How to revert to nixos stable from unstable using flakes

bsag · February 11, 2026, 7:48pm

I was a happy camper on NixOS 25.11, then got interested in installing Noctalia. That needs unstable, so I switched to that.

My flake built, and everything was fine for a while. However, recently, I just can’t get an updated flake to build. Sometimes it’s a broken package, often repos are apparently unreachable, and sometimes there are dependency issues.

This is all to be expected I know, but despite my love of Noctalia, I think I need to get back on stable.

My problem is, I have tried to change my flake to use the stable 25.11 nixos repo (as I had originally), and remove noctalia, but I can’t then build the updated flake. I get an error that there is no such package as xrdb. I can see that in unstable, the package with that name exists, but in 25.11, it is called Xorg.xrdb (assuming it is the same thing). This doesn’t seem to come from any of my own configs, but is part of the toolchain to build the system (as far as I can tell).

How do I fix this? I have tried garbage collecting but that doesn’t seem to help. Is there another cache I need to clear to build from scratch, hopefully without removing my safety net of previous generations?

NobbZ · February 11, 2026, 8:00pm

I am running unstable as my daily driver for several years, and do not have the problems you describe. Sure there are occasional build errors, though lets be honest, those exist on stable as well
For your downgrade problem, can you please share relevant code (maybe even a link to your flake) and the exact error you get?

bsag · February 12, 2026, 11:27am

Maybe it is something about my flake then? I am currently back on unstable, so I will try updating and post any errors I get. I would rather stay on unstable if that’s possible.

I’ll give it a go at the weekend and report back.

bsag · February 12, 2026, 8:53pm

I’ve resolved it, I think, and it was nothing to do with being on unstable.

I noticed that when trying to build I was getting a lot of failures where hosts could not be resolved.

Searching around, I found this post about DNS not resolving. Checking my /etc/resolv.conf, I found that it was using Tailscale’s MagicDNS nameservers (100.100.100.100) not the nameservers I had set in my config.

A few more rabbit holes suggested that Tailscale overrides the nameservers you set unless you use resolved:


    services.resolved = {
      enable = true;
      settings.Resolve = {
        DNSOverTLS = "true";
        DNSSEC = "true";
        Domains = [ "~." ];
        FallbackDNS = [
          "1.1.1.1#one.one.one.one"
          "1.0.0.1#one.one.one.one"
        ];
      };
    };

The next build went perfectly.

I think I only bumped into this problem recently because the builds involved a lot of new packages, so it was more likely that resolving the host would time out.

As a nice side-effect, I’m not getting the puzzling delays to load some web pages that I was getting before, and which I (wrongly) attributed to an unreliable internet connection.

TLATER · February 13, 2026, 3:47am

Not exactly, it’ll just use dhcp to broadcast suggested nameservers, and your network configuration is clearly set to accept that configuration.

Disabling that feature in whatever network management you use would also do the trick, though of course enabling any local DNS client through its NixOS module will configure that for you.

Using DoT as you are has the added advantage that nobody can intercept your DNS traffic and forcibly override it through the usual MITM attack, either. Yeah, for some reason the entire industry has been totally fine with constant MITM attacks on your DNS resolution being the state of the art for like 5 decades.

DoH is typically recommended as it’s harder to block, though.

bsag · February 13, 2026, 10:00am

That doesn’t surprise me at all - I’m generally very comfortable with most techie areas, but DNS baffles and terrifies me!

That’s really interesting though. Do you have a link for an accessible guide for the terrified explaining the differences between DNS over TLS and DNS over HTTPS? (I’m guessing that’s what DoT and DoH is).

TLATER · February 13, 2026, 10:41am

I don’t, but it’s stupid simple:

DoT uses a new, dedicated port for DNS queries that is different from the port traditionally used for DNS, so that the server knows to serve TLS-encrypted traffic.
DoH just abuses HTTPS to do DNS instead of coming up with a new protocol/port, so it all goes over port 443.

The latter certainly feels wrong from a design perspective, we like labeling our traffic as the traffic it is, but not being explicitly marked as encrypted DNS is precisely the advantage: it looks like perfectly normal HTTPS traffic, which you can’t just blanket ban on your network since everything else also needs HTTPS to work, so it’s harder to block.

Since it’s TLS encrypted packet sniffing is also pretty hard, you need heuristics (e.g. IP/domain bans, or more complex and unstable things like blackbox traffic analysis) to try and prevent people from dodging your honeypot DNS server in your internet cafe.

You can tell whether you’re using DoT or DoH by the nameservers you set. The <address>#<domain> syntax is DoT, while DoH simply uses an https URL.

As for using it in practice...

There are more up-and downsides to both; I think ideally you set up a fallback nameserver with DoT (since DoH needs a bootstrap query, and DoT can gracefully fall back to unencrypted DNS when necessary), and otherwise use DoH. You’ll want a good caching resolver and keep copies of both the DoH and DoT server certificates so you don’t end up having to bootstrap that trust chain while under attack.

That said, I haven’t found a good, caching resolver that’d implement this yet. I think the best option is something like unbound + dnscrypt-proxy, but I’ve struggled making them play ball, so personally I still use unbound + DoT and just hope I never need to use a network that blocks DoT.

There’s also no good UI for this yet. None of these setups survive exposure to - gasp - a captive portal (which is usually implemented precisely by MITM-ing your DNS queries and serving the wifi owner’s login page instead of, say, google), so really you need a toggle that lets you make one or two queries with the dhcp-provided nameserver, and then switch back to DoT/H after login for any of this to be useful in practice.

I’ve tried, but it’s still very hard to make this a useful improvement to security!

The downside of encrypted DNS in general that critics will tell you about is that you need to trust the DNS servers you choose, since they can fully track your queries (there is ODoH, which uses a proxy to obfuscate your traffic, but it doesn’t really convince me since now you have to trust the proxy).

In the modern world, where computers travel between networks all the bloody time, I don’t think you’re getting around this, no matter how cleverly you design your intranet. IMO we should hence make encrypted DNS as standard and always-on as possible, so DoH is the way to go for default configs (ideally with e.g. cloudflare so ISPs can’t just block domains on account of cloudflare also being necessary for everything).

If you run a computer on precisely one private network with a carefully controlled, shared caching DNS resolver you probably know what you’re doing and don’t need others to set sensible defaults for you.

bsag · February 13, 2026, 10:59am

Thanks, that’s really useful!