Release 25.11 ("Xantusia", 2025.11/??)

Highlights

nixos-rebuild-ng, a full rewrite of nixos-rebuild in Python, is enabled by default from this release. You can disable it by setting to false in your configuration if you need, but please report any issues. It is expected that the next major version of NixOS (26.05) will remove the {option}system.rebuild.enableNg option.
Secure boot support can now be enabled for the Limine bootloader through {option}boot.loader.limine.secureBoot.enable. Bootloader install script signs the bootloader, then kernels are hashed during system rebuild and written to a config. This allows Limine to boot only the kernels installed through NixOS system.

gtklock, a GTK-based lockscreen for Wayland. Available as programs.gtklock.
Chrysalis, a graphical configurator for Kaleidoscope-powered keyboards. Available as programs.chrysalis.
Pi-hole, a DNS sinkhole for advertisements based on Dnsmasq. Available as services.pihole-ftl, and services.pihole-web for the web GUI and API.
FileBrowser, a web application for managing and sharing files. Available as services.filebrowser.
Options under networking.getaddrinfo are now allowed to declaratively configure address selection and sorting behavior of getaddrinfo in dual-stack networks.
LACT, a GPU monitoring and configuration tool, can now be enabled through services.lact.enable. Note that for LACT to work properly on AMD GPU systems, you need to enable hardware.amdgpu.overdrive.enable.
Broadcast Box, a WebRTC broadcast server. Available as services.broadcast-box.
Docker now defaults to 28.x, because version 27.x stopped receiving security updates and bug fixes after May 2, 2025.
Draupnir, a Matrix moderation bot. Available as services.draupnir.
postfix-tlspol, MTA-STS and DANE resolver and TLS policy server for Postfix. Available as services.postfix-tlspol.
SuiteNumérique Docs, a collaborative note taking, wiki and documentation web platform and alternative to Notion or Outline. Available as services.lasuite-docs.

dwl, a compact, hackable compositor for Wayland based on wlroots. Available as programs.dwl.

The services.polipo module has been removed as polipo is unmaintained and archived upstream.
The Pocket ID module ([services.pocket-id][#opt-services.pocket-id.enable]) and package (pocket-id) has been updated to 1.0.0. Some environment variables have been changed or removed, see the migration guide.
The yeahwm package and services.xserver.windowManager.yeahwm module were removed due to the package being broken and unmaintained upstream.
The services.siproxd module has been removed as siproxd is unmaintained and broken with libosip 5.x.
services.dwm-status.extraConfig was replaced by RFC0042-compliant , which is used to generate the config file. services.dwm-status.order is now moved to , as it's a part of the config file.
renovate was updated to v40. See the upstream release notes for breaking changes.
The boot.readOnlyNixStore has been removed. Control over bind mount options on /nix/store is now offered by the boot.nixStoreMountOpts option.
The Postfix module has been updated and likely requires configuration changes:
- The services.postfix.sslCert and sslKey options were removed and you now need to configure
  - services.postfix.config.smtpd_tls_chain_files for server certificates,
  - services.postfix.config.smtp_tls_chain_files for client certificates.
vmalert now supports multiple instances with the option services.vmalert.instances."".enable

services.clamsmtp is unmaintained and was removed from Nixpkgs.
services.dnscrypt-proxy2 gains a package option to specify dnscrypt-proxy package to use.
amdgpu kernel driver overdrive mode can now be enabled by setting hardware.amdgpu.overdrive.enable and customized through hardware.amdgpu.overdrive.ppfeaturemask. This allows for fine-grained control over the GPU's performance and maybe required by overclocking softwares like Corectrl and Lact. These new options replace old options such as {option}programs.corectrl.gpuOverclock.enable and {option}programs.tuxclocker.enableAMD.
does not ship with an SSH agent anymore, as this is now handled by the gcr_4 package instead of gnome-keyring. A new module has been added to support this, under (its default value has been set to to ensure a smooth transition). See the relevant upstream PR for more details.