rl-2505.section.md

Release 25.05 (“Warbler”, 2025.05/??) {#sec-release-25.05}

Highlights {#sec-release-25.05-highlights}

• This release of Nixpkgs requires macOS Big Sur 11.3 or newer, as announced in the 24.11 release notes. We cannot guarantee that packages will continue to work on older versions of macOS. Future Nixpkgs releases will only support macOS versions supported by Apple; this means that Nixpkgs 25.11 will require macOS Sonoma 14 or newer. Users on old macOS versions should consider upgrading to a supported version (potentially using OpenCore Legacy Patcher for old hardware) or installing NixOS. If neither of those options are viable and you require new versions of software, MacPorts supports versions back to Mac OS X Snow Leopard 10.6.

• The default kernel package has been updated from 6.6 to 6.12. All supported kernels remain available.

• GCC has been updated from GCC 13 to GCC 14. This introduces some backwards‐incompatible changes; see the upstream porting guide for details.

• LLVM has been updated from LLVM 16 (on Darwin) and LLVM 18 (on other platforms) to LLVM 19. This introduces some backwards‐incompatible changes; see the upstream release notes for details.

• The default PHP version has been updated to 8.3.

• The default Erlang OTP version has been updated to 27.

• The default Elixir version has been updated to 1.18.

• buildPythonPackage, buildPythonApplication and the Python building setup hooks now support both __structuredAttrs = true and __structuredAttrs = false.

• services.dex now restarts upon changes to the .environmentFile or entries in .settings.staticClients[].secretFile when the entry is a path type.

• nixos-rebuild-ng, a full rewrite of nixos-rebuild in Python, is available for testing. You can enable it by setting system.rebuild.enableNg in your configuration (this will replace the old nixos-rebuild), or by adding nixos-rebuild-ng to your environment.systemPackages (in this case, it will live side-by-side with nixos-rebuild as nixos-rebuild-ng). It is expected that the next major version of NixOS (25.11) will enable system.rebuild.enableNg by default.

• A nixos-rebuild build-image sub-command has been added. It allows users to build platform-specific (disk) images from their NixOS configurations. nixos-rebuild build-image works similar to the popular nix-community/nixos-generators project. See new section on image building in the nixpkgs manual. It is also available for nixos-rebuild-ng.

• nixos-option has been rewritten to a Nix expression called by a simple bash script. This lowers our maintenance threshold, makes eval errors less verbose, adds support for flake-based configurations, descending into attrsOf and listOf submodule options, and --show-trace.

• The Mattermost module ({option}services.mattermost) and packages (mattermost and mmctl) have been substantially updated:

  • {option}services.mattermost.preferNixConfig now defaults to true if you advance {option}system.stateVersion to 25.05. This means that if you have {option}services.mattermost.mutableConfig set, NixOS will override your settings to those that you define in the module. It is recommended to leave this at the default, even if you used a mutable config before, because it will ensure that your Mattermost data directories are correct. If you moved your data directories, you may want to review the module changes before upgrading.
  • Mattermost telemetry reporting is now disabled by default, though security update notifications are enabled. Look at {option}services.mattermost.telemetry for options to control this behavior.
  • pkgs.mattermostLatest is now an option to track the latest (non-prerelease) Mattermost release. We test upgrade migrations from ESR releases (pkgs.mattermost) to pkgs.mattermostLatest.
  • The Mattermost frontend is now built from source and can be overridden.
    • Note that the Mattermost derivation containing both the webapp and server is now wrapped to allow them to be built independently, so overrides to both webapp and server look like mattermost.overrideAttrs (prev: { webapp = prev.webapp.override { ... }; server = prev.server.override { ... }; }) now.
  • services.mattermost.listenAddress has been split into {option}services.mattermost.host and {option}services.mattermost.port. If your listenAddress contained a port, you will need to edit your configuration.
  • Mattermost now supports peer authentication on both MySQL and Postgres database backends. Updating {option}system.stateVersion to 25.05 or later will result in peer authentication being used by default if the Mattermost server would otherwise be connecting to localhost. This is the recommended configuration.
  • The Mattermost module will produce eval warnings if a database password would end up in the Nix store, and recommend alternatives such as peer authentication or using the environment file.
  • Mattermost's entire test suite is now enabled by default, which will extend build time from sources by up to an hour. A withoutTests passthru has been added in case you want to skip it.
  • We now support mmctl for Mattermost administration if both {option}services.mattermost.socket.enable and {option}services.mattermost.socket.export are set, which export the Mattermost control socket path into the system environment.
  • A new pkgs.mattermost.buildPlugin function has been added, which allows plugins to be built from source, including webapp frontends with a supported package-lock.json. See the Mattermost NixOS test and manual for an example.
  • Note that the Mattermost module will create an account without a well-known UID if the username differs from the default (mattermost). If you used Mattermost with a nonstandard username, you may want to review the module changes before upgrading.

New Modules {#sec-release-25.05-new-modules}

• AmneziaVPN, an open-source VPN client, with a key feature that enables you to deploy your own VPN server on your server. Available as programs.amnezia-vpn.

• Bazecor, the graphical configurator for Dygma Products.

• Bonsai, a general-purpose event mapper/state machine primarily used to create complex key shortcuts, and as part of the SXMO desktop environment. Available as services.bonsaid.

• scanservjs, a web UI for SANE scanners. Available at services.scanservjs.

• Kimai, a web-based multi-user time-tracking application. Available as services.kimai.

• Homer, a very simple static homepage for your server. Available as services.homer.

• Omnom, a webpage bookmarking and snapshotting service. Available as services.omnom.

• Yggdrasil-Jumper is an independent project that aims to transparently reduce latency of a connection over Yggdrasil network, utilizing NAT traversal to automatically bypass intermediary nodes.

• Zenoh, a pub/sub/query protocol with low overhead. The Zenoh router daemon is available as services.zenohd

• ytdl-sub, a tool that downloads media via yt-dlp and prepares it for your favorite media player, including Kodi, Jellyfin, Plex, Emby, and modern music players. Available as services.ytdl-sub.

• MaryTTS, an open-source, multilingual text-to-speech synthesis system written in pure Java. Available as services.marytts.

• networking.modemmanager has been split out of networking.networkmanager. NetworkManager still enables ModemManager by default, but options exist now to run NetworkManager without ModemManager.

• doh-server, a high performance DNS over HTTPS server. Available as services.doh-server.

• ncps, a Nix binary cache proxy service implemented in Go using go-nix. Available as services.ncps.

• Conduwuit, a federated chat server implementing the Matrix protocol, forked from Conduit. Available as services.conduwuit.

• Readeck, a read-it later web-application. Available as services.readeck.

• Traccar, a modern GPS Tracking Platform. Available as services.traccar.

• Schroot, a lightweight virtualisation tool. Securely enter a chroot and run a command or login shell. Available as programs.schroot.

• crab-hole, a cross platform Pi-hole clone written in Rust using hickory-dns/trust-dns. Available as services.crab-hole.

• zwave-js-ui, a full featured Z-Wave Control Panel and MQTT Gateway. Available as services.zwave-js-ui.

• Amazon CloudWatch Agent, the official telemetry collector for AWS CloudWatch and AWS X-Ray. Available as services.amazon-cloudwatch-agent.

• Bat, a {manpage}cat(1) clone with wings. Available as programs.bat.

• Autotier, a passthrough FUSE filesystem. Available as services.autotierfs.

• µStreamer, a lightweight MJPEG-HTTP streamer. Available as services.ustreamer.

• Whoogle Search, a self-hosted, ad-free, privacy-respecting metasearch engine. Available as services.whoogle-search.

• autobrr, a modern download automation tool for torrents and usenets. Available as services.autobrr.

• agorakit, an organization tool for citizens' collectives. Available with services.agorakit.

• vivid, a generator for LS_COLOR. Available as programs.vivid.

• waagent, the Microsoft Azure Linux Agent (waagent) manages Linux provisioning and VM interaction with the Azure Fabric Controller. Available with services.waagent.

• nfc-nci, an alternative NFC stack and PC/SC driver for the NXP PN54x chipset, commonly found in Lenovo systems as NXP1001 (NPC300). Available as hardware.nfc-nci.

• duckdns, free dynamic DNS. Available with services.duckdns

• nostr-rs-relay, This is a nostr relay, written in Rust. Available as services.nostr-rs-relay.

• Prometheus Node Cert Exporter, a prometheus exporter to check for SSL cert expiry. Available under services.prometheus.exporters.node-cert.

• Actual Budget, a local-first personal finance app. Available as services.actual.

• immich-public-proxy, a proxy for sharing Immich albums without exposing the Immich API. Available as services.immich-public-proxy.

• Zipline, a ShareX/file upload server that is easy to use, packed with features, and with an easy setup. Available as services.zipline.

• Stash, An organizer for your adult videos/images, written in Go. Available as services.stash.

• vsmartcard-vpcd, a virtual smart card driver. Available as services.vsmartcard-vpcd.

• Fider, an open platform to collect and prioritize feedback. Available as services.fider.

• PDS, Personal Data Server for bsky. Available as services.pds.

• mqtt-exporter, a Prometheus exporter for exposing messages from MQTT. Available as services.prometheus.exporters.mqtt.

• nvidia-gpu, a Prometheus exporter that scrapes nvidia-smi for GPU metrics. Available as services.prometheus.exporters.nvidia-gpu.

• OpenGamepadUI, an open source gamepad-native game launcher and overlay for Linux. Available as programs.opengamepadui.

• InputPlumber, an open source input router and remapper daemon for Linux. Available as services.inputplumber.

• PowerStation, an open source TDP control and performance daemon with DBus interface for Linux. Available as services.powerstation.

• g3proxy, an open source enterprise forward proxy from ByteDance, similar to Squid or tinyproxy. Available as services.g3proxy.

• echoip, a simple service for looking up your IP address. Available as services.echoip.

• Buffyboard, a framebuffer on-screen keyboard. Available as services.buffyboard.

• KanBoard, a project management tool that focuses on the Kanban methodology. Available as services.kanboard.

• git-worktree-switcher, switch between git worktrees with speed. Available as programs.git-worktree-switcher

• GLPI-Agent, GLPI Agent. Available as services.glpiAgent.

• Recyclarr a TRaSH Guides synchronizer for Sonarr and Radarr. Available as services.recyclarr.

Backward Incompatibilities {#sec-release-25.05-incompatibilities}

• ast-grep remove sg command to prevent conflict with sg command from shadow-utils. If you need legacy sg command compatibility with old code, you can use ast-grep.override { enableLegacySg = true; }

• binwalk was updated to 3.1.0, which has been rewritten in rust. The python module is no longer available. See the release notes of 3.1.0 for more information.

• buildGoModule now passes environment variables via the env attribute. CGO_ENABLED should now be specified with env.CGO_ENABLED when passing to buildGoModule. Direct specification of CGO_ENABLED is now redirected by a compatibility layer with a warning, but will become an error in future releases.

  Go-related environment variables previously shadowed by buildGoModule now results in errors when specified directly. Such variables include GOOS and GOARCH.

  Third-party projects supporting both stable and unstable channels could detect this change through the absence of the CGO_ENABLED function argument in buildGoModule (!((lib.functionArgs buildGoModule) ? CGO_ENABLED)).

• buildGoPackage has been removed. Use buildGoModule instead. See the Go section in the nixpkgs manual for details.

• top-level playwright now refers to the github Microsoft/playwright package instead of the python tester launcher. You can still refer to the python launcher via python3Packages.toPythonApplication python3Packages.playwright

• The representation of the flags attributes as shell/environment variables for most Python building setup hooks are now the same as stdenv.mkDerivation and other build helpers -- they are space-separated environment variables when __structuredAttrs = false and Bash arrays when __structuredAttrs = true, and are concatenated to the command without Bash-evaluation. The following behaviour changes are introduced during the conversion:

  • The following flags are no longer Bash-expanded before concatenated to the command:

    • disabledTests and disabledTestPaths for pytestCheckHook. (disabledTestPaths used to be expanded twice before concatenation.)
    • setupPyBuildFlags and setupPyGlobalFlags for setuptoolsBuildHook.

  • pytestFlags and unittestFlags replace pytestFlagsArray and unittestFlagsArray and become the new and conforming interface.

  • pytestFlagsArray and unittestFlagsArray are kept for compatibility purposes. They continue to be Bash-expanded before concatenated. This compatibility layer will be removed in future releases.

• strawberry has been updated to 1.2, which drops support for the VLC backend and Qt 5. The strawberry-qt5 package and withGstreamer/withVlc override options have been removed due to this.

• ps3-disc-dumper was updated to 4.2.5, which removed the CLI project and now exclusively offers the GUI

• is unset by default, the previous default was sqlite. This was done because sqlite is not a reasonable default since it's not recommended by upstream and thus doesn't qualify as default.

• Nextcloud's default FPM pool settings have been increased according to upstream recommentations. It's advised to review the new defaults and description of .

• The services.locate module does no longer support findutil's locate due to its inferior performance compared to mlocate and plocate. The new default is plocate. As the service.locate.localuser option only applied when using findutil's locate, it has also been removed.

• kmonad is now hardened by default using common systemd settings. If KMonad is used to execute shell commands, hardening may make some of them fail. In that case, you can disable hardening using {option}services.kmonad.keyboards.<name>.enableHardening option.

• asusd has been upgraded to version 6 which supports multiple aura devices. To account for this, the single auraConfig configuration option has been replaced with auraConfigs which is an attribute set of config options per each device. The config files may also be now specified as either source files or text strings; to account for this you will need to specify that text is used for your existing configs, e.g.:

  -services.asusd.asusdConfig = '''file contents'''
  +services.asusd.asusdConfig.text = '''file contents'''

• linuxPackages.nvidiaPackages.stable now defaults to the production variant instead of latest.

• timescaledb requires manual upgrade steps. After you run ALTER EXTENSION, you must run this SQL script. For more details, see the following pull requests #6797. PostgreSQL 13 is no longer supported in TimescaleDB v2.16.

• Support for CUDA 10 has been dropped, as announced in the 24.11 release notes.

• virtualisation/azure-common.nix's filesystem and grub configurations have been moved to virtualisation/azure-image.nix. This makes azure-common.nix more generic so it could be used for users who generate Azure image using other methods (e.g. nixos-generators and disko). For existing users depending on these configurations, please also import azure-image.nix.

• zammad has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the migration guide for how to convert your database to PostgreSQL.

• The earlyoom service is now using upstream systemd service, which enables hardening and filesystem isolation by default. If you need filesystem write access or want to access home directory via killHook, hardening setting can be changed via, e.g. systemd.services.earlyoom.serviceConfig.ProtectSystem.

  services.earlyoom.extraArgs is now shell-escaped for each element without word-breaking. So you want to write extraArgs = [ "--prefer" "spaced pat" ] rather than previous extraArgs = [ "--prefer 'spaced pat'" ].

• nodePackages."@commitlint/config-conventional" has been removed, as it is a library, and projects should depend on it instead.

• nodePackages.vls has been deprecated, as the upstream consumer of it, vetur, has been deprecated by upstream. Upstream suggests migrating to Volar for Vue LSP tooling instead.

• nodePackages.create-react-native-app has been removed, as it is deprecated. Upstream suggests using a framework for React Native apps instead.

• nodePackages.insect has been removed, as it's deprecated by upstream. The suggested replacement is numbat.

• nodePackages.webpack-dev-server has been removed, as it should be installed in projects that use it instead.

• nodePackages.copy-webpack-plugin has been removed, as it should be installed in projects that use it instead.

• himalaya has been updated from v1.0.0-beta.4 to v1.1.0, which introduces breaking changes. Check out the release notes for details.

• linuxPackages.nvidiaPackages.dc_520 has been removed since it is marked broken and there are better newer alternatives.

• pnpm was updated to version 10. If your project is incompatible, you can install the previous version from the package attribute pnpm_9.

• zig_0_9 and zig_0_10 have been removed, you should upgrade to zig_0_13 (also available as just zig), zig_0_12 or zig_0_11 instead.

• programs.less.lessopen is now null by default. To restore the previous behaviour, set it to ''|${lib.getExe' pkgs.lesspipe "lesspipe.sh"} %s''.

• hardware.pulseaudio has been renamed to services.pulseaudio. The deprecated option names will continue to work, but causes a warning.

• minetest has been renamed to luanti to match the upstream name change but aliases have been added. The new name hasn't resulted in many changes as of yet but older references to minetest should be sunset. See the new name announcement for more details.

• poac has been renamed to cabinpkg to match the upstream name change but an alias has been added. See the new name announcement for more details.

• serious-sans has been removed because upstream changed its name to Serious Shanns, which is not currently packaged.

• racket_7_9 has been removed, as it is insecure. It is recommended to use Racket 8 instead.

• services.mongodb.initialRootPassword has been replaced with the more secure option services.mongodb.initialRootPasswordFile

• rofi has been updated from 1.7.5 to 1.7.6 which introduces some breaking changes to binary plugins, and also contains a lot of new features and bug fixes. This is highlighted because the patch version bump does not indicate the volume of changes by itself. See the upstream release notes for the full list of changes.

• ente-auth now uses the name enteauth for its binary. The previous name was ente_auth.

• foundationdb was upgraded to 7.3.

• fluxus has been removed, as it depends on racket_7_9 and had no updates in 9 years.

• sm64ex-coop has been removed as it was archived upstream. Consider migrating to sm64coopdx.

• tldr now uses tldr-python-client instead of tldr-c-client which is unmaintained.

• services.bird2 has been renamed to services.bird and the default bird package has been switched to bird3. bird2 can still be choosen via the services.bird.package option.

• renovate was updated to v39. See the upstream release notes for breaking changes. Like upstream's docker images, renovate now runs on NodeJS 22.

• The behavior of the networking.nat.externalIP and networking.nat.externalIPv6 options has been changed. networking.nat.forwardPorts now only forwards packets destined for the specified IP addresses.

• python3Packages.bpycv has been removed due to being incompatible with Blender 4 and unmaintained.

• python3Packages.jaeger-client was removed because it was deprecated upstream. OpenTelemetry is the recommended replacement.

• nodePackages.meshcommander has been removed, as the package was deprecated by Intel.

• The default version of z3 has been updated from 4.8 to 4.13. There are still a few packages that need specific older versions; those will continue to be maintained as long as other packages depend on them but may be removed in the future.

• prometheus has been updated from 2.55.0 to 3.1.0. Read the release blog post and migration guide.

• kanata was updated to v1.8.0, which introduces several breaking changes. See the release notes of v1.7.0 and v1.8.0 for more information.

• ags was updated to v2, which is just a CLI for Astal now. Components are available as a different package set astal.*. If you want to use v1, it is available as ags_1 package.

  See the release notes of v2.0.0 for more information.

• nodePackages.expo-cli has been removed, as it was deprecated by upstream. The suggested replacement is the npx expo command.

• DokuWiki with the Caddy webserver (services.dokuwiki.webserver = "caddy") now sets up sites with Caddy's automatic HTTPS instead of HTTP-only. To keep the old behavior for a site example.com, set services.caddy.virtualHosts."example.com".hostName = "http://example.com". If you set custom Caddy options for a DokuWiki site, migrate these options by removing http:// from services.caddy.virtualHosts."http://example.com".

• open-policy-agent has has been updated to 1.0.0+. This major release makes the rego.v1 syntax the default. This is a breaking change for those using v0 Rego. See the upgrade documentation for more details. For those unable to upgrade yet, there is a v0 compatibility mode available too.

• vscode-utils.buildVscodeExtension now requires pname as an argument

• The behavior of services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers was changed to not include CCMP-256 anymore. Since all configured pairwise ciphers have to be supported by the radio, this caused startup failures on many devices which is hard to debug in hostapd.

• nerdfonts has been separated into individual font packages under the namespace nerd-fonts. The directories for font files have changed from $out/share/fonts/{opentype,truetype}/NerdFonts to $out/share/fonts/{opentype,truetype}/NerdFonts/<fontDirName>, where <fontDirName> can be found in the official website as the titles in preview images, with the "Nerd Font" suffix and any whitespaces trimmed. Configuration changes are required, see build output.

• retroarch has been refactored and the older retroarch.override { cores = [ ... ]; } to create a RetroArch derivation with custom cores doesn't work anymore, use retroarch.withCores (cores: [ ... ]) instead. If you need more customization (e.g.: custom settings), use wrapRetroArch instead.

• gkraken software and hardware.gkraken.enable option have been removed, use coolercontrol via programs.coolercontrol.enable option instead.

• To avoid delaying user logins unnecessarily the multi-user.target is no longer ordered after network-online.target. System services requiring a connection to start correctly must explicitly state so, i.e.

  systemd.services.<name> = {
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
  };

  This changed follows a deprecation period of one year started in NixOS 24.05 (see PR #283818).

• The values of services.borgbackup.jobs.*.extraArgs and other extra*Args options are now represented as Bash arrays. If these arguments were modified using services.borgbackup.jobs.*.preHook, they will need to be adjusted to append to these arrays, i.e.

  -extraCreateArgs="$extraCreateArgs --exclude /some/path"
  +extraCreateArgs+=("--exclude" "/some/path")

• borgmatic has been updated from 1.8.14 to 1.9.5, please check the upstream changelog for more details, especially for a few possibly breaking changes noted in the 1.9.0 changelog.

• programs.xonsh.package now gets overrided internally with extraPackages to support programs.xonsh.extraPackages. See programs.xonsh.extraPackages for more details.

• nodePackages.ganache has been removed, as the package has been deprecated by upstream.

• virtualisation.azure.agent option provided by azure-agent.nix is replaced by services.waagent, and will be removed in a future release.

• matomo now defaults to version 5 (previously available as matomo_5). Version 4 has been removed as it reached EOL on December 19, 2024.

• matomo-beta has been removed as the version of the matomo package can now be easily overriden through overrideAttrs (see PR #374022)

• docker_24 has been removed, as it was EOL with vulnerabilites since June 08, 2024.

• containerd has been updated to v2, which contains breaking changes. See the containerd 2.0 documentation for more details.

• The ZFS import service now respects fileSystems.*.options = [ "noauto" ]; and does not add that pool's import service to zfs-import.target, meaning it will not be automatically imported at boot.

• nodePackages.stackdriver-statsd-backend has been removed, as the StackDriver service has been discontinued by Google, and therefore the package no longer works.

• python3Packages.opentracing has been removed due to being unmaintained upstream. OpenTelemetry is the recommended replacement.

• Default file names of images generated by several builders in system.build have been changed as outlined in the table below.

  Names are now known at evaluation time and customizable via the new options image.baseName, image.extension, image.fileName and image.filePath with the latter returning a path relative to the derivations out path (e.g. iso/${image.fileName for iso images).

  | system.build Option | Old Filename | New Filename | |--------------------------+------------------------------------------------------------+-----------------------------------------------------------------| | amazonImage | nixos-amazon-image-25.05pre-git-x86_64-linux.vhd | nixos-image-amazon-25.05pre-git-x86_64-linux.vhd | | azureImage | disk.vhd | nixos-image-azure-25.05pre-git-x86_64-linux.vhd | | digitalOceanImage | nixos.qcow2.gz | nixos-image-digital-ocean-25.05pre-git-x86_64-linux.qcow2.gz | | googleComputeImage | nixos-image-25.05pre-git-x86_64-linux.raw.tar.gz | nixos-image-google-compute-25.05pre-git-x86_64-linux.raw.tar.gz | | hypervImage | nixos-25.05pre-git-x86_64-linux.vhdx | nixos-image-hyperv-25.05pre-git-x86_64-linux.vhdx | | isoImage (installer) | nixos-25.05pre-git-x86_64-linux.iso | nixos-image-25.05pre-git-x86_64-linux.iso | | isoImage | nixos.iso | nixos-image-25.05pre-git-x86_64-linux.iso | | kubevirtImage | nixos.qcow2 | nixos-image-kubevirt-25.05pre-git-x86_64-linux.qcow2 | | linodeImage | nixos-image-25.05pre-git-x86_64-linux.img.gz | nixos-image-linode-25.05pre-git-x86_64-linux.img.gz | | metadata (lxc-container) | nixos-system-x86_64-linux.tar.xz | nixos-image-lxc-metadata-25.05pre-git-x86_64-linux.tar.xz | | OCIImage | nixos.qcow2 | nixos-image-oci-25.05pre-git-x86_64-linux.qcow2 | | openstackImage (zfs) | nixos-openstack-image-25.05pre-git-x86_64-linux.root.qcow2 | nixos-image-openstack-zfs-25.05pre-git-x86_64-linux.root.qcow2 | | openstackImage | nixos.qcow2 | nixos-image-openstack-25.05pre-git-x86_64-linux.qcow2 | | sdImage | nixos-sd-image-25.05pre-git-x86_64-linux.img.zst | nixos-image-sd-card-25.05pre-git-x86_64-linux.img.zst | | tarball (lxc-container) | nixos-system-x86_64-linux.tar.xz | nixos-image-lxc-25.05pre-git-x86_64-linux.tar.xz | | tarball (proxmox-lxc) | nixos-system-x86_64-linux.tar.xz | nixos-image-lxc-proxmox-25.05pre-git-x86_64-linux.tar.xz | | vagrantVirtualbox | nixos-25.05pre-git-x86_64-linux.ova | nixos-image-virtualbox-25.05pre-git-x86_64-linux.ova | | virtualBoxOVA | virtualbox-vagrant.box | nixos-image-vagrant-virtualbox-25.05pre-git-x86_64-linux.ova | | vmwareImage | nixos-25.05pre-git-x86_64-linux.vmdk | nixos-image-vmware-25.05pre-git-x86_64-linux.vmdk |

• security.apparmor.policies.<name>.enforce and security.apparmor.policies.<name>.enable were removed. Configuring the state of apparmor policies must now be done using security.apparmor.policies.<name>.state tristate option.

• the notmuch vim plugin now lives in a separate output of the notmuch package. Installing notmuch will not bring the notmuch vim package anymore, add vimPlugins.notmuch-vim to your (Neo)vim configuration if you want the vim plugin.

• prisma and prisma-engines have been updated to version 6.3.0, which introduces several breaking changes. See the Prisma ORM upgrade guide for more information.

• nq was updated to 1.0, which renames the fq and tq utilities to nqtail and nqterm respectively.

• zf was updated to 0.10.2, which includes breaking changes from the 0.10.0 release. zf no longer does Unicode normalization of the input and no longer supports terminal escape sequences in the ZF_PROMPT environment variable.

• programs.clash-verge.tunMode was deprecated and removed because now service mode is neccessary to start program. Without programs.clash-verge.enable, clash-verge-rev will refuse to start.

• siduck76-st has been renamed to st-snazzy, like the project's flake.

• python3Packages.jax now directly depends on python3Packages.jaxlib. As a result, packages that depend on jax no longer need to include jaxlib to their dependencies. There is also a breaking change in the handling of CUDA. Instead of using a CUDA compatible jaxlib as before, you can use plugins like python3Packages.jax-cuda12-plugin.

• services.netbird.tunnels was renamed to services.netbird.clients, hardened (using dedicated less-privileged users) and significantly extended.

Other Notable Changes {#sec-release-25.05-notable-changes}

• Cinnamon has been updated to 6.4, please check the upstream announcement for more details.

  • Following changes in Mint 22 we are no longer overriding Qt application styles. You can still restore the previous default with qt.style = "gtk2" and qt.platformTheme = "gtk2".
  • Following changes in Mint 20 we are replacing xplayer with celluloid since xplayer is no longer maintained.

• Pantheon has been updated to 8, please check the upstream announcement for more details.

  • Same as elementary OS, the X11 session is named "Classic Session" and the Wayland session is named "Secure Session".
  • The dock has been rewritten, you need to manually migrate the dock items on update. You can check ~/.config/plank/dock1/launchers/ for your previous settings.

• Xfce has been updated to 4.20, please check the upstream feature tour for more details.

  • Wayland session is still experimental and requires opt-in using enableWaylandSession option.
  • Overriding Wayland compositor is possible using enableWaylandSession option, but you might need to take care xfce4-session, dbus-update-activation-environment and systemctl --user import-environment on startup.
  • For new Xfce installations, default panel layout has changed to not include external panel plugins by default. You can still add them yourself using the "Panel Preferences" dialog.

• system.stateVersion is now validated and must be in the "YY.MM" format, ideally corresponding to a prior NixOS release.

• GOverlay has been updated to 1.2, please check the upstream changelog for more details.

• services.mongodb is now compatible with the mongodb-ce binary package. To make use of it, set services.mongodb.package to pkgs.mongodb-ce.

• services.jupyter is now compatible with Jupyter Notebook 7. See the migration guide for details.

• networking.wireguard now has an optional networkd backend. It is enabled by default when networking.useNetworkd is enabled, and it can be enabled alongside scripted networking with networking.wireguard.useNetworkd. Some networking.wireguard options have slightly different behavior with the networkd and script-based backends, documented in each option.

• services.rss-bridge now has a package option as well as support for caddy as reverse proxy.

• services.avahi.ipv6 now defaults to true.

• The Home Assistant module has new options {option}services.home-assistant.blueprints.automation, services.home-assistant.blueprints.script, and {option}services.home-assistant.blueprints.template that allow for the declarative installation of blueprints into the appropriate configuration directories.

• For matrix homeserver Synapse we are now following the upstream recommendation to enable jemalloc as the memory allocator by default.

• services.kmonad now creates a determinate symlink (in /dev/input/by-id/) to each of KMonad virtual devices.

• bind.cacheNetworks now only controls access for recursive queries, where it previously controlled access for all queries.

• services.mongodb.enableAuth now uses the newer mongosh shell instead of the legacy shell to configure the initial superuser. You can configure the mongosh package to use through the services.mongodb.mongoshPackage option.

• The paperless module now has an option for regular automatic export of documents data using the integrated document exporter.

• New options for the declarative configuration of the user space part of ALSA have been introduced under hardware.alsa, including setting the default capture and playback device, defining sound card aliases and volume controls. Note: these are intended for users not running a sound server like PulseAudio or PipeWire, but having ALSA as their only sound system.

• Caddy can now be built with plugins by using caddy.withPlugins, a passthru function that accepts an attribute set as a parameter. The plugins argument represents a list of Caddy plugins, with each Caddy plugin being a versioned module. The hash argument represents the vendorHash of the resulting Caddy source code with the plugins added.

  Example:

  services.caddy = {
    enable = true;
    package = pkgs.caddy.withPlugins {
      plugins = [
        # tagged upstream
        "github.com/caddy-dns/[email protected]"
        # pseudo-version number generated by Go
        "github.com/caddy-dns/[email protected]"
        "github.com/mholt/[email protected]"
      ];
      hash = "sha256-wqXSd1Ep9TVpQi570TTb96LwzNYvWL5EBJXMJfYWCAk=";
    };
  };

  To get the necessary hash of the vendored dependencies, omit hash. The build will fail and tell you the correct value.

  Note that all provided plugins must have versions/tags (string after @), even if upstream repo does not tag each release. For untagged plugins, you can either create an empty Go project and run go get <plugin> and see changes in go.mod to get the pseudo-version number, or provide a commit hash in place of version/tag for the first run, and update the plugin string based on the error output.

• KDE Partition Manager partitionmanager's support for ReiserFS is removed. ReiserFS has not been actively maintained for many years. It has been marked as obsolete since Linux 6.6, and is removed in Linux 6.13.

• programs.fzf.keybindings now supports the fish shell.

• gerbera now has wavpack support.

• ddclient was updated from 3.11.2 to 4.0.0 Release notes

../release-notes-nixpkgs/rl-2505.section.md