Breaking changes announcement for unstable

The dhcpcd service (networking.useDHCP) has been hardened and now runs exclusively as the “dhcpcd” user (no root at all). (PR #336988)

Most users shouldn’t see any difference, but if you were relying on the root privileges in networking.dhcpcd.runHook you will have to write specific sudo or polkit rules to allow dhcpcd to perform privileged actions.

Also, as part of these changes, the DHCP lease files directory has also been moved from /var/db/dhcpcd to /var/lib/dhcpcd. This migration is performed automatically, but you may have to update your backup rules.

3 Likes

A typo was introduced and subsequently fixed in the ec2-data script that runs on OpenStack and AWS and will clobber the permissions of your machine and lock you out of SSH. Unfortunately the change made it into the unstable channel.

The fix just rolled out in unstable-small but is still rolling out to unstable: Nixpkgs PR #347678 ("treewide: fix typo chown -> chmod") progress

If you happen to be locked out, the fix for AWS is:

  • Log in using SSM (for this your IAM instance profile must have the arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore policy attached)
  • You’ll notice that /etc/ssh is owned by a non-existent user named 755
  • chown root /etc/ssh /etc/ec2-metadata
  • You should have access to your server over SSH again

I will work on a NixOS test that will make these kinds of bugs channel blockers.

10 Likes

pkgs.meilisearch changes from 1.9.0 → 1.10.2 including a breaking change in the Experimental AI-powered search.

Users should follow the update and migration guide: https://www.meilisearch.com/docs/learn/update_and_migration/updating

See also meilisearch: 1.9.0 -> 1.10.2 by bbenno · Pull Request #349995 · NixOS/nixpkgs · GitHub

The Darwin SDK pattern changes have landed in master. See "The Darwin SDKs have been updated" for the list of breaking changes.

7 Likes

I don’t know why, but gnomeExtensions.pop-launcher-super-key is apparently gone.

Bisected to gnomeExtensions: Handle GNOME 47 extensions · NixOS/nixpkgs@cd005ec · GitHub

Extension doesn’t support gnome 45

3 Likes

buildGoModule: remove buildFlags/buildFlagsArray

Both have been deprecated for a long time and were no longer used in nixpkgs. For people using buildGoModule outside of nixpkgs, this might be a breaking change. Use ldflags, env.GOFLAGS and tags instead.

4 Likes

Any documentation changes that update identifiers (content like headings, etc. that have an anchor) now require updating a redirects mapping doc/redirects.json or nixos/doc/manual/redirects.json for the nixpkgs and nixos manuals respectively. If not updated, CI should fail (given the last CI run was after this PR was merged).

This is part of an effort better described in this announcement.

To make this less inconvenient for contributors, a helper command is in the works which would remove the requirement to manually edit the aforementioned JSON mapping.

8 Likes

Not my change, but pkgs.nerdFonts was broken up into individual packages that now live under pkgs.nerd-fonts.*.

PR: nerdfonts: separate into individual font packages, 3.2.1 -> 3.3.0 by rc-zb · Pull Request #354543 · NixOS/nixpkgs · GitHub

This is what the diff to fix it for my config looks like, for whom it helps:

-  fonts.packages = [
-    (pkgs.nerdfonts.override {
-      fonts = [
-        "JetBrainsMono" # wezterm default font
-        "LiberationMono" # I just like this font :)
-        "FiraCode"
-        "DroidSansMono"
-        "NerdFontsSymbolsOnly"
-        "FantasqueSansMono"
-      ];
-    })
+  fonts.packages = with pkgs; [
+    nerd-fonts.jetbrains-mono
+    nerd-fonts.liberation # no mono version of this?
+    nerd-fonts.fira-code # `fira-mono` also exists
+    nerd-fonts.droid-sans-mono
+    nerd-fonts.symbols-only
+    nerd-fonts.fantasque-sans-mono
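Review bot: `with pkgs;` on the new `fonts.packages` line puts the entire package set in scope for a list that only uses `nerd-fonts.*` attributes; spelling the entries as `pkgs.nerd-fonts.jetbrains-mono` (or scoping with `with pkgs.nerd-fonts;`) keeps name resolution explicit. The comment on `nerd-fonts.liberation` still ends in an open question, so check that this attribute installs the family the removed "LiberationMono" entry provided before relying on it.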
13 Likes

A networkd-based backend for networking.wireguard was merged recently. It will be enabled if you enable networking.useNetworkd or networking.wireguard.useNetworkd.

You must make sure that your secrets are readable by the systemd-network user. Otherwise, systemd-networkd will silently fail while trying to set up your WireGuard interface.

PR: nixos/wireguard-networkd: init by Majiir · Pull Request #259092 · NixOS/nixpkgs · GitHub

3 Likes
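An added example (not from the post or the PR) of giving systemd-networkd read access to a WireGuard private key without opening it to other local users. The interface name, addresses, endpoint, key path and peer key placeholder are constructed, and the key is assumed to be provisioned out of band at that path.

```nix
# Added example. Interface name, addresses, key path, endpoint and the peer
# key placeholder are constructed; the private key is assumed to be
# provisioned out of band at /etc/wireguard/wg0.key.
{ ... }:
{
  # Selects the networkd-based backend for networking.wireguard.
  networking.wireguard.useNetworkd = true;

  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.100.0.2/24" ];
    # Opened by systemd-networkd, which runs as the systemd-network user.
    privateKeyFile = "/etc/wireguard/wg0.key";
    peers = [
      {
        publicKey = "PEER_PUBLIC_KEY_PLACEHOLDER";
        allowedIPs = [ "10.100.0.0/24" ];
        endpoint = "vpn.example.org:51820";
        persistentKeepalive = 25;
      }
    ];
  };

  systemd.tmpfiles.rules = [
    # Directory: traversable by the group, closed to everyone else.
    "d /etc/wireguard 0750 root systemd-network -"
    # Weak alternative to avoid: 0644 would let every local user read the key.
    # Root-only 0600 root:root is the case that fails silently under networkd.
    # Group-read for systemd-network grants exactly the access networkd needs.
    "z /etc/wireguard/wg0.key 0640 root systemd-network -"
  ];
}
```

After switching, `sudo -u systemd-network test -r /etc/wireguard/wg0.key && echo readable` confirms the access, and `networkctl status wg0` shows whether the interface came up.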

There appear to be a lot of breaking changes around <type>.functor; unfortunately, I don’t fully grasp what the changes entail. Though from looking at the repl, it seems that enum types are now structured as functor.payload.values instead of functor.payload.

1 Like

@waffle8946 It’s really just the second PR, here’s the release note for that:

Copy for readability:

  • Structure of the functor of some types has changed. functor is an implementation detail and should not be relied upon. If you did rely on it let us know in this PR.
    • lib.types.enum: Previously the functor.payload was the list of enum values directly. Now it is an attribute set containing the values in the values attribute.
    • lib.types.separatedString: Previously the functor.payload was the separator directly. Now it is an attribute set containing the separator in the sep attribute.

If you used these internal fields for type merging before, you can do this instead:

mergeTypes = a: b: a.typeMerge b.functor;

2 Likes

buildGoModule now accepts environment variables (especially CGO_ENABLED) only via the env attribute to prepare for the __structuredAttrs = true support.

The only exception is GOFLAGS. Relevant discussion and implementation is under the following PR:

5 Likes