nixpkgs

22nd chunk of `nixos/doc/manual/release-notes/rl-2405.section.md`
- `services.teeworlds` module now has a wealth of configuration options, including a new `package` option.

- `services.xserver.desktopManager.budgie` installs `gnome.gnome-terminal` by default (instead of `mate.mate-terminal`).

- `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module
  (such as msmtp or Postfix). It no longer requires using a special ZFS build with email support.

- `sonarr` was bumped from version 3.0.10 to 4.0.3. Consequently, existing config database files will be upgraded automatically, but note that some old, apparently working configs [might actually be corrupt and fail to upgrade cleanly](https://forums.sonarr.tv/t/sonarr-v4-released/33089).

- `stdenv`: The `--replace` flag in `substitute`, `substituteInPlace`, `substituteAll`, `substituteAllStream`, and `substituteStream` is now deprecated in favor of the new `--replace-fail`, `--replace-warn` and `--replace-quiet`. The deprecated `--replace` is equivalent to `--replace-warn`.

- `systemd`: when merging unit options (of type `unitOption`),
  if at least one definition is a list, every definition that is not a list is now lifted into a list
  and all of them are concatenated. Definitions can therefore accumulate without resorting to `mkForce`,
  which would have discarded the definitions that did not anticipate the need to use a list.
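As an added example (not part of the release notes), the following NixOS configuration shows two modules that define `ReadWritePaths` for the same unit, one as a plain string and one as a list. Under the 24.05 merge rule the string is lifted into a list and the definitions are concatenated, so the unit ends up with both paths while `ProtectSystem=strict` stays intact. The module names, unit name and paths are constructed for the example.

```nix
# Added example (not part of the release notes): two independent modules
# define ReadWritePaths for the same unit, one as a string and one as a list.
{ pkgs, ... }:
{
  imports = [
    # Module A: the service and its baseline sandbox.
    ({ ... }: {
      systemd.services.example = {
        description = "unitOption merge demo";
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = "${pkgs.coreutils}/bin/sleep infinity";
          DynamicUser = true;
          ProtectSystem = "strict";
          # A plain string. Before 24.05 this could not be merged with a list
          # definition from another module; one side had to use lib.mkForce.
          # The leading "-" tells systemd to skip the path if it is missing.
          ReadWritePaths = "-/srv/example-data";
        };
      };
    })
    # Module B: grants one more writable path without touching module A.
    # The string above is lifted into a one-element list and concatenated
    # with this one, so the unit carries both ReadWritePaths= lines.
    ({ ... }: {
      systemd.services.example.serviceConfig.ReadWritePaths = [ "-/var/cache/example" ];
    })
  ];
}
```

Definition order follows module evaluation order and can be fixed with `lib.mkBefore`/`lib.mkAfter`. The rule applies to every `unitOption`-typed setting, so for directives that systemd does not accumulate (for example `ExecStart=` of a `Type=simple` service) concatenation produces an invalid unit rather than an override; `lib.mkForce` is still the right tool there.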

- `systemd` units can now specify the `Upholds=` and `UpheldBy=` unit dependencies via the aptly
  named `upholds` and `upheldBy` options. These options get systemd to enforce that the
  dependencies remain continuously running for as long as the dependent unit is in a running state.
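The following configuration, added here as an example and not taken from the release notes, declares a supervisor unit that upholds a worker unit: as long as the supervisor is active, systemd starts the worker again whenever it is found inactive or failed. The unit names and commands are constructed for the example.

```nix
# Added example (not part of the release notes): a supervisor unit that keeps
# a worker running for as long as the supervisor itself is active.
{ pkgs, ... }:
{
  systemd.services.example-worker = {
    description = "Worker kept alive by example-supervisor";
    serviceConfig = {
      ExecStart = "${pkgs.coreutils}/bin/sleep infinity";
      DynamicUser = true;
    };
  };

  systemd.services.example-supervisor = {
    description = "Supervisor that upholds the worker";
    wantedBy = [ "multi-user.target" ];
    # Emits `Upholds=example-worker.service` in the [Unit] section. Unlike
    # `wants`, which only queues a start job once, this is enforced
    # continuously: stopping the worker while the supervisor runs brings it
    # back. Stopping the supervisor ends the enforcement.
    upholds = [ "example-worker.service" ];
    serviceConfig.ExecStart = "${pkgs.coreutils}/bin/sleep infinity";
  };
}
```

`upheldBy` expresses the same relation from the other side, as `UpheldBy=` in the worker's unit. Because the restart is driven by the upholding unit rather than by the worker's own `Restart=` setting, a worker that is deliberately stopped with `systemctl stop` comes back as well; stop the supervisor first when that is not wanted.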

- A stdenv's default set of hardening flags can now be set via its `bintools-wrapper`'s `defaultHardeningFlags` argument. A convenient stdenv adapter, `withDefaultHardeningFlags`, can be used to override an existing stdenv's `defaultHardeningFlags`.

- Programs written in [Nim](https://nim-lang.org/) are built with libraries selected by lockfiles.
  The `nimPackages` and `nim2Packages` sets have been removed.
  See https://nixos.org/manual/nixpkgs/unstable#nim for more information.

- The EC2 image module now enables the [Amazon SSM Agent](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html) by default.

- A new abstraction to create both read-only as well as writable overlay file
  systems was added. Available via
  [fileSystems.overlay](#opt-fileSystems._name_.overlay.lowerdir). See also the
  [NixOS docs](#sec-overlayfs).
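As an added example (not part of the release notes), the configuration below declares one read-only overlay that stacks two lower layers and one writable overlay whose base layer is never modified. The `upperdir` and `workdir` option names are assumed to follow the overlayfs mount options, as `lowerdir` does; verify them against the `fileSystems.<name>.overlay` option reference. All paths are constructed for the example.

```nix
# Added example (not part of the release notes): a read-only and a writable
# overlay file system declared through the new fileSystems.<name>.overlay
# abstraction.
{
  # Read-only: only lower layers are given, so nothing can be written
  # through the mount point.
  fileSystems."/srv/example-ro" = {
    overlay.lowerdir = [ "/srv/example-layers/site" "/srv/example-layers/base" ];
  };

  # Writable: the base layer stays pristine; every change lands in upperdir,
  # which makes local modifications easy to inspect and to discard by
  # clearing that directory. workdir must be an empty directory on the same
  # file system as upperdir.
  fileSystems."/srv/example-rw" = {
    overlay = {
      lowerdir = [ "/srv/example-layers/base" ];
      upperdir = "/var/lib/example-overlay/upper";
      workdir  = "/var/lib/example-overlay/work";
    };
  };
}
```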

- A new hardening flag, `zerocallusedregs` was made available, corresponding to the gcc/clang option `-fzero-call-used-regs=used-gpr`.

- A new hardening flag, `trivialautovarinit` was made available, corresponding to the gcc/clang option `-ftrivial-auto-var-init=pattern`.
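The following configuration is an added example (not from the release notes) that ties the new `withDefaultHardeningFlags` adapter and the two new flags together: the same small C program is built once with the flags opted in per package through `hardeningEnable`, and once with an adapted stdenv whose default flag set already contains them. The baseline flag list and the program are constructed for the example; `mkDemo` and the package names are hypothetical.

```nix
# Added example (not part of the release notes): enabling the new hardening
# flags per package and through a stdenv with a changed default set.
{ pkgs, ... }:
let
  # Constructed baseline for this example. Copy the real default list from
  # pkgs/build-support/bintools-wrapper/default.nix of your nixpkgs revision
  # so that nothing enabled there is silently dropped.
  hardenedFlags = [
    "bindnow" "format" "fortify" "pic" "relro" "stackprotector" "strictoverflow"
    "zerocallusedregs"     # -fzero-call-used-regs=used-gpr: clear GPRs on return
    "trivialautovarinit"   # -ftrivial-auto-var-init=pattern: fill uninitialised locals
  ];

  # stdenv adapter from the release note: packages built with this stdenv get
  # hardenedFlags as their default set, no per-package opt-in needed.
  hardenedStdenv =
    pkgs.stdenvAdapters.withDefaultHardeningFlags hardenedFlags pkgs.stdenv;

  # Constructed input: an uninitialised local, which pattern-init turns from
  # "whatever was left on the stack" into a fixed byte pattern.
  demoSrc = pkgs.writeText "demo.c" ''
    #include <stdio.h>
    int main(void) {
      unsigned char buf[8];
      printf("%02x\n", buf[0]);
      return 0;
    }
  '';

  # Hypothetical helper: build demoSrc with the given stdenv and extra attributes.
  mkDemo = name: stdenv: extraAttrs: stdenv.mkDerivation ({
    pname = name;
    version = "0.1";
    dontUnpack = true;
    NIX_DEBUG = 1;   # the cc wrapper then prints each hardening flag it enables
    buildPhase = ''$CC -o demo ${demoSrc}'';
    installPhase = ''install -Dm755 demo $out/bin/${name}'';
  } // extraAttrs);
in
{
  environment.systemPackages = [
    # Opt in for a single package on the stock stdenv.
    (mkDemo "hardening-demo-optin" pkgs.stdenv {
      hardeningEnable = [ "zerocallusedregs" "trivialautovarinit" ];
    })
    # Nothing to opt in to: the adapted stdenv enables both flags by default.
    (mkDemo "hardening-demo-default" hardenedStdenv { })
  ];
}
```

Both new flags are opt-in in 24.05, so the per-package form is the one to reach for first; `hardeningDisable` turns a flag off again for a package that misbehaves under a stdenv with a widened default set. The build log of either package, with `NIX_DEBUG` set, lists the flags the wrapper actually applied, which is the quickest way to confirm that a flag reached the compiler.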

- `dnsdist` has new options to enable and configure a DNSCrypt endpoint (see `services.dnsdist.dnscrypt.enable`, etc.).
  The module can generate the DNSCrypt provider key pair and certificates, and also rotates them automatically with no downtime.

- The kernel Yama LSM is now enabled by default, which prevents ptracing
  non-child processes. This means you will not be able to attach gdb to an
  existing process, but will need to start that process from gdb (so it is a
  child). Or you can set `boot.kernel.sysctl."kernel.yama.ptrace_scope"` to 0.
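As an added example (not part of the release notes), the module below keeps the new Yama default on every host and lowers `ptrace_scope` only behind an explicit option, so a relaxed setting is visible in the configuration instead of being a silent global change. The option path `example.debugging.allowPtraceAttach` is hypothetical.

```nix
# Added example (not part of the release notes): lower kernel.yama.ptrace_scope
# only when explicitly requested, keeping the 24.05 default otherwise.
{ config, lib, ... }:
let
  cfg = config.example.debugging;   # hypothetical option path
in
{
  options.example.debugging.allowPtraceAttach = lib.mkEnableOption
    "attaching a debugger to processes that are not its children (sets kernel.yama.ptrace_scope = 0)";

  config = {
    # kernel.yama.ptrace_scope values:
    #   0  classic: any process may ptrace another one running as the same uid
    #   1  restricted: only descendants, or processes that opted in via
    #      prctl(PR_SET_PTRACER)  <- the default once Yama is enabled
    #   2  admin-only: attaching requires CAP_SYS_PTRACE
    #   3  no attach: ptrace attach is disabled and the value cannot be
    #      lowered again without a reboot
    # With the option off (mkEnableOption defaults to false) nothing is set
    # here and the kernel default of 1 applies.
    boot.kernel.sysctl."kernel.yama.ptrace_scope" =
      lib.mkIf cfg.allowPtraceAttach 0;
  };
}
```

For a single service that must be debuggable by a helper process, the per-process `prctl(PR_SET_PTRACER, ...)` opt-in mentioned above avoids lowering the scope for the whole system; scope 2 or 3 is the setting for hosts where no interactive debugging is expected at all.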

- Lisp modules: the previously deprecated interface based on `common-lisp.sh` has now been removed.

- The `systemd-confinement` module extension is now compatible with `DynamicUser=true` and thus `ProtectSystem=strict` too.
## Nixpkgs Library {#sec-release-24.05-nixpkgs-lib}

### Additions and Improvements {#sec-release-24.05-lib-additions-improvements}

New functions:
- [`lib.asserts.assertEachOneOf`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.asserts.assertEachOneOf): Check that each value is one of the allowed ones.
- [`lib.attrsets.longestValidPathPrefix`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.attrsets.longestValidPathPrefix): The longest prefix of an attribute path that refers to an existing attribute in a nesting of attribute sets.
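Both functions, used together as an added example (not part of the release notes): `assertEachOneOf` rejects a TLS protocol list containing anything outside an allowed set, and `longestValidPathPrefix` reports how far a requested attribute path exists in a settings tree, which makes "unknown setting" errors point at the exact level that is missing. The settings tree and the requested path are constructed inputs; evaluate the file with `nix-instantiate --eval --strict`.

```nix
# Added example (not part of the release notes): validating values and
# locating a missing attribute path with the two new library functions.
let
  lib = import <nixpkgs/lib>;

  # Constructed inputs.
  allowedProtocols = [ "TLSv1.2" "TLSv1.3" ];
  requested        = [ "TLSv1.2" "TLSv1.3" ];
  settings = { server.tls.protocols = requested; };
  wanted   = [ "server" "tls" "protocols" "min" ];

  # assertEachOneOf name values allowed: evaluates to true when every value
  # is allowed, otherwise aborts with a message that names `name` and lists
  # both the allowed and the offending values. Adding "SSLv3" to `requested`
  # makes the evaluation fail here.
  protocolsOk =
    lib.asserts.assertEachOneOf "example.tls.protocols" requested allowedProtocols;

  # The longest prefix of `wanted` that exists as nested attributes in
  # `settings`. It stops at `protocols` because that value is a list, not
  # an attribute set, so `min` cannot be looked up below it.
  found = lib.attrsets.longestValidPathPrefix settings wanted;
in
assert protocolsOk;
{
  ok          = protocolsOk;
  foundPath   = lib.concatStringsSep "." found;
  missingPath = lib.concatStringsSep "." (lib.drop (lib.length found) wanted);
}
```

With the constructed inputs the result has `foundPath = "server.tls.protocols"` and `missingPath = "min"`, which is the information a module would put into an error message instead of a bare "attribute missing".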

Title: NixOS 24.05: Further Service Configuration, Package Updates, and Nixpkgs Library Enhancements
Summary
This section covers remaining changes in NixOS 24.05, including updates to Teeworlds, Budgie, ZFS email, Sonarr, stdenv (deprecation of the `--replace` flag), and systemd (unit option merging and the `Upholds`/`UpheldBy` dependencies). It also includes configurable stdenv default hardening flags, lockfile-based Nim package builds, the EC2 image module enabling the SSM Agent, the overlay file system abstraction, two new hardening flags, DNSCrypt options for dnsdist, the kernel Yama LSM being enabled by default, removal of the deprecated `common-lisp.sh` Lisp module interface, `DynamicUser` compatibility for the systemd-confinement module extension, and the Nixpkgs library additions and improvements.