- `espanso` has been updated to major version 2. Therefore, migration steps may need to be performed. See [the official migration instructions](https://espanso.org/docs/migration/overview/) for how to perform these migrations. Further, `espanso-wayland` can now be used for Wayland support.

- Only `k3s` version 1.26 is included. Users of the `k3s_1_24` or `k3s_1_25` packages should upgrade to use the `1.26` version of the package.

- The `nerdfonts` package has been updated to major version 3, which includes potential [breaking changes](https://github.com/ryanoasis/nerd-fonts/releases/tag/v3.0.0).

## Other Notable Changes {#sec-release-23.05-notable-changes}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- To follow [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) a few options of `openssh` have been moved from `extraConfig` to the new freeform option `settings` and renamed, e.g.:
  - `services.openssh.forwardX11` to `services.openssh.settings.X11Forwarding`
  - `services.openssh.kbdInteractiveAuthentication` -> `services.openssh.settings.KbdInteractiveAuthentication`
  - `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`
  - `services.openssh.useDns` to `services.openssh.settings.UseDns`
  - `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin`
  - `services.openssh.logLevel` to `services.openssh.settings.LogLevel`
  - `services.openssh.kexAlgorithms` to `services.openssh.settings.KexAlgorithms`
  - `services.openssh.macs` to `services.openssh.settings.Macs`
  - `services.openssh.ciphers` to `services.openssh.settings.Ciphers`
  - `services.openssh.gatewayPorts` to `services.openssh.settings.GatewayPorts`


- `vim_configurable` has been renamed to `vim-full` to avoid confusion: `vim-full`'s build-time features are configurable, but both `vim` and `vim-full` are _customizable_ (in the sense of user configuration, like vimrc).

- Pantheon now defaults to Mutter 43 and GNOME settings daemon 43, all Pantheon packages are now tracking elementary OS 7 updates.

- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)

- The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)

- `netbox` was updated to 3.5. NixOS' `services.netbox.package` still defaults to 3.3 if `stateVersion` is earlier than 23.05. Please review upstream's breaking changes [for 3.4.0](https://github.com/netbox-community/netbox/releases/tag/v3.4.0) and [for 3.5.0](https://github.com/netbox-community/netbox/releases/tag/v3.5.0), and upgrade NetBox by changing `services.netbox.package`. Database migrations will be run automatically.

- `services.netbox` now support RFC42-style options, through `services.netbox.settings`.

- `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.

- `services.borgmatic` now allows for multiple configurations, placed in `/etc/borgmatic.d/`, you can define them with `services.borgmatic.configurations`.

- `service.openafsServer` features a new backup server `pkgs.fabs` as a
  replacement for openafs's own `buserver`. See
  [FABS](https://github.com/openafs-contrib/fabs) to check if this is an viable
  replacement. It stores backups as volume dump files and thus better integrates
  into contemporary backup solutions.

- `services.maddy` got several updates:
  - Configuration of users and their credentials using `services.maddy.ensureCredentials`.
  - TLS configuration is now possible via `services.maddy.tls` with two loaders present: ACME and file based.