mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-09 09:36:20 +09:00
nixpkgs/nixos/doc/manual/release-notes/rl-2505.section.md
2025-05-23 20:53:53 +02:00


Release 25.05 (“Warbler”, 2025.05/23)

Highlights

Alongside many enhancements to NixOS modules and general system improvements, this release features the following highlights:

  • NixOS now has initial support for the COSMIC DE, which is currently at Alpha 7. COSMIC is a Rust-based desktop environment by System76, makers of Pop!_OS. You can use COSMIC by enabling the greeter (login manager) with , and the DE itself by enabling . The support in NixOS/Nixpkgs is stable but still considered experimental because of its recent addition. The COSMIC maintainers will wait for one more release of NixOS before deciding whether the experimental tag should be removed. Until then, please report any issues to the COSMIC DE tracker in Nixpkgs instead of upstream.

  • nixos-rebuild-ng, a full rewrite of nixos-rebuild in Python, is available for testing. You can enable it by setting in your configuration (this will replace the old nixos-rebuild), or by adding nixos-rebuild-ng to your environment.systemPackages (in this case, it will live side-by-side with nixos-rebuild as nixos-rebuild-ng). It is expected that the next major version of NixOS (25.11) will enable system.rebuild.enableNg by default.

  • A nixos-rebuild build-image sub-command has been added. It allows users to build platform-specific (disk) images from their NixOS configurations. nixos-rebuild build-image works similarly to the popular nix-community/nixos-generators project. See the new section on image building in the NixOS manual. It is also available for nixos-rebuild-ng.

  • nixos-option has been rewritten to a Nix expression called by a simple bash script. This lowers our maintenance threshold, makes eval errors less verbose, adds support for flake-based configurations, descending into attrsOf and listOf submodule options, and --show-trace.

  • The global Mesa version can now be managed without a mass rebuild by setting .

  • GNOME has been updated to version 48.

    • decibels music player is now installed by default. You can disable it using .
    • The gnome-shell-extensions extension collection (which included the GNOME Classic extensions, Apps Menu, and User Themes, among others) is no longer installed by default. You can install it again with .
    • Option now also installs sysprof and d-spy.
    • Option services.gnome.core-utilities.enable has been renamed to .
    • cantarell-fonts, source-code-pro and source-sans fonts are no longer installed by default. They have been replaced by adwaita-fonts.

    Refer to the GNOME release notes for more details.

  • channels.nixos.org now supports the Lockable HTTP Tarball Protocol. This allows using the channel nixexprs.tar as Nix Flake input, e.g.:

    inputs.nixpkgs.url = "https://channels.nixos.org/nixos-25.05/nixexprs.tar.xz";
    
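As an added example (not part of the release notes, of Nix, or of channels.nixos.org), the script below does what a client of the Lockable HTTP Tarball Protocol has to do: read the Link header returned for a channel URL, pick the rel="immutable" entry, and pull the pinning attributes out of it. The sample header is constructed; the https-only check is this example's own supply-chain policy rather than a protocol requirement, and the live mode assumes the server answers a HEAD request with the same Link header as a GET.

```python
"""Client-side handling of the Lockable HTTP Tarball Protocol.

A server supporting the protocol answers a request for a channel tarball with a
Link header carrying a rel="immutable" entry; that URL is what a flake lock file
should record instead of the floating channel URL.
"""
import sys
import urllib.request
from urllib.parse import parse_qs, urlsplit

# Constructed sample header in the shape the protocol uses (not a real server response).
SAMPLE_LINK_HEADER = (
    '<https://channels.nixos.org/nixos-25.05/nixexprs.tar.xz?rev=0123abcd&revCount=700000>;'
    ' rel="immutable", <https://example.invalid/other.tar.xz>; rel="alternate"'
)


def _split_links(value):
    """Split a Link header on the commas separating link-values (not those inside <> or quotes)."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == "<" and not quoted:
            depth += 1
        elif ch == ">" and not quoted:
            depth -= 1
        if ch == "," and not quoted and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        parts.append("".join(buf))
    return parts


def parse_link_header(value):
    """Return [(url, {param: value})] for an RFC 8288 style Link header."""
    links = []
    for part in _split_links(value):
        part = part.strip()
        if not part.startswith("<") or ">" not in part:
            continue  # malformed link-value: ignore rather than guess
        end = part.index(">")
        url = part[1:end].strip()
        params = {}
        for p in part[end + 1:].split(";"):
            name, _, val = p.strip().partition("=")
            if name:
                params[name.strip().lower()] = val.strip().strip('"')
        links.append((url, params))
    return links


def locked_url(link_header):
    """Return the URL advertised with rel="immutable", or None if the server offers none."""
    for url, params in parse_link_header(link_header):
        # rel is a whitespace-separated list of relation types.
        if "immutable" in params.get("rel", "").lower().split():
            return url
    return None


def is_pinnable(url):
    """This example's own policy: only pin absolute https URLs, never plaintext or relative ones."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def lock_metadata(url):
    """Pinning attributes carried in the locked URL's query string, if present."""
    query = parse_qs(urlsplit(url).query)
    return {k: query[k][0] for k in ("rev", "revCount", "lastModified") if k in query}


if __name__ == "__main__":
    # Usage: python lockable.py https://channels.nixos.org/nixos-25.05/nixexprs.tar.xz
    # Without an argument the constructed sample header is used instead of a live request.
    header = SAMPLE_LINK_HEADER
    if len(sys.argv) > 1:
        with urllib.request.urlopen(urllib.request.Request(sys.argv[1], method="HEAD")) as resp:
            header = resp.headers.get("Link", "")
    url = locked_url(header)
    if url is None or not is_pinnable(url):
        sys.exit(f"no usable immutable link in: {header!r}")
    print("locked URL:", url)
    print("metadata:  ", lock_metadata(url))
```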

New Modules

Backward Incompatibilities

  • services.rippled has been removed, as rippled was broken and had not been updated since 2022.

  • services.rippleDataApi has been removed, as ripple-data-api was broken and had not been updated since 2022.

  • The nixos/modules/virtualisation/amazon-ec2-amis.nix file has not been supported since 24.05. Starting with 25.05 it throws an error with the following instructions: The canonical source for NixOS AMIs is the AWS API. Please see https://nixos.org/download/#nixos-amazon or https://nixos.github.io/amis/ for instructions.

  • The latest available version of Nextcloud is v31 (available as pkgs.nextcloud31). The installation logic is as follows:

  • services.cloudflare-dyndns.apiTokenFile now must be just your Cloudflare api token. Previously it was supposed to be a file of the form CLOUDFLARE_API_TOKEN=....

  • is unset by default; the previous default was sqlite. This was done because sqlite is not recommended by upstream and therefore does not qualify as a reasonable default.

  • PowerDNS Recursor has been updated to version 5.1.2, which comes with a new YAML configuration format (recursor.yml) and deprecates the previous format (recursor.conf). Accordingly, the NixOS option services.pdns-recursor.settings has been renamed to old-settings and will be provided for backward compatibility until the next NixOS release. Users are asked to migrate their settings to the new yaml-settings option following this guide. Note that options other than services.pdns-recursor.settings are unaffected by this change.

  • The virtualisation.hypervGuest.videoMode option has been removed. Standard tooling can now be used to configure display modes for Hyper-V VMs.

  • Nextcloud's default FPM pool settings have been increased according to upstream recommendations. It is advised to review the new defaults and the description of .

  • In the users.users subuid allocation on systems with multiple users, some users' allocated subuid ranges could collide with those of other users. These users are now assigned new subuid ranges. When this happens, a warning is issued on the first activation. If the subuids were in use (e.g. with rootless container managers like podman), change the ownership of the affected files accordingly.

  • The services.locate module no longer supports findutils' locate due to its inferior performance compared to mlocate and plocate. The new default is plocate. As the service.locate.localuser option only applied when using findutils' locate, it has also been removed.

  • services.paperless now installs paperless-manage as a normal system package instead of creating a symlink in /var/lib/paperless. paperless-manage now also changes to the appropriate user when being executed.

  • asusd has been upgraded to version 6, which supports multiple aura devices. To account for this, the single auraConfig configuration option has been replaced with auraConfigs, an attribute set of config options per device. The config files may now also be specified as either source files or text strings; to account for this you will need to specify that text is used for your existing configs, e.g.:

    -services.asusd.asusdConfig = '''file contents'''
    +services.asusd.asusdConfig.text = '''file contents'''
    
  • linuxPackages.nvidiaPackages.stable now defaults to the production variant instead of latest.

  • services.paperless.address no longer accepts a domain name or Unix domain socket.

  • networking.wireguard.enable = true no longer always adds wireguard-tools to the system packages. The backing implementation packages are only added to the system PATH when wireguard interfaces are configured.

  • virtualisation/azure-common.nix's filesystem and grub configurations have been moved to virtualisation/azure-image.nix. This makes azure-common.nix more generic so it can be used by users who generate Azure images using other methods (e.g. nixos-generators and disko). Existing users depending on these configurations should also import azure-image.nix.

  • services.signald has been removed, as signald is unmaintained upstream and has been incompatible with the official Signal servers for a long while.

  • The earlyoom service now uses the upstream systemd service, which enables hardening and filesystem isolation by default. If you need filesystem write access or want to access the home directory via killHook, the hardening settings can be changed via, e.g., systemd.services.earlyoom.serviceConfig.ProtectSystem.

    services.earlyoom.extraArgs is now shell-escaped per element, without word splitting. So write extraArgs = [ "--prefer" "spaced pat" ] rather than the previous extraArgs = [ "--prefer 'spaced pat'" ].

  • programs.less.lessopen is now null by default. To restore the previous behaviour, set it to ''|${lib.getExe' pkgs.lesspipe "lesspipe.sh"} %s''.

  • hardware.pulseaudio has been renamed to services.pulseaudio. The deprecated option names will continue to work, but cause a warning.

  • services.nextcloud now uses systemd's credential mechanism to read secret files. The nextcloud-occ wrapper script implements this using systemd-run; as such, it now requires root privileges or $CREDENTIALS_DIRECTORY to be set, where running it as the nextcloud user was enough previously.

  • services.mongodb.initialRootPassword has been replaced with the more secure option services.mongodb.initialRootPasswordFile.

  • services.bird2 has been renamed to services.bird and the default bird package has been switched to bird3. bird2 can still be chosen via the services.bird.package option.

  • The behavior of the networking.nat.externalIP and networking.nat.externalIPv6 options has been changed. networking.nat.forwardPorts now only forwards packets destined for the specified IP addresses.

  • gitlab has been updated from 17.x to 18.x and requires postgresql >= 16, as stated in the documentation. Check the upgrade guide in the NixOS manual on how to upgrade your PostgreSQL installation.

  • services.gitlab now requires activeRecordPrimaryKeyFile, activeRecordDeterministicKeyFile and activeRecordSaltFile to be set, as GitLab introduced Rails ActiveRecord encryption.

  • The Mattermost module (services.mattermost) and packages (mattermost and mmctl) have been substantially updated:

    • services.mattermost.listenAddress has been split into and . If your listenAddress contained a port, you will need to edit your configuration. This will be the only truly breaking change in this release for most configurations.
    • now defaults to true if you advance to 25.05. This means that if you have set, NixOS will override settings set in the Admin Console to those that you define in the module configuration. It is recommended to leave this at the default, even if you used a fully mutable configuration before, because it will ensure that your Mattermost data directories are correct. If you moved your data directories, you may want to review the module changes before upgrading.
    • Mattermost now supports peer authentication on both MySQL and Postgres database backends. Updating to 25.05 or later will result in peer authentication being used by default if the Mattermost server would otherwise be connecting to localhost. This is the recommended configuration.
    • Note that the Mattermost module will create an account without a well-known UID if the username differs from the default (mattermost). If you used Mattermost with a nonstandard username, you may want to review the module changes before upgrading.
  • DokuWiki with the Caddy webserver (services.dokuwiki.webserver = "caddy") now sets up sites with Caddy's automatic HTTPS instead of HTTP-only. To keep the old behavior for a site example.com, set services.caddy.virtualHosts."example.com".hostName = "http://example.com". If you set custom Caddy options for a DokuWiki site, migrate these options by removing http:// from services.caddy.virtualHosts."http://example.com".

  • Wordpress with the Caddy webserver (services.wordpress.webserver = "caddy") now sets up sites with Caddy's automatic HTTPS instead of HTTP-only. Given a site example.com, http://example.com now 301 redirects to https://example.com. To keep the old behavior for a site example.com, set services.caddy.virtualHosts."example.com".hostName = "http://example.com".

  • The behavior of services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers was changed to no longer include CCMP-256. Since all configured pairwise ciphers have to be supported by the radio, this caused startup failures on many devices, which was hard to debug in hostapd.

  • The hardware.gkraken module has been removed. The recommended alternative is programs.coolercontrol.

  • To avoid delaying user logins unnecessarily the multi-user.target is no longer ordered after network-online.target. System services requiring a connection to start correctly must explicitly state so, i.e.

    systemd.services.<name> = {
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
    };
    

    This change follows a deprecation period of one year started in NixOS 24.05 (see PR #283818).

  • The values of services.borgbackup.jobs.*.extraArgs and other extra*Args options are now represented as Bash arrays. If these arguments were modified using services.borgbackup.jobs.*.preHook, they will need to be adjusted to append to these arrays, i.e.

    -extraCreateArgs="$extraCreateArgs --exclude /some/path"
    +extraCreateArgs+=("--exclude" "/some/path")
    
  • programs.xonsh.package now gets overridden internally with extraPackages to support programs.xonsh.extraPackages. See programs.xonsh.extraPackages for more details.

  • services.nitter.guestAccounts has been renamed to services.nitter.sessionsFile, for consistency with upstream. The file format is unchanged.

  • virtualisation.azure.agent option provided by azure-agent.nix is replaced by services.waagent, and will be removed in a future release.

  • The ZFS import service now respects fileSystems.*.options = [ "noauto" ]; and does not add that pool's import service to zfs-import.target, meaning it will not be automatically imported at boot.

  • Default file names of images generated by several builders in system.build have been changed as outlined in the table below.

    Names are now known at evaluation time and customizable via the new options image.baseName, image.extension, image.fileName and image.filePath, with the latter returning a path relative to the derivation's out path (e.g. iso/${image.fileName} for ISO images).

    | system.build option | Old filename | New filename |
    |---|---|---|
    | amazonImage | nixos-amazon-image-25.05pre-git-x86_64-linux.vhd | nixos-image-amazon-25.05pre-git-x86_64-linux.vhd |
    | azureImage | disk.vhd | nixos-image-azure-25.05pre-git-x86_64-linux.vhd |
    | digitalOceanImage | nixos.qcow2.gz | nixos-image-digital-ocean-25.05pre-git-x86_64-linux.qcow2.gz |
    | googleComputeImage | nixos-image-25.05pre-git-x86_64-linux.raw.tar.gz | nixos-image-google-compute-25.05pre-git-x86_64-linux.raw.tar.gz |
    | hypervImage | nixos-25.05pre-git-x86_64-linux.vhdx | nixos-image-hyperv-25.05pre-git-x86_64-linux.vhdx |
    | isoImage (installer) | nixos-25.05pre-git-x86_64-linux.iso | nixos-image-25.05pre-git-x86_64-linux.iso |
    | isoImage | nixos.iso | nixos-image-25.05pre-git-x86_64-linux.iso |
    | kubevirtImage | nixos.qcow2 | nixos-image-kubevirt-25.05pre-git-x86_64-linux.qcow2 |
    | linodeImage | nixos-image-25.05pre-git-x86_64-linux.img.gz | nixos-image-linode-25.05pre-git-x86_64-linux.img.gz |
    | metadata (lxc-container) | nixos-system-x86_64-linux.tar.xz | nixos-image-lxc-metadata-25.05pre-git-x86_64-linux.tar.xz |
    | OCIImage | nixos.qcow2 | nixos-image-oci-25.05pre-git-x86_64-linux.qcow2 |
    | openstackImage (zfs) | nixos-openstack-image-25.05pre-git-x86_64-linux.root.qcow2 | nixos-image-openstack-zfs-25.05pre-git-x86_64-linux.root.qcow2 |
    | openstackImage | nixos.qcow2 | nixos-image-openstack-25.05pre-git-x86_64-linux.qcow2 |
    | sdImage | nixos-sd-image-25.05pre-git-x86_64-linux.img.zst | nixos-image-sd-card-25.05pre-git-x86_64-linux.img.zst |
    | tarball (lxc-container) | nixos-system-x86_64-linux.tar.xz | nixos-image-lxc-25.05pre-git-x86_64-linux.tar.xz |
    | tarball (proxmox-lxc) | nixos-system-x86_64-linux.tar.xz | nixos-image-lxc-proxmox-25.05pre-git-x86_64-linux.tar.xz |
    | vagrantVirtualbox | nixos-25.05pre-git-x86_64-linux.ova | nixos-image-virtualbox-25.05pre-git-x86_64-linux.ova |
    | virtualBoxOVA | virtualbox-vagrant.box | nixos-image-vagrant-virtualbox-25.05pre-git-x86_64-linux.ova |
    | vmwareImage | nixos-25.05pre-git-x86_64-linux.vmdk | nixos-image-vmware-25.05pre-git-x86_64-linux.vmdk |
  • security.apparmor.policies.<name>.enforce and security.apparmor.policies.<name>.enable were removed. Configuring the state of AppArmor policies must now be done using the security.apparmor.policies.<name>.state tristate option.

  • services.graylog.package now defaults to graylog-6_0, as the previous default, graylog-5_1, is EOL and has therefore been removed. Check the migration guides for 5.1→5.2 and 5.2→6.0 for breaking changes.

  • programs.clash-verge.tunMode was deprecated and removed because service mode is now required to start the program. Without programs.clash-verge.enable, clash-verge-rev will refuse to start.

  • services.discourse now requires PostgreSQL 15 by default. Please update before upgrading.

  • services.homepage-dashboard now requires the allowedHosts option to be set in accordance with the documentation.

  • luakit has been updated to 2.4.0. If you use any website which uses IndexedDB or local storage and wish to retain the saved information, some manual intervention may be required.

  • services.netbird.tunnels was renamed to services.netbird.clients, hardened (using dedicated less-privileged users) and significantly extended.

  • services.rsyncd.settings now supports only two attributes sections and globalSection. As a result, all sections previously defined under services.rsyncd.settings must now be put in services.rsyncd.settings.sections. Global settings must now be placed in services.rsyncd.settings.globalSection instead of services.rsyncd.settings.global.
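For the subuid range reassignment described above, here is an added example (not part of the release notes or of NixOS/podman) that plans, and optionally applies, the ownership change for files left behind in a container storage directory: ids inside the old range are moved to the same offset inside the new range and everything else is left alone. It assumes the old range is known (from the activation warning or a backup of /etc/subuid) and that uids and gids use the same range layout.

```python
"""Plan and apply a file-ownership remap after a subuid/subgid range reassignment.

Ids inside the old range are moved to the same offset inside the new range; every
other id is left alone. Planning is read-only; applying needs root.
"""
import os
import sys


def parse_subid_ranges(lines, user):
    """Return (start, count) for user from /etc/subuid or /etc/subgid style lines, or None."""
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user:
            return int(fields[1]), int(fields[2])
    return None


def remap_id(old_id, old_start, count, new_start):
    """Map an id lying inside [old_start, old_start + count) to the new range, else None."""
    if old_start <= old_id < old_start + count:
        return new_start + (old_id - old_start)
    return None


def plan_remap(root, old_range, new_start):
    """List (path, old_uid, new_uid, old_gid, new_gid) for every entry under root that
    carries an id from old_range. Entries are inspected with lstat; symlinks are never
    followed. Assumption of this example: uids and gids share the same range layout."""
    start, count = old_range
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries.extend(os.path.join(dirpath, name) for name in dirnames + filenames)
    plan = []
    for path in entries:
        st = os.lstat(path)
        new_uid = remap_id(st.st_uid, start, count, new_start)
        new_gid = remap_id(st.st_gid, start, count, new_start)
        if new_uid is None and new_gid is None:
            continue  # not owned by the old range: leave untouched
        plan.append((path,
                     st.st_uid, new_uid if new_uid is not None else st.st_uid,
                     st.st_gid, new_gid if new_gid is not None else st.st_gid))
    return plan


def apply_remap(plan):
    """Change ownership according to plan with lchown (no symlink following). Needs root."""
    for path, _, uid, _, gid in plan:
        os.lchown(path, uid, gid)
    return len(plan)


if __name__ == "__main__":
    # Usage: subuid-remap.py ROOT OLD_START COUNT NEW_START [--apply]
    # OLD_START/COUNT come from the previous allocation; NEW_START from the current one,
    # e.g. parse_subid_ranges(open("/etc/subuid"), "alice")[0]. Without --apply only the
    # plan is printed, so the change can be reviewed before any ownership is touched.
    if len(sys.argv) < 5:
        sys.exit(__doc__)
    root, old_start, count, new_start = sys.argv[1], *map(int, sys.argv[2:5])
    plan = plan_remap(root, (old_start, count), new_start)
    for path, ou, nu, og, ng in plan:
        print(f"{path}: {ou}:{og} -> {nu}:{ng}")
    if "--apply" in sys.argv[5:]:
        print("changed", apply_remap(plan), "entries")
```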

Other Notable Changes

  • virtualisation.containers with backend "podman" now supports rootless containers and sd_notify(3)-integration based on container healthchecks.

  • Cinnamon has been updated to 6.4, please check the upstream announcement for more details.

    • Following changes in Mint 22 we are no longer overriding Qt application styles. You can still restore the previous default with qt.style = "gtk2" and qt.platformTheme = "gtk2".
    • Following changes in Mint 20 we are replacing xplayer with celluloid since xplayer is no longer maintained.
  • Pantheon has been updated to 8, please check the upstream announcement for more details.

    • Same as elementary OS, the X11 session is named "Classic Session" and the Wayland session is named "Secure Session".
    • The dock has been rewritten, you need to manually migrate the dock items on update. You can check ~/.config/plank/dock1/launchers/ for your previous settings.
  • Xfce has been updated to 4.20, please check the upstream feature tour for more details.

  • PAM services for i3lock/i3lock-color, vlock, xlock, and xscreensaver now default to disabled unless other corresponding NixOS options are set (programs.i3lock.enable, console.enable, services.xserver.enable, and services.xscreensaver.enable, respectively). If for some reason you want one of them back without setting the corresponding option, set, e.g., security.pam.services.xlock.enable = true.

  • The nixos-generate-config command now supports an optional --flake option, which will generate a flake.nix file alongside the configuration.nix and hardware-configuration.nix, providing an easy introduction to flake-based system configurations.

  • system.stateVersion is now validated and must be in the "YY.MM" format, ideally corresponding to a prior NixOS release.

  • hardware.xone will also enable hardware.xpad-noone to provide the Xbox 360 driver by default.

  • services.mysql now supports easy cluster setup via the services.mysql.galeraCluster option.

    Example:

    services.mysql = {
      enable = true;
      galeraCluster = {
        enable = true;
        localName = "Node 1";
        localAddress = "galera_01";
        nodeAddresses = [ "galera_01" "galera_02" "galera_03"];
      };
    };
    
  • systemd's systemd-ssh-generator(8) now works out of the box on NixOS.

    • You can ssh into VMs without any networking configuration if your hypervisor configures the VM to support AF_VSOCK. It still requires the usual ssh authentication methods.
    • An SSH key for the root user can be provisioned using the ssh.authorized_keys.root systemd credential. This can be useful for booting an installation image and providing the SSH key with an SMBIOS string.
    • SSH can be used for suid-less privilege escalation on the local system without having to rely on networking:
      ssh root@.host
      
    • systemd's systemd-ssh-proxy(1) is enabled by default. It can be disabled using programs.ssh.systemd-ssh-proxy.enable.
  • SSH host key generation has been separated into the dedicated systemd service sshd-keygen.service.

  • services.dex now restarts upon changes to the .environmentFile option or path type entries in .settings.staticClients[].secretFile.

  • services.geoclue2 now has an enableStatic option, which allows the NixOS configuration to specify a fixed location for GeoClue to use.

  • services.mongodb is now compatible with the mongodb-ce binary package. To make use of it, set services.mongodb.package to pkgs.mongodb-ce.

  • services.jupyter is now compatible with Jupyter Notebook 7. See the migration guide for details.

  • networking.wireguard now has an optional networkd backend. It is enabled by default when networking.useNetworkd is enabled, and it can be enabled alongside scripted networking with networking.wireguard.useNetworkd. Some networking.wireguard options have slightly different behavior with the networkd and script-based backends, documented in each option.

  • services.rss-bridge now has a package option as well as support for caddy as reverse proxy.

  • services.avahi.ipv6 now defaults to true.

  • In the services.xserver.displayManager.startx module, two new options, generateScript and extraCommands, have been added to declaratively configure the .xinitrc script.

  • All services that require a root certificate bundle now use the value of a new read-only option, security.pki.caBundle.

  • services.hddfancontrol has been modified to use an attribute set for settings, enabling configurations with multiple instances of the daemon running at once (e.g., for two separate drive bays).

  • services.cloudflared now uses a dynamic user, and its user and group options have been removed. If the user or group is still necessary, they can be created manually.

  • The Home Assistant module has new options services.home-assistant.blueprints.automation, services.home-assistant.blueprints.script, and services.home-assistant.blueprints.template that allow for the declarative installation of blueprints into the appropriate configuration directories.

  • services.dovecot2.modules has been removed; additional Dovecot modules now need to be loaded via environment.systemPackages.

  • services.kmonad now creates a deterministic symlink (in /dev/input/by-id/) to each of KMonad's virtual devices.

  • services.searx now supports configuration of the favicons cache and other options available in SearXNG's favicons.toml file.

  • services.gitea now supports CAPTCHA usage through the services.gitea.captcha variable.

  • services.soft-serve now restarts upon config change.

  • services.keycloak now provides a realmFiles option that allows realms to be imported during startup. See https://www.keycloak.org/server/importExport.

  • bind.cacheNetworks now only controls access for recursive queries, where it previously controlled access for all queries.

  • services.mongodb.enableAuth now uses the newer mongosh shell instead of the legacy shell to configure the initial superuser. You can configure the mongosh package to use through the services.mongodb.mongoshPackage option.

  • There is a new set of NixOS test tools for testing virtual Wi-Fi networks in many different topologies. See the services.vwifi module, the services.kismet NixOS test, and the manual for documentation and examples.

  • The paperless module now has an option for regular automatic export of documents data using the integrated document exporter.

  • Exposed the paperless-manage script package via the services.paperless.manage read-only option.

  • New options for the declarative configuration of the user space part of ALSA have been introduced under hardware.alsa, including setting the default capture and playback device, defining sound card aliases and volume controls. Note: these are intended for users not running a sound server like PulseAudio or PipeWire, but having ALSA as their only sound system.

  • services.k3s now provides the autoDeployCharts option, which allows Helm charts to be deployed automatically via the k3s Helm controller.

  • Mattermost, a self-hosted chat collaboration platform supporting calls, playbooks, and boards, has been updated. It now has multiple versions, disabled telemetry, and a native frontend build in nixpkgs, removing all upstream prebuilt blobs.

    • Mattermost telemetry reporting is now disabled by default, though security update notifications are enabled. Look at services.mattermost.telemetry for options to control this behavior.
    • The Mattermost module will produce eval warnings if a database password would end up in the Nix store, and recommend alternatives such as peer authentication or using the environment file.
    • We now support mmctl for Mattermost administration if both and are set, which export the Mattermost control socket path into the system environment.
  • services.geoclue2 now uses beaconDB as a default geolocation service, replacing Mozilla Location Services which was retired in June 2024.

  • security.acme now supports renewal using CSRs (Certificate Signing Request) through the options security.acme.*.csr and security.acme.*.csrKey.

  • programs.fzf.keybindings now supports the fish shell.

  • A toggle has been added under users.users.<name>.enable to allow toggling individual users conditionally. If set to false, the user account will not be created.

  • New hooks were added:

    • writableTmpDirAsHomeHook: This setup hook ensures that the directory specified by the HOME environment variable is writable.
    • addBinToPathHook: This setup hook checks if the bin/ directory exists in the $out output path and, if so, adds it to the PATH environment variable.
    • gitSetupHook: This setup hook sets up a valid Git configuration, including the user.name and user.email fields.

NixOS Wiki

The official NixOS Wiki at wiki.nixos.org has new and improved articles, new contributors and some improvements in its dark theme and mobile readability.
