# Nixos 25.05 (“Warbler”, 2025.05/??) {#sec-release-25.05} ## Highlights {#sec-release-25.05-highlights} - Initial support for the [COSMIC DE](https://system76.com/cosmic), a Rust-based desktop environment by System76, makers of Pop!_OS. Toggle the greeter (login manager) using `services.displayManager.cosmic-greeter.enable` and the DE itself with `services.desktopManager.cosmic.enable`. Mostly stable but still experimental. Please report any issues to the [COSMIC DE tracker in Nixpkgs](https://github.com/NixOS/nixpkgs/issues/259641) instead of upstream. - `services.dex` now restarts upon changes to the `.environmentFile` or entries in `.settings.staticClients[].secretFile` when the entry is a `path` type. - `nixos-rebuild-ng`, a full rewrite of `nixos-rebuild` in Python, is available for testing. You can enable it by setting [system.rebuild.enableNg](options.html#opt-system.rebuild.enableNg) in your configuration (this will replace the old `nixos-rebuild`), or by adding `nixos-rebuild-ng` to your `environment.systemPackages` (in this case, it will live side-by-side with `nixos-rebuild` as `nixos-rebuild-ng`). It is expected that the next major version of NixOS (25.11) will enable `system.rebuild.enableNg` by default. - The `nixos-generate-config` command now supports a optional `--flake` option, which will generate a flake.nix file alongside the `configuration.nix` and `hardware-configuration.nix`, providing an easy instroduction into flake-based system configurations. - A `nixos-rebuild build-image` sub-command has been added. It allows users to build platform-specific (disk) images from their NixOS configurations. `nixos-rebuild build-image` works similar to the popular [nix-community/nixos-generators](https://github.com/nix-community/nixos-generators) project. See new [section on image building in the NixOS manual](https://nixos.org/manual/nixos/unstable/#sec-image-nixos-rebuild-build-image). It is also available for `nixos-rebuild-ng`. - `nixos-option` has been rewritten to a Nix expression called by a simple bash script. This lowers our maintenance threshold, makes eval errors less verbose, adds support for flake-based configurations, descending into `attrsOf` and `listOf` submodule options, and `--show-trace`. - The `intel` video driver for X.org (from the xf86-video-intel package) which was previously removed because it was non-functional has been fixed and the driver has been re-introduced. - The Mattermost module ({option}`services.mattermost`) and packages (`mattermost` and `mmctl`) have been substantially updated: - {option}`services.mattermost.preferNixConfig` now defaults to true if you advance {option}`system.stateVersion` to 25.05. This means that if you have {option}`services.mattermost.mutableConfig` set, NixOS will override your settings to those that you define in the module. It is recommended to leave this at the default, even if you used a mutable config before, because it will ensure that your Mattermost data directories are correct. If you moved your data directories, you may want to review the module changes before upgrading. - Mattermost telemetry reporting is now disabled by default, though security update notifications are enabled. Look at {option}`services.mattermost.telemetry` for options to control this behavior. - `pkgs.mattermostLatest` is now an option to track the latest (non-prerelease) Mattermost release. We test upgrade migrations from ESR releases (`pkgs.mattermost`) to `pkgs.mattermostLatest`. - The Mattermost frontend is now built from source and can be overridden. - Note that the Mattermost derivation containing both the webapp and server is now wrapped to allow them to be built independently, so overrides to both webapp and server look like `mattermost.overrideAttrs (prev: { webapp = prev.webapp.override { ... }; server = prev.server.override { ... }; })` now. - `services.mattermost.listenAddress` has been split into {option}`services.mattermost.host` and {option}`services.mattermost.port`. If your `listenAddress` contained a port, you will need to edit your configuration. - Mattermost now supports peer authentication on both MySQL and Postgres database backends. Updating {option}`system.stateVersion` to 25.05 or later will result in peer authentication being used by default if the Mattermost server would otherwise be connecting to localhost. This is the recommended configuration. - The Mattermost module will produce eval warnings if a database password would end up in the Nix store, and recommend alternatives such as peer authentication or using the environment file. - Mattermost's entire test suite is now enabled by default, which will extend build time from sources by up to an hour. A `withoutTests` passthru has been added in case you want to skip it. - We now support `mmctl` for Mattermost administration if both {option}`services.mattermost.socket.enable` and {option}`services.mattermost.socket.export` are set, which export the Mattermost control socket path into the system environment. - A new `pkgs.mattermost.buildPlugin` function has been added, which allows plugins to be built from source, including webapp frontends with a supported package-lock.json. See the Mattermost NixOS test and [manual](https://nixos.org/manual/nixpkgs/unstable/#sec-mattermost-plugins-build) for an example. - Note that the Mattermost module will create an account _without_ a well-known UID if the username differs from the default (`mattermost`). If you used Mattermost with a nonstandard username, you may want to review the module changes before upgrading. - androidenv has been updated: - All versions specified in composeAndroidPackages now track latest. Android packages are automatically updated on unstable, and run the androidenv test suite on every update. - Some androidenv packages are now searchable on [search.nixos.org](https://search.nixos.org). - We now use the latest Google repositories, which should improve aarch64-darwin compatibility. The SDK now additionally evaluates on aarch64-linux, though not all packages are functional. ## New Modules {#sec-release-25.05-new-modules} - [AmneziaVPN](https://amnezia.org/en), an open-source VPN client, with a key feature that enables you to deploy your own VPN server on your server. Available as [programs.amnezia-vpn](#opt-programs.amnezia-vpn.enable). - [Bazecor](https://github.com/Dygmalab/Bazecor), the graphical configurator for Dygma Products. - [Bonsai](https://git.sr.ht/~stacyharper/bonsai), a general-purpose event mapper/state machine primarily used to create complex key shortcuts, and as part of the [SXMO](https://sxmo.org/) desktop environment. Available as [services.bonsaid](#opt-services.bonsaid.enable). - [archtika](https://github.com/archtika/archtika), a FLOSS, modern, performant, lightweight and self‑hosted CMS. Available as [services.archtika](#opt-services.archtika.enable). - [scanservjs](https://github.com/sbs20/scanservjs/), a web UI for SANE scanners. Available at [services.scanservjs](#opt-services.scanservjs.enable). - [Kimai](https://www.kimai.org/), a web-based multi-user time-tracking application. Available as [services.kimai](options.html#opt-services.kimai). - [Homer](https://homer-demo.netlify.app/), a very simple static homepage for your server. Available as [services.homer](options.html#opt-services.homer). - [Ghidra](https://ghidra-sre.org/), a software reverse engineering (SRE) suite of tools. Available as [programs.ghidra](options.html#opt-programs.ghidra). - [Omnom](https://github.com/asciimoo/omnom), a webpage bookmarking and snapshotting service. Available as [services.omnom](options.html#opt-services.omnom.enable). - [Yggdrasil-Jumper](https://github.com/one-d-wide/yggdrasil-jumper) is an independent project that aims to transparently reduce latency of a connection over Yggdrasil network, utilizing NAT traversal to automatically bypass intermediary nodes. - [xpad-noone](https://github.com/medusalix/xpad-noone) is the original upstream xpad driver from the Linux kernel with support for Xbox One controllers removed, especially useful for people who want to use an XBox One controller under the xone driver and an Xbox 360 controller under the xpad driver at the same time. Available as [hardware.xpad-noone](options.html#hardware.xpad-noone). - [uMurmur](https://umurmur.net), minimalistic Mumble server primarily targeted to run on embedded computers. Available as [services.umurmur](options.html#opt-services.umurmur). - [Zenoh](https://zenoh.io/), a pub/sub/query protocol with low overhead. The Zenoh router daemon is available as [services.zenohd](options.html#opt-services.zenohd.enable) - [ytdl-sub](https://github.com/jmbannon/ytdl-sub), a tool that downloads media via yt-dlp and prepares it for your favorite media player, including Kodi, Jellyfin, Plex, Emby, and modern music players. Available as [services.ytdl-sub](options.html#opt-services.ytdl-sub.instances). - [MaryTTS](https://github.com/marytts/marytts), an open-source, multilingual text-to-speech synthesis system written in pure Java. Available as [services.marytts](options.html#opt-services.marytts). - [networking.modemmanager](options.html#opt-networking.modemmanager) has been split out of [networking.networkmanager](options.html#opt-networking.networkmanager). NetworkManager still enables ModemManager by default, but options exist now to run NetworkManager without ModemManager. - [Routinator 3000](https://nlnetlabs.nl/projects/routing/routinator/), a full-featured RPKI Relying Party software package that runs as a service which periodically downloads and verifies RPKI data. - [doh-server](https://github.com/m13253/dns-over-https), a high performance DNS over HTTPS server. Available as [services.doh-server](options.html#opt-services.doh-server.enable). - [ncps](https://github.com/kalbasit/ncps), a Nix binary cache proxy service implemented in Go using [go-nix](https://github.com/nix-community/go-nix). Available as [services.ncps](options.html#opt-services.ncps.enable). - [Conduwuit](https://conduwuit.puppyirl.gay/), a federated chat server implementing the Matrix protocol, forked from Conduit. Available as [services.conduwuit](#opt-services.conduwuit.enable). - [Readeck](https://readeck.org/), a read-it later web-application. Available as [services.readeck](#opt-services.readeck.enable). - [Traccar](https://www.traccar.org/), a modern GPS Tracking Platform. Available as [services.traccar](#opt-services.traccar.enable). - [Schroot](https://codeberg.org/shelter/reschroot), a lightweight virtualisation tool. Securely enter a chroot and run a command or login shell. Available as [programs.schroot](#opt-programs.schroot.enable). - [Firezone](https://firezone.dev), an enterprise-ready zero-trust access platform built on WireGuard. This includes the server stack as [services.firezone.server.enable](#opt-services.firezone.server.enable), a TURN/STUN relay service as [services.firezone.relay.enable](#opt-services.firezone.relay.enable), a gateway service as [services.firezone.gateway.enable](#opt-services.firezone.gateway.enable), a headless client as [services.firezone.headless-client.enable](#opt-services.firezone.headless-client.enable) and a GUI client as [services.firezone.gui-client.enable](#opt-services.firezone.gui-client.enable). - [crab-hole](https://github.com/LuckyTurtleDev/crab-hole), a cross platform Pi-hole clone written in Rust using hickory-dns/trust-dns. Available as [services.crab-hole](#opt-services.crab-hole.enable). - [zwave-js-ui](https://zwave-js.github.io/zwave-js-ui/), a full featured Z-Wave Control Panel and MQTT Gateway. Available as [services.zwave-js-ui](#opt-services.zwave-js-ui.enable). - [Pinchflat](https://github.com/kieraneglin/pinchflat), a selfhosted YouTube media manager used to track channels and download videos on release. Available as [services.pinchflat](#opt-services.pinchflat.enable). - [Amazon CloudWatch Agent](https://github.com/aws/amazon-cloudwatch-agent), the official telemetry collector for AWS CloudWatch and AWS X-Ray. Available as [services.amazon-cloudwatch-agent](options.html#opt-services.amazon-cloudwatch-agent.enable). - [Fluent Bit](https://github.com/fluent/fluent-bit), a fast Log, Metrics and Traces Processor and Forwarder. Available as [services.fluent-bit](#opt-services.fluent-bit.enable). - [Bat](https://github.com/sharkdp/bat), a {manpage}`cat(1)` clone with wings. Available as [programs.bat](options.html#opt-programs.bat). - [Autotier](https://github.com/45Drives/autotier), a passthrough FUSE filesystem. Available as [services.autotierfs](options.html#opt-services.autotierfs.enable). - [PostgREST](https://postgrest.org), a standalone web server that turns your PostgreSQL database directly into a RESTful API. Available as [services.postgrest](options.html#opt-services.postgrest.enable). - [µStreamer](https://github.com/pikvm/ustreamer), a lightweight MJPEG-HTTP streamer. Available as [services.ustreamer](options.html#opt-services.ustreamer). - [Whoogle Search](https://github.com/benbusby/whoogle-search), a self-hosted, ad-free, privacy-respecting metasearch engine. Available as [services.whoogle-search](options.html#opt-services.whoogle-search.enable). - [autobrr](https://autobrr.com), a modern download automation tool for torrents and usenets. Available as [services.autobrr](#opt-services.autobrr.enable). - [cross-seed](https://www.cross-seed.org), a tool to set-up fully automatic cross-seeding of torrents. Available as [services.cross-seed](#opt-services.cross-seed.enable). - [Froide-Govplan](https://github.com/okfde/froide-govplan), a web application government planer. Available as [services.froide-govplan](#opt-services.froide-govplan.enable). - [agorakit](https://github.com/agorakit/agorakit), an organization tool for citizens' collectives. Available with [services.agorakit](options.html#opt-services.agorakit.enable). - [vivid](https://github.com/sharkdp/vivid), a generator for LS_COLOR. Available as [programs.vivid](#opt-programs.vivid.enable). - [matrix-alertmanager](https://github.com/jaywink/matrix-alertmanager), a bot to receive Alertmanager webhook events and forward them to chosen Matrix rooms. Available as [services.matrix-alertmanager](options.html#opt-services.matrix-alertmanager.enable). - [waagent](https://github.com/Azure/WALinuxAgent), the Microsoft Azure Linux Agent (waagent) manages Linux provisioning and VM interaction with the Azure Fabric Controller. Available with [services.waagent](options.html#opt-services.waagent.enable). - [nfc-nci](https://github.com/StarGate01/ifdnfc-nci), an alternative NFC stack and PC/SC driver for the NXP PN54x chipset, commonly found in Lenovo systems as NXP1001 (NPC300). Available as [hardware.nfc-nci](#opt-hardware.nfc-nci.enable). - [grav](https://getgrav.org/), a modern flat-file CMS. Available with [services.grav](options.html#opt-services.grav.enable). - [duckdns](https://www.duckdns.org), free dynamic DNS. Available with [services.duckdns](options.html#opt-services.duckdns.enable) - [Zoxide](https://github.com/ajeetdsouza/zoxide), a smarter cd command, inspired by z and autojump. Available as [programs.zoxide](options.html#opt-programs.zoxide.enable) - [victorialogs][https://docs.victoriametrics.com/victorialogs/], log database from VictoriaMetrics. Available as [services.victorialogs](#opt-services.victorialogs.enable) - [gokapi](https://github.com/Forceu/Gokapi), Lightweight selfhosted Firefox Send alternative without public upload. AWS S3 supported. Available with [services.gokapi](options.html#opt-services.gokapi.enable) - [nostr-rs-relay](https://git.sr.ht/~gheartsfield/nostr-rs-relay/), This is a nostr relay, written in Rust. Available as [services.nostr-rs-relay](options.html#opt-services.nostr-rs-relay.enable). - [haven](https://github.com/bitvora/haven), is a high availability vault for events on nostr. Available as [services.haven](options.html#opt-services.haven.enable). - [strfry](https://github.com/hoytech/strfry), a relay for the nostr protocol. Available as [services.strfry](options.html#opt-services.strfry.enable). - [Prometheus Node Cert Exporter](https://github.com/amimof/node-cert-exporter), a prometheus exporter to check for SSL cert expiry. Available under [services.prometheus.exporters.node-cert](#opt-services.prometheus.exporters.node-cert.enable). - [Actual Budget](https://actualbudget.org/), a local-first personal finance app. Available as [services.actual](#opt-services.actual.enable). - [immich-public-proxy](https://github.com/alangrainger/immich-public-proxy), a proxy for sharing Immich albums without exposing the Immich API. Available as [services.immich-public-proxy](#opt-services.immich-public-proxy.enable). - [Zipline](https://zipline.diced.sh/), a ShareX/file upload server that is easy to use, packed with features, and with an easy setup. Available as [services.zipline](#opt-services.zipline.enable). - [GlitchTip](https://glitchtip.com/), an open source Sentry API compatible error tracking platform. Available as [services.glitchtip](#opt-services.glitchtip.enable). - [Stash](https://github.com/stashapp/stash), An organizer for your adult videos/images, written in Go. Available as [services.stash](#opt-services.stash.enable). - [vsmartcard-vpcd](https://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html), a virtual smart card driver. Available as [services.vsmartcard-vpcd](#opt-services.vsmartcard-vpcd.enable). - [Fider](https://fider.io/), an open platform to collect and prioritize feedback. Available as [services.fider](#opt-services.fider.enable). - [PDS](https://github.com/bluesky-social/pds), Personal Data Server for [bsky](https://bsky.social/). Available as [services.pds](option.html#opt-services.pds). - [synapse-auto-compressor](https://github.com/matrix-org/rust-synapse-compress-state?tab=readme-ov-file#automated-tool-synapse_auto_compressor), a rust-based matrix-synapse state compressor for postgresql. Available as [services.synapse-auto-compressor](#opt-services.synapse-auto-compressor.enable). - [mqtt-exporter](https://github.com/kpetremann/mqtt-exporter/), a Prometheus exporter for exposing messages from MQTT. Available as [services.prometheus.exporters.mqtt](#opt-services.prometheus.exporters.mqtt.enable). - [pocket-id](https://pocket-id.org/), an OIDC provider with passkeys support. Available as [services.pocket-id](#opt-services.pocket-id.enable). - [nvidia-gpu](https://github.com/utkuozdemir/nvidia_gpu_exporter), a Prometheus exporter that scrapes `nvidia-smi` for GPU metrics. Available as [services.prometheus.exporters.nvidia-gpu](#opt-services.prometheus.exporters.nvidia-gpu.enable). - [OpenGamepadUI](https://github.com/ShadowBlip/OpenGamepadUI/), an open source gamepad-native game launcher and overlay for Linux. Available as [programs.opengamepadui](#opt-programs.opengamepadui.enable). - [InputPlumber](https://github.com/ShadowBlip/InputPlumber/), an open source input router and remapper daemon for Linux. Available as [services.inputplumber](#opt-services.inputplumber.enable). - [PowerStation](https://github.com/ShadowBlip/PowerStation/), an open source TDP control and performance daemon with DBus interface for Linux. Available as [services.powerstation](#opt-services.powerstation.enable). - [`g3proxy`](https://github.com/bytedance/g3), an open source enterprise forward proxy from ByteDance, similar to Squid or tinyproxy. Available as [services.g3proxy](#opt-services.g3proxy.enable). - [echoip](https://github.com/mpolden/echoip), a simple service for looking up your IP address. Available as [services.echoip](#opt-services.echoip.enable). - [LiteLLM](https://github.com/BerriAI/litellm), a LLM Gateway to provide model access, fallbacks and spend tracking across 100+ LLMs. All in the OpenAI format. Available as [services.litellm](#opt-services.litellm.enable). - [Buffyboard](https://gitlab.postmarketos.org/postmarketOS/buffybox/-/tree/master/buffyboard), a framebuffer on-screen keyboard. Available as [services.buffyboard](option.html#opt-services.buffyboard). - [KanBoard](https://github.com/kanboard/kanboard), a project management tool that focuses on the Kanban methodology. Available as [services.kanboard](#opt-services.kanboard.enable). - [git-worktree-switcher](https://github.com/mateusauler/git-worktree-switcher), switch between git worktrees with speed. Available as [programs.git-worktree-switcher](#opt-programs.git-worktree-switcher.enable) - [GLPI-Agent](https://github.com/glpi-project/glpi-agent), GLPI Agent. Available as [services.glpiAgent](options.html#opt-services.glpiAgent.enable). - [Recyclarr](https://github.com/recyclarr/recyclarr) a TRaSH Guides synchronizer for Sonarr and Radarr. Available as [services.recyclarr](#opt-services.recyclarr.enable). - [Rebuilderd](https://github.com/kpcyrd/rebuilderd) an independent verification of binary packages - Reproducible Builds. Available as [services.rebuilderd](#opt-services.rebuilderd.enable). - [Limine](https://github.com/limine-bootloader/limine) a modern, advanced, portable, multiprotocol bootloader and boot manager. Available as [boot.loader.limine](#opt-boot.loader.limine.enable) - [Orthanc](https://orthanc.uclouvain.be/) a lightweight, RESTful DICOM server for healthcare and medical research. Available as [services.orthanc](#opt-services.orthanc.enable). - [Docling Serve](https://github.com/docling-project/docling-serve) running [Docling](https://github.com/docling-project/docling) as an API service. Available as [services.docling-serve](#opt-services.docling-serve.enable). - [Pareto Security](https://paretosecurity.com/) is an alternative to corporate compliance solutions for companies that care about security but know it doesn't have to be invasive. Available as [services.paretosecurity](#opt-services.paretosecurity.enable) - [ipfs-cluster](https://ipfscluster.io/), Pinset orchestration for IPFS. Available as [services.ipfs-cluster](#opt-services.ipfs-cluster.enable) - [bitbox-bridge](https://github.com/BitBoxSwiss/bitbox-bridge), a bridge software that connects BitBox hardware wallets to computers & web wallets like [Rabby](https://rabby.io/). Allows one to interact & transact with smart contracts, Web3 websites & financial services without storing private keys anywhere other than the hardware wallet. Available as [services.bitbox-bridge](#opt-services.bitbox-bridge.enable). ## Backward Incompatibilities {#sec-release-25.05-incompatibilities} - `services.rippled` has been removed, as `rippled` was broken and had not been updated since 2022. - `services.rippleDataApi` has been removed, as `ripple-data-api` was broken and had not been updated since 2022. - The `nixos/modules/virtualisation/amazon-ec2-amis.nix` file is not supported anymore since 24.05. It will throw and error starting 25.05 with instructions the following instructions: The canonical source for NixOS AMIs is the AWS API. Please see https://nixos.org/download/#nixos-amazon or https://nixos.github.io/amis/ for instructions. - The udev rules of the libjaylink package require users to be in the `jlink` instead of `plugdev` group now, since the `plugdev` group is very uncommon for NixOS. Alternatively, access is granted to seat sessions. - The latest available version of Nextcloud is v31 (available as `pkgs.nextcloud31`). The installation logic is as follows: - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**) - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.11, `pkgs.nextcloud30` will be installed by default. - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud31` will be installed by default. - Please note that an upgrade from v29 (or older) to v31 directly is not possible. Please upgrade to `nextcloud30` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud30;`](options.html#opt-services.nextcloud.package). - `services.cloudflare-dyndns.apiTokenFile` now must be just your Cloudflare api token. Previously it was supposed to be a file of the form `CLOUDFLARE_API_TOKEN=...`. - [](#opt-services.nextcloud.config.dbtype) is unset by default, the previous default was `sqlite`. This was done because `sqlite` is not a reasonable default since it's [not recommended by upstream](https://docs.nextcloud.com/server/30/admin_manual/installation/system_requirements.html) and thus doesn't qualify as default. - Nextcloud's default FPM pool settings have been increased according to upstream recommentations. It's advised to review the new defaults and description of [](#opt-services.nextcloud.poolSettings). - The `services.locate` module does no longer support findutil's `locate` due to its inferior performance compared to `mlocate` and `plocate`. The new default is `plocate`. As the `service.locate.localuser` option only applied when using findutil's `locate`, it has also been removed. - `services.paperless` now installs `paperless-manage` as a normal system package instead of creating a symlink in `/var/lib/paperless`. `paperless-manage` now also changes to the appropriate user when being executed. - `asusd` has been upgraded to version 6 which supports multiple aura devices. To account for this, the single `auraConfig` configuration option has been replaced with `auraConfigs` which is an attribute set of config options per each device. The config files may also be now specified as either source files or text strings; to account for this you will need to specify that `text` is used for your existing configs, e.g.: ```diff -services.asusd.asusdConfig = '''file contents''' +services.asusd.asusdConfig.text = '''file contents''' ``` - `linuxPackages.nvidiaPackages.stable` now defaults to the `production` variant instead of `latest`. - `timescaledb` requires manual upgrade steps. After you run ALTER EXTENSION, you must run [this SQL script](https://github.com/timescale/timescaledb-extras/blob/master/utils/2.15.X-fix_hypertable_foreign_keys.sql). For more details, see the following pull requests [#6797](https://github.com/timescale/timescaledb/pull/6797). PostgreSQL 13 is no longer supported in TimescaleDB v2.16. - `virtualisation/azure-common.nix`'s filesystem and grub configurations have been moved to `virtualisation/azure-image.nix`. This makes `azure-common.nix` more generic so it could be used for users who generate Azure image using other methods (e.g. nixos-generators and disko). For existing users depending on these configurations, please also import `azure-image.nix`. - `zammad` has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the [migration guide](https://docs.zammad.org/en/latest/appendix/migrate-to-postgresql.html) for how to convert your database to PostgreSQL. - `tauon` 7.9.0+ when launched for the first time, migrates its database to a new schema that is not backwards compatible. Older versions will refuse to start at all with that database afterwards. If you need to still use older tauon versions, make sure to back up `~/.local/share/TauonMusicBox`. - The `earlyoom` service is now using upstream systemd service, which enables hardening and filesystem isolation by default. If you need filesystem write access or want to access home directory via `killHook`, hardening setting can be changed via, e.g. `systemd.services.earlyoom.serviceConfig.ProtectSystem`. `services.earlyoom.extraArgs` is now shell-escaped for each element without word-breaking. So you want to write `extraArgs = [ "--prefer" "spaced pat" ]` rather than previous `extraArgs = [ "--prefer 'spaced pat'" ]`. - `programs.less.lessopen` is now null by default. To restore the previous behaviour, set it to `''|${lib.getExe' pkgs.lesspipe "lesspipe.sh"} %s''`. - `hardware.pulseaudio` has been renamed to `services.pulseaudio`. The deprecated option names will continue to work, but causes a warning. - `services.nextcloud` now uses systemd's credential mechanism to read in secret files. The `nextcloud-occ` wrapper script implements this using `systemd-run`, as such it now also requires root privileges or `$CREDENTIALS_DIRECTORY` set where running it as user `nextcloud` was enough previously. - `services.mongodb.initialRootPassword` has been replaced with the more secure option [`services.mongodb.initialRootPasswordFile`](#opt-services.mongodb.initialRootPasswordFile) - `services.bird2` has been renamed to `services.bird` and the default bird package has been switched to `bird3`. `bird2` can still be chosen via the `services.bird.package` option. - DokuWiki with the Caddy webserver (`services.dokuwiki.webserver = "caddy"`) now sets up sites with Caddy's automatic HTTPS instead of HTTP-only. To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`. If you set custom Caddy options for a DokuWiki site, migrate these options by removing `http://` from `services.caddy.virtualHosts."http://example.com"`. - Wordpress with the Caddy webserver (`services.wordpress.webserver = "caddy"`) now sets up sites with Caddy's automatic HTTPS instead of HTTP-only. Given a site example.com, http://example.com now 301 redirects to https://example.com. To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`. - The behavior of `services.hostapd.radios..networks..authentication.enableRecommendedPairwiseCiphers` was changed to not include `CCMP-256` anymore. Since all configured pairwise ciphers have to be supported by the radio, this caused startup failures on many devices which is hard to debug in hostapd. - `gkraken` software and `hardware.gkraken.enable` option have been removed, use `coolercontrol` via `programs.coolercontrol.enable` option instead. - To avoid delaying user logins unnecessarily the `multi-user.target` is no longer ordered after `network-online.target`. System services requiring a connection to start correctly must explicitly state so, i.e. ```nix systemd.services. = { wants = [ "network-online.target" ]; after = [ "network-online.target" ]; }; ``` This changed follows a deprecation period of one year started in NixOS 24.05 (see [PR #283818](https://github.com/NixOS/nixpkgs/pull/283818)). - The values of `services.borgbackup.jobs.*.extraArgs` and other `extra*Args` options are now represented as Bash arrays. If these arguments were modified using `services.borgbackup.jobs.*.preHook`, they will need to be adjusted to append to these arrays, i.e. ```diff -extraCreateArgs="$extraCreateArgs --exclude /some/path" +extraCreateArgs+=("--exclude" "/some/path") ``` - `programs.xonsh.package` now gets overrided internally with `extraPackages` to support `programs.xonsh.extraPackages`. See `programs.xonsh.extraPackages` for more details. - `services.nitter.guestAccounts` has been renamed to `services.nitter.sessionsFile`, for consistency with upstream. The file format is unchanged. - `virtualisation.azure.agent` option provided by `azure-agent.nix` is replaced by `services.waagent`, and will be removed in a future release. - The ZFS import service now respects `fileSystems.*.options = [ "noauto" ];` and does not add that pool's import service to `zfs-import.target`, meaning it will not be automatically imported at boot. - Default file names of images generated by several builders in `system.build` have been changed as outlined in the table below. Names are now known at evaluation time and customizable via the new options `image.baseName`, `image.extension`, `image.fileName` and `image.filePath` with the latter returning a path relative to the derivations out path (e.g. `iso/${image.fileName` for iso images). | `system.build` Option | Old Filename | New Filename | |--------------------------+------------------------------------------------------------+-----------------------------------------------------------------| | amazonImage | nixos-amazon-image-25.05pre-git-x86_64-linux.vhd | nixos-image-amazon-25.05pre-git-x86_64-linux.vhd | | azureImage | disk.vhd | nixos-image-azure-25.05pre-git-x86_64-linux.vhd | | digitalOceanImage | nixos.qcow2.gz | nixos-image-digital-ocean-25.05pre-git-x86_64-linux.qcow2.gz | | googleComputeImage | nixos-image-25.05pre-git-x86_64-linux.raw.tar.gz | nixos-image-google-compute-25.05pre-git-x86_64-linux.raw.tar.gz | | hypervImage | nixos-25.05pre-git-x86_64-linux.vhdx | nixos-image-hyperv-25.05pre-git-x86_64-linux.vhdx | | isoImage (installer) | nixos-25.05pre-git-x86_64-linux.iso | nixos-image-25.05pre-git-x86_64-linux.iso | | isoImage | nixos.iso | nixos-image-25.05pre-git-x86_64-linux.iso | | kubevirtImage | nixos.qcow2 | nixos-image-kubevirt-25.05pre-git-x86_64-linux.qcow2 | | linodeImage | nixos-image-25.05pre-git-x86_64-linux.img.gz | nixos-image-linode-25.05pre-git-x86_64-linux.img.gz | | metadata (lxc-container) | nixos-system-x86_64-linux.tar.xz | nixos-image-lxc-metadata-25.05pre-git-x86_64-linux.tar.xz | | OCIImage | nixos.qcow2 | nixos-image-oci-25.05pre-git-x86_64-linux.qcow2 | | openstackImage (zfs) | nixos-openstack-image-25.05pre-git-x86_64-linux.root.qcow2 | nixos-image-openstack-zfs-25.05pre-git-x86_64-linux.root.qcow2 | | openstackImage | nixos.qcow2 | nixos-image-openstack-25.05pre-git-x86_64-linux.qcow2 | | sdImage | nixos-sd-image-25.05pre-git-x86_64-linux.img.zst | nixos-image-sd-card-25.05pre-git-x86_64-linux.img.zst | | tarball (lxc-container) | nixos-system-x86_64-linux.tar.xz | nixos-image-lxc-25.05pre-git-x86_64-linux.tar.xz | | tarball (proxmox-lxc) | nixos-system-x86_64-linux.tar.xz | nixos-image-lxc-proxmox-25.05pre-git-x86_64-linux.tar.xz | | vagrantVirtualbox | nixos-25.05pre-git-x86_64-linux.ova | nixos-image-virtualbox-25.05pre-git-x86_64-linux.ova | | virtualBoxOVA | virtualbox-vagrant.box | nixos-image-vagrant-virtualbox-25.05pre-git-x86_64-linux.ova | | vmwareImage | nixos-25.05pre-git-x86_64-linux.vmdk | nixos-image-vmware-25.05pre-git-x86_64-linux.vmdk | - `security.apparmor.policies..enforce` and `security.apparmor.policies..enable` were removed. Configuring the state of apparmor policies must now be done using `security.apparmor.policies..state` tristate option. - `services.graylog.package` now defaults to `graylog-6_0` as previous default `graylog-5_1` is EOL and therefore removed. Check the migration guides on [5.1→5.2](https://go2docs.graylog.org/5-2/upgrading_graylog/upgrading_to_graylog_5.2.x.htm) and [5.2→6.0](https://go2docs.graylog.org/6-0/upgrading_graylog/upgrading_to_graylog_6.0.x.html) for breaking changes. - `programs.clash-verge.tunMode` was deprecated and removed because now service mode is necessary to start program. Without `programs.clash-verge.enable`, clash-verge-rev will refuse to start. - `services.netbird.tunnels` was renamed to [`services.netbird.clients`](#opt-services.netbird.clients), hardened (using dedicated less-privileged users) and significantly extended. ## Other Notable Changes {#sec-release-25.05-notable-changes} - `virtualisation.containers` with backend "podman" now supports rootless containers and `sd_notify(3)`-integration based on container healthchecks. - Cinnamon has been updated to 6.4, please check the [upstream announcement](https://www.linuxmint.com/rel_xia_whatsnew.php) for more details. - Following [changes in Mint 22](https://github.com/linuxmint/mintupgrade/commit/f239cde908288b8c250f938e7311c7ffbc16bd59) we are no longer overriding Qt application styles. You can still restore the previous default with `qt.style = "gtk2"` and `qt.platformTheme = "gtk2"`. - Following [changes in Mint 20](https://github.com/linuxmint/mintupgrade-legacy/commit/ce15d946ed9a8cb8444abd25088edd824bfb18f6) we are replacing xplayer with celluloid since xplayer is no longer maintained. - Pantheon has been updated to 8, please check the [upstream announcement](https://blog.elementary.io/os-8-available-now/) for more details. - Same as elementary OS, the X11 session is named "Classic Session" and the Wayland session is named "Secure Session". - The dock has been rewritten, you need to manually migrate the dock items on update. You can check `~/.config/plank/dock1/launchers/` for your previous settings. - Xfce has been updated to 4.20, please check the [upstream feature tour](https://www.xfce.org/about/tour420) for more details. - Wayland session is still [experimental](https://wiki.xfce.org/releng/wayland_roadmap) and requires opt-in using `enableWaylandSession` option. - Overriding Wayland compositor is possible using `waylandSessionCompositor` option, but you might need to take care [`xfce4-session`](https://gitlab.xfce.org/xfce/xfce4-session/-/merge_requests/49), [`dbus-update-activation-environment`](https://github.com/labwc/labwc/blob/eaf11face68ee1f1bcc7ce1498304ca8c108c8ba/src/config/session.c#L234) and [`systemctl --user import-environment`](https://github.com/labwc/labwc/blob/eaf11face68ee1f1bcc7ce1498304ca8c108c8ba/src/config/session.c#L239) on startup. - For new Xfce installations, default panel layout has [changed](https://gitlab.xfce.org/xfce/xfce4-panel/-/merge_requests/158/diffs) to not include external panel plugins by default. You can still add them yourself using the "Panel Preferences" dialog. - [`system.stateVersion`](#opt-system.stateVersion) is now validated and must be in the `"YY.MM"` format, ideally corresponding to a prior NixOS release. - `services.mysql` now supports easy cluster setup via [`services.mysql.galeraCluster`](#opt-services.mysql.galeraCluster.enable) option. Example: ```nix services.mysql = { enable = true; galeraCluster = { enable = true; localName = "Node 1"; localAddress = "galera_01"; nodeAddresses = [ "galera_01" "galera_02" "galera_03"]; }; }; ``` - [`services.geoclue2`](#opt-services.geoclue2.enable) now has an `enableStatic` option, which allows the NixOS configuration to specify a fixed location for GeoClue to use. - [`services.mongodb`](#opt-services.mongodb.enable) is now compatible with the `mongodb-ce` binary package. To make use of it, set [`services.mongodb.package`](#opt-services.mongodb.package) to `pkgs.mongodb-ce`. - [`services.jupyter`](#opt-services.jupyter.enable) is now compatible with `Jupyter Notebook 7`. See [the migration guide](https://jupyter-notebook.readthedocs.io/en/latest/migrate_to_notebook7.html) for details. - `networking.wireguard` now has an optional networkd backend. It is enabled by default when `networking.useNetworkd` is enabled, and it can be enabled alongside scripted networking with `networking.wireguard.useNetworkd`. Some `networking.wireguard` options have slightly different behavior with the networkd and script-based backends, documented in each option. - The `stackclashprotection` hardening flag has been enabled by default on compilers that support it. - `services.rss-bridge` now has a `package` option as well as support for `caddy` as reverse proxy. - `services.avahi.ipv6` now defaults to true. - In the `services.xserver.displayManager.startx` module, two new options [generateScript](#opt-services.xserver.displayManager.startx.generateScript) and [extraCommands](#opt-services.xserver.displayManager.startx.extraCommands) have been added to to declaratively configure the .xinitrc script. - All services that require a root certificate bundle now use the value of a new read-only option, `security.pki.caBundle`. - hddfancontrol has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes. - `nextcloud-news-updater` is unmaintained and was removed from nixpkgs. - `services.cloudflared` now uses a dynamic user, and its `user` and `group` options have been removed. If the user or group is still necessary, they can be created manually. - The Home Assistant module has new options {option}`services.home-assistant.blueprints.automation`, `services.home-assistant.blueprints.script`, and {option}`services.home-assistant.blueprints.template` that allow for the declarative installation of [blueprints](https://www.home-assistant.io/docs/blueprint/) into the appropriate configuration directories. - `services.dovecot2.modules` have been removed, now need to use `environment.systemPackages` to load additional Dovecot modules. - `services.kmonad` now creates a determinate symlink (in `/dev/input/by-id/`) to each of KMonad virtual devices. - `services.searx` now supports configuration of the favicons cache and other options available in SearXNG's `favicons.toml` file - `services.gitea` now supports CAPTCHA usage through the `services.gitea.captcha` variable. - `services.soft-serve` now restarts upon config change. - `services.keycloak` now provides a `realmFiles` option that allows to import realms during startup. See https://www.keycloak.org/server/importExport - `bind.cacheNetworks` now only controls access for recursive queries, where it previously controlled access for all queries. - [`services.mongodb.enableAuth`](#opt-services.mongodb.enableAuth) now uses the newer [mongosh](https://github.com/mongodb-js/mongosh) shell instead of the legacy shell to configure the initial superuser. You can configure the mongosh package to use through the [`services.mongodb.mongoshPackage`](#opt-services.mongodb.mongoshPackage) option. - The paperless module now has an option for regular automatic export of documents data using the integrated document exporter. - New options for the declarative configuration of the user space part of ALSA have been introduced under [hardware.alsa](options.html#opt-hardware.alsa.enable), including setting the default capture and playback device, defining sound card aliases and volume controls. Note: these are intended for users not running a sound server like PulseAudio or PipeWire, but having ALSA as their only sound system. - `services.k3s` now provides the `autoDeployCharts` option that allows to automatically deploy Helm charts via the k3s Helm controller. - Caddy can now be built with plugins by using `caddy.withPlugins`, a `passthru` function that accepts an attribute set as a parameter. The `plugins` argument represents a list of Caddy plugins, with each Caddy plugin being a versioned module. The `hash` argument represents the `vendorHash` of the resulting Caddy source code with the plugins added. Example: ```nix services.caddy = { enable = true; package = pkgs.caddy.withPlugins { plugins = [ # tagged upstream "github.com/caddy-dns/powerdns@v1.0.1" # pseudo-version number generated by Go "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e" "github.com/mholt/caddy-webdav@v0.0.0-20241008162340-42168ba04c9d" ]; hash = "sha256-wqXSd1Ep9TVpQi570TTb96LwzNYvWL5EBJXMJfYWCAk="; }; }; ``` To get the necessary hash of the vendored dependencies, omit `hash`. The build will fail and tell you the correct value. Note that all provided plugins must have versions/tags (string after `@`), even if upstream repo does not tag each release. For untagged plugins, you can either create an empty Go project and run `go get ` and see changes in `go.mod` to get the pseudo-version number, or provide a commit hash in place of version/tag for the first run, and update the plugin string based on the error output. - KDE Partition Manager `partitionmanager`'s support for ReiserFS is removed. ReiserFS has not been actively maintained for many years. It has been marked as obsolete since Linux 6.6, and [is removed](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c01f664e4ca210823b7594b50669bbd9b0a3c3b0) in Linux 6.13. - `authelia` version 4.39.0 has made some changes which deprecate older configurations. They are still expected to be working until future version 5.0.0, but will generate warnings in logs. Read the [release notes](https://www.authelia.com/blog/4.39-release-notes/) for human readable summaries of the changes. - `programs.fzf.keybindings` now supports the fish shell. - A toggle has been added under `users.users..enable` to allow toggling individual users conditionally. If set to false, the user account will not be created. ```{=include=} sections ../release-notes-nixpkgs/rl-2505.section.md ```