NixOS
Release 26.11 ("Zokor", 2026.11/??) {#sec-release-26.11}
Highlights {#sec-release-26.11-highlights}
- Create the first release note entry in this section!
New Modules {#sec-release-26.11-new-modules}
- tranquil is an ATProto PDS (personal data server) implementation in Rust. A featureful, spec conscious and community driven alternative to the Bluesky reference implementation PDS. Available as services.tranquil-pds.
- scx_loader, a system daemon and DBus-based loader for sched_ext schedulers. scxctl is the command-line client for interacting with the loader, allowing users to switch schedulers, modes, and arguments dynamically. Available as services.scx-loader.
- Nezha, a self-hosted, lightweight server and website monitoring and O&M tool. Available as services.nezha.
- mail-tlsa-check-exporter, validates SMTP / IMAP server certificates against a TLSA record as a Prometheus exporter. Available as services.prometheus.exporters.mail-tlsa-check.
- CastSponsorSkip, skips YouTube sponsorships (and sometimes ads) on all local Google Cast devices.
- Stump, a free and open source comics, manga and digital book server with OPDS support. Available as services.stump.
- Freescout, a free, open source Helpdesk and shared mailbox. Available as services.freescout.
- Koito, a modern, themeable scrobbler that you can use with any program that scrobbles to a custom ListenBrainz URL. Available as services.koito.
- FlapAlerted, detects BGP flapping events and provides statistics based on BGP update messages. Available as services.flap-alerted.
- gocron, a task scheduler with web interface. Available as services.gocron.
- Unpackerr, extracts downloads for Radarr, Sonarr, Lidarr, Readarr, and/or a Watch folder. Available as services.unpackerr.
- Matrix Authentication Service is an OAuth2.0 and OpenID Connect provider for Matrix homeservers (such as Synapse). It replaces standard password authentication with modern OpenID Connect flows, and can delegate authentication to upstream OIDC providers. Available as services.matrix-authentication-service.
Backward Incompatibilities {#sec-release-26.11-incompatibilities}
- `boot.vesa` has been removed. It was deprecated in 2020 because Xorg now works better with kernel modesetting. If you still need the legacy VESA 800x600 fallback, set `boot.kernelParams = [ "vga=0x317" "nomodeset" ];` directly.
- `authentik` has been updated to 2026.5.3, which changes the default listen address from `0.0.0.0` to `[::]`. IPv4-only deployments might need to adjust their listen settings. Deployments running the server and worker in the same network namespace must also set at least the worker `AUTHENTIK_LISTEN__HTTP` address so that the server and worker do not bind to the same address.
- Support for the legacy U‐Boot image format has been removed from the initrd generators, as it is deprecated upstream and no longer used by any platform in Nixpkgs.
- Rustical migrates from `settings.http.host` and `settings.http.port` to `settings.http.bind` to support UNIX domain sockets as well as TCP sockets in one setting.
- A number of options for `services.llama-cpp` have been removed in favor of the structured option, whose attributes are used as arguments to the `llama-server` executable. You can see all available options by running `llama-server --help`. Configuring model presets using a Nix attribute set via `services.llama-cpp.modelsPreset` is no longer supported; please use `services.llama-cpp.settings.models-preset` with a path to an INI file containing the desired options.
- Python 2 has been removed from the top-level package set, as it is long past end-of-life. The `python2`, `python27`, `python2Full`, `python27Full`, `python2Packages`, and `python27Packages` attributes, along with the legacy `python`, `pythonFull`, and `pythonPackages` aliases, now throw an error directing you to `python3`. The `isPy2` and `isPy27` package flags have been removed accordingly. The only remaining Python 2 interpreter is vendored inside the `resholve` package for its `oil` dependency and is not exposed for general use.
- `security.polkit.enablePkexecWrapper` has been introduced, making the `pkexec` setuid wrapper opt-in.
- When Avahi's mDNS resolver is enabled (`services.avahi.nssmdns4` or `services.avahi.nssmdns6`), only the minimal mDNS resolver is enabled by default to avoid adding a 5 second delay to every failed reverse hostname lookup (e.g., delaying ping by 5 seconds). The "full" mDNS resolver now remains disabled unless `services.avahi.nssmdnsFull` is also enabled. Users who have customized `/etc/mdns.allow` to allow mDNS domains not ending in `.local` must enable `services.avahi.nssmdnsFull` to continue to resolve such domains.
- `systemd.user.extraConfig` has been removed in favor of the structured option. Use `systemd.user.settings.Manager` to set any `systemd-user.conf(5)` option directly. For example, replace `systemd.user.extraConfig = "DefaultTimeoutStartSec=60";` with `systemd.user.settings.Manager.DefaultTimeoutStartSec = 60;`.
- `services.timesyncd.extraConfig` has been removed in favor of the structured option. Use `services.timesyncd.settings.Time` to set any `timesyncd.conf(5)` option directly. For example, replace `services.timesyncd.extraConfig = "PollIntervalMaxSec=180";` with `services.timesyncd.settings.Time.PollIntervalMaxSec = 180;`.
- `services.firezone.server.provision` has been removed due to it being unmaintainable. Remove all uses of provisioning and use the WebUI to configure firezone.
- The `services.syncthing` module now updates the Syncthing REST API using partial updates (PATCH) instead of full replacements (PUT) for general settings. Updating these settings was broken and prone to errors after updates, see #428808 and #528889. As a result, settings modified manually through the Syncthing Web UI that are not explicitly defined in your Nix configuration will now persist across rebuilds.
- `services.plantuml-server.packages.jetty` now supports `jetty_12`; it no longer supports `jetty_11`.
Other Notable Changes {#sec-release-26.11-notable-changes}
- `komodo` has been updated to the v2 release line (2.x). See the upstream v1 → v2 upgrade guide.
- `security.run0.enableSudoAlias` now uses the `run0-sudo-shim` instead of a shell script to improve compatibility.
- With `system.etc.overlay.mutable = false`, NixOS now ships an empty `/etc/machine-id` in the image. Previously the file was absent and systemd logged `System cannot boot: Missing /etc/machine-id and /etc/ is read-only` while `ConditionFirstBoot` fired on every boot. With this change, systemd now overlays a transient ID from `/run/machine-id` for the session, and `systemd-machine-id-commit.service` has `ConditionFirstBoot` so it writes the machine-id through to a persistent backing file when one is bind-mounted over `/etc/machine-id`. To persist the machine-id across reboots, bind-mount a writable file containing `uninitialized` over `/etc/machine-id` from the initrd, or set `systemd.machine_id=` on the kernel command line (use `systemd.machine_id=firmware` to derive a stable ID on hardware that supports it).
- `security.run0.persistentAuth` options have been added to support persistent authentication of the session. The timeout is configurable via `security.polkit.settings.Polkitd.ExpirationSeconds`.
- `boot.loader.systemd-boot` gained support for Automatic Boot Assessment via the new `boot.loader.systemd-boot.bootCounting` options, allowing automatic detection of and recovery from bad NixOS generations. As part of this change, boot loader entries on the ESP/XBOOTLDR partition are now named `nixos-<content-hash>.conf` instead of `nixos-generation-<n>.conf`; existing entries are migrated automatically on the next `nixos-rebuild boot/switch`.
- `services.nginx` gained a `lua` option to enable Lua scripting via OpenResty's lua-nginx-module on a stock nginx, configuring `lua_package_path`/`lua_package_cpath` from the packages listed in `services.nginx.lua.extraPackages`. Use this to add Lua to a regular nginx; for the full OpenResty platform (libraries that rely on its bundled lualib, such as `lua-resty-openidc`), set `services.nginx.package` to `pkgs.openresty` instead; the option configures the Lua search path for it too.
- `security.polkit.settings` has been added for RFC42 style configuration of the polkitd daemon.
- The `programs.fuse` module, which provides the `fusermount3` executable and the `/etc/fuse.conf` config file, is now opt-in. The obligation to enable it has been shifted to its various consumers (e.g. gvfs, flatpak, appimage, sshfs). This can break fuse consumers at runtime that don't explicitly declare that dependency with a module, e.g. the mounting functionality in various backup tools (borg, restic, rclone, ...).
- `services.plausible` can now again seed an initial admin user declaratively via `services.plausible.adminUser.email`. This makes fully declarative deployments safer: otherwise the user needed to either accept Plausible's unauthenticated "first launch" setup wizard, which lets anyone reaching the instance create the first admin account, or do more work (deploying with NixOS's default binding to `localhost` without exposing it publicly, going through the wizard, and then deploying Plausible exposed to the Internet). This option was previously removed with NixOS 25.05 due to an upstream Plausible change making declarative admin creation more difficult, but this change re-implements the admin creation directly.
- The `newuidmap` and `newgidmap` security wrappers are now installed with `cap_setuid`/`cap_setgid` file capabilities instead of the setuid-root bit, matching shadow's `--with-fcaps` install mode and other major distributions. Rootless containers (podman, docker-rootless, unprivileged user namespaces) are unaffected. The only behavioural change is that mapping host uid 0 via `/etc/subuid` (which NixOS never configures by default) additionally requires `cap_setfcap`; users who explicitly grant uid 0 in a subuid range can restore the previous behaviour with `security.wrappers.newuidmap.capabilities = lib.mkForce "cap_setuid,cap_setfcap+ep";`.
- `zoneminder` has been updated to the 1.38.x release. See the upstream release note. While database migration should happen automatically, it's recommended that you make a backup of the database before upgrading your system.
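
A post-upgrade check for the `pkexec` and `newuidmap`/`newgidmap` wrapper changes described above, as an added example that is not part of the NixOS release notes: it reports whether each wrapper carries the setuid bit, file capabilities, or neither. The wrapper directory `/run/wrappers/bin` and the function names `classify_wrapper` and `audit_wrappers` are assumptions of this example.

```shell
#!/bin/sh
# Added example: report how each security wrapper obtains its privilege.
# Assumption: wrappers are installed under /run/wrappers/bin.

# classify_wrapper FILE -> prints setuid | fcaps | plain | unknown | missing
classify_wrapper() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing                 # wrapper is not installed
    elif [ -u "$f" ]; then
        echo setuid                  # setuid bit is set on the file
    elif ! command -v getcap >/dev/null 2>&1; then
        echo unknown                 # no getcap: file capabilities cannot be read
    elif [ -n "$(getcap "$f" 2>/dev/null)" ]; then
        echo fcaps                   # privilege comes from file capabilities
    else
        echo plain                   # neither setuid nor file capabilities
    fi
}

# audit_wrappers [DIR] -> one "name<TAB>class" line per wrapper of interest
audit_wrappers() {
    dir=${1:-/run/wrappers/bin}
    for name in newuidmap newgidmap pkexec; do
        printf '%s\t%s\n' "$name" "$(classify_wrapper "$dir/$name")"
    done
}

# Only audit the live system when the wrapper directory exists.
if [ -d /run/wrappers/bin ]; then
    audit_wrappers
fi
```

Going by the notes above, `newuidmap` and `newgidmap` should report `fcaps`, and `pkexec` should report `missing` unless `security.polkit.enablePkexecWrapper` is enabled.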