nixpkgs/nixos/doc/manual/release-notes/rl-2511.section.md

Release 25.11 ("Xantusia", 2025.11/??)

Highlights

• nixos-rebuild-ng, a full rewrite of nixos-rebuild in Python, is enabled by default from this release. You can disable it by setting to false in your configuration if you need, but please report any issues. It is expected that the next major version of NixOS (26.05) will remove the {option}system.rebuild.enableNg option.

• Secure boot support can now be enabled for the Limine bootloader through {option}boot.loader.limine.secureBoot.enable. Bootloader install script signs the bootloader, then kernels are hashed during system rebuild and written to a config. This allows Limine to boot only the kernels installed through NixOS system.

• The default PostgreSQL version for new NixOS installations (i.e. with system.stateVersion >= 25.11) is v17.

• The NetworkManager module does not ship with a default set of VPN plugins anymore. All required VPN plugins must now be explicitly configured in networking.networkmanager.plugins.

New Modules

• gtklock, a GTK-based lockscreen for Wayland. Available as programs.gtklock.

• Chrysalis, a graphical configurator for Kaleidoscope-powered keyboards. Available as programs.chrysalis.

• Pi-hole, a DNS sinkhole for advertisements based on Dnsmasq. Available as services.pihole-ftl, and services.pihole-web for the web GUI and API.

• Fediwall, a web application for live displaying toots from mastodon, inspired by mastowall. Available as services.fediwall.

• FileBrowser, a web application for managing and sharing files. Available as services.filebrowser.

• Options under networking.getaddrinfo are now allowed to declaratively configure address selection and sorting behavior of getaddrinfo in dual-stack networks.

• Homebridge, a lightweight Node.js server you can run on your home network that emulates the iOS HomeKit API. Available as services.homebridge.

• LACT, a GPU monitoring and configuration tool, can now be enabled through services.lact.enable. Note that for LACT to work properly on AMD GPU systems, you need to enable hardware.amdgpu.overdrive.enable.

• Auto-scrub support for Bcachefs filesystems can now be enabled through services.bcachefs.autoScrub.enable to periodically check for data corruption. If there's a correct copy available, it will automatically repair corrupted blocks.

• LibreTranslate, a free and open source machine translation API. Available as services.libretranslate.

• tlsrpt-reporter, an application suite to generate and deliver TLSRPT reports. Available as services.tlsrpt.

• Chhoto URL, a simple, blazingly fast, selfhosted URL shortener with no unnecessary features, written in Rust. Available as services.chhoto-url.

• tuwunel, a federated chat server implementing the Matrix protocol, forked from Conduwuit. Available as services.matrix-tuwunel.

• Broadcast Box, a WebRTC broadcast server. Available as services.broadcast-box.

• Docker now defaults to 28.x, because version 27.x stopped receiving security updates and bug fixes after May 2, 2025.

• Corteza, a low-code platform. Available as services.corteza.

• Draupnir, a Matrix moderation bot. Available as services.draupnir.

• postfix-tlspol, MTA-STS and DANE resolver and TLS policy server for Postfix. Available as services.postfix-tlspol.

• Newt, a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. Available as services.newt.

• qBittorrent, is a bittorrent client programmed in C++ / Qt that uses libtorrent by Arvid Norberg. Available as services.qbittorrent.

• Speedify, a proprietary VPN which allows combining multiple internet connections (Wi-Fi, 4G, 5G, Ethernet, Starlink, Satellite, and more) to improve the stability, speed, and security of online experiences. Available as services.speedify.

• Szurubooru, an image board engine inspired by services such as Danbooru, dedicated for small and medium communities. Available as services.szurubooru.

• The Neat IP Address Planner (NIPAP) can now be enabled through services.nipap.enable.

• nix-store-veritysetup, a systemd generator to unlock the Nix Store as a dm-verity protected block device. Available as boot.initrd.nix-store-veritysetup.

• SuiteNumérique Docs, a collaborative note taking, wiki and documentation web platform and alternative to Notion or Outline. Available as services.lasuite-docs.

• dwl, a compact, hackable compositor for Wayland based on wlroots. Available as programs.dwl.

• Sharkey, a Sharkish microblogging platform. Available as services.sharkey.

• fw-fanctrl, a simple systemd service to better control Framework Laptop's fan(s). Available as hardware.fw-fanctrl.

• mautrix-discord, a Matrix-Discord puppeting/relay bridge. Available as services.mautrix-discord.

• SuiteNumérique Meet is an open source alternative to Google Meet and Zoom powered by LiveKit: HD video calls, screen sharing, and chat features. Built with Django and React. Available as services.lasuite-meet.

• lemurs, a customizable TUI display/login manager. Available at services.displayManager.lemurs.

• paisa, a personal finance tracker and dashboard. Available as services.paisa.

Backward Incompatibilities

• The Perl implementation of the switch-to-configuration program is removed. All switchable systems now use the Rust rewrite. Any prior usage of system.switch.enableNg must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.

• The no-broken-symlink build hook now also fails builds whose output derivation contains links to $TMPDIR (typically /build, which contains the build directory).

• The services.polipo module has been removed as polipo is unmaintained and archived upstream.

• The non-LTS Forgejo package (forgejo) has been updated to 12.0.0. This release contains breaking changes, see the release blog post for all the details and how to ensure smooth upgrades.

• The Pocket ID module ([services.pocket-id][#opt-services.pocket-id.enable]) and package (pocket-id) has been updated to 1.0.0. Some environment variables have been changed or removed, see the migration guide.

• []{#sec-release-25.11-incompatibilities-sourcehut-removed} The services.sourcehut module and corresponding sourcehut packages were removed due to being broken and unmaintained.

• The dovecot systemd service was renamed from dovecot2 to dovecot. The former is now just an alias. Update any overrides on the systemd unit to the new name.

• The yeahwm package and services.xserver.windowManager.yeahwm module were removed due to the package being broken and unmaintained upstream.

• The services.postgresql module now sets up a systemd unit postgresql.target. Depending on postgresql.target guarantees that postgres is in read-write mode and initial/ensure scripts were executed. Depending on postgresql.service only guarantees a read-only connection.

• The services.siproxd module has been removed as siproxd is unmaintained and broken with libosip 5.x.

• netbox-manage script created by the netbox module no longer uses sudo -u netbox internally. It can be run as root and will change it's user to netbox using runuser

• services.dwm-status.extraConfig was replaced by RFC0042-compliant , which is used to generate the config file. services.dwm-status.order is now moved to , as it's a part of the config file.

• gitversion was updated to 6.3.0, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run. See the 6.0.0 release notes for GitVersion for details on the breaking changes, the documentation on the configuration format for the new configuration specification, and the documentation on version variables for what is now supported.

• renovate was updated to v41. See the upstream release notes for v40 and v41 for breaking changes.

• The boot.readOnlyNixStore has been removed. Control over bind mount options on /nix/store is now offered by the boot.nixStoreMountOpts option.

• The Postfix module has been updated and likely requires configuration changes:

  • The services.postfix.sslCert and sslKey options were removed and you now need to configure
    • services.postfix.settings.main.smtpd_tls_chain_files for server certificates,
    • services.postfix.settings.main.smtp_tls_chain_files for client certificates.

• vmalert now supports multiple instances with the option services.vmalert.instances."".enable

• services.victorialogs.package now defaults to victorialogs, as victoriametrics no longer contains the VictoriaLogs binaries.

• The wstunnel module was converted to RFC42-style settings, you will need to update your NixOS config if you make use of this module.

Other Notable Changes

• services.clamsmtp is unmaintained and was removed from Nixpkgs.

• services.dependency-track removed its configuration of the JVM heap size. This lets the JVM choose its maximum heap size automatically, which should work much better in practice for most users. For deployments on systems with little RAM, it may now be necessary to manually configure a maximum heap size using {option}services.dependency-track.javaArgs.

• services.dnscrypt-proxy2 gains a package option to specify dnscrypt-proxy package to use.

• services.gitea supports sending notifications with sendmail again. To do this, activate the parameter services.gitea.mailerUseSendmail and configure SMTP server.

• libvirt now supports using nftables backend.

• services.ntpd-rs now performs configuration validation.

• services.postsrsd now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the services.postsrsd.configurePostfix option.

• services.pfix-srsd now automatically integrates with the local Postfix instance, when enabled. This behavior can disabled using the services.pfix-srsd.configurePostfix option.

• services.monero now includes the environmentFile option for adding secrets to the Monero daemon config.

• The new option networking.ipips has been added to create IP within IP kind of tunnels (including 4in6, ip6ip6 and ipip). With the existing networking.sits option (6in4), it is now possible to create all combinations of IPv4 and IPv6 encapsulation.

• It is now possible to configure the default source address using the new options networking.defaultGateway.source, networking.defaultGateway6.source.

• Potential race conditions in the network setup when using networking.interfaces have been fixed by disabling duplicate address detection (DAD) for statically configured IPv6 addresses.

• amdgpu kernel driver overdrive mode can now be enabled by setting hardware.amdgpu.overdrive.enable and customized through hardware.amdgpu.overdrive.ppfeaturemask. This allows for fine-grained control over the GPU's performance and maybe required by overclocking softwares like Corectrl and Lact. These new options replace old options such as {option}programs.corectrl.gpuOverclock.enable and {option}programs.tuxclocker.enableAMD.

• services.varnish.http_address has been superseeded by services.varnish.listen which is now structured config for all of varnish's -a variations.

• does not ship with an SSH agent anymore, as this is now handled by the gcr_4 package instead of gnome-keyring. A new module has been added to support this, under (its default value has been set to to ensure a smooth transition). See the relevant upstream PR for more details.

• The nettools package (ifconfig, arp, mii-tool, netstat, route) is not installed by default anymore. The suite is unmaintained and users should migrate to iproute2 and ethtool instead.

• sparkleshare has been removed as it no longer builds and has been abandoned upstream.