mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-06-09 19:13:26 +03:00
doc/rl-2505: move all package entries from nixos notes
This ensures the NixOS notes only refer to things like modules and NixOS-specific improvements, while the Nixpkgs notes refer to all package changes
This commit is contained in:
parent
7edb76465e
commit
39a20c95fe
2 changed files with 91 additions and 82 deletions
|
@ -15,12 +15,7 @@ Alongside many enhancements to NixOS modules and general system improvements, th
|
|||
|
||||
- `nixos-option` has been rewritten to a Nix expression called by a simple bash script. This lowers our maintenance threshold, makes eval errors less verbose, adds support for flake-based configurations, descending into `attrsOf` and `listOf` submodule options, and `--show-trace`.
|
||||
|
||||
- The packaging of Mesa graphics drivers has been significantly reworked, in particular:
|
||||
- Applications linked against different Mesa versions than installed on the system should now work correctly going forward (however, applications against older Mesa, e.g. from Nixpkgs releases before 25.05, remain broken)
|
||||
- The global Mesa version can now be managed without a mass rebuild by setting [](#opt-hardware.graphics.package)
|
||||
- Packages that used to depend on Mesa for libgbm or libdri should use `libgbm` or `dri-pkgconfig-stub` as inputs, respectively
|
||||
|
||||
- OpenSSH has been updated from 9.9p2 to 10.0p2, dropping support for DSA keys and adding a new `ssh-auth` binary to handle user authentication in a different address space from unauthenticated sessions. Additionally, we now enable a configure option by default that attempts to lock sshd into RAM to prevent it from being swapped out, which may improve performance if the system is under memory pressure. See the [full changelog](https://www.openwall.com/lists/oss-security/2025/04/09/1) for more details.
|
||||
- The global Mesa version can now be managed without a mass rebuild by setting [](#opt-hardware.graphics.package).
|
||||
|
||||
- GNOME has been updated to version 48.
|
||||
|
||||
|
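Review bot: The OpenSSH 10.0p2 entry in this hunk records the removal of DSA key support, and taking it out of the NixOS notes leaves nothing in this file for hosts that still have DSA keys configured. The hunk header (-15,12 +15,7) shows the Mesa block collapsing to the single `hardware.graphics.package` line, which suits a module-focused file, but the DSA removal is the kind of upgrade breakage a NixOS operator looks for here. Suggest keeping a one-line pointer next to the retained Mesa line, for example "OpenSSH 10.0 drops DSA keys; see the Nixpkgs release notes".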
@ -47,7 +42,6 @@ Alongside many enhancements to NixOS modules and general system improvements, th
|
|||
- [programs.amnezia-vpn](#opt-programs.amnezia-vpn.enable): a GUI client which can also deploy a VPN endpoint to a remote server
|
||||
- {option}`networking.wireguard` adds support for the [AmneziaWG](https://docs.amnezia.org/documentation/amnezia-wg/) variant of the protocol, featuring better masking against Deep Packet Inspection. The variant to be used is set per interface as `networking.wireguard.interfaces.<name>.type`, defaulting to wireguard.
|
||||
|
||||
|
||||
- [Bazecor](https://github.com/Dygmalab/Bazecor), the graphical configurator for Dygma Products.
|
||||
|
||||
- [Bonsai](https://git.sr.ht/~stacyharper/bonsai), a general-purpose event mapper/state machine primarily used to create complex key shortcuts, and as part of the [SXMO](https://sxmo.org/) desktop environment. Available as [services.bonsaid](#opt-services.bonsaid.enable).
|
||||
|
@ -260,8 +254,6 @@ Alongside many enhancements to NixOS modules and general system improvements, th
|
|||
and error starting 25.05 with instructions the following instructions:
|
||||
The canonical source for NixOS AMIs is the AWS API. Please see https://nixos.org/download/#nixos-amazon or https://nixos.github.io/amis/ for instructions.
|
||||
|
||||
- The udev rules of the libjaylink package require users to be in the `jlink` instead of `plugdev` group now, since the `plugdev` group is very uncommon for NixOS. Alternatively, access is granted to seat sessions.
|
||||
|
||||
- The latest available version of Nextcloud is v31 (available as `pkgs.nextcloud31`). The installation logic is as follows:
|
||||
- If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
|
||||
- If [`system.stateVersion`](#opt-system.stateVersion) is >=24.11, `pkgs.nextcloud30` will be installed by default.
|
||||
|
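Review bot: The libjaylink entry is an access-control change (`jlink` group instead of `plugdev`, or seat sessions), and on NixOS the remedy is a group membership change in the system configuration, so removing it from this file hides the action item from the readers who have to act on it. Consider keeping a short cross-reference here. Separately, the context line "and error starting 25.05 with instructions the following instructions:" at the top of the hunk is garbled and worth fixing while this file is open.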
@ -294,12 +286,6 @@ Alongside many enhancements to NixOS modules and general system improvements, th
|
|||
- `services.paperless` now installs `paperless-manage` as a normal system package instead of creating a symlink in `/var/lib/paperless`.
|
||||
`paperless-manage` now also changes to the appropriate user when being executed.
|
||||
|
||||
- The `gotenberg` package has been updated to 8.16.0, which brings breaking changes to the configuration from version 8.13.0. See the [upstream release notes](https://github.com/gotenberg/gotenberg/releases/tag/v8.13.0)
|
||||
for that release to get all the details. The `services.gotenberg` module has been updated appropriately to ensure your configuration is valid with this new release.
|
||||
|
||||
- `varnish` was updated from 7.5.0 to 7.7.0, see [Varnish 7.6.0 upgrade guide](https://varnish-cache.org/docs/7.6/whats-new/upgrading-7.6.html) and
|
||||
[Varnish 7.7.0 upgrade guide](https://varnish-cache.org/docs/7.7/whats-new/upgrading-7.7.html#whatsnew-upgrading-7-7).
|
||||
|
||||
- `asusd` has been upgraded to version 6 which supports multiple aura devices. To account for this, the single `auraConfig` configuration option has been replaced with `auraConfigs` which is an attribute set of config options per each device. The config files may also be now specified as either source files or text strings; to account for this you will need to specify that `text` is used for your existing configs, e.g.:
|
||||
```diff
|
||||
-services.asusd.asusdConfig = '''file contents'''
|
||||
|
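Review bot: The gotenberg entry ends with "The `services.gotenberg` module has been updated appropriately to ensure your configuration is valid with this new release", which is module information, so moving the entry whole puts a NixOS-specific statement in the Nixpkgs notes and removes it from the file this commit reserves for modules. Suggest splitting it: the 8.16.0 update and the upstream link go to the Nixpkgs notes, and the module sentence stays here. The varnish entry is purely a package update and moves cleanly.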
@ -308,18 +294,12 @@ Alongside many enhancements to NixOS modules and general system improvements, th
|
|||
|
||||
- `linuxPackages.nvidiaPackages.stable` now defaults to the `production` variant instead of `latest`.
|
||||
|
||||
- `paperless-ngx` has been updated to minor version 2.15 which switched the web server from Gunicorn to Granian. If you set Gunicorn specific envs (usually contain GUNICORN) they must be updated. Also `services.paperless.address` no longer accepts a domain name and Granian also does not support listening on unix domain sockets.
|
||||
|
||||
- `timescaledb` requires manual upgrade steps.
|
||||
After you run ALTER EXTENSION, you must run [this SQL script](https://github.com/timescale/timescaledb-extras/blob/master/utils/2.15.X-fix_hypertable_foreign_keys.sql). For more details, see the following pull requests [#6797](https://github.com/timescale/timescaledb/pull/6797).
|
||||
PostgreSQL 13 is no longer supported in TimescaleDB v2.16.
|
||||
- `services.paperless.address` no longer accepts a domain name or Unix domain socket.
|
||||
|
||||
- `networking.wireguard.enable = true` does not always add `wireguard-tools` to system packages anymore. Only when wireguard interfaces are configured, the backing implementation packages are added to system PATH.
|
||||
|
||||
- `virtualisation/azure-common.nix`'s filesystem and grub configurations have been moved to `virtualisation/azure-image.nix`. This makes `azure-common.nix` more generic so it could be used for users who generate Azure image using other methods (e.g. nixos-generators and disko). For existing users depending on these configurations, please also import `azure-image.nix`.
|
||||
|
||||
- `zammad` has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the [migration guide](https://docs.zammad.org/en/latest/appendix/migrate-to-postgresql.html) for how to convert your database to PostgreSQL.
|
||||
|
||||
- `services.signald` has been removed as `signald` is unmaintained upstream and has been incompatible to official Signal servers for a long while.
|
||||
|
||||
- The `earlyoom` service is now using upstream systemd service, which enables
|
||||
|
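Review bot: The replacement line "`services.paperless.address` no longer accepts a domain name or Unix domain socket" keeps the symptom but loses the cause and the second action item from the paperless-ngx entry it replaces: the switch from Gunicorn to Granian in 2.15 and the need to update Gunicorn-specific environment variables. Anyone who set those variables through the module gets no hint in this file. Suggest adding the reason to the new line and pointing to the package entry. The timescaledb entry also carries a manual step (run the linked SQL script after ALTER EXTENSION), so confirm it arrives in the Nixpkgs notes with the link intact, since that side of the move is not visible here.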
@ -341,9 +321,6 @@ Alongside many enhancements to NixOS modules and general system improvements, th
|
|||
|
||||
- `services.bird2` has been renamed to `services.bird` and the default bird package has been switched to `bird3`. `bird2` can still be chosen via the `services.bird.package` option.
|
||||
|
||||
- `renovate` was updated to v39. See the [upstream release notes](https://docs.renovatebot.com/release-notes-for-major-versions/#version-39) for breaking changes.
|
||||
Like upstream's docker images, renovate now runs on NodeJS 22.
|
||||
|
||||
- The behavior of the `networking.nat.externalIP` and `networking.nat.externalIPv6` options has been changed. `networking.nat.forwardPorts` now only forwards packets destined for the specified IP addresses.
|
||||
|
||||
- `gitlab` has been updated from 17.x to 18.x and requires `postgresql` >= 16, as stated in the [documentation](https://docs.gitlab.com/18.0/install/requirements/#postgresql). Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation.
|
||||
|
@ -364,21 +341,10 @@ Alongside many enhancements to NixOS modules and general system improvements, th
|
|||
Given a site example.com, http://example.com now 301 redirects to https://example.com.
|
||||
To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`.
|
||||
|
||||
- `slskd` has been updated to v0.22.3, which includes breaking changes to `script` integrations. Please review the [changelog](https://github.com/slskd/slskd/releases/tag/0.22.3)
|
||||
and the accompanying [pull request](https://github.com/slskd/slskd/pull/1292).
|
||||
|
||||
- `forgejo` and `forgejo-lts` have been updated to v11.
|
||||
See upstreams [release blog post](https://forgejo.org/2025-04-release-v11-0/) for more information.
|
||||
|
||||
- `unifi` has been updated to v9.1.
|
||||
This version should be backward compatible with v8.x, however as a result, `unifi8` package has been removed.
|
||||
|
||||
- The behavior of `services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers` was changed to not include `CCMP-256` anymore.
|
||||
Since all configured pairwise ciphers have to be supported by the radio, this caused startup failures on many devices which is hard to debug in hostapd.
|
||||
|
||||
- The `conduwuit` matrix server implementation has officially been discontinued by upstream and the package has thus been marked as vulnerable, as it is a security-sensitive package that has reached EOL.
|
||||
|
||||
- `gkraken` software and `hardware.gkraken.enable` option have been removed, use `coolercontrol` via `programs.coolercontrol.enable` option instead.
|
||||
- The `hardware.gkraken` module has been removed. The recommended alternative is [`programs.coolercontrol`](#opt-programs.coolercontrol.enable).
|
||||
|
||||
- To avoid delaying user logins unnecessarily the `multi-user.target` is no longer ordered after `network-online.target`.
|
||||
System services requiring a connection to start correctly must explicitly state so, i.e.
|
||||
|
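Review bot: The conduwuit entry says the package is marked as vulnerable because it is security-sensitive and has reached EOL, and that is the one item in this hunk that should stay discoverable from the NixOS notes, because anyone running it as a system service has to migrate. Suggest leaving a one-line pointer here rather than moving it out entirely. The rewritten gkraken line is a good model for the split: it names only the `hardware.gkraken` module and links `programs.coolercontrol`, leaving the package removal to the Nixpkgs notes.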
@ -496,8 +462,6 @@ Alongside many enhancements to NixOS modules and general system improvements, th
|
|||
};
|
||||
```
|
||||
|
||||
- The `intel` video driver for X.org (from the xf86-video-intel package, which was previously removed because it was non-functional) has been fixed and the driver has been re-introduced.
|
||||
|
||||
- systemd's {manpage}`systemd-ssh-generator(8)` now works out of the box on NixOS.
|
||||
- You can ssh into VMs without any networking configuration if your hypervisor configures the vm to support AF_VSOCK.
|
||||
It still requires the usual ssh authentication methods.
|
||||
|
@ -521,8 +485,6 @@ Alongside many enhancements to NixOS modules and general system improvements, th
|
|||
|
||||
- `networking.wireguard` now has an optional networkd backend. It is enabled by default when `networking.useNetworkd` is enabled, and it can be enabled alongside scripted networking with `networking.wireguard.useNetworkd`. Some `networking.wireguard` options have slightly different behavior with the networkd and script-based backends, documented in each option.
|
||||
|
||||
- The `stackclashprotection` hardening flag has been enabled by default on compilers that support it.
|
||||
|
||||
- `services.rss-bridge` now has a `package` option as well as support for `caddy` as reverse proxy.
|
||||
|
||||
- `services.avahi.ipv6` now defaults to true.
|
||||
|
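Review bot: The `stackclashprotection` entry gives no opt-out, and a change to default hardening flags is where build breakage gets reported. When it lands in the Nixpkgs notes, add how to disable it per package (`hardeningDisable = [ "stackclashprotection" ];`) so the entry is actionable. Moving it out of this file is right, since it describes a compiler default rather than a module change.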
@ -531,9 +493,7 @@ Alongside many enhancements to NixOS modules and general system improvements, th
|
|||
|
||||
- All services that require a root certificate bundle now use the value of a new read-only option, `security.pki.caBundle`.
|
||||
|
||||
- hddfancontrol has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes. The settings options have been modified to use an attrset, enabling configurations with multiple instances of the daemon running at once, eg, for two separate drive bays.
|
||||
|
||||
- `nextcloud-news-updater` is unmaintained and was removed from nixpkgs.
|
||||
- [`services.hddfancontrol`](#opt-services.hddfancontrol.enable) has been modified to use an attribute set for settings, enabling configurations with multiple instances of the daemon running at once (e.g., for two separate drive bays).
|
||||
|
||||
- `services.cloudflared` now uses a dynamic user, and its `user` and `group` options have been removed. If the user or group is still necessary, they can be created manually.
|
||||
|
||||
|
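Review bot: The new `services.hddfancontrol` line drops the migration guide link and the words "breaking changes" that the entry it replaces carried, yet the move of the settings options to an attribute set is itself breaking for existing configurations. Suggest saying so in the new line and keeping the link, or pointing to the package entry that now holds it.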
@ -566,55 +526,17 @@ Alongside many enhancements to NixOS modules and general system improvements, th
|
|||
|
||||
- `services.k3s` now provides the `autoDeployCharts` option that allows to automatically deploy Helm charts via the k3s Helm controller.
|
||||
|
||||
- Caddy can now be built with plugins by using `caddy.withPlugins`, a `passthru` function that accepts an attribute set as a parameter. The `plugins` argument represents a list of Caddy plugins, with each Caddy plugin being a versioned module. The `hash` argument represents the `vendorHash` of the resulting Caddy source code with the plugins added.
|
||||
|
||||
Example:
|
||||
```nix
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
package = pkgs.caddy.withPlugins {
|
||||
plugins = [
|
||||
# tagged upstream
|
||||
"github.com/caddy-dns/powerdns@v1.0.1"
|
||||
# pseudo-version number generated by Go
|
||||
"github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
|
||||
"github.com/mholt/caddy-webdav@v0.0.0-20241008162340-42168ba04c9d"
|
||||
];
|
||||
hash = "sha256-wqXSd1Ep9TVpQi570TTb96LwzNYvWL5EBJXMJfYWCAk=";
|
||||
};
|
||||
};
|
||||
```
|
||||
|
||||
To get the necessary hash of the vendored dependencies, omit `hash`. The build will fail and tell you the correct value.
|
||||
|
||||
Note that all provided plugins must have versions/tags (string after `@`), even if upstream repo does not tag each release. For untagged plugins, you can either create an empty Go project and run `go get <plugin>` and see changes in `go.mod` to get the pseudo-version number, or provide a commit hash in place of version/tag for the first run, and update the plugin string based on the error output.
|
||||
|
||||
- [Mattermost](#opt-services.mattermost.enable), a self-hosted chat collaboration platform supporting calls, playbooks, and boards, has been updated. It now has multiple versions, disabled telemetry, and a native frontend build in nixpkgs, removing all upstream prebuilt blobs.
|
||||
- A new `pkgs.mattermost.buildPlugin` function has been added, which allows plugins to be built from source, including webapp frontends with a supported package-lock.json. See the Mattermost NixOS test and [manual](https://nixos.org/manual/nixpkgs/unstable/#sec-mattermost-plugins-build) for an example.
|
||||
- Mattermost telemetry reporting is now disabled by default, though security update notifications are enabled. Look at [`services.mattermost.telemetry`](#opt-services.mattermost.telemetry.enableDiagnostics) for options to control this behavior.
|
||||
- The Mattermost frontend is now built from source and can be overridden. Note that the Mattermost derivation containing both the webapp and server is now wrapped to allow them to be built independently, so overrides to both webapp and server look like `mattermost.overrideAttrs (prev: { webapp = prev.webapp.override { ... }; server = prev.server.override { ... }; })` now.
|
||||
- `pkgs.mattermost` has been updated from 9.11 to 10.5 to track the latest extended support release, since 9.11 will become end-of-life during the lifetime of NixOS 25.05.
|
||||
- `pkgs.mattermostLatest` is now an option to track the latest (non-prerelease) Mattermost release. We test upgrade migrations from ESR releases (`pkgs.mattermost`) to `pkgs.mattermostLatest`.
|
||||
- The Mattermost module will produce eval warnings if a database password would end up in the Nix store, and recommend alternatives such as peer authentication or using the environment file.
|
||||
- We now support `mmctl` for Mattermost administration if both [](#opt-services.mattermost.socket.enable) and [](#opt-services.mattermost.socket.export) are set, which export the Mattermost control socket path into the system environment.
|
||||
|
||||
- KDE Partition Manager `partitionmanager`'s support for ReiserFS is removed.
|
||||
ReiserFS has not been actively maintained for many years. It has been marked as obsolete since Linux 6.6, and
|
||||
[is removed](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c01f664e4ca210823b7594b50669bbd9b0a3c3b0)
|
||||
in Linux 6.13.
|
||||
|
||||
- `services.geoclue2` now uses [beaconDB](https://beacondb.net/) as a default geolocation service, replacing Mozilla Location Services which was [retired in June 2024](https://github.com/mozilla/ichnaea/issues/2065).
|
||||
|
||||
- `authelia` version 4.39.0 has made some changes which deprecate older configurations.
|
||||
They are still expected to be working until future version 5.0.0, but will generate warnings in logs.
|
||||
Read the [release notes](https://www.authelia.com/blog/4.39-release-notes/) for human readable summaries of the changes.
|
||||
|
||||
- `security.acme` now supports renewal using CSRs (Certificate Signing Request) through the options `security.acme.*.csr` and `security.acme.*.csrKey`.
|
||||
|
||||
- `programs.fzf.keybindings` now supports the fish shell.
|
||||
|
||||
- `gerbera` now has wavpack support.
|
||||
|
||||
- A toggle has been added under `users.users.<name>.enable` to allow toggling individual users conditionally. If set to false, the user account will not be created.
|
||||
|
||||
- New hooks were added:
|
||||
|
|
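Review bot: The Caddy `withPlugins` example is written as NixOS configuration (`services.caddy = { enable = true; package = pkgs.caddy.withPlugins { ... }; };`), so if it moves to the Nixpkgs notes unchanged it documents a module option in a file meant for package changes. Suggest reducing the example there to the bare `pkgs.caddy.withPlugins { plugins = [ ... ]; hash = "..."; }` expression and leaving one line here saying that `services.caddy.package` accepts the result. The Mattermost sub-bullets about eval warnings for a database password ending up in the Nix store and about the `services.mattermost.socket` options describe module behaviour and belong in this file whichever way the package version bump goes.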