NixOS
Release 26.05 ("Yarara", 2026.05/30) {#sec-release-26.05}
Highlights {#sec-release-26.05-highlights}
Stage 1 (a.k.a. initrd) is now based on systemd by default, and the old scripted implementation is deprecated and scheduled for removal in 26.11. If you run into issues migrating, you can get help from the community or report an issue on GitHub.
You can temporarily revert to the scripted stage 1 implementation by disabling , but this is discouraged.
Most incompatibilities will be explained with assertions during configuration evaluation, but be aware of the following that can't be automatically detected:
- If you use LUKS disk encryption, ensure that `fileSystems."/".device` is set to `"/dev/mapper/<name>"`, where `<name>` matches the name in your `boot.initrd.luks.devices.<name>` definition, to avoid systemd timing out while prompting for a passphrase. If you have a more complex setup, e.g. with LVM on top of LUKS, you may need to add `"x-systemd.device-timeout=infinity"` to `fileSystems."/".options` instead. If you need to disable the timeout before you can boot into the system, pass `systemd.default_device_timeout_sec=infinity` on the kernel command line.
- The `cryptsetup-askpass` program is not available; use `systemctl default` instead, which will prompt for passphrases as necessary. If you pipe password responses into SSH over stdin, use `ssh -o RequestTTY=force` to ensure `systemctl default` gets a TTY to prompt on.
- Many kernel parameters have been replaced with native systemd versions; see .
- `/dev/root` is not available with the systemd stage 1. In the old scripted stage 1, `/dev/root` was a symlink created by the init script from the `root=` kernel command line. With systemd stage 1, this symlink is not provided. If your configuration uses `/dev/root` in `fileSystems`, replace it with a stable device path such as `/dev/disk/by-label/...`, `/dev/disk/by-uuid/...`, or the appropriate `/dev/mapper/...` path.
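As an added example (not part of the release notes), a root-on-LUKS configuration that satisfies the naming rule above for the systemd stage 1, with the LVM-on-LUKS variant and a `/dev/root` replacement; the `cryptroot` name, UUIDs and the `BOOT` label are constructed placeholders:

```nix
# Added example, not from the release notes. All device identifiers below
# are constructed placeholders; substitute the values of your own disks.
{ ... }:

{
  # The LUKS container is declared under boot.initrd.luks.devices.<name>.
  # systemd stage 1 opens it as /dev/mapper/<name>, so <name> must match the
  # fileSystems."/".device entry below; otherwise systemd waits for a root
  # device that never appears and times out while still prompting for the
  # passphrase.
  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/00000000-0000-0000-0000-00000000c0de"; # placeholder
  };

  fileSystems."/" = {
    device = "/dev/mapper/cryptroot";
    # fsType no longer has a default in 26.05 and must be given explicitly.
    fsType = "ext4";
  };

  # Variant for LVM on top of LUKS: the root logical volume only appears
  # after LVM activation inside the opened container, so instead of relying
  # on the mapper name, disable systemd's device timeout on the mount.
  # (Uncomment and drop the fileSystems."/" definition above.)
  # fileSystems."/" = {
  #   device = "/dev/disk/by-uuid/11111111-1111-1111-1111-111111111111"; # placeholder
  #   fsType = "ext4";
  #   options = [ "x-systemd.device-timeout=infinity" ];
  # };

  # Pre-26.05 configurations sometimes pointed mounts at /dev/root, which the
  # scripted stage 1 derived from root= on the kernel command line. It no
  # longer exists, so use a stable by-label or by-uuid path instead.
  fileSystems."/boot" = {
    device = "/dev/disk/by-label/BOOT"; # placeholder label
    fsType = "vfat";
  };

  # Escape hatch while debugging a timeout that blocks booting: the same
  # parameter the notes suggest passing on the kernel command line can be
  # made permanent here.
  # boot.kernelParams = [ "systemd.default_device_timeout_sec=infinity" ];
}
```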
The system.nix file has been added as an alternative entry point to configuration.nix (and flake.nix) that allows configuring NixOS without using `nix-channel`. This file must evaluate to a NixOS system derivation or an attribute set of such derivations, in which case the attribute to build has to be selected with the `--attr` option of `nixos-rebuild` or `nixos-install`. For example:

```nix
# system.nix
let
  # Pinned Nixpkgs archive
  #
  # Use `curl -I https://channels.nixos.org/nixos-26.05` to get the
  # latest commit of the stable channel and `nix-prefetch-url --unpack`
  # to compute its sha256 hash.
  nixpkgs = builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/c217913993d6.tar.gz";
    sha256 = "026mprs324330pfazlgbw987qmsa8ligglarvqbcxzig2kgw0lqg";
  };
in
import "${nixpkgs}/nixos" {
  # Build NixOS using an external configuration.nix file,
  # or directly set your options here
  configuration = ./configuration.nix;
}
```

The default location of system.nix is `/etc/nixos/system.nix` and can be changed by setting the `<nixos-system>` search path. `nixos-rebuild` and `nixos-install` can now also load a system.nix file in the current directory (only if `--attr` is used) or from a directory specified with `--file`.

The default kernel package has been updated from 6.12 to 6.18. All supported kernels remain available.
The default D-Bus implementation has been switched from `dbus` to `dbus-broker`. dbus-broker provides higher performance and reliability while maintaining compatibility with the D-Bus reference implementation.

Note that changing `services.dbus.implementation` is a switch inhibitor: switching between implementations requires a reboot rather than just `nixos-rebuild switch`, because restarting D-Bus mid-session is unsafe.

Users who wish to keep the classic daemon can set:

```nix
services.dbus.implementation = "dbus";
```

The NixOS integration test driver now supports `systemd-nspawn` containers as an alternative backend to QEMU virtual machines (#470248, #478109, #479968). Most NixOS integration tests do not require a full VM, and switching them to containers can considerably reduce test time and resource usage. Container-based tests also run fine on Nix builders that are themselves VMs without KVM, and because containers can bind-mount host device nodes, they make it possible to exercise GPU/CUDA workloads from within NixOS integration tests. See the NixOS manual section on writing tests for details on how to opt in and on the limitations of the container backend.

- Additionally, the driver now exposes machines to the testScript using the attribute name used in the test module. E.g. a machine declared with `nodes.<name> = …` is now available as `<name>`. Before, the test driver used their `system.name` option value. They both default to the same value, but if you have set both independently, you might need to adapt your testScript.
New Modules {#sec-release-26.05-new-modules}
NixOS module was introduced as a simpler alternative to the existing module.
services.nextcloud-spreed-signaling NixOS module has been added to facilitate declarative management of a standalone Spreed signaling server ("High Performance Backend" for Nextcloud Talk).
OpenThread Border Router, a Thread border router for POSIX-based platforms that bridges Thread mesh networks to IP networks. Available as services.openthread-border-router.
Atuin, magical shell history — sync, search and backup your terminal history. Available as programs.atuin.
Meshtastic, an open-source, off-grid, decentralised mesh network designed to run on affordable, low-power devices. Available as services.meshtasticd.
Goupile, an open-source design tool for secure forms including Clinical Report Forms (eCRF). Available as services.goupile.
knot-resolver, in version 6. Available as services.knot-resolver. A module for knot-resolver 5 was already available as services.kresd.
ImmichFrame, display your photos from Immich as a digital photo frame. Available as services.immichframe.
adw-bluetooth, a GNOME-inspired LibAdwaita Bluetooth applet. Available as services.adw-bluetooth.
PdfDing, manage, view and edit your PDFs seamlessly on all your devices wherever you are. Available as services.pdfding.
mangowc, a lightweight and feature-rich Wayland compositor based on dwl. Available as programs.mangowc.
reaction, a daemon that scans program outputs for repeated patterns, and takes action. A common usage is to scan ssh and webserver logs, and to ban hosts that cause multiple authentication errors. A modern alternative to fail2ban. Available as services.reaction.
vinyl-cache, the new name of the Varnish Cache project. Available as services.vinyl-cache. To aid the migration, the old services.varnish module is still available.
papra, an open-source document management platform designed to help you organize, secure, and archive your files effortlessly. Available as services.papra.
rqbit, a bittorrent client written in Rust. It has HTTP API and Web UI, and can be used as a library. Available as services.rqbit.
Tailscale Serve, configure Tailscale Serve for exposing local services to your tailnet. Available as services.tailscale.serve.
qui, a modern alternative webUI for qBittorrent, with multi-instance support. Written in Go/React. Available as services.qui.
kiwix-serve, a service that serves ZIM files (such as Wikipedia archives) over HTTP. Available as services.kiwix-serve.
matterjs-server, a Matter controller with a Home Assistant compatible WebSocket API. Available as services.matterjs-server.
Remark42, a self-hosted comment engine. Available as services.remark42.
LibreChat, open-source self-hostable ChatGPT clone with Agents and RAG APIs. Available as services.librechat.
nohang, a daemon for Linux that prevents out of memory (OOM) situations from affecting system responsiveness. Available as services.nohang.
clevis-luks-askpass, automatic LUKS unlocking in initrd using clevis token bindings stored in LUKS headers. Available as boot.initrd.clevisLuksAskpass.
bentopdf, a privacy-first PDF toolkit running completely in-browser. Available as services.bentopdf.
hyprwhspr-rs, a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as services.hyprwhspr-rs.
DankMaterialShell, a complete desktop shell for Wayland compositors built with Quickshell. Available as programs.dms-shell.
pyroscope, a continuous profiling platform that allows for performance debugging. Available as services.pyroscope.
dms-greeter, a modern display manager greeter for DankMaterialShell that works with greetd and supports multiple Wayland compositors. Available as services.displayManager.dms-greeter.
dsearch, a fast filesystem search service with fuzzy matching. Available as programs.dsearch.
Rustical, a CalDav/CardDav server aiming to be simple, fast and passwordless. Available as services.rustical.
Elephant, a data provider service and backend for building custom application launchers. Available as services.elephant.
Dunst, a lightweight and customizable notification daemon. Available as services.dunst.
cocoon, a PDS (personal data server) that is an alternative to the Bluesky PDS. Available as services.cocoon.
Ente Auth, an open source 2FA authenticator, with end-to-end encrypted backups. Available as programs.ente-auth.
linkding, a self-hosted bookmark manager designed to be minimal, fast, and easy to set up. Available as services.linkding.
gs1200-exporter, a Prometheus exporter for Zyxel GS1200 series switches. Available as services.gs1200-exporter.
Tinyauth, a simple authentication middleware for web apps, with OAuth and LDAP support. Available as services.tinyauth.
Strichliste, a digital self-service tallysheet used in hackerspaces, clubs and offices. Available as services.strichliste.
Dawarich, a self-hostable location history tracker. Available as services.dawarich.
Howdy, a Windows Hello™ style facial authentication program for Linux. Available as services.howdy.
SuiteNumérique Drive, a collaborative file sharing and document management platform that scales. Built with Django and React. Open source alternative to Sharepoint or Google Drive. Available as services.lasuite-drive.
linux-enable-ir-emitter, a tool used to set up IR cameras, used with Howdy. Available as services.linux-enable-ir-emitter.
udp-over-tcp, a tunnel for proxying UDP traffic over a TCP stream. Available as and .
turborepo-remote-cache, an open-source implementation of the Turborepo custom remote cache server. Available as services.turborepo-remote-cache.
RSSHub, a service to convert many sources into rss. Available as services.rsshub.
ReFrame, a DRM/KMS based remote desktop for Linux that supports Wayland/NVIDIA/headless/login. Available as services.reframe.
Komodo Periphery, a multi-server Docker and Git deployment agent by Komodo. Available as services.komodo-periphery.
Shoko, an anime management system. Available as services.shoko.
perses, the open dashboard tool for Prometheus and other data sources. Available as services.perses.
Drasl, an alternative authentication server for Minecraft. Available as services.drasl.
tabbyAPI, the official OpenAI compatible API server for Exllama. Available as services.tabbyapi.
Tdarr, Audio/Video Library Analytics & Transcode/Remux Automation. Available as services.tdarr.
Headplane, a feature-complete Web UI for Headscale. Available as services.headplane.
whois, an intelligent WHOIS client. Available as programs.whois.
porxie, a correct and efficient ATProto blob proxy for secure content delivery. Available as services.porxie.
LogiOps, an unofficial userspace driver for HID++ Logitech devices. Available as services.logiops.
Backward Incompatibilities {#sec-release-26.05-incompatibilities}
is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.
The default packages in have been dropped, since not every Jenkins installation needs any package at all. It's more reasonable to leave it empty and let users configure what they need.
The services.taskchampion-sync-server module has had an option added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set `services.taskchampion-sync-server.dynamicUser` to `true` and migrate `/var/lib/taskchampion-sync-server` to `/var/lib/private/taskchampion-sync-server`.

The programs.captive-browser module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to GHSA-wc3r-c66x-8xmc (CVE-2026-25740). If you're using this module, you must either configure manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.
The services.yggdrasil module has been refactored with the following breaking changes:
- The `services.yggdrasil.configFile` option has been removed. Configuration should now be specified directly via .
- The `services.yggdrasil.persistentKeys` option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
- Storing `PrivateKey` directly in `settings` is now explicitly forbidden to prevent keys from being stored world-readable in the Nix store.
- If you previously used `configFile`, migrate your configuration to the `settings` option and extract the private key to a separate file referenced by `PrivateKeyPath`.
- If you previously used `persistentKeys`, convert your keys to PEM format and store them in a secure location accessible only to root, then reference them via `PrivateKeyPath`.
services.xserver will now throw an error if an X11 driver specified in `videoDriver(s)` cannot be found. Previously, unknown drivers would be silently ignored.

The option now defaults to `false` as a mitigation against CVE-2024-52615/GHSA-x6vp-f33h-h32g.

`systemd.coredump.extraConfig` has been removed in favor of the structured option. Use `systemd.coredump.settings.Coredump` to set any `coredump.conf(5)` option directly. For example, replace `systemd.coredump.extraConfig = "Storage=journal";` with `systemd.coredump.settings.Coredump.Storage = "journal";`.

`services.home-assistant.config.lovelace.mode` has been renamed to `lovelace.dashboards` and `lovelace.resource_mode` to match the configuration format required by Home Assistant 2026.8. Users who explicitly set `lovelace.mode` should remove it; the module generates the correct entries automatically.

`fulcrum` has been updated to 2.x. If run against an existing v1.x database without the `--db-upgrade` flag it refuses to start; the upgrade takes around an hour on Bitcoin mainnet.

`opentrack`, `slushload`, `synthesia`, `vtfedit`, `winbox`, `wineasio`, and `yabridge` use wineWow64Packages instead of wineWowPackages as wine versions >= 11.0 have deprecated wineWowPackages. As such, the prefixes for these packages are NOT backwards compatible and need to be regenerated with potential for data loss.

[]{#sec-release-26.05-incompatibilities-profiles-hardened-removed}
`profiles/hardened` has been removed, because:
- It may introduce unexpected breakage or degrade performance without clear benefit,
- It is difficult to manage user expectations, especially since the implications of enabling it are not always obvious,
- and as multiple contributors have noted, it is often more of a “grab bag” of settings than a cohesive security policy.
- See NixOS Hardening wiki page for hardening options.
`services.crabfit` was removed because its upstream packages are unmaintained and insecure.

services.opensnitch.settings.Rules.Path now defaults to `/var/lib/opensnitch/rules` instead of the previous `/etc/opensnitchd/rules` because it contains mutable data.

services.mosquitto now generates per-listener authentication and access control via the upstream `password-file` and `acl-file` plugins instead of the deprecated `password_file` and `acl_file` options. The plugins contain the same code, so behaviour is unchanged, but must now be at least version 2.1.

`sing-box` has been updated to 1.13.0, which has removed some deprecated options. See upstream documentation for details and migration options.

`services.statsd` has been removed because the packages it relies on do not exist anymore in nixpkgs.

`services.pyload` has been removed because the package it relies on does not exist anymore in nixpkgs due to vulnerabilities and being unmaintained.

Removed the ability from systemd to start units installed via `nix-env -i`. This feature is hardly used and most units do not work without NixOS-specific changes anyway. Removing this allows us to drop a custom systemd patch, improving systemd maintainability and update speed.

Removed the ability from systemd to depend on open-yet-unformatted dm-crypt devices as systemd device units. For example, you cannot call systemd-makefs on such devices. This was never implemented upstream but patched into Nixpkgs's systemd. Removing this allows us to drop a custom systemd patch, improving systemd maintainability and update speed.
The `linux_hardened` kernel has been removed due to a lack of maintenance.

services.tandoor-recipes now uses a sub-directory for media files by default starting with 26.05. Existing setups should move media files out of the data directory and adjust `services.tandoor-recipes.extraConfig.MEDIA_ROOT` accordingly. See Migrating media files for pre-26.05 installations.

The `linux-rt` kernel has been removed due to a lack of maintenance.

`rustic` was upgraded to `0.11.x`, which contains breaking changes to command-line parameters and the configuration file.

The packages `iw` and `wirelesstools` (`iwconfig`, `iwlist`, etc.) are no longer installed implicitly if wireless networking has been enabled.

The `fileSystems.<name>.fsType` option no longer has a default value and must be specified by the user. The value `"auto"` still works as before, though its use is generally discouraged.

`services.uptime` has been removed because the package it relies on does not exist anymore in nixpkgs.

services.mattermost now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module. See the migration steps if you were not running Postgres. Note that version 11 also restricts the user limit to 250 by default; see the `pkgs.mattermost` removeUserLimit and removeFreeBadge options combined with to change this behavior. For example:
{
services.mattermost.package = pkgs.mattermost.override {
removeUserLimit = true;
removeFreeBadge = true;
};
}
`post-resume.target` has been removed. See {manpage}`systemd.special(7)` about `sleep.target` for instructions on ordering a process after resume with `ExecStop=`.

services.vsftpd no longer automatically configures a PAM module. This means configurations using will no longer work unless and are also configured. The old behaviour can be restored by setting `security.pam.services.vsftpd.enable = true`, although this only ever worked by accident and may not be secure.

`services.kubernetes.addons.dns.coredns` has been renamed to and now expects a package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with `dockerTools.buildImage` is used, instead of pulling the upstream container image from Docker Hub. If you want the old behavior, you can set:
{
services.kubernetes.addons.dns.corednsImage = pkgs.dockerTools.pullImage {
imageName = "coredns/coredns";
imageDigest = "sha256:af8c8d35a5d184b386c4a6d1a012c8b218d40d1376474c7d071bb6c07201f47d";
finalImageTag = "v1.12.2";
hash = "sha256-ZgXEyxVrdskQdgg0ONJ9sboAXEEHTgNsiptk5O945c0=";
};
}
`services.stalwart-mail` has been renamed to `services.stalwart` to align with the upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to the module:
- Addition of a module-specific `stateVersion` option, which on existing installations of Stalwart must be set to the same value as `system.stateVersion`. This enables manually and carefully migrating Stalwart to a new `stateVersion`, or newly enabling the Stalwart module with a newer `stateVersion` than `system.stateVersion`.
- `systemd.services.stalwart` is owned by `stalwart:stalwart`. The `user` and `group` are configurable via `services.stalwart.user` and `services.stalwart.group`, respectively. By default, if `stateVersion` is older than `26.05`, the module will fall back to the legacy value of `stalwart-mail` for both `user` and `group`.
- The default value for `services.stalwart.dataDir` has changed to `/var/lib/stalwart`. If `stateVersion` is older than `26.05`, the module will fall back to the legacy value of `/var/lib/stalwart-mail`.
- The default tracer name and type have changed to `journal`. If `stateVersion` is older than `26.05`, the module will fall back to the legacy value of `stdout`.
`services.eintopf` has been renamed to services.lauti to align with the upstream re-brand as a community online calendar.

`services.oauth2-proxy.clientSecret` and `services.oauth2-proxy.cookie.secret` have been replaced with and respectively. This was done to ensure secrets don't get made world-readable.

`services.grafana.settings.security.secret_key` doesn't have a default value anymore. Please generate your own key or hard-code the old one (`"SW2YcwTIb9zpOOhoPsMm"`) explicitly. See the upstream docs and the instructions on how to rotate for further information. Please do note that there's no official way to rotate. On a single-node instance with the database and the secret key on the same filesystem, with permissions that allow only Grafana to read them, it is most likely OK to keep using the old key. If you need to rotate, a 3rd-party tool, `grafana-secretkey-rotation-tool`, is a tested option. When using a secret for this value, make sure to use Grafana's variable expansion to inject secrets.

`services.promtail` has been removed, as `promtail` reached its end of life. Consider migrating to , or, if you are looking for something light-weight, . See https://grafana.com/docs/alloy/latest/set-up/migrate/ or https://docs.fluentbit.io/manual/data-pipeline/outputs/loki.

Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.
services.immich no longer supports pgvecto.rs since the package has been removed from nixpkgs. As a result, the options `services.immich.database.enableVectors` and `services.immich.database.enableVectorchord` have been removed, and VectorChord is now always used. If you have not completed the migration yet, ensure you completely remove the extension from your database before upgrading by following the migration guide.

before always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable `services.cgit.<name>.gitHttpBackend.checkExportOkFiles` (or disable the git-http-backend).

`rocmPackages_6` has been removed. `rocmPackages` has been updated to ROCm 7.x. Out-of-tree packages may rely on obsolete hipblas APIs or compile-time constant warp size and need to be updated.

`mysql80` has been removed. Please update to `mysql84` or `mariadb`. See the upgrade guide for more information.

`services.prometheus.exporters.rspamd` has been removed. It relied on the Rspamd /stat endpoint via the JSON exporter. You can use the Rspamd /metrics endpoint directly instead.

The Bash implementation of the `nixos-rebuild` program is removed. All switchable systems now use the Python rewrite. Any prior usage of `system.rebuild.enableNg` must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.

services.desktopManager.gnome no longer installs the Geary e-mail client since it is not part of the GNOME core applications list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add `programs.geary.enable = true;` to your configuration.

`walker` has been updated to 2.0.0+, which is a complete rewrite in Rust. It now requires a running `elephant` application launcher backend service, which can be enabled using the new `services.elephant.enable`. The way keybinds and actions are handled has been completely revamped. Please refer to the default config.
services.portunus has been upgraded to 2.2.0, which includes a bug fix that may cause existing databases to be rejected if user accounts are configured with malformed email addresses. Please refer to the upstream release announcement for details and instructions on how to fix problematic database entries.
Support for `reiserfs` in nixpkgs has been removed, following the removal in Linux 6.13.

services.tor no longer bind mounts Unix sockets of onion services into its chroot because it was not reliable. Users should do it themselves using either `JoinsNamespaceOf=` and Unix sockets in `/tmp`, or `BindPaths=` from a persistent parent directory of each Unix socket. See https://github.com/NixOS/nixpkgs/issues/481673.

Support for `ecryptfs` in nixpkgs has been removed.

`services.xserver.cmt` has been removed as the `xf86-input-cmt` package was broken and unmaintained upstream.

`programs.light` was removed from nixpkgs due to the corresponding package being unmaintained upstream. `brightnessctl` and hardware.acpilight offer replacements.

`ceph` has been upgraded to v20. See the Ceph "tentacle" release notes for details and the recommended upgrade procedure. Note that upgrades of server-side components are one-way, and downgrading e.g. an OSD from Tentacle to Squid is not just unsupported but is known to break.

now defaults to `jdk25_headless` instead of `jdk17_headless`, in order to be compatible with new versions of `unifi`.

The networking.wireless module has been security hardened by default: the `wpa_supplicant` daemon now runs under an unprivileged user with restricted access to the system.

As part of these changes, `/etc/wpa_supplicant.conf` has been deprecated: the NixOS-generated configuration file is now linked to `/etc/wpa_supplicant/nixos.conf`, and `/etc/wpa_supplicant/imperative.conf` has been added for imperatively configuring `wpa_supplicant` or when using allowAuxiliaryImperativeNetworks.

If client certificates, keys or other files are needed, these should be stored under `/etc/wpa_supplicant` and owned by `wpa_supplicant` to ensure the daemon can read them. Similarly, the `ctrl_interface` directory set in `wpa_supplicant`'s conf must be writeable by the `wpa_supplicant` user so that the `wpa_supplicant` daemon can start successfully. If you were changing `ctrl_interface` in extraConfig or in `/etc/wpa_supplicant/imperative.conf`, please remove that line.

Also, the {option}`networking.wireless.userControlled.group` option has been removed since there is now a dedicated `wpa_supplicant` group to control the daemon, and {option}`networking.wireless.userControlled.enable` has been renamed to .

No functionality should have been impacted by these changes (including controlling via `wpa_cli`, integration with NetworkManager or connman), but if you find any problems, please open an issue on GitHub. If necessary, the security hardening can be reverted with .

Note for NetworkManager users: before these changes NetworkManager used to spawn its own wpa_supplicant daemon, but now it relies on `networking.wireless`. So, if you had `networking.wireless.enable = false` in your configuration, you should remove that line.

Some implementation details of the NixOS network-interfaces module have been changed:
- In the "scripted" backend, `network-setup.service` has been removed and the network configuration services are now part of `network.target`, which is now directly pulled into `multi-user.target`.
- Interface addresses, routes and default gateways are now configured asynchronously as soon as the underlying network devices become available (fixes issue #154737).
- In both "networkd" and "scripted" backends, the configuration of name servers is now part of `network-local-commands.service` (fixes issue #445496).
- The issue that resulted in a completely unconfigured network if `resolvconf` was disabled and no default gateway was configured has also been fixed.
In the PowerDNS Recursor module, following the deprecation period started with NixOS 25.05, the option {option}`services.pdns-recursor.old-settings` has been removed and {option}`services.pdns-recursor.yaml-settings` consequently renamed to .

services.angrr now uses TOML for configuration. Define policies with (generate TOML file) or point to a file using . The legacy options `services.angrr.period`, `services.angrr.ownedOnly`, and `services.angrr.removeRoot` have been removed. See `man 5 angrr` and the description of the options for examples and details.

`services.homepage-dashboard.environmentFile` has been renamed to , and now expects a list of strings.

`services.pingvin-share` has been removed as the `pingvin-share.backend` package was broken and the project was archived upstream.

`services.jellyseerr` has been renamed to services.seerr following the upstream changes. Notable breaking changes:
- The systemd service name changed accordingly.
- The default config directory moved from `/var/lib/jellyseerr/config` to `/var/lib/seerr/`.
- If `stateVersion` is older than `26.05`, the module falls back to the legacy path value.
services.vikunja has been updated to Vikunja v1.0.0, which introduces multiple breaking changes. Notable breaking changes:
- CORS is enabled by default. The module now sets `services.vikunja.settings.service.publicurl` by default. Custom overrides must ensure it is set or disable CORS, otherwise Vikunja will fail to start.
- API route and response changes may affect integrations.
- Configuration format and option changes require review of existing settings (including OpenID provider configuration and metrics/log settings).
- SQLite paths are now relative to `service.rootpath` unless absolute. Startup now validates file storage and OAuth providers.
`services.xtreemfs` has been removed as the `xtreemfs` package was broken and unmaintained upstream.

The `opengfw` package and `services.opengfw` module have been removed as the upstream GitHub repository and website have been shut down.

services.esphome no longer uses `DynamicUser`. The service now runs as a static `esphome` system user. systemd handles the migration from `/var/lib/private/esphome` automatically, but users with impermanence setups should ensure `/var/lib/esphome` is persisted.

The `programs.pqos-wrapper` module has been deleted as the corresponding package has been dropped from nixpkgs. `programs.benchexec.enable = true` no longer sets `programs.pqos-wrapper.enable = true` as the corresponding module has been deleted.
Other Notable Changes {#sec-release-26.05-notable-changes}
Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.
Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding
config.systemd.package.versionto the switch inhibitors for your system. You can still forcefully switch into any generation by settingNIXOS_NO_CHECK=1.switch-to-configurationnow reloads a service instead of restarting it when the only change to its unit isExecReload=, and takes no action whenExecReload=is removed. Previously both cases triggered a restart.hardware.nvidia.branchwas added to select the NVIDIA driver branch; settinghardware.nvidia.packageoverrides this.The NixOS NVIDIA module wiring has been updated to match the new
nvidia-x11output layout.nixos/nvidianow uses EGL external platform ICD libraries built from source (egl-gbm,egl-wayland,egl-wayland2,egl-x11) instead of relying on vendor-provided binaries for these components.was added to configure NVIDIA kernel module parameters declaratively. These parameters are now written to
modprobeconfiguration instead of being passed through global kernel command-line parameters.hardware.xpadneo now supports configuring kernel module parameters via a freeform settings option, with convenience options for rumble attenuation and controller quirks.
`security.acme` now defaults to a dynamic renewal duration if `security.acme.defaults.validMinDays` remains unset. This accommodates certificates with different ACME profiles:
- For certificates with a total validity at or above 10 days, renewal will happen after two thirds of the lifetime has passed (e.g. a certificate valid for 90 days renews once the remaining validity falls below 30 days).
- For short-lived certificates with a total validity below 10 days, renewal will happen after half of the total lifetime has passed.
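The two renewal rules above, as an added example that is not code from nixpkgs or from the ACME client the module drives: a small Python model of the policy exactly as the notes state it, which you can use to check when a certificate of a given lifetime becomes due and whether a periodic renewal job would still fire before expiry. The 10-day threshold and the two fractions come from the text; the `renewal_window_covers` check and the sample validity windows are constructed here for illustration and are not NixOS options.

```python
"""Model of the dynamic ACME renewal policy described in the 26.05 notes.

Added example, not part of nixpkgs or the security.acme module. It
implements the stated rules (two thirds of the lifetime for certificates
valid 10 days or more, half of the lifetime for shorter ones) with exact
timedelta arithmetic, and applies them to constructed validity windows.
"""
from datetime import datetime, timedelta, timezone

# Threshold quoted in the release notes: at or above this, the 2/3 rule applies.
SHORT_LIVED_LIMIT = timedelta(days=10)


def renewal_time(not_before: datetime, not_after: datetime) -> datetime:
    """Instant from which the certificate counts as due for renewal."""
    if not_after <= not_before:
        raise ValueError("certificate validity window is empty or inverted")
    lifetime = not_after - not_before
    if lifetime >= SHORT_LIVED_LIMIT:
        elapsed = lifetime * 2 // 3   # integer timedelta ops keep this exact
    else:
        elapsed = lifetime // 2
    return not_before + elapsed


def remaining_at_renewal(not_before: datetime, not_after: datetime) -> timedelta:
    """Validity left on the certificate when renewal first becomes due."""
    return not_after - renewal_time(not_before, not_after)


def is_due(now: datetime, not_before: datetime, not_after: datetime) -> bool:
    """True once `now` has reached the renewal point."""
    return now >= renewal_time(not_before, not_after)


def renewal_window_covers(not_before: datetime, not_after: datetime,
                          check_interval: timedelta) -> bool:
    """Hypothetical operational check (not a NixOS option): True if a renewal
    job that runs every `check_interval` is guaranteed at least one run
    between the renewal point and expiry, i.e. the certificate cannot lapse
    merely because the job fires too rarely."""
    return remaining_at_renewal(not_before, not_after) > check_interval


if __name__ == "__main__":
    # Constructed validity windows, not real certificates.
    issued = datetime(2026, 1, 1, tzinfo=timezone.utc)
    samples = {
        "90-day (classic)": issued + timedelta(days=90),
        "10-day (boundary)": issued + timedelta(days=10),
        "6-day (short-lived)": issued + timedelta(days=6),
        "6-hour (very short)": issued + timedelta(hours=6),
    }
    daily_job = timedelta(days=1)
    for label, expiry in samples.items():
        print(f"{label:22} due at {renewal_time(issued, expiry).isoformat()} "
              f"with {remaining_at_renewal(issued, expiry)} left; "
              f"daily job sufficient: {renewal_window_covers(issued, expiry, daily_job)}")
```

The last column is the practical point for short-lived profiles: a 6-hour certificate becomes due with 3 hours left, so a renewal job that only runs once a day would let it expire; the renewal cadence must be shorter than the remaining window, not just shorter than the lifetime.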
The module for the Dovecot IMAP server, `services.dovecot2`, now uses RFC 42-style settings, exposing a structured interface to write the configuration file. Also see the list of available settings for Dovecot 2.3 or 2.4.
`services.frp` now supports multiple instances through a new option, making it possible to run multiple frp clients or servers at the same time.
The `services.resolved` module was converted to RFC 42-style settings. The moved options have also been renamed to match the upstream names. Aliases mean current configurations will continue to function, but users should move to the new options as convenient.
`systemd.sleep.extraConfig` was replaced by an RFC 0042-style option, which is used to generate the `sleep.conf` configuration file. See {manpage}`sleep.conf.d(5)` for available options.
Support for Bluetooth audio based on `bluez-alsa` has been added to the `hardware.alsa` module. It can be enabled with the new `enableBluetooth` option.
`services.atuin` now has an `environmentFile` option to safely allow configuring secrets, such as an `ATUIN_DB_URI` containing a Postgres password.
`systemd.network.*` has been updated to support all configuration options from upstream `networkd` version 259.
The option now defaults to `true` unconditionally instead of `!(config.environment.etc ? "resolv.conf")`. If you set `environment.etc."resolv.conf"` yourself, then you should also set `networking.resolvconf.enable = false`.
The `services.drupal` module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new `webRoot` option for identifying custom webroots in source code, a new `configRoot` option for identifying and synchronizing config YAML files onto NixOS, and some new settings for managing variable content and file paths.
`services.openssh` now supports generating SSH host keys by setting `services.openssh.generateHostKeys = true` while leaving the SSH daemon itself disabled. This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes, such as using agenix or sops-nix.
A new option has been added to allow users to opt out of NixOS's curated set of recommended SSH algorithms. It is set to `true` by default, and thus this is not a breaking change. Users may want to set it to `false` if they prefer upstream's default algorithms. See https://github.com/NixOS/nixpkgs/pull/471330.
IPVLAN interfaces can now be configured through a new option in the networking module.
`services.caddy` now supports configuring its listening ports and opening them in the firewall via a new option.
The latest available version of Nextcloud is v33 (available as `pkgs.nextcloud33`). The installation logic is as follows:
- If `services.nextcloud.package` is specified explicitly, this package will be installed (recommended).
- If `system.stateVersion` is >= 26.05, `pkgs.nextcloud33` will be installed by default.
- If `system.stateVersion` is >= 25.11, `pkgs.nextcloud32` will be installed by default.
- `nextcloud31` is EOL and was thus removed.
- Please note that an upgrade from v31 (or older) to v33 directly is not possible. Please upgrade to `nextcloud32` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring `services.nextcloud.package = pkgs.nextcloud32;`.
InvoicePlane with the Caddy webserver (`services.invoiceplane.webserver = "caddy"`) now sets up sites with Caddy's automatic HTTPS instead of HTTP-only. To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`. If you set custom Caddy options for an InvoicePlane site, migrate these options by removing `http://` from `services.caddy.virtualHosts."http://example.com"`.
`services.slurm` now supports slurmrestd usage through the NixOS options.
The option now defaults to `false`. Logging of refused or dropped incoming connections can generate a very high volume of kernel log messages on internet-facing systems, causing the kernel ring buffer (dmesg) to rotate quickly and potentially discard more relevant diagnostic information. If you rely on these log lines for detection or forensics, re-enable the option explicitly.
The `services.calibre-web` systemd service has been hardened with additional sandboxing restrictions.
`services.kanidm` options for server, client and unix were moved under dedicated namespaces. For each component, `enableComponent` and `componentSettings` are now `component.enable` and `component.settings`. The unix module now supports using SSH keys from Kanidm via `services.kanidm.unix.sshIntegration = true`.
`services.radicle` now supports importing the private key and passphrase as systemd credentials.