Support is planned until the end of June 2023, handing over to 23.05.

In addition to numerous new and upgraded packages, this release has the following highlights: GNOME has been upgraded to 43. Please take a look at their Release Notes for details. During cross-compilation, tests are now executed if the test suite can be executed by the build platform. This is the case when doing “native” cross-compilation where the build and host platforms are largely the same, but the nixpkgs’ cross compilation infrastructure is used, e.g. pkgsStatic and pkgsLLVM. Another possibility is that the build platform is a superset of the host platform, e.g. when cross-compiling from x86_64-unknown-linux to i686-unknown-linux. The predicate gating test suite execution is the newly added canExecute predicate: You can e.g. check if stdenv.buildPlatform can execute binaries built for stdenv.hostPlatform (i.e. produced by stdenv.cc) by evaluating stdenv.buildPlatform.canExecute stdenv.hostPlatform. The nixpkgs.hostPlatform and nixpkgs.buildPlatform options have been added. These cover and override the nixpkgs.{system,localSystem,crossSystem} options. hostPlatform is the platform or system string of the NixOS system described by the configuration. buildPlatform is the platform that is responsible for building the NixOS configuration. It defaults to the hostPlatform, for a non-cross build configuration. To cross compile, set buildPlatform to a different value. The new options convey the same information, but with fewer options, and following the Nixpkgs terminology. The existing options nixpkgs.{system,localSystem,crossSystem} have not been formally deprecated, to allow for evaluation of the change and to allow for a transition period so that in time the ecosystem can switch without breaking compatibility with any supported NixOS release. emacs enables native compilation which means: emacs packages from nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine; emacs packages from somewhere else, e.g. package-install, will do asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use (setq native-comp-deferred-compilation nil) to disable it while still enjoy the benefit of native compilation for packages from nixpkgs. nixos-generate-config now generates configurations that can be built in pure mode. This is achieved by setting the new nixpkgs.hostPlatform option. You may have to unset the system parameter in lib.nixosSystem, or similarly remove definitions of the nixpkgs.{system,localSystem,crossSystem} options. Alternatively, you can remove the hostPlatform line and use NixOS like you would in NixOS 22.05 and earlier. PHP now defaults to PHP 8.1, updated from 8.0. PHP is now built NTS (Non-Thread Safe) style by default, for Apache and mod_php usage we still enable ZTS (Zend Thread Safe). This has been a common practice for a long time in other distributions. protonup has been aliased to and replaced by protonup-ng due to upstream not maintaining it. Perl has been updated to 5.36, and its core module HTTP::Tiny was patched to verify SSL/TLS certificates by default. Improved performances of lib.closePropagation which was previously quadratic. This is used in e.g. ghcWithPackages. Please see backward incompatibilities notes below. Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream. OpenSSL now defaults to OpenSSL 3, updated from 1.1.1. An image configuration and generator has been added for Linode images, largely based on the present GCE configuration and image. hardware.nvidia has a new option open that can be used to opt in the opensource version of NVIDIA kernel driver. Note that the driver’s support for GeForce and Workstation GPUs is still alpha quality, see NVIDIA Releases Open-Source GPU Kernel Modules for the official announcement.

appvm, Nix based app VMs. Available as virtualisation.appvm. automatic-timezoned. a Linux daemon to automatically update the system timezone based on location. Available as services.automatic-timezoned. [xray] (https://github.com/XTLS/Xray-core), a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as services.xray. syncstorage-rs, a self-hostable sync server for Firefox. Available as services.firefox-syncserver. dragonflydb, a modern replacement for Redis and Memcached. Available as services.dragonflydb. Komga, a free and open source comics/mangas media server. Available as services.komga. Tandoor Recipes, a self-hosted multi-tenant recipe collection. Available as services.tandoor-recipes. HBase cluster, a distributed, scalable, big data store. Available as services.hadoop.hbase. Please, a Sudo clone written in Rust. Available as security.please Sachet, an SMS alerting tool for the Prometheus Alertmanager. Available as services.prometheus.sachet. infnoise, a hardware True Random Number Generator dongle. Available as services.infnoise. kthxbye, an alert acknowledgement management daemon for Prometheus Alertmanager. Available as services.kthxbye kanata, a tool to improve keyboard comfort and usability with advanced customization. Available as services.kanata. karma, an alert dashboard for Prometheus Alertmanager. Available as services.karma languagetool, a multilingual grammar, style, and spell checker. Available as services.languagetool. OpenRGB, a FOSS tool for controlling RGB lighting. Available as services.hardware.openrgb.enable. Outline, a wiki and knowledge base similar to Notion. Available as services.outline. ntfy.sh, a push notification service. Available as services.ntfy-sh alps, a simple and extensible webmail. Available as services.alps. endlessh, an SSH tarpit. Available as services.endlessh. endlessh-go, an SSH tarpit that exposes Prometheus metrics. Available as services.endlessh-go. Garage, a simple object storage server for geodistributed deployments, alternative to MinIO. Available as services.garage. netbird, a zero configuration VPN. Available as services.netbird. persistent-evdev, a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as services.persistent-evdev. schleuder, a mailing list manager with PGP support. Enable using services.schleuder. Dolibarr, an enterprise resource planning and customer relationship manager. Enable using services.dolibarr. FreshRSS, a free, self-hostable RSS feed aggregator. Available as services.freshrss. expressvpn, the CLI client for ExpressVPN. Available as services.expressvpn. merecat, a small and easy HTTP server based on thttpd. Available as services.merecat go-autoconfig, IMAP/SMTP autodiscover server. Available as services.go-autoconfig. tmate-ssh-server, server side part of tmate. Available as services.tmate-ssh-server. Grafana Tempo, a distributed tracing store. Available as services.tempo. AusweisApp2, the authentication software for the German ID card. Available as programs.ausweisapp. Patroni, a template for PostgreSQL HA with ZooKeeper, etcd or Consul. Available as services.patroni. Prometheus IPMI exporter, an IPMI exporter for Prometheus. Available as services.prometheus.exporters.ipmi. WriteFreely, a simple blogging platform with ActivityPub support. Available as services.writefreely. Listmonk, a self-hosted newsletter manager. Enable using services.listmonk. Uptime Kuma, a fancy self-hosted monitoring tool. Available as services.uptime-kuma. Mepo, a fast, simple, hackable OSM map viewer for mobile and desktop Linux. Available as programs.mepo.enable.

Nixpkgs now requires Nix 2.3 or newer. The isCompatible predicate checking CPU compatibility is no longer exposed by the platform sets generated using lib.systems.elaborate. In most cases you will want to use the new canExecute predicate instead which also considers the kernel / syscall interface. It is briefly described in the release’s highlights section. lib.systems.parse.isCompatible still exists, but has changed semantically: Architectures with differing endianness modes are no longer considered compatible. ngrok has been upgraded from 2.3.40 to 3.0.4. Please see the upgrade guide and changelog. Notably, breaking changes are that the config file format has changed and support for single hypen arguments was dropped. i18n.supportedLocales is now by default only generated with the locales set in i18n.defaultLocale and i18n.extraLocaleSettings. This got partially copied over from the minimal profile and reduces the final system size by up to 200MB. If you require all locales installed set the option to [ "all" ]. Deprecated settings logrotate.paths and logrotate.extraConfig have been removed. Please convert any uses to services.logrotate.settings instead. The isPowerPC predicate, found on platform attrsets (hostPlatform, buildPlatform, targetPlatform, etc) has been removed in order to reduce confusion. The predicate was was defined such that it matches only the 32-bit big-endian members of the POWER/PowerPC family, despite having a name which would imply a broader set of systems. If you were using this predicate, you can replace foo.isPowerPC with (with foo; isPower && is32bit && isBigEndian). The fetchgit fetcher now uses cone mode by default for sparse checkouts. Non-cone mode can be enabled by passing nonConeMode = true, but note that non-cone mode is deprecated and this option may be removed alongside a future Git update without notice. openssh was updated to version 9.1, disabling the generation of DSA keys when using ssh-keygen -A as they are insecure. Also, SetEnv directives in ssh_config and sshd_config are now first-match-wins bsp-layout no longer uses the command cycle to switch to other window layouts, as it got replaced by the commands previous and next. The Barco ClickShare driver/client package pkgs.clickshare-csc1 and the option programs.clickshare-csc1.enable have been removed, as it requires qt4, which reached its end-of-life 2015 and will no longer be supported by nixpkgs. According to Barco many of their base unit models can be used with Google Chrome and the Google Cast extension. services.hbase has been renamed to services.hbase-standalone. For production HBase clusters, use services.hadoop.hbase instead. The p4 package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries p4d, p4broker, and p4p. To install the Helix Core Server binaries, use the p4d package instead. The coq package and versioned variants starting at coq_8_14 no longer include CoqIDE, which is now available through coqPackages.coqide. It is still possible to get CoqIDE as part of the coq package by overriding the buildIde argument of the derivation. PHP 7.4 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 22.11 release. The ipfs package and module were renamed to kubo. The kubo module now uses an RFC42-style settings option instead of extraConfig and the gatewayAddress, apiAddress and swarmAddress options were renamed. Using the old names will print a warning but still work. pkgs.cosign does not provide the cosigned binary anymore. The sget binary has been moved into its own package. Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues. Users who still wish to remain using GTK can do so by using emacs-gtk. riak package removed along with services.riak module, due to lack of maintainer to update the package. ppd files in pkgs.cups-drv-rastertosag-gdi are now gzipped. If you refer to such a ppd file with its path (e.g. via hardware.printers.ensurePrinters) you will need to append .gz to the path. xow package removed along with the hardware.xow module, due to the project being deprecated in favor of xone, which is available via the hardware.xone module. dd-agent package removed along with the services.dd-agent module, due to the project being deprecated in favor of datadog-agent, which is available via the services.datadog-agent module. teleport has been upgraded to major version 10. Please see upstream upgrade instructions and release notes. lib.closePropagation now needs that all gathered sets have an outPath attribute. lemmy module option services.lemmy.settings.database.createLocally moved to services.lemmy.database.createLocally. virtlyst package and services.virtlyst module removed, due to lack of maintainers. The nix.checkConfig option now fully disables the config check. The new nix.checkAllErrors option behaves like nix.checkConfig previously did. generateOptparseApplicativeCompletions and generateOptparseApplicativeCompletion from haskell.lib.compose (and haskell.lib) have been deprecated in favor of generateOptparseApplicativeCompletions (plural!) as provided by the haskell package sets (so haskellPackages.generateOptparseApplicativeCompletions etc.). The latter allows for cross-compilation (by automatically disabling generation of completion in the cross case). For it to work properly you need to make sure that the function comes from the same context as the package you are trying to override, i.e. always use the same package set as your package is coming from or – even better – use self.generateOptparseApplicativeCompletions if you are overriding a haskell package set. The old functions are retained for backwards compatibility, but yield are warning. The services.graphite.api and services.graphite.beacon NixOS options, and the python3.pkgs.graphite_api, python3.pkgs.graphite_beacon and python3.pkgs.influxgraph packages, have been removed due to lack of upstream maintenance. The trace binary from perf-linux package has been removed, due to being a duplicate of the perf binary. The aws package has been removed due to being abandoned by the upstream. It is recommended to use awscli or awscli2 instead. The CEmu TI-84 Plus CE emulator package has been renamed to cemu-ti. The Cemu Wii U emulator is now packaged as cemu. systemd-networkd v250 deprecated, renamed, and moved some sections and settings which leads to the following breaking module changes: systemd.network.networks.<name>.dhcpV6PrefixDelegationConfig is renamed to systemd.network.networks.<name>.dhcpPrefixDelegationConfig. systemd.network.networks.<name>.dhcpV6Config no longer accepts the ForceDHCPv6PDOtherInformation= setting. Please use the WithoutRA= and UseDelegatedPrefix= settings in your systemd.network.networks.<name>.dhcpV6Config and the DHCPv6Client= setting in your systemd.network.networks.<name>.ipv6AcceptRAConfig to control when the DHCPv6 client is started and how the delegated prefixes are handled by the DHCPv6 client. systemd.network.networks.<name>.networkConfig no longer accepts the IPv6Token= setting. Use the Token= setting in your systemd.network.networks.<name>.ipv6AcceptRAConfig instead. The systemd.network.networks.<name>.ipv6Prefixes.*.ipv6PrefixConfig now also accepts the Token= setting. arangodb versions 3.3, 3.4, and 3.5 have been removed because they are at EOL upstream. The default is now 3.10.0. Support for aarch64-linux has been removed since the target cannot be built reproducibly. By default arangodb is now built for the haswell architecture. If you wish to build for a different architecture, you may override the targetArchitecture argument with a value from this list supported upstream. Some architecture specific optimizations are also conditionally enabled. You may alter this behavior by overriding the asmOptimizations parameter. You may also add additional architecture support by adding more -DHAS_XYZ flags to cmakeFlags via overrideAttrs. The meta.mainProgram attribute of packages in wineWowPackages now defaults to "wine64". The paperless module now defaults PAPERLESS_TIME_ZONE to your configured system timezone. The top-level termonad-with-packages alias for termonad has been removed. Linux 4.9 has been removed because it will reach its end of life within the lifespan of 22.11. (Neo)Vim can not be configured with configure.pathogen anymore to reduce maintainance burden. Use configure.packages instead. Neovim can not be configured with plug anymore (still works for vim). The adguardhome module no longer uses host and port options, use settings.bind_host and settings.bind_port instead. The default kops version is now 1.25.1 and support for 1.22 and older has been dropped. The zrepl package has been updated from 0.5.0 to 0.6.0. See the changelog for details. k3s no longer supports docker as runtime due to upstream dropping support. cassandra_2_1 and cassandra_2_2 have been removed. Please update to cassandra_3_11 or cassandra_3_0. See the changelog for more information about the upgrade process. mysql57 has been removed. Please update to mysql80 or mariadb. See the upgrade guide for more information. Consequently, cqrlog and amorok now use mariadb instead of mysql57 for their embedded databases. Running mysql_upgrade may be neccesary. k3s supports clusterInit option, and it is enabled by default, for servers. percona-server56 has been removed. Please migrate to mysql or mariadb if possible. obs-studio hase been updated to version 28. If you have packaged custom plugins, check if they are compatible. obs-websocket has been integrated into obs-studio. signald has been bumped to 0.23.0. For the upgrade, a migration process is necessary. It can be done by running a command like this before starting signald.service: signald -d /var/lib/signald/db \ --database sqlite:/var/lib/signald/db \ --migrate-data For further information, please read the upstream changelogs. stylua no longer accepts lua52Support and luauSupport overrides, use features instead, which defaults to [ "lua54" "luau" ]. ocamlPackages.ocaml_extlib has been renamed to ocamlPackages.extlib. pkgs.fetchNextcloudApp has been rewritten to circumvent impurities in e.g. tarballs from GitHub and to make it easier to apply patches. This means that your hashes are out-of-date and the (previously required) attributes name and version are no longer accepted. The Syncthing service now only allows absolute paths—starting with / or ~/—for services.syncthing.folders.<name>.path. In a future release other paths will be allowed again and interpreted relative to services.syncthing.dataDir. services.github-runner and services.github-runners.<name> gained the option serviceOverrides which allows overriding the systemd serviceConfig. If you have been overriding the systemd service configuration (i.e., by defining systemd.services.github-runner.serviceConfig), you have to use the serviceOverrides option now. Example: services.github-runner.serviceOverrides.SupplementaryGroups = [ "docker" ];

The xplr package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the upstream release notes for more details. Configuring multiple GitHub runners is now possible through services.github-runners.<name>. The option services.github-runner remains. github-runner gained support for ephemeral runners and registrations using a personal access token (PAT) instead of a registration token. See services.github-runner.ephemeral and services.github-runner.tokenFile for details. A new module was added for the Saleae Logic device family, providing the options hardware.saleae-logic.enable and hardware.saleae-logic.package. ZFS module will not allow hibernation by default, this is a safety measure to prevent data loss cases like the ones described at OpenZFS/260 and OpenZFS/12842. Use the boot.zfs.allowHibernation option to configure this behaviour. mastodon now automatically removes remote media attachments older than 30 days. This is configurable through services.mastodon.mediaAutoRemove. The Redis module now disables RDB persistence when services.redis.servers.<name>.save = [] instead of using the Redis default. Neo4j was updated from version 3 to version 4. See this migration guide on how to migrate your Neo4j instance. The networking.wireguard module now can set the mtu on interfaces and tag its packets with an fwmark. The option overrideStrategy was added to the different systemd unit options (systemd.services.<name>, systemd.sockets.<name>, …) to allow enforcing the creation of a dropin file, rather than the main unit file, by setting it to asDropin. This is useful in cases where the existence of the main unit file is not known to Nix at evaluation time, for example when the main unit file is provided by adding a package to systemd.packages. See the fix proposed in NixOS’s systemd abstraction doesn’t work with systemd template units for an example. The polymc package has been removed due to a rogue maintainer. It has been replaced by prismlauncher, a fork by the rest of the maintainers. For more details, see the pull request that made this change and this issue detailing the vulnerability. Users with existing installations should rename ~/.local/share/polymc to ~/.local/share/PrismLauncher. The main config file’s path has also moved from ~/.local/share/polymc/polymc.cfg to ~/.local/share/PrismLauncher/prismlauncher.cfg. The bloat package has been updated from unstable-2022-03-31 to unstable-2022-10-25, which brings a breaking change. See this upstream commit message for details. The services.matrix-synapse systemd unit has been hardened. The services.grafana options were converted to a RFC 0042 configuration. The services.grafana.provision.datasources and services.grafana.provision.dashboards options were converted to a RFC 0042 configuration. They also now support specifying the provisioning YAML file with path option. The services.grafana.provision.alerting option was added. It includes suboptions for every alerting-related objects (with the exception of notifiers), which means it’s now possible to configure modern Grafana alerting declaratively. Matrix Synapse now requires entries in the state_group_edges table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation. The diamond package has been update from 0.8.36 to 2.0.15. See the upstream release notes for more details. The guake package has been updated from 3.6.3 to 3.9.0, see the changelog for more details. dockerTools.buildImage deprecates the misunderstood contents parameter, in favor of copyToRoot. Use copyToRoot = buildEnv { ... }; or similar if you intend to add packages to /bin. memtest86+ was updated from 5.00-coreboot-002 to 6.00-beta2. It is now the upstream version from https://www.memtest.org/, as coreboot’s fork is no longer available. Option descriptions, examples, and defaults writting in DocBook are now deprecated. Using CommonMark is preferred and will become the default in a future release. The documentation.nixos.options.allowDocBook option was added to ease the transition to CommonMark option documentation. Setting this option to false causes an error for every option included in the manual that uses DocBook documentation; it defaults to true to preserve the previous behavior and will be removed once the transition to CommonMark is complete. The redis module now persists each instance’s configuration file in the state directory, in order to support some more advanced use cases like sentinel. The udisks2 service, available at services.udisks2.enable, is now disabled by default. It will automatically be enabled through services and desktop environments as needed. This also means that polkit will now actually be disabled by default. The default for security.polkit.enable was already flipped in the previous release, but udisks2 being enabled by default re-enabled it. Nextcloud has been updated to version 25. Additionally the following things have changed for Nextcloud in NixOS: For Nextcloud >=24, the default PHP version is 8.1. Nextcloud 23 has been removed since it will reach its end of life in December 2022. For system.stateVersion being >=22.11, Nextcloud 25 will be installed by default. For older versions, Nextcloud 24 will be installed. Please ensure that you only upgrade on major release at a time! Nextcloud doesn’t support upgrades across multiple versions, i.e. an upgrade from 23 to 25 is only possible when upgrading to 24 first. Add udev rules for the Teensy family of microcontrollers. The Qt QML disk cache is now disabled by default. This fixes a long-standing issue where updating Qt/KDE apps would sometimes cause them to crash or behave strangely without explanation. Those concerned about the small (~10%) performance hit to application startup can re-enable the cache (and expose themselves to gremlins) by setting the envrionment variable QML_FORCE_DISK_CACHE to 1 using e.g. the environment.sessionVariables NixOS option. systemd-oomd is enabled by default. Depending on which systemd units have ManagedOOMSwap=kill or ManagedOOMMemoryPressure=kill, systemd-oomd will SIGKILL all the processes under the appropriate descendant cgroups when the configured limits are exceeded. NixOS does currently not configure cgroups with oomd by default, this can be enabled using systemd.oomd.enableRootSlice, systemd.oomd.enableSystemSlice, and systemd.oomd.enableUserServices. The tt-rss service performs two database migrations when you first use its web UI after upgrade. Consider backing up its database before updating. The pass-secret-service package now includes systemd units from upstream, so adding it to the NixOS services.dbus.packages option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API. There is a new module for AMD SEV CPU functionality, which grants access to the hardware. The Wordpress module got support for installing language packs through services.wordpress.sites.<site>.languages. The default package for services.mullvad-vpn.package was changed to pkgs.mullvad, allowing cross-platform usage of Mullvad. pkgs.mullvad only contains the Mullvad CLI tool, so users who rely on the Mullvad GUI will want to change it back to pkgs.mullvad-vpn, or add pkgs.mullvad-vpn to their environment. PowerDNS has been updated from 4.6.x to 4.7.x. Please be sure to review the Upgrade Notes provided by upstream before upgrading. Worth specifically noting is that the new Catalog Zones feature comes with a mandatory schema change for the gsql database backends, which has to be manually applied. There is a new module for the thunar program (the Xfce file manager), which depends on the xfconf dbus service, and also has a dbus service and a systemd unit. The option services.xserver.desktopManager.xfce.thunarPlugins has been renamed to programs.thunar.plugins, and in a future release it may be removed. There is a new module for the xfconf program (the Xfce configuration storage system), which has a dbus service. The nomad package now defaults to 1.3, which no longer has a downgrade path to releases 1.2 or older. The nodePackages package set now defaults to the LTS release in the nodejs package again, instead of being pinned to nodejs-14_x. Several updates to node2nix have been made for compatibility with newer Node.js and npm versions and a new postRebuild hook has been added for packages to perform extra build steps before the npm install step prunes dev dependencies. boot.kernel.sysctl is defined as a freeformType and adds a custom merge option for net.core.rmem_max (taking the highest value defined to avoid conflicts between 2 services trying to set that value). The mame package does not ship with its tools anymore in the default output. They were moved to a separate tools output instead. For convenience, mame-tools package was added for those who want to use it. A NixOS module for Firefox has been added which allows preferences and policies to be set. This also allows extensions to be installed via the ExtensionSettings policy. The new options are under programs.firefox. The option services.picom.experimentalBackends was removed since it is now the default and the option will cause picom to quit instead.