Release 26.05 ("Yarara", 2026.05/30) {#sec-release-26.05}

Highlights {#sec-release-26.05-highlights}

  • Stage 1 (a.k.a. initrd) is now based on systemd by default, and the old scripted implementation is deprecated and scheduled for removal in 26.11. If you run into issues migrating, you can get help from the community or report an issue on GitHub.

    You can temporarily revert to the scripted stage 1 implementation by disabling , but this is discouraged.

    Most incompatibilities will be explained with assertions during configuration evaluation, but be aware of the following that can't be automatically detected:

    • If you use LUKS disk encryption, ensure that fileSystems."/".device is set to "/dev/mapper/<name>", where <name> matches the name in your boot.initrd.luks.devices.<name> definition, to avoid systemd timing out while prompting for a passphrase. If you have a more complex setup, e.g. with LVM on top of LUKS, you may need to add "x-systemd.device-timeout=infinity" to fileSystems."/".options instead. If you need to disable the timeout before you can boot into the system, pass systemd.default_device_timeout_sec=infinity on the kernel command line.
    • The cryptsetup-askpass program is not available; use systemctl default instead, which will prompt for passphrases as necessary. If you pipe password responses into SSH over stdin, use ssh -o RequestTTY=force to ensure systemctl default gets a TTY to prompt on.
    • Many kernel parameters have been replaced with native systemd versions; see .
    • /dev/root is not available with the systemd stage 1. In the old scripted stage 1, /dev/root was a symlink created by the init script from the root= kernel command line. With systemd stage 1, this symlink is not provided. If your configuration uses /dev/root in fileSystems, replace it with a stable device path such as /dev/disk/by-label/..., /dev/disk/by-uuid/..., or the appropriate /dev/mapper/... path.
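    The LUKS device naming rule above, as an added configuration example (not taken from the release notes or the NixOS modules). The by-uuid value is a placeholder for your own LUKS partition; the attribute name cryptroot is arbitrary but must be the same in both places. fsType is spelled out because it no longer has a default in 26.05.

    ```nix
    # Plain LUKS root: fileSystems."/".device must be the /dev/mapper path whose
    # name matches the attribute under boot.initrd.luks.devices, otherwise
    # systemd stage 1 waits for a device that never appears and times out
    # while still prompting for the passphrase.
    {
      boot.initrd.luks.devices.cryptroot.device =
        "/dev/disk/by-uuid/<luks-partition-uuid>";   # placeholder, use your own

      fileSystems."/" = {
        device = "/dev/mapper/cryptroot";  # not /dev/root, not a by-label path of the inner fs
        fsType = "ext4";                   # mandatory since 26.05
      };

      # LVM on top of LUKS instead: the root LV is not the mapper device itself,
      # so keep the LUKS entry above and use this fileSystems."/" definition,
      # which tells systemd to wait indefinitely rather than time out:
      #
      #   fileSystems."/" = {
      #     device = "/dev/vg0/root";
      #     fsType = "ext4";
      #     options = [ "x-systemd.device-timeout=infinity" ];
      #   };
    }
    ```

    If a system already fails to boot because of the timeout, the kernel command line override from the text (systemd.default_device_timeout_sec=infinity) gets you in once so you can apply the configuration change.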
  • The system.nix file has been added as an alternative entry point to configuration.nix (and flake.nix) that allows configuring NixOS without using nix-channel. This file must evaluate to a NixOS system derivation or an attribute set of such derivations, in which case the attribute to build has to be selected with the --attr option of nixos-rebuild or nixos-install. For example,

    # system.nix
    let
      # Pinned Nixpkgs archive
      #
      # Use `curl -I https://channels.nixos.org/nixos-26.05` to get the
      # latest commit of the stable channel and `nix-prefetch-url --unpack`
      # to compute its sha256 hash.
      nixpkgs = builtins.fetchTarball {
        url = "https://github.com/NixOS/nixpkgs/archive/c217913993d6.tar.gz";
        sha256 = "026mprs324330pfazlgbw987qmsa8ligglarvqbcxzig2kgw0lqg";
      };
    in
    import "${nixpkgs}/nixos" {
      # Build NixOS using an external configuration.nix file,
      # or directly set your options here
      configuration = ./configuration.nix;
    }

    The default location of system.nix is /etc/nixos/system.nix and can be changed by setting the <nixos-system> search path. nixos-rebuild and nixos-install can now also load a system.nix file in the current directory (only if --attr is used) or from a directory specified with --file.

  • The default kernel package has been updated from 6.12 to 6.18. All supported kernels remain available.

  • The default D-Bus implementation has been switched from dbus to dbus-broker. dbus-broker provides higher performance and reliability while maintaining compatibility with the D-Bus reference implementation.

    Note that changing services.dbus.implementation is a switch inhibitor: switching between implementations requires a reboot rather than just nixos-rebuild switch, because restarting D-Bus mid-session is unsafe.

    Users who wish to keep the classic daemon can set: services.dbus.implementation = "dbus";

  • The NixOS integration test driver now supports systemd-nspawn containers as an alternative backend to QEMU virtual machines (#470248, #478109, #479968). Most NixOS integration tests do not require a full VM, and switching them to containers can considerably reduce test time and resource usage. Container-based tests also run fine on Nix builders that are themselves VMs without KVM, and because containers can bind-mount host device nodes, they make it possible to exercise GPU/CUDA workloads from within NixOS integration tests. See the NixOS manual section on writing tests for details on how to opt in and on the limitations of the container backend.

    • Additionally, the driver now exposes machines to the testScript under the attribute name used in the test module, e.g. a machine declared with nodes.<name> = … is now available as <name>. Before, the test driver used their system.name option value. They both default to the same value, but if you have set both independently, you might need to adapt your testScript.

New Modules {#sec-release-26.05-new-modules}

Backward Incompatibilities {#sec-release-26.05-incompatibilities}

  • is now explicitly defined as an option that takes a list of strings, to facilitate option merging. Setting it to a string value is no longer supported.

  • The default packages in have been dropped, since not every Jenkins installation needs any package at all. It's more reasonable to leave it empty and let users configure what they need.

  • services.taskchampion-sync-server module has had an option added to use systemd's DynamicUser feature. This is enabled by default when stateVersion is at least 26.05, and disabled otherwise. If you need this feature, you need to set services.taskchampion-sync-server.dynamicUser to true and migrate /var/lib/taskchampion-sync-server to /var/lib/private/taskchampion-sync-server.

  • The programs.captive-browser module no longer falls back on a setcap wrapper around udhcpc to discover your network's DNS server due to GHSA-wc3r-c66x-8xmc (CVE-2026-25740). If you're using this module, you must either configure manually or enable one of NetworkManager, dhcpcd, or systemd-networkd.

  • The services.yggdrasil module has been refactored with the following breaking changes:

    • The services.yggdrasil.configFile option has been removed. Configuration should now be specified directly via .
    • The services.yggdrasil.persistentKeys option has been removed. To maintain persistent keys and IPv6 addresses across reboots, use to securely load your private key from a file via systemd credentials. The private key must be in PEM format (PKCS #8).
    • Storing PrivateKey directly in settings is now explicitly forbidden to prevent keys from being stored world-readable in the Nix store.
    • If you previously used configFile, migrate your configuration to the settings option and extract the private key to a separate file referenced by PrivateKeyPath.
    • If you previously used persistentKeys, convert your keys to PEM format and store them in a secure location accessible only to root, then reference them via PrivateKeyPath.
  • services.xserver will now throw an error if an X11 driver specified in videoDriver(s) cannot be found. Previously, unknown drivers would be silently ignored.

  • The option now defaults to false as a mitigation against CVE-2024-52615/GHSA-x6vp-f33h-h32g.

  • systemd.coredump.extraConfig has been removed in favor of the structured option. Use systemd.coredump.settings.Coredump to set any coredump.conf(5) option directly. For example, replace systemd.coredump.extraConfig = "Storage=journal"; with systemd.coredump.settings.Coredump.Storage = "journal";.

  • services.home-assistant.config.lovelace.mode has been renamed to lovelace.dashboards and lovelace.resource_mode to match the configuration format required by Home Assistant 2026.8. Users who explicitly set lovelace.mode should remove it; the module generates the correct entries automatically.

  • fulcrum has been updated to 2.x. If run against an existing v1.x database without the --db-upgrade flag it refuses to start; the upgrade takes around an hour on Bitcoin mainnet.

  • opentrack, slushload, synthesia, vtfedit, winbox, wineasio, and yabridge use wineWow64Packages instead of wineWowPackages as wine versions >= 11.0 have deprecated wineWowPackages. As such, the prefixes for these packages are NOT backwards compatible and need to be regenerated with potential for data loss.

  • []{#sec-release-26.05-incompatibilities-profiles-hardened-removed} profiles/hardened has been removed, because:

    • It lacks a consistent and transparent baseline or standard,
    • It may introduce unexpected breakage or degrade performance without clear benefit,
    • It is difficult to manage user expectations, especially since the implications of enabling it are not always obvious,
    • and as multiple contributors have noted, it is often more of a “grab bag” of settings than a cohesive security policy.
    • See NixOS Hardening wiki page for hardening options.
  • services.crabfit was removed because its upstream packages are unmaintained and insecure.

  • services.opensnitch.settings.Rules.Path now defaults to /var/lib/opensnitch/rules instead of the previous /etc/opensnitchd/rules because it contains mutable data.

  • services.mosquitto now generates per-listener authentication and access control via the upstream password-file and acl-file plugins instead of the deprecated password_file and acl_file options. The plugins contain the same code, so behaviour is unchanged, but must now be at least version 2.1.

  • sing-box has been updated to 1.13.0, which has removed some deprecated options. See upstream documentation for details and migration options.

  • services.statsd has been removed because the packages it relies on do not exist anymore in nixpkgs.

  • services.pyload has been removed because the package it relies on does not exist anymore in nixpkgs due to vulnerabilities and being unmaintained.

  • Removed the ability of systemd to start units installed via nix-env -i. This feature was hardly used and most units do not work without NixOS-specific changes anyway. Removing it allows us to drop a custom systemd patch, improving systemd maintainability and update speed.

  • Removed the ability from systemd to depend on open-yet-unformatted dm-crypt devices as systemd device units. For example you cannot call systemd-makefs on such devices. This was never implemented upstream but patched into Nixpkgs's systemd. Removing this allows us to drop a custom systemd patch improving systemd maintainability and update speed.

  • linux_hardened kernel has been removed due to a lack of maintenance.

  • services.tandoor-recipes now uses a sub-directory for media files by default starting with 26.05. Existing setups should move media files out of the data directory and adjust services.tandoor-recipes.extraConfig.MEDIA_ROOT accordingly. See Migrating media files for pre 26.05 installations.

  • linux-rt kernel has been removed due to a lack of maintenance.

  • rustic was upgraded to 0.11.x, which contains breaking changes to command-line parameters and configuration file.

  • The packages iw and wirelesstools (iwconfig, iwlist, etc.) are no longer installed implicitly if wireless networking has been enabled.

  • The fileSystems.<name>.fsType option no longer has a default value and must be specified by the user. The value "auto" still works as before, though its use is generally discouraged.

  • services.uptime has been removed because the package it relies on does not exist anymore in nixpkgs.

  • services.mattermost now defaults to version 11, which has dropped support for MySQL in favor of Postgres. As a result, all support for MySQL has been removed from the module. See the migration steps if you were not running Postgres. Note that version 11 also restricts the user limit to 250 by default; see the pkgs.mattermost removeUserLimit and removeFreeBadge options combined with to change this behavior. For example:

{
  services.mattermost.package = pkgs.mattermost.override {
    removeUserLimit = true;
    removeFreeBadge = true;
  };
}
  • post-resume.target has been removed. See {manpage}systemd.special(7) about sleep.target for instructions on ordering a process after resume with ExecStop=.

  • services.vsftpd no longer automatically configures a PAM module. This means configurations using will no longer work unless and are also configured. The old behaviour can be restored by setting security.pam.services.vsftpd.enable = true, although this only ever worked by accident and may not be secure.

  • services.kubernetes.addons.dns.coredns has been renamed to and now expects a package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with dockerTools.buildImage is used, instead of pulling the upstream container image from Docker Hub. If you want the old behavior, you can set:

{
  services.kubernetes.addons.dns.corednsImage = pkgs.dockerTools.pullImage {
    imageName = "coredns/coredns";
    imageDigest = "sha256:af8c8d35a5d184b386c4a6d1a012c8b218d40d1376474c7d071bb6c07201f47d";
    finalImageTag = "v1.12.2";
    hash = "sha256-ZgXEyxVrdskQdgg0ONJ9sboAXEEHTgNsiptk5O945c0=";
  };
}
  • services.stalwart-mail has been renamed to services.stalwart to align with upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to module:

    • Addition of module-specific stateVersion option, which on existing installations of Stalwart must be set to the same as system.stateVersion.

      This enables manually and carefully migrating Stalwart to a new stateVersion or newly enabling the Stalwart module with a newer stateVersion than system.stateVersion.

    • The systemd.services.stalwart unit now runs as stalwart:stalwart. The user and group are configurable via services.stalwart.user and services.stalwart.group, respectively. By default, if stateVersion is older than 26.05, both fall back to the legacy value stalwart-mail.

    • The default value of services.stalwart.dataDir has changed to /var/lib/stalwart. If stateVersion is older than 26.05, it falls back to the legacy value /var/lib/stalwart-mail.

    • The default tracer name and type have changed to journal. If stateVersion is older than 26.05, they fall back to the legacy value stdout.

  • services.eintopf has been renamed to services.lauti to align with upstream re-brand as a community online calendar.

  • services.oauth2-proxy.clientSecret and services.oauth2-proxy.cookie.secret have been replaced with and respectively. This was done to ensure secrets don't get made world-readable.

  • services.grafana.settings.security.secret_key doesn't have a default value anymore. Please generate your own key or hard-code the old one ("SW2YcwTIb9zpOOhoPsMm") explicitly. See the upstream docs and the instructions on how to rotate for further information.

    Please do note that there's no official way to rotate. On a single-node instance with the database and the secret-key being on the same filesystem with the same permissions for Grafana only to read, it is most likely OK to keep using the old key.

    If you need to rotate, a 3rd-party tool, grafana-secretkey-rotation-tool is a tested option. When using a secret for this value, make sure to use Grafana's variable expansion to inject secrets.
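    Injecting the key through Grafana's own variable expansion, as an added example that is not part of the release notes or the Grafana module. It assumes the key file is provisioned out of band (for instance by sops-nix or agenix) at /run/secrets/grafana-secret-key, readable by the grafana user; the $__file{} syntax is Grafana's documented file provider.

    ```nix
    {
      services.grafana = {
        enable = true;
        settings.security = {
          # Grafana expands $__file{...} at startup and reads the key from the
          # file, so the value in the Nix store is only the path, never the key.
          # The file must be readable by the grafana service user (e.g. mode 0440,
          # owned by root:grafana) and must exist before grafana.service starts.
          secret_key = "$__file{/run/secrets/grafana-secret-key}";
        };
      };
    }
    ```

    Generate a fresh key with something like openssl rand -hex 32 only for new installations; for an existing database keep the old value, since the stored encrypted secrets cannot be read with a different key unless you use the rotation tool mentioned above.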

  • services.promtail has been removed, as promtail reached its end of life. Consider migrating to , or, if you are looking for something light-weight, . See https://grafana.com/docs/alloy/latest/set-up/migrate/ or https://docs.fluentbit.io/manual/data-pipeline/outputs/loki.

  • Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.

  • services.immich no longer supports pgvecto.rs since the package has been removed from nixpkgs. As a result, options services.immich.database.enableVectors and services.immich.database.enableVectorchord have been removed, and VectorChord is now always used. If you have not completed the migration yet, ensure you completely remove the extension from your database before upgrading by following the migration guide.

  • Previously, the git-http-backend and its "export all" setting were always enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable services.cgit.<name>.gitHttpBackend.checkExportOkFiles (or disable the git-http-backend).

  • rocmPackages_6 has been removed. rocmPackages has been updated to ROCm 7.x. Out of tree packages may rely on obsolete hipblas APIs or compile time constant warp size and need to be updated.

  • mysql80 has been removed. Please update to mysql84 or mariadb. See the upgrade guide for more information.

  • services.prometheus.exporters.rspamd has been removed. It relied on the Rspamd /stat endpoint via the JSON exporter. You can use the Rspamd /metrics endpoint directly instead.

  • The Bash implementation of the nixos-rebuild program is removed. All switchable systems now use the Python rewrite. Any prior usage of system.rebuild.enableNg must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.

  • services.desktopManager.gnome no longer installs the Geary e-mail client since it is not part of the GNOME core applications list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add programs.geary.enable = true; to your configuration.

  • walker has been updated to 2.0.0+, which is a complete rewrite in rust.

    It now requires a running elephant application launcher backend service, which can be enabled using the new services.elephant.enable.

    The way keybinds and actions are handled have been completely revamped. Please refer to the default config.

  • services.portunus has been upgraded to 2.2.0, which includes a bug fix that may cause existing databases to be rejected if user accounts are configured with malformed email addresses. Please refer to the upstream release announcement for details and instructions on how to fix problematic database entries.

  • Support for reiserfs in nixpkgs has been removed, following the removal in Linux 6.13.

  • services.tor no longer bind mounts Unix sockets of onion services into its chroot because it was not reliable. Users should do it themselves using either JoinsNamespaceOf= and Unix sockets in /tmp or BindPaths= from a persistent parent directory of each Unix socket. See https://github.com/NixOS/nixpkgs/issues/481673.
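    The BindPaths= variant of the bind mount described above, as an added example that is not part of the release notes or the tor module. It assumes an nginx instance already listening on the Unix socket /run/nginx/onion.sock, that the onion service option path and target.unix field are as shown (verify against the module's option list), and that the tor unit's chroot honours BindPaths= the way a RootDirectory= sandbox normally does.

    ```nix
    {
      services.tor = {
        enable = true;
        relay.onionServices.mysite = {
          map = [
            { port = 80; target.unix = "/run/nginx/onion.sock"; }
          ];
        };
      };

      # tor runs inside a chroot and no longer bind-mounts the socket for you.
      # Bind the persistent parent directory rather than the socket file itself:
      # nginx recreates the socket inode on restart, and a bind mount of the old
      # inode would silently keep pointing at a dead socket.
      systemd.services.tor.serviceConfig.BindPaths = [ "/run/nginx" ];
    }
    ```

    The directory must exist before tor.service starts (it does here because nginx creates it), and its permissions still apply inside the chroot: the tor user needs search access on /run/nginx and connect access on the socket, nothing more.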

  • support for ecryptfs in nixpkgs has been removed.

  • services.xserver.cmt has been removed as the xf86-input-cmt package was broken and unmaintained upstream.

  • programs.light was removed from nixpkgs due to the corresponding package being unmaintained upstream. brightnessctl and hardware.acpilight offer replacements.

  • ceph has been upgraded to v20. See the Ceph "tentacle" release notes for details and recommended upgrade procedure. Note that upgrades of server-side components are one-way, and downgrading e.g. an OSD from Tentacle to Squid is not just not supported but is known to break.

  • now defaults to jdk25_headless instead of jdk17_headless, in order to be compatible with new versions of unifi.

  • The networking.wireless module has been security hardened by default: the wpa_supplicant daemon now runs under an unprivileged user with restricted access to the system.

    As part of these changes, /etc/wpa_supplicant.conf has been deprecated: the NixOS-generated configuration file is now linked to /etc/wpa_supplicant/nixos.conf and /etc/wpa_supplicant/imperative.conf has been added for imperatively configuring wpa_supplicant or when using allowAuxiliaryImperativeNetworks.

    If client certificates, keys or other files are needed, these should be stored under /etc/wpa_supplicant and owned by wpa_supplicant to ensure the daemon can read them.

    Similarly, the ctrl_interface directory set in wpa_supplicant's conf must be writeable by the wpa_supplicant user so that the wpa_supplicant daemon can start successfully. If you were changing ctrl_interface in extraConfig or in /etc/wpa_supplicant/imperative.conf, please remove that line.

    Also, the {option}networking.wireless.userControlled.group option has been removed since there is now a dedicated wpa_supplicant group to control the daemon, and {option}networking.wireless.userControlled.enable has been renamed to .

    No functionality should have been impacted by these changes (including controlling via wpa_cli, integration with NetworkManager or connman), but if you find any problems, please open an issue on GitHub. If necessary, the security hardening can be reverted with .

    Note for NetworkManager users: before these changes NetworkManager used to spawn its own wpa_supplicant daemon, but now it relies on networking.wireless. So, if you had networking.wireless.enable = false in your configuration, you should remove that line.
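    A WPA-EAP client certificate setup under the hardened module, as an added example that is not part of the release notes or the networking.wireless module. It assumes the CA certificate, client certificate and key are placed under /etc/wpa_supplicant out of band (e.g. by a secrets manager), so a tmpfiles z rule is used to fix their ownership for the unprivileged daemon; networking.wireless.networks.<name>.auth is the module's existing option for EAP parameters.

    ```nix
    {
      networking.wireless = {
        enable = true;
        networks."corp-eap".auth = ''
          key_mgmt=WPA-EAP
          eap=TLS
          identity="alice@example.com"
          ca_cert="/etc/wpa_supplicant/ca.pem"
          client_cert="/etc/wpa_supplicant/client.pem"
          private_key="/etc/wpa_supplicant/client.key"
        '';
        # Do not set ctrl_interface in extraConfig any more: the module now
        # manages it so that the directory is writable by the wpa_supplicant user.
      };

      # The daemon no longer runs as root, so files referenced from the config
      # must be readable by the wpa_supplicant user. The key is 0400 so that
      # no other account on the host can read it.
      systemd.tmpfiles.rules = [
        "z /etc/wpa_supplicant/ca.pem     0444 wpa_supplicant wpa_supplicant -"
        "z /etc/wpa_supplicant/client.pem 0444 wpa_supplicant wpa_supplicant -"
        "z /etc/wpa_supplicant/client.key 0400 wpa_supplicant wpa_supplicant -"
      ];
    }
    ```

    If the files are delivered by sops-nix or agenix instead, set their owner to wpa_supplicant directly in that tool's options and drop the tmpfiles rules. Keeping the key out of the Nix store is the point: a path literal in the auth string would copy it into a world-readable store path.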

  • Some implementation details of the NixOS network-interfaces module have been changed:

    • In the "scripted" backend, network-setup.service has been removed and the network configuration services are now part of network.target, which is now directly pulled into multi-user.target.
    • Interface addresses, routes and default gateways are now configured asynchronously as soon as the underlying network devices become available (fixes issue #154737).
    • In both "networkd" and "scripted" backends, the configuration of name servers is now part of network-local-commands.service (fixes issue #445496).
    • The issue that resulted in a completely unconfigured network if both resolvconf was disabled and no default gateway configured, has also been fixed.
  • In the PowerDNS Recursor module, following the deprecation period started with NixOS 25.05, the option {option}services.pdns-recursor.old-settings has been removed and {option}services.pdns-recursor.yaml-settings consequently renamed to .

  • services.angrr now uses TOML for configuration. Define policies with (generate TOML file) or point to a file using . The legacy options services.angrr.period, services.angrr.ownedOnly, and services.angrr.removeRoot have been removed. See man 5 angrr and the description of options for examples and details.

  • services.homepage-dashboard.environmentFile has been renamed to , and now expects a list of strings.

  • services.pingvin-share has been removed as the pingvin-share.backend package was broken and the project was archived upstream.

  • services.jellyseerr has been renamed to services.seerr following the upstream changes. Notable breaking changes:

    • systemd service name changed accordingly.
    • Default config directory moved from /var/lib/jellyseerr/config to /var/lib/seerr/.
      • If stateVersion is older than 26.05, the module falls back to the legacy path.
  • services.vikunja has been updated to Vikunja v1.0.0, which introduces multiple breaking changes. Notable breaking changes:

    • CORS is enabled by default. The module now sets services.vikunja.settings.service.publicurl by default. Custom overrides must ensure it is set or disable CORS, otherwise Vikunja will fail to start.
    • API route and response changes may affect integrations.
    • Configuration format and option changes require review of existing settings (including OpenID provider configuration and metrics/log settings).
    • SQLite paths are now relative to service.rootpath unless absolute. Startup now validates file storage and OAuth providers.
  • services.xtreemfs has been removed as the xtreemfs package was broken and unmaintained upstream.

  • opengfw package and services.opengfw module have been removed as the upstream GitHub repository and website have been shut down.

  • services.esphome no longer uses DynamicUser. The service now runs as a static esphome system user. systemd handles the migration from /var/lib/private/esphome automatically, but users with impermanence setups should ensure /var/lib/esphome is persisted.

  • programs.pqos-wrapper module has been deleted as the corresponding package has been dropped from nixpkgs.

  • programs.benchexec.enable = true no longer sets programs.pqos-wrapper.enable = true as the corresponding module has been deleted.

Other Notable Changes {#sec-release-26.05-notable-changes}

  • Reloading or restarting systemd units from the NixOS activation script is deprecated, and will be removed in NixOS 26.11. This deprecation is part of a bigger effort to deprecate activation scripts altogether, which will take place over several releases. There are no in-tree usages of the now-deprecated reload/restart functionality.

  • Switch inhibitors were introduced, which add a pre-switch check that compares a list of strings between the previous and the new generation, and refuses to switch into the new generation when there is a difference between the two lists. This allows avoiding switching into a system when for instance the systemd version changed by adding config.systemd.package.version to the switch inhibitors for your system. You can still forcefully switch into any generation by setting NIXOS_NO_CHECK=1.

  • switch-to-configuration now reloads a service instead of restarting it when the only change to its unit is ExecReload=, and takes no action when ExecReload= is removed. Previously both cases triggered a restart.

  • hardware.nvidia.branch was added to select the NVIDIA driver branch; setting hardware.nvidia.package overrides this.

  • The NixOS NVIDIA module wiring has been updated to match the new nvidia-x11 output layout.

  • nixos/nvidia now uses EGL external platform ICD libraries built from source (egl-gbm, egl-wayland, egl-wayland2, egl-x11) instead of relying on vendor-provided binaries for these components.

  • was added to configure NVIDIA kernel module parameters declaratively. These parameters are now written to modprobe configuration instead of being passed through global kernel command-line parameters.

  • hardware.xpadneo now supports configuring kernel module parameters via a freeform settings option, with convenience options for rumble attenuation and controller quirks.

  • security.acme now defaults to a dynamic renewal duration, if security.acme.defaults.validMinDays remains unset. This accommodates certificates with different ACME profile:

    • For certificates with a total validity at or above 10 days renewal will happen after two thirds of the lifetime has passed (e.g. a certificate valid for 90 days renews once the validity falls below 30 days)
    • For shortlived certificates with a total validity below 10 days renewal will happen after half of the total lifetime has passed
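    The renewal rule above, worked through as an added Python example; this is not the module's implementation and the 10-day threshold and fractions are taken from the text as written. Integer seconds are used so the results are exact, and the validity windows in the demo are constructed rather than read from real certificates.

    ```python
    """Renewal point under the NixOS 26.05 security.acme default
    (validMinDays unset): certificates valid for >= 10 days renew once two thirds
    of their lifetime has passed, shorter-lived ones at half-life."""
    from datetime import datetime, timedelta, timezone

    SHORT_LIVED_THRESHOLD_S = 10 * 86400  # 10 days, in seconds


    def renew_after_seconds(lifetime_seconds: int) -> int:
        """Seconds after notBefore at which renewal is due.
        Integer arithmetic keeps the result exact and deterministic."""
        if lifetime_seconds <= 0:
            raise ValueError("certificate lifetime must be positive")
        if lifetime_seconds >= SHORT_LIVED_THRESHOLD_S:
            return lifetime_seconds * 2 // 3   # long-lived: two thirds of lifetime
        return lifetime_seconds // 2           # short-lived: half of lifetime


    def remaining_days_at_renewal(lifetime_days: int) -> float:
        """Validity left, in days, at the moment renewal triggers."""
        lifetime_s = lifetime_days * 86400
        return (lifetime_s - renew_after_seconds(lifetime_s)) / 86400


    def renewal_time(not_before: datetime, not_after: datetime) -> datetime:
        """Absolute renewal time for a certificate's validity window."""
        lifetime_s = int((not_after - not_before).total_seconds())
        return not_before + timedelta(seconds=renew_after_seconds(lifetime_s))


    def needs_renewal(not_before: datetime, not_after: datetime, now: datetime) -> bool:
        """True once the renewal point has been reached or passed."""
        return now >= renewal_time(not_before, not_after)


    if __name__ == "__main__":
        # Constructed validity windows, not real certificates.
        nb = datetime(2026, 5, 30, tzinfo=timezone.utc)
        for days in (90, 47, 10, 6, 1):
            na = nb + timedelta(days=days)
            print(f"{days:3d}-day cert: renew at {renewal_time(nb, na):%Y-%m-%d %H:%M}, "
                  f"{remaining_days_at_renewal(days):.2f} days of validity left")
    ```

    The 90-day case reproduces the text's figure (renewal with 30 days left); a 6-day certificate renews with 3 days left. Note that the threshold is on total validity, not remaining validity, so a 10-day certificate is already on the two-thirds rule.
    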
  • The module for the Dovecot IMAP server, services.dovecot2, now uses RFC-42-style settings, exposing a structured interface to write the configuration file.

    Also see the list of available settings for Dovecot 2.3 or 2.4.

  • is now set to true by default.

  • services.frp now supports multiple instances through to make it possible to run multiple frp clients or servers at the same time.

  • services.resolved module was converted to RFC42-style settings. The moved options have also been renamed to match the upstream names. Aliases mean current configs will continue to function, but users should move to the new options as convenient.

  • systemd.sleep.extraConfig was replaced by RFC 0042-compliant , which is used to generate the sleep.conf configuration file. See {manpage}sleep.conf.d(5) for available options.

  • Support for Bluetooth audio based on bluez-alsa has been added to the hardware.alsa module. It can be enabled with the new enableBluetooth option.

  • services.atuin now has an environmentFile option to safely allow configuring secrets, such as an ATUIN_DB_URI containing a Postgres password.

  • systemd.network.* has been updated to support all configuration options from upstream networkd version 259.

  • now defaults to true unconditionally instead of !(config.environment.etc ? "resolv.conf"). If you set environment.etc."resolv.conf" yourself, then you should also set networking.resolvconf.enable = false.

  • The services.drupal module has a few improvements aimed at making it better for installing custom Drupal instances, namely a new webRoot option for identifying custom webroots in source code, a new configRoot option for identifying and synchronizing config yamls onto NixOS, and some new settings for managing variable content and filepaths.

  • services.openssh now supports generating host SSH keys by setting services.openssh.generateHostKeys = true while leaving disabled. This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.

  • has been added to allow users to opt out of NixOS's curated set of recommended algorithms. This set to true by default, and thus is not a breaking change. Users may want to set this to false if they prefer upstream's default algorithms. See https://github.com/NixOS/nixpkgs/pull/471330.

  • services.openssh.banner has been removed. Use instead.

  • IPVLAN interfaces can now be configured through the option in the networking module.

  • services.caddy now supports setting and and opening them in the firewall via .

  • The latest available version of Nextcloud is v33 (available as pkgs.nextcloud33). The installation logic is as follows:

    • If services.nextcloud.package is specified explicitly, this package will be installed (recommended)
    • If system.stateVersion is >=26.05, pkgs.nextcloud33 will be installed by default.
    • If system.stateVersion is >=25.11, pkgs.nextcloud32 will be installed by default.
    • nextcloud31 is EOL and was thus removed.
    • Please note that an upgrade from v31 (or older) to v33 directly is not possible. Please upgrade to nextcloud32 (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring services.nextcloud.package = pkgs.nextcloud32;.
  • InvoicePlane with the Caddy webserver (services.invoiceplane.webserver = "caddy") now sets up sites with Caddy's automatic HTTPS instead of HTTP-only. To keep the old behavior for a site example.com, set services.caddy.virtualHosts."example.com".hostName = "http://example.com". If you set custom Caddy options for a InvoicePlane site, migrate these options by removing http:// from services.caddy.virtualHosts."http://example.com".

  • services.slurm now supports slurmrestd usage through the NixOS options.

  • The option now defaults to false. Logging of refused or dropped incoming connections can generate a very high volume of kernel log messages on internet-facing systems, causing the kernel ring buffer (dmesg) to rotate quickly and potentially discard more relevant diagnostic information.

  • The services.calibre-web systemd service has been hardened with additional sandboxing restrictions.

  • services.kanidm options for server, client and unix were moved under dedicated namespaces. For each component enableComponent and componentSettings are now component.enable and component.settings. The unix module now supports using SSH keys from Kanidm via services.kanidm.unix.sshIntegration = true.

  • services.radicle now supports importing the private key and passphrase as systemd creds.