- The `shadowstack` hardening flag has been added, though disabled by default.
- `writeReferencesToFile` has been removed after its deprecation in 24.05. Use the trivial build helper `writeClosure` instead.
- `xxd` is now provided by the `tinyxxd` package rather than `vim.xxd` to reduce closure size and vulnerability impact. Since it has the same options and semantics as Vim's `xxd` utility, there is no user impact. Vim's `xxd` remains available as the `vim.xxd` package.
- The `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep). Available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep).
- Mattermost has been updated from 9.5 to 9.11 ESR. See the [changelog](https://docs.mattermost.com/about/mattermost-v9-changelog.html#release-v9-11-extended-support-release) for more details.
- `cargo-tauri.hook` was introduced to help users build [Tauri](https://tauri.app/) projects. It is meant to be used alongside
`rustPlatform.buildRustPackage` and Node hooks such as `npmConfigHook`, `pnpm.configHook`, and the new `yarnConfig`
- `power.ups` now powers off UPSs during a power outage event.
This saves UPS battery and ensures that the host(s) come back up when power returns, even if the UPS would have had enough capacity to keep power on during the whole outage.
If you prefer the old behaviour of keeping the UPSs on (and emptying the battery) after the host(s) have shut down, at the risk of not getting a power cycle event to bring the host(s) back up, set `power.ups.upsmon.settings.POWERDOWNFLAG = null;`.
- `nixos-firewall-tool` now supports nftables in addition to iptables and is installed by default when NixOS firewall is enabled.
- Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)
in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners
should be changed to using *runner authentication tokens* by configuring
{option}`services.gitlab-runner.services.<name>.authenticationTokenConfigFile` instead of the former
{option}`services.gitlab-runner.services.<name>.registrationConfigFile` option.
- `iproute2` now has libbpf support.
If you use extensions that are not packaged in nixpkgs, please review whether they still work
with the current settings and adjust accordingly if needed.
- `nix.channel.enable = false` no longer implies `nix.settings.nix-path = []`.
Since Nix 2.13, a `nix-path` set in `nix.conf` cannot be overridden by the `NIX_PATH` environment variable.
- ZFS now imports its pools in `postResumeCommands` rather than `postDeviceCommands`. If you had `postDeviceCommands` scripts that depended on ZFS pools being imported, those now need to be in `postResumeCommands`.
- `services.automatic-timezoned.enable = true` will now set `time.timeZone = null`.
This is to avoid silently shadowing a user's explicitly defined timezone without the user noticing.
- `services.localtimed.enable = true` will now set `time.timeZone = null`.
This is to avoid silently shadowing a user's explicitly defined timezone without the user noticing.
- `qgis` and `qgis-ltr` are now built without `grass` by default. `grass` support can be enabled with `qgis.override { withGrass = true; }`.
- The `virtualisation.incus` module gained new `incus-user.service` and `incus-user.socket` systemd units. It is now possible to add a user to the `incus` group instead of `incus-admin` for increased security.
- `buildDotnetModule` now uses JSON-based instead of nix-based lockfiles.
Support for nix-based lockfiles has been deprecated and will be dropped in release 25.11.
- `buildDotnetModule.fetch-deps` now generates a JSON lockfile by default.
For compatibility, a nix-based lockfile will still be generated if one existed before. However, it has been deprecated and will be dropped in release 25.11.