In addition to numerous new and upgraded packages, this release has the following highlights: Support is planned until the end of December 2021, handing over to 21.11. GNOME desktop environment was upgraded to 3.38, see its release notes. GNURadio 3.8 was finnally packaged, along with a rewrite to the Nix expressions, allowing users to override the features upstream supports selecting to compile or not to. Additionally, the attribute gnuradio and gnuradio3_7 now point to an externally wrapped by default derivations, that allow you to also add `extraPythonPackages` to the Python interpreter used by GNURadio. Missing environmental variables needed for operational GUI were also added (#7547).

The following new services were added since the last release: Keycloak, an open source identity and access management server with support for OpenID Connect, OAUTH 2.0 and SAML 2.0. See the Keycloak section of the NixOS manual for more information. Web Services Dynamic Discovery host daemon

When upgrading from a previous release, please be aware of the following incompatible changes: systemd-journal2gelf no longer parses json and expects the receiving system to handle it. How to achieve this with Graylog is described in this GitHub issue. If the services.dbus module is enabled, then the user D-Bus session is now always socket activated. The associated options services.dbus.socketActivated and services.xserver.startDbusSession have therefore been removed and you will receive a warning if they are present in your configuration. This change makes the user D-Bus session available also for non-graphical logins. The networking.wireless.iwd module now installs the upstream-provided 80-iwd.link file, which sets the NamePolicy= for all wlan devices to "keep kernel", to avoid race conditions between iwd and networkd. If you don't want this, you can set systemd.network.links."80-iwd" = lib.mkForce {}. rubyMinimal was removed due to being unused and unusable. The default ruby interpreter includes JIT support, which makes it reference it's compiler. Since JIT support is probably needed by some Gems, it was decided to enable this feature with all cc references by default, and allow to build a Ruby derivation without references to cc, by setting jitSupport = false; in an overlay. See #90151 for more info. Setting services.openssh.authorizedKeysFiles now also affects which keys security.pam.enableSSHAgentAuth will use. WARNING: If you are using these options in combination do make sure that any key paths you use are present in services.openssh.authorizedKeysFiles! The option fonts.enableFontDir has been renamed to . The path of font directory has also been changed to /run/current-system/sw/share/X11/fonts, for consistency with other X11 resources. A number of options have been renamed in the kicad interface. oceSupport has been renamed to withOCE, withOCCT has been renamed to withOCC, ngspiceSupport has been renamed to withNgspice, and scriptingSupport has been renamed to withScripting. Additionally, kicad/base.nix no longer provides default argument values since these are provided by kicad/default.nix. The socket for the pdns-recursor module was moved from /var/lib/pdns-recursor to /run/pdns-recursor to match upstream. Paperwork was updated to version 2. The on-disk format slightly changed, and it is not possible to downgrade from Paperwork 2 back to Paperwork 1.3. Back your documents up before upgrading. See this thread for more details. PowerDNS has been updated from 4.2.x to 4.3.x. Please be sure to review the Upgrade Notes provided by upstream before upgrading. Worth specifically noting is that the service now runs entirely as a dedicated pdns user, instead of starting as root and dropping privileges, as well as the default socket-dir location changing from /var/lib/powerdns to /run/pdns. xfsprogs was update from 4.19 to 5.10. It now enables reflink support by default on filesystem creation. Support for reflinks was added with an experimental status to kernel 4.9 and deemed stable in kernel 4.16. If you want to be able to mount XFS filesystems created with this release of xfsprogs on kernel releases older than those, you need to format them with mkfs.xfs -m reflink=0. The uWSGI server is now built with POSIX capabilities. As a consequence, root is no longer required in emperor mode and the service defaults to running as the unprivileged uwsgi user. Any additional capability can be added via the new option . The previous behaviour can be restored by setting: = "root"; = "root"; = { uid = "uwsgi"; gid = "uwsgi"; }; Another incompatibility from the previous release is that vassals running under a different user or group need to use immediate-{uid,gid} instead of the usual uid,gid options. btc1 has been abandoned upstream, and removed. cpp_ethereum (aleth) has been abandoned upstream, and removed. riak-cs package removed along with services.riak-cs module. stanchion package removed along with services.stanchion module. mutt has been updated to a new major version (2.x), which comes with some backward incompatible changes that are described in the release notes for Mutt 2.0. vim switched to Python 3, dropping all Python 2 support. boot.zfs.forceImportAll previously did nothing, but has been fixed. However its default has been changed to false to preserve the existing default behaviour. If you have this explicitly set to true, please note that your non-root pools will now be forcibly imported. openafs now points to openafs_1_8, which is the new stable release. OpenAFS 1.6 was removed. MariaDB has been updated to 10.5. Before you upgrade, it would be best to take a backup of your database and read Incompatible Changes Between 10.4 and 10.5. After the upgrade you will need to run mysql_upgrade. The TokuDB storage engine dropped in mariadb 10.5 and removed in mariadb 10.6. It is recommended to switch to RocksDB. See also TokuDB and MDEV-19780: Remove the TokuDB storage engine. The openldap module now has support for OLC-style configuration, users of the configDir option may wish to migrate. If you continue to use configDir, ensure that olcPidFile is set to /run/slapd/slapd.pid. As a result, extraConfig and extraDatabaseConfig are removed. To help with migration, you can convert your slapd.conf file to OLC configuration with the following script (find the location of this configuration file by running systemctl status openldap, it is the -f option. TMPDIR=$(mktemp -d) slaptest -f /path/to/slapd.conf $TMPDIR slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))' This will dump your current configuration in LDIF format, which should be straightforward to convert into Nix settings. This does not show your schema configuration, as this is unnecessarily verbose for users of the default schemas and slaptest is buggy with schemas directly in the config file. Amazon EC2 and OpenStack Compute (nova) images now re-fetch instance meta data and user data from the instance metadata service (IMDS) on each boot. For example: stopping an EC2 instance, changing its user data, and restarting the instance will now cause it to fetch and apply the new user data. Specifically, /etc/ec2-metadata is re-populated on each boot. Some NixOS scripts that read from this directory are guarded to only run if the files they want to manipulate do not already exist, and so will not re-apply their changes if the IMDS response changes. Examples: root's SSH key is only added if /root/.ssh/authorized_keys does not exist, and SSH host keys are only set from user data if they do not exist in /etc/ssh. The rspamd services is now sandboxed. It is run as a dynamic user instead of root, so secrets and other files may have to be moved or their permissions may have to be fixed. The sockets are now located in /run/rspamd instead of /run. Enabling the Tor client no longer silently also enables and configures Privoxy, and the services.tor.client.privoxy.enable option has been removed. To enable Privoxy, and to configure it to use Tor's faster port, use the following configuration: = true; = true; The services.tor module has a new exhaustively typed option following RFC 0042; backward compatibility with old options has been preserved when aliasing was possible. The corresponding systemd service has been hardened, but there is a chance that the service still requires more permissions, so please report any related trouble on the bugtracker. Onion services v3 are now supported in . A new option as been introduced for allowing connections on all the TCP ports configured. The options services.slurm.dbdserver.storagePass and services.slurm.dbdserver.configFile have been removed. Use services.slurm.dbdserver.storagePassFile instead to provide the database password. Extra config options can be given via the option services.slurm.dbdserver.extraConfig. The actual configuration file is created on the fly on startup of the service. This avoids that the password gets exposed in the nix store. The wafHook hook does not wrap Python anymore. Packages depending on wafHook need to include any Python into their nativeBuildInputs. Starting with version 1.7.0, the project formerly named CodiMD is now named HedgeDoc. New installations will no longer use the old name for users, state directories and such, this needs to be considered when moving state to a more recent NixOS installation. Based on , existing installations will continue to work. The fish-foreign-env package has been replaced with fishPlugins.foreign-env, in which the fish functions have been relocated to the vendor_functions.d directory to be loaded automatically. The prometheus json exporter is now managed by the prometheus community. Together with additional features some backwards incompatibilities were introduced. Most importantly the exporter no longer accepts a fixed command-line parameter to specify the URL of the endpoint serving JSON. It now expects this URL to be passed as an URL parameter, when scraping the exporter's /probe endpoint. In the prometheus scrape configuration the scrape target might look like this: http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/endpoint Existing configuration for the exporter needs to be updated, but can partially be re-used. Documentation is available in the upstream repository and a small example for NixOS is available in the corresponding NixOS test. These changes also affect , which is just a preconfigured instance of the json exporter. For more information, take a look at the official documentation of the json_exporter. Androidenv was updated, removing the includeDocs and lldbVersions arguments. Docs only covered a single version of the Android SDK, LLDB is now bundled with the NDK, and both are no longer available to download from the Android package repositories. Additionally, since the package lists have been updated, some older versions of Android packages may not be bundled. If you depend on older versions of Android packages, we recommend overriding the repo. Android packages are now loaded from a repo.json file created by parsing Android repo XML files. The arguments repoJson and repoXmls have been added to allow overriding the built-in androidenv repo.json with your own. Additionally, license files are now written to allow compatibility with Gradle-based tools, and the extraLicenses argument has been added to accept more SDK licenses if your project requires it. See the androidenv documentation for more details. The attribute mpi is now consistently used to provide a default, system-wide MPI implementation. The default implementation is openmpi, which has been used before by all derivations affects by this change. Note that all packages that have used mpi ? null in the input for optional MPI builds, have been changed to the boolean input paramater useMpi to enable building with MPI. Building all packages with mpich instead of the default openmpi can now be achived like this: self: super: { mpi = super.mpich; } The Searx module has been updated with the ability to configure the service declaratively and uWSGI integration. The option services.searx.configFile has been renamed to for consistency with the new . In addition, the searx uid and gid reservations have been removed since they were not necessary: the service is now running with a dynamically allocated uid. The libinput module has been updated with the ability to configure mouse and touchpad settings separately. The options in services.xserver.libinput have been renamed to services.xserver.libinput.touchpad, while there is a new services.xserver.libinput.mouse for mouse related configuration. Since touchpad options no longer apply to all devices, you may want to replicate your touchpad configuration in mouse section. ALSA OSS emulation (sound.enableOSSEmulation) is now disabled by default. Thinkfan as been updated to 1.2.x, which comes with a new YAML based configuration format. For this reason, several NixOS options of the thinkfan module have been changed to non-backward compatible types. In addition, a new option has been added. Please read the thinkfan documentation before updating. Adobe Flash Player support has been dropped from the tree. In particular, the following packages no longer support it: chromium firefox qt48 qt5.qtwebkit Additionally, packages flashplayer and hal-flash were removed along with the services.flashpolicyd module.

stdenv.lib has been deprecated and will break eval in 21.11. Please use pkgs.lib instead. See #108938 for details. The Mailman NixOS module (services.mailman) has a new option , defaulting to true, that controls integration with Postfix. If this option is disabled, default MTA config becomes not set and you should set the options in services.mailman.settings.mta according to the desired configuration as described in Mailman documentation. The default-version of nextcloud is nextcloud20. Please note that it's not possible to upgrade nextcloud across multiple major versions! This means that it's e.g. not possible to upgrade from nextcloud18 to nextcloud20 in a single deploy. The package can be manually upgraded by setting to nextcloud20. The setting defaults to 127.0.0.1 now, making Redis listen on the loopback interface only, and not all public network interfaces. NixOS now emits a deprecation warning if systemd's StartLimitInterval setting is used in a serviceConfig section instead of in a unitConfig; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See #45785 for details. All services should use or StartLimitIntervalSec in instead. The Unbound DNS resolver service (services.unbound) has been refactored to allow reloading, control sockets and to fix startup ordering issues. It is now possible to enable a local UNIX control socket for unbound by setting the option. Previously we just applied a very minimal set of restrictions and trusted unbound to properly drop root privs and capabilities. As of this we are (for the most part) just using the upstream example unit file for unbound. The main difference is that we start unbound as unbound user with the required capabilities instead of letting unbound do the chroot & uid/gid changes. The upstream unit configuration this is based on is a lot stricter with all kinds of permissions then our previous variant. It also came with the default of having the Type set to notify, therefore we are now also using the unbound-with-systemd package here. Unbound will start up, read the configuration files and start listening on the configured ports before systemd will declare the unit active (running). This will likely help with startup order and the occasional race condition during system activation where the DNS service is started but not yet ready to answer queries. Services depending on nss-lookup.target or unbound.service are now be able to use unbound when those targets have been reached. Aditionally to the much stricter runtime environmet the /dev/urandom mount lines we previously had in the code (that would randomly failed during the stop-phase) have been removed as systemd will take care of those for us. The preStart script is now only required if we enabled the trust anchor updates (which are still enabled by default). Another benefit of the refactoring is that we can now issue reloads via either pkill -HUP unbound and systemctl reload unbound to reload the running configuration without taking the daemon offline. A prerequisite of this was that unbound configuration is available on a well known path on the file system. We are using the path /etc/unbound/unbound.conf as that is the default in the CLI tooling which in turn enables us to use unbound-control without passing a custom configuration location. The services.dnscrypt-proxy2 module now takes the upstream's example configuration and updates it with the user's settings. An option has been added to restore the old behaviour if you prefer to declare the configuration from scratch. NixOS now defaults to the unified cgroup hierarchy (cgroupsv2). See the Fedora Article for 31 for details on why this is desirable, and how it impacts containers. If you want to run containers with a runtime that does not yet support cgroupsv2, you can switch back to the old behaviour by setting = false; and rebooting. PulseAudio was upgraded to 14.0, with changes to the handling of default sinks. See its release notes. GNOME users may wish to delete their ~/.config/pulse due to the changes to stream routing logic. See PulseAudio bug 832 for more information. The zookeeper package does not provide zooInspector.sh anymore, as that "contrib" has been dropped from upstream releases. In the ACME module, the data used to build the hash for the account directory has changed to accomodate new features to reduce account rate limit issues. This will trigger new account creation on the first rebuild following this update. No issues are expected to arise from this, thanks to the new account creation handling. now always ensures home directory permissions to be 0700. Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others. The option's description was incorrect regarding ownership management and has been simplified greatly. The GNOME desktop manager once again installs gnome3.epiphany by default. NixOS now generates empty /etc/netgroup. /etc/netgroup defines network-wide groups and may affect to setups using NIS. Platforms, like stdenv.hostPlatform, no longer have a platform attribute. It has been (mostly) flattoned away: platform.gcc is now gcc platform.kernel* is now linux-kernel.* Additionally, platform.kernelArch moved to the top level as linuxArch to match the other *Arch variables. The platform grouping of these things never meant anything, and was just a historial/implementation artifact that was overdue removal. services.restic now uses a dedicated cache directory for every backup defined in services.restic.backups. The old global cache directory, /root/.cache/restic, is now unused and can be removed to free up disk space. isync: The isync compatibility wrapper was removed and the Master/Slave terminology has been deprecated and should be replaced with Far/Near in the configuration file.