Nixpkgs
Nixpkgs 26.11 ("Zokor", 2026.11/??) {#sec-nixpkgs-release-26.11}
Highlights {#sec-nixpkgs-release-26.11-highlights}
- Create the first release note entry in this section!
Backward Incompatibilities {#sec-nixpkgs-release-26.11-incompatibilities}
- `databricks-cli` has been updated from `0.290.2` to `1.x.x`, the first major release. OAuth tokens for interactive logins (`auth_type = databricks-cli`) are now stored in the OS-native secure store by default (Secret Service on Linux) instead of `~/.databricks/token-cache.json`; cached tokens from older versions are not migrated, so run `databricks auth login` once per profile after upgrading. To keep the previous file-backed storage, set `DATABRICKS_AUTH_STORAGE=plaintext` or add `auth_storage = plaintext` under `[__settings__]` in `~/.databrickscfg`. Additionally, the `vector_search_endpoints` DABs resource renamed `min_qps` to `target_qps` (and the `vector-search-endpoints` command renamed `--min-qps` to `--target-qps`). See the upstream changelog for details.
- `hurl` has been updated to `8.x.x`, which has some breaking changes. See upstream changelog for details.
- `xsecurelock` no longer supports authentication via htaccess files (`~/.xsecurelock.pw`) or via the `pamtester` program by default. Only the recommended PAM module is supported unless rebuilt with `withHtaccess` or `withPamtester`.
- `python3Packages.django-health-check` has been updated to major version 4. See its migration guide and changelog for breaking changes.
- `libgdata` has been removed, as it was archived upstream and relied on the insecure libsoup 2.4.
- `services.mysql` now sets `root@localhost` authentication to `auth_socket` when used with `mysql` or `percona-server`. Existing deployments will also be adjusted if possible. See the security advisory GHSA-6qxx-6rg8-c4p8 for more information.
- `uhttpmock` providing 0.0 ABI was removed. `uhttpmock_1_0` providing 1.0 ABI was renamed to `uhttpmock` and `uhttpmock_1_0` was kept as an alias.
- `nix-serve-ng` (and `haskellPackages.nix-serve-ng`) is now built against Lix instead of CppNix, following upstream which has switched to Lix as its supported Nix implementation.
- Linux kernel configuration has been moved out of the `linux-kernel` field of the platform structure into the kernel builders:
  - `linux-kernel.name` has been removed.
  - `linux-kernel.target` is available as the `target` parameter and passthru attribute on the kernel builders.
  - `linux-kernel.installTarget` has been removed, as it should not be necessary to customize.
  - `linux-kernel.DTB` is available as the `buildDTBs` parameter and passthru attribute on the kernel builders.
  - `linux-kernel.{autoModules,preferBuiltin,extraConfig}` were already available as kernel builder parameters.
- The `img` argument of `vmTools` has been renamed to `kernelImage`, as it collided with the top-level `img` package. Additionally, the kernel module tree used inside the VM has been split out of the `kernel` argument into a new `kernelModules` argument (defaulting to `kernel`). Callers that overrode `kernel` with a module tree (e.g. from `pkgs.aggregateModules`) to make extra modules available must now pass it via `kernelModules` instead, keeping `kernel` pointing at a bootable kernel derivation.
- The ARMv5 Linux kernel build now uses a standard configuration and generates a standard compressed image instead of the deprecated legacy U‐Boot image format.

  `lib.systems.{examples,platforms}.{sheevaplug,pogoplug4}` have been unified into `lib.systems.examples.armv5tel-multiplatform`. Note that there is no official support for ARMv5 and it is not possible to build even a simple NixOS configuration out of the box.
- `pdns` has been updated from `5.0.x` to `5.1.x`. Please be sure to review the Upgrade Notes before upgrading. Namely, LUA record updates are no longer allowed by default, and the embedded webserver no longer includes an `access-control-allow-origin: *` header by default.
- Support for the legacy U‐Boot image format has been removed from the Linux kernel builders, as it is deprecated upstream and no longer used by any platform in Nixpkgs.
- `rke2` retires ingress-nginx and transitions to Traefik starting in `rke2_1_36`. Because ingress-nginx was retired upstream as of March 2026, Traefik is now the default for new clusters starting in v1.36 (existing clusters will keep their current ingress upon upgrade to avoid breakage). This transition brings the following structural changes:
  - Airgapped Environments: The rke2-images-core tarball now contains Traefik images instead of ingress-nginx. The standalone rke2-images-traefik tarball has been removed. Users who must continue using ingress-nginx will now need to manually provide the rke2-images-ingress-nginx tarball.
  - Future Removal: The ingress-nginx chart will not receive any additional updates and will be completely removed in v1.37 for community users.
- `buildFHSEnvChroot` has been removed after deprecation in 23.05.
- `requireFile` now sets `meta.license = lib.licenses.unfree` by default. Users of `requireFile`-based derivations that preserve this default will need to explicitly allow their evaluation as described in .
- `librest` providing 0.7 ABI was removed. `librest_1_0` providing 1.0 ABI was renamed to `librest` and `librest_1_0` was kept as an alias.
- `pnpm_10` was upgraded to version 10.34.1+, which introduced stricter integrity checks. If you encounter `ERR_PNPM_MISSING_TARBALL_INTEGRITY`, you can fall back to the older `pnpm_10_34_0`.
- `fetchPnpmDeps`' `fetcherVersion = 1` and `fetcherVersion = 2` have been removed, as announced in the 26.05 release. Packages still using them now throw an evaluation error and must migrate to `fetcherVersion = 3` (or later) and regenerate their hashes. See the pnpm `fetcherVersion` section of the manual for details.
- `rebuilderd` has been updated to 0.27.0 introducing breaking changes. See upstream changelog for details: 0.26.0, 0.27.0
- Starting with v14, `flameshot` will primarily utilise xdg-desktop-portal calls for screenshotting. This will directly affect users on X11 window managers due to the lack of a compatible portal with Screenshot feature. See upstream changelog or NixOS Flameshot wiki page for workarounds.
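
A post-upgrade check for the `databricks-cli` entry above, added here as an example and not part of the Nixpkgs release notes or of databricks-cli itself: it reports home directories that opt back in to plaintext token storage and old `token-cache.json` files that are still on disk. The function names are hypothetical; the path, environment variable and config key are the ones named in the entry, and treating either setting as enough to mean plaintext is an assumption.

```sh
#!/bin/sh
# Added example: post-upgrade audit of databricks-cli token storage.
# Function names are hypothetical; path, variable and key come from the note.

# Print auth_storage from the [__settings__] section of config file $1 (if any).
cfg_auth_storage() {
    [ -f "$1" ] || return 0
    awk '
        /^[ \t]*\[/ {                          # section header
            gsub(/[ \t]/, "")
            in_settings = ($0 == "[__settings__]")
            next
        }
        in_settings && /^[ \t]*auth_storage[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            print
            exit
        }
    ' "$1"
}

# Effective mode for home directory $1. Assumption: plaintext applies if
# either the environment variable or the config file asks for it.
storage_mode() {
    if [ "${DATABRICKS_AUTH_STORAGE:-}" = plaintext ] ||
       [ "$(cfg_auth_storage "$1/.databrickscfg")" = plaintext ]; then
        echo plaintext
    else
        echo secure-store
    fi
}

# Audit one home directory: returns 0 if clean, 1 if a finding was printed.
audit_home() {
    home=$1 rc=0
    cache="$home/.databricks/token-cache.json"
    mode=$(storage_mode "$home")
    if [ "$mode" = plaintext ]; then
        echo "FINDING: $home opts in to plaintext token storage"; rc=1
    elif [ -e "$cache" ]; then
        echo "FINDING: $cache predates the secure store; review and remove"; rc=1
    fi
    # Flag a token file that group or others can read (POSIX find syntax).
    if [ -e "$cache" ] && [ -n "$(find "$cache" \( -perm -040 -o -perm -004 \))" ]; then
        echo "FINDING: $cache is readable by group or others"; rc=1
    fi
    return $rc
}
# Usage: audit_home "$HOME"
```
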
Other Notable Changes {#sec-nixpkgs-release-26.11-notable-changes}
- `super-productivity` has been updated. The binary has been renamed from `super-productivity` to `superproductivity`. A symlink from the old name is provided for backward compatibility.
- A Package-URL (PURL, https://github.com/package-url/purl-spec) metadata identifier has been added for the `fetchgit`, `fetchpypi` and `fetchFromGitHub` fetchers. `mkDerivation` has been adjusted to reuse this information. Package-URLs allow reliably identifying and locating software packages. Maintainers of derivations using the adapted fetchers should rely on the `drv.src.meta.identifiers.v1.purl` default identifier and can extend their `drv.meta.identifiers.v1.purls` list once they would like to have additional identifiers. Maintainers using `fetchurl` for `drv.src` are urged to adapt their `drv.meta.identifiers.purlParts` for proper identification.
- Emacs loads the `early-default` library after `early-init.el`. Users can add `early-init.el` via `emacs.pkgs.withPackages` by packaging `early-init.el` into a library named `early-default`. To prevent loading the `early-default` library, set `inhibit-early-default-init` in `early-init.el`.
- `services.ceph` enabled the generation of Ceph log files at `/var/log/ceph/`. They were missing before because Ceph omitted logs when this directory was missing. Ceph logs can grow large, so you may want to configure rotation of these logs.
Nixpkgs Library {#sec-nixpkgs-release-26.11-lib}
Breaking changes {#sec-nixpkgs-release-26.11-lib-breaking}
- Create the first release note entry in this section!
Deprecations {#sec-nixpkgs-release-26.11-lib-deprecations}
- Create the first release note entry in this section!
Additions and Improvements {#sec-nixpkgs-release-26.11-lib-additions-improvements}
- Create the first release note entry in this section!