nixpkgs/nixos/doc/manual/release-notes/rl-2511.section.md

Release 25.11 ("Xantusia", 2025.11/??)

Highlights

• nixos-rebuild-ng, a full rewrite of nixos-rebuild in Python, is enabled by default from this release. You can disable it by setting to false in your configuration if you need, but please report any issues. It is expected that the next major version of NixOS (26.05) will remove the {option}system.rebuild.enableNg option.

• rEFInd, a graphical boot manager for UEFI systems, can now be used through .

• Secure boot support can now be enabled for the Limine bootloader through {option}boot.loader.limine.secureBoot.enable. Bootloader install script signs the bootloader, then kernels are hashed during system rebuild and written to a config. This allows Limine to boot only the kernels installed through NixOS system.

• The default PostgreSQL version for new NixOS installations (i.e. with system.stateVersion >= 25.11) is v17.

• Added nixos-init, a Rust-based bashless initialization system for systemd initrd. This allows to build NixOS systems without any interpreter. Enable via system.nixos-init.enable = true;.

• The NetworkManager module does not ship with a default set of VPN plugins anymore. All required VPN plugins must now be explicitly configured in networking.networkmanager.plugins.

• The Qt 5-based versions of KDE Gear, Plasma, Maui and Deepin have been removed. Users are advised to migrate to Plasma 6 and Gear 25.08, available under kdePackages.

• Syncthing has been updated to version 2.0.0.

• COSMIC DE has been updated to the beta version, bringing it closer to its first stable release. This includes updates to its core components, applications, and overall stability.

New Modules

• byedpi, a DPI bypass service. Available as services.byedpi.

• Overseerr, a request management and media discovery tool for the Plex ecosystem. Available as services.overseerr.

• services.rsync has been added to simplify periodic directory syncing.

• gtklock, a GTK-based lockscreen for Wayland. Available as programs.gtklock.

• Chrysalis, a graphical configurator for Kaleidoscope-powered keyboards. Available as programs.chrysalis.

• wayvnc, VNC server for wlroots based Wayland compositors. Available as programs.wayvnc.

• Pi-hole, a DNS sinkhole for advertisements based on Dnsmasq. Available as services.pihole-ftl, and services.pihole-web for the web GUI and API.

• Fediwall, a web application for live displaying toots from mastodon, inspired by mastowall. Available as services.fediwall.

• umami, a simple, fast, privacy-focused alternative to Google Analytics. Available with services.umami.

• FileBrowser, a web application for managing and sharing files. Available as services.filebrowser.

• Options under networking.getaddrinfo are now allowed to declaratively configure address selection and sorting behavior of getaddrinfo in dual-stack networks.

• Homebridge, a lightweight Node.js server you can run on your home network that emulates the iOS HomeKit API. Available as services.homebridge.

• XPPen, the official closed-source driver for XP Pen tablets. Available as programs.xppen.

• LACT, a GPU monitoring and configuration tool, can now be enabled through services.lact.enable. Note that for LACT to work properly on AMD GPU systems, you need to enable hardware.amdgpu.overdrive.enable.

• Auto-scrub support for Bcachefs filesystems can now be enabled through services.bcachefs.autoScrub.enable to periodically check for data corruption. If there's a correct copy available, it will automatically repair corrupted blocks.

• LibreTranslate, a free and open source machine translation API. Available as services.libretranslate.

• Linyaps, a cross-distribution package manager with sandboxed apps and shared runtime. Available as services.linyaps.

• tlsrpt-reporter, an application suite to generate and deliver TLSRPT reports. Available as services.tlsrpt.

• Chhoto URL, a simple, blazingly fast, selfhosted URL shortener with no unnecessary features, written in Rust. Available as services.chhoto-url.

• go-httpbin, a reasonably complete and well-tested golang port of httpbin, with zero dependencies outside the go stdlib. Available as services.go-httpbin.

• radicle-ci-broker, runs CI for repositories in the local Radicle node. Available as services.radicle.ci.broker.enable.

• radicle-native-ci, an adapter for the Radicle CI broker, for performing CI runs locally. Available as services.radicle.ci.adapters.native.

• llama-swap, a light weight transparent proxy server that provides automatic model swapping to llama.cpp's server (or any server with an OpenAI compatible endpoint). Available as .

• tuwunel, a federated chat server implementing the Matrix protocol, forked from Conduwuit. Available as services.matrix-tuwunel.

• Broadcast Box, a WebRTC broadcast server. Available as services.broadcast-box.

• boot.kernel.sysfs allows setting of sysfs attributes.

• local-content-share, a simple web-app for storing/sharing text snippets and files in your local network. Available as services.local-content-share.

• Docker now defaults to 28.x, because version 27.x stopped receiving security updates and bug fixes after May 2, 2025.

• Corteza, a low-code platform. Available as services.corteza.

• Warpgate, a SSH, HTTPS, MySQL and Postgres bastion. Available as services.warpgate. Note that you need to run warpgate recover-access to recover builtin admin account, as the initialisation script uses a throwaway value to initialise its database.

• TuneD, a system tuning service for Linux. Available as services.tuned.

• yubikey-manager, a tool for configuring YubiKey devices. Available as programs.yubikey-manager.

• Linkwarden a self-hosted collaborative bookmark manager to collect, read, annotate, and fully preserve what matters, all in one place. Available as services.linkwarden.

• Draupnir, a Matrix moderation bot. Available as services.draupnir.

• Pangolin, a tunneled reverse proxy server with access control. Available as services.pangolin.

• postfix-tlspol, MTA-STS and DANE resolver and TLS policy server for Postfix. Available as services.postfix-tlspol.

• crowdsec, a free, open-source and collaborative IPS. Available as services.crowdsec.

• crowdsec-firewall-bouncer, the CrowdSec Remediation Component for fetching new and old decisions from a CrowdSec API and adding them to a blocklist used by supported firewalls. Available as services.crowdsec-firewall-bouncer.

• tsidp, a simple OIDC / OAuth Identity Provider (IdP) server for your tailnet. Available as services.tsidp.

• Newt, a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. Available as services.newt.

• IfState, manage host interface settings in a declarative manner. Available as networking.ifstate and boot.initrd.network.ifstate.

• qBittorrent, is a bittorrent client programmed in C++ / Qt that uses libtorrent by Arvid Norberg. Available as services.qbittorrent.

• Speedify, a proprietary VPN which allows combining multiple internet connections (Wi-Fi, 4G, 5G, Ethernet, Starlink, Satellite, and more) to improve the stability, speed, and security of online experiences. Available as services.speedify.

• Szurubooru, an image board engine inspired by services such as Danbooru, dedicated for small and medium communities. Available as services.szurubooru.

• The Neat IP Address Planner (NIPAP) can now be enabled through services.nipap.enable.

• tpm2-totp can now be used to show a TOTP during boot using Plymouth. Available as boot.plymouth.tpm2-totp.

• nix-store-veritysetup, a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as boot.initrd.nix-store-veritysetup.

• ente, a service that provides a fully open source, end-to-end encrypted platform for photos and videos. Available as services.ente.api and services.ente.web.

• PairDrop, a peer-to-peer file transfer web app. Available as services.pairdrop.

• SuiteNumérique Docs, a collaborative note taking, wiki and documentation web platform and alternative to Notion or Outline. Available as services.lasuite-docs.

• dwl, a compact, hackable compositor for Wayland based on wlroots. Available as programs.dwl.

• angrr, a service that automatically cleans up old auto GC roots. Available as services.angrr.

• Sharkey, a Sharkish microblogging platform. Available as services.sharkey.

• fw-fanctrl, a simple systemd service to better control Framework Laptop's fan(s). Available as hardware.fw-fanctrl.

• SillyTavern, LLM Frontend for Power Users. Available as services.sillytavern.

• mautrix-discord, a Matrix-Discord puppeting/relay bridge. Available as services.mautrix-discord.

• Timekpr-nExT, a time managing application that helps optimizing time spent at computer for your subordinates, children or even for yourself. Available as .

• SuiteNumérique Meet is an open source alternative to Google Meet and Zoom powered by LiveKit: HD video calls, screen sharing, and chat features. Built with Django and React. Available as services.lasuite-meet.

• Prometheus Storagebox Exporter, a Prometheus exporter for Hetzner storage boxes.

• pmount, a tool that allows normal users to mount removable devices without requiring root privileges Available at programs.pmount.

• lemurs, a customizable TUI display/login manager. Available at services.displayManager.lemurs.

• docuseal, a DocuSign alternative. Create, fill, and sign digital documents. Available at services.docuseal.

• paisa, a personal finance tracker and dashboard. Available as services.paisa.

• conman, a serial console management program. Available as services.conman.

• KMinion, feature-rich Prometheus exporter for Apache Kafka. Available as services.prometheus.exporters.kafka.

• Beszel, a lightweight server monitoring hub with historical data, docker stats, and alerts. Available as services.beszel.agent and services.beszel.hub.

• Spoolman, a inventory management system for Filament spools. Available as services.spoolman.

• Temporal, a durable execution platform that enables developers to build scalable applications without sacrificing productivity or reliability. Available as services.temporal.

• services.libvirtd.autoSnapshot, a backup service for libvirt managed vms.

• Sshwifty, a Telnet and SSH client for your browser. Available as services.sshwifty.

• Added nixos-init, a Rust-based bashless initialization system for systemd initrd. This allows to build NixOS systems without any interpreter. Enable via system.nixos-init.enable = true;.

• nvme-rs, NVMe monitoring services.nvme-rs.

• ringboard, a fast, efficient, and composable clipboard manager for Linux. Available for x11 as services.ringboard and for wayland as services.ringboard.

• Tenstorrent hardware module has been added.

• nixbit, a GUI application for updating your NixOS system from a Nix Flakes Git repository. Available as programs.nixbit.

Backward Incompatibilities

• The Perl implementation of the switch-to-configuration program is removed. All switchable systems now use the Rust rewrite. Any prior usage of system.switch.enableNg must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.

• The no-broken-symlink build hook now also fails builds whose output derivation contains links to $TMPDIR (typically /build, which contains the build directory).

• hardware.amdgpu.amdvlk and the amdvlk package have been removed, as they have been deprecated by AMD. These have been replaced with the RADV driver from Mesa, which is enabled by default.

• Linux 5.4 and all its variants have been removed since mainline will reach its end of life within the support-span of 25.11.

• The services.polipo module has been removed as polipo is unmaintained and archived upstream.

• boot.enableContainers is only turned on when a declarative NixOS container is defined in containers. If you use the nixos-container tool for imperative container management, set boot.enableContainers = true; explicitly.

• services.parsoid and the nodePackages.parsoid package have been removed, as the JavaScript-based version this module uses is not compatible with modern MediaWiki versions.

• virtualisation.lxd has been removed due to lack of Nixpkgs maintenance. Users can migrate to virtualisation.incus, a fork of LXD, as a replacement. See Incus migration documentation for migration information.

• virtualisation.libvirtd now uses OVMF images shipped with QEMU for UEFI machines. virtualisation.libvirtd.qemu.ovmf has been removed.

  • OVMF images from underlying QEMU package are now made available under '/run/libvirt/nix-ovmf', fixing prior issues when using QEMU's automatic EFI firmware and feature handling, relied upon by GNOME Boxes, virsh, virt-manager, etc.
  • Domains that rely on automatic firmware and feature handling, i.e. <os firmware='efi'> need to trigger an update to <loader> and <nvram> entries. Using virsh edit <domain> and deleting aforementioned tags will cause libvirt to replace them with the new paths.
  • Configurations that relied on virtualisation.libvirtd.qemu.ovmf and had domains that did not use automatic firmware and feature handling, require a manual change to their domain configuration, updating <loader> and <nvram> entries from old path to the new path.

    Old Path	New Path
    /run/libvirt/nix-ovmf/OVMF_CODE.fd	/run/libvirt/nix-ovmf/edk2-x86_64-code.fd
    /run/libvirt/nix-ovmf/OVMF_VARS.fd	/run/libvirt/nix-ovmf/edk2-i386-vars.fd
    /run/libvirt/nix-ovmf/OVMF_CODE.ms.fd	/run/libvirt/nix-ovmf/edk2-x86_64-secure-code.fd
    /run/libvirt/nix-ovmf/OVMF_VARS.ms.fd	/run/libvirt/nix-ovmf/edk2-i386-vars.fd
    /run/libvirt/nix-ovmf/AAVMF_CODE.fd	/run/libvirt/nix-ovmf/edk2-aarch64-code.fd
    /run/libvirt/nix-ovmf/AAVMF_VARS.fd	/run/libvirt/nix-ovmf/edk2-arm-vars.fd
    /run/libvirt/nix-ovmf/AAVMF_CODE.ms.fd	/run/libvirt/nix-ovmf/edk2-aarch64-code.fd
    /run/libvirt/nix-ovmf/AAVMF_VARS.ms.fd	/run/libvirt/nix-ovmf/edk2-arm-vars.fd

• The non-LTS Forgejo package (forgejo) has been updated to 12.0.0. This release contains breaking changes, see the release blog post for all the details and how to ensure smooth upgrades.

• sing-box has been updated to 1.12.3, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run. See the change log for details and migration for how to update old configurations.

• The Pocket ID module ([services.pocket-id][#opt-services.pocket-id.enable]) and package (pocket-id) has been updated to 1.0.0. Some environment variables have been changed or removed, see the migration guide.

• services.seafile has been removed, as it is unmaintained and outdated. See the manual for details and next steps.

• The zigbee2mqtt package was updated to version 2.x, which contains breaking changes. See the discussion for further information.

• []{#sec-release-25.11-incompatibilities-sourcehut-removed} The services.sourcehut module and corresponding sourcehut packages were removed due to being broken and unmaintained.

• The zookeeper project changed their logging tool to logback, therefore services.zookeeper.logging option has been updated to expect a logback compatible string.

• The dovecot systemd service was renamed from dovecot2 to dovecot. The former is now just an alias. Update any overrides on the systemd unit to the new name.

• Configurations with boot.initrd.systemd.enable && !boot.initrd.enable will have their init script at $toplevel/init instead of $toplevel/prepare-root. This is because it does not make sense for systemd stage 1 to affect the init script when stage 1 is entirely disabled (e.g. containers).

• programs.goldwarden has been removed, due to the software not working with newer versions of the Bitwarden and Vaultwarden servers, as well as it being abandoned upstream.

• The chatgpt-retrieval-plugin package and services.chatgpt-retrieval-plugin module were removed due to the package having been broken since at least November 2024.

• The cardboard package and programs.cardboard module were removed due to the package having been broken since at least November 2024.

• The default kops version is now 1.33.0 and versions 1.30 and older have been dropped. See Upgrading Kubernetes for instructions on how to update kOps.

• programs.skim.fuzzyCompletions has been removed in favor of adding the completions to the package itself.

• Prosody has been updated to major release 13 which removed some obsoleted modules and brought a couple of major and breaking changes:

  • The http_files module is now disabled by default because it now requires http_files_dir to be configured.
  • The vcard_muc module has been removed and got replaced by the inbuilt muc_vcard module.
  • The http_upload module has been removed and you must migrate to the http_file_share module to stay XEP-0423 compliant. The httpFileShare options got expanded to better facility that.
  • The admin_shell module is now always being loaded to make prosodyctl functional.
  • The mime_types_file setting is now set to "${pkgs.mailcap}/etc/mime.types" to prevent errors. For a complete list of changes, please see their announcement.

• The yeahwm package and services.xserver.windowManager.yeahwm module were removed due to the package being broken and unmaintained upstream.

• services.nixseparatedebuginfod.enable = true; has been replaced by services.nixseparatedebuginfod2.enable = true. If you only use the official binary cache https://cache.nixos.org then no further configuration should be needed. If you have other https substituters, you can add them to services.nixseparatedebuginfod2.subsituters. SSH substituters are not supported by nixseparatedebuginfod2. Consider running nixseparatedebuginfod2 on the substituter instead, and pointing to it with the new option environment.debuginfodServers.

• The services.snapserver module has been migrated to use the settings option and render a configuration file instead of passing every option over the command line.

• The services.meilisearch module now always defaults to the latest version of meilisearch, as the previous meilisearch_1_11 package was removed. This is only an issue if you were using the old version.

• services.journald.gateway.user and services.journald.gateway.system now defaults to false. This new behaviour matches the default behaviour of the systemd-journal-gatewayd service itself.

• The services.postgresql module now sets up a systemd unit postgresql.target. Depending on postgresql.target guarantees that postgres is in read-write mode and initial/ensure scripts were executed. Depending on postgresql.service only guarantees a read-only connection.

• The services.mysql module now restarts the database on-abnormal, which means that it now will be restarted in certain situations, it wasn't before. For example an OOM-kill.

• The services.tt-rss module and package have been removed as upstream development ceased on 2025-11-01, and the source is no longer available officially.

• The services.siproxd module has been removed as siproxd is unmaintained and broken with libosip 5.x.

• The services.postfixadmin module has been removed due to a lack of active maintainers.

• services.tor.torsocks.enable no longer defaults to true if Tor and Tor client functionality is enabled.

• netbox-manage script created by the netbox module no longer uses sudo -u netbox internally. It can be run as root and will change it's user to netbox using runuser

• services.gateone has been removed as the package was removed such that it does not work.

• services.quorum has been removed as the quorum package was broken and abandoned upstream.

• teleport has been upgraded from major version 17 to major version 18. Refer to upstream upgrade instructions and release notes for v18.

• services.dwm-status.extraConfig was replaced by RFC0042-compliant , which is used to generate the config file. services.dwm-status.order is now moved to , as it's a part of the config file.

• gitversion was updated to 6.3.0, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run. See the 6.0.0 release notes for GitVersion for details on the breaking changes, the documentation on the configuration format for the new configuration specification, and the documentation on version variables for what is now supported.

• renovate was updated to v41. See the upstream release notes for v40 and v41 for breaking changes.

• The "NIXOS_EXTRA_MODULE_PATH" variable from configuration evaluation has been deprecated. We recommend a workflow where you update the expression files instead, but if you wish to continue to use this variable, you may do so with a module like:

  {
    imports = [
      (builtins.getEnv "NIXOS_EXTRA_MODULE_PATH")
    ];
  }
  

  This has the benefit that your configuration hints at the non-standard workflow.

• i18n.inputMethod.fcitx5.plasma6Support has been removed because qt6 is the only one used for fcitx5-configtool now.

• firezone has changed how the Everyone group behaves. Service Accounts are no longer considered part of Everyone.

• The boot.readOnlyNixStore has been removed. Control over bind mount options on /nix/store is now offered by the boot.nixStoreMountOpts option.

• Direct use of pkgs.formats.systemd has been deprecated, and should now be instantiated with pkgs.formats.systemd { } similarly to other items in pkgs.formats.

• The Postfix module has been updated and likely requires configuration changes:

  • The services.postfix.sslCert and sslKey options were removed and you now need to configure
    • services.postfix.settings.main.smtpd_tls_chain_files for server certificates,
    • services.postfix.settings.main.smtp_tls_chain_files for client certificates.

• vmalert now supports multiple instances with the option services.vmalert.instances."".enable

• virtualisation.waydroid.package now defaults to waydroid-nftables on systems with nftables enabled.

• services.victorialogs.package now defaults to victorialogs, as victoriametrics no longer contains the VictoriaLogs binaries.

• The services.traccar.settings attribute has been reworked. Instead of the previous flat attribute set the new implementation uses nested attribute sets. You need to update you configuration manually. For instance, services.traccar.settings.loggerConsole becomes services.traccar.settings.logger.console.

• The wstunnel module was converted to RFC42-style settings, you will need to update your NixOS config if you make use of this module.

• private-gpt service has been removed by lack of maintenance upstream.

• The asterisk-lts package was changed to v22 from v18. The default asterisk package was changed to v22 from v20. Asterisk version 18 has been dropped due to being EOL. The asterisk-stable (v20) package was unchanged. You may need to update /var/lib/asterisk to match the template files in ${asterisk-...}/var/lib/asterisk.

• NixOS display manager modules now strictly use tty1, where many of them previously used tty7. Options to configure display managers' VT have been dropped. A configuration with a display manager enabled will not start getty@tty1.service, even if the system is forced to boot into multi-user.target instead of graphical.target.

• river 0.3.x has been renamed to river-classic upstream, and the package renamed accordingly. programs.river has been renamed to programs.river-classic.

• command-not-found package is now disabled by default; it works only for nix-channels based systems, and requires setup for it to work.

• The systemd target kbrequest.target is now unset by default, instead of being forcibly symlinked to rescue.target. In case you were relying on this behavior (Alt + ArrowUp on the tty causing the current target to be changed to rescue.target), you can restore it by setting systemd.targets.rescue.aliases = [ "kbrequest.target" ]; in your configuration.

• miniflux no longer uses the hstore PostgreSQL extension. Having the extension would prevent Miniflux from starting. In case you are managing your miniflux PostgreSQL database externally, disable the extension with DROP EXTENSION IF EXISTS hstore;.

Other Notable Changes

• services.clamsmtp is unmaintained and was removed from Nixpkgs.

• The latest available version of Nextcloud is v32 (available as pkgs.nextcloud32). The installation logic is as follows:

  • If services.nextcloud.package is specified explicitly, this package will be installed (recommended)
  • If system.stateVersion is >=25.05, pkgs.nextcloud32 will be installed by default.
  • If system.stateVersion is >=24.11, pkgs.nextcloud31 will be installed by default.
  • nextcloud30 is EOL and was thus removed.
  • Please note that an upgrade from v30 (or older) to v32 directly is not possible. Please upgrade to nextcloud31 (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring services.nextcloud.package = pkgs.nextcloud30;.

• services.eris-server was removed from Nixpkgs due to a hostile upstream.

• prosody gained a config check option named services.prosody.checkConfig which runs prosodyctl check config and is turned on by default.

• services.dependency-track removed its configuration of the JVM heap size. This lets the JVM choose its maximum heap size automatically, which should work much better in practice for most users. For deployments on systems with little RAM, it may now be necessary to manually configure a maximum heap size using {option}services.dependency-track.javaArgs.

• services.dnscrypt-proxy2 was renamed to services.dnscrypt-proxy to match the package name. The systemd service is now also dnscrypt-proxy, but the old name is still provided as an alias for backwards compatibility.

• services.dnscrypt-proxy gains a package option to specify dnscrypt-proxy package to use.

• boot.plymouth now has a package option to specify the package used in the module.

• services.limesurvey now supports nginx as reverse-proxy. Available through services.limesurvey.webserver.

• services.nextcloud.configureRedis now defaults to true in accordance with upstream recommendations to have caching for file locking. See the upstream doc for further details.

• mate-wayland-session 1.28.4 is now using the default wayfire decorator instead of firedecor, thus services.xserver.desktopManager.mate.enableWaylandSession is no longer shipping firedecor. If you are experiencing broken window decorations after upgrade, backup and remove ~/.config/mate/wayfire.ini and re-login.

• A new option has been added. This option will be used to guard nspawn-specific configuration in NixOS since is also used for different container-runtimes such as LXC.

  • The new option is automatically set to true by the declarative container module and nixos-container when not using flakes.
    • Existing setups can be migrated by running either
      • nixos-container update <container-name> --config-file /path/to/the/config-file-in-use.nix
      • nixos-container update <container-name> --config '/* config code */'
      • Setting the option by hand in your configuration when using flakes.
  • In all other cases, you'll need to set this option to true yourself.
  • boot.isNspawnContainer being true implies being true.

• Due to deprecation of gnome-session X11 support, services.desktopManager.pantheon now defaults to pantheon-wayland session. The X11 session has been removed, see this issue for details.

• bcachefs file systems will now use the out-of-tree module for supported kernels. The in-tree module has been removed, and users will need to switch to kernels that support the out-of-tree module.

• services.filesender and the package filesender have been removed because they depend on simplesamlphp.

• services.gitea supports sending notifications with sendmail again. To do this, activate the parameter services.gitea.mailerUseSendmail and configure SMTP server.

• services.mattermost has been updated to use the 10.11 ESR instead of 10.5. While this shouldn't break anyone, we also now package Mattermost 11 as mattermostLatest. Note that Mattermost 11 drops support for MySQL. The Mattermost module will assertion fail if you try to use MySQL with Mattermost 11; support for using MySQL with Mattermost will fully be removed in NixOS 26.

• simplesamlphp has been removed since the package was severely outdated, unmaintained in nixpkgs and having known vulnerabilities.

• networking.wireless.networks.<name> now has an option to specify SSID, hence allowing duplicated SSID setup. The BSSID option is added along side with this.

• Revamp of the ACME certificate acquisication and renewal process to help scale systems with lots (100+) of certificates.

  Units and targets have been reshaped to better support more specific dependency propagation and avoid superfluously triggering unchanged units:

  If a service requires a syntactically valid certificate to start it should now depend on the acme-{certname}.service unit.

  We now always generate initial self-signed certificates as this drastically simplifies the dependency structure. As a result, the option security.acme.preliminarySelfsigned has been removed.

  Instead of the previous acme-finished-{certname}.targets there are now acme-order-renew-{certname}.services that will be activated in a delayed fashion to ensure that bootstrapping with servers like nginx that take part in the acquisition/renewal process works smoothly. Dependencies on acme-finished units should move to acme-order-renew.

  Note that system activation will complete before all certificates may have been renewed or acquired.

• php81 was removed.

• libvirt now supports using nftables backend.

  • The virtualisation.libvirtd.firewallBackend option can be used to configure the firewall backend used by libvirtd.

• The third-party ant-contrib is no longer included in the ant package.

• systemd.extraConfig and boot.initrd.systemd.extraConfig was converted to RFC42-style systemd.settings.Manager and boot.initrd.systemd.settings.Manager respectively.

  • systemd.watchdog.runtimeTime was renamed to systemd.settings.Manager.RuntimeWatchdogSec
  • systemd.watchdog.device was renamed to systemd.settings.Manager.WatchdogDevice
  • systemd.watchdog.rebootTime was renamed to systemd.settings.Manager.RebootWatchdogSec
  • systemd.watchdog.kexecTime was renamed to systemd.settings.Manager.KExecWatchdogSec
  • systemd.enableCgroupAccounting was removed. Cgroup accounting now needs to be disabled directly using systemd.settings.Manager.*Accounting.

• services.logind.extraConfig was converted to RFC42-style services.logind.settings.Login.

• services.ntpd-rs now performs configuration validation.

• Immich now has support for VectorChord when using the PostgreSQL configuration provided by services.immich.database.enable, which replaces pgvecto-rs. VectorChord support can be toggled with the option services.immich.database.enableVectorChord. Additionally, pgvecto-rs support is now disabled from NixOS 25.11 onwards using the option services.immich.database.enableVectors. This option will be removed fully in the future once Immich drops support for pgvecto-rs fully. See Immich migration instructions

• services.restic.backups now includes a command option for passing a command to the --stdin-from-command flag.

• services.postsrsd now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the services.postsrsd.configurePostfix option.

• services.pfix-srsd now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the services.pfix-srsd.configurePostfix option.

• services.monero now includes the environmentFile option for adding secrets to the Monero daemon config.

• services.netbird.server now uses dedicated packages split out due to relicensing of server components to AGPLv3 with version 0.53.0,

• linux_libre & linux_latest_libre have been removed due to a lack of maintenance.

• services.pds has been renamed to services.bluesky-pds.

• services.xserver.desktopManager.deepin and associated packages have been removed due to being unmaintained. See issue #422090 for more details.

• services.matter-server now hosts a debug dashboard on the configured port. Open the port on the firewall with services.matter-server.openFirewall.

• The new option networking.ipips has been added to create IP within IP kind of tunnels (including 4in6, ip6ip6 and ipip). With the existing networking.sits option (6in4), it is now possible to create all combinations of IPv4 and IPv6 encapsulation.

• It is now possible to configure the default source address using the new options networking.defaultGateway.source, networking.defaultGateway6.source.

• Potential race conditions in the network setup when using networking.interfaces have been fixed by disabling duplicate address detection (DAD) for statically configured IPv6 addresses.

• strongSwan has been updated to 6.0. See strongSwan 6.0.0 release notes for a complete list of changes.

• slurm no longer supports gtk2.

• amdgpu kernel driver overdrive mode can now be enabled by setting hardware.amdgpu.overdrive.enable and customized through hardware.amdgpu.overdrive.ppfeaturemask. This allows for fine-grained control over the GPU's performance and maybe required by overclocking softwares like Corectrl and Lact. These new options replace old options such as {option}programs.corectrl.gpuOverclock.enable and {option}programs.tuxclocker.enableAMD.

• services.varnish.http_address has been superseeded by services.varnish.listen which is now structured config for all of varnish's -a variations.

• services.nginx.recommendedProxySettings now sets X-Forwarded-Server to the hostname of nginx instead of the original host.

• does not ship with an SSH agent anymore, as this is now handled by the gcr_4 package instead of gnome-keyring. A new module has been added to support this, under (its default value has been set to to ensure a smooth transition). See the relevant upstream PR for more details.

• The nettools package (ifconfig, arp, mii-tool, netstat, route) is not installed by default anymore. The suite is unmaintained and users should migrate to iproute2 and ethtool instead.

• sparkleshare has been removed as it no longer builds and has been abandoned upstream.

• The open-webui package's postgres support have been moved to optional dependencies to comply with upstream changes in 0.6.26.

• prl-tools has been moved out of linuxPackages because Parallels Guest Tools become driverless since 26.1.0.

• services.opentelemetry-collector has a new option validateConfigFile option that checks the configuration file during build. It is enabled by default if the configuration file is in the Nix store.