Breaking changes announcement for unstable

The dhcpcd service (networking.useDHCP) has been hardened and now runs exclusively as the “dhcpcd” user (no root at all). (PR #336988)

Most users shouldn’t see any difference, but if you were relying on the root privileges in networking.dhcpcd.runHook you will have to write specific sudo or polkit rules to allow dhcpcd to perform privileged actions.

Also, as part of these changes, the DHCP lease files directory has been moved from /var/db/dhcpcd to /var/lib/dhcpcd. This migration is performed automatically, but you may have to update your backup rules.

3 Likes

A typo was introduced and subsequently fixed in the ec2-data script that runs on OpenStack and AWS and will clobber the permissions of your machine and lock you out of SSH. Unfortunately the change made it into the unstable channel.

The fix just rolled out in unstable-small but is still rolling out to unstable: Nixpkgs PR #347678 ("treewide: fix typo chown -> chmod") progress

If you happen to be locked out, the fix for AWS is:

  • log in using SSM (for this your IAM instance profile must have the arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore policy attached)
  • You’ll notice that /etc/ssh is owned by a non-existent user named 755
  • chown root /etc/ssh /etc/ec2-metadata
  • You should have access to your server over SSH again

I will work on a NixOS test that will make these kinds of bugs channel blockers.

12 Likes

pkgs.meilisearch changes from 1.9.0 → 1.10.2 including a breaking change in the Experimental AI-powered search.

Users should follow the update and migration guide: https://www.meilisearch.com/docs/learn/update_and_migration/updating

See also meilisearch: 1.9.0 -> 1.10.2 by bbenno · Pull Request #349995 · NixOS/nixpkgs · GitHub

The Darwin SDK pattern changes have landed in master. See “The Darwin SDKs have been updated” for the list of breaking changes.

7 Likes

I don’t know why, but gnomeExtensions.pop-launcher-super-key is apparently gone.

Bisected to gnomeExtensions: Handle GNOME 47 extensions · NixOS/nixpkgs@cd005ec · GitHub

Extension doesn’t support gnome 45

4 Likes

buildGoModule: remove buildFlags/buildFlagsArray

Both have been deprecated for a long time and weren’t used anymore in nixpkgs. For people using buildGoModule outside of nixpkgs, this might be a breaking change. Use ldflags, env.GOFLAGS and tags instead.

4 Likes

Any documentation changes that update identifiers (content like headings, etc. that have an anchor) now require updating a redirects mapping doc/redirects.json or nixos/doc/manual/redirects.json for the nixpkgs and nixos manuals respectively. If not updated, CI should fail (given the last CI run was after this PR was merged).

This is part of an effort better described in this announcement.

To make this less inconvenient for contributors, a helper command is in the works which would remove the requirement to manually edit the aforementioned JSON mapping.

9 Likes

Not my change, but pkgs.nerdFonts was broken up into individual packages that now live under pkgs.nerd-fonts.*.

PR: nerdfonts: separate into individual font packages, 3.2.1 -> 3.3.0 by rc-zb · Pull Request #354543 · NixOS/nixpkgs · GitHub

This is what the diff to fix it for my config looks like, for whom it helps:

-  fonts.packages = [
-    (pkgs.nerdfonts.override {
-      fonts = [
-        "JetBrainsMono" # wezterm default font
-        "LiberationMono" # I just like this font :)
-        "FiraCode"
-        "DroidSansMono"
-        "NerdFontsSymbolsOnly"
-        "FantasqueSansMono"
-      ];
-    })
+  fonts.packages = with pkgs; [
+    nerd-fonts.jetbrains-mono
+    nerd-fonts.liberation # no mono version of this?
+    nerd-fonts.fira-code # `fira-mono` also exists
+    nerd-fonts.droid-sans-mono
+    nerd-fonts.symbols-only
+    nerd-fonts.fantasque-sans-mono
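
Review bot: the `nerd-fonts.liberation` line replaces "LiberationMono" but its comment leaves the question open ("no mono version of this?"); confirm which font that attribute installs and resolve the comment before relying on it. The added side also ends at `nerd-fonts.fantasque-sans-mono` with no closing `];` shown, so that line has to be restored when the snippet is copied.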

15 Likes

A networkd-based backend for networking.wireguard was merged recently. It will be enabled if you enable networking.useNetworkd or networking.wireguard.useNetworkd.

You must make sure that your secrets are readable by the systemd-network user. Otherwise, systemd-networkd will silently fail while trying to set up your WireGuard interface.

PR: nixos/wireguard-networkd: init by Majiir · Pull Request #259092 · NixOS/nixpkgs · GitHub

4 Likes
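
A pre-flight check for the silent failure described in the post above, as an added example that is not part of the original post: it decides from owner, group and mode bits whether a user such as systemd-network could read a key file, including search permission on every parent directory. It assumes GNU stat and realpath and ignores ACLs; the script name and key path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: would a given uid/gid set be allowed to read FILE, judging by
# owner, group and mode bits only (ACLs and capabilities are ignored)?
# Assumes GNU coreutils (stat -c, realpath), as shipped on NixOS.

# may_access PATH UID "GID ..." BIT   (BIT: 4 = read, 1 = search a directory)
may_access() {
    path=$1 uid=$2 gids=$3 bit=$4
    [ "$uid" -eq 0 ] && return 0            # root bypasses the mode bits
    st=$(stat -c '%u %g %a' "$path") || return 2
    set -- $st                              # $1 owner uid, $2 group gid, $3 octal mode
    shift_by=0                              # start in the "other" class
    for g in $gids; do
        [ "$g" -eq "$2" ] && shift_by=3     # one of the user's groups owns the path
    done
    [ "$uid" -eq "$1" ] && shift_by=6       # the owner class takes precedence
    [ $(( (0$3 >> $shift_by) & $bit )) -ne 0 ]
}

# readable_by FILE UID "GID ...": every parent must be searchable, FILE readable
readable_by() {
    file=$(realpath "$1") || return 2
    dir=$(dirname "$file")
    while :; do
        may_access "$dir" "$2" "$3" 1 || {
            echo "uid $2 cannot traverse $dir" >&2; return 1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    may_access "$file" "$2" "$3" 4 || {
        echo "uid $2 cannot read $file" >&2; return 1; }
}

# Usage (hypothetical names): sh check-key.sh /path/to/wg-private.key systemd-network
if [ "$#" -eq 2 ]; then
    readable_by "$1" "$(id -u "$2")" "$(id -G "$2")"
fi
```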

There appear to be a lot of breaking changes around <type>.functor, unfortunately I don’t fully grasp what the changes entail. Though from looking at the repl, it seems that enum types are now structured as functor.payload.values instead of functor.payload.

1 Like

@waffle8946 It’s really just the second PR, here’s the release note for that:

Copy for readability:

  • Structure of the functor of some types has changed. functor is an implementation detail and should not be relied upon. If you did rely on it let us know in this PR.
    • lib.types.enum: Previously the functor.payload was the list of enum values directly. Now it is an attribute set containing the values in the values attribute.
    • lib.types.separatedString: Previously the functor.payload was the separator directly. Now it is an attribute set containing the separator in the sep attribute.

If you used these internal fields for type merging before, you can do this instead:

mergeTypes = a: b: a.typeMerge b.functor;

4 Likes

buildGoModule now accepts environment variables (especially CGO_ENABLED) only via the env attribute to prepare for the __structuredAttrs = true support.

The only exception is GOFLAGS. Relevant discussion and implementation is under the following PR:

5 Likes

Plasma 5 is officially deprecated now, and I expect most of it (and also Gear 23.08, and most Frameworks 5.116) to be gone very quickly after 25.05 releases. I’m mildly surprised it lasted this long myself.

The real breaking change, however, comes in the top-level aliases of Plasma-related things being changed to throws, to ensure we don’t just silently upgrade people from Qt5 versions of things to Qt6. The libsForQt5 versions of those packages are still there and can be accessed by full path, but you should really be running the Qt6 versions from kdePackages by now.

13 Likes

grafana-agent is already marked as broken due to requiring an EOL Go version that has been removed from nixpkgs as of yesterday and will become EOL within the release cycle of the upcoming 25.05 anyway.
As such, grafana-agent will be dropped from nixpkgs very soon:

If you depend on grafana-agent, consider migrating to grafana-alloy.
See https://grafana.com/docs/alloy/latest/set-up/migrate/, NixOS Search and nixpkgs/nixos/tests/alloy.nix at 88b2709b781be6235e99af08702d357c7ab58be3 · NixOS/nixpkgs · GitHub for details and jumping-off points.

Note that grafana-alloy cannot be configured via JSON (yet[1]), only via River, which is more or less Grafana’s take on HashiCorp’s HCL.


  1. Add support for configuration via YAML/JSON · Issue #326 · grafana/alloy · GitHub

4 Likes

As the conduwuit project (the matrix server implementation forked from conduit) has been discontinued, the conduwuit package will be marked as vulnerable (as it is considered EOL now) and the recently introduced services.conduwuit module will be removed. The module was merged less than four months ago, so the impact will hopefully be minimal (as I’m dailydriving it myself, I know this sucks).

7 Likes

Several PAM services are now disabled by default. If you use i3lock (or i3lock-color), vlock, xlock, xscreensaver, or any wrapper around any of these (e.g. betterlockscreen), and you don’t use one of the following options:

  • programs.i3lock.enable (for i3lock, i3lock-color, betterlockscreen, etc.)
  • console.enable (for vlock, enabled by default)
  • services.xserver.enable (for xlock)
  • services.xscreensaver.enable (for xscreensaver)

then you must take action to avoid your lockscreen locking you out of your system. You should either enable the relevant option above, or enable the security.pam.services.<service>.enable option (where <service> is one of i3lock, i3lock-color, vlock, xlock, or xscreensaver).

14 Likes

We’re in the process of shrinking cudaPackages “public” interface: tree-wide: cudaPackages.cudaFlags -> cudaPackages.flags by ConnorBaker · Pull Request #406545 · NixOS/nixpkgs · GitHub

3 Likes

Reminder for this thread: breaking changes are not allowed in master right now. (except DEs) Schedule: NixOS 25.05 – Release schedule · Issue #390768 · NixOS/nixpkgs · GitHub

4 Likes