nixpkgs/nixos/doc/manual/release-notes/rl-2605.section.md
Will Fancher f8ed5f30c0 nixos/filesystems: Remove default = "auto" from fsType
NixOS has traditionally enabled the `ext` family of file systems by
default. Originally, when switching to systemd initrd, we wanted to
transition to making this explicit so that initrds could be made
without `ext`. The problem is that anyone with `fsType = "auto";` for
an `ext` file system in initrd will fail to boot, which is not really
an acceptable regression as we switch to systemd initrd by default.

By removing `default = "auto"` from `fsType`, we rule out the vast
majority of these regressions as eval errors, since most users of
`fsType = "auto"` for ext file systems are using it because of the
default value.

In hindsight, this is probably what #225352 was really about.
2026-04-05 19:06:28 -04:00

28 KiB

Release 26.05 ("Yarara", 2026.05/??)

Highlights

  • The system.nix file has been added has an alternative entry point to configuration.nix (and flake.nix) that allows to configure NixOS without using nix-channel. This file must evaluate to a NixOS system derivation or an attribute set of such derivations, in which case the attribute to build has to be selected with the --attr option of nixos-rebuild or nixos-install. For example,

    # system.nix
    let
      # Pinned Nixpkgs archive
      #
      # Use `curl -I https://channels.nixos.org/nixos-26.05` to get the
      # latest commit of the stable channel and `nix-prefetch-url --unpack`
      # to compute its sha256 hash.
      nixpkgs = builtins.fetchTarball {
        url = "https://github.com/NixOS/nixpkgs/archive/c217913993d6.tar.gz";
        sha256 = "026mprs324330pfazlgbw987qmsa8ligglarvqbcxzig2kgw0lqg";
      };
    in
    import "${nixpkgs}/nixos" {
      # Build NixOS using an external configuration.nix file,
      # or directly set your options here
      configuration = ./configuration.nix;
    }
    

    The default location of system.nix is /etc/nixos/system.nix and can be changed by setting the <nixos-system> search path. nixos-rebuild and nixos-install can now also load a system.nix file in the current directory (only if --attr is used) or from a directory specified with --file.

  • The default kernel package has been updated from 6.12 to 6.18. All supported kernels remain available.

New Modules

Backward Incompatibilities

  • opentrack, slushload, synthesia, vtfedit, winbox, wineasio, and yabridge use wineWow64Packages instead of wineWowPackages as wine versions >= 11.0 have deprecated wineWowPackages. As such, the prefixes for these packages are NOT backwards compatible and need to be regenerated with potential for data loss.

  • []{#sec-release-26.05-incompatibilities-profiles-hardened-removed} profiles/hardened has been removed, because:

    • It lacks a consistent and transparent baseline or standard,
    • It may introduce unexpected breakage or degrade performance without clear benefit,
    • It is difficult to manage user expectations, especially since the implications of enabling it are not always obvious,
    • and as multiple contributors have noted, it is often more of a “grab bag” of settings than a cohesive security policy.
    • See NixOS Hardening wiki page for hardening options.
  • services.crabfit was removed because its upstream packages are unmaintained and insecure.

  • sing-box has been updated to 1.13.0, which has removed some deprecated options. See upstream documentation for details and migration options.

  • services.statsd has been removed because the packages it relies on do not exist anymore in nixpkgs.

  • services.tandoor-recipes now uses a sub-directory for media files by default starting with 26.05. Existing setups should move media files out of the data directory and adjust services.tandoor-recipes.extraConfig.MEDIA_ROOT accordingly. See Migrating media files for pre 26.05 installations.

  • rustic was upgraded to 0.11.x, which contains breaking changes to command-line parameters and configuration file.

  • The packages iw and wirelesstools (iwconfig, iwlist, etc.) are no longer installed implicitly if wireless networking has been enabled.

  • The fileSystems.<name>.fsType option no longer has a default value and must be specified by the user. The value "auto" still works as before, though its use is generally discouraged.

  • services.uptime has been removed because the package it relies on does not exist anymore in nixpkgs.

  • services.kubernetes.addons.dns.coredns has been renamed to services.kubernetes.addons.dns.corednsImage and now expects a package instead of attrs. Now, by default, nixpkgs.coredns in conjunction with dockerTools.buildImage is used, instead of pulling the upstream container image from Docker Hub. If you want the old behavior, you can set:

{
  services.kubernetes.addons.dns.corednsImage = pkgs.dockerTools.pullImage {
    imageName = "coredns/coredns";
    imageDigest = "sha256:af8c8d35a5d184b386c4a6d1a012c8b218d40d1376474c7d071bb6c07201f47d";
    finalImageTag = "v1.12.2";
    hash = "sha256-ZgXEyxVrdskQdgg0ONJ9sboAXEEHTgNsiptk5O945c0=";
  };
}
  • services.stalwart-mail has been renamed to services.stalwart to align with upstream re-brand as an e-mail and collaboration server. Other notable breaking changes to module:

    • systemd.services.stalwart owned by stalwart:stalwart. The user and group are configurable via services.stalwart.user and services.stalwart.group, respectively. By default, if stateVersion is older than 26.05, will fallback to legacy value of stalwart-mail for both user and group.
    • Default value for services.stalwart.dataDir has changed to /var/lib/stalwart. If stateVersion is older than 26.05, will fallback to legacy value of /var/lib/stalwart-mail.
  • services.eintopf has been renamed to services.lauti to align with upstream re-brand as a community online calendar.

  • services.oauth2-proxy.clientSecret and services.oauth2-proxy.cookie.secret have been replaced with services.oauth2-proxy.clientSecretFile and services.oauth2-proxy.cookie.secretFile respectively. This was done to ensure secrets don't get made world-readable.

  • services.grafana.settings.security.secret_key doesn't have a default value anymore. Please generate your own key or hard-code the old one ("SW2YcwTIb9zpOOhoPsMm") explicitly. See the upstream docs and the instructions on how to rotate for further information.

    Please do note that there's no official way to rotate. On a single-node instance with the database and the secret-key being on the same filesystem with the same permissions for Grafana only to read it's most likely OK to keep using the old key.

    If you need to rotate, a 3rd-party tool, grafana-secretkey-rotation-tool is a tested option. When using a secret for this value, make sure to use Grafana's variable expansion to inject secrets.

  • Ethercalc and its associated module have been removed, as the package is unmaintained and cannot be installed from source with npm now.

  • services.immich no longer supports pgvecto.rs since the package has been removed from nixpkgs. As a result, options services.immich.database.enableVectors and services.immich.database.enableVectorchord have been removed, and VectorChord is now always used. If you have not completed the migration yet, ensure you completely remove the extension from your database before upgrading by following the migration guide.

  • services.cgit before always had the git-http-backend and its "export all" setting enabled, which sidestepped any access control configured in cgit's settings. Now you have to make a decision and either enable or disable services.cgit.gitHttpBackend.checkExportOkFiles (or disable the git-http-backend).

  • rocmPackages_6 has been removed. rocmPackages has been updated to ROCm 7.x. Out of tree packages may rely on obsolete hipblas APIs or compile time constant warp size and need to be updated.

  • The Bash implementation of the nixos-rebuild program is removed. All switchable systems now use the Python rewrite. Any prior usage of system.rebuild.enableNg must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.

  • services.desktopManager.gnome no longer installs the Geary e-mail client since it is not part of the GNOME core applications list. Geary's position in the default favorite apps section has been replaced by GNOME Text Editor. To keep it installed, add programs.geary.enable = true; to your configuration.

  • MATE packages have been moved to top level (e.g. if you previously added pkgs.mate.caja to environment.systemPackages, you will need to change it to pkgs.caja).

  • walker has been updated to 2.0.0+, which is a complete rewrite in rust.

    It now requires a running elephant application launcher backend service, which can be enabled using the new services.elephpant.enable.

    The way keybinds and actions are handled have been completely revamped. Please refer to the default config.

  • services.portunus has been upgraded to 2.2.0, which includes a bug fix that may cause existing databases to be rejected if user accounts are configured with malformed email addresses. Please refer to the upstream release announcement for details and instructions on how to fix problematic database entries.

  • Support for reiserfs in nixpkgs has been removed, following the removal in Linux 6.13.

  • services.tor no longer bind mounts Unix sockets of onion services into its chroot because it was not reliable. Users should do it themselves using either JoinsNamespaceOf= and Unix sockets in /tmp or BindPaths= from a persistent parent directory of each Unix socket. See https://github.com/NixOS/nixpkgs/issues/481673.

  • support for ecryptfs in nixpkgs has been removed.

  • programs.light was removed from nixpkgs due to the corresponding package being unmaintained upstream. brightnessctl and programs.acpilight offer replacements.

  • The networking.wireless module has been security hardened by default: the wpa_supplicant daemon now runs under an unprivileged user with restricted access to the system.

    As part of these changes, /etc/wpa_supplicant.conf has been deprecated: the NixOS-generated configuration file is now linked to /etc/wpa_supplicant/nixos.conf and /etc/wpa_supplicant/imperative.conf has been added for imperatively configuring wpa_supplicant or when using allowAuxiliaryImperativeNetworks.

    If client certificates, keys or other files are needed, these should be stored under /etc/wpa_supplicant and owned by wpa_supplicant to ensure the daemon can read them.

    Also, the {option}networking.wireless.userControlled.group option has been removed since there is now a dedicated wpa_supplicant group to control the daemon, and {option}networking.wireless.userControlled.enable has been renamed to .

    No functionality should have been impacted by these changes (including controlling via wpa_cli, integration with NetworkManager or connman), but if you find any problems, please open an issue on GitHub. If necessary, the security hardening can be reverted with .

    Note for NetworkManager users: before these changes NetworkManager used to spawn its own wpa_supplicant daemon, but now it relies on networking.wireless. So, if you had networking.wireless.enable = false in your configuration, you should remove that line.

  • kratos has been updated from 1.3.1 to 25.4.0. Upstream switched to a new versioning scheme (year.major.minor). Notable breaking changes:

    • The migrate sql CLI command is now migrate sql up
    • OIDC registration validation errors are now placed in the default node group instead of oidc
    • Failed OIDC account linking returns HTTP 400 instead of 200
  • pdns has been updated to version v5.0.x, which introduces breaking changes. Check out the Upgrade Notes for details.

  • In the PowerDNS Recursor module, following the deprecation period started with NixOS 25.05, the option {option}services.pdns-recursor.old-settings has been removed and {option}services.pdns-recursor.yaml-settings consequently renamed to .

  • services.angrr now uses TOML for configuration. Define policies with services.angrr.settings (generate TOML file) or point to a file using services.angrr.configFile. The legacy options services.angrr.period, services.angrr.ownedOnly, and services.angrr.removeRoot have been removed. See man 5 angrr and the description of services.angrr.settings options for examples and details.

  • services.homepage-dashboard.environmentFile has been renamed to services.homepage-dashboard.environmentFiles, and now expects a list of strings.

  • services.pingvin-share has been removed as the pingvin-share.backend package was broken and the project was archived upstream.

  • geph package's built-in GUI geph5-client-gui has been removed by the upstream. All users who wish to continue using the GUI should install the gephgui-wry, which is consistent with the official release version.

  • services.jellyseerr has been renamed to services.seerr following the upstream changes. Notable breaking changes:

    • systemd service name changed accordingly.
    • Default config directory moved from /var/lib/jellyseerr/config to /var/lib/seerr/.
      • If stateVersion is older than 26.05, the module fall backs to the legacy path value.
  • services.vikunja has been updated to Vikunja v1.0.0, which introduces multiple breaking changes. Notable breaking changes:

    • CORS is enabled by default. The module now sets services.vikunja.settings.service.publicurl by default. Custom overrides must ensure it is set or disable CORS, otherwise Vikunja will fail to start.
    • API route and response changes may affect integrations.
    • Configuration format and option changes require review of existing settings (including OpenID provider configuration and metrics/log settings).
    • SQLite paths are now relative to service.rootpath unless absolute. Startup now validates file storage and OAuth providers.
  • lunarvim package has been removed, as it was abandoned upstream and relied on an old version of neovim to work properly.

  • opengfw package and services.opengfw module have been removed as the upstream GitHub repository and website have been shut down.

Other Notable Changes

  • hardware.xpadneo now supports configuring kernel module parameters via a freeform settings option, with convenience options for rumble attenuation and controller quirks.

  • Wine has been updated to the 11.0 branch. Please check the upstream announcement for more details.

  • security.acme now defaults to a dynamic renewal duration, if security.acme.defaults.validMinDays remains unset. This accomodates certificates with different ACME profile:

    • For certificates with a total validity at or above 10 days renewal will happen after two thirds of the lifetime has passed (e.g. a certificate valid for 90 days renews once the validity falls below 30 days)
    • For shortlived certificates with a total validty below 10 days renewal will happen after half of the total lifetime has passed
  • Cinnamon has been updated to 6.6, please check the upstream announcement for more details.

  • Budgie has been updated to 10.10, please check the upstream announcement for more details.

  • stestrCheckHook was added: This test hook runs stestr run. You can disable tests with disabledTests and disabledTestsRegex.

  • services.frp now supports multiple instances through services.frp.instances to make it possible to run multiple frp clients or servers at the same time.

  • hyphen now supports over 40 language variants through hyphenDicts and now allows to enable all supported languages through hyphenDicts.all.

  • services.resolved module was converted to RFC42-style settings. The moved options have also been renamed to match the upstream names. Aliases mean current configs will continue to function, but users should move to the new options as convenient.

  • systemd.sleep.extraConfig was replaced by RFC 0042-compliant systemd.sleep.settings.Sleep, which is used to generate the sleep.conf configuration file. See {manpage}sleep.conf.d(5) for available options.

  • Support for Bluetooth audio based on bluez-alsa has been added to the hardware.alsa module. It can be enabled with the new enableBluetooth option.

  • services.openssh now supports generating host SSH keys by setting services.openssh.generateHostKeys = true while leaving services.openssh.enable disabled. This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.

  • IPVLAN interfaces can now be configured through the networking.ipvlans option in the networking module.

  • services.caddy now supports setting httpPort and httpsPort and opening them in the firewall via openFirewall.

  • The latest available version of Nextcloud is v33 (available as pkgs.nextcloud33). The installation logic is as follows:

    • If services.nextcloud.package is specified explicitly, this package will be installed (recommended)
    • If system.stateVersion is >=26.05, pkgs.nextcloud33 will be installed by default.
    • If system.stateVersion is >=25.11, pkgs.nextcloud32 will be installed by default.
    • nextcloud31 is EOL and was thus removed.
    • Please note that an upgrade from v31 (or older) to v33 directly is not possible. Please upgrade to nextcloud32 (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring services.nextcloud.package = pkgs.nextcloud32;.
  • InvoicePlane with the Caddy webserver (services.invoiceplane.webserver = "caddy") now sets up sites with Caddy's automatic HTTPS instead of HTTP-only. To keep the old behavior for a site example.com, set services.caddy.virtualHosts."example.com".hostName = "http://example.com". If you set custom Caddy options for a InvoicePlane site, migrate these options by removing http:// from services.caddy.virtualHosts."http://example.com".

  • services.slurm now supports slurmrestd usage through the services.slurm.rest NixOS options.

  • The services.calibre-web systemd service has been hardened with additional sandboxing restrictions.

  • services.kanidm options for server, client and unix were moved under dedicated namespaces. For each component enableComponent and componentSettings are now component.enable and component.settings. The unix module now supports using SSH keys from Kanidm via services.kanidm.unix.sshIntegration = true.

  • mdbook-linkcheck has been removed as it is unmaintained and incompatible with the latest version of mdbook. Users can instead migrate to mdbook-linkcheck2.

  • glibc has been updated to version 2.42.

    This version no longer makes the stack executable when a shared library requires this. A symptom is an error like

    cannot enable executable stack as shared object requires: Invalid argument

    This is usually a bug. Please consider reporting it to the software maintainers.

    In a lot of cases, the library requires the execstack by mistake only. The following workarounds exist:

    • When building the shared library in question from source, use the following linker flags to force turning off the executable flag:

      mkDerivation {
        # …
      
        env.NIX_LDFLAGS = "-z,noexecstack";
      }
      
    • If the sources are not available, the execstack-flag can be cleared with patchelf:

      patchelf --clear-execstack binary-only.so
      
    • If the shared library to be loaded actually requires an executable stack and it isn't turned on by the application loading it, you may force allowing that behavior by setting the following environment variable:

      GLIBC_TUNABLES=glibc.rtld.execstack=2
      

      Do not set this globally! This makes your setup inherently less secure.

  • services.radicle now supports importing the private key and passphrase as systemd creds.