- The default kernel package has been updated from 6.12 to 6.18. All supported kernels remain available.
- Meshtastic, an open-source, off-grid, decentralised mesh network designed to run on affordable, low-power devices. Available as [services.meshtasticd](#opt-services.meshtasticd.enable).
- knot-resolver in version 6. Available as `services.knot-resolver`. A module for knot-resolver 5 was already available as `services.kresd`.
- ImmichFrame, display your photos from Immich as a digital photo frame. Available as `services.immichframe`.
- PdfDing, manage, view and edit your PDFs seamlessly on all your devices wherever you are. Available as `services.pdfding`.
- mangowc, a lightweight and feature-rich Wayland compositor based on dwl. Available as `programs.mangowc`.
- reaction, a daemon that scans program outputs for repeated patterns and takes action. A common usage is to scan ssh and webserver logs and to ban hosts that cause multiple authentication errors. A modern alternative to fail2ban. Available as `services.reaction`.
- rqbit, a BitTorrent client written in Rust. It has an HTTP API and Web UI, and can be used as a library. Available as `services.rqbit`.
- Tailscale Serve, configure Tailscale Serve for exposing local services to your tailnet. Available as `services.tailscale.serve`.
- qui, a modern alternative web UI for qBittorrent, with multi-instance support. Written in Go/React. Available as `services.qui`.
- Remark42, a self-hosted comment engine. Available as `services.remark42`.
- LibreChat, open-source self-hostable ChatGPT clone with Agents and RAG APIs. Available as `services.librechat`.
- nohang, a daemon for Linux that prevents out of memory (OOM) situations from affecting system responsiveness. Available as `services.nohang`.
- bentopdf, a privacy-first PDF toolkit running completely in-browser. Available as `services.bentopdf`.
- hyprwhspr-rs, a keybind-activated speech-to-text voice dictation utility built for use with Hyprland. Available as `services.hyprwhspr-rs`.
- DankMaterialShell, a complete desktop shell for Wayland compositors built with Quickshell. Available as `programs.dms-shell`.
- dms-greeter, a modern display manager greeter for DankMaterialShell that works with greetd and supports multiple Wayland compositors. Available as `services.displayManager.dms-greeter`.
- dsearch, a fast filesystem search service with fuzzy matching. Available as `programs.dsearch`.
- Elephant, a data provider service and backend for building custom application launchers. Available as `services.elephant`.
- Dunst, a lightweight and customizable notification daemon. Available as `services.dunst`.
- cocoon, a PDS (personal data server) that is an alternative to the Bluesky PDS. Available as `services.cocoon`.
- Ente Auth, an open source 2FA authenticator, with end-to-end encrypted backups. Available as `programs.ente-auth`.
- Dawarich, a self-hostable location history tracker. Available as `services.dawarich`.
- Howdy, a Windows Hello™ style facial authentication program for Linux.
- linux-enable-ir-emitter, a tool used to set up IR cameras, used with Howdy.
- udp-over-tcp, a tunnel for proxying UDP traffic over a TCP stream. Available as `services.udp-over-tcp`.
- Komodo Periphery, a multi-server Docker and Git deployment agent by Komodo. Available as `services.komodo-periphery`.
- Shoko, an anime management system. Available as `services.shoko`.
- Drasl, an alternative authentication server for Minecraft. Available as `services.drasl`.
- `opentrack`, `slushload`, `synthesia`, `vtfedit`, `winbox`, `wineasio`, and `yabridge` use `wineWow64Packages` instead of `wineWowPackages`, as Wine versions >= 11.0 have deprecated `wineWowPackages`. As such, the prefixes for these packages are NOT backwards compatible and need to be regenerated, with potential for data loss.
- `services.crabfit` was removed because its upstream packages are unmaintained and insecure.
- `services.tandoor-recipes` now uses a sub-directory for media files by default starting with `26.05`. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See Migrating media files for pre 26.05 installations.
- `rustic` was upgraded to `0.11.x`, which contains breaking changes to command-line parameters and the configuration file.
- The packages `iw` and `wirelesstools` (`iwconfig`, `iwlist`, etc.) are no longer installed implicitly if wireless networking has been enabled.
- `services.kubernetes.addons.dns.coredns` has been renamed to `services.kubernetes.addons.dns.corednsImage` and now expects a package instead of attrs. Now, by default, `nixpkgs.coredns` in conjunction with `dockerTools.buildImage` is used, instead of pulling the upstream container image from Docker Hub. If you want the old behavior, you can set:

  ```nix
  {
    services.kubernetes.addons.dns.corednsImage = pkgs.dockerTools.pullImage {
      imageName = "coredns/coredns";
      imageDigest = "sha256:af8c8d35a5d184b386c4a6d1a012c8b218d40d1376474c7d071bb6c07201f47d";
      finalImageTag = "v1.12.2";
      hash = "sha256-ZgXEyxVrdskQdgg0ONJ9sboAXEEHTgNsiptk5O945c0=";
    };
  }
  ```
- `services.stalwart-mail` has been renamed to `services.stalwart` to align with the upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to the module:
  - `systemd.services.stalwart` is owned by `stalwart:stalwart`. The `user` and `group` are configurable via `services.stalwart.user` and `services.stalwart.group`, respectively. By default, if `stateVersion` is older than `26.05`, it will fall back to the legacy value of `stalwart-mail` for both `user` and `group`.
  - The default value for `services.stalwart.dataDir` has changed to `/var/lib/stalwart`. If `stateVersion` is older than `26.05`, it will fall back to the legacy value of `/var/lib/stalwart-mail`.
- `services.oauth2-proxy.clientSecret` and `services.oauth2-proxy.cookie.secret` have been replaced with `services.oauth2-proxy.clientSecretFile` and `services.oauth2-proxy.cookie.secretFile` respectively. This was done to ensure secrets don't get made world-readable.
- `services.grafana.settings.security.secret_key` doesn't have a default value anymore. Please generate your own key or hard-code the old one explicitly. See the upstream docs and the instructions on how to rotate for further information.
- Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.
- `services.cgit` previously always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable `services.cgit.gitHttpBackend.checkExportOkFiles` (or disable the git-http-backend).
- `rocmPackages_6` has been removed. `rocmPackages` has been updated to ROCm 7.x. Out-of-tree packages may rely on obsolete hipblas APIs or a compile-time constant warp size and need to be updated.
- The Bash implementation of the `nixos-rebuild` program is removed. All switchable systems now use the Python rewrite. Any prior usage of `system.rebuild.enableNg` must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.
- `services.desktopManager.gnome` no longer installs the Geary e-mail client since it is not part of the GNOME core applications list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add `programs.geary.enable = true;` to your configuration.
- MATE packages have been moved to top level (e.g. if you previously added `pkgs.mate.caja` to `environment.systemPackages`, you will need to change it to `pkgs.caja`).
- `walker` has been updated to 2.0.0+, which is a complete rewrite in Rust. It now requires a running `elephant` application launcher backend service, which can be enabled using the new `services.elephant.enable`. The way keybinds and actions are handled has been completely revamped. Please refer to the default config.
- `services.portunus` has been upgraded to 2.2.0, which includes a bug fix that may cause existing databases to be rejected if user accounts are configured with malformed email addresses. Please refer to the upstream release announcement for details and instructions on how to fix problematic database entries.
- Support for `reiserfs` in nixpkgs has been removed, following the removal in Linux 6.13.
- `services.tor` no longer bind mounts Unix sockets of onion services into its chroot because it was not reliable. Users should do it themselves using either `JoinsNamespaceOf=` and Unix sockets in `/tmp`, or `BindPaths=` from a persistent parent directory of each Unix socket. See NixOS#481673.
- Support for `ecryptfs` in nixpkgs has been removed.
- The `networking.wireless` module has been security hardened by default: the `wpa_supplicant` daemon now runs under an unprivileged user with restricted access to the system. As part of these changes, `/etc/wpa_supplicant.conf` has been deprecated: the NixOS-generated configuration file is now linked to `/etc/wpa_supplicant/nixos.conf`, and `/etc/wpa_supplicant/imperative.conf` has been added for imperatively configuring `wpa_supplicant` or when using `allowAuxiliaryImperativeNetworks`. If client certificates, keys or other files are needed, these should be stored under `/etc/wpa_supplicant` and owned by `wpa_supplicant` to ensure the daemon can read them. Also, the {option}`networking.wireless.userControlled.group` option has been removed since there is now a dedicated `wpa_supplicant` group to control the daemon, and {option}`networking.wireless.userControlled.enable` has been renamed to . No functionality should have been impacted by these changes (including controlling via `wpa_cli`, integration with NetworkManager or connman), but if you find any problems, please open an issue on GitHub. If necessary, the security hardening can be reverted with . Note for NetworkManager users: before these changes NetworkManager used to spawn its own wpa_supplicant daemon, but now it relies on `networking.wireless`. So, if you had `networking.wireless.enable = false` in your configuration, you should remove that line.
- `kratos` has been updated from 1.3.1 to 25.4.0. Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:
  - The `migrate sql` CLI command is now `migrate sql up`
  - OIDC registration validation errors are now placed in the `default` node group instead of `oidc`
  - Failed OIDC account linking returns HTTP 400 instead of 200
  - The
- `pdns` has been updated to version v5.0.x, which introduces breaking changes. Check out the Upgrade Notes for details.
- In the PowerDNS Recursor module, following the deprecation period started with NixOS 25.05, the option {option}`services.pdns-recursor.old-settings` has been removed and {option}`services.pdns-recursor.yaml-settings` consequently renamed to .
- `services.angrr` now uses TOML for configuration. Define policies with `services.angrr.settings` (generates a TOML file) or point to a file using `services.angrr.configFile`. The legacy options `services.angrr.period`, `services.angrr.ownedOnly`, and `services.angrr.removeRoot` have been removed. See `man 5 angrr` and the description of the `services.angrr.settings` options for examples and details.
- `services.homepage-dashboard.environmentFile` has been renamed to `services.homepage-dashboard.environmentFiles`, and now expects a list of strings.
- `services.pingvin-share` has been removed as the `pingvin-share.backend` package was broken and the project was archived upstream.
- The `geph` package's built-in GUI `geph5-client-gui` has been removed by upstream. All users who wish to continue using the GUI should install `gephgui-wry`, which is consistent with the official release version.
- `services.vikunja` has been updated to Vikunja v1.0.0, which introduces multiple breaking changes. Notable breaking changes:
  - CORS is enabled by default. The module now sets `services.vikunja.settings.service.publicurl` by default. Custom overrides must ensure it is set or disable CORS, otherwise Vikunja will fail to start.
  - API route and response changes may affect integrations.
  - Configuration format and option changes require review of existing settings (including OpenID provider configuration and metrics/log settings).
  - SQLite paths are now relative to `service.rootpath` unless absolute. Startup now validates file storage and OAuth providers.
- `hardware.xpadneo` now supports configuring kernel module parameters via a freeform settings option, with convenience options for rumble attenuation and controller quirks.
- Wine has been updated to the 11.0 branch. Please check the upstream announcement for more details.
- Cinnamon has been updated to 6.6, please check the upstream announcement for more details.
- Budgie has been updated to 10.10, please check the upstream announcement for more details.
- `stestrCheckHook` was added: this test hook runs `stestr run`. You can disable tests with `disabledTests` and `disabledTestsRegex`.
- `services.frp` now supports multiple instances through `services.frp.instances` to make it possible to run multiple frp clients or servers at the same time.
- `hyphen` now supports over 40 language variants through `hyphenDicts` and now allows enabling all supported languages through `hyphenDicts.all`.
- The `services.resolved` module was converted to RFC42-style settings. The moved options have also been renamed to match the upstream names. Aliases mean current configs will continue to function, but users should move to the new options as convenient.
- Support for Bluetooth audio based on `bluez-alsa` has been added to the `hardware.alsa` module. It can be enabled with the new `enableBluetooth` option.
- `services.openssh` now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving `services.openssh.enable` disabled. This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.
- `services.caddy` now supports setting `httpPort` and `httpsPort` and opening them in the firewall via `openFirewall`.
- The latest available version of Nextcloud is v33 (available as `pkgs.nextcloud33`). The installation logic is as follows:
  - If `services.nextcloud.package` is specified explicitly, this package will be installed (recommended)
  - If `system.stateVersion` is >= `26.05`, `pkgs.nextcloud33` will be installed by default.
  - If `system.stateVersion` is >= `25.11`, `pkgs.nextcloud32` will be installed by default.

  `nextcloud31` is EOL and was thus removed.

  Please note that an upgrade from v31 (or older) to v33 directly is not possible. Please upgrade to `nextcloud32` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring `services.nextcloud.package = pkgs.nextcloud32;`.
- `services.slurm` now supports slurmrestd usage through the `services.slurm.rest` NixOS options.
- The `services.calibre-web` systemd service has been hardened with additional sandboxing restrictions.
- `services.kanidm` options for server, client and unix were moved under dedicated namespaces. For each component, `enableComponent` and `componentSettings` are now `component.enable` and `component.settings`. The unix module now supports using SSH keys from Kanidm via `services.kanidm.unix.sshIntegration = true`.
- `glibc` has been updated to version 2.42. This version no longer makes the stack executable when a shared library requires this. A symptom is an error like

  ```
  cannot enable executable stack as shared object requires: Invalid argument
  ```

  This is usually a bug. Please consider reporting it to the software maintainers. In a lot of cases, the library requires the execstack by mistake only. The following workarounds exist:

  - When building the shared library in question from source, use the following linker flags to force turning off the executable flag:

    ```nix
    mkDerivation {
      # …
      env.NIX_LDFLAGS = "-z,noexecstack";
    }
    ```

  - If the sources are not available, the execstack flag can be cleared with `patchelf`: `patchelf --clear-execstack binary-only.so`
  - If the shared library to be loaded actually requires an executable stack and it isn't turned on by the application loading it, you may force allowing that behavior by setting the following environment variable: `GLIBC_TUNABLES=glibc.rtld.execstack=2`. Do not set this globally! This makes your setup inherently less secure.
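An added check, not part of these release notes or of glibc, for finding which shared objects under a directory still carry the executable-stack request that glibc 2.42 refuses: it reads the ELF `PT_GNU_STACK` program header directly instead of calling `readelf`, so it can be run over a closure before deciding between the `noexecstack` link flag and `patchelf --clear-execstack`. `make_minimal_elf64` builds a constructed ELF image so the check runs without any real library on disk.

```python
import os
import struct

PT_GNU_STACK = 0x6474E551  # program header recording the stack permission request
PF_X = 0x1                 # execute bit in p_flags

def stack_needs_exec(data: bytes):
    """True if the image requests an executable stack, False if not, None if no PT_GNU_STACK."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                  # EI_CLASS: 2 = ELFCLASS64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            # p_flags sits at offset 4 in Elf64_Phdr but at offset 24 in Elf32_Phdr
            (p_flags,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
            return bool(p_flags & PF_X)
    return None

def find_execstack_libs(root: str):
    """Walk a tree and return the shared objects whose PT_GNU_STACK is marked executable."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if ".so" not in name:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    if stack_needs_exec(f.read()) is True:
                        hits.append(path)
            except (OSError, ValueError):
                continue  # unreadable or not an ELF file
    return hits

def make_minimal_elf64(exec_stack: bool) -> bytes:
    """Constructed sample: ELF64 header plus one PT_GNU_STACK header, flagged RWE or RW."""
    flags = 0x7 if exec_stack else 0x6
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9   # e_ident: ELFCLASS64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr
```

Run `find_execstack_libs("/nix/store/<hash>-somepackage")` on a real path to get the list of objects that would trigger the loader error; each hit is a candidate for the `noexecstack` link flag or `patchelf --clear-execstack`.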