nixpkgs/nixos/doc/manual/release-notes/rl-2411.section.md

Release 24.11 (“Vicuña”, 2024.11/??)

Highlights

• Convenience options for amdgpu, open source driver for Radeon cards, is now available under hardware.amdgpu.

• AMDVLK, AMD's open source Vulkan driver, is now available to be configured as hardware.amdgpu.amdvlk option. This also allows configuring runtime settings of AMDVLK and enabling experimental features.

New Services

• Open-WebUI, a user-friendly WebUI for LLMs. Available as services.open-webui service.

• Quickwit, sub-second search & analytics engine on cloud storage. Available as services.quickwit.

• Flood, a beautiful WebUI for various torrent clients. Available as services.flood.

• Renovate, a dependency updating tool for various git forges and language ecosystems. Available as services.renovate.

Backward Incompatibilities

• transmission package has been aliased with a trace warning to transmission_3. Since Transmission 4 has been released last year, and Transmission 3 will eventually go away, it was decided perform this warning alias to make people aware of the new version. The services.transmission.package defaults to transmission_3 as well because the upgrade can cause data loss in certain specific usage patterns (examples: #5153, #6796). Please make sure to back up to your data directory per your usage:

  • transmission-gtk: ~/.config/transmission
  • transmission-daemon using NixOS module: ${config.services.transmission.home}/.config/transmission-daemon (defaults to /var/lib/transmission/.config/transmission-daemon)

• androidenv.androidPkgs_9_0 has been removed, and replaced with androidenv.androidPkgs for a more complete Android SDK including support for Android 9 and later.

• wstunnel has had a major version upgrade that entailed rewriting the program in Rust. The module was updated to accommodate for breaking changes. Breaking changes to the module API were minimised as much as possible, but some were nonetheless inevitable due to changes in the upstream CLI. Certain options were moved from separate CLI arguments into the forward specifications, and those options were also removed from the module's API, please consult the wstunnel man page for more detail. Also be aware that if you have set additional options in services.wstunnel.{clients,servers}.<name>.extraArgs, that those might have been removed or modified upstream.

• clang-tools_<version> packages have been moved into llvmPackages_<version> (i.e. clang-tools_18 is now llvmPackages_18.clang-tools).

  • For convenience, the top-level clang-tools attribute remains and is now bound to llvmPackages.clang-tools.
  • Top-level clang_tools_<version> attributes are now aliases; these will be removed in a future release.

• nginx package no longer includes gd and geoip dependencies. For enabling it, override nginx package with the optionals withImageFilter and withGeoIP.

• openssh and openssh_hpn are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can use the new opensshWithKerberos and openssh_hpnWithKerberos flavors (e.g. programs.ssh.package = pkgs.openssh_gssapi).

• security.ipa.ipaHostname now defaults to the value of networking.fqdn if it is set, instead of the previous hardcoded default of ${networking.hostName}.${security.ipa.domain}.

• nvimpager was updated to version 0.13.0, which changes the order of user and nvimpager settings: user commands in -c and --cmd now override the respective default settings because they are executed later.

• services.forgejo.mailerPasswordFile has been deprecated by the drop-in replacement services.forgejo.secrets.mailer.PASSWD, which is part of the new free-form services.forgejo.secrets option. services.forgejo.secrets is a small wrapper over systemd's LoadCredential=. It has the same structure (sections/keys) as services.forgejo.settings but takes file paths that will be read before service startup instead of some plaintext value.

• services.ddclient.use has been deprecated: ddclient now supports separate IPv4 and IPv6 configuration. Use services.ddclient.usev4 and services.ddclient.usev6 instead.

• vaultwarden lost the capability to bind to privileged ports. If you rely on this behavior, override the systemd unit to allow CAP_NET_BIND_SERVICE in your local configuration.

• The Invoiceplane module now only accepts the structured settings option. extraConfig is now removed.

• Legacy package stalwart-mail_0_6 was dropped, please note the manual upgrade process before changing the package to pkgs.stalwart-mail in services.stalwart-mail.package.

• androidndkPkgs has been updated to androidndkPkgs_26.

• Android NDK version 26 and SDK version 33 are now the default versions used for cross compilation to android.

• haskell.lib.compose.justStaticExecutables now disallows references to GHC in the output by default, to alert users to closure size issues caused by #164630. See "Packaging Helpers" in the Haskell section of the Nixpkgs manual for information on working around output '...' is not allowed to refer to the following paths errors caused by this change.

• The stalwart-mail service now runs under the stalwart-mail system user instead of a dynamically created one via DynamicUser, to avoid automatic ownership changes on its large file store each time the service was started. This change requires to manually move the state directory from /var/lib/private/stalwart-mail to /var/lib/stalwart-mail and to change the ownership of the directory and its content to stalwart-mail.

• The stalwart-mail module now uses RocksDB as the default storage backend for stateVersion ≥ 24.11. (It was previously using SQLite for structured data and the filesystem for blobs).

• libe57format has been updated to >= 3.0.0, which contains some backward-incompatible API changes. See the release note for more details.

• gitlab deprecated support for runner registration tokens in GitLab 16.0, disabled their support in GitLab 17.0 and will ultimately remove it in GitLab 18.0, as outlined in the documentation. After upgrading to GitLab >= 17.0, it is possible to re-enable support for registration tokens in the UI until GitLab 18.0. Refer to the manual on using registration tokens after GitLab 17.0. GitLab administrators should migrate to the new runner registration workflow with runner authentication tokens until the release of GitLab 18.0.

• zx was updated to v8, which introduces several breaking changes. See the v8 changelog for more information.

• The portunus package and service do not support weak password hashes anymore. If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing. Then, follow the instructions on the upstream release notes to upgrade all existing user accounts to strong password hashes. If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration:

  services.portunus.package      = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; };
  services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
  

• keycloak was updated to version 25, which introduces new hostname related options. See Upgrading Guide for instructions.

• The tracy package no longer works on X11, since it's moved to Wayland support, which is the intended default behavior by Tracy maintainers. X11 users have to switch to the new package tracy-x11.

• The services.prometheus.exporters.minio option has been removed, as it's upstream implementation was broken and unmaintained. Minio now has built-in Prometheus metrics exposure, which can be used instead.

Other Notable Changes

• hareHook has been added as the language framework for Hare. From now on, it, not the hare package, should be added to nativeBuildInputs when building Hare programs.

• To facilitate dependency injection, the imgui package now builds a static archive using vcpkg' CMake rules. The derivation now installs "impl" headers selectively instead of by a wildcard. Use imgui.src if you just want to access the unpacked sources.