { ... }; server = prev.server.override { ... }; }) now.
    • services.mattermost.listenAddress has been split into {option}services.mattermost.host and {option}services.mattermost.port. If your listenAddress contained a port, you will need to edit your configuration.
    • Mattermost now supports peer authentication on both MySQL and Postgres database backends. Updating {option}system.stateVersion to 25.05 or later will result in peer authentication being used by default if the Mattermost server would otherwise be connecting to localhost. This is the recommended configuration.
    • The Mattermost module will produce eval warnings if a database password would end up in the Nix store, and recommend alternatives such as peer authentication or using the environment file.
    • Mattermost's entire test suite is now enabled by default, which will extend build time from sources by up to an hour. A withoutTests passthru has been added in case you want to skip it.
    • We now support mmctl for Mattermost administration if both {option}services.mattermost.socket.enable and {option}services.mattermost.socket.export are set, which export the Mattermost control socket path into the system environment.
    • A new pkgs.mattermost.buildPlugin function has been added, which allows plugins to be built from source, including webapp frontends with a supported package-lock.json. See the Mattermost NixOS test and manual for an example.
    • Note that the Mattermost module will create an account without a well-known UID if the username differs from the default (mattermost). If you used Mattermost with a nonstandard username, you may want to review the module changes before upgrading.

  • androidenv has been updated:

    • All versions specified in composeAndroidPackages now track latest. Android packages are automatically updated on unstable, and run the androidenv test suite on every update.
    • Some androidenv packages are now searchable on search.nixos.org.
    • We now use the latest Google repositories, which should improve aarch64-darwin compatibility. The SDK now additionally evaluates on aarch64-linux, though not all packages are functional.

New Modules {#sec-release-25.05-new-modules}

Backward Incompatibilities {#sec-release-25.05-incompatibilities}

  • services.rippled has been removed, as rippled was broken and had not been updated since 2022.

  • services.rippleDataApi has been removed, as ripple-data-api was broken and had not been updated since 2022.

  • The nixos/modules/virtualisation/amazon-ec2-amis.nix file is not supported anymore since 24.05. It will throw and error starting 25.05 with instructions the following instructions: The canonical source for NixOS AMIs is the AWS API. Please see https://nixos.org/download/#nixos-amazon or https://nixos.github.io/amis/ for instructions.

  • The udev rules of the libjaylink package require users to be in the jlink instead of plugdev group now, since the plugdev group is very uncommon for NixOS. Alternatively, access is granted to seat sessions.

  • The latest available version of Nextcloud is v31 (available as pkgs.nextcloud31). The installation logic is as follows:

  • services.cloudflare-dyndns.apiTokenFile now must be just your Cloudflare api token. Previously it was supposed to be a file of the form CLOUDFLARE_API_TOKEN=....

  • is unset by default, the previous default was sqlite. This was done because sqlite is not a reasonable default since it's not recommended by upstream and thus doesn't qualify as default.

  • Nextcloud's default FPM pool settings have been increased according to upstream recommentations. It's advised to review the new defaults and description of .

  • The services.locate module does no longer support findutil's locate due to its inferior performance compared to mlocate and plocate. The new default is plocate. As the service.locate.localuser option only applied when using findutil's locate, it has also been removed.

  • services.paperless now installs paperless-manage as a normal system package instead of creating a symlink in /var/lib/paperless. paperless-manage now also changes to the appropriate user when being executed.

  • asusd has been upgraded to version 6 which supports multiple aura devices. To account for this, the single auraConfig configuration option has been replaced with auraConfigs which is an attribute set of config options per each device. The config files may also be now specified as either source files or text strings; to account for this you will need to specify that text is used for your existing configs, e.g.:

    -services.asusd.asusdConfig = '''file contents'''
+services.asusd.asusdConfig.text = '''file contents'''

  • linuxPackages.nvidiaPackages.stable now defaults to the production variant instead of latest.

  • timescaledb requires manual upgrade steps. After you run ALTER EXTENSION, you must run this SQL script. For more details, see the following pull requests #6797. PostgreSQL 13 is no longer supported in TimescaleDB v2.16.

  • virtualisation/azure-common.nix's filesystem and grub configurations have been moved to virtualisation/azure-image.nix. This makes azure-common.nix more generic so it could be used for users who generate Azure image using other methods (e.g. nixos-generators and disko). For existing users depending on these configurations, please also import azure-image.nix.

  • zammad has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the migration guide for how to convert your database to PostgreSQL.

  • tauon 7.9.0+ when launched for the first time, migrates its database to a new schema that is not backwards compatible. Older versions will refuse to start at all with that database afterwards. If you need to still use older tauon versions, make sure to back up ~/.local/share/TauonMusicBox.

  • aws-workspaces has dropped support for PCoiP networking.

  • The earlyoom service is now using upstream systemd service, which enables hardening and filesystem isolation by default. If you need filesystem write access or want to access home directory via killHook, hardening setting can be changed via, e.g. systemd.services.earlyoom.serviceConfig.ProtectSystem.

    services.earlyoom.extraArgs is now shell-escaped for each element without word-breaking. So you want to write extraArgs = [ "--prefer" "spaced pat" ] rather than previous extraArgs = [ "--prefer 'spaced pat'" ].

  • programs.less.lessopen is now null by default. To restore the previous behaviour, set it to ''|${lib.getExe' pkgs.lesspipe "lesspipe.sh"} %s''.

  • hardware.pulseaudio has been renamed to services.pulseaudio. The deprecated option names will continue to work, but causes a warning.

  • services.nextcloud now uses systemd's credential mechanism to read in secret files. The nextcloud-occ wrapper script implements this using systemd-run, as such it now also requires root privileges or $CREDENTIALS_DIRECTORY set where running it as user nextcloud was enough previously.

  • services.mongodb.initialRootPassword has been replaced with the more secure option services.mongodb.initialRootPasswordFile

  • services.bird2 has been renamed to services.bird and the default bird package has been switched to bird3. bird2 can still be chosen via the services.bird.package option.

  • DokuWiki with the Caddy webserver (services.dokuwiki.webserver = "caddy") now sets up sites with Caddy's automatic HTTPS instead of HTTP-only. To keep the old behavior for a site example.com, set services.caddy.virtualHosts."example.com".hostName = "http://example.com". If you set custom Caddy options for a DokuWiki site, migrate these options by removing http:// from services.caddy.virtualHosts."http://example.com".

  • Wordpress with the Caddy webserver (services.wordpress.webserver = "caddy") now sets up sites with Caddy's automatic HTTPS instead of HTTP-only. Given a site example.com, http://example.com now 301 redirects to https://example.com. To keep the old behavior for a site example.com, set services.caddy.virtualHosts."example.com".hostName = "http://example.com".

  • slskd has been updated to v0.22.3, which includes breaking changes to script integrations. Please review the changelog and the accompanying pull request.

  • The behavior of services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers was changed to not include CCMP-256 anymore. Since all configured pairwise ciphers have to be supported by the radio, this caused startup failures on many devices which is hard to debug in hostapd.

  • The conduwuit matrix server implementation has officially been discontinued by upstream and the package has thus been marked as vulnerable, as it is a security-sensitive package that has reached EOL.

  • gkraken software and hardware.gkraken.enable option have been removed, use coolercontrol via programs.coolercontrol.enable option instead.

  • To avoid delaying user logins unnecessarily the multi-user.target is no longer ordered after network-online.target. System services requiring a connection to start correctly must explicitly state so, i.e.

    systemd.services.<name> = {
  wants = [ "network-online.target" ];
  after = [ "network-online.target" ];
};

    This changed follows a deprecation period of one year started in NixOS 24.05 (see PR #283818).

  • The values of services.borgbackup.jobs.*.extraArgs and other extra*Args options are now represented as Bash arrays. If these arguments were modified using services.borgbackup.jobs.*.preHook, they will need to be adjusted to append to these arrays, i.e.

    -extraCreateArgs="$extraCreateArgs --exclude /some/path"
+extraCreateArgs+=("--exclude" "/some/path")

  • programs.xonsh.package now gets overrided internally with extraPackages to support programs.xonsh.extraPackages. See programs.xonsh.extraPackages for more details.

  • services.nitter.guestAccounts has been renamed to services.nitter.sessionsFile, for consistency with upstream. The file format is unchanged.

  • virtualisation.azure.agent option provided by azure-agent.nix is replaced by services.waagent, and will be removed in a future release.

  • The ZFS import service now respects fileSystems.*.options = [ "noauto" ]; and does not add that pool's import service to zfs-import.target, meaning it will not be automatically imported at boot.

  • Default file names of images generated by several builders in system.build have been changed as outlined in the table below.

    Names are now known at evaluation time and customizable via the new options image.baseName, image.extension, image.fileName and image.filePath with the latter returning a path relative to the derivations out path (e.g. iso/${image.fileName for iso images).

    | system.build Option | Old Filename | New Filename | |--------------------------+------------------------------------------------------------+-----------------------------------------------------------------| | amazonImage | nixos-amazon-image-25.05pre-git-x86_64-linux.vhd | nixos-image-amazon-25.05pre-git-x86_64-linux.vhd | | azureImage | disk.vhd | nixos-image-azure-25.05pre-git-x86_64-linux.vhd | | digitalOceanImage | nixos.qcow2.gz | nixos-image-digital-ocean-25.05pre-git-x86_64-linux.qcow2.gz | | googleComputeImage | nixos-image-25.05pre-git-x86_64-linux.raw.tar.gz | nixos-image-google-compute-25.05pre-git-x86_64-linux.raw.tar.gz | | hypervImage | nixos-25.05pre-git-x86_64-linux.vhdx | nixos-image-hyperv-25.05pre-git-x86_64-linux.vhdx | | isoImage (installer) | nixos-25.05pre-git-x86_64-linux.iso | nixos-image-25.05pre-git-x86_64-linux.iso | | isoImage | nixos.iso | nixos-image-25.05pre-git-x86_64-linux.iso | | kubevirtImage | nixos.qcow2 | nixos-image-kubevirt-25.05pre-git-x86_64-linux.qcow2 | | linodeImage | nixos-image-25.05pre-git-x86_64-linux.img.gz | nixos-image-linode-25.05pre-git-x86_64-linux.img.gz | | metadata (lxc-container) | nixos-system-x86_64-linux.tar.xz | nixos-image-lxc-metadata-25.05pre-git-x86_64-linux.tar.xz | | OCIImage | nixos.qcow2 | nixos-image-oci-25.05pre-git-x86_64-linux.qcow2 | | openstackImage (zfs) | nixos-openstack-image-25.05pre-git-x86_64-linux.root.qcow2 | nixos-image-openstack-zfs-25.05pre-git-x86_64-linux.root.qcow2 | | openstackImage | nixos.qcow2 | nixos-image-openstack-25.05pre-git-x86_64-linux.qcow2 | | sdImage | nixos-sd-image-25.05pre-git-x86_64-linux.img.zst | nixos-image-sd-card-25.05pre-git-x86_64-linux.img.zst | | tarball (lxc-container) | nixos-system-x86_64-linux.tar.xz | nixos-image-lxc-25.05pre-git-x86_64-linux.tar.xz | | tarball (proxmox-lxc) | nixos-system-x86_64-linux.tar.xz | nixos-image-lxc-proxmox-25.05pre-git-x86_64-linux.tar.xz | | vagrantVirtualbox | nixos-25.05pre-git-x86_64-linux.ova | nixos-image-virtualbox-25.05pre-git-x86_64-linux.ova | | virtualBoxOVA | virtualbox-vagrant.box | nixos-image-vagrant-virtualbox-25.05pre-git-x86_64-linux.ova | | vmwareImage | nixos-25.05pre-git-x86_64-linux.vmdk | nixos-image-vmware-25.05pre-git-x86_64-linux.vmdk |

  • security.apparmor.policies.<name>.enforce and security.apparmor.policies.<name>.enable were removed. Configuring the state of apparmor policies must now be done using security.apparmor.policies.<name>.state tristate option.

  • services.graylog.package now defaults to graylog-6_0 as previous default graylog-5_1 is EOL and therefore removed. Check the migration guides on 5.1→5.2 and 5.2→6.0 for breaking changes.

  • programs.clash-verge.tunMode was deprecated and removed because now service mode is necessary to start program. Without programs.clash-verge.enable, clash-verge-rev will refuse to start.

  • services.netbird.tunnels was renamed to services.netbird.clients, hardened (using dedicated less-privileged users) and significantly extended.

Other Notable Changes {#sec-release-25.05-notable-changes}

  • virtualisation.containers with backend "podman" now supports rootless containers and sd_notify(3)-integration based on container healthchecks.

  • Cinnamon has been updated to 6.4, please check the upstream announcement for more details.

    • Following changes in Mint 22 we are no longer overriding Qt application styles. You can still restore the previous default with qt.style = "gtk2" and qt.platformTheme = "gtk2".
    • Following changes in Mint 20 we are replacing xplayer with celluloid since xplayer is no longer maintained.

  • Pantheon has been updated to 8, please check the upstream announcement for more details.

    • Same as elementary OS, the X11 session is named "Classic Session" and the Wayland session is named "Secure Session".
    • The dock has been rewritten, you need to manually migrate the dock items on update. You can check ~/.config/plank/dock1/launchers/ for your previous settings.

  • Xfce has been updated to 4.20, please check the upstream feature tour for more details.

  • system.stateVersion is now validated and must be in the "YY.MM" format, ideally corresponding to a prior NixOS release.

  • services.mysql now supports easy cluster setup via services.mysql.galeraCluster option.

    Example:

    services.mysql = {
  enable = true;
  galeraCluster = {
    enable = true;
    localName = "Node 1";
    localAddress = "galera_01";
    nodeAddresses = [ "galera_01" "galera_02" "galera_03"];
  };
};

  • services.geoclue2 now has an enableStatic option, which allows the NixOS configuration to specify a fixed location for GeoClue to use.

  • services.mongodb is now compatible with the mongodb-ce binary package. To make use of it, set services.mongodb.package to pkgs.mongodb-ce.

  • services.jupyter is now compatible with Jupyter Notebook 7. See the migration guide for details.

  • networking.wireguard now has an optional networkd backend. It is enabled by default when networking.useNetworkd is enabled, and it can be enabled alongside scripted networking with networking.wireguard.useNetworkd. Some networking.wireguard options have slightly different behavior with the networkd and script-based backends, documented in each option.

  • The stackclashprotection hardening flag has been enabled by default on compilers that support it.

  • services.rss-bridge now has a package option as well as support for caddy as reverse proxy.

  • services.avahi.ipv6 now defaults to true.

  • In the services.xserver.displayManager.startx module, two new options generateScript and extraCommands have been added to to declaratively configure the .xinitrc script.

  • All services that require a root certificate bundle now use the value of a new read-only option, security.pki.caBundle.

  • hddfancontrol has been updated to major release 2. See the migration guide, as there are breaking changes.

  • nextcloud-news-updater is unmaintained and was removed from nixpkgs.

  • services.cloudflared now uses a dynamic user, and its user and group options have been removed. If the user or group is still necessary, they can be created manually.

  • The Home Assistant module has new options {option}services.home-assistant.blueprints.automation, services.home-assistant.blueprints.script, and {option}services.home-assistant.blueprints.template that allow for the declarative installation of blueprints into the appropriate configuration directories.

  • services.dovecot2.modules have been removed, now need to use environment.systemPackages to load additional Dovecot modules.

  • services.kmonad now creates a determinate symlink (in /dev/input/by-id/) to each of KMonad virtual devices.

  • services.searx now supports configuration of the favicons cache and other options available in SearXNG's favicons.toml file

  • services.gitea now supports CAPTCHA usage through the services.gitea.captcha variable.

  • services.soft-serve now restarts upon config change.

  • services.keycloak now provides a realmFiles option that allows to import realms during startup. See https://www.keycloak.org/server/importExport

  • bind.cacheNetworks now only controls access for recursive queries, where it previously controlled access for all queries.

  • services.mongodb.enableAuth now uses the newer mongosh shell instead of the legacy shell to configure the initial superuser. You can configure the mongosh package to use through the services.mongodb.mongoshPackage option.

  • The paperless module now has an option for regular automatic export of documents data using the integrated document exporter.

  • New options for the declarative configuration of the user space part of ALSA have been introduced under hardware.alsa, including setting the default capture and playback device, defining sound card aliases and volume controls. Note: these are intended for users not running a sound server like PulseAudio or PipeWire, but having ALSA as their only sound system.

  • services.k3s now provides the autoDeployCharts option that allows to automatically deploy Helm charts via the k3s Helm controller.

  • Caddy can now be built with plugins by using caddy.withPlugins, a passthru function that accepts an attribute set as a parameter. The plugins argument represents a list of Caddy plugins, with each Caddy plugin being a versioned module. The hash argument represents the vendorHash of the resulting Caddy source code with the plugins added.

    Example:

    services.caddy = {
  enable = true;
  package = pkgs.caddy.withPlugins {
    plugins = [
      # tagged upstream
      "github.com/caddy-dns/[email protected]"
      # pseudo-version number generated by Go
      "github.com/caddy-dns/[email protected]"
      "github.com/mholt/[email protected]"
    ];
    hash = "sha256-wqXSd1Ep9TVpQi570TTb96LwzNYvWL5EBJXMJfYWCAk=";
  };
};

    To get the necessary hash of the vendored dependencies, omit hash. The build will fail and tell you the correct value.

    Note that all provided plugins must have versions/tags (string after @), even if upstream repo does not tag each release. For untagged plugins, you can either create an empty Go project and run go get <plugin> and see changes in go.mod to get the pseudo-version number, or provide a commit hash in place of version/tag for the first run, and update the plugin string based on the error output.

  • KDE Partition Manager partitionmanager's support for ReiserFS is removed. ReiserFS has not been actively maintained for many years. It has been marked as obsolete since Linux 6.6, and is removed in Linux 6.13.

  • authelia version 4.39.0 has made some changes which deprecate older configurations. They are still expected to be working until future version 5.0.0, but will generate warnings in logs. Read the release notes for human readable summaries of the changes.

  • programs.fzf.keybindings now supports the fish shell.

  • A toggle has been added under users.users.<name>.enable to allow toggling individual users conditionally. If set to false, the user account will not be created.

../release-notes-nixpkgs/rl-2505.section.md