nixpkgs

2nd chunk of `nixos/doc/manual/release-notes/rl-1404.section.md`
- NixOS now supports fully declarative management of users and groups. If you set `users.mutableUsers` to `false`, then the contents of `/etc/passwd` and `/etc/group` will be [congruent](https://www.usenix.org/legacy/event/lisa02/tech/full_papers/traugott/traugott_html/) to your NixOS configuration. For instance, if you remove a user from `users.extraUsers` and run `nixos-rebuild`, the user account will cease to exist. In that case, imperative commands for managing users and groups, such as `useradd`, are also no longer available. If `users.mutableUsers` is `true` (the default), then behaviour is unchanged from NixOS 13.10.

- NixOS now has basic container support, meaning you can easily run a NixOS instance as a container in a NixOS host system. These containers are suitable for testing and experimentation but not production use, since they're not fully isolated from the host. See [](#ch-containers) for details.

- Systemd units provided by packages can now be overridden from the NixOS configuration. For instance, if a package `foo` provides systemd units, you can say:

  ```nix
  {
    systemd.packages = [ pkgs.foo ];
  }
  ```

  to enable those units. You can then set or override unit options in the usual way, e.g.

  ```nix
  {
    systemd.services.foo.wantedBy = [ "multi-user.target" ];
    systemd.services.foo.serviceConfig.MemoryLimit = "512M";
  }
  ```
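A check for the congruence described in the `users.mutableUsers` item above, as an added example that is not part of the release notes or of NixOS: it compares passwd(5)-format text against the accounts a configuration declares and reports any drift. The names `parse_passwd`, `audit` and `DECLARED`, and the sample file contents, are constructed for illustration.

```python
"""Report drift between passwd(5) text and a declared account set."""

# Constructed sample: what /etc/passwd might contain on an audited host.
SAMPLE_PASSWD = """\
root:x:0:0:System administrator:/root:/bin/sh
alice:x:1000:100:Alice:/home/alice:/bin/sh
sshd:x:2:65534:SSH daemon user:/var/empty:/bin/false
backup:x:0:0::/root:/bin/sh
"""

# Constructed stand-in for the accounts the configuration declares (name -> uid).
DECLARED = {"root": 0, "alice": 1000, "sshd": 2, "bob": 1001}


def parse_passwd(text):
    """Return ({name: uid}, [malformed lines]) from passwd(5)-format text."""
    accounts, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # passwd(5) layout: name:password:UID:GID:GECOS:home:shell
        uid = fields[2] if len(fields) == 7 else ""
        if not fields[0] or not (uid.isascii() and uid.isdigit()):
            malformed.append(line)
            continue
        accounts[fields[0]] = int(uid)
    return accounts, malformed


def audit(passwd_text, declared):
    """List (kind, subject) findings; an empty list means the two are congruent."""
    actual, malformed = parse_passwd(passwd_text)
    findings = [("malformed", line) for line in malformed]
    for name, uid in sorted(actual.items()):
        if name not in declared:
            findings.append(("undeclared", name))    # exists, but not in the config
        elif declared[name] != uid:
            findings.append(("uid-mismatch", name))  # declared with a different uid
        if uid == 0 and name != "root":
            findings.append(("extra-uid0", name))    # second superuser account
    findings += [("missing", n) for n in sorted(set(declared) - set(actual))]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, DECLARED):
        print(finding)
```
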

When upgrading from a previous release, please be aware of the following incompatible changes:

- Nixpkgs no longer exposes unfree packages by default. If your NixOS configuration requires unfree packages from Nixpkgs, you need to enable support for them explicitly by setting:

  ```nix
  {
    nixpkgs.config.allowUnfree = true;
  }
  ```

  Otherwise, you get an error message such as:

  ```ShellSession
      error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:56’
        has an unfree license, refusing to evaluate
  ```

- The Adobe Flash player is no longer enabled by default in the Firefox and Chromium wrappers. To enable it, you must set:

  ```nix
  {
    nixpkgs.config.allowUnfree = true;
    nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox
    nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium
  }
  ```

- The firewall is now enabled by default. If you don't want this, you need to disable it explicitly:

  ```nix
  {
    networking.firewall.enable = false;
  }
  ```

- The option `boot.loader.grub.memtest86` has been renamed to `boot.loader.grub.memtest86.enable`.

- The `mysql55` service has been merged into the `mysql` service, which no longer sets a default for the option `services.mysql.package`.

- Package variants are now differentiated by suffixing the name, rather than the version. For instance, `sqlite-3.8.4.3-interactive` is now called `sqlite-interactive-3.8.4.3`. This ensures that `nix-env -i sqlite` is unambiguous, and that `nix-env -u` won't "upgrade" `sqlite` to `sqlite-interactive` or vice versa. Notably, this change affects the Firefox wrapper (which provides plugins), as it is now called `firefox-wrapper`. So when using `nix-env`, you should do `nix-env -e firefox; nix-env -i firefox-wrapper` if you want to keep using the wrapper. This change does not affect declarative package management, since attribute names like `pkgs.firefoxWrapper` were already unambiguous.

- The symlink `/etc/ca-bundle.crt` is gone. Programs should instead use the environment variable `OPENSSL_X509_CERT_FILE` (which points to `/etc/ssl/certs/ca-bundle.crt`).

Title: NixOS 14.04: Declarative User Management, Container Support, Systemd Overrides, and Incompatible Changes
Summary
NixOS 14.04 introduces fully declarative user and group management, basic container support, and the ability to override systemd units provided by packages from the NixOS configuration. It also lists several incompatible changes: unfree packages and the Adobe Flash player are no longer enabled by default, and the firewall is now enabled by default. Other changes include the renaming of the `boot.loader.grub.memtest86` option, the merging of the `mysql55` service into `mysql`, differentiating package variants by a name suffix rather than a version suffix, and the removal of the `/etc/ca-bundle.crt` symlink in favor of the `OPENSSL_X509_CERT_FILE` environment variable.