Release 26.11 ("Zokor", 2026.11/??) {#sec-release-26.11}

Highlights {#sec-release-26.11-highlights}

  • Create the first release note entry in this section!

New Modules {#sec-release-26.11-new-modules}

Backward Incompatibilities {#sec-release-26.11-incompatibilities}

  • boot.vesa has been removed. It was deprecated in 2020 because Xorg now works better with kernel modesetting. If you still need the legacy VESA 800x600 fallback, set boot.kernelParams = [ "vga=0x317" "nomodeset" ]; directly.

  • authentik has been updated to 2026.5.3, which changes the default listen address from 0.0.0.0 to [::]. IPv4-only deployments might need to adjust their listen settings. Deployments running the server and worker in the same network namespace must also set at least the worker AUTHENTIK_LISTEN__HTTP address so that the server and worker do not bind to the same address.

  • Support for the legacy U‐Boot image format has been removed from the initrd generators, as it is deprecated upstream and no longer used by any platform in Nixpkgs.

  • Rustical migrates from settings.http.host and settings.http.port to settings.http.bind to support UNIX domain sockets as well as TCP sockets in one setting.

  • A number of options for services.llama-cpp have been removed in favor of the structured option, whose attributes are passed as arguments to the llama-server executable. You can see all available options by running llama-server --help. Configuring model presets with a Nix attribute set via services.llama-cpp.modelsPreset is no longer supported; use services.llama-cpp.settings.models-preset with a path to an INI file containing the desired options.

  • Python 2 has been removed from the top-level package set, as it is long past end-of-life. The python2, python27, python2Full, python27Full, python2Packages, and python27Packages attributes, along with the legacy python, pythonFull, and pythonPackages aliases, now throw an error directing you to python3. The isPy2 and isPy27 package flags have been removed accordingly. The only remaining Python 2 interpreter is vendored inside the resholve package for its oil dependency and is not exposed for general use.

  • security.polkit.enablePkexecWrapper has been introduced, making the pkexec setuid wrapper opt-in.

  • When Avahi's mDNS resolver is enabled (services.avahi.nssmdns4 or services.avahi.nssmdns6), only the minimal mDNS resolver is enabled by default to avoid adding a 5 second delay to every failed reverse hostname lookup (e.g., delaying ping by 5 seconds). The "full" mDNS resolver now remains disabled unless services.avahi.nssmdnsFull is also enabled. Users who have customized /etc/mdns.allow to allow mDNS domains not ending .local must enable services.avahi.nssmdnsFull to continue to resolve such domains.

  • systemd.user.extraConfig has been removed in favor of the structured option. Use systemd.user.settings.Manager to set any systemd-user.conf(5) option directly. For example, replace systemd.user.extraConfig = "DefaultTimeoutStartSec=60"; with systemd.user.settings.Manager.DefaultTimeoutStartSec = 60;.

  • services.timesyncd.extraConfig has been removed in favor of the structured option. Use services.timesyncd.settings.Time to set any timesyncd.conf(5) option directly. For example, replace services.timesyncd.extraConfig = "PollIntervalMaxSec=180"; with services.timesyncd.settings.Time.PollIntervalMaxSec = 180;.

  • services.firezone.server.provision has been removed because it was unmaintainable. Remove all uses of provisioning and use the WebUI to configure firezone.

  • The services.syncthing module now updates the Syncthing REST API using partial updates (PATCH) instead of full replacements (PUT) for general settings. Updating these settings was broken and prone to errors after updates; see #428808 and #528889. As a result, settings modified manually through the Syncthing Web UI that are not explicitly defined in your Nix configuration will now persist across rebuilds.

  • services.plantuml-server.packages.jetty now supports jetty_12 and no longer supports jetty_11.
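
What the services.syncthing entry above means for configuration drift, as an added example (a simplified model, not the module's code): it compares a full replacement with a partial update and lists the manual changes that survive a rebuild because nothing in the Nix configuration pins them. The option keys, their defaults and the live values are constructed sample data, and "PUT falls back to defaults" is this model's assumption.

```python
# Simplified model: Syncthing's general options as a flat dict.
# Keys and default values are a constructed, illustrative subset.
DEFAULTS = {
    "globalAnnounceEnabled": True,
    "localAnnounceEnabled": True,
    "relaysEnabled": True,
    "natEnabled": True,
    "urAccepted": 0,
}


def put_replace(declared, defaults=DEFAULTS):
    """Full replacement: every key that is not declared falls back to its default."""
    return {**defaults, **declared}


def patch_merge(live, declared):
    """Partial update: only the declared keys are overwritten, the rest is kept."""
    return {**live, **declared}


def surviving_manual_changes(live, declared, defaults=DEFAULTS):
    """Non-default settings that are not declared and so persist after a PATCH.

    These are the values to review and, where they matter, pin declaratively.
    """
    merged = patch_merge(live, declared)
    return {
        key: value
        for key, value in sorted(merged.items())
        if key not in declared and defaults.get(key) != value
    }


# Constructed scenario: the Nix configuration turns off relays and global discovery.
DECLARED = {"relaysEnabled": False, "globalAnnounceEnabled": False}
# Constructed live state after someone changed three settings in the Web UI.
LIVE = {**DEFAULTS, "relaysEnabled": True, "natEnabled": False, "urAccepted": 3}

if __name__ == "__main__":
    print("after PUT:  ", put_replace(DECLARED))
    print("after PATCH:", patch_merge(LIVE, DECLARED))
    print("unpinned manual changes:", surviving_manual_changes(LIVE, DECLARED))
```

Declared keys still win under both update styles; only the undeclared ones behave differently.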

Other Notable Changes {#sec-release-26.11-notable-changes}

  • komodo has been updated to the v2 release line (2.x). See the upstream v1 → v2 upgrade guide.

  • security.run0.enableSudoAlias now uses the run0-sudo-shim instead of a shell script to improve compatibility.

  • With system.etc.overlay.mutable = false, NixOS now ships an empty /etc/machine-id in the image. Previously the file was absent and systemd logged System cannot boot: Missing /etc/machine-id and /etc/ is read-only while ConditionFirstBoot fired on every boot. With this change, systemd now overlays a transient ID from /run/machine-id for the session, and systemd-machine-id-commit.service has ConditionFirstBoot so it writes the machine-id through to a persistent backing file when one is bind-mounted over /etc/machine-id. To persist the machine-id across reboots, bind-mount a writable file containing uninitialized over /etc/machine-id from the initrd, or set systemd.machine_id= on the kernel command line (use systemd.machine_id=firmware to derive a stable ID on hardware that supports it).

  • security.run0.persistentAuth options have been added to support persistent authentication for a session. The timeout is configurable via security.polkit.settings.Polkitd.ExpirationSeconds.

  • boot.loader.systemd-boot gained support for Automatic Boot Assessment via the new boot.loader.systemd-boot.bootCounting options, allowing automatic detection of and recovery from bad NixOS generations. As part of this change, boot loader entries on the ESP/XBOOTLDR partition are now named nixos-<content-hash>.conf instead of nixos-generation-<n>.conf; existing entries are migrated automatically on the next nixos-rebuild boot/switch.

  • services.nginx gained a lua option to enable Lua scripting via OpenResty's lua-nginx-module on a stock nginx, configuring lua_package_path/lua_package_cpath from the packages listed in services.nginx.lua.extraPackages. Use this to add Lua to a regular nginx; for the full OpenResty platform (libraries that rely on its bundled lualib, such as lua-resty-openidc), set services.nginx.package to pkgs.openresty instead — the option configures the Lua search path for it too.

  • security.polkit.settings has been added for RFC 42-style configuration of the polkitd daemon.

  • The programs.fuse module, which provides the fusermount3 executable and the /etc/fuse.conf config file, is now opt-in. The obligation to enable it has been shifted to its various consumers (e.g. gvfs, flatpak, appimage, sshfs). This can break FUSE consumers at runtime that don't explicitly declare that dependency with a module, e.g. the mounting functionality in various backup tools (borg, restic, rclone, ...).

  • services.plausible can now again seed an initial admin user declaratively via services.plausible.adminUser.email. This makes fully declarative deployments safer: Otherwise the user needed to either accept Plausible's unauthenticated "first launch" setup wizard, which lets anyone reaching the instance create the first admin account, or do more work (deploying with NixOS's default binding to localhost without exposing it publicly, going through the wizard, and then deploying Plausible exposed to the Internet). This option was previously removed with NixOS 25.05 due to an upstream Plausible change making declarative admin creation more difficult, but this change re-implements the admin creation directly.

  • The newuidmap and newgidmap security wrappers are now installed with cap_setuid/cap_setgid file capabilities instead of the setuid-root bit, matching shadow's --with-fcaps install mode and other major distributions. Rootless containers (podman, docker-rootless, unprivileged user namespaces) are unaffected. The only behavioural change is that mapping host uid 0 via /etc/subuid (which NixOS never configures by default) additionally requires cap_setfcap; users who explicitly grant uid 0 in a subuid range can restore the previous behaviour with security.wrappers.newuidmap.capabilities = lib.mkForce "cap_setuid,cap_setfcap+ep";.

  • zoneminder has been updated to the 1.38.x release. See the upstream release notes. While database migration should happen automatically, it's recommended that you make a backup of the database before upgrading your system.
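
A tooling-side view of the boot.loader.systemd-boot entry above, as an added example rather than NixOS code: scripts that match nixos-generation-<n>.conf have to accept the new nixos-<content-hash>.conf names, and with boot counting a file name may also carry a +<tries-left>-<tries-done> counter. The sample file names and hash tokens are constructed, and the counter suffix is systemd's documented Automatic Boot Assessment convention, assumed to apply unchanged to these entries.

```python
import re

# <stem>[+<tries-left>[-<tries-done>]].conf: the counter suffix is the file
# name convention of systemd's Automatic Boot Assessment (assumed unchanged).
ENTRY_RE = re.compile(r"(?P<stem>.+?)(?:\+(?P<left>\d+)(?:-(?P<done>\d+))?)?\.conf")
LEGACY_RE = re.compile(r"nixos-generation-(?P<gen>\d+).*")

def parse_entry(filename):
    """Parse one loader entry file name; return None if it is not a .conf entry."""
    m = ENTRY_RE.fullmatch(filename)
    if m is None:
        return None
    stem = m["stem"]
    legacy = LEGACY_RE.fullmatch(stem)
    if legacy:
        scheme, ident = "generation", int(legacy["gen"])
    elif stem.startswith("nixos-"):
        scheme, ident = "content-hash", stem[len("nixos-"):]  # opaque token
    else:
        scheme, ident = "other", stem
    if m["left"] is None:
        # No counter: marked good, or boot counting is not in use.
        state, left, done = "good", None, None
    else:
        left, done = int(m["left"]), int(m["done"] or 0)
        state = "bad" if left == 0 else "indeterminate"
    return {"scheme": scheme, "id": ident, "state": state,
            "tries_left": left, "tries_done": done}

def audit(filenames):
    """Sort a directory listing into the buckets an operator cares about."""
    report = {"legacy": [], "pending": [], "bad": [], "ignored": []}
    for name in filenames:
        entry = parse_entry(name)
        if entry is None:
            report["ignored"].append(name)
            continue
        if entry["scheme"] == "generation":
            report["legacy"].append(name)  # not yet migrated to the new naming
        if entry["state"] == "indeterminate":
            report["pending"].append(name)  # tries left, not yet marked good
        elif entry["state"] == "bad":
            report["bad"].append(name)  # all tries used up
    return report

# Constructed listing of <ESP>/loader/entries; the hash tokens are placeholders.
SAMPLE = ["nixos-generation-41.conf", "nixos-a1b2c3+3.conf",
          "nixos-d4e5f6+0-3.conf", "nixos-0a0b0c.conf", "README.txt"]
```

Calling audit(SAMPLE) groups the listing into legacy, pending, bad and ignored names.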