Breaking changes announcement for unstable

Let’s try this out for a while and see how it goes. I am starting this as a response to Should we consider a deprecation/removal policy for Nixpkgs?, go there if you want to discuss things.

  • If you have (or see) a PR that removes package or has otherwise backwards incompatible changes, link it in here (together with a short sentence about what exactly is affected).
  • If you run on unstable and want to know in advance when something is about to break, subscribe to this thread.
  • If you have a breaking PR, give people enough time to react to it before merging.
  • I think we can also include module changes as well. Shouldn’t be too noisy.
  • To keep the noise low, please don’t discuss on this thread. Use the one liked above instead.

2 posts were merged into an existing topic: Should we consider a deprecation/removal policy for Nixpkgs?

Heads up!

The Matrix-Synapse module is going to use RFC42 soon. That means many top-level options (services.matrix-synapse) will need to be moved below services.matrix-synapse.settings).

The use of mkRenamedOptionModule is unfortunately broken with types.submodule, so the migration consists of lots of mkRemovedOptionModules instead


The Home Assistant package is also going to use a RFC42 style configuration.

Due to the way that default values are now reflected as options below services.home-assistant.config, the declarative configuration by default is not null anymore.

That means that config needs to be explicitly set to null, if the config is not supposed to be managed declaratively. Otherwise the module will take full control of your configuration.yaml, and potentially delete your imperatively managed configuration.

Also two module options are going away:

  • autoExtraComponents is now enabled unconditionally
  • The settings applied through applyDefaultConfig are now explicit options with the same default values on the services.home-assistant.config option.

The taskserver module will no longer automatically open ports in the firewall
configuration. This is to allow end users to freely choose on which network
interface(s) they want to expose the service. The previous behaviour can be
restored by explicitly adding to the
list networking.firewall.allowedTCPPorts.


I’m refactoring pkgs.makeDesktopEntry to use proper Nix types where possible. I’ve updated all the consumers in Nixpkgs itself, but user configs may need slight changes.


This may not affect a wide range of users, but it is a breaking change for everyone running a scientific compute cluster on NIxOS:


With the following change loading the dummy and bonding kernel driver stopped creating the dummy0 or bond0 interface automatically. Relying on this behaviour is problematic, because the first interface being created automatically creates an outlier. All following interfaces would need to be created manually anyway.

On top of that, since systemd-networkd does not currently recreate netdevs, precreating them like that will set default netdev options that may be undesirable, like the wrong bonding mode (balance-rr vs 802.3ad), which can’t be changed once the link exists.

These are systemd’s default modprobe.d rules, which exist since 2017. They also ship their own explanation for these rules, that everyone can browse here:

Thanks to @grahamc, who made me aware of this bug and the misconceptions I had about this behaviour.

Will follow up with release notes shortly, this had been forgotten.

2 Likes disables polkit by default, which then needs to be re-enabled by the modules that require it. The big ones have been tested, but this might break some of the more obscure setups.

This is more a potentially breaking change than a backwards incompatibility, therefore no action should be required outside of nixpkgs.

1 Like

Note, certain aliases now throw instead of being a warning. Especially look out for “manpages”.

1 Like

I’m a bit late, but the GNOME 42 update was merged two days ago and finally hit unstable today. As usual, there are some backwards incompatible changes that require manual intervention. Also, some breakage has already been caught.

1 Like

OpenLDAP was updated from the 2.4 series to 2.6.2 today. With it comes the removal of a few storage backends, like hdb, bdb and ndb. Before upgrading everyone should dump their database (slapcat -n 1) and make sure they have a working backup. If you’re looking for a new sane default, use mdb.

1 Like

checkMeta is being enabled by default. Meta attributes have occasionally been checked for long enough so that this should not break much, but it still is a breaking change. This might slightly affect evaluation performance, but there is always the option to explicitly turn the check off.

1 Like

PPD files in pkgs.cups-drv-rastertosag-gdi are now gzipped. If you refer to such a PPD file with its path (e.g. via the option hardware.printers.ensurePrinters) you will need to append .gz to the path.


The firefox-wayland, thunderbird-wayland and librewolf-wayland attributes have been converted to aliases, because Wayland support has been enabled by default in the generic package versions.

Please migrate from the attributes above to firefox, thunderbird or librewolf.

The only relevant outcome from this change is that by default these programs will not use XWayland anymore, but instead Wayland on Wayland and X11 on X11.

This behaviour can be reverted at runtime by exporting MOZ_ENABLE_WAYLAND=0 in your environment.


I updated the cinnamon desktop to 5.6, please read the pull request for what is changed. If some of your settings are “changed” / “broken” after this update, reconfigure them in the cinnamon-settings app.

1 Like

Services avahi, unifi-video, tmate-ssh-server and snapserver won’t open the firewall by default anymore. If you use them, either use openFirewall = true in the module, or open the according ports in your locally managed firewall.


Pipewire 0.3.67 (hopefully next staging cycle) will remove the services.pipewire.config options, as they don’t work the way most people expect and are a large maintenance burden for questionable gain. See Pipewire 0.3.67 + big module cleanup by K900 · Pull Request #220332 · NixOS/nixpkgs · GitHub for the change, Pipewire migration guide · GitHub for migration notes and feel free to ping me here, on Github or on Matrix ( if you really want this to be preserved.

I also want to drop in the same cycle, but hopefully no one is using that.

1 Like

fcitx4 has stoped maintaining on upstream and fcitx5 is released instead. To avoid misguiding a new user to use old version, fcitx4 should be removed from nixpkgs and nixos.

We make a pr here. fcitx: remove version 4 by Vonfry · Pull Request #220776 · NixOS/nixpkgs · GitHub


With the next staging cycle the support for old and weak password hashing algorithms will be removed.

  • It was previously annouced in the NixOS 22.11 release notes
  • The new default algorithm will be yescrypt
  • We will still support sha512crypt (prefixed with $6$) hashes, but do recommend migrating to a proper KDF
    • Use mkpasswd to generate a password hash today
    • Use passwd after this PR has reached your system
  • We upgraded the warnings for stateful and declarative passwords, to highlight user accounts with unsupported algorithms, when detected
1 Like
Hosted by Flying Circus.