NixOS has traditionally enabled the `ext` family of file systems by default. Originally, when switching to systemd initrd, we wanted to transition to making this explicit so that initrds could be made without `ext`. The problem is that anyone with `fsType = "auto";` for an `ext` file system in initrd will fail to boot, which is not really an acceptable regression as we switch to systemd initrd by default. By removing `default = "auto"` from `fsType`, we rule out the vast majority of these regressions as eval errors, since most users of `fsType = "auto"` for ext file systems are using it because of the default value. In hindsight, this is probably what #225352 was really about.
28 KiB
Release 26.05 ("Yarara", 2026.05/??)
Highlights
-
The system.nix file has been added has an alternative entry point to configuration.nix (and flake.nix) that allows to configure NixOS without using
nix-channel. This file must evaluate to a NixOS system derivation or an attribute set of such derivations, in which case the attribute to build has to be selected with the--attroption ofnixos-rebuildornixos-install. For example,# system.nix let # Pinned Nixpkgs archive # # Use `curl -I https://channels.nixos.org/nixos-26.05` to get the # latest commit of the stable channel and `nix-prefetch-url --unpack` # to compute its sha256 hash. nixpkgs = builtins.fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/c217913993d6.tar.gz"; sha256 = "026mprs324330pfazlgbw987qmsa8ligglarvqbcxzig2kgw0lqg"; }; in import "${nixpkgs}/nixos" { # Build NixOS using an external configuration.nix file, # or directly set your options here configuration = ./configuration.nix; }The default location of system.nix is
/etc/nixos/system.nixand can be changed by setting the<nixos-system>search path.nixos-rebuildandnixos-installcan now also load a system.nix file in the current directory (only if--attris used) or from a directory specified with--file. -
The default kernel package has been updated from 6.12 to 6.18. All supported kernels remain available.
New Modules
-
Meshtastic, an open-source, off-grid, decentralised mesh network designed to run on affordable, low-power devices. Available as [services.meshtasticd] (#opt-services.meshtasticd.enable).
-
Goupile, an open-source design tool for secure forms including Clinical Report Forms (eCRF). Available as services.goupile.
-
knot-resolver in version 6. Available as
services.knot-resolver. A module for knot-resolver 5 was already available asservices.kresd. -
ImmichFrame, display your photos from Immich as a digital photo frame. Available as
services.immichframe. -
PdfDing, manage, view and edit your PDFs seamlessly on all your devices wherever you are. Available as services.pdfding.
-
mangowc, a lightweight and feature-rich Wayland compositor based on dwl. Available as programs.mangowc.
-
reaction, a daemon that scans program outputs for repeated patterns, and takes action. A common usage is to scan ssh and webserver logs, and to ban hosts that cause multiple authentication errors. A modern alternative to fail2ban. Available as services.reaction.
-
rqbit, a bittorrent client written in Rust. It has HTTP API and Web UI, and can be used as a library. Available as services.rqbit.
-
Tailscale Serve, configure Tailscale Serve for exposing local services to your tailnet. Available as services.tailscale.serve.
-
qui, a modern alternative webUI for qBittorrent, with multi-instance support. Written in Go/React. Available as services.qui.
-
kiwix-serve, a service that serves ZIM files (such as Wikipedia archives) over HTTP. Available as services.kiwix-serve.
-
Remark42, a self-hosted comment engine. Available as services.remark42.
-
LibreChat, open-source self-hostable ChatGPT clone with Agents and RAG APIs. Available as services.librechat.
-
nohang, a daemon for Linux that prevents out of memory (OOM) situations from affecting system responsiveness. Available as services.nohang
-
bentopdf, a privacy-first PDF toolkit running completely in-browser. Available as services.bentopdf.
-
hyprwhspr-rs, a keybind activated speech-to-text voice dictation utility built for use with Hyprland. Available as
services.hyprwhspr-rs -
DankMaterialShell, a complete desktop shell for Wayland compositors built with Quickshell. Available as programs.dms-shell.
-
pyroscope, a continuous profiling platform. that allows for performance debugging. Available as services.pyroscope
-
dms-greeter, a modern display manager greeter for DankMaterialShell that works with greetd and supports multiple Wayland compositors. Available as services.displayManager.dms-greeter.
-
dsearch, a fast filesystem search service with fuzzy matching. Available as programs.dsearch.
-
Elephant, a data provider service and backend for building custom application launchers. Available as services.elephant.
-
Dunst, a lightweight and customizable notification daemon. Available as services.dunst.
-
cocoon, is a PDS (personal data server) that is a alternative to the bluesky pds. Available as services.cocoon.
-
Ente Auth, an open source 2FA authenticator, with end-to-end encrypted backups. Available as programs.ente-auth.
-
Tinyauth, a simple authentication middleware for web apps, with OAuth and LDAP support. Available as services.tinyauth.
-
Dawarich, a self-hostable location history tracker. Available as services.dawarich.
-
Howdy, a Windows Hello™ style facial authentication program for Linux.
-
linux-enable-ir-emitter, a tool used to set up IR cameras, used with Howdy.
-
udp-over-tcp, a tunnel for proxying UDP traffic over a TCP stream. Available as
services.udp-over-tcp. -
turborepo-remote-cache, an open-source implementation of the Turborepo custom remote cache server. Available as services.turborepo-remote-cache.
-
Komodo Periphery, a multi-server Docker and Git deployment agent by Komodo. Available as services.komodo-periphery.
-
Shoko, an anime management system. Available as services.shoko.
-
perses, the open dashboard tool for Prometheus and other data sources. Available as services.perses.
-
Drasl, an alternative authentication server for Minecraft. Available as services.drasl.
-
tabbyAPI, the official OpenAI compatible API server for Exllama. Available as services.tabbyapi.
-
Tdarr, Audio/Video Library Analytics & Transcode/Remux Automation. Available as services.tdarr
Backward Incompatibilities
-
opentrack,slushload,synthesia,vtfedit,winbox,wineasio, andyabridgeuse wineWow64Packages instead of wineWowPackages as wine versions >= 11.0 have deprecated wineWowPackages. As such, the prefixes for these packages are NOT backwards compatible and need to be regenerated with potential for data loss. -
[]{#sec-release-26.05-incompatibilities-profiles-hardened-removed}
profiles/hardenedhas been removed, because:- It lacks a consistent and transparent baseline or standard,
- It may introduce unexpected breakage or degrade performance without clear benefit,
- It is difficult to manage user expectations, especially since the implications of enabling it are not always obvious,
- and as multiple contributors have noted, it is often more of a “grab bag” of settings than a cohesive security policy.
- See NixOS Hardening wiki page for hardening options.
-
services.crabfitwas removed because its upstream packages are unmaintained and insecure. -
sing-boxhas been updated to 1.13.0, which has removed some deprecated options. See upstream documentation for details and migration options. -
services.statsdhas been removed because the packages it relies on do not exist anymore in nixpkgs. -
services.tandoor-recipesnow uses a sub-directory for media files by default starting with26.05. Existing setups should move media files out of the data directory and adjustservices.tandoor-recipes.extraConfig.MEDIA_ROOTaccordingly. See Migrating media files for pre 26.05 installations. -
rusticwas upgraded to0.11.x, which contains breaking changes to command-line parameters and configuration file. -
The packages
iwandwirelesstools(iwconfig,iwlist, etc.) are no longer installed implicitly if wireless networking has been enabled. -
The
fileSystems.<name>.fsTypeoption no longer has a default value and must be specified by the user. The value"auto"still works as before, though its use is generally discouraged. -
services.uptimehas been removed because the package it relies on does not exist anymore in nixpkgs. -
services.kubernetes.addons.dns.corednshas been renamed toservices.kubernetes.addons.dns.corednsImageand now expects a package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with dockerTools.buildImage is used, instead of pulling the upstream container image from Docker Hub. If you want the old behavior, you can set:
{
services.kubernetes.addons.dns.corednsImage = pkgs.dockerTools.pullImage {
imageName = "coredns/coredns";
imageDigest = "sha256:af8c8d35a5d184b386c4a6d1a012c8b218d40d1376474c7d071bb6c07201f47d";
finalImageTag = "v1.12.2";
hash = "sha256-ZgXEyxVrdskQdgg0ONJ9sboAXEEHTgNsiptk5O945c0=";
};
}
-
services.stalwart-mailhas been renamed toservices.stalwartto align with upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to module:systemd.services.stalwartowned bystalwart:stalwart. Theuserandgroupare configurable viaservices.stalwart.userandservices.stalwart.group, respectively. By default, ifstateVersionis older than26.05, will fallback to legacy value ofstalwart-mailfor bothuserandgroup.- Default value for
services.stalwart.dataDirhas changed to/var/lib/stalwart. IfstateVersionis older than26.05, will fallback to legacy value of/var/lib/stalwart-mail.
-
services.eintopfhas been renamed toservices.lautito align with upstream re-brand as a community online calendar. -
services.oauth2-proxy.clientSecretandservices.oauth2-proxy.cookie.secrethave been replaced withservices.oauth2-proxy.clientSecretFileandservices.oauth2-proxy.cookie.secretFilerespectively. This was done to ensure secrets don't get made world-readable. -
services.grafana.settings.security.secret_keydoesn't have a default value anymore. Please generate your own key or hard-code the old one ("SW2YcwTIb9zpOOhoPsMm") explicitly. See the upstream docs and the instructions on how to rotate for further information.Please do note that there's no official way to rotate. On a single-node instance with the database and the secret-key being on the same filesystem with the same permissions for Grafana only to read it's most likely OK to keep using the old key.
If you need to rotate, a 3rd-party tool,
grafana-secretkey-rotation-toolis a tested option. When using a secret for this value, make sure to use Grafana's variable expansion to inject secrets. -
Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.
-
services.immichno longer supports pgvecto.rs since the package has been removed from nixpkgs. As a result, optionsservices.immich.database.enableVectorsandservices.immich.database.enableVectorchordhave been removed, and VectorChord is now always used. If you have not completed the migration yet, ensure you completely remove the extension from your database before upgrading by following the migration guide. -
services.cgitbefore always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disableservices.cgit.gitHttpBackend.checkExportOkFiles(or disable the git-http-backend). -
rocmPackages_6has been removed.rocmPackageshas been updated to ROCm 7.x. Out of tree packages may rely on obsolete hipblas APIs or compile time constant warp size and need to be updated. -
The Bash implementation of the
nixos-rebuildprogram is removed. All switchable systems now use the Python rewrite. Any prior usage ofsystem.rebuild.enableNgmust now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub. -
services.desktopManager.gnomeno longer installs the Geary e-mail client since it is not part of the GNOME core applications list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, addprograms.geary.enable = true;to your configuration. -
MATE packages have been moved to top level (e.g. if you previously added
pkgs.mate.cajatoenvironment.systemPackages, you will need to change it topkgs.caja). -
walkerhas been updated to 2.0.0+, which is a complete rewrite in rust.It now requires a running
elephantapplication launcher backend service, which can be enabled using the newservices.elephpant.enable.The way keybinds and actions are handled have been completely revamped. Please refer to the default config.
-
services.portunus has been upgraded to 2.2.0, which includes a bug fix that may cause existing databases to be rejected if user accounts are configured with malformed email addresses. Please refer to the upstream release announcement for details and instructions on how to fix problematic database entries.
-
Support for
reiserfsin nixpkgs has been removed, following the removal in Linux 6.13. -
services.torno longer bind mounts Unix sockets of onion services into its chroot because it was not reliable. Users should do it themselves using eitherJoinsNamespaceOf=and Unix sockets in/tmporBindPaths=from a persistent parent directory of each Unix socket. See https://github.com/NixOS/nixpkgs/issues/481673. -
support for
ecryptfsin nixpkgs has been removed. -
programs.lightwas removed from nixpkgs due to the corresponding package being unmaintained upstream.brightnessctlandprograms.acpilightoffer replacements. -
The
networking.wirelessmodule has been security hardened by default: thewpa_supplicantdaemon now runs under an unprivileged user with restricted access to the system.As part of these changes,
/etc/wpa_supplicant.confhas been deprecated: the NixOS-generated configuration file is now linked to/etc/wpa_supplicant/nixos.confand/etc/wpa_supplicant/imperative.confhas been added for imperatively configuringwpa_supplicantor when using allowAuxiliaryImperativeNetworks.If client certificates, keys or other files are needed, these should be stored under
/etc/wpa_supplicantand owned bywpa_supplicantto ensure the daemon can read them.Also, the {option}
networking.wireless.userControlled.groupoption has been removed since there is now a dedicatedwpa_supplicantgroup to control the daemon, and {option}networking.wireless.userControlled.enablehas been renamed to .No functionality should have been impacted by these changes (including controlling via
wpa_cli, integration with NetworkManager or connman), but if you find any problems, please open an issue on GitHub. If necessary, the security hardening can be reverted with .Note for NetworkManager users: before these changes NetworkManager used to spawn its own wpa_supplicant daemon, but now it relies on
networking.wireless. So, if you hadnetworking.wireless.enable = falsein your configuration, you should remove that line. -
kratoshas been updated from 1.3.1 to 25.4.0. Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:- The
migrate sqlCLI command is nowmigrate sql up - OIDC registration validation errors are now placed in the
defaultnode group instead ofoidc - Failed OIDC account linking returns HTTP 400 instead of 200
- The
-
pdnshas been updated to version v5.0.x, which introduces breaking changes. Check out the Upgrade Notes for details. -
In the PowerDNS Recursor module, following the deprecation period started with NixOS 25.05, the option {option}
services.pdns-recursor.old-settingshas been removed and {option}services.pdns-recursor.yaml-settingsconsequently renamed to . -
services.angrrnow uses TOML for configuration. Define policies withservices.angrr.settings(generate TOML file) or point to a file usingservices.angrr.configFile. The legacy optionsservices.angrr.period,services.angrr.ownedOnly, andservices.angrr.removeRoothave been removed. Seeman 5 angrrand the description ofservices.angrr.settingsoptions for examples and details. -
services.homepage-dashboard.environmentFilehas been renamed toservices.homepage-dashboard.environmentFiles, and now expects a list of strings. -
services.pingvin-sharehas been removed as thepingvin-share.backendpackage was broken and the project was archived upstream. -
gephpackage's built-in GUIgeph5-client-guihas been removed by the upstream. All users who wish to continue using the GUI should install thegephgui-wry, which is consistent with the official release version. -
services.jellyseerrhas been renamed toservices.seerrfollowing the upstream changes. Notable breaking changes:- systemd service name changed accordingly.
- Default config directory moved from
/var/lib/jellyseerr/configto/var/lib/seerr/.- If
stateVersionis older than26.05, the module fall backs to the legacy path value.
- If
-
services.vikunjahas been updated to Vikunja v1.0.0, which introduces multiple breaking changes. Notable breaking changes:- CORS is enabled by default. The module now sets
services.vikunja.settings.service.publicurlby default. Custom overrides must ensure it is set or disable CORS, otherwise Vikunja will fail to start. - API route and response changes may affect integrations.
- Configuration format and option changes require review of existing settings (including OpenID provider configuration and metrics/log settings).
- SQLite paths are now relative to
service.rootpathunless absolute. Startup now validates file storage and OAuth providers.
- CORS is enabled by default. The module now sets
-
lunarvimpackage has been removed, as it was abandoned upstream and relied on an old version ofneovimto work properly. -
opengfwpackage andservices.opengfwmodule have been removed as the upstream GitHub repository and website have been shut down.
Other Notable Changes
-
hardware.xpadneo now supports configuring kernel module parameters via a freeform settings option, with convenience options for rumble attenuation and controller quirks.
-
Wine has been updated to the 11.0 branch. Please check the upstream announcement for more details.
-
security.acmenow defaults to a dynamic renewal duration, if security.acme.defaults.validMinDays remains unset. This accomodates certificates with different ACME profile:- For certificates with a total validity at or above 10 days renewal will happen after two thirds of the lifetime has passed (e.g. a certificate valid for 90 days renews once the validity falls below 30 days)
- For shortlived certificates with a total validty below 10 days renewal will happen after half of the total lifetime has passed
-
Cinnamon has been updated to 6.6, please check the upstream announcement for more details.
-
Budgie has been updated to 10.10, please check the upstream announcement for more details.
-
stestrCheckHookwas added: This test hook runsstestr run. You can disable tests withdisabledTestsanddisabledTestsRegex. -
services.frpnow supports multiple instances throughservices.frp.instancesto make it possible to run multiple frp clients or servers at the same time. -
hyphennow supports over 40 language variants throughhyphenDictsand now allows to enable all supported languages throughhyphenDicts.all. -
services.resolved module was converted to RFC42-style settings. The moved options have also been renamed to match the upstream names. Aliases mean current configs will continue to function, but users should move to the new options as convenient.
-
systemd.sleep.extraConfigwas replaced by RFC 0042-compliantsystemd.sleep.settings.Sleep, which is used to generate thesleep.confconfiguration file. See {manpage}sleep.conf.d(5)for available options. -
Support for Bluetooth audio based on
bluez-alsahas been added to thehardware.alsamodule. It can be enabled with the new enableBluetooth option. -
services.opensshnow supports generating host SSH keys by settingservices.openssh.generateHostKeys = truewhile leavingservices.openssh.enabledisabled. This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix. -
IPVLAN interfaces can now be configured through the
networking.ipvlansoption in the networking module. -
services.caddynow supports settinghttpPortandhttpsPortand opening them in the firewall viaopenFirewall. -
The latest available version of Nextcloud is v33 (available as
pkgs.nextcloud33). The installation logic is as follows:- If
services.nextcloud.packageis specified explicitly, this package will be installed (recommended) - If
system.stateVersionis >=26.05,pkgs.nextcloud33will be installed by default. - If
system.stateVersionis >=25.11,pkgs.nextcloud32will be installed by default. nextcloud31is EOL and was thus removed.- Please note that an upgrade from v31 (or older) to v33 directly is not possible. Please upgrade to
nextcloud32(or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaringservices.nextcloud.package = pkgs.nextcloud32;.
- If
-
InvoicePlane with the Caddy webserver (
services.invoiceplane.webserver = "caddy") now sets up sites with Caddy's automatic HTTPS instead of HTTP-only. To keep the old behavior for a siteexample.com, setservices.caddy.virtualHosts."example.com".hostName = "http://example.com". If you set custom Caddy options for a InvoicePlane site, migrate these options by removinghttp://fromservices.caddy.virtualHosts."http://example.com". -
services.slurmnow supports slurmrestd usage through theservices.slurm.restNixOS options. -
The
services.calibre-websystemd service has been hardened with additional sandboxing restrictions. -
services.kanidmoptions for server, client and unix were moved under dedicated namespaces. For each componentenableComponentandcomponentSettingsare nowcomponent.enableandcomponent.settings. The unix module now supports using SSH keys from Kanidm viaservices.kanidm.unix.sshIntegration = true. -
mdbook-linkcheckhas been removed as it is unmaintained and incompatible with the latest version ofmdbook. Users can instead migrate tomdbook-linkcheck2. -
glibchas been updated to version 2.42.This version no longer makes the stack executable when a shared library requires this. A symptom is an error like
cannot enable executable stack as shared object requires: Invalid argument
This is usually a bug. Please consider reporting it to the software maintainers.
In a lot of cases, the library requires the execstack by mistake only. The following workarounds exist:
-
When building the shared library in question from source, use the following linker flags to force turning off the executable flag:
mkDerivation { # … env.NIX_LDFLAGS = "-z,noexecstack"; } -
If the sources are not available, the execstack-flag can be cleared with
patchelf:patchelf --clear-execstack binary-only.so -
If the shared library to be loaded actually requires an executable stack and it isn't turned on by the application loading it, you may force allowing that behavior by setting the following environment variable:
GLIBC_TUNABLES=glibc.rtld.execstack=2Do not set this globally! This makes your setup inherently less secure.
-
-
services.radiclenow supports importing the private key and passphrase as systemd creds.